Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Analysis ID:	756016
MD5:	630ffd21c1de8a583a4e1627b8ac6534
SHA1:	7cdb7d33a07326fa3b2699bb7308889a0920541a
SHA256:	02b628dcbfaa0cad2ccde62b1cfb16425a8d40b4cad9de200569ce1b84981612
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe (PID: 5808 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe MD5: 630FFD21C1DE8A583A4E1627B8AC6534)

powershell.exe (PID: 1436 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 1092 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe (PID: 1044 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe MD5: 630FFD21C1DE8A583A4E1627B8AC6534)

owFIYUUG.exe (PID: 5580 cmdline: C:\Users\user\AppData\Roaming\owFIYUUG.exe MD5: 630FFD21C1DE8A583A4E1627B8AC6534)

schtasks.exe (PID: 2204 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

owFIYUUG.exe (PID: 4764 cmdline: C:\Users\user\AppData\Roaming\owFIYUUG.exe MD5: 630FFD21C1DE8A583A4E1627B8AC6534)

explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msiexec.exe (PID: 5544 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cmd.exe (PID: 1380 cmdline: /c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.shinecleaningasheville.com/f9r5/"], "decoy": ["teknotimur.com", "zuliboo.com", "remmingtoncampbell.com", "vehicletitleloansphoenix.com", "sen-computer.com", "98731.biz", "shelikesblu.com", "canis-totem.com", "metaversemedianetwork.com", "adsdu.com", "vanishmediasystems.com", "astewaykebede.com", "wszhongxue.com", "gacha-animator-free.com", "papatyadekorasyon.com", "mqc168.top", "simplebrilliantsolutions.com", "jubileehawkesprairie.com", "ridflab.com", "conboysfilm.com", "iseemerit.world", "airhbb.com", "haveyourshare.com", "qcstcsz.com", "attorneykarinaramirez.com", "patriziabartelle.com", "dcc.coop", "hdzz.top", "treesandstarsoracle.com", "rebarunikont.com", "achivego.site", "baipiao100.com", "menslibwrty.com", "insulationtraining.online", "horseflix.club", "suxyqyu.xyz", "sqoki.com", "ffbsjhvbsjhbvsajv.xyz", "beapest.cfd", "4892166.com", "dvdmediastar.com", "hotwomensearching4u.site", "cupompetlover.com", "terrapretasales.com", "joinsequene.com", "powerkitap.com", "jonjene.com", "wqcwgl.com", "utahexotics.com", "ballerboutique.com", "cftronline.com", "gettidaladvance.site", "anagladstonedesign.com", "bunsi-figura.store", "ttvip-13.net", "cmjysx-uqps.website", "ifealafia.com", "carlospainter.com", "elitetrio.xyz", "inggridangelia.com", "leporebaq.com", "youpinhang.com", "palm3d.net", "wo567567.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9b90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x88f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x98fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5819:$sqlite3step: 68 34 1C 7B E1 0x592c:$sqlite3step: 68 34 1C 7B E1 0x5848:$sqlite3text: 68 38 2A 90 C5 0x596d:$sqlite3text: 68 38 2A 90 C5 0x585b:$sqlite3blob: 68 53 D8 7F 8C 0x5983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9b90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x88f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x98fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5819:$sqlite3step: 68 34 1C 7B E1 0x592c:$sqlite3step: 68 34 1C 7B E1 0x5848:$sqlite3text: 68 38 2A 90 C5 0x596d:$sqlite3text: 68 38 2A 90 C5 0x585b:$sqlite3blob: 68 53 D8 7F 8C 0x5983:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17819:$sqlite3step: 68 34 1C 7B E1 0x1792c:$sqlite3step: 68 34 1C 7B E1 0x17848:$sqlite3text: 68 38 2A 90 C5 0x1796d:$sqlite3text: 68 38 2A 90 C5 0x1785b:$sqlite3blob: 68 53 D8 7F 8C 0x17983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xfdff1:$a1: 3C 30 50 4F 53 54 74 09 40 0x12c411:$a1: 3C 30 50 4F 53 54 74 09 40 0x159831:$a1: 3C 30 50 4F 53 54 74 09 40 0x114930:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x142d50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170170:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x10276f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x130b8f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15dfaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x10d657:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x13ba77:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x168e97:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1016a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x101922:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12fac8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12fd42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15cee8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15d162:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10d455:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x168c95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10cf41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13b361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x168781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10d557:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x168d97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x10d6cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13baef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x168f0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10233a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13075a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15db7a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1105b9:$sqlite3step: 68 34 1C 7B E1 0x1106cc:$sqlite3step: 68 34 1C 7B E1 0x13e9d9:$sqlite3step: 68 34 1C 7B E1 0x13eaec:$sqlite3step: 68 34 1C 7B E1 0x16bdf9:$sqlite3step: 68 34 1C 7B E1 0x16bf0c:$sqlite3step: 68 34 1C 7B E1 0x1105e8:$sqlite3text: 68 38 2A 90 C5 0x11070d:$sqlite3text: 68 38 2A 90 C5 0x13ea08:$sqlite3text: 68 38 2A 90 C5 0x13eb2d:$sqlite3text: 68 38 2A 90 C5 0x16be28:$sqlite3text: 68 38 2A 90 C5 0x16bf4d:$sqlite3text: 68 38 2A 90 C5 0x1105fb:$sqlite3blob: 68 53 D8 7F 8C 0x110723:$sqlite3blob: 68 53 D8 7F 8C 0x13ea1b:$sqlite3blob: 68 53 D8 7F 8C 0x13eb43:$sqlite3blob: 68 53 D8 7F 8C 0x16be3b:$sqlite3blob: 68 53 D8 7F 8C 0x16bf63:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xb205a:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: owFIYUUG.exe PID: 5580	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 1044	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x88690:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: msiexec.exe PID: 5544	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x154422:$a1: 3C 30 50 4F 53 54 74 09 40 0x19b622:$a1: 3C 30 50 4F 53 54 74 09 40 0x19d6c3:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.owFIYUUG.exe.3012e30.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.owFIYUUG.exe.3012e30.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a98a:$v1: SbieDll.dll 0x2a9a4:$v2: USER 0x2a9b0:$v3: SANDBOX 0x2a9c2:$v4: VIRUS 0x2aa12:$v4: VIRUS 0x2a9d0:$v5: MALWARE 0x2a9e2:$v6: SCHMIDTI 0x2a9f6:$v7: CURRENTUSER
5.2.owFIYUUG.exe.3030600.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.owFIYUUG.exe.3030600.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd1ba:$v1: SbieDll.dll 0xd1d4:$v2: USER 0xd1e0:$v3: SANDBOX 0xd1f2:$v4: VIRUS 0xd242:$v4: VIRUS 0xd200:$v5: MALWARE 0xd212:$v6: SCHMIDTI 0xd226:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd1ba:$v1: SbieDll.dll 0xd1d4:$v2: USER 0xd1e0:$v3: SANDBOX 0xd1f2:$v4: VIRUS 0xd242:$v4: VIRUS 0xd200:$v5: MALWARE 0xd212:$v6: SCHMIDTI 0xd226:$v7: CURRENTUSER
6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x91071:$a1: 3C 30 50 4F 53 54 74 09 40 0xbf491:$a1: 3C 30 50 4F 53 54 74 09 40 0xec8b1:$a1: 3C 30 50 4F 53 54 74 09 40 0xa79b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xd5dd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1031f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x957ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xc3c0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf102f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa06d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xceaf7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xfbf17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x94728:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x949a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc2b48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc2dc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xeff68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf01e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa04d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xce8f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfbd15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x9ffc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xce3e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfb801:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa05d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xce9f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfbe17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa074f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xceb6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xfbf8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x953ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc37da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf0bfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa3639:$sqlite3step: 68 34 1C 7B E1 0xa374c:$sqlite3step: 68 34 1C 7B E1 0xd1a59:$sqlite3step: 68 34 1C 7B E1 0xd1b6c:$sqlite3step: 68 34 1C 7B E1 0xfee79:$sqlite3step: 68 34 1C 7B E1 0xfef8c:$sqlite3step: 68 34 1C 7B E1 0xa3668:$sqlite3text: 68 38 2A 90 C5 0xa378d:$sqlite3text: 68 38 2A 90 C5 0xd1a88:$sqlite3text: 68 38 2A 90 C5 0xd1bad:$sqlite3text: 68 38 2A 90 C5 0xfeea8:$sqlite3text: 68 38 2A 90 C5 0xfefcd:$sqlite3text: 68 38 2A 90 C5 0xa367b:$sqlite3blob: 68 53 D8 7F 8C 0xa37a3:$sqlite3blob: 68 53 D8 7F 8C 0xd1a9b:$sqlite3blob: 68 53 D8 7F 8C 0xd1bc3:$sqlite3blob: 68 53 D8 7F 8C 0xfeebb:$sqlite3blob: 68 53 D8 7F 8C 0xfefe3:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xfd601:$a1: 3C 30 50 4F 53 54 74 09 40 0x12ba21:$a1: 3C 30 50 4F 53 54 74 09 40 0x158e41:$a1: 3C 30 50 4F 53 54 74 09 40 0x113f40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x142360:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16f780:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x101d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x13019f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d5bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x10cc67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x13b087:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x1684a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x100cb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x100f32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12f0d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12f352:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15c4f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15c772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10ca65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13ae85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1682a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10c551:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13a971:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x167d91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10cb67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13af87:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1683a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x10ccdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13b0ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x16851f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10194a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12fd6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15d18a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x10fbc9:$sqlite3step: 68 34 1C 7B E1 0x10fcdc:$sqlite3step: 68 34 1C 7B E1 0x13dfe9:$sqlite3step: 68 34 1C 7B E1 0x13e0fc:$sqlite3step: 68 34 1C 7B E1 0x16b409:$sqlite3step: 68 34 1C 7B E1 0x16b51c:$sqlite3step: 68 34 1C 7B E1 0x10fbf8:$sqlite3text: 68 38 2A 90 C5 0x10fd1d:$sqlite3text: 68 38 2A 90 C5 0x13e018:$sqlite3text: 68 38 2A 90 C5 0x13e13d:$sqlite3text: 68 38 2A 90 C5 0x16b438:$sqlite3text: 68 38 2A 90 C5 0x16b55d:$sqlite3text: 68 38 2A 90 C5 0x10fc0b:$sqlite3blob: 68 53 D8 7F 8C 0x10fd33:$sqlite3blob: 68 53 D8 7F 8C 0x13e02b:$sqlite3blob: 68 53 D8 7F 8C 0x13e153:$sqlite3blob: 68 53 D8 7F 8C 0x16b44b:$sqlite3blob: 68 53 D8 7F 8C 0x16b573:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a98a:$v1: SbieDll.dll 0x2a9a4:$v2: USER 0x2a9b0:$v3: SANDBOX 0x2a9c2:$v4: VIRUS 0x2aa12:$v4: VIRUS 0x2a9d0:$v5: MALWARE 0x2a9e2:$v6: SCHMIDTI 0x2a9f6:$v7: CURRENTUSER
Click to see the 15 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, ParentProcessId: 5808, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp, ProcessId: 1092, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe

Joe Sandbox ML: detected

Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.shinecleaningasheville.com/f9r5/"], "decoy": ["teknotimur.com", "zuliboo.com", "remmingtoncampbell.com", "vehicletitleloansphoenix.com", "sen-computer.com", "98731.biz", "shelikesblu.com", "canis-totem.com", "metaversemedianetwork.com", "adsdu.com", "vanishmediasystems.com", "astewaykebede.com", "wszhongxue.com", "gacha-animator-free.com", "papatyadekorasyon.com", "mqc168.top", "simplebrilliantsolutions.com", "jubileehawkesprairie.com", "ridflab.com", "conboysfilm.com", "iseemerit.world", "airhbb.com", "haveyourshare.com", "qcstcsz.com", "attorneykarinaramirez.com", "patriziabartelle.com", "dcc.coop", "hdzz.top", "treesandstarsoracle.com", "rebarunikont.com", "achivego.site", "baipiao100.com", "menslibwrty.com", "insulationtraining.online", "horseflix.club", "suxyqyu.xyz", "sqoki.com", "ffbsjhvbsjhbvsajv.xyz", "beapest.cfd", "4892166.com", "dvdmediastar.com", "hotwomensearching4u.site", "cupompetlover.com", "terrapretasales.com", "joinsequene.com", "powerkitap.com", "jonjene.com", "wqcwgl.com", "utahexotics.com", "ballerboutique.com", "cftronline.com", "gettidaladvance.site", "anagladstonedesign.com", "bunsi-figura.store", "ttvip-13.net", "cmjysx-uqps.website", "ifealafia.com", "carlospainter.com", "elitetrio.xyz", "inggridangelia.com", "leporebaq.com", "youpinhang.com", "palm3d.net", "wo567567.com"]}

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.shinecleaningasheville.com/f9r5/

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317991275.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 0000000B.00000000.377790638.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.460452224.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.445459434.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.479699094.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322861249.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx#
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322181268.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFF&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322643766.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322703072.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsu&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323589071.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comasik
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comc&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321668227.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321718791.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd-&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321668227.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322643766.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322703072.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comedta
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrita
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322643766.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322861249.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322703072.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comldF
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321718791.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322861249.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317261346.00000000057B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317261346.00000000057B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317261346.00000000057B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324285201.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324559034.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324418155.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324662108.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324459395.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324285201.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324559034.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324418155.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324662108.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324459395.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.325354347.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.325199869.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324736578.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320263598.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320494921.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320525670.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320440189.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320571444.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320191564.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320099257.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320394274.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320301449.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Q&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/X&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320263598.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320191564.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320099257.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318642829.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318619322.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/u&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.313670458.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320237486.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320477184.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319735455.00000000057C3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319806390.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320289081.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320716381.00000000057BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320419124.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320513514.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320160969.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320652389.00000000057BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320327067.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320085368.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319864076.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320019809.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319971645.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320556591.00000000057C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319806390.00000000057C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comn
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.owFIYUUG.exe.3012e30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.owFIYUUG.exe.3030600.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 1044, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.owFIYUUG.exe.3012e30.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.owFIYUUG.exe.3030600.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 1044, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_0157C164	5_2_0157C164
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_0157E5B0	5_2_0157E5B0
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_0157E5A2	5_2_0157E5A2
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_01684948	5_2_01684948
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_01684938	5_2_01684938
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_07D30040	5_2_07D30040
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_07D30007	5_2_07D30007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105F900	6_2_0105F900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01074120	6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01072990	6_2_01072990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106C1C0	6_2_0106C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01056800	6_2_01056800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111002	6_2_01111002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108701D	6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0112E824	6_2_0112E824
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A830	6_2_0107A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106B090	6_2_0106B090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010820A0	6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011220A8	6_2_011220A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011160F5	6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011228EC	6_2_011228EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111231B	6_2_0111231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01122B28	6_2_01122B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010FCB4F	6_2_010FCB4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107AB40	6_2_0107AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01073360	6_2_01073360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108138B	6_2_0108138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010FEB8A	6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107EB9A	6_2_0107EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108EBB0	6_2_0108EBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111DBD2	6_2_0111DBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011103DA	6_2_011103DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108ABD8	6_2_0108ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010A8BE8	6_2_010A8BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011023E3	6_2_011023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B236	6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0110FA2B	6_2_0110FA2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01115A4F	6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011232A9	6_2_011232A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011222AE	6_2_011222AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111E2C5	6_2_0111E2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01122D07	6_2_01122D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01050D20	6_2_01050D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01121D55	6_2_01121D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01072D50	6_2_01072D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082581	6_2_01082581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010865A0	6_2_010865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011225DD	6_2_011225DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106D5E0	6_2_0106D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106841F	6_2_0106841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01072430	6_2_01072430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111CC77	6_2_0111CC77
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B477	6_2_0107B477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111D466	6_2_0111D466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114496	6_2_01114496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084CD4	6_2_01084CD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0112DFCE	6_2_0112DFCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01121FF1	6_2_01121FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011167E2	6_2_011167E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111D616	6_2_0111D616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01075600	6_2_01075600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01076E30	6_2_01076E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059660	6_2_01059660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010DAE60	6_2_010DAE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01101EB6	6_2_01101EB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010806C0	6_2_010806C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01122EF7	6_2_01122EF7

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: String function: 010E5720 appears 85 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: String function: 0105B150 appears 177 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: String function: 010AD08C appears 48 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01099860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01099660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010996E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_010996E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099910 NtAdjustPrivilegesToken,	6_2_01099910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099950 NtQueueApcThread,	6_2_01099950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010999A0 NtCreateSection,	6_2_010999A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010999D0 NtCreateProcessEx,	6_2_010999D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099820 NtEnumerateKey,	6_2_01099820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0109B040 NtSuspendThread,	6_2_0109B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099840 NtDelayExecution,	6_2_01099840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010998A0 NtWriteVirtualMemory,	6_2_010998A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010998F0 NtReadVirtualMemory,	6_2_010998F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099B00 NtSetValueKey,	6_2_01099B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0109A3B0 NtGetContextThread,	6_2_0109A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099A00 NtProtectVirtualMemory,	6_2_01099A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099A10 NtQuerySection,	6_2_01099A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099A20 NtResumeThread,	6_2_01099A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099A50 NtCreateFile,	6_2_01099A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099A80 NtOpenDirectoryObject,	6_2_01099A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099520 NtWaitForSingleObject,	6_2_01099520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0109AD30 NtSetContextThread,	6_2_0109AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099540 NtReadFile,	6_2_01099540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099560 NtWriteFile,	6_2_01099560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010995D0 NtClose,	6_2_010995D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010995F0 NtQueryInformationFile,	6_2_010995F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0109A710 NtOpenProcessToken,	6_2_0109A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099710 NtQueryInformationToken,	6_2_01099710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099730 NtQueryVirtualMemory,	6_2_01099730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099760 NtOpenProcess,	6_2_01099760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0109A770 NtOpenThread,	6_2_0109A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099770 NtSetInformationFile,	6_2_01099770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099780 NtMapViewOfSection,	6_2_01099780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010997A0 NtUnmapViewOfSection,	6_2_010997A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099FE0 NtCreateMutant,	6_2_01099FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099610 NtEnumerateValueKey,	6_2_01099610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099650 NtQueryValueKey,	6_2_01099650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01099670 NtQueryInformationProcess,	6_2_01099670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010996D0 NtCreateKey,	6_2_010996D0

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310398354.00000000004E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQxoP.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.364294039.0000000007190000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.358683097.000000000114F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.352743513.0000000000E16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.356648553.0000000000FB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Binary or memory string: OriginalFilenameQxoP.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: owFIYUUG.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\owFIYUUG.exe C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process created: C:\Users\user\AppData\Roaming\owFIYUUG.exe C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process created: C:\Users\user\AppData\Roaming\owFIYUUG.exe C:\Users\user\AppData\Roaming\owFIYUUG.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

File created: C:\Users\user\AppData\Roaming\owFIYUUG.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE80B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/9@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310229761.0000000000402000.00000002.00000001.01000000.00000003.sdmp, owFIYUUG.exe.0.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310229761.0000000000402000.00000002.00000001.01000000.00000003.sdmp, owFIYUUG.exe.0.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310229761.0000000000402000.00000002.00000001.01000000.00000003.sdmp, owFIYUUG.exe.0.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2960:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_01

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msiexec.pdb source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_0168F401 push ecx; ret	5_2_0168F415
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Code function: 5_2_07D365EA push edx; retf	5_2_07D365EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010AD0D1 push ecx; ret	6_2_010AD0E4

Source: initial sample	Static PE information: section name: .text entropy: 7.640989875299505
Source: initial sample	Static PE information: section name: .text entropy: 7.640989875299505

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

File created: C:\Users\user\AppData\Roaming\owFIYUUG.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 5.2.owFIYUUG.exe.3012e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.owFIYUUG.exe.3030600.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: owFIYUUG.exe PID: 5580, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe TID: 5816	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe TID: 2528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe TID: 5576	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe TID: 5636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Code function: 6_2_01086B90 rdtsc

6_2_01086B90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

API coverage: 0.5 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000B.00000000.489448105.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.410055991.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 0000000B.00000000.410055991.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.382222721.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.410055991.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000B.00000000.489448105.0000000008631000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Code function: 6_2_01086B90 rdtsc

6_2_01086B90

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059100 mov eax, dword ptr fs:[00000030h]	6_2_01059100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059100 mov eax, dword ptr fs:[00000030h]	6_2_01059100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059100 mov eax, dword ptr fs:[00000030h]	6_2_01059100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01060100 mov eax, dword ptr fs:[00000030h]	6_2_01060100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01060100 mov eax, dword ptr fs:[00000030h]	6_2_01060100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01060100 mov eax, dword ptr fs:[00000030h]	6_2_01060100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01074120 mov eax, dword ptr fs:[00000030h]	6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01074120 mov eax, dword ptr fs:[00000030h]	6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01074120 mov eax, dword ptr fs:[00000030h]	6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01074120 mov eax, dword ptr fs:[00000030h]	6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01074120 mov ecx, dword ptr fs:[00000030h]	6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108513A mov eax, dword ptr fs:[00000030h]	6_2_0108513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108513A mov eax, dword ptr fs:[00000030h]	6_2_0108513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01053138 mov ecx, dword ptr fs:[00000030h]	6_2_01053138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111951 mov eax, dword ptr fs:[00000030h]	6_2_01111951
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B944 mov eax, dword ptr fs:[00000030h]	6_2_0107B944
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B944 mov eax, dword ptr fs:[00000030h]	6_2_0107B944
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105395E mov eax, dword ptr fs:[00000030h]	6_2_0105395E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105395E mov eax, dword ptr fs:[00000030h]	6_2_0105395E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105C962 mov eax, dword ptr fs:[00000030h]	6_2_0105C962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111E962 mov eax, dword ptr fs:[00000030h]	6_2_0111E962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105B171 mov eax, dword ptr fs:[00000030h]	6_2_0105B171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105B171 mov eax, dword ptr fs:[00000030h]	6_2_0105B171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01128966 mov eax, dword ptr fs:[00000030h]	6_2_01128966
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107C182 mov eax, dword ptr fs:[00000030h]	6_2_0107C182
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108A185 mov eax, dword ptr fs:[00000030h]	6_2_0108A185
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01058190 mov ecx, dword ptr fs:[00000030h]	6_2_01058190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082990 mov eax, dword ptr fs:[00000030h]	6_2_01082990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084190 mov eax, dword ptr fs:[00000030h]	6_2_01084190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111A189 mov eax, dword ptr fs:[00000030h]	6_2_0111A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111A189 mov ecx, dword ptr fs:[00000030h]	6_2_0111A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105519E mov eax, dword ptr fs:[00000030h]	6_2_0105519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105519E mov ecx, dword ptr fs:[00000030h]	6_2_0105519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010661A7 mov eax, dword ptr fs:[00000030h]	6_2_010661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010661A7 mov eax, dword ptr fs:[00000030h]	6_2_010661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010661A7 mov eax, dword ptr fs:[00000030h]	6_2_010661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010661A7 mov eax, dword ptr fs:[00000030h]	6_2_010661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0112F1B5 mov eax, dword ptr fs:[00000030h]	6_2_0112F1B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0112F1B5 mov eax, dword ptr fs:[00000030h]	6_2_0112F1B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010861A0 mov eax, dword ptr fs:[00000030h]	6_2_010861A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010861A0 mov eax, dword ptr fs:[00000030h]	6_2_010861A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D69A6 mov eax, dword ptr fs:[00000030h]	6_2_010D69A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D51BE mov eax, dword ptr fs:[00000030h]	6_2_010D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D51BE mov eax, dword ptr fs:[00000030h]	6_2_010D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D51BE mov eax, dword ptr fs:[00000030h]	6_2_010D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D51BE mov eax, dword ptr fs:[00000030h]	6_2_010D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010899BC mov eax, dword ptr fs:[00000030h]	6_2_010899BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011149A4 mov eax, dword ptr fs:[00000030h]	6_2_011149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011149A4 mov eax, dword ptr fs:[00000030h]	6_2_011149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011149A4 mov eax, dword ptr fs:[00000030h]	6_2_011149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011149A4 mov eax, dword ptr fs:[00000030h]	6_2_011149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108C9BF mov eax, dword ptr fs:[00000030h]	6_2_0108C9BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108C9BF mov eax, dword ptr fs:[00000030h]	6_2_0108C9BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov eax, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov eax, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov eax, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010799BF mov eax, dword ptr fs:[00000030h]	6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010699C7 mov eax, dword ptr fs:[00000030h]	6_2_010699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010699C7 mov eax, dword ptr fs:[00000030h]	6_2_010699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010699C7 mov eax, dword ptr fs:[00000030h]	6_2_010699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010699C7 mov eax, dword ptr fs:[00000030h]	6_2_010699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106C1C0 mov eax, dword ptr fs:[00000030h]	6_2_0106C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011119D8 mov eax, dword ptr fs:[00000030h]	6_2_011119D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov ecx, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov ecx, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h]	6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105B1E1 mov eax, dword ptr fs:[00000030h]	6_2_0105B1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105B1E1 mov eax, dword ptr fs:[00000030h]	6_2_0105B1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105B1E1 mov eax, dword ptr fs:[00000030h]	6_2_0105B1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010531E0 mov eax, dword ptr fs:[00000030h]	6_2_010531E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E41E8 mov eax, dword ptr fs:[00000030h]	6_2_010E41E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107D1EF mov eax, dword ptr fs:[00000030h]	6_2_0107D1EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011289E7 mov eax, dword ptr fs:[00000030h]	6_2_011289E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01056800 mov eax, dword ptr fs:[00000030h]	6_2_01056800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01056800 mov eax, dword ptr fs:[00000030h]	6_2_01056800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01056800 mov eax, dword ptr fs:[00000030h]	6_2_01056800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01124015 mov eax, dword ptr fs:[00000030h]	6_2_01124015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01124015 mov eax, dword ptr fs:[00000030h]	6_2_01124015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108701D mov eax, dword ptr fs:[00000030h]	6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108701D mov eax, dword ptr fs:[00000030h]	6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108701D mov eax, dword ptr fs:[00000030h]	6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108701D mov eax, dword ptr fs:[00000030h]	6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108701D mov eax, dword ptr fs:[00000030h]	6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108701D mov eax, dword ptr fs:[00000030h]	6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D7016 mov eax, dword ptr fs:[00000030h]	6_2_010D7016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D7016 mov eax, dword ptr fs:[00000030h]	6_2_010D7016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D7016 mov eax, dword ptr fs:[00000030h]	6_2_010D7016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108002D mov eax, dword ptr fs:[00000030h]	6_2_0108002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108002D mov eax, dword ptr fs:[00000030h]	6_2_0108002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108002D mov eax, dword ptr fs:[00000030h]	6_2_0108002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108002D mov eax, dword ptr fs:[00000030h]	6_2_0108002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108002D mov eax, dword ptr fs:[00000030h]	6_2_0108002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084020 mov edi, dword ptr fs:[00000030h]	6_2_01084020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106B02A mov eax, dword ptr fs:[00000030h]	6_2_0106B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106B02A mov eax, dword ptr fs:[00000030h]	6_2_0106B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106B02A mov eax, dword ptr fs:[00000030h]	6_2_0106B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106B02A mov eax, dword ptr fs:[00000030h]	6_2_0106B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A830 mov eax, dword ptr fs:[00000030h]	6_2_0107A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A830 mov eax, dword ptr fs:[00000030h]	6_2_0107A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A830 mov eax, dword ptr fs:[00000030h]	6_2_0107A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A830 mov eax, dword ptr fs:[00000030h]	6_2_0107A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111843 mov eax, dword ptr fs:[00000030h]	6_2_01111843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01057057 mov eax, dword ptr fs:[00000030h]	6_2_01057057
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055050 mov eax, dword ptr fs:[00000030h]	6_2_01055050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055050 mov eax, dword ptr fs:[00000030h]	6_2_01055050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055050 mov eax, dword ptr fs:[00000030h]	6_2_01055050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01070050 mov eax, dword ptr fs:[00000030h]	6_2_01070050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01070050 mov eax, dword ptr fs:[00000030h]	6_2_01070050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112073 mov eax, dword ptr fs:[00000030h]	6_2_01112073
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01121074 mov eax, dword ptr fs:[00000030h]	6_2_01121074
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107F86D mov eax, dword ptr fs:[00000030h]	6_2_0107F86D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059080 mov eax, dword ptr fs:[00000030h]	6_2_01059080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01053880 mov eax, dword ptr fs:[00000030h]	6_2_01053880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01053880 mov eax, dword ptr fs:[00000030h]	6_2_01053880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D3884 mov eax, dword ptr fs:[00000030h]	6_2_010D3884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D3884 mov eax, dword ptr fs:[00000030h]	6_2_010D3884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010990AF mov eax, dword ptr fs:[00000030h]	6_2_010990AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010820A0 mov eax, dword ptr fs:[00000030h]	6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010820A0 mov eax, dword ptr fs:[00000030h]	6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010820A0 mov eax, dword ptr fs:[00000030h]	6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010820A0 mov eax, dword ptr fs:[00000030h]	6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010820A0 mov eax, dword ptr fs:[00000030h]	6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010820A0 mov eax, dword ptr fs:[00000030h]	6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628AE mov eax, dword ptr fs:[00000030h]	6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628AE mov eax, dword ptr fs:[00000030h]	6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628AE mov eax, dword ptr fs:[00000030h]	6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628AE mov ecx, dword ptr fs:[00000030h]	6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628AE mov eax, dword ptr fs:[00000030h]	6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628AE mov eax, dword ptr fs:[00000030h]	6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h]	6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108F0BF mov ecx, dword ptr fs:[00000030h]	6_2_0108F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108F0BF mov eax, dword ptr fs:[00000030h]	6_2_0108F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108F0BF mov eax, dword ptr fs:[00000030h]	6_2_0108F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010570C0 mov eax, dword ptr fs:[00000030h]	6_2_010570C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010570C0 mov eax, dword ptr fs:[00000030h]	6_2_010570C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010578D6 mov eax, dword ptr fs:[00000030h]	6_2_010578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010578D6 mov eax, dword ptr fs:[00000030h]	6_2_010578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010578D6 mov ecx, dword ptr fs:[00000030h]	6_2_010578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B0C7 mov eax, dword ptr fs:[00000030h]	6_2_0111B0C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B0C7 mov eax, dword ptr fs:[00000030h]	6_2_0111B0C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011118CA mov eax, dword ptr fs:[00000030h]	6_2_011118CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h]	6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010EB8D0 mov ecx, dword ptr fs:[00000030h]	6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h]	6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h]	6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h]	6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h]	6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B8E4 mov eax, dword ptr fs:[00000030h]	6_2_0107B8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B8E4 mov eax, dword ptr fs:[00000030h]	6_2_0107B8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010540E1 mov eax, dword ptr fs:[00000030h]	6_2_010540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010540E1 mov eax, dword ptr fs:[00000030h]	6_2_010540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010540E1 mov eax, dword ptr fs:[00000030h]	6_2_010540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h]	6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h]	6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h]	6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h]	6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h]	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h]	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h]	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h]	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h]	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h]	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h]	6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010558EC mov eax, dword ptr fs:[00000030h]	6_2_010558EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628FD mov eax, dword ptr fs:[00000030h]	6_2_010628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628FD mov eax, dword ptr fs:[00000030h]	6_2_010628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010628FD mov eax, dword ptr fs:[00000030h]	6_2_010628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111131B mov eax, dword ptr fs:[00000030h]	6_2_0111131B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h]	6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105DB40 mov eax, dword ptr fs:[00000030h]	6_2_0105DB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01128B58 mov eax, dword ptr fs:[00000030h]	6_2_01128B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h]	6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h]	6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h]	6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h]	6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105F358 mov eax, dword ptr fs:[00000030h]	6_2_0105F358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105DB60 mov ecx, dword ptr fs:[00000030h]	6_2_0105DB60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E6365 mov eax, dword ptr fs:[00000030h]	6_2_010E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E6365 mov eax, dword ptr fs:[00000030h]	6_2_010E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E6365 mov eax, dword ptr fs:[00000030h]	6_2_010E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01083B7A mov eax, dword ptr fs:[00000030h]	6_2_01083B7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01083B7A mov eax, dword ptr fs:[00000030h]	6_2_01083B7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01057B70 mov eax, dword ptr fs:[00000030h]	6_2_01057B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106F370 mov eax, dword ptr fs:[00000030h]	6_2_0106F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106F370 mov eax, dword ptr fs:[00000030h]	6_2_0106F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106F370 mov eax, dword ptr fs:[00000030h]	6_2_0106F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108138B mov eax, dword ptr fs:[00000030h]	6_2_0108138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108138B mov eax, dword ptr fs:[00000030h]	6_2_0108138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108138B mov eax, dword ptr fs:[00000030h]	6_2_0108138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010FEB8A mov ecx, dword ptr fs:[00000030h]	6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010FEB8A mov eax, dword ptr fs:[00000030h]	6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010FEB8A mov eax, dword ptr fs:[00000030h]	6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010FEB8A mov eax, dword ptr fs:[00000030h]	6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01061B8F mov eax, dword ptr fs:[00000030h]	6_2_01061B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01061B8F mov eax, dword ptr fs:[00000030h]	6_2_01061B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0110D380 mov ecx, dword ptr fs:[00000030h]	6_2_0110D380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01054B94 mov edi, dword ptr fs:[00000030h]	6_2_01054B94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108B390 mov eax, dword ptr fs:[00000030h]	6_2_0108B390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111138A mov eax, dword ptr fs:[00000030h]	6_2_0111138A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107EB9A mov eax, dword ptr fs:[00000030h]	6_2_0107EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107EB9A mov eax, dword ptr fs:[00000030h]	6_2_0107EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082397 mov eax, dword ptr fs:[00000030h]	6_2_01082397
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01128BB6 mov eax, dword ptr fs:[00000030h]	6_2_01128BB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084BAD mov eax, dword ptr fs:[00000030h]	6_2_01084BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084BAD mov eax, dword ptr fs:[00000030h]	6_2_01084BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084BAD mov eax, dword ptr fs:[00000030h]	6_2_01084BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01129BBE mov eax, dword ptr fs:[00000030h]	6_2_01129BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01125BA5 mov eax, dword ptr fs:[00000030h]	6_2_01125BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111BA8 mov eax, dword ptr fs:[00000030h]	6_2_01111BA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D53CA mov eax, dword ptr fs:[00000030h]	6_2_010D53CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D53CA mov eax, dword ptr fs:[00000030h]	6_2_010D53CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010853C5 mov eax, dword ptr fs:[00000030h]	6_2_010853C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h]	6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h]	6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h]	6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h]	6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h]	6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h]	6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01051BE9 mov eax, dword ptr fs:[00000030h]	6_2_01051BE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107DBE9 mov eax, dword ptr fs:[00000030h]	6_2_0107DBE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011023E3 mov ecx, dword ptr fs:[00000030h]	6_2_011023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011023E3 mov ecx, dword ptr fs:[00000030h]	6_2_011023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011023E3 mov eax, dword ptr fs:[00000030h]	6_2_011023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov ecx, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h]	6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111AA16 mov eax, dword ptr fs:[00000030h]	6_2_0111AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111AA16 mov eax, dword ptr fs:[00000030h]	6_2_0111AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01068A0A mov eax, dword ptr fs:[00000030h]	6_2_01068A0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105AA16 mov eax, dword ptr fs:[00000030h]	6_2_0105AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105AA16 mov eax, dword ptr fs:[00000030h]	6_2_0105AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055210 mov eax, dword ptr fs:[00000030h]	6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055210 mov ecx, dword ptr fs:[00000030h]	6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055210 mov eax, dword ptr fs:[00000030h]	6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055210 mov eax, dword ptr fs:[00000030h]	6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01073A1C mov eax, dword ptr fs:[00000030h]	6_2_01073A1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01094A2C mov eax, dword ptr fs:[00000030h]	6_2_01094A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01094A2C mov eax, dword ptr fs:[00000030h]	6_2_01094A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01054A20 mov eax, dword ptr fs:[00000030h]	6_2_01054A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01054A20 mov eax, dword ptr fs:[00000030h]	6_2_01054A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h]	6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h]	6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h]	6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h]	6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h]	6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h]	6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h]	6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111229 mov eax, dword ptr fs:[00000030h]	6_2_01111229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01058239 mov eax, dword ptr fs:[00000030h]	6_2_01058239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01058239 mov eax, dword ptr fs:[00000030h]	6_2_01058239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01058239 mov eax, dword ptr fs:[00000030h]	6_2_01058239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111EA55 mov eax, dword ptr fs:[00000030h]	6_2_0111EA55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h]	6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h]	6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h]	6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h]	6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111A5F mov eax, dword ptr fs:[00000030h]	6_2_01111A5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E4257 mov eax, dword ptr fs:[00000030h]	6_2_010E4257
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h]	6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h]	6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h]	6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h]	6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01095A69 mov eax, dword ptr fs:[00000030h]	6_2_01095A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01095A69 mov eax, dword ptr fs:[00000030h]	6_2_01095A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01095A69 mov eax, dword ptr fs:[00000030h]	6_2_01095A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0110B260 mov eax, dword ptr fs:[00000030h]	6_2_0110B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0110B260 mov eax, dword ptr fs:[00000030h]	6_2_0110B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01128A62 mov eax, dword ptr fs:[00000030h]	6_2_01128A62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0109927A mov eax, dword ptr fs:[00000030h]	6_2_0109927A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108DA88 mov eax, dword ptr fs:[00000030h]	6_2_0108DA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108DA88 mov eax, dword ptr fs:[00000030h]	6_2_0108DA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111129A mov eax, dword ptr fs:[00000030h]	6_2_0111129A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108D294 mov eax, dword ptr fs:[00000030h]	6_2_0108D294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108D294 mov eax, dword ptr fs:[00000030h]	6_2_0108D294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h]	6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h]	6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h]	6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h]	6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h]	6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01051AA0 mov eax, dword ptr fs:[00000030h]	6_2_01051AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010662A0 mov eax, dword ptr fs:[00000030h]	6_2_010662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010662A0 mov eax, dword ptr fs:[00000030h]	6_2_010662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010662A0 mov eax, dword ptr fs:[00000030h]	6_2_010662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010662A0 mov eax, dword ptr fs:[00000030h]	6_2_010662A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01085AA0 mov eax, dword ptr fs:[00000030h]	6_2_01085AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01085AA0 mov eax, dword ptr fs:[00000030h]	6_2_01085AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010812BD mov esi, dword ptr fs:[00000030h]	6_2_010812BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010812BD mov eax, dword ptr fs:[00000030h]	6_2_010812BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010812BD mov eax, dword ptr fs:[00000030h]	6_2_010812BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106AAB0 mov eax, dword ptr fs:[00000030h]	6_2_0106AAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106AAB0 mov eax, dword ptr fs:[00000030h]	6_2_0106AAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108FAB0 mov eax, dword ptr fs:[00000030h]	6_2_0108FAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082ACB mov eax, dword ptr fs:[00000030h]	6_2_01082ACB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055AC0 mov eax, dword ptr fs:[00000030h]	6_2_01055AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055AC0 mov eax, dword ptr fs:[00000030h]	6_2_01055AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01055AC0 mov eax, dword ptr fs:[00000030h]	6_2_01055AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01053ACA mov eax, dword ptr fs:[00000030h]	6_2_01053ACA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01128ADD mov eax, dword ptr fs:[00000030h]	6_2_01128ADD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010512D4 mov eax, dword ptr fs:[00000030h]	6_2_010512D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082AE4 mov eax, dword ptr fs:[00000030h]	6_2_01082AE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B2E8 mov eax, dword ptr fs:[00000030h]	6_2_0111B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B2E8 mov eax, dword ptr fs:[00000030h]	6_2_0111B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B2E8 mov eax, dword ptr fs:[00000030h]	6_2_0111B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B2E8 mov eax, dword ptr fs:[00000030h]	6_2_0111B2E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01114AEF mov eax, dword ptr fs:[00000030h]	6_2_01114AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01113518 mov eax, dword ptr fs:[00000030h]	6_2_01113518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01113518 mov eax, dword ptr fs:[00000030h]	6_2_01113518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01113518 mov eax, dword ptr fs:[00000030h]	6_2_01113518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010FCD04 mov eax, dword ptr fs:[00000030h]	6_2_010FCD04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01059515 mov ecx, dword ptr fs:[00000030h]	6_2_01059515
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105751A mov eax, dword ptr fs:[00000030h]	6_2_0105751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105751A mov eax, dword ptr fs:[00000030h]	6_2_0105751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105751A mov eax, dword ptr fs:[00000030h]	6_2_0105751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105751A mov eax, dword ptr fs:[00000030h]	6_2_0105751A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01128D34 mov eax, dword ptr fs:[00000030h]	6_2_01128D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111E539 mov eax, dword ptr fs:[00000030h]	6_2_0111E539
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108F527 mov eax, dword ptr fs:[00000030h]	6_2_0108F527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108F527 mov eax, dword ptr fs:[00000030h]	6_2_0108F527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108F527 mov eax, dword ptr fs:[00000030h]	6_2_0108F527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01063D34 mov eax, dword ptr fs:[00000030h]	6_2_01063D34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084D3B mov eax, dword ptr fs:[00000030h]	6_2_01084D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084D3B mov eax, dword ptr fs:[00000030h]	6_2_01084D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01084D3B mov eax, dword ptr fs:[00000030h]	6_2_01084D3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105AD30 mov eax, dword ptr fs:[00000030h]	6_2_0105AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010DA537 mov eax, dword ptr fs:[00000030h]	6_2_010DA537
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0110FD52 mov eax, dword ptr fs:[00000030h]	6_2_0110FD52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105354C mov eax, dword ptr fs:[00000030h]	6_2_0105354C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0105354C mov eax, dword ptr fs:[00000030h]	6_2_0105354C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01093D43 mov eax, dword ptr fs:[00000030h]	6_2_01093D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D3540 mov eax, dword ptr fs:[00000030h]	6_2_010D3540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01103D40 mov eax, dword ptr fs:[00000030h]	6_2_01103D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01077D50 mov eax, dword ptr fs:[00000030h]	6_2_01077D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01108D47 mov eax, dword ptr fs:[00000030h]	6_2_01108D47
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01094D51 mov eax, dword ptr fs:[00000030h]	6_2_01094D51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01094D51 mov eax, dword ptr fs:[00000030h]	6_2_01094D51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107C577 mov eax, dword ptr fs:[00000030h]	6_2_0107C577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0107C577 mov eax, dword ptr fs:[00000030h]	6_2_0107C577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01078D76 mov eax, dword ptr fs:[00000030h]	6_2_01078D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01078D76 mov eax, dword ptr fs:[00000030h]	6_2_01078D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01078D76 mov eax, dword ptr fs:[00000030h]	6_2_01078D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01078D76 mov eax, dword ptr fs:[00000030h]	6_2_01078D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01078D76 mov eax, dword ptr fs:[00000030h]	6_2_01078D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082581 mov eax, dword ptr fs:[00000030h]	6_2_01082581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082581 mov eax, dword ptr fs:[00000030h]	6_2_01082581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082581 mov eax, dword ptr fs:[00000030h]	6_2_01082581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01082581 mov eax, dword ptr fs:[00000030h]	6_2_01082581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01052D8A mov eax, dword ptr fs:[00000030h]	6_2_01052D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01052D8A mov eax, dword ptr fs:[00000030h]	6_2_01052D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01052D8A mov eax, dword ptr fs:[00000030h]	6_2_01052D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01052D8A mov eax, dword ptr fs:[00000030h]	6_2_01052D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01052D8A mov eax, dword ptr fs:[00000030h]	6_2_01052D8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B581 mov eax, dword ptr fs:[00000030h]	6_2_0111B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B581 mov eax, dword ptr fs:[00000030h]	6_2_0111B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B581 mov eax, dword ptr fs:[00000030h]	6_2_0111B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111B581 mov eax, dword ptr fs:[00000030h]	6_2_0111B581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108FD9B mov eax, dword ptr fs:[00000030h]	6_2_0108FD9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0108FD9B mov eax, dword ptr fs:[00000030h]	6_2_0108FD9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82 mov eax, dword ptr fs:[00000030h]	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82 mov eax, dword ptr fs:[00000030h]	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82 mov eax, dword ptr fs:[00000030h]	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82 mov eax, dword ptr fs:[00000030h]	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82 mov eax, dword ptr fs:[00000030h]	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82 mov eax, dword ptr fs:[00000030h]	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01112D82 mov eax, dword ptr fs:[00000030h]	6_2_01112D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01053591 mov eax, dword ptr fs:[00000030h]	6_2_01053591
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010865A0 mov eax, dword ptr fs:[00000030h]	6_2_010865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010865A0 mov eax, dword ptr fs:[00000030h]	6_2_010865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010865A0 mov eax, dword ptr fs:[00000030h]	6_2_010865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010835A1 mov eax, dword ptr fs:[00000030h]	6_2_010835A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01095DBF mov eax, dword ptr fs:[00000030h]	6_2_01095DBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01095DBF mov eax, dword ptr fs:[00000030h]	6_2_01095DBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01081DB5 mov eax, dword ptr fs:[00000030h]	6_2_01081DB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01081DB5 mov eax, dword ptr fs:[00000030h]	6_2_01081DB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01081DB5 mov eax, dword ptr fs:[00000030h]	6_2_01081DB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011205AC mov eax, dword ptr fs:[00000030h]	6_2_011205AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_011205AC mov eax, dword ptr fs:[00000030h]	6_2_011205AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0110FDD3 mov eax, dword ptr fs:[00000030h]	6_2_0110FDD3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_010D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_010D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_010D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6DC9 mov ecx, dword ptr fs:[00000030h]	6_2_010D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_010D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6DC9 mov eax, dword ptr fs:[00000030h]	6_2_010D6DC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010515C1 mov eax, dword ptr fs:[00000030h]	6_2_010515C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01108DF1 mov eax, dword ptr fs:[00000030h]	6_2_01108DF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010895EC mov eax, dword ptr fs:[00000030h]	6_2_010895EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106D5E0 mov eax, dword ptr fs:[00000030h]	6_2_0106D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0106D5E0 mov eax, dword ptr fs:[00000030h]	6_2_0106D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E3DE3 mov ecx, dword ptr fs:[00000030h]	6_2_010E3DE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E3DE3 mov eax, dword ptr fs:[00000030h]	6_2_010E3DE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010E3DE3 mov eax, dword ptr fs:[00000030h]	6_2_010E3DE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0111FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0111FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0111FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_0111FDE2 mov eax, dword ptr fs:[00000030h]	6_2_0111FDE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010595F0 mov eax, dword ptr fs:[00000030h]	6_2_010595F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010595F0 mov ecx, dword ptr fs:[00000030h]	6_2_010595F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01128C14 mov eax, dword ptr fs:[00000030h]	6_2_01128C14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6C0A mov eax, dword ptr fs:[00000030h]	6_2_010D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6C0A mov eax, dword ptr fs:[00000030h]	6_2_010D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6C0A mov eax, dword ptr fs:[00000030h]	6_2_010D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_010D6C0A mov eax, dword ptr fs:[00000030h]	6_2_010D6C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01058410 mov eax, dword ptr fs:[00000030h]	6_2_01058410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111C06 mov eax, dword ptr fs:[00000030h]	6_2_01111C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111C06 mov eax, dword ptr fs:[00000030h]	6_2_01111C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111C06 mov eax, dword ptr fs:[00000030h]	6_2_01111C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111C06 mov eax, dword ptr fs:[00000030h]	6_2_01111C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111C06 mov eax, dword ptr fs:[00000030h]	6_2_01111C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111C06 mov eax, dword ptr fs:[00000030h]	6_2_01111C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Code function: 6_2_01111C06 mov eax, dword ptr fs:[00000030h]	6_2_01111C06

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Code function: 6_2_01099860 NtQuerySystemInformation,LdrInitializeThunk,

6_2_01099860

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe

Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1110000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Thread register set: target process: 3324	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Thread register set: target process: 3324	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 3324	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Process created: C:\Users\user\AppData\Roaming\owFIYUUG.exe C:\Users\user\AppData\Roaming\owFIYUUG.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe"	Jump to behavior

Source: explorer.exe, 0000000B.00000000.455879712.00000000086BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.378208988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.378208988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.378208988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.377066230.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.445159754.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.479345772.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Queries volume information: C:\Users\user\AppData\Roaming\owFIYUUG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	412 Process Injection	1 Rootkit	1 Credential API Hooking	321 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 DLL Side-Loading	11 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	412 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\owFIYUUG.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\owFIYUUG.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/-&	0%	Avira URL Cloud	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comldF	0%	Avira URL Cloud	safe
http://www.fontbureau.comedta	0%	Avira URL Cloud	safe
http://www.fontbureau.comasik	0%	Avira URL Cloud	safe
http://www.sakkal.comn	0%	Avira URL Cloud	safe
http://www.fontbureau.comd-&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Q&	0%	Avira URL Cloud	safe
http://www.fontbureau.comFF&	0%	Avira URL Cloud	safe
http://www.fontbureau.comc&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/X&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/u&	0%	Avira URL Cloud	safe
www.shinecleaningasheville.com/f9r5/	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsu&	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.shinecleaningasheville.com/f9r5/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comI.TTF	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322643766.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322703072.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comedta	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322643766.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322703072.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/-&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320263598.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320494921.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320525670.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320440189.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320571444.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320191564.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320099257.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320394274.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320301449.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comldF	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322643766.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322861249.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322703072.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.313670458.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.comn	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319806390.00000000057C4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324285201.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324559034.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324418155.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324662108.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324459395.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.325354347.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.325199869.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324736578.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comgrita	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comasik	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323589071.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcom	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd-&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cnt	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317261346.00000000057B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Q&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/typedesigners.html	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comFF&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320237486.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320477184.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319735455.00000000057C3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319806390.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320289081.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320716381.00000000057BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320419124.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320513514.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320160969.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320652389.00000000057BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320327067.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320085368.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319864076.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320019809.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319971645.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320556591.00000000057C6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comc&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000B.00000000.377790638.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.460452224.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.445459434.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.479699094.000000000091F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317991275.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324285201.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324559034.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324418155.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324662108.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.324459395.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/X&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/u&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320263598.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320191564.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320099257.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318642829.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318619322.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362488084.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.351725281.00000000057C7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321668227.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321718791.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321668227.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317261346.00000000057B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.317261346.00000000057B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322181268.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/s	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlx#	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322861249.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comt	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323136860.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322807447.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322861249.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323229165.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323259594.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323310351.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comm	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322243437.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322074460.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322109625.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322153903.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321820881.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322386330.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321913738.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321855758.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322323380.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321967040.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322281913.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.321718791.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322047224.00000000057D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comalsu&	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323023842.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.322929853.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.323078179.00000000057D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756016
Start date and time:	2022-11-29 14:00:02 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/9@0/0
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 100% (good quality ratio 90.7%) Quality average: 75.2% Quality standard deviation: 30.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 28 Number of non-executed functions: 232
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Execution Graph export aborted for target SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, PID 5808 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:01:11	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe modified
14:01:16	Task Scheduler	Run new task: owFIYUUG path: C:\Users\user\AppData\Roaming\owFIYUUG.exe
14:01:16	API Interceptor	19x Sleep call for process: powershell.exe modified
14:01:28	API Interceptor	1x Sleep call for process: owFIYUUG.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\owFIYUUG.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\owFIYUUG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21832
Entropy (8bit):	5.601252470026008
Encrypted:	false
SSDEEP:	384:htCRDuWQai1oxW1b+RgSBxnoG7iJ9gNSJ3uyVc+m0CP1AVrdYqsRgA+inYM:va4oxA4xoG7NcuSCqOCM
MD5:	8A0EBD4F63004083D9E1B87EADB8F420
SHA1:	DB20459DCEB8FFC473A557BDCB846B4FF6E6CB15
SHA-256:	6CBBAF5136896652C6BB53005B42E35A4D2E17504420BF82A56E3EF55F1C5922
SHA-512:	163A3F16437EAF6B419EBCD271B56990B628D93696CB5F334294D844328CB0047B3C7517E9C797FA415D3AAE91A315785E2E16D55C886FCA101FB23DB4BE857A
Malicious:	false
Preview:	@...e.....................Z.V.K.)...6.M..............@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwzfto0e.i5p.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwi5re21.2w2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\owFIYUUG.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.133232133416081
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTdv
MD5:	3C7813180DB11C81533084FF4928074F
SHA1:	7775FC8013D2C8AE41FD46E208914762FDBE285E
SHA-256:	F7D0D79388EBA3CD3BA2E062BB6806198C306B2431C3C4DE175ED35BAF2AA151
SHA-512:	5C8F15B20752FD1D6F46917EC98F39A9DDE3E42D388D80BEAF27606A514798F68A9BE3978DF0074E34C167329D5B81538D062EDEAEBA40E06454D0EBB5F1BD4B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpE80B.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.133232133416081
Encrypted:	false
SSDEEP:	24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTdv
MD5:	3C7813180DB11C81533084FF4928074F
SHA1:	7775FC8013D2C8AE41FD46E208914762FDBE285E
SHA-256:	F7D0D79388EBA3CD3BA2E062BB6806198C306B2431C3C4DE175ED35BAF2AA151
SHA-512:	5C8F15B20752FD1D6F46917EC98F39A9DDE3E42D388D80BEAF27606A514798F68A9BE3978DF0074E34C167329D5B81538D062EDEAEBA40E06454D0EBB5F1BD4B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\owFIYUUG.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	906240
Entropy (8bit):	7.6340340391964485
Encrypted:	false
SSDEEP:	24576:hIVD2ISXOaDU11ecODssqm/6rw5Roa/W9DdEPf:ha2RXOKcLsq46s5RoafP
MD5:	630FFD21C1DE8A583A4E1627B8AC6534
SHA1:	7CDB7D33A07326FA3B2699BB7308889A0920541A
SHA-256:	02B628DCBFAA0CAD2CCDE62B1CFB16425A8D40B4CAD9DE200569CE1B84981612
SHA-512:	9EE857113DF144F0FED19C1C831CF4731B866E8B5A92417B11C445D2CB9A374C430A6C2FC4A7318BD01A0FDC756132D7F4895F0798A3FDF194AC3B223F10CD68
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D..c..............0.............R.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text...X.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................4.......H.......<...........l...8u...u..........................................^..}.....(.......(......0...........s......o......(........0...........s......o......(........0...........s......o......(........0...........s......o......(........0..+.........,..{.......+....,...{....o........(.......0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

C:\Users\user\AppData\Roaming\owFIYUUG.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6340340391964485
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
File size:	906240
MD5:	630ffd21c1de8a583a4e1627b8ac6534
SHA1:	7cdb7d33a07326fa3b2699bb7308889a0920541a
SHA256:	02b628dcbfaa0cad2ccde62b1cfb16425a8d40b4cad9de200569ce1b84981612
SHA512:	9ee857113df144f0fed19c1c831cf4731b866e8b5a92417b11c445d2cb9a374c430a6c2fc4a7318bd01a0fdc756132d7f4895f0798a3fdf194ac3b223f10cd68
SSDEEP:	24576:hIVD2ISXOaDU11ecODssqm/6rw5Roa/W9DdEPf:ha2RXOKcLsq46s5RoafP
TLSH:	F615DF903366AFB1F5286BF37521900827B63C6FA5E1D2295DDDB0CE2A71B4149F0B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D..c..............0.............R.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4deb52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385B444 [Tue Nov 29 07:27:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdeb00	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe0000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdcb58	0xdcc00	False	0.819646712202718	data	7.640989875299505	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe0000	0x388	0x400	False	0.369140625	data	2.8465332420355964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe2000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe0058	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE2
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE2
GetMessageW	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE2
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE2

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exePID: 5808, Parent PID: 3324

General

Target ID:	0
Start time:	14:01:03
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Imagebase:	0x400000
File size:	906240 bytes
MD5 hash:	630FFD21C1DE8A583A4E1627B8AC6534
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 1436, Parent PID: 5808

General

Target ID:	1
Start time:	14:01:13
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe
Imagebase:	0x8d0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3492, Parent PID: 1436

General

Target ID:	2
Start time:	14:01:13
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 1092, Parent PID: 5808

General

Target ID:	3
Start time:	14:01:13
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp
Imagebase:	0xd90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2960, Parent PID: 1092

General

Target ID:	4
Start time:	14:01:13
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: owFIYUUG.exePID: 5580, Parent PID: 1084

General

Target ID:	5
Start time:	14:01:16
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\owFIYUUG.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\owFIYUUG.exe
Imagebase:	0xb00000
File size:	906240 bytes
MD5 hash:	630FFD21C1DE8A583A4E1627B8AC6534
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exePID: 1044, Parent PID: 5808

General

Target ID:	6
Start time:	14:01:18
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Imagebase:	0x640000
File size:	906240 bytes
MD5 hash:	630FFD21C1DE8A583A4E1627B8AC6534
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: schtasks.exePID: 2204, Parent PID: 5580

General

Target ID:	8
Start time:	14:01:31
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp
Imagebase:	0xd90000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2940, Parent PID: 2204

General

Target ID:	9
Start time:	14:01:31
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: owFIYUUG.exePID: 4764, Parent PID: 5580

General

Target ID:	10
Start time:	14:01:32
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\owFIYUUG.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\owFIYUUG.exe
Imagebase:	0xf20000
File size:	906240 bytes
MD5 hash:	630FFD21C1DE8A583A4E1627B8AC6534
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3324, Parent PID: 4764

General

Target ID:	11
Start time:	14:01:34
Start date:	29/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69bc80000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 5544, Parent PID: 3324

General

Target ID:	14
Start time:	14:02:38
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0x1110000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1380, Parent PID: 5544

General

Target ID:	15
Start time:	14:02:44
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe"
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3492, Parent PID: 1380

General

Target ID:	16
Start time:	14:02:45
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exePID: 5808, Parent PID: 3324COMMON

Executed Functions

Function 009BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352172091.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cac9104904e0c0f29c1428b2a52c6229b7a62642de84cf8858da8fa8e8b4434
Instruction ID: 8d280e2b0af0c13768140264ca6b903262bdcab754115e724bc4bb153d130662
Opcode Fuzzy Hash: 0cac9104904e0c0f29c1428b2a52c6229b7a62642de84cf8858da8fa8e8b4434
Instruction Fuzzy Hash: FB214871500240DFDB21DF14DAC0BA6BF65FB98338F248979E8050B65AD37AD846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352172091.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100663bff434900aac505fe9206c2b80cf5a2c584cde44e436d597839e5fd0c2
Instruction ID: 956f5ef2883cf3384f86226c8d2232b8d7f47029aef07ae88f91ca3af6c5833a
Opcode Fuzzy Hash: 100663bff434900aac505fe9206c2b80cf5a2c584cde44e436d597839e5fd0c2
Instruction Fuzzy Hash: 64110876504280DFDF12CF10D6C4B56BF71FB98324F28C6A9E8450B61AC33AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009BD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352172091.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30416f1fbc4d8f92238cb0b17535ff404e1e9bb315dcd2e816286d613cb32573
Instruction ID: d72db83b657f0596728d79adb8c666f395c556a8c39d51ae8e5e37c42366e73c
Opcode Fuzzy Hash: 30416f1fbc4d8f92238cb0b17535ff404e1e9bb315dcd2e816286d613cb32573
Instruction Fuzzy Hash: 0101F7B10063849AE7205E15CEC4BE6BBDCEF51338F18896AE9090B746EB799C44C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 009BD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.352172091.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9bd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf48d947784b082ab6ac39f20bc62c66e56f6338be61742c80d821f18073dba
Instruction ID: ab1db0801ad3dbd71057fe03432792806f7ea17cbe94bac2d4afd412b08bfeb3
Opcode Fuzzy Hash: 5bf48d947784b082ab6ac39f20bc62c66e56f6338be61742c80d821f18073dba
Instruction Fuzzy Hash: 8FF062B14053849AE7109E15CDC4BA2FFACEB51734F18C45AED085B686D7799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: owFIYUUG.exePID: 5580, Parent PID: 1084COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.7%
Total number of Nodes:	192
Total number of Limit Nodes:	12

Executed Functions

Function 01684938 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.376375697.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1680000_owFIYUUG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d59f42ff07dbf025a73af9313de032809d6988fcbc197b143498ad5c88acec0
Instruction ID: f3d1c88d292795fbc17a01fcb066077bae52ead05f9dd7405954aaff576b99c4
Opcode Fuzzy Hash: 0d59f42ff07dbf025a73af9313de032809d6988fcbc197b143498ad5c88acec0
Instruction Fuzzy Hash: C032D434A00219CFDB54EFA8D994B9DB7B2FF8A304F1585A9D409AB365DB30AD85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01684948 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.376375697.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1680000_owFIYUUG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164b6e9fd6b9417146bde51a9072898c04d3f1bd8147f5297ba6cb05513cdac4
Instruction ID: 7be0dde5bb7ba140d98dc44c320fbee852835c253bd9712934a3b917e80da3cd
Opcode Fuzzy Hash: 164b6e9fd6b9417146bde51a9072898c04d3f1bd8147f5297ba6cb05513cdac4
Instruction Fuzzy Hash: D132C334A00219CFDB64EFA4D994B9DB7B2FF8A304F1585A9D409AB365DB30AD85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0157B6C1 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0157B730
GetCurrentThread.KERNEL32 ref: 0157B76D
GetCurrentProcess.KERNEL32 ref: 0157B7AA
GetCurrentThreadId.KERNEL32 ref: 0157B803

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 62a38d001e824c0e8f92f66a058a0f624e22a080a92a67652e2b073afe685a37
Instruction ID: 1ba7b7ebefeff319186ac8019bf14cbf927cbd1a3964f7b23c23c841d2e2ab69
Opcode Fuzzy Hash: 62a38d001e824c0e8f92f66a058a0f624e22a080a92a67652e2b073afe685a37
Instruction Fuzzy Hash: 845154B09002498FDB24CFA9D948BEEBBF1BF48318F28856AE409A7760C7745844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0157B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0157B730
GetCurrentThread.KERNEL32 ref: 0157B76D
GetCurrentProcess.KERNEL32 ref: 0157B7AA
GetCurrentThreadId.KERNEL32 ref: 0157B803

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d65fb01f9b4202447946ef0b4e8b4093965457579ac9d3064be6ecb68cbfbcef
Instruction ID: 1d9ad21a9a8ca96d21046c7054ab51334583e4726eec829c2c7859b3de20c68e
Opcode Fuzzy Hash: d65fb01f9b4202447946ef0b4e8b4093965457579ac9d3064be6ecb68cbfbcef
Instruction Fuzzy Hash: 025155B09002498FDB24CFAAD948BDEBBF5FF48314F24846AE409A7760D7349844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0157FD2C Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0157FE4A

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e8cea5025510524e2418cef9896dd78c9c38283e84bb09a039fd9c4ead1735d7
Instruction ID: 5ab18ed6867cc5f5b0447e68fadedc0efd43e3c03e9f7a876d203d6f926f56fd
Opcode Fuzzy Hash: e8cea5025510524e2418cef9896dd78c9c38283e84bb09a039fd9c4ead1735d7
Instruction Fuzzy Hash: A051C0B1D103099FDB14CFA9D985ADEBFB1BF88314F24852AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0157FD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0157FE4A

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c12c0ce48b11c730a12b4a3270eed5583b00b20c642c764e298c4645a63daef9
Instruction ID: 63f7a252989f3fb21ef30b9395b6d98ab0a8aa37c43db1e6a53ee60cfd8ac9a4
Opcode Fuzzy Hash: c12c0ce48b11c730a12b4a3270eed5583b00b20c642c764e298c4645a63daef9
Instruction Fuzzy Hash: 7741C0B1D003099FDF14CFA9D985ADEBFB5BF48314F24852AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01575364 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01575421

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0fa2d2257b73189ea7bfafbecc9780ea6fb8aa51231e72c01dc0c2573106891b
Instruction ID: 673d1e9b6f3bf9af584bf152d7fe74e78504e6800625b8004ba6a85c5d4879cd
Opcode Fuzzy Hash: 0fa2d2257b73189ea7bfafbecc9780ea6fb8aa51231e72c01dc0c2573106891b
Instruction Fuzzy Hash: 9D410471D00218CFDB24CFAAC945BCEBBF5BF58308F54856AD408AB251DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 01573DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01575421

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5e07d5e64813db51503ab1e4eb1a44ec2e1003404a87d5a7cb005144d8e4a959
Instruction ID: caacd1fd3def970389b868b304ff4a70bc786dff3448da97ca126429f694cd1d
Opcode Fuzzy Hash: 5e07d5e64813db51503ab1e4eb1a44ec2e1003404a87d5a7cb005144d8e4a959
Instruction Fuzzy Hash: 66410271D0021CCFDB24CFAAC945BCEBBB1BF58308F54846AD409AB251DBB56949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016823B0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01682471

Memory Dump Source

Source File: 00000005.00000002.376375697.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1680000_owFIYUUG.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 088d69c8993104772263a61b14f43a0872fe40ad7250d64b44f3d162b5fc1832
Instruction ID: 621a65e676f21db732c717ca704f975439726663f3958534cc7c9631a8023376
Opcode Fuzzy Hash: 088d69c8993104772263a61b14f43a0872fe40ad7250d64b44f3d162b5fc1832
Instruction Fuzzy Hash: 054138B4A003058FCB14CF99C888AAABBF5FF88314F25C55DE519AB321D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01577D57 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 01577E3D

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 4cc07b5636643af7e610fcf24d11eb3373b386d0abec55c1c91f6df8a5a5c81c
Instruction ID: aa2a20005c3bc15522da95144abc04c768cbc48c2e73d1bd4a0539fefbd3ae1a
Opcode Fuzzy Hash: 4cc07b5636643af7e610fcf24d11eb3373b386d0abec55c1c91f6df8a5a5c81c
Instruction Fuzzy Hash: D231DF729153858FDB21CF68F8093EA7FF4FB15314F0848AAC4949B252D7384909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0157B8F2 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157B97F

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e98b9825055d61bc73baca9a9493c53d6fea7659b055c0088359f4fc7a9e6a7
Instruction ID: c57e1aeeb537a47c21b778fa1c5dec69b2bc5543c6eb03a2314f007944b7baf0
Opcode Fuzzy Hash: 5e98b9825055d61bc73baca9a9493c53d6fea7659b055c0088359f4fc7a9e6a7
Instruction Fuzzy Hash: 1721E3B5D003189FDB10CFA9D584AEEBBF5FB48324F14842AE858A7710C378A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0157B8F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157B97F

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8d14365c89a6a02fffa80494118c4353929c0294418370c396f8173c11ca1f4d
Instruction ID: bc9ef40936f02a5be96b87c7e6040cca1828eab0ce4fdd720fa62d139ae65f11
Opcode Fuzzy Hash: 8d14365c89a6a02fffa80494118c4353929c0294418370c396f8173c11ca1f4d
Instruction Fuzzy Hash: 2B21D5B5D002199FDB10CFA9D584ADEFBF8FB48324F14841AE958A7710D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01680012 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 0168009D

Memory Dump Source

Source File: 00000005.00000002.376375697.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1680000_owFIYUUG.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7164f9cc85333c43d52fc815ea66dba85aba78c2ebf681467f237f9138a042cd
Instruction ID: d5f8ab6be44a39ec050c29cf38719d416959aff06612ef955b3828f49d330c5a
Opcode Fuzzy Hash: 7164f9cc85333c43d52fc815ea66dba85aba78c2ebf681467f237f9138a042cd
Instruction Fuzzy Hash: 332167B18003498FDB20CF99C848BDABFF4EF49324F14885AE858A7311D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015794B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01579991,00000800,00000000,00000000), ref: 01579BA2

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4573f01395135ad764c2496272a33219962f392b2b38158a38e1fb8fde49e534
Instruction ID: 92d48f39471e31ceee303c3a5f62579d009e12c075959cd1d49a2fd850685d32
Opcode Fuzzy Hash: 4573f01395135ad764c2496272a33219962f392b2b38158a38e1fb8fde49e534
Instruction Fuzzy Hash: 971114B29042098FDB20CF9AD544AEEFBF4FB98324F54842EE419A7610C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01579B30 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01579991,00000800,00000000,00000000), ref: 01579BA2

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ce5db13f5c660c5c3914a05c6307225b89b525b69f3d84f4757e74bb9ba1d804
Instruction ID: 2302f1580750a05434cc959ed322548afe100e1b2198fc9cfdd17c57dae34f92
Opcode Fuzzy Hash: ce5db13f5c660c5c3914a05c6307225b89b525b69f3d84f4757e74bb9ba1d804
Instruction Fuzzy Hash: 0A1114B29002498FDB20CF9AD544AEEFBF4FF88324F14842ED419AB610C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015798AA Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01579916

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5db226de66391b43b46c8c19a3af5e6c2a162e809e781baa16f1877bca9a8ba1
Instruction ID: d34921f39accbb4a44ed164341efb418839542525c58cd10b26853325ecd28c4
Opcode Fuzzy Hash: 5db226de66391b43b46c8c19a3af5e6c2a162e809e781baa16f1877bca9a8ba1
Instruction Fuzzy Hash: E5111FB2D002098FDB20CFAAD544ADEFBF4FB89328F10842AD419A7610C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015798B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01579916

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 266ddc76a6460456d92ee1cf6b469369cc6fccc0f4e6e7b342cacb2d702cc95a
Instruction ID: 71f677eb1a858bcd6ae274f9c29fe7d14564b5d993418420f7cddadd4c74645f
Opcode Fuzzy Hash: 266ddc76a6460456d92ee1cf6b469369cc6fccc0f4e6e7b342cacb2d702cc95a
Instruction Fuzzy Hash: A711DFB6D002498FDB20CF9AD544ADEFBF4EB88228F14846AD469B7610D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07D38BF0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 07D38C48

Memory Dump Source

Source File: 00000005.00000002.381589669.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7d30000_owFIYUUG.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bd7e1bc3b425f1152e9e7809265bc8a4c4fa29a0aa2c726a445801203cfa947a
Instruction ID: e2e56c01ffbb90ce9c446d1db49e9e939a7ba9664320fd4bb90eb4b2b0c19f20
Opcode Fuzzy Hash: bd7e1bc3b425f1152e9e7809265bc8a4c4fa29a0aa2c726a445801203cfa947a
Instruction Fuzzy Hash: F71115B18003198FCB20CF9AC545BDEFBF4EB48324F14886AE558A7750D738A949DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01680040 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0168009D

Memory Dump Source

Source File: 00000005.00000002.376375697.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1680000_owFIYUUG.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c4d0bdd2b634008bf8f8b7b53fa03e4f254d79d0373ecbf3f6afb3e9affebabc
Instruction ID: 0a2fb043b7b132807daaaab097636948600ba6d6d90c9279e9ac95cff03abaaf
Opcode Fuzzy Hash: c4d0bdd2b634008bf8f8b7b53fa03e4f254d79d0373ecbf3f6afb3e9affebabc
Instruction Fuzzy Hash: 641115B58002098FDB20DF99D585BDEBBF8EB48324F10891AE818A3710C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07D38208 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07D38265

Memory Dump Source

Source File: 00000005.00000002.381589669.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7d30000_owFIYUUG.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fcb7771b4cd0e862a6ba2a941a6fb90e1b5e2366eedf2007bee220d1cdbdc3ca
Instruction ID: 8e8ade5af9992886b061d8e1296b89366af1d486d1254816042616d51cc0926f
Opcode Fuzzy Hash: fcb7771b4cd0e862a6ba2a941a6fb90e1b5e2366eedf2007bee220d1cdbdc3ca
Instruction Fuzzy Hash: D511D0B58006499FDB20CF9AD985BDEFBF8EB48324F14881AE459A7610C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0157E5B0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1fa7668be2a4f4c22cb01d223a920cec00aa0b0e567dc78abe1f98be5fe604
Instruction ID: 3316b3befa80f5c8131b011645eee0220062f43141a8bfb6f31d4ddeb86bdeaa
Opcode Fuzzy Hash: fd1fa7668be2a4f4c22cb01d223a920cec00aa0b0e567dc78abe1f98be5fe604
Instruction Fuzzy Hash: EA12D7F14237668BE330CF65E5885893B71B74532AB924209D2721FAD8E7F4114EEF46

Uniqueness

Uniqueness Score: -1.00%

Function 0157C164 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3459003034dbf95b1fa930c424251522ec9febce1c2b7825493269eea0f0cef6
Instruction ID: ea8e78fe31aa162845306c01b08f1bb7adfd0349548a2a564d606b1a5e1b69b3
Opcode Fuzzy Hash: 3459003034dbf95b1fa930c424251522ec9febce1c2b7825493269eea0f0cef6
Instruction Fuzzy Hash: F2A15C32E0021A8FCF15DFE9D8449DEBBB2FF85300B15856AE905AF265EB71A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0157E5A2 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.375515348.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1570000_owFIYUUG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d71ebaf1f1223c7bd6fa977cb8f16127d249372fc6b8e7a05cc5164c6e750b
Instruction ID: 5ff7e7f39c455a76d4254a2e7f51bad9ff26c0b3a1d86705cad4f9d4b4bcc552
Opcode Fuzzy Hash: 32d71ebaf1f1223c7bd6fa977cb8f16127d249372fc6b8e7a05cc5164c6e750b
Instruction Fuzzy Hash: 07C129B14237668BE330CF65E9881893B71FB8532AF524219D1726F6D8E7B4108EEF45

Uniqueness

Uniqueness Score: -1.00%

Function 07D30007 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.381589669.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7d30000_owFIYUUG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0cd5661285c022daaa83257b7271783edd3390ceee13ab0fa94f7e403b4f9f
Instruction ID: ca8605b209caa371733d0a43cce0fbbd7d8687c3548dcaf0469b081840b74290
Opcode Fuzzy Hash: ce0cd5661285c022daaa83257b7271783edd3390ceee13ab0fa94f7e403b4f9f
Instruction Fuzzy Hash: 3E415E71E05A548FE719CF679D416CAFBF3AFC9211F18C1BAC44CAA265EB3409468F11

Uniqueness

Uniqueness Score: -1.00%

Function 07D30040 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.381589669.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7d30000_owFIYUUG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b38f78b77b235d9c9995ab4e817759bcabffb85bfb6e0c00f1f9a894eee82
Instruction ID: 934442626d513a7d7d1ece80addf1b25759d651e88e4369f4d9fedaa730967ae
Opcode Fuzzy Hash: 549b38f78b77b235d9c9995ab4e817759bcabffb85bfb6e0c00f1f9a894eee82
Instruction Fuzzy Hash: 1B4135B1E05A58CFEB5CCF6B8D4168AFAF7AFC9201F14C1B9844CAA255EB3059858F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exePID: 1044, Parent PID: 5808COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	34.4%
Total number of Nodes:	32
Total number of Limit Nodes:	1

Executed Functions

Function 01099860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0109986A

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0519bab75daf4e1ff0f91e507ddac5773def89b543715a974b3634832043ab8
Instruction ID: e39a60ca623bb4abd20a526d14ef158471281c48d64abb3ccee174302c19e1f2
Opcode Fuzzy Hash: f0519bab75daf4e1ff0f91e507ddac5773def89b543715a974b3634832043ab8
Instruction Fuzzy Hash: 9F90027120100923D11161D985047071109A7D0281FD1C412A0814598DDA968952B261

Uniqueness

Uniqueness Score: -1.00%

Function 01099660 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0109966A

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e992dd9d19beeeb10062b9a2670136354475db4c6de158b34eb49c12b11c82d8
Instruction ID: 577d6c93e703d1c9fa0c69ee0068d368421fb464a34ff48cf6ec3162e4361eb5
Opcode Fuzzy Hash: e992dd9d19beeeb10062b9a2670136354475db4c6de158b34eb49c12b11c82d8
Instruction Fuzzy Hash: FA90027120100D12D18071D9840464A1105A7D1341FD1C015A0415694DCE558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 010996E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010996EA

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6b7f92c5552c80e1b3eaaa126c4b915bcdd80e8283b40e15118db83bf2db271
Instruction ID: 18fff2ad34053bd52854c1b55d10c397d85d71d6b63a73d92d69f49208c760ce
Opcode Fuzzy Hash: a6b7f92c5552c80e1b3eaaa126c4b915bcdd80e8283b40e15118db83bf2db271
Instruction Fuzzy Hash: C390027120108D12D11061D9C40474A1105A7D0341FD5C411A4814698DCAD588917261

Uniqueness

Uniqueness Score: -1.00%

Function 0109967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01099694

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e7b59a91347aac1e959d12d62319506f0aa6c9d21a2978405c1d238e8a70ea93
Instruction ID: e916c4108128a425b09e695ce5a11a669f60918a7e7d4ec91e60baf5fed0dd51
Opcode Fuzzy Hash: e7b59a91347aac1e959d12d62319506f0aa6c9d21a2978405c1d238e8a70ea93
Instruction Fuzzy Hash: A4B09B719014C5D5DB51D7E546087177A4077D4745F56C055D1420681B8778C091F6F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0110B260 Relevance: 37.8, Strings: 30, Instructions: 262
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

The instruction at %p referenced memory at %p., xrefs: 0110B432
*** Resource timeout (%p) in %ws:%s, xrefs: 0110B352
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0110B3D6
*** enter .exr %p for the exception record, xrefs: 0110B4F1
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0110B476
*** An Access Violation occurred in %ws:%s, xrefs: 0110B48F
write to, xrefs: 0110B4A6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0110B305
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0110B323
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0110B314
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0110B2DC
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0110B39B
*** enter .cxr %p for the context, xrefs: 0110B50D
*** Inpage error in %ws:%s, xrefs: 0110B418
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0110B2F3
*** then kb to get the faulting stack, xrefs: 0110B51C
Go determine why that thread has not released the critical section., xrefs: 0110B3C5
a NULL pointer, xrefs: 0110B4E0
This failed because of error %Ix., xrefs: 0110B446
an invalid address, %p, xrefs: 0110B4CF
The resource is owned exclusively by thread %p, xrefs: 0110B374
<unknown>, xrefs: 0110B27E, 0110B2D1, 0110B350, 0110B399, 0110B417, 0110B48E
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0110B38F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0110B484
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0110B47D
The critical section is owned by thread %p., xrefs: 0110B3B9
The instruction at %p tried to %s , xrefs: 0110B4B6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0110B53F
read from, xrefs: 0110B4AD, 0110B4B2
The resource is owned shared by %d threads, xrefs: 0110B37E

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: ea3344cbf68d363271ad9cf160e2bf5b4a8c9ce55abc3831a6ba3a381799e8b0
Instruction ID: f75be8fbc2b0e434dd9ffd35f5c9bafc6acbc5979b1f0a257ff2f6542a3ad8db
Opcode Fuzzy Hash: ea3344cbf68d363271ad9cf160e2bf5b4a8c9ce55abc3831a6ba3a381799e8b0
Instruction Fuzzy Hash: 878179BCE88200FFDB2A6B4ADC89DAB3B25FF66755F020058F5845F162D3A18511C776

Uniqueness

Uniqueness Score: -1.00%

Function 01111C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E01111C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x10348a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0105B150();
				} else {
					E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x114589c);
				E0105B150("Heap error detected at %p (heap handle %p)\n",  *0x11458a0);
				_t27 =  *0x1145898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01111E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0105B150();
				} else {
					E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0105B150("Error code: %d - %s\n",  *0x1145898);
				_t113 =  *0x11458a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0105B150("Parameter1: %p\n",  *0x11458a4);
				}
				_t115 =  *0x11458a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0105B150("Parameter2: %p\n",  *0x11458a8);
				}
				_t117 =  *0x11458ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0105B150("Parameter3: %p\n",  *0x11458ac);
				}
				_t119 =  *0x11458b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x11458b4);
					E0105B150("Last known valid blocks: before - %p, after - %p\n",  *0x11458b0);
				} else {
					_t120 =  *0x11458b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0105B150();
				} else {
					E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0105B150("Stack trace available at %p\n", 0x11458c0);
			}

0x01111c10
0x01111c16
0x01111c1e
0x01111c3d
0x01111c3e
0x01111c20
0x01111c35
0x01111c3a
0x01111c44
0x01111c55
0x01111c5a
0x01111c65
0x01111c67
0x00000000
0x01111c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01111c67
0x01111cdc
0x01111ce5
0x01111d04
0x01111d05
0x01111ce7
0x01111cfc
0x01111d01
0x01111d0b
0x01111d17
0x01111d1f
0x01111d25
0x01111d30
0x01111d4f
0x01111d50
0x01111d32
0x01111d47
0x01111d4c
0x01111d61
0x01111d67
0x01111d68
0x01111d6e
0x01111d79
0x01111d98
0x01111d99
0x01111d7b
0x01111d90
0x01111d95
0x01111daa
0x01111db0
0x01111db1
0x01111db7
0x01111dc2
0x01111de1
0x01111de2
0x01111dc4
0x01111dd9
0x01111dde
0x01111df3
0x01111df9
0x01111dfa
0x01111e00
0x01111e0a
0x01111e13
0x01111e32
0x01111e33
0x01111e15
0x01111e2a
0x01111e2f
0x01111e39
0x01111e4a
0x01111e02
0x01111e02
0x01111e08
0x00000000
0x00000000
0x01111e08
0x01111e5b
0x01111e7a
0x01111e7b
0x01111e5d
0x01111e72
0x01111e77
0x01111e95

Strings

heap_failure_block_not_busy, xrefs: 01111CA6
heap_failure_buffer_underrun, xrefs: 01111C9F
heap_failure_lfh_bitmap_mismatch, xrefs: 01111CD7
heap_failure_usage_after_free, xrefs: 01111CBB
Error code: %d - %s, xrefs: 01111D12
heap_failure_generic, xrefs: 01111C7C
Last known valid blocks: before - %p, after - %p, xrefs: 01111E45
heap_failure_invalid_argument, xrefs: 01111CAD
heap_failure_listentry_corruption, xrefs: 01111CD0
heap_failure_multiple_entries_corruption, xrefs: 01111C8A
HEAP[%wZ]: , xrefs: 01111C30, 01111CF7, 01111D42, 01111D8B, 01111DD4, 01111E25, 01111E6D
heap_failure_virtual_block_corruption, xrefs: 01111C91
heap_failure_buffer_overrun, xrefs: 01111C98
heap_failure_internal, xrefs: 01111C6E
heap_failure_cross_heap_operation, xrefs: 01111CC2
heap_failure_unknown, xrefs: 01111C75
HEAP: , xrefs: 01111C16, 01111C3D, 01111D04, 01111D4F, 01111D98, 01111DE1, 01111E32, 01111E7A
heap_failure_freelists_corruption, xrefs: 01111CC9
Heap error detected at %p (heap handle %p), xrefs: 01111C50
Parameter3: %p, xrefs: 01111DEE
Parameter2: %p, xrefs: 01111DA5
heap_failure_entry_corruption, xrefs: 01111C83
heap_failure_invalid_allocation_type, xrefs: 01111CB4
Stack trace available at %p, xrefs: 01111E86
Parameter1: %p, xrefs: 01111D5C

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 7639509ed8ec680fa51d731ec51c84b62ecfcd80de45c62b9e7d674bf30808a7
Instruction ID: ed0f80041f76ae42ed53e6e975f44963c167179592b42d33c3f839f3d702981b
Opcode Fuzzy Hash: 7639509ed8ec680fa51d731ec51c84b62ecfcd80de45c62b9e7d674bf30808a7
Instruction Fuzzy Hash: 9C614A36511145EFD7ADA7B6D484E29F3A6F744930B8A803EFA495F344DB24AC808F4E

Uniqueness

Uniqueness Score: -1.00%

Function 0108C9BF Relevance: 14.2, Strings: 11, Instructions: 412
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0108C9BF(signed int __ecx, signed int __edx, signed int _a4, intOrPtr _a12) {
				signed int _v12;
				char _v552;
				char _v1072;
				char _v1073;
				signed int _v1080;
				signed int _v1084;
				signed short _v1088;
				signed int _v1092;
				signed short _v1094;
				char _v1096;
				char _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				char _v1112;
				char _v1116;
				signed short _v1120;
				char _v1124;
				char* _v1128;
				char _v1132;
				char _v1135;
				char _v1136;
				signed int _v1140;
				char _v1144;
				intOrPtr _v1148;
				short _v1150;
				char _v1152;
				signed int _v1156;
				char* _v1160;
				char _v1164;
				signed int _v1168;
				signed int _v1172;
				intOrPtr _v1176;
				intOrPtr _v1180;
				char _v1184;
				signed int _v1188;
				signed int _v1192;
				intOrPtr _v1196;
				char* _v1200;
				intOrPtr _v1204;
				char _v1208;
				char _v1216;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t166;
				void* _t184;
				signed short _t188;
				char _t199;
				intOrPtr _t200;
				signed int _t205;
				signed int _t207;
				intOrPtr _t218;
				short _t219;
				char _t236;
				char _t242;
				signed int _t253;
				intOrPtr _t258;
				void* _t260;
				signed int _t272;
				void* _t276;
				unsigned int _t277;
				signed short _t279;
				signed int _t280;
				void* _t281;
				void* _t305;

				_t271 = __edx;
				_v12 =  *0x114d360 ^ _t280;
				_t253 = _a4;
				_v1104 = _a12;
				_t272 = __ecx;
				_v1160 =  &_v1072;
				_v1168 = __ecx;
				_t166 = 0;
				_v1073 = 0;
				_v1084 = 0;
				_t274 = 0;
				_v1156 = 0;
				_v1164 = 0x2080000;
				_v1096 = 0;
				_v1092 = 0;
				_v1112 = 0;
				_v1108 = 0;
				_v1100 = 0;
				if(__ecx == 0) {
					L67:
					_push(_t166);
					_push(_t253);
					_push(_t271);
					_push(_t272);
					E010E5720(0x33, 0, "SXS: %s() bad parameters\nSXS:   Map                : %p\nSXS:   Data               : %p\nSXS:   AssemblyRosterIndex: 0x%lx\nSXS:   Map->AssemblyCount : 0x%lx\n", "RtlpResolveAssemblyStorageMapEntry");
					_t274 = 0xc000000d;
					L21:
					if(_v1073 == 0) {
						L23:
						if(_v1092 != 0) {
							E0105AD30(_v1092);
						}
						L24:
						if(_v1084 != 0) {
							_push(_v1084);
							E010995D0();
						}
						_t170 = _v1156;
						if(_v1156 != 0) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t170);
						}
						L26:
						return E0109B640(_t274, _t253, _v12 ^ _t280, _t271, _t272, _t274);
					}
					L22:
					_v1144 = _v1100;
					E0108CCC0(4,  &_v1144, _v1104);
					goto L23;
				}
				if(__edx == 0 || _t253 < 1 || _t253 >  *((intOrPtr*)(__ecx + 4))) {
					_t166 =  *((intOrPtr*)(_t272 + 4));
					goto L67;
				} else {
					if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t253 * 4)) != 0) {
						goto L26;
					}
					asm("lfence");
					_t258 =  *((intOrPtr*)(__edx + 0x18));
					_t260 =  *((intOrPtr*)(_t258 + __edx + 0x10)) + __edx;
					_t276 =  *((intOrPtr*)(_t253 * 0x18 +  *((intOrPtr*)(_t258 + __edx + 0xc)) + __edx + 0x10)) + __edx;
					_t181 =  *((intOrPtr*)(_t276 + 0x50));
					if( *((intOrPtr*)(_t276 + 0x50)) > 0xfffe) {
						_push(__edx);
						E010E5720(0x33, 0, "SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p\n", _t181);
						_t274 = 0xc0000106;
						goto L23;
					}
					if(( *(_t276 + 4) & 0x00000010) != 0) {
						_v1080 =  &_v1164;
						_t272 =  *((intOrPtr*)(_t276 + 0x18)) + _t260;
						if(_t272 != 0) {
							_t184 = L010A13D0(_t272, 0x5c);
							if(_t184 != 0) {
								_t188 = 0x00000004 + (_t184 - _t272 >> 0x00000001) * 0x00000002 & 0x0000ffff;
								_v1088 = _t188;
								_t277 = _t188 & 0x0000ffff;
								if(_t188 <= 0x208) {
									_t264 = _v1080;
									L39:
									E0109F3E0( *((intOrPtr*)(_t264 + 4)), _t272, _t277 - 2);
									_t281 = _t281 + 0xc;
									 *((short*)( *((intOrPtr*)(_v1080 + 4)) + (_t277 >> 1) * 2 - 2)) = 0;
									 *_v1080 = _v1088 + 0xfffffffe;
									L18:
									if(_v1084 == 0) {
										if(E01066A00( *((intOrPtr*)(_v1080 + 4)),  &_v1112, 0,  &_v1184) != 0) {
											_v1156 = _v1108;
											_t199 = _v1184;
											if(_t199 == 0) {
												_t200 = 0;
											} else {
												_v1112 = _t199;
												_v1108 = _v1180;
												_t200 = _v1176;
											}
											_v1192 = _v1192 & 0x00000000;
											_v1188 = _v1188 & 0x00000000;
											_v1204 = _t200;
											_push(0x21);
											_v1200 =  &_v1112;
											_push(3);
											_push( &_v1216);
											_v1208 = 0x18;
											_push( &_v1208);
											_push(0x100020);
											_v1196 = 0x40;
											_push( &_v1084);
											_t205 = E01099830();
											_t272 = _v1172;
											_t274 = _t205;
											if(_t272 != 0) {
												asm("lock xadd [edi], eax");
												if((_t205 | 0xffffffff) == 0) {
													_push( *((intOrPtr*)(_t272 + 4)));
													E010995D0();
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t272);
												}
											}
											if(_t274 >= 0) {
												goto L19;
											} else {
												_push(_t274);
												E010E5720(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n",  *((intOrPtr*)(_v1080 + 4)));
												goto L21;
											}
										}
										E010E5720(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n",  *((intOrPtr*)(_v1080 + 4)));
										_t274 = 0xc000003a;
										goto L21;
									}
									L19:
									_t271 = _t253;
									_t207 = E0108CE6C(_v1168, _t253, _v1080,  &_v1084);
									_t274 = _t207;
									if(_t207 < 0) {
										E010E5720(0x33, 0, "SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx\n", _t274);
									} else {
										_t274 = 0;
									}
									goto L21;
								}
								_v1094 = _t188;
								_t218 = E01073A1C(_t277);
								_v1092 = _t218;
								if(_t218 != 0) {
									_t264 =  &_v1096;
									_v1080 =  &_v1096;
									goto L39;
								}
								_t274 = 0xc0000017;
								goto L24;
							}
							_t274 = 0xc00000e5;
							goto L23;
						}
						_t274 = 0xc00000e5;
						goto L26;
					}
					_v1080 = _v1080 & 0x00000000;
					_t219 =  *((intOrPtr*)(_t276 + 0x50));
					_v1152 = _t219;
					_v1150 = _t219;
					_v1144 = __edx;
					_v1148 =  *((intOrPtr*)(_t276 + 0x54)) + _t260;
					_v1140 = _t253;
					_v1128 =  &_v552;
					_v1136 = 0;
					_v1132 = 0x2160000;
					_v1124 = 0;
					_v1116 = 0;
					_v1120 = 0;
					E0108CCC0(1,  &_v1144, _v1104);
					if(_v1116 != 0) {
						_t274 = 0xc0000120;
						goto L23;
					}
					if(_v1124 != 0) {
						_t271 =  &_v1132;
						_t274 = E0108CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 >= 0) {
							_t271 = _t253;
							_t274 = E0108CE6C(_t272, _t253,  &_v1132,  &_v1084);
							if(_t274 < 0) {
								_push(_t274);
								_push(_t253);
								_push("SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx\n");
								L44:
								_push(0);
								_push(0x33);
								E010E5720();
								goto L23;
							}
							_t274 = 0;
							goto L23;
						}
						_push(_t274);
						_push( &_v1132);
						_push("SXS: Attempt to probe known root of assembly storage (\"%wZ\") failed; Status = 0x%08lx\n");
						goto L44;
					}
					_t279 = _v1120;
					_t272 = 0;
					_t236 = _v1136;
					_v1100 = _t236;
					_v1088 = _t279;
					_v1073 = 1;
					if(_t279 == 0) {
						L16:
						_t305 = _t272 - _t279;
						L17:
						if(_t305 == 0) {
							L54:
							_push(_t272);
							E010E5720(0x33, 0, "SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries\n",  &_v1152);
							_t274 = 0xc0150004;
							goto L22;
						}
						goto L18;
					} else {
						goto L10;
					}
					while(1) {
						L10:
						_v1144 = _t236;
						_v1128 =  &_v552;
						_v1140 = _t272;
						_v1132 = 0x2160000;
						_v1136 = 0;
						E0108CCC0(2,  &_v1144, _v1104);
						if(_v1136 != 0) {
							break;
						}
						_t242 = _v1132;
						if(_v1135 != 0) {
							if(_t242 == 0) {
								goto L54;
							}
							_t119 = _t272 + 1; // 0x1
							_t279 = _t119;
							_v1088 = _t279;
						}
						if(_t242 == 0) {
							L27:
							_t272 = _t272 + 1;
							if(_t272 >= _t279) {
								goto L17;
							} else {
								_t236 = _v1100;
								continue;
							}
						}
						if(_v1084 != 0) {
							_push(_v1084);
							E010995D0();
							_v1084 = _v1084 & 0x00000000;
						}
						_t271 =  &_v1132;
						_t274 = E0108CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 < 0) {
							if(_t274 != 0xc0150004) {
								_push(_t274);
								_push( &_v1152);
								E010E5720(0x33, 0, "SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx\n",  &_v1132);
								goto L22;
							}
							_t279 = _v1088;
							goto L27;
						} else {
							_t279 = _v1088;
							goto L16;
						}
					}
					_t274 = 0xc0000120;
					goto L22;
				}
			}

0x0108c9bf
0x0108c9d1
0x0108c9d8
0x0108c9dc
0x0108c9e9
0x0108c9eb
0x0108c9f3
0x0108c9f9
0x0108c9fb
0x0108ca01
0x0108ca07
0x0108ca09
0x0108ca0f
0x0108ca19
0x0108ca1f
0x0108ca25
0x0108ca2b
0x0108ca31
0x0108ca39
0x010cac23
0x010cac23
0x010cac24
0x010cac25
0x010cac26
0x010cac34
0x010cac3c
0x0108cc3c
0x0108cc43
0x0108cc65
0x0108cc6c
0x010cac4c
0x010cac4c
0x0108cc72
0x0108cc79
0x010cac56
0x010cac5c
0x010cac5c
0x0108cc7f
0x0108cc87
0x010cac72
0x010cac72
0x0108cc8d
0x0108cc9f
0x0108cc9f
0x0108cc45
0x0108cc51
0x0108cc60
0x00000000
0x0108cc60
0x0108ca41
0x010cac20
0x00000000
0x0108ca59
0x0108ca5f
0x00000000
0x00000000
0x0108ca65
0x0108ca68
0x0108ca76
0x0108ca7c
0x0108ca7e
0x0108ca86
0x010ca8ea
0x010ca8f5
0x010ca8fd
0x00000000
0x010ca8fd
0x0108ca90
0x010ca90d
0x010ca916
0x010ca918
0x010ca927
0x010ca930
0x010ca94c
0x010ca94f
0x010ca955
0x010ca95b
0x010ca98c
0x010ca992
0x010ca99a
0x010ca9a9
0x010ca9af
0x010ca9c3
0x0108cc09
0x0108cc10
0x010cab03
0x010cab2f
0x010cab35
0x010cab3e
0x010cab5a
0x010cab40
0x010cab40
0x010cab4c
0x010cab52
0x010cab52
0x010cab5c
0x010cab63
0x010cab6a
0x010cab76
0x010cab78
0x010cab84
0x010cab86
0x010cab8d
0x010cab97
0x010cab98
0x010caba3
0x010cabad
0x010cabae
0x010cabb3
0x010cabb9
0x010cabbd
0x010cabc2
0x010cabc6
0x010cabc8
0x010cabcb
0x010cabdc
0x010cabdc
0x010cabc6
0x010cabe3
0x00000000
0x010cabe9
0x010cabef
0x010cabfc
0x00000000
0x010cac01
0x010cabe3
0x010cab17
0x010cab1f
0x00000000
0x010cab1f
0x0108cc16
0x0108cc29
0x0108cc2b
0x0108cc30
0x0108cc34
0x010cac13
0x0108cc3a
0x0108cc3a
0x0108cc3a
0x00000000
0x0108cc34
0x010ca95e
0x010ca965
0x010ca96a
0x010ca972
0x010ca97e
0x010ca984
0x00000000
0x010ca984
0x010ca974
0x00000000
0x010ca974
0x010ca932
0x00000000
0x010ca932
0x010ca91a
0x00000000
0x010ca91a
0x0108ca96
0x0108ca9d
0x0108caa7
0x0108caae
0x0108caba
0x0108cac0
0x0108cace
0x0108cad4
0x0108cae3
0x0108cae9
0x0108caf3
0x0108caf9
0x0108caff
0x0108cb05
0x0108cb11
0x010ca9cb
0x00000000
0x010ca9cb
0x0108cb1e
0x010ca9f8
0x010caa03
0x010caa07
0x010caa36
0x010caa47
0x010caa4b
0x010caa18
0x010caa19
0x010caa1a
0x010caa1f
0x010caa1f
0x010caa21
0x010caa23
0x00000000
0x010caa28
0x010caa4d
0x00000000
0x010caa4d
0x010caa09
0x010caa10
0x010caa11
0x00000000
0x010caa11
0x0108cb24
0x0108cb2a
0x0108cb2c
0x0108cb32
0x0108cb38
0x0108cb3e
0x0108cb47
0x0108cc01
0x0108cc01
0x0108cc03
0x0108cc03
0x010caac0
0x010caac0
0x010caad1
0x010caad9
0x00000000
0x010caad9
0x00000000
0x00000000
0x00000000
0x00000000
0x0108cb4d
0x0108cb4d
0x0108cb53
0x0108cb5f
0x0108cb6e
0x0108cb74
0x0108cb7e
0x0108cb87
0x0108cb93
0x00000000
0x00000000
0x0108cba0
0x0108cba7
0x010caa57
0x00000000
0x00000000
0x010caa59
0x010caa59
0x010caa5c
0x010caa5c
0x0108cbb0
0x0108cca2
0x0108cca2
0x0108cca5
0x00000000
0x0108ccab
0x0108ccab
0x00000000
0x0108ccab
0x0108cca5
0x0108cbbd
0x010caa67
0x010caa6d
0x010caa72
0x010caa72
0x0108cbe6
0x0108cbf1
0x0108cbf5
0x010caa84
0x010caa91
0x010caa98
0x010caaa9
0x00000000
0x010caaae
0x010caa86
0x00000000
0x0108cbfb
0x0108cbfb
0x00000000
0x0108cbfb
0x0108cbf5
0x010caab6
0x00000000
0x010caab6

Strings

SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 010CAAA0
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 010CAC0A
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 010CAA1A
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 010CAB0E
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010CABF3
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010CA8EC
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 010CAA11
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010CAAC8
@, xrefs: 010CABA3
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 010CAC2C
RtlpResolveAssemblyStorageMapEntry, xrefs: 010CAC27

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 36c88a1535a50ed193c7e664c45bd1d5019b53e73841d349b21426dc000bb029
Instruction ID: d967ff784e3bd7af3e14cfaddedab369b11cd40024779640dea9d7e0b1e4911e
Opcode Fuzzy Hash: 36c88a1535a50ed193c7e664c45bd1d5019b53e73841d349b21426dc000bb029
Instruction Fuzzy Hash: 5A025FF1D0422D9BEB71DB14CD80BDEB7B8AB54704F4041EAE689A7241E7319E84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01114AEF Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E01114AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E0105B150();
						} else {
							E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E0105B150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E0110FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E0105B150();
						} else {
							E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E0105B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E0105B150();
									} else {
										E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E0105B150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E0110FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E0105B150();
										} else {
											E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E010AD540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E0111A80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E0107E12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E0111A80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E0107E4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E0107A229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E0107A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E0107BC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E011023E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E01051F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x01114af7
0x01114afb
0x01114afd
0x01114b01
0x01114b03
0x01114b08
0x01114b0a
0x01114b0f
0x01114eb5
0x01114eb5
0x01114ebb
0x011150d5
0x011150d8
0x01114ff6
0x00000000
0x01114ff6
0x011150de
0x011150e4
0x011150e8
0x01115107
0x0111510c
0x011150ea
0x011150ff
0x01115104
0x01115112
0x01115115
0x01115118
0x01115119
0x011150cb
0x011150cb
0x011150af
0x00000000
0x011150af
0x01114ecb
0x011150b6
0x011150bb
0x01114ed1
0x01114ee6
0x01114eeb
0x011150c1
0x011150c2
0x011150c5
0x011150c6
0x00000000
0x00000000
0x00000000
0x00000000
0x01114b15
0x01114b15
0x01114b1c
0x01114b1e
0x01114b23
0x01114b27
0x01114b33
0x01114b38
0x01114b3a
0x01114b3c
0x01114b41
0x01114b41
0x01114b3a
0x01114b52
0x01115045
0x0111504b
0x0111504f
0x0111506e
0x01115073
0x01115051
0x01115066
0x0111506b
0x01115083
0x01115088
0x01115088
0x0111508a
0x01115091
0x01115099
0x01115099
0x0111509d
0x011150a7
0x011150ad
0x011150ad
0x011150ad
0x00000000
0x0111509d
0x01114b58
0x01114b5b
0x01114b5e
0x01114b63
0x01114b66
0x01114b69
0x01114b6f
0x01114be4
0x01114bf0
0x01114bf2
0x01114bf5
0x01114dc3
0x01114dc6
0x01114dc9
0x01114dce
0x01114dce
0x01114dd0
0x01114dd0
0x01114dd5
0x01114def
0x01114dd7
0x01114de7
0x01114de7
0x01114df3
0x01115001
0x01115007
0x0111500b
0x0111502a
0x0111502f
0x0111500d
0x01115022
0x01115027
0x01115039
0x0111503a
0x0111503b
0x00000000
0x01114df9
0x01114dfd
0x01114e90
0x01114e94
0x01114e9e
0x01114ea4
0x01114ea4
0x01114ea4
0x01114ea6
0x01114ea6
0x00000000
0x01114ea6
0x01114e03
0x01114e08
0x01114f88
0x01114f92
0x01114f99
0x01114f9c
0x01114fe0
0x01114fe4
0x01114fee
0x01114ff4
0x01114ff4
0x01114ff4
0x00000000
0x01114fe4
0x01114f9e
0x01114fa4
0x01114fa8
0x01114fc7
0x01114fcc
0x01114faa
0x01114fbf
0x01114fc4
0x01114fd2
0x01114fd5
0x01114fd6
0x01114f34
0x01114f34
0x00000000
0x01114f39
0x01114e0e
0x01114e14
0x01114e1b
0x01114e25
0x01114e2b
0x01114e2b
0x01114e33
0x01114e38
0x01114e8a
0x01114e8a
0x00000000
0x01114e3a
0x01114e3e
0x01114e43
0x01114e47
0x01114e53
0x01114e58
0x01114e5a
0x01114e5c
0x01114e61
0x01114e61
0x01114e5a
0x01114e6e
0x01114f41
0x01114f47
0x01114f4b
0x01114f6a
0x01114f6f
0x01114f4d
0x01114f62
0x01114f67
0x01114f7f
0x01114f80
0x01114f81
0x00000000
0x01114e74
0x01114e78
0x01114e82
0x01114e88
0x01114e88
0x00000000
0x01114e78
0x01114e6e
0x01114e38
0x01114df3
0x01114bfe
0x01114c01
0x01114c04
0x01114c07
0x01114c09
0x01114c0c
0x01114c0e
0x01114c0e
0x01114c11
0x01114c11
0x01114c0c
0x01114c14
0x01114c17
0x01114dae
0x01114db2
0x01114db7
0x01114dba
0x01114dbd
0x01114ef1
0x01114ef7
0x01114efb
0x01114f1a
0x01114f1f
0x01114efd
0x01114f12
0x01114f17
0x01114f2b
0x01114f2b
0x01114f2d
0x01114f2e
0x01114f2f
0x00000000
0x01114f2f
0x00000000
0x01114c1d
0x01114c1d
0x01114c20
0x01114c23
0x01114c26
0x01114c29
0x01114c2c
0x01114c2e
0x01114d91
0x01114d91
0x01114d92
0x01114d97
0x01114d9e
0x00000000
0x01114d9e
0x01114c34
0x01114c37
0x01114c39
0x01114c3c
0x00000000
0x00000000
0x01114c45
0x01114c48
0x01114c4e
0x01114c50
0x01114c78
0x01114c78
0x01114c7b
0x01114c7d
0x01114c80
0x01114c84
0x01114cad
0x01114cad
0x01114cb0
0x01114cb8
0x01114cbb
0x01114cbe
0x01114cc1
0x01114cc7
0x01114cdc
0x01114cc9
0x01114cd2
0x01114cd4
0x01114cd4
0x01114cde
0x01114ce0
0x01114d13
0x01114d13
0x01114d16
0x01114d18
0x01114d29
0x01114d2a
0x01114d2c
0x01114d34
0x01114d1a
0x01114d1a
0x01114d1a
0x01114d1d
0x01114d1f
0x01114d22
0x01114d24
0x01114d24
0x01114d3c
0x01114d3f
0x01114d45
0x01114d47
0x01114d6c
0x01114d6c
0x01114d70
0x01114d7e
0x01114d84
0x01114d84
0x00000000
0x01114d49
0x01114d49
0x01114d56
0x01114d56
0x01114d59
0x00000000
0x00000000
0x01114d4e
0x01114d50
0x01114d52
0x01114d8e
0x01114d5d
0x01114d5f
0x01114d67
0x00000000
0x01114d67
0x01114d54
0x01114d54
0x01114d5b
0x00000000
0x01114d5b
0x01114ce2
0x01114ce2
0x01114ce5
0x01114ce5
0x01114ce7
0x01114cfb
0x01114ce9
0x01114ce9
0x01114cec
0x01114cef
0x01114cf1
0x01114cf3
0x01114cf3
0x01114cf3
0x01114cf6
0x01114cf6
0x01114d02
0x01114d05
0x00000000
0x00000000
0x01114d07
0x01114d0f
0x01114d11
0x00000000
0x00000000
0x00000000
0x01114d11
0x00000000
0x01114ce5
0x01114ce0
0x01114c8a
0x01114c8f
0x01114c91
0x00000000
0x00000000
0x01114c9d
0x00000000
0x01114c9d
0x01114c52
0x01114c5f
0x01114c5f
0x01114c62
0x00000000
0x00000000
0x01114c57
0x01114c59
0x01114c5b
0x01114caa
0x01114c66
0x01114c68
0x01114c70
0x01114c75
0x00000000
0x01114c75
0x01114c5d
0x01114c5d
0x01114c64
0x00000000
0x01114c64
0x01114c17
0x01114b75
0x01114bc4
0x01114bc8
0x00000000
0x00000000
0x01114bd9
0x00000000
0x00000000
0x00000000
0x01114b77
0x01114b7a
0x01114b8c
0x01114b7c
0x01114b7e
0x01114b83
0x01114b86
0x01114b86
0x01114b90
0x01114b93
0x00000000
0x00000000
0x01114b95
0x01114bab
0x01114bb0
0x00000000
0x00000000
0x01114bb2
0x01114bb9
0x00000000
0x00000000
0x01114bbb
0x01114bbe
0x01114bc1
0x01114bc1
0x00000000
0x01114bc1
0x01114b97
0x01114ba4
0x00000000
0x00000000
0x01114ba6
0x00000000
0x01114ba6
0x01114ea9
0x01114ea9
0x01114eb2
0x00000000

Strings

Free Heap block %p modified at %p after it was freed, xrefs: 01114F2F
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01114F81
HEAP[%wZ]: , xrefs: 01114EE1, 01114F0D, 01114F5D, 01114FBA, 0111501D, 01115061, 011150FA
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 011150C6
Heap block at %p has incorrect segment offset (%x), xrefs: 0111503B
Heap block at %p is not last block in segment (%p), xrefs: 01114FD6
HEAP: , xrefs: 01114F1A, 01114F6A, 01114FC7, 0111502A, 0111506E, 011150B6, 01115107
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01115119
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0111508C

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 807107dac080e9f3dc93f14c59885cd707cbffbb3ca01709861219c11870594f
Instruction ID: da9edc53e47ec252083722de4062362e11dba3813d89c53e4832a0922fe7bc1f
Opcode Fuzzy Hash: 807107dac080e9f3dc93f14c59885cd707cbffbb3ca01709861219c11870594f
Instruction Fuzzy Hash: A312D1706006429FDB2DCF69C494BBAFBF6FF45B00F158469E4868BA85D734E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011131DC Relevance: 10.2, Strings: 8, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 01113392
HEAP[%wZ]: , xrefs: 01113213, 0111327A, 011132C3, 01113328, 01113376, 011133BD
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 011132DB
HEAP: , xrefs: 01113220, 01113287, 011132D0, 01113335, 01113383, 011133CA
Invalid CommitSize parameter - %Ix, xrefs: 01113295
Specified HeapBase (%p) is free or not writable, xrefs: 011133D8
Invalid ReserveSize parameter - %Ix, xrefs: 0111322C
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 01113344

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: b41190f182d2472541c7bf06637b8ac2efa5b664cc19ef79c637ee2d32078851
Instruction ID: 20023b21bb3323cf9af48c054ee37ff9772812d13de829cfee1a066cb4ccdc4c
Opcode Fuzzy Hash: b41190f182d2472541c7bf06637b8ac2efa5b664cc19ef79c637ee2d32078851
Instruction Fuzzy Hash: 0D515C32224645EFD769EBA9C884EAAF7A5FB48A30F048039F8559F349C771E940CF15

Uniqueness

Uniqueness Score: -1.00%

Function 010878A0 Relevance: 8.5, Strings: 6, Instructions: 989
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E010878A0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20, intOrPtr _a24, signed int _a28, signed int _a32, signed int* _a36, signed int _a40, signed int _a44) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed short _v34;
				signed short _v36;
				char _v48;
				char _v64;
				signed int _v68;
				signed int _v72;
				char _v73;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed short _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				short _v148;
				signed int _v152;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				signed short _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				signed int _v212;
				intOrPtr _v216;
				signed int* _v220;
				char* _v228;
				char _v232;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t462;
				signed int _t463;
				signed int* _t473;
				signed char* _t474;
				signed int _t475;
				signed char* _t476;
				signed int _t478;
				signed int _t480;
				intOrPtr _t484;
				signed int _t488;
				signed char* _t489;
				signed int _t490;
				signed char* _t491;
				signed int _t499;
				signed int _t501;
				signed int _t504;
				void* _t505;
				signed int _t506;
				signed int _t508;
				void* _t512;
				signed int _t514;
				signed int _t520;
				signed int _t524;
				signed int _t525;
				signed int _t530;
				signed int _t532;
				signed int _t533;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				signed int _t541;
				signed int _t546;
				intOrPtr _t555;
				signed short _t557;
				signed int _t560;
				signed int _t562;
				signed int _t565;
				signed int _t567;
				signed int _t568;
				signed int _t571;
				signed int _t572;
				signed int _t573;
				signed int _t575;
				signed int _t577;
				signed int _t578;
				signed int _t580;
				signed int _t583;
				signed int _t587;
				signed int _t589;
				signed int _t591;
				signed int _t597;
				signed char _t601;
				signed int _t609;
				void* _t610;
				intOrPtr _t611;
				void* _t612;
				signed int _t613;
				signed int _t615;
				signed int _t616;
				signed int _t619;
				signed int _t620;
				signed int* _t621;
				signed int _t622;
				intOrPtr _t626;
				void* _t632;
				signed int _t634;
				signed int _t637;
				intOrPtr _t638;
				signed int _t641;
				signed int _t647;
				signed int _t649;
				signed int _t653;
				signed int _t667;
				signed int _t669;
				intOrPtr _t671;
				signed int _t672;
				signed int _t674;
				signed int _t689;
				signed int _t698;
				signed char _t702;
				intOrPtr _t708;
				void* _t712;
				signed int _t714;
				signed int _t716;
				signed int _t717;
				signed int _t719;
				void* _t720;
				signed int _t721;
				signed int _t723;
				signed int _t724;
				signed int _t725;
				intOrPtr* _t727;
				void* _t728;
				signed int _t729;
				signed int _t730;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t743;
				void* _t744;
				signed int _t752;
				signed int _t775;
				void* _t783;

				_t699 = __edx;
				_push(0xfffffffe);
				_push(0x11300b0);
				_push(0x10a17f0);
				_push( *[fs:0x0]);
				_t462 =  *0x114d360;
				_v12 = _v12 ^ _t462;
				_t463 = _t462 ^ _t743;
				_v32 = _t463;
				_push(_t463);
				 *[fs:0x0] =  &_v20;
				_v28 = _t744 - 0xd4;
				_v140 = __edx;
				_v100 = __ecx;
				_t609 = _a8;
				_v92 = _t609;
				_t626 = _a12;
				_v156 = _t626;
				_v164 = _a16;
				_t727 = _a20;
				_v160 = _t727;
				_v176 = _a28;
				_v200 = _a32;
				_v220 = _a36;
				_v108 = _a44;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v148 = 0;
				_v128 = 0;
				_v72 = 0;
				_v112 = 0;
				_v184 = 0x560054;
				_v180 = L"LdrpResSearchResourceInsideDirectory Enter";
				_v232 = 0x540052;
				_v228 = L"LdrpResSearchResourceInsideDirectory Exit";
				_t473 =  *( *[fs:0x30] + 0x50);
				if(_t473 != 0) {
					__eflags =  *_t473;
					if( *_t473 == 0) {
						goto L1;
					}
					_t474 =  *( *[fs:0x30] + 0x50) + 0x22b;
					L2:
					if(( *_t474 & 0x00000001) != 0) {
						_t475 = E01077D50();
						__eflags = _t475;
						if(_t475 == 0) {
							_t476 = 0x7ffe0384;
						} else {
							_t476 =  *( *[fs:0x30] + 0x50) + 0x22a;
						}
						_t699 =  *_t476 & 0x000000ff;
						E010E6715( &_v184,  *_t476 & 0x000000ff);
						_t626 = _v156;
					}
					if(_t609 == 0 || _t626 == 0 || _t727 == 0) {
						L196:
						_t478 = 0xc000000d;
						goto L70;
					} else {
						_t611 = _a24;
						_t37 = _t611 - 1; // 0x1034f83
						_t480 = _t37;
						if(_t480 > 3) {
							goto L196;
						}
						_t699 = _a40;
						_v104 = _t699;
						_t752 = _t699 & 0x00008000;
						if(_t752 != 0) {
							_t480 = _v140;
							__eflags = _t480;
							if(_t480 == 0) {
								goto L196;
							}
							__eflags = _t480 - 0xffffffff;
							if(_t480 == 0xffffffff) {
								goto L196;
							}
							__eflags = _v164;
							if(_v164 != 0) {
								goto L8;
							}
							goto L196;
						}
						L8:
						_t714 = _t699 & 0x00001000;
						_v84 = _t714;
						_v144 = _t480 & 0xffffff00 | _t752 != 0x00000000;
						if((_t699 & 0x00008800) == 0x8800) {
							_t632 = 1;
						} else {
							_t632 = 0;
						}
						_v73 = _t632;
						if(_t714 == 0 || _a4 != 0) {
							if(_t632 != 0 || _v100 != 0) {
								if(_t632 == 1) {
									__eflags = _v140;
									if(_v140 == 0) {
										goto L196;
									}
								}
								_v208 = _t727;
								_t484 = _t611;
								_v120 = _t484;
								_t729 = _v92;
								_v88 = 0;
								_v96 = 0;
								_v136 = 0;
								if(_v108 != 0) {
									 *_v108 = 0;
									_t611 = _t484;
									_t699 = _v104;
								}
								_v8 = 0;
								_v172 = _v112;
								while(1) {
									L18:
									_t716 = _v84;
									if(_t729 == 0) {
										break;
									}
									_t708 = _v120 - 1;
									_v120 = _t708;
									_v216 = _t708;
									_t699 = _v104;
									if(_t484 == 0) {
										L59:
										_t484 = _v120;
										break;
									}
									_v128 =  *_v160;
									if(_v120 == 0) {
										__eflags = _t611 - 3;
										if(_t611 != 3) {
											goto L21;
										}
										_v136 = _t729;
										_t597 = _v176;
										__eflags = _t597;
										if(_t597 == 0) {
											_v68 = 0xc000000d;
											L64:
											_t717 = _v72;
											L65:
											__eflags = _t717;
											if(_t717 != 0) {
												L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t717);
												_v72 = 0;
											}
											_t488 =  *( *[fs:0x30] + 0x50);
											__eflags = _t488;
											if(_t488 != 0) {
												__eflags =  *_t488;
												if( *_t488 == 0) {
													goto L67;
												}
												_t489 =  *( *[fs:0x30] + 0x50) + 0x22b;
												goto L68;
											} else {
												L67:
												_t489 = 0x7ffe0385;
												L68:
												__eflags =  *_t489 & 0x00000001;
												if(( *_t489 & 0x00000001) != 0) {
													_t490 = E01077D50();
													__eflags = _t490;
													if(_t490 == 0) {
														_t491 = 0x7ffe0384;
													} else {
														_t491 =  *( *[fs:0x30] + 0x50) + 0x22a;
													}
													_t699 =  *_t491 & 0x000000ff;
													E010E6715( &_v232,  *_t491 & 0x000000ff);
												}
												_v8 = 0xfffffffe;
												_t478 = _v68;
												L70:
												 *[fs:0x0] = _v20;
												_pop(_t712);
												_pop(_t728);
												_pop(_t610);
												__eflags = _v32 ^ _t743;
												return E0109B640(_t478, _t610, _v32 ^ _t743, _t699, _t712, _t728);
											}
										}
										_v148 =  *_t597;
										_v172 = 0;
										_v112 = 0;
										_t601 =  !_t699;
										__eflags = _t601 & 0x00000004;
										if((_t601 & 0x00000004) != 0) {
											_v128 =  *(_v176 + 4) & 0x0000ffff;
										}
									}
									L21:
									if(_t632 != 0) {
										_t699 = _t729;
										_t478 = E010E94CA(_v140,  &_v48, 0x10);
										_v68 = _t478;
										__eflags = _t478;
										if(_t478 < 0) {
											L270:
											_v8 = 0xfffffffe;
											goto L70;
										}
										_t632 = _v73;
										__eflags = _t632;
										if(_t632 == 0) {
											goto L22;
										}
										L203:
										_t546 = _v36 & 0x0000ffff;
										L28:
										_v116 = _t546;
										_v132 = _t546;
										if(_t546 != 0) {
											__eflags = _t716;
											if(_t716 == 0) {
												goto L29;
											}
											_t699 = _t546 * 8 >> 0x20;
											_t589 = E0108F3D5( &_v196, _t546 * 8, _t546 * 8 >> 0x20);
											__eflags = _t589;
											if(_t589 < 0) {
												_v68 = 0xc000007b;
												goto L64;
											}
											_t725 = _v196;
											_t699 = _t725 + 0x10;
											_t591 = E01051C45(_t729, _t725 + 0x10,  &_v80);
											__eflags = _t591;
											if(_t591 < 0) {
												_v68 = 0xc000007b;
												goto L64;
											}
											__eflags = _t725 + 0x10 + _t729 - (_v100 & 0xfffffffc) + _a4;
											if(_t725 + 0x10 + _t729 > (_v100 & 0xfffffffc) + _a4) {
												_v68 = 0xc000007b;
												goto L64;
											}
											_t546 = _v116;
											_t632 = _v73;
										}
										L29:
										_t77 = _t729 + 0x10; // 0x10
										_t721 = _t77;
										_v188 = _t721;
										_v152 = _t721;
										if((_v128 & 0xffff0000) != 0) {
											L40:
											L41:
											if(_t546 == 0) {
												_v124 = 0;
												_t484 = _v120;
												L62:
												_t612 = _t611 - _t484;
												__eflags = _t612 - 1;
												if(_t612 != 1) {
													_t613 = _t612 - 2;
													__eflags = _t613;
													if(_t613 != 0) {
														__eflags = _t613 == 1;
														if(_t613 == 1) {
															_v68 = 0xc0000204;
														} else {
															_v68 = 0xc000000d;
														}
													} else {
														_v68 = 0xc000008b;
													}
												} else {
													_v68 = 0xc000008a;
												}
												goto L64;
											}
											if(_v73 != 0) {
												_t667 = _v72;
												__eflags = _t667;
												if(_t667 != 0) {
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t667);
													_v72 = 0;
													_t546 = _v132;
												}
												_t738 = _t546 * 8;
												_t717 = E01074620(_t667,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t546 * 8);
												_v72 = _t717;
												__eflags = _t717;
												if(_t717 != 0) {
													_t699 = _v152;
													_t478 = E010E94CA(_v140, _t717, _t738);
													_v68 = _t478;
													__eflags = _t478;
													if(_t478 < 0) {
														goto L270;
													}
													_v188 = _t717;
													_v152 = _t717;
													_v104 = _a40;
													_v172 = _v112;
													_v160 = _v208;
													_v120 = _v216;
													_v88 = _v96;
													_t546 = _v132;
													_v116 = _t546;
													_t669 = _v84;
													goto L43;
												} else {
													_v68 = 0xc0000017;
													goto L65;
												}
											}
											L43:
											_t699 = _v104;
											L44:
											while(1) {
												L44:
												if(_v136 != 0) {
													__eflags = _t699 & 0x00000020;
													if((_t699 & 0x00000020) == 0) {
														while(1) {
															L46:
															_t729 = 0;
															_v124 = 0;
															_t622 = _t717;
															_v152 = _t622;
															_t105 = _t546 - 1; // 0x0
															_t671 = _t717 + _t105 * 8;
															_v204 = _t671;
															_v132 = _t546;
															while(1) {
																L47:
																_t783 = _t622 - _t671;
																if(_t783 > 0) {
																	break;
																}
																_t723 = _t546 >> 1;
																if(_t783 != 0) {
																	_t567 = _t546 & 0x00000001;
																	__eflags = _t567;
																	_v180 = _t567;
																	_t568 = _t622 + _t723 * 8;
																	_v168 = _t568;
																	if(_t567 == 0) {
																		_t568 = _t568 + 0xfffffff8;
																		__eflags = _t568;
																		_v168 = _t568;
																	}
																	_t699 = _v140;
																	_t478 = E01088379(_v100, _v140, _a4, _v128, _v92, _t568, _v140,  &_v192);
																	_v68 = _t478;
																	__eflags = _t478;
																	if(_t478 < 0) {
																		goto L270;
																	} else {
																		__eflags = _v192;
																		if(__eflags == 0) {
																			_t571 =  *(_v168 + 4);
																			__eflags = _t571;
																			if(_t571 >= 0) {
																				_t729 = 0;
																				_v124 = 0;
																				__eflags = _v84;
																				if(_v84 == 0) {
																					_t572 = _t571 + _v92;
																					L137:
																					_v96 = _t572;
																					_v88 = _t572;
																					break;
																				}
																				__eflags = _v136;
																				if(_v136 != 0) {
																					_t699 = _t571;
																					_t573 = E01051C45(_v92, _t571,  &_v80);
																					__eflags = _t573;
																					if(_t573 >= 0) {
																						L136:
																						_t572 = _v80;
																						goto L137;
																					}
																					_v68 = 0xc000007b;
																					goto L64;
																				}
																				_v68 = 0xc000007b;
																				goto L64;
																			}
																			__eflags = _v84 - _t729;
																			if(_v84 == _t729) {
																				_t729 = (_t571 & 0x7fffffff) + _v92;
																				_v124 = _t729;
																				break;
																			}
																			__eflags = _v136 - _t729;
																			if(_v136 != _t729) {
																				_v68 = 0xc000007b;
																				goto L64;
																			}
																			_t699 = _t571 & 0x7fffffff;
																			_t575 = E01051C45(_v92, _t571 & 0x7fffffff,  &_v80);
																			__eflags = _t575;
																			if(_t575 >= 0) {
																				L75:
																				_t729 = _v80;
																				_v124 = _t729;
																				break;
																			}
																			_v68 = 0xc000007b;
																			goto L64;
																		}
																		if(__eflags < 0) {
																			_t671 = _v168 + 0xfffffff8;
																			_v204 = _t671;
																			__eflags = _v180;
																			if(_v180 == 0) {
																				_t546 = _t723 - 1;
																				_v132 = _t546;
																				_t699 = _v104;
																			} else {
																				_v132 = _t723;
																				_t546 = _t723;
																				_t699 = _v104;
																			}
																		} else {
																			_t622 = _v168 + 8;
																			_v152 = _t622;
																			_v132 = _t723;
																			_t671 = _v204;
																			_t546 = _t723;
																			_t699 = _v104;
																		}
																		continue;
																	}
																}
																if(_t546 == 0) {
																	break;
																}
																_t724 = _v92;
																_t699 = _v140;
																_t478 = E01088379(_v100, _v140, _a4, _v128, _t724, _t622, _v140,  &_v192);
																_v68 = _t478;
																if(_t478 < 0) {
																	goto L270;
																}
																if(_v192 == _t729) {
																	_t577 =  *(_t622 + 4);
																	__eflags = _t577;
																	if(_t577 >= 0) {
																		__eflags = _v84 - _t729;
																		if(_v84 == _t729) {
																			_t572 = _t577 + _t724;
																			goto L137;
																		}
																		__eflags = _v136 - _t729;
																		if(_v136 == _t729) {
																			_v68 = 0xc000007b;
																			goto L64;
																		}
																		_t699 = _t577;
																		_t578 = E01051C45(_t724, _t577,  &_v80);
																		__eflags = _t578;
																		if(_t578 < 0) {
																			_v68 = 0xc000007b;
																			goto L64;
																		}
																		goto L136;
																	}
																	__eflags = _v84 - _t729;
																	if(_v84 == _t729) {
																		_t729 = (_t577 & 0x7fffffff) + _t724;
																		_v124 = _t729;
																		break;
																	}
																	__eflags = _v136 - _t729;
																	if(_v136 != _t729) {
																		_v68 = 0xc000007b;
																		goto L64;
																	}
																	_t699 = _t577 & 0x7fffffff;
																	_t580 = E01051C45(_t724, _t577 & 0x7fffffff,  &_v80);
																	__eflags = _t580;
																	if(_t580 < 0) {
																		_v68 = 0xc000007b;
																		goto L64;
																	}
																	goto L75;
																}
																break;
															}
															_t699 = _v104;
															if(_v136 != 0) {
																__eflags = _v88;
																if(_v88 != 0) {
																	goto L53;
																}
																__eflags = _t699 & 0x00000004;
																if((_t699 & 0x00000004) != 0) {
																	L58:
																	_t716 = _v84;
																	_t611 = _a24;
																	goto L59;
																}
																_t557 = _v172 + 1;
																_v172 = _t557;
																_v112 = _t557;
																_t672 = _t557 & 0x0000ffff;
																__eflags = _t672 - _v148;
																_t560 = _v176;
																if(_t672 >= _v148) {
																	__eflags =  *((char*)(_t560 + 0x204));
																	if( *((char*)(_t560 + 0x204)) != 0) {
																		goto L53;
																	}
																	_t699 = _t699 | 0x00000020;
																	_v104 = _t699;
																	_a40 = _t699;
																	_t546 = _v116;
																	_t717 = _v188;
																	_t669 = _v84;
																	goto L44;
																}
																_v128 =  *(_t560 + 4 + _t672 * 8) & 0x0000ffff;
																_t546 = _v116;
																_t717 = _v188;
																L46:
																_t729 = 0;
																_v124 = 0;
																_t622 = _t717;
																_v152 = _t622;
																_t105 = _t546 - 1; // 0x0
																_t671 = _t717 + _t105 * 8;
																_v204 = _t671;
																_v132 = _t546;
																goto L47;
															}
															L53:
															_t555 = _v160 + 4;
															_v160 = _t555;
															_v208 = _t555;
															_t611 = _a24;
															_t632 = _v73;
															_t484 = _v120;
															goto L18;
														}
													}
													_t729 = 0;
													_v124 = 0;
													__eflags = _t669;
													if(_t669 == 0) {
														_t562 =  *(_t717 + 4) + _v92;
														_v88 = _t562;
														_v96 = _t562;
														goto L57;
													} else {
														_t699 =  *(_t717 + 4);
														_t565 = E01051C45(_v92,  *(_t717 + 4),  &_v80);
														__eflags = _t565;
														if(_t565 < 0) {
															_v68 = 0xc000007b;
															goto L64;
														}
														_t674 = _v80;
														_v88 = _t674;
														_v96 = _t674;
														_t699 = _v104;
														L57:
														_v128 =  *_t717;
														goto L58;
													}
													L101:
													__eflags = _t699;
													if(_t699 != 0) {
														L61:
														__eflags = _t729;
														if(_t729 != 0) {
															__eflags = _t699;
															if(_t699 == 0) {
																goto L62;
															}
															__eflags = _t716;
															if(_t716 == 0) {
																_t699 = _v100 & 0xfffffffc;
																_t615 = _a4;
																L173:
																_t634 = _v200;
																__eflags = _t634;
																if(_t634 == 0) {
																	L178:
																	_v68 = 0;
																	goto L64;
																}
																__eflags = _t716;
																if(_t716 == 0) {
																	L177:
																	 *_t634 = _t729;
																	goto L178;
																}
																__eflags = _t729 - _t699;
																if(_t729 < _t699) {
																	L204:
																	_v68 = 0xc000007b;
																	goto L64;
																}
																__eflags = _t729 - _t699 + _t615;
																if(_t729 > _t699 + _t615) {
																	_v68 = 0xc000007b;
																	goto L64;
																}
																goto L177;
															}
															_t699 = 0x18;
															_t499 = E01051C45(_t729, 0x18,  &_v80);
															__eflags = _t499;
															if(_t499 < 0) {
																_v124 = 0;
																_v68 = 0xc000007b;
																goto L64;
															}
															_t699 = _v100 & 0xfffffffc;
															_t615 = _a4;
															__eflags = _t729 + 0x18 - _t699 + _t615;
															if(_t729 + 0x18 > _t699 + _t615) {
																_v124 = 0;
																_v68 = 0xc000007b;
																goto L64;
															}
															goto L173;
														}
														goto L62;
													}
													_t616 = _v92;
													__eflags = _t716;
													if(_t716 == 0) {
														_t702 = _v100;
														L105:
														_t637 = _v108;
														__eflags = _t637;
														if(_t637 != 0) {
															 *_t637 = _v128;
														}
														_t719 = _t702 & 0xfffffffc;
														__eflags = _t702 & 0x00000001;
														if((_t702 & 0x00000001) != 0) {
															L145:
															_t638 = _v156;
															_t501 =  *(_t638 + 0x18) & 0x0000ffff;
															_t699 = 0x10b;
															__eflags = _t501 - 0x10b;
															if(_t501 != 0x10b) {
																_t699 = 0x20b;
																__eflags = _t501 - 0x20b;
																if(_t501 != 0x20b) {
																	L255:
																	_v96 = 0;
																	_v68 = 0xc0000089;
																	goto L64;
																}
																_t730 =  *(_t638 + 0x98);
																L147:
																__eflags = _t730;
																if(_t730 == 0) {
																	goto L255;
																}
																__eflags = _v84;
																if(_v84 == 0) {
																	L152:
																	_t619 = _t730 - _v92 + _t719;
																	_v108 = _t619;
																	_v212 = _t619;
																	_t699 = _a4;
																	_t731 = E010547A3(_t719, _a4, _t638, _v164, _t730, _v144);
																	__eflags = _t731;
																	if(_t731 == 0) {
																		_v96 = 0;
																		_v68 = 0xc000007b;
																		goto L64;
																	}
																	__eflags = _v73;
																	if(_v73 != 0) {
																		_t699 = _v88;
																		_t478 = E010E94CA(_v140,  &_v64, 0x10);
																		_v68 = _t478;
																		__eflags = _t478;
																		if(_t478 < 0) {
																			goto L270;
																		}
																		_t504 =  &_v64;
																		_v88 = _t504;
																		_v96 = _t504;
																		L155:
																		_t505 =  *_t504;
																		__eflags = _t505 -  *((intOrPtr*)(_t731 + 8));
																		if(_t505 <=  *((intOrPtr*)(_t731 + 8))) {
																			goto L111;
																		}
																		_v108 =  *((intOrPtr*)(_t731 + 0xc));
																		_t699 = _a4;
																		_t524 = E010547A3(_t719, _a4, _v156, _v164, _t505, _v144);
																		__eflags = _t524;
																		if(_t524 == 0) {
																			_v96 = 0;
																			_v68 = 0xc000007b;
																			goto L64;
																		}
																		_t733 =  *((intOrPtr*)(_t524 + 0xc));
																		_v180 = _t733;
																		_t525 = E010547A3(_t719, _a4, _v156, _v164, _t733, _v144);
																		_v144 = _t525;
																		_t653 = _v84;
																		__eflags = _t525;
																		if(_t525 == 0) {
																			_t734 = 0;
																			L163:
																			__eflags = _t653;
																			if(_t653 == 0) {
																				L167:
																				_t619 = _t619 +  *((intOrPtr*)(_t525 + 0xc)) - _t734 - _v108 + _v92;
																				goto L110;
																			}
																			_t699 = _v108;
																			_t530 = E0108865D(_t525,  *((intOrPtr*)(_t525 + 0xc)), _v108,  &_v80);
																			__eflags = _t530;
																			if(_t530 < 0) {
																				_v68 = 0xc000007b;
																				goto L64;
																			}
																			_t699 = _t734 - _v92;
																			_t532 = E0108865D( &_v80, _v80, _t734 - _v92,  &_v80);
																			__eflags = _t532;
																			if(_t532 < 0) {
																				_v68 = 0xc000007b;
																				goto L64;
																			}
																			_t525 = _v144;
																			goto L167;
																		}
																		__eflags = _t653;
																		if(_t653 == 0) {
																			L162:
																			_t734 =  *((intOrPtr*)(_t525 + 0x14)) -  *((intOrPtr*)(_t525 + 0xc)) + _v180 + _t719;
																			__eflags = _t734;
																			goto L163;
																		}
																		_t699 = _t733 -  *((intOrPtr*)(_t525 + 0xc));
																		_t533 = E01051C45(_t719, _t733 -  *((intOrPtr*)(_t525 + 0xc)),  &_v80);
																		__eflags = _t533;
																		if(_t533 < 0) {
																			_v68 = 0xc000007b;
																			goto L64;
																		}
																		_t699 =  *(_v144 + 0x14);
																		_t535 = E01051C45(_v80,  *(_v144 + 0x14),  &_v80);
																		__eflags = _t535;
																		if(_t535 < 0) {
																			_v68 = 0xc000007b;
																			goto L64;
																		}
																		_t525 = _v144;
																		_t653 = _v84;
																		goto L162;
																	}
																	_t504 = _v88;
																	goto L155;
																}
																_t699 = _t730;
																_t537 = E01051C45(_t719, _t730,  &_v80);
																__eflags = _t537;
																if(_t537 < 0) {
																	_v68 = 0xc000007b;
																	goto L64;
																}
																_t699 = _t616;
																_t539 = E0108865D( &_v80, _v80, _t616,  &_v80);
																__eflags = _t539;
																if(_t539 < 0) {
																	_v68 = 0xc000007b;
																	goto L64;
																}
																_t638 = _v156;
																goto L152;
															}
															_t730 =  *(_t638 + 0x88);
															goto L147;
														} else {
															__eflags = _v73;
															if(_v73 != 0) {
																goto L145;
															}
															_t619 = 0;
															__eflags = 0;
															L110:
															_v212 = _t619;
															_v108 = _t619;
															L111:
															_t699 = _v88;
															_t732 =  *(_t699 + 4);
															_t506 = _v84;
															__eflags = _t506;
															if(_t506 == 0) {
																_t620 = 0;
																L119:
																_t641 = _v200;
																__eflags = _t641;
																if(_t641 == 0) {
																	L126:
																	_t621 = _v220;
																	__eflags = _t621;
																	if(_t621 == 0) {
																		L132:
																		_v68 = 0;
																		goto L64;
																	}
																	__eflags = _v84;
																	if(_v84 == 0) {
																		L131:
																		 *_t621 = _t732;
																		goto L132;
																	}
																	__eflags = _t641;
																	if(_t641 == 0) {
																		goto L131;
																	}
																	_t720 =  *_t641;
																	_t699 = _t732;
																	_t508 = E01051C45(_t720, _t732,  &_v80);
																	__eflags = _t508;
																	if(_t508 < 0) {
																		_v68 = 0xc000007b;
																		goto L64;
																	}
																	__eflags = _t732 + _t720 - (_v100 & 0xfffffffc) + _a4;
																	if(_t732 + _t720 > (_v100 & 0xfffffffc) + _a4) {
																		_v68 = 0xc000007b;
																		goto L64;
																	}
																	goto L131;
																}
																__eflags = _t506;
																if(_t506 == 0) {
																	_t512 =  *_t699 - _v108 + _t719;
																	L125:
																	 *_t641 = _t512;
																	goto L126;
																}
																_t699 = _t620;
																_t514 = E01051C45(_t719, _t620,  &_v80);
																__eflags = _t514;
																if(_t514 < 0) {
																	_v68 = 0xc000007b;
																	goto L64;
																}
																_t647 = _v80;
																__eflags = _t647 - _t719;
																if(_t647 < _t719) {
																	goto L204;
																}
																__eflags = _t647 - (_t719 & 0xfffffffc) + _a4;
																if(_t647 > (_t719 & 0xfffffffc) + _a4) {
																	goto L204;
																}
																_t512 = _t620 + _t719;
																_t641 = _v200;
																goto L125;
															}
															_t699 = _t619;
															_t520 = E0108865D(_v88,  *_v88, _t619,  &_v80);
															__eflags = _t520;
															if(_t520 < 0) {
																_v68 = 0xc000007b;
																goto L64;
															}
															_t620 = _v80;
															__eflags = _t620 - _v92 - _v100;
															if(_t620 < _v92 - _v100) {
																L236:
																_v96 = 0;
																_v68 = 0xc000007b;
																goto L64;
															}
															_t649 = _a4;
															__eflags = _t620 - _t649;
															if(_t620 > _t649) {
																goto L236;
															}
															__eflags = _t732;
															if(_t732 == 0) {
																goto L236;
															}
															__eflags = _t732 - _t649;
															if(_t732 > _t649) {
																goto L236;
															}
															__eflags = _t732 + _t620 - _t649;
															if(_t732 + _t620 > _t649) {
																_v96 = 0;
																_v68 = 0xc000007b;
																goto L64;
															}
															_t506 = _v84;
															_t699 = _v88;
															goto L119;
														}
													}
													_t541 = _v88;
													__eflags = _t541 - _t616;
													if(_t541 <= _t616) {
														goto L236;
													}
													_t699 = _v100;
													__eflags = _t541 + 0x10 - (_v100 & 0xfffffffc) + _a4;
													if(_t541 + 0x10 > (_v100 & 0xfffffffc) + _a4) {
														goto L236;
													}
													goto L105;
												}
												goto L46;
											}
										}
										if(_t546 != 0) {
											__eflags = _v84;
											if(_v84 == 0) {
												L98:
												_t717 = _t721 + _t546 * 8;
												_v188 = _t717;
												_v152 = _t717;
												_t632 = _v73;
												goto L31;
											}
											_t699 = _t546;
											_t587 = E01051C45(_t721, _t546,  &_v80);
											__eflags = _t587;
											if(_t587 < 0) {
												_v68 = 0xc000007b;
												goto L64;
											}
											_t546 = _v116;
											goto L98;
										}
										L31:
										if(_t632 != 0) {
											_t546 = _v34 & 0x0000ffff;
										} else {
											_t546 =  *(_t729 + 0xe) & 0x0000ffff;
										}
										_v116 = _t546;
										_v132 = _t546;
										_t669 = _v84;
										if(_t669 == 0) {
											goto L41;
										} else {
											_t699 = _t546 * 8 >> 0x20;
											_t583 = _t546 * 8;
											_v184 = _t583;
											_v180 = _t699;
											_t775 = _t699;
											if(_t775 < 0 || _t775 <= 0 && _t583 <= 0xffffffff) {
												_v196 = _t583;
												_t689 = _t583 + _t717;
												if(_t689 < _t717) {
													L205:
													_v80 = 0xffffffff;
													_v68 = 0xc000007b;
													goto L64;
												}
												_v80 = _t689;
												if(_t689 > (_v100 & 0xfffffffc) + _a4) {
													_v68 = 0xc000007b;
													goto L64;
												}
												_t546 = _v116;
												goto L40;
											} else {
												_v196 = 0xffffffff;
												_v68 = 0xc000007b;
												goto L64;
											}
										}
									}
									L22:
									if(_t716 == 0) {
										L26:
										if(_t632 != 0) {
											goto L203;
										}
										_t546 =  *(_t729 + 0xc) & 0x0000ffff;
										goto L28;
									}
									_t69 = _t729 + 0x18; // 0x18
									_t698 = _t69;
									if(_t698 < _t729) {
										goto L205;
									}
									_v80 = _t698;
									if(_t698 > (_v100 & 0xfffffffc) + _a4) {
										goto L204;
									} else {
										_t632 = _v73;
										goto L26;
									}
								}
								_t699 = _t699 & 0x00000002;
								__eflags = _v88;
								if(_v88 != 0) {
									goto L101;
								}
								goto L61;
							} else {
								goto L196;
							}
						} else {
							goto L196;
						}
					}
				}
				L1:
				_t474 = 0x7ffe0385;
				goto L2;
			}

0x010878a0
0x010878a5
0x010878a7
0x010878ac
0x010878b7
0x010878be
0x010878c3
0x010878c6
0x010878c8
0x010878ce
0x010878d2
0x010878d8
0x010878db
0x010878e1
0x010878e4
0x010878e7
0x010878ea
0x010878ed
0x010878f6
0x010878fc
0x010878ff
0x01087908
0x01087911
0x0108791a
0x01087923
0x0108792b
0x0108792c
0x0108792d
0x0108792e
0x01087931
0x01087938
0x0108793b
0x0108793e
0x01087942
0x0108794c
0x01087956
0x01087960
0x01087970
0x01087975
0x010c88bf
0x010c88c2
0x00000000
0x00000000
0x010c88d1
0x01087980
0x01087983
0x010c88db
0x010c88e0
0x010c88e2
0x010c88f4
0x010c88e4
0x010c88ed
0x010c88ed
0x010c88f9
0x010c8902
0x010c8907
0x010c8907
0x0108798b
0x010c892e
0x010c892e
0x00000000
0x010879a1
0x010879a1
0x010879a4
0x010879a4
0x010879aa
0x00000000
0x00000000
0x010879b0
0x010879b3
0x010879b6
0x010879bc
0x010c8912
0x010c8918
0x010c891a
0x00000000
0x00000000
0x010c891c
0x010c891f
0x00000000
0x00000000
0x010c8921
0x010c8928
0x00000000
0x00000000
0x00000000
0x010c8928
0x010879c2
0x010879c4
0x010879ca
0x010879d0
0x010879e2
0x010c8938
0x010879e8
0x010879e8
0x010879e8
0x010879ea
0x010879ef
0x010879fd
0x01087a0c
0x010c893f
0x010c8946
0x00000000
0x00000000
0x010c8948
0x01087a12
0x01087a18
0x01087a1a
0x01087a1d
0x01087a20
0x01087a27
0x01087a2e
0x01087a3c
0x01087a43
0x01087a46
0x01087a48
0x01087a48
0x01087a4b
0x01087a56
0x01087a5c
0x01087a5c
0x01087a5c
0x01087a61
0x00000000
0x00000000
0x01087a6a
0x01087a6b
0x01087a6e
0x01087a76
0x01087a79
0x01087c68
0x01087c68
0x00000000
0x01087c68
0x01087a87
0x01087a8e
0x01087e5b
0x01087e5e
0x00000000
0x00000000
0x01087e64
0x01087e6a
0x01087e70
0x01087e72
0x010c894d
0x01087c92
0x01087c92
0x01087c95
0x01087c95
0x01087c97
0x010c8d23
0x010c8d28
0x010c8d28
0x01087ca3
0x01087ca6
0x01087ca8
0x010c8d34
0x010c8d37
0x00000000
0x00000000
0x010c8d46
0x00000000
0x01087cae
0x01087cae
0x01087cae
0x01087cb3
0x01087cb3
0x01087cb6
0x010c8d50
0x010c8d55
0x010c8d57
0x010c8d69
0x010c8d59
0x010c8d62
0x010c8d62
0x010c8d6e
0x010c8d77
0x010c8d77
0x01087cbc
0x01087cc3
0x01087cc6
0x01087cc9
0x01087cd1
0x01087cd2
0x01087cd3
0x01087cd7
0x01087ce1
0x01087ce1
0x01087ca8
0x01087e7b
0x01087e84
0x01087e8a
0x01087e90
0x01087e92
0x01087e94
0x01087ea4
0x01087ea4
0x01087e94
0x01087a94
0x01087a96
0x010c895f
0x010c8967
0x010c896c
0x010c896f
0x010c8971
0x010c8da0
0x010c8da0
0x00000000
0x010c8da0
0x010c8977
0x010c897a
0x010c897c
0x00000000
0x00000000
0x010c8982
0x010c8982
0x01087ace
0x01087ace
0x01087ad1
0x01087ad6
0x01087dfa
0x01087dfc
0x00000000
0x00000000
0x01087e07
0x01087e11
0x01087e16
0x01087e18
0x010c89aa
0x00000000
0x010c89aa
0x01087e22
0x01087e28
0x01087e2d
0x01087e32
0x01087e34
0x010c89b6
0x00000000
0x010c89b6
0x01087e48
0x01087e4a
0x010c89c2
0x00000000
0x010c89c2
0x01087e50
0x01087e53
0x01087e53
0x01087adc
0x01087adc
0x01087adc
0x01087adf
0x01087ae5
0x01087af2
0x01087b63
0x01087b66
0x01087b68
0x0108828b
0x01088292
0x01087c80
0x01087c80
0x01087c82
0x01087c85
0x010880d1
0x010880d1
0x010880d4
0x010c8cfa
0x010c8cfd
0x010c8d0b
0x010c8cff
0x010c8cff
0x010c8cff
0x010880da
0x010880da
0x010880da
0x01087c8b
0x01087c8b
0x01087c8b
0x00000000
0x01087c85
0x01087b72
0x010c8a05
0x010c8a08
0x010c8a0a
0x010c8a18
0x010c8a1d
0x010c8a24
0x010c8a24
0x010c8a27
0x010c8a3f
0x010c8a41
0x010c8a44
0x010c8a46
0x010c8a56
0x010c8a62
0x010c8a67
0x010c8a6a
0x010c8a6c
0x00000000
0x00000000
0x010c8a72
0x010c8a78
0x010c8a81
0x010c8a88
0x010c8a94
0x010c8aa0
0x010c8aa6
0x010c8aa9
0x010c8aac
0x010c8aaf
0x00000000
0x010c8a48
0x010c8a48
0x00000000
0x010c8a48
0x010c8a46
0x01087b78
0x01087b78
0x00000000
0x01087b80
0x01087b80
0x01087b87
0x01087ee1
0x01087ee4
0x01087b90
0x01087b90
0x01087b90
0x01087b92
0x01087b95
0x01087b97
0x01087b9d
0x01087ba0
0x01087ba3
0x01087ba9
0x01087bb0
0x01087bb0
0x01087bb0
0x01087bb2
0x00000000
0x00000000
0x01087bb6
0x01087bb8
0x01087d29
0x01087d29
0x01087d2b
0x01087d31
0x01087d34
0x01087d3a
0x01087d3c
0x01087d3c
0x01087d3f
0x01087d3f
0x01087d57
0x01087d60
0x01087d65
0x01087d68
0x01087d6a
0x00000000
0x01087d70
0x01087d76
0x01087d78
0x01088091
0x01088094
0x01088096
0x010c8aee
0x010c8af0
0x010c8af3
0x010c8af6
0x010c8b31
0x01088080
0x01088080
0x01088083
0x00000000
0x01088083
0x010c8af8
0x010c8afe
0x010c8b10
0x010c8b15
0x010c8b1a
0x010c8b1c
0x0108807d
0x0108807d
0x00000000
0x0108807d
0x010c8b22
0x00000000
0x010c8b22
0x010c8b00
0x00000000
0x010c8b00
0x0108809c
0x0108809f
0x010c8ae3
0x010c8ae6
0x00000000
0x010c8ae6
0x010880a5
0x010880ab
0x010c8ac3
0x00000000
0x010c8ac3
0x010880ba
0x010880bf
0x010880c4
0x010880c6
0x01087d1e
0x01087d1e
0x01087d21
0x00000000
0x01087d21
0x010c8acf
0x00000000
0x010c8acf
0x01087d7e
0x0108830e
0x01088311
0x01088317
0x0108831e
0x0108832d
0x01088330
0x01088333
0x01088320
0x01088320
0x01088323
0x01088325
0x01088325
0x01087d84
0x01087d8a
0x01087d8d
0x01087d93
0x01087d96
0x01087d9c
0x01087d9e
0x01087d9e
0x00000000
0x01087d7e
0x01087d6a
0x01087bc0
0x00000000
0x00000000
0x01087bcb
0x01087bd5
0x01087bde
0x01087be3
0x01087be8
0x00000000
0x00000000
0x01087bf4
0x01087ce4
0x01087ce7
0x01087ce9
0x01088053
0x01088056
0x010c8b68
0x00000000
0x010c8b68
0x0108805c
0x01088062
0x010c8b50
0x00000000
0x010c8b50
0x0108806c
0x01088070
0x01088075
0x01088077
0x010c8b5c
0x00000000
0x010c8b5c
0x00000000
0x01088077
0x01087cef
0x01087cf2
0x01088343
0x01088345
0x00000000
0x01088345
0x01087cf8
0x01087cfe
0x010c8b38
0x00000000
0x010c8b38
0x01087d0d
0x01087d11
0x01087d16
0x01087d18
0x010c8b44
0x00000000
0x010c8b44
0x00000000
0x01087d18
0x00000000
0x01087bf4
0x01087bfa
0x01087c04
0x01087da6
0x01087daa
0x00000000
0x00000000
0x01087db0
0x01087db3
0x01087c62
0x01087c62
0x01087c65
0x00000000
0x01087c65
0x01087dbf
0x01087dc1
0x01087dc7
0x01087dcb
0x01087dd6
0x01087dd8
0x01087dde
0x010c8b6f
0x010c8b76
0x00000000
0x00000000
0x010c8b7c
0x010c8b7f
0x010c8b82
0x010c8b85
0x010c8b88
0x010c8b8e
0x00000000
0x010c8b8e
0x01087de9
0x01087dec
0x01087def
0x01087b90
0x01087b90
0x01087b92
0x01087b95
0x01087b97
0x01087b9d
0x01087ba0
0x01087ba3
0x01087ba9
0x00000000
0x01087ba9
0x01087c0a
0x01087c10
0x01087c13
0x01087c19
0x01087c1f
0x01087c22
0x01087c25
0x00000000
0x01087c25
0x01087b90
0x01087c2d
0x01087c2f
0x01087c32
0x01087c34
0x01088350
0x01088353
0x01088356
0x00000000
0x01087c3a
0x01087c3e
0x01087c44
0x01087c49
0x01087c4b
0x010c8ab7
0x00000000
0x010c8ab7
0x01087c51
0x01087c54
0x01087c57
0x01087c5a
0x01087c5d
0x01087c5f
0x00000000
0x01087c5f
0x01087eef
0x01087eef
0x01087ef1
0x01087c78
0x01087c78
0x01087c7a
0x0108829a
0x0108829c
0x00000000
0x00000000
0x010882a2
0x010882a4
0x010c8ce3
0x010c8ce6
0x010882d9
0x010882d9
0x010882df
0x010882e1
0x010882fc
0x010882fc
0x00000000
0x010882fc
0x010882e3
0x010882e5
0x010882fa
0x010882fa
0x00000000
0x010882fa
0x010882e7
0x010882e9
0x010c898b
0x010c898b
0x00000000
0x010c898b
0x010882f2
0x010882f4
0x010c8cee
0x00000000
0x010c8cee
0x00000000
0x010882f4
0x010882ae
0x010882b5
0x010882ba
0x010882bc
0x010c8cba
0x010c8cc1
0x00000000
0x010c8cc1
0x010882c5
0x010882c8
0x010882d1
0x010882d3
0x010c8ccd
0x010c8cd4
0x00000000
0x010c8cd4
0x00000000
0x010882d3
0x00000000
0x01087c7a
0x01087ef7
0x01087efa
0x01087efc
0x0108835e
0x01087f23
0x01087f23
0x01087f26
0x01087f28
0x01087f2d
0x01087f2d
0x01087f32
0x01087f35
0x01087f38
0x010880e6
0x010880e6
0x010880ec
0x010880f0
0x010880f5
0x010880f8
0x010c8ba9
0x010c8bae
0x010c8bb1
0x010c8ca7
0x010c8ca7
0x010c8cae
0x00000000
0x010c8cae
0x010c8bb7
0x01088104
0x01088104
0x01088106
0x00000000
0x00000000
0x0108810c
0x01088110
0x01088143
0x01088148
0x0108814a
0x0108814d
0x01088161
0x0108816b
0x0108816d
0x0108816f
0x010c8bda
0x010c8be1
0x00000000
0x010c8be1
0x01088175
0x01088179
0x010c8bf3
0x010c8bfc
0x010c8c01
0x010c8c04
0x010c8c06
0x00000000
0x00000000
0x010c8c0c
0x010c8c0f
0x010c8c12
0x01088182
0x01088182
0x01088184
0x01088187
0x00000000
0x00000000
0x01088190
0x010881a6
0x010881ab
0x010881b0
0x010881b2
0x010c8c1a
0x010c8c21
0x00000000
0x010c8c21
0x010881b8
0x010881bb
0x010881d9
0x010881de
0x010881e4
0x010881e7
0x010881e9
0x010c8c45
0x0108823f
0x0108823f
0x01088241
0x01088279
0x01088284
0x00000000
0x01088284
0x01088247
0x0108824d
0x01088252
0x01088254
0x010c8c4c
0x00000000
0x010c8c4c
0x01088260
0x01088266
0x0108826b
0x0108826d
0x010c8c58
0x00000000
0x010c8c58
0x01088273
0x00000000
0x01088273
0x010881ef
0x010881f1
0x01088231
0x0108823d
0x0108823d
0x00000000
0x0108823d
0x010881f9
0x010881fe
0x01088203
0x01088205
0x010c8c2d
0x00000000
0x010c8c2d
0x01088215
0x0108821b
0x01088220
0x01088222
0x010c8c39
0x00000000
0x010c8c39
0x01088228
0x0108822e
0x00000000
0x0108822e
0x0108817f
0x00000000
0x0108817f
0x01088116
0x0108811a
0x0108811f
0x01088121
0x010c8bc2
0x00000000
0x010c8bc2
0x0108812b
0x01088130
0x01088135
0x01088137
0x010c8bce
0x00000000
0x010c8bce
0x0108813d
0x00000000
0x0108813d
0x010880fe
0x00000000
0x01087f3e
0x01087f3e
0x01087f42
0x00000000
0x00000000
0x01087f48
0x01087f48
0x01087f4a
0x01087f4a
0x01087f50
0x01087f53
0x01087f53
0x01087f56
0x01087f59
0x01087f5c
0x01087f5e
0x01088366
0x01087fb9
0x01087fb9
0x01087fbf
0x01087fc1
0x01088006
0x01088006
0x0108800c
0x0108800e
0x01088047
0x01088047
0x00000000
0x01088047
0x01088010
0x01088014
0x01088045
0x01088045
0x00000000
0x01088045
0x01088016
0x01088018
0x00000000
0x00000000
0x0108801a
0x01088020
0x01088024
0x01088029
0x0108802b
0x010c8c8f
0x00000000
0x010c8c8f
0x0108803d
0x0108803f
0x010c8c9b
0x00000000
0x010c8c9b
0x00000000
0x0108803f
0x01087fc3
0x01087fc5
0x01088372
0x01088004
0x01088004
0x00000000
0x01088004
0x01087fcf
0x01087fd3
0x01087fd8
0x01087fda
0x010c8c83
0x00000000
0x010c8c83
0x01087fe0
0x01087fe3
0x01087fe5
0x00000000
0x00000000
0x01087ff3
0x01087ff5
0x00000000
0x00000000
0x01087ffb
0x01087ffe
0x00000000
0x01087ffe
0x01087f68
0x01087f6f
0x01087f74
0x01087f76
0x010c8c64
0x00000000
0x010c8c64
0x01087f7c
0x01087f85
0x01087f87
0x010c8b96
0x010c8b96
0x010c8b9d
0x00000000
0x010c8b9d
0x01087f8d
0x01087f90
0x01087f92
0x00000000
0x00000000
0x01087f98
0x01087f9a
0x00000000
0x00000000
0x01087fa0
0x01087fa2
0x00000000
0x00000000
0x01087fab
0x01087fad
0x010c8c70
0x010c8c77
0x00000000
0x010c8c77
0x01087fb3
0x01087fb6
0x00000000
0x01087fb6
0x01087f38
0x01087f02
0x01087f05
0x01087f07
0x00000000
0x00000000
0x01087f0d
0x01087f1b
0x01087f1d
0x00000000
0x00000000
0x00000000
0x01087f1d
0x00000000
0x01087b87
0x01087b80
0x01087af6
0x01087eac
0x01087eb0
0x01087eca
0x01087eca
0x01087ecd
0x01087ed3
0x01087ed9
0x00000000
0x01087ed9
0x01087eb6
0x01087eba
0x01087ebf
0x01087ec1
0x010c89ce
0x00000000
0x010c89ce
0x01087ec7
0x00000000
0x01087ec7
0x01087afc
0x01087afe
0x010c89da
0x01087b04
0x01087b04
0x01087b04
0x01087b08
0x01087b0b
0x01087b0e
0x01087b13
0x00000000
0x01087b15
0x01087b1a
0x01087b1a
0x01087b1c
0x01087b22
0x01087b28
0x01087b2a
0x01087b3b
0x01087b41
0x01087b46
0x010c8997
0x010c8997
0x010c899e
0x00000000
0x010c899e
0x01087b4c
0x01087b5a
0x010c89e3
0x00000000
0x010c89e3
0x01087b60
0x00000000
0x010c89ef
0x010c89ef
0x010c89f9
0x00000000
0x010c89f9
0x01087b2a
0x01087b13
0x01087a9c
0x01087a9e
0x01087ac2
0x01087ac4
0x00000000
0x00000000
0x01087aca
0x00000000
0x01087aca
0x01087aa0
0x01087aa0
0x01087aa5
0x00000000
0x00000000
0x01087aab
0x01087ab9
0x00000000
0x01087abf
0x01087abf
0x00000000
0x01087abf
0x01087ab9
0x01087c6b
0x01087c6e
0x01087c72
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x010879ef
0x0108798b
0x0108797b
0x0108797b
0x00000000

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 0108794C
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01087960
{, xrefs: 010C8CEE
R, xrefs: 01087956
T, xrefs: 01087942
MUI, xrefs: 01087BCA

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$MUI$R$T${
API String ID: 0-2515562510
Opcode ID: d2cc5c243bcf9b4504d66e081144d42bf45092783203645209db67662fce6acf
Instruction ID: ea860424bf9707f6b678f3765e8f3a696a507390eb0ace9458c6bad1d2052ecc
Opcode Fuzzy Hash: d2cc5c243bcf9b4504d66e081144d42bf45092783203645209db67662fce6acf
Instruction Fuzzy Hash: 73925A70E08219CFDF64DF98C880BAEBBB5BF44704F24829AD9D9AB245D7749981CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0107A309 Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0107A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x1148a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E0107A830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E0107DF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E01059373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E0105A9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0x1148748 - 1;
						if( *0x1148748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E0105B150();
								__eflags =  *0x1147bc8;
								if( *0x1147bc8 == 0) {
									__eflags = 1;
									E01112073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0x1148748 - 1;
							if( *0x1148748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E0108174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E01077D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E011114FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E01059373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E01059819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0x1148748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E0105B150();
											} else {
												E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E0105B150();
											_pop(_t491);
											__eflags =  *0x1147bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E01112073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E0111A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E0107A830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E01077D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E01077D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E01111411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E01077D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E01077D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0x1148748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E0105B150();
							} else {
								E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E0105B150();
							__eflags =  *0x1147bc8;
							if( *0x1147bc8 == 0) {
								__eflags = 0;
								E01112073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0x1148748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E0105B150();
												} else {
													E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E0105B150();
												__eflags =  *0x1147bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E01112073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E0111A80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E0107A830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E0107B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E0107A830(_t553, _v64, _v24);
								_t286 = E01077D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E01077D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E01111411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E01077D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E01077D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E01111411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E0108174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E0107B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E01077D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E011114FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E010799BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E0107A830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E0108ABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x0107a309
0x0107a316
0x0107a319
0x0107a31d
0x0107a32d
0x0107a331
0x010c1e0d
0x010c1e10
0x0107a3cb
0x0107a3cb
0x0107a3bd
0x0107a3c3
0x0107a3c3
0x0107a33a
0x010c1e17
0x010c1e1b
0x010c1e1d
0x010c1e2f
0x010c1e34
0x010c1e36
0x010c1e3c
0x010c1e3c
0x010c1e3c
0x010c1e3c
0x010c1e36
0x010c1e42
0x010c1e45
0x010c1e47
0x0107a3f8
0x0107a3f8
0x0107a3fb
0x0107a3fd
0x010c1e50
0x0107a403
0x0107a411
0x0107a411
0x0107a411
0x0107a41e
0x0107a420
0x0107a424
0x0107a427
0x0107a7c9
0x0107a7cd
0x0107a7d2
0x0107a7d9
0x0107a7e0
0x0107a7e3
0x0107a7ed
0x0107a7f3
0x0107a7f9
0x0107a7ff
0x0107a802
0x0107a807
0x0107a809
0x0107a809
0x0107a809
0x0107a80f
0x0107a80f
0x0107a812
0x0107a81c
0x0107a821
0x0107a824
0x0107a42d
0x0107a42d
0x0107a42d
0x0107a42d
0x0107a42d
0x0107a436
0x0107a43a
0x0107a609
0x0107a60d
0x0107a612
0x0107a616
0x0107a61a
0x010c1e57
0x010c1e59
0x00000000
0x00000000
0x010c1e5f
0x0107a620
0x0107a627
0x010c1e64
0x010c1e66
0x010c1e6c
0x010c1e72
0x010c1e76
0x010c1e95
0x010c1e9a
0x010c1e78
0x010c1e8d
0x010c1e92
0x010c1ea0
0x010c1ea5
0x010c1eaa
0x010c1eb2
0x010c1eb6
0x010c1eb9
0x010c1eb9
0x010c1ebe
0x010c1ec2
0x010c1ec2
0x010c1e66
0x0107a62d
0x0107a633
0x0107a636
0x0107a63a
0x0107a63c
0x0107a640
0x0107a642
0x0107a644
0x0107a644
0x0107a644
0x0107a64d
0x0107a64d
0x0107a651
0x0107a655
0x010c1eca
0x010c1ed1
0x00000000
0x00000000
0x010c1ed7
0x00000000
0x0107a65b
0x0107a669
0x0107a66e
0x0107a670
0x00000000
0x00000000
0x0107a676
0x0107a67b
0x0107a680
0x0107a682
0x010c1f1a
0x0107a688
0x0107a688
0x0107a688
0x0107a68a
0x0107a68d
0x010c1f24
0x010c1f2a
0x010c1f31
0x010c1f43
0x010c1f43
0x010c1f31
0x0107a693
0x0107a697
0x0107a69d
0x0107a6a0
0x0107a6a6
0x0107a6a8
0x0107a6a8
0x0107a6a8
0x0107a6a8
0x0107a6b2
0x0107a6b7
0x0107a6c1
0x0107a6c6
0x0107a6d2
0x0107a6d9
0x0107a6e3
0x0107a6e6
0x0107a6eb
0x0107a6ed
0x0107a6ed
0x0107a6ed
0x0107a6ed
0x0107a6f3
0x0107a6f8
0x0107a702
0x0107a70a
0x0107a70e
0x0107a71a
0x0107a71e
0x010c1fcb
0x010c1fcf
0x010c1fdd
0x010c1fe3
0x010c1fe3
0x0107a724
0x0107a728
0x0107a72a
0x0107a72d
0x0107a737
0x0107a73a
0x0107a73c
0x0107a742
0x0107a748
0x010c1f4d
0x010c1f50
0x010c1f56
0x010c1f5c
0x010c1f5f
0x010c1f7e
0x010c1f83
0x010c1f61
0x010c1f76
0x010c1f7b
0x010c1f89
0x010c1f8e
0x010c1f93
0x010c1f94
0x010c1f9a
0x010c1f9c
0x010c1f9e
0x010c1fa1
0x010c1fa1
0x010c1fa6
0x010c1fa6
0x010c1f50
0x0107a74e
0x0107a751
0x0107a754
0x0107a75d
0x0107a75e
0x0107a762
0x0107a767
0x010c1faf
0x010c1fb0
0x010c1fb9
0x010c1fbe
0x010c1fc2
0x010c1fc2
0x0107a76d
0x0107a76d
0x0107a775
0x0107a778
0x0107a77d
0x0107a77d
0x0107a71e
0x0107a782
0x0107a787
0x0107a789
0x010c1ff3
0x0107a78f
0x0107a78f
0x0107a78f
0x0107a791
0x0107a794
0x010c1ffd
0x010c2006
0x010c200c
0x010c2017
0x010c2019
0x010c2024
0x010c2024
0x010c2024
0x010c2047
0x010c2047
0x010c200c
0x0107a79a
0x0107a79f
0x0107a7a4
0x0107a7a9
0x0107a7ab
0x010c205a
0x0107a7b1
0x0107a7b1
0x0107a7b1
0x0107a7b3
0x0107a7b6
0x00000000
0x0107a7bc
0x010c2066
0x010c2068
0x010c2073
0x010c2073
0x010c2073
0x010c2078
0x010c2079
0x010c207d
0x00000000
0x010c207d
0x0107a7b6
0x0107a440
0x0107a440
0x0107a440
0x0107a446
0x0107a44c
0x0107a44f
0x0107a453
0x0107a455
0x010c20b3
0x010c20b9
0x010c20b9
0x0107a45d
0x0107a460
0x0107a464
0x0107a466
0x0107a46b
0x0107a46f
0x0107a471
0x0107a471
0x0107a471
0x0107a474
0x0107a479
0x0107a47d
0x0107a47f
0x010c2229
0x010c222f
0x0107a3c8
0x0107a3c8
0x0107a3ca
0x0107a3ca
0x00000000
0x0107a3ca
0x010c2235
0x010c223a
0x010c223a
0x00000000
0x00000000
0x010c2240
0x010c2246
0x010c224a
0x010c2269
0x010c226e
0x010c224c
0x010c2261
0x010c2266
0x010c2274
0x010c2279
0x010c227e
0x010c2286
0x010c2288
0x010c228d
0x010c228d
0x010c2292
0x010c2292
0x010c2295
0x010c2295
0x00000000
0x010c2295
0x0107a485
0x0107a489
0x0107a48b
0x0107a48f
0x0107a493
0x0107a497
0x0107a49b
0x0107a4bb
0x0107a4bb
0x0107a4bd
0x0107a4ff
0x0107a4ff
0x0107a501
0x0107a505
0x0107a50f
0x0107a517
0x0107a51b
0x0107a527
0x0107a52b
0x010c2182
0x010c2185
0x010c2193
0x010c2199
0x010c2199
0x0107a531
0x0107a535
0x0107a538
0x0107a548
0x0107a54b
0x0107a54d
0x0107a553
0x0107a559
0x010c2100
0x010c2103
0x010c2109
0x010c210f
0x010c2112
0x010c2131
0x010c2136
0x010c2114
0x010c2129
0x010c212e
0x010c213c
0x010c2141
0x010c2147
0x010c214d
0x010c2151
0x010c2154
0x010c2154
0x010c2159
0x010c2159
0x010c2103
0x0107a55f
0x0107a562
0x0107a565
0x0107a567
0x010c2162
0x0107a56d
0x0107a574
0x0107a575
0x0107a579
0x0107a57e
0x010c2169
0x010c216a
0x010c2170
0x010c2175
0x010c2179
0x010c2179
0x0107a57e
0x0107a584
0x0107a58f
0x0107a58f
0x0107a52b
0x0107a5ad
0x0107a5bc
0x0107a5c1
0x0107a5c6
0x0107a5cb
0x0107a5cd
0x010c21a9
0x0107a5d3
0x0107a5d3
0x0107a5d3
0x0107a5d5
0x0107a5d8
0x010c21b3
0x010c21bc
0x010c21c2
0x010c21cd
0x010c21cf
0x010c21da
0x010c21da
0x010c21da
0x010c21f7
0x010c21f7
0x010c21c2
0x0107a5de
0x0107a5e3
0x0107a5e8
0x0107a5ea
0x010c220a
0x0107a5f0
0x0107a5f0
0x0107a5f0
0x0107a5f2
0x0107a5f5
0x010c2219
0x010c221b
0x010c208c
0x010c208c
0x010c208c
0x010c2095
0x010c2096
0x010c2097
0x010c2098
0x010c20a4
0x010c20a5
0x010c20a9
0x010c20a9
0x00000000
0x0107a5f5
0x0107a4bf
0x0107a4d3
0x0107a4d8
0x0107a4da
0x010c1ede
0x010c1ede
0x010c1ee4
0x010c1ee9
0x00000000
0x00000000
0x010c1f07
0x00000000
0x010c1f07
0x0107a4e0
0x0107a4e5
0x0107a4e7
0x010c20cb
0x0107a4ed
0x0107a4ed
0x0107a4ed
0x0107a4f2
0x0107a4f5
0x010c20d5
0x010c20de
0x010c20e4
0x010c20f6
0x010c20f6
0x010c20e4
0x0107a4fb
0x00000000
0x0107a4fb
0x0107a4a1
0x0107a4a4
0x0107a4a8
0x00000000
0x00000000
0x0107a4aa
0x0107a4ac
0x00000000
0x00000000
0x0107a4b2
0x0107a4b5
0x00000000
0x00000000
0x00000000
0x0107a4b5
0x0107a43a
0x0107a340
0x0107a346
0x0107a600
0x00000000
0x0107a600
0x0107a34f
0x0107a351
0x0107a358
0x0107a3c6
0x00000000
0x0107a371
0x0107a37a
0x0107a37f
0x0107a382
0x0107a384
0x0107a394
0x00000000
0x0107a396
0x0107a399
0x0107a3a7
0x0107a3b0
0x0107a3b4
0x0107a3bb
0x0107a3d2
0x0107a3da
0x0107a3df
0x0107a3e1
0x0107a3e5
0x0107a3ea
0x0107a3f0
0x0107a3f0
0x0107a3e1
0x00000000
0x0107a3bb
0x0107a394

Strings

(LONG)FreeEntry->Size > 1, xrefs: 010C213C
HEAP[%wZ]: , xrefs: 010C1E88, 010C1F71, 010C2124, 010C225C
(UCRBlock != NULL), xrefs: 010C1EA0
HEAP: , xrefs: 010C1E95, 010C1F7E, 010C2131, 010C2269
((LONG)FreeEntry->Size > 1), xrefs: 010C1F89
(!TrailingUCR), xrefs: 010C2274

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 5dcf7e930839d85a0ded4fa25350a1e8f81790969d1c80377e6c506f46e3437a
Instruction ID: 03d8222359a167c93441422b970346e91318cb9e277b503eb674f0b4b003b745
Opcode Fuzzy Hash: 5dcf7e930839d85a0ded4fa25350a1e8f81790969d1c80377e6c506f46e3437a
Instruction Fuzzy Hash: A242DD31A04781DFD755DF28C884A6EBBE5BF88A04F08496DE8C68B252D734D981CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01112D82 Relevance: 7.7, Strings: 6, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E01112D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0x1130e80);
				E010AD0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E010540E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E011130C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E0105B150();
						} else {
							E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E0105B150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E0106EEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E01114496(_t181, 0);
						_t177 = E01074620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E011149A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E0110FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E01051F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E010816C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E01114496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0x1146360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0x1146364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x1146366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E010FD455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E0105B150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E0105B150("Just allocated block at %p for %Ix bytes\n",  *0x1146360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0x1146378 = 1;
									 *0x11460c0 = 0;
									asm("int3");
									 *0x1146378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0x1145708; // 0x0
					 *0x114b1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E010AD130(0, _t177, _t181);
				}
			}

0x01112d82
0x01112d84
0x01112d89
0x01112d8e
0x01112d90
0x01112d92
0x01112d97
0x01112d9a
0x01112da4
0x01112dc0
0x01112dc3
0x01112dd1
0x01112dd6
0x01112dd8
0x011130a7
0x011130a7
0x011130aa
0x011130aa
0x011130ad
0x011130b4
0x00000000
0x011130b9
0x01112de3
0x01112de8
0x01112deb
0x01112dee
0x01112df1
0x01112df3
0x01112dfb
0x01112dfb
0x01112df5
0x01112df5
0x01112df5
0x01112e04
0x01112e0a
0x01112e0d
0x01112e11
0x01112e11
0x01112e12
0x01112e15
0x01112e18
0x01112e1a
0x01113027
0x01113027
0x0111302d
0x01113030
0x0111304f
0x01113054
0x01113032
0x01113047
0x0111304c
0x0111305a
0x01113063
0x00000000
0x01112e20
0x01112e20
0x01112e23
0x00000000
0x00000000
0x01112e29
0x01112e2b
0x01112e47
0x01112e2d
0x01112e33
0x01112e38
0x01112e3f
0x01112e42
0x01112e42
0x01112e4e
0x01112e5d
0x01112e5f
0x01112e62
0x01112e66
0x01112e6b
0x01112e6d
0x00000000
0x01112e73
0x01112e73
0x01112e76
0x01112e7a
0x01112e83
0x01112e83
0x01112e83
0x01112e85
0x01112e87
0x01112e8a
0x01112e8d
0x01112e92
0x01112e9c
0x01112e9f
0x01112ea1
0x01112ea2
0x01112ea6
0x01112ea6
0x01112e9f
0x01112eab
0x01112eaf
0x01112edf
0x01112ee2
0x01112ee5
0x01112eb1
0x01112eb3
0x01112eb8
0x01112ebd
0x01112ec4
0x01112ed6
0x01112ec6
0x01112ec7
0x01112ecc
0x01112ecf
0x01112ed2
0x01112ed2
0x01112ed9
0x01112ed9
0x01112ee8
0x01112eeb
0x01112eef
0x01112ef2
0x01112efe
0x01112f04
0x01112f04
0x01112f04
0x01112f06
0x01112f0d
0x01112f0f
0x01112f13
0x01112f13
0x01112f1b
0x01112f21
0x01112f27
0x01112f95
0x01112f98
0x01112f9b
0x01112fa0
0x00000000
0x00000000
0x01112fa6
0x01112fa9
0x01112fac
0x00000000
0x00000000
0x01112fb2
0x01112fb9
0x00000000
0x00000000
0x01112fc3
0x01112fca
0x00000000
0x00000000
0x01112fd0
0x01112fd6
0x01112fd9
0x01112ff8
0x01112ffd
0x01112fdb
0x01112ff0
0x01112ff5
0x0111300e
0x0111300f
0x0111301a
0x00000000
0x01112f29
0x01112f29
0x01112f2c
0x01112f4b
0x01112f50
0x01112f2e
0x01112f43
0x01112f48
0x01112f56
0x01112f64
0x01112f6c
0x01112f6c
0x01112f72
0x01112f76
0x01112f7c
0x01112f83
0x01112f89
0x01112f8a
0x01112f8a
0x00000000
0x01112f76
0x01112f27
0x01112e6d
0x01112da6
0x01112dab
0x01112db3
0x01112db9
0x011130bc
0x011130c1
0x011130c1

Strings

HEAP[%wZ]: , xrefs: 01112F3E, 01112FEB, 01113042
RtlAllocateHeap, xrefs: 01112DCA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0111305E
HEAP: , xrefs: 01112F4B, 01112FF8, 0111304F
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01113015
Just allocated block at %p for %Ix bytes, xrefs: 01112F5F

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: fd0d1244617b205c0a1fe6e3634768000d4cdb43633ed8e5ae7b850a42a779e1
Instruction ID: bfeabf31152d5a27dda2cd709ce5ce54657c63dffe9153b5939ff11886e4defd
Opcode Fuzzy Hash: fd0d1244617b205c0a1fe6e3634768000d4cdb43633ed8e5ae7b850a42a779e1
Instruction Fuzzy Hash: 56913535510681DFDB2EDF68C440AADFBF2FF89710F28802CE5995B299C7329982CB05

Uniqueness

Uniqueness Score: -1.00%

Function 01063D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01063D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E01061B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E01061B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E01061B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E01061B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E01061B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = E01074620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0109F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E010A1370(_t276, 0x1034e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0109BB40(0,  &_v68, _t170);
									if(L010643C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0109BB40(_t257,  &_v68, _t243);
								if(L010643C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E010A1370(_t278, 0x1034e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = E01074620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0109F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E010A1370(_v16, 0x1034e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0109BB40(_t262,  &_v68, _t244);
								if(L010643C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E010A1370(_t282, 0x1034e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0109BB40(_t262,  &_v68, _t201);
							if(L010643C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = E01074620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0109F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E010A1370(_t280, 0x1034e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0109BB40(_t267,  &_v68, _t245);
							if(L010643C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E010A1370(_t284, 0x1034e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0109BB40(_t267,  &_v68, _t224);
						if(L010643C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x01063d3c
0x01063d42
0x01063d44
0x01063d46
0x01063d49
0x01063d4c
0x01063d4f
0x01063d52
0x01063d55
0x01063d58
0x01063d5b
0x01063d5f
0x01063d61
0x01063d66
0x010b8213
0x010b8218
0x01064085
0x01064088
0x0106408e
0x01064094
0x0106409a
0x010640a0
0x010640a6
0x010640a9
0x010640af
0x010640b6
0x010640bd
0x010640bd
0x01063d83
0x010b821f
0x010b8229
0x010b8238
0x010b8238
0x010b823d
0x010b823d
0x01063da0
0x01063daf
0x01063db5
0x01063dba
0x01063dba
0x01063dd4
0x01063e94
0x01063eab
0x01063f6d
0x01063f84
0x0106406b
0x0106406b
0x0106406e
0x0106406e
0x01064070
0x01064074
0x010b8351
0x010b8351
0x0106407a
0x0106407f
0x010b835d
0x010b8370
0x010b8377
0x010b8379
0x010b837c
0x010b837c
0x010b835d
0x00000000
0x0106407f
0x01063f8a
0x01063f8d
0x01063f90
0x01063f95
0x010b830d
0x010b830f
0x01063f9b
0x01063fac
0x01063fae
0x01063fb1
0x01063fb1
0x01063fb6
0x010b8317
0x010b831a
0x00000000
0x01063fbc
0x01063fc1
0x01063fc9
0x01063fd7
0x01063fda
0x01063fdd
0x01064021
0x01064021
0x01064029
0x01064030
0x01064044
0x01064046
0x01064046
0x01064044
0x01064049
0x010b8327
0x010b8334
0x010b8339
0x010b833c
0x0106404f
0x0106404f
0x0106404f
0x01064051
0x01064056
0x01064063
0x01064063
0x01064068
0x00000000
0x01064068
0x01063fdf
0x01063fe2
0x01063fe4
0x01063fe7
0x01063fef
0x01064003
0x01064005
0x01064005
0x0106400c
0x01064013
0x01064016
0x01064017
0x0106401b
0x0106401e
0x00000000
0x0106401e
0x01063fb6
0x01063eb1
0x01063eb4
0x01063eb7
0x01063ebc
0x010b82a9
0x010b82ab
0x01063ec2
0x01063ed3
0x01063ed5
0x01063ed8
0x01063ed8
0x01063edd
0x010b82b3
0x010b82b6
0x00000000
0x01063ee3
0x01063ee8
0x01063eed
0x01063ef0
0x01063ef3
0x01063f02
0x01063f05
0x01063f08
0x010b82c0
0x010b82c3
0x010b82c5
0x010b82c8
0x010b82d0
0x010b82e4
0x010b82e6
0x010b82e6
0x010b82ed
0x010b82f4
0x010b82f7
0x010b82f8
0x010b82fc
0x010b82ff
0x010b82ff
0x01063f0e
0x01063f11
0x01063f16
0x01063f1d
0x01063f31
0x010b8307
0x010b8307
0x01063f31
0x01063f39
0x01063f48
0x01063f4d
0x01063f50
0x01063f50
0x01063f53
0x01063f58
0x01063f65
0x01063f65
0x01063f6a
0x00000000
0x01063f6a
0x01063edd
0x01063dda
0x01063ddd
0x01063de0
0x01063de5
0x010b8245
0x01063deb
0x01063df7
0x01063dfc
0x01063dfe
0x01063e01
0x01063e01
0x01063e06
0x010b824d
0x010b824f
0x010b8254
0x00000000
0x01063e0c
0x01063e11
0x01063e16
0x01063e19
0x01063e29
0x01063e2c
0x01063e2f
0x010b825c
0x010b825f
0x010b8261
0x010b8264
0x010b826c
0x010b8280
0x010b8282
0x010b8282
0x010b8289
0x010b8290
0x010b8293
0x010b8294
0x010b8298
0x010b829b
0x010b829b
0x01063e35
0x01063e38
0x01063e3d
0x01063e44
0x01063e58
0x010b82a3
0x010b82a3
0x01063e58
0x01063e60
0x01063e6f
0x01063e74
0x01063e77
0x01063e77
0x01063e7a
0x01063e7f
0x01063e8c
0x01063e8c
0x01063e91
0x00000000
0x01063e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01063E97
Kernel-MUI-Language-Allowed, xrefs: 01063DC0
Kernel-MUI-Number-Allowed, xrefs: 01063D8C
WindowsExcludedProcs, xrefs: 01063D6F
Kernel-MUI-Language-SKU, xrefs: 01063F70

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: e6dd45d5cc5f2f224b4c6d19ab77f7d871edf75a410f318c0d54de80ba856548
Instruction ID: d1358846b18914840be10d23f5b67b63ff27d357e78a1c44cf48af844bdab1d3
Opcode Fuzzy Hash: e6dd45d5cc5f2f224b4c6d19ab77f7d871edf75a410f318c0d54de80ba856548
Instruction Fuzzy Hash: 88F14A72D00219EBDB11DF98C980AEEBBFDFF58650F14406AE985EB250D7749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010540E1 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E010540E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0105B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0105B150(", passed to %s", _t29);
					}
					_push("\n");
					E0105B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1146378 = 1;
						asm("int3");
						 *0x1146378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x010540e6
0x010540e8
0x010540f1
0x010b042d
0x010b044c
0x010b0451
0x010b042f
0x010b0444
0x010b0449
0x010b045d
0x010b0466
0x010b046e
0x010b0474
0x010b0475
0x010b047a
0x010b048a
0x010b048c
0x010b0493
0x010b0494
0x010b0494
0x00000000
0x010b049b
0x00000000

Strings

HEAP[%wZ]: , xrefs: 010B043F
Invalid heap signature for heap at %p, xrefs: 010B0458
RtlAllocateHeap, xrefs: 010B0468
HEAP: , xrefs: 010B044C
, passed to %s, xrefs: 010B0469

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 6b4a189010daebb8b0356646a413058da9ae51b0b7fa21a6de6934f03114282e
Instruction ID: 51f4c90ff916e99397e18052b8e15859ab9ba558d92393988e09b96d699da798
Opcode Fuzzy Hash: 6b4a189010daebb8b0356646a413058da9ae51b0b7fa21a6de6934f03114282e
Instruction Fuzzy Hash: E5012832114681AFD3B99779A84DFD777F8DB81F30F18806DF4894B6818FA9A480CA24

Uniqueness

Uniqueness Score: -1.00%

Function 0108701D Relevance: 5.6, Strings: 4, Instructions: 569
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E0108701D(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t253;
				short _t254;
				signed int* _t256;
				signed int* _t257;
				signed int _t258;
				signed char* _t259;
				signed int* _t261;
				signed int _t263;
				signed int* _t267;
				signed int _t268;
				signed int _t275;
				signed char _t281;
				signed int _t290;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed short _t308;
				signed int _t312;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t339;
				signed int _t348;
				signed int _t351;
				short _t357;
				signed char _t363;
				signed int _t366;
				signed char _t369;
				void* _t370;
				signed int _t371;
				signed int _t375;
				signed int _t386;
				signed int _t389;
				signed int* _t391;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				signed int _t409;
				intOrPtr _t410;
				signed int _t414;
				signed int _t415;
				void* _t417;
				void* _t418;
				void* _t419;
				signed int _t426;
				void* _t428;

				_push(0x338);
				_push(0x1130060);
				E010AD0E8(__ebx, __edi, __esi);
				 *(_t418 - 0x2f4) = __edx;
				 *(_t418 - 0x2e8) = __ecx;
				 *(_t418 - 0x2f0) =  *(_t418 + 0xc);
				 *(_t418 - 0x304) =  *(_t418 + 0x14);
				 *(_t418 - 0x328) =  *(_t418 + 0x18);
				 *(_t418 - 0x30c) =  *(_t418 + 0x1c);
				 *(_t418 - 0x308) =  *(_t418 + 0x20);
				 *(_t418 - 0x2e4) = 0;
				 *((intOrPtr*)(_t418 - 0x31c)) = 0;
				 *((intOrPtr*)(_t418 - 0x318)) = 0;
				 *((intOrPtr*)(_t418 - 0x314)) = 0;
				 *((intOrPtr*)(_t418 - 0x310)) = 0;
				 *((char*)(_t418 - 0x2d9)) = 0;
				_t389 =  *(_t418 + 8);
				 *(_t418 - 0x334) = _t389 & 0x00000040;
				 *((char*)(_t418 - 0x2da)) = 0;
				 *((char*)(_t418 - 0x2db)) = 0;
				_t357 = 0x4a;
				 *((short*)(_t418 - 0x300)) = _t357;
				_t253 = 0x4c;
				 *((short*)(_t418 - 0x2fe)) = _t253;
				 *(_t418 - 0x2fc) = L"LdrpResSearchResourceMappedFile Enter";
				_t254 = 0x48;
				 *((short*)(_t418 - 0x348)) = _t254;
				 *((short*)(_t418 - 0x346)) = _t357;
				 *(_t418 - 0x344) = L"LdrpResSearchResourceMappedFile Exit";
				_t256 =  *( *[fs:0x30] + 0x50);
				if(_t256 != 0) {
					__eflags =  *_t256;
					if(__eflags == 0) {
						goto L1;
					}
					_t257 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					if(( *_t257 & 1) != 0) {
						_t258 = E01077D50();
						__eflags = _t258;
						if(_t258 == 0) {
							_t259 = 0x7ffe0384;
						} else {
							_t259 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E010E6715(_t418 - 0x300,  *_t259 & 0x000000ff);
						_t389 =  *(_t418 + 8);
					}
					_t409 = 0;
					_t413 = _t389 & 0x00000080;
					if( *((intOrPtr*)(_t418 + 0x10)) == 3) {
						_t261 =  *(_t418 - 0x2f0);
						_t409 = _t261[2] & 0x0000ffff;
						 *(_t418 - 4) =  *(_t418 - 4) & 0x00000000;
						__eflags =  *_t261 & 0xffff0000;
						if(( *_t261 & 0xffff0000) != 0) {
							__eflags = E0109E490( *_t261, L"MUI");
							if(__eflags != 0) {
								goto L41;
							}
							_t263 = 1;
							L42:
							 *((char*)(_t418 - 0x2d9)) = _t263;
							 *(_t418 - 4) = 0xfffffffe;
							_t389 =  *(_t418 + 8);
							goto L4;
						}
						L41:
						_t263 = 0;
						__eflags = 0;
						goto L42;
					} else {
						L4:
						_t348 = _t413;
						if((_t389 & 0x00000010) == 0) {
							_t348 = _t413;
							__eflags =  *((intOrPtr*)(_t418 + 0x10)) - 1;
							if(__eflags < 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(_t418 + 0x10)) - 3;
							if(__eflags > 0) {
								goto L5;
							}
							_t351 =  *(_t418 - 0x2f0);
							if(__eflags != 0) {
								_t386 = 0;
							} else {
								_t386 =  *(_t351 + 8) & 0x0000ffff;
							}
							__eflags =  *_t351 - 0x10;
							if( *_t351 != 0x10) {
								__eflags =  *_t351 - 0x18;
								if( *_t351 == 0x18) {
									goto L55;
								}
								__eflags =  *((char*)(_t418 - 0x2d9));
								if(__eflags == 0) {
									goto L56;
								}
								goto L55;
							} else {
								L55:
								__eflags =  !_t389 & 0x00000008;
								if(__eflags != 0) {
									__eflags = _t386;
									if(__eflags != 0) {
										__eflags = _t386 - 0x400;
										if(__eflags == 0) {
											goto L65;
										}
										__eflags = _t386 - 0x800;
										if(__eflags != 0) {
											goto L56;
										}
									}
									L65:
									_t389 = _t389 | 0x00000010;
									 *(_t418 + 8) = _t389;
									_t348 = _t413;
									goto L5;
								}
								L56:
								_push(1);
								_push(_t389);
								_push(0);
								_push( *(_t418 - 0x2f4));
								_push( *(_t418 - 0x2e8));
								_t339 = E010662A0(_t351, _t409, _t413, __eflags);
								 *(_t418 - 0x2d8) = _t339;
								__eflags = _t339;
								if(_t339 >= 0) {
									_t348 = E01057406( *(_t418 - 0x2e8), _t351, _t386,  *(_t418 + 8)) | _t413;
									L59:
									_t389 =  *(_t418 + 8);
									goto L5;
								}
								__eflags = _t339 - 0xc000008a;
								if(_t339 != 0xc000008a) {
									L95:
									_t363 = 1;
									L36:
									_t391 = 0x7ffe0385;
									_t96 = _t391 - 1; // 0x7ffe0384
									_t349 = _t96;
									_t267 =  *( *[fs:0x30] + 0x50);
									if(_t267 != 0) {
										__eflags =  *_t267;
										if( *_t267 != 0) {
											_t391 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										}
									}
									if(( *_t391 & _t363) != 0) {
										_t268 = E01077D50();
										__eflags = _t268;
										if(_t268 != 0) {
											_t349 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										}
										E010E6715(_t418 - 0x348,  *_t349 & 0x000000ff);
										goto L38;
									} else {
										L38:
										L39:
										return E010AD130(_t349, _t409, _t413);
									}
								}
								_t348 = _t413 | 0x00080000;
								__eflags = _t348;
								goto L59;
							}
						}
						L5:
						if((_t348 & 0x00060000) == 0x60000) {
							 *(_t418 - 0x2d8) = 0xc000008a;
							goto L95;
						}
						_t366 =  !_t348;
						_t275 =  !_t389;
						_t426 = _t275 & 0x00000010;
						asm("bt ecx, 0x13");
						asm("bt ecx, 0x11");
						 *(_t418 - 0x2d1) = _t426 != 0;
						 *(_t418 - 0x2d0) = 1;
						 *((short*)(_t418 - 0x2cc)) = 0;
						if(((_t389 & 0xffffff00 | _t426 != 0x00000000) & (_t275 & 0xffffff00 | _t426 > 0x00000000) & ((_t275 & 0xffffff00 | _t426 > 0x00000000) & 0xffffff00 | _t426 > 0x00000000)) != 0) {
							L43:
							_t281 =  *(_t418 + 8);
							__eflags = _t281 & 0x00000010;
							if((_t281 & 0x00000010) != 0) {
								__eflags = _t281 & 0x00000020;
								if(__eflags == 0) {
									goto L44;
								}
								L8:
								_t413 =  *(_t418 - 0x2e8);
								_t409 =  *(_t418 - 0x2f4);
								L9:
								_t398 =  *(_t418 + 8);
								L10:
								asm("bt eax, 0x12");
								asm("bt ebx, 0x13");
								if(((( !_t349 & 0xffffff00 | _t428 >= 0x00000000) & 0xffffff00 | (_t398 & 0x00000010) == 0x00000000) & (_t366 & 0xffffff00 | _t428 >= 0x00000000) & ( !_t349 & 0xffffff00 | _t428 >= 0x00000000)) == 0) {
									_push(_t418 - 0x314);
									_push(_t418 - 0x31c);
									_push(_t398);
									_push(_t409);
									_push(_t413);
									_t290 = E01087620(_t349, _t409, _t413, __eflags);
									__eflags = _t290;
									if(_t290 >= 0) {
										do {
											goto L11;
											L34:
										} while (_t409 < 0 && _t299 != 0);
										goto L36;
									}
									goto L39;
								}
								L11:
								asm("sbb al, al");
								_t369 =  !( ~(_t349 & 0x00020000)) &  *(_t418 - 0x2d1);
								 *(_t418 - 0x2d1) = _t369;
								 *(_t418 - 0x2e9) = _t369;
								 *(_t418 - 0x2dc) = _t369;
								_t409 = 0;
								 *(_t418 - 0x2d8) = 0;
								 *(_t418 - 0x2e0) =  *(_t418 - 0x2e0) & 0;
								 *(_t418 - 0x2f8) = 0;
								_t414 = 0;
								while(1) {
									 *(_t418 - 0x2fc) = _t414;
									if(_t414 >= ( *(_t418 - 0x2d0) & 0x0000ffff)) {
										break;
									}
									if(_t369 != 0) {
										 *(_t418 - 0x2e4) =  *(_t418 - 0x2e4) & 0x00000000;
										 *(_t418 - 0x2e0) =  *(_t418 - 0x2e0) & 0x00000000;
										_t302 =  *(_t418 + _t414 * 8 - 0x2cc) & 0x0000ffff;
										__eflags = _t302;
										if(_t302 != 0) {
											__eflags =  *((intOrPtr*)(_t418 + _t414 * 8 - 0x2c8)) - 0xa;
											if( *((intOrPtr*)(_t418 + _t414 * 8 - 0x2c8)) == 0xa) {
												L68:
												_t409 = 0xc000000d;
												 *(_t418 - 0x2d8) = 0xc000000d;
												L121:
												_t414 = _t414 + 1;
												continue;
											}
											 *(_t418 - 0x2f8) = _t302;
											__eflags = _t369;
											if(__eflags == 0) {
												goto L14;
											}
											_push(_t349 | 0x00001000);
											_push(_t418 - 0x2e0);
											_push(_t418 - 0x2e4);
											_push( *(_t418 - 0x2f8));
											_push( *(_t418 - 0x2e8));
											_t409 = E0106BA00(_t349, _t409, _t414, __eflags);
											 *(_t418 - 0x2d8) = _t409;
											__eflags = _t409;
											if(_t409 < 0) {
												__eflags = _t409 - 0xc0000034;
												if(_t409 == 0xc0000034) {
													L106:
													_t409 = 0xc00b0001;
													 *(_t418 - 0x2d8) = 0xc00b0001;
													L120:
													_t369 =  *(_t418 - 0x2d1);
													goto L121;
												}
												__eflags = _t409 - 0xc000003a;
												if(_t409 != 0xc000003a) {
													goto L120;
												}
												goto L106;
											}
											 *((char*)(_t418 - 0x2da)) = 1;
											__eflags =  *(_t418 - 0x2e0);
											if(__eflags == 0) {
												_push(1);
												_push(0x200);
												_push(_t418 - 0x2e0);
												_push( *(_t418 - 0x2e4));
												_t409 = E010884E0(_t349, _t409, _t414, __eflags);
												 *(_t418 - 0x2d8) = _t409;
											}
											_t298 =  *(_t418 + 8);
											__eflags = _t298 & 0x00001000;
											if(__eflags == 0) {
												L76:
												_push(_t418 - 0x310);
												_push(_t418 - 0x318);
												_push(_t298);
												_push( *(_t418 - 0x2e0));
												_push( *(_t418 - 0x2e4));
												_t409 = E01087620(_t349, _t409, _t414, __eflags);
												 *(_t418 - 0x2d8) = _t409;
												_t369 =  *(_t418 - 0x2d1);
												__eflags = _t409;
												if(_t409 >= 0) {
													goto L14;
												}
												goto L121;
											} else {
												__eflags = _t409;
												if(__eflags < 0) {
													_t369 =  *(_t418 - 0x2d1);
													_t413 =  *(_t418 - 0x2f0);
													L29:
													if(_t369 != 0) {
														__eflags = _t298 & 0x00200000;
														if((_t298 & 0x00200000) == 0) {
															E01084CD4( *(_t418 - 0x2e4),  *(_t418 - 0x2e0), _t413,  *((intOrPtr*)(_t418 + 0x10)));
														}
													}
													if(_t409 >= 0) {
														L49:
														_t299 =  *(_t418 - 0x2d1);
														goto L32;
													} else {
														_t371 =  *(_t418 - 0x2e9);
														_t299 = _t371;
														 *(_t418 - 0x2d1) = _t299;
														if(_t371 != 0) {
															__eflags =  *((char*)(_t418 - 0x2db));
															if( *((char*)(_t418 - 0x2db)) != 0) {
																L137:
																_t370 = 0;
																__eflags = _t349 & 0x00040000;
																if((_t349 & 0x00040000) != 0) {
																	_t299 = 0;
																	__eflags = 0;
																} else {
																	_t349 = _t349 | 0x00020000;
																	_t299 =  *(_t418 - 0x2dc);
																}
																 *(_t418 - 0x2d1) = _t299;
																L33:
																_t363 = _t370 + 1;
																goto L34;
															}
															__eflags =  *((char*)(_t418 - 0x2da));
															if( *((char*)(_t418 - 0x2da)) != 0) {
																goto L137;
															}
															_t300 = L01056398( *(_t418 - 0x2e8));
															__eflags = _t300;
															if(_t300 < 0) {
																goto L137;
															}
															_t349 = _t349 | 0x00400000;
															_t363 = 1;
															 *((char*)(_t418 - 0x2db)) = 1;
															_t299 =  *(_t418 - 0x2dc);
															 *(_t418 - 0x2d1) = _t299;
															goto L34;
														}
														L32:
														_t370 = 0;
														goto L33;
													}
												}
												goto L76;
											}
										}
										__eflags =  *((intOrPtr*)(_t418 + _t414 * 8 - 0x2c8)) - 2;
										if( *((intOrPtr*)(_t418 + _t414 * 8 - 0x2c8)) == 2) {
											goto L121;
										}
										goto L68;
									}
									L14:
									 *(_t418 - 0x32c) =  *(_t418 - 0x32c) & 0x00000000;
									if(_t369 != 0) {
										 *(_t418 - 0x320) =  *(_t418 - 0x320) & 0x00000000;
									} else {
										 *(_t418 - 0x320) = _t418 - 0x2f8;
									}
									_t415 =  *(_t418 + 8);
									if(_t369 != 0) {
										_t415 = _t415 | 0x00000020;
									}
									_t303 =  *(_t418 - 0x328);
									if(_t303 == 0) {
										_t303 = _t418 - 0x32c;
									}
									 *(_t418 - 0x324) = _t303;
									_t410 =  *((intOrPtr*)(_t418 - 0x310));
									if(_t369 != 0) {
										_t399 =  *((intOrPtr*)(_t418 - 0x318));
									} else {
										_t410 =  *((intOrPtr*)(_t418 - 0x314));
										_t399 =  *((intOrPtr*)(_t418 - 0x31c));
									}
									_t304 =  *(_t418 - 0x2e0);
									if(_t369 != 0) {
										_t375 =  *(_t418 - 0x2e4);
									} else {
										_t304 =  *(_t418 - 0x2f4);
										_t375 =  *(_t418 - 0x2e8);
									}
									_t413 =  *(_t418 - 0x2f0);
									_t409 = E010878A0(_t375, 0, _t304, _t399, _t410, 0,  *(_t418 - 0x2f0),  *((intOrPtr*)(_t418 + 0x10)), _t418 - 0x2d0,  *(_t418 - 0x304),  *(_t418 - 0x324), _t415,  *(_t418 - 0x320));
									 *(_t418 - 0x2d8) = _t409;
									if( *(_t418 - 0x334) != 0) {
										__eflags =  !_t349 & 0x00040000;
										if(__eflags == 0) {
											goto L24;
										}
										_t369 =  *(_t418 - 0x2d1);
										__eflags = _t409;
										if(__eflags < 0) {
											goto L26;
										}
										_t404 =  *(_t418 - 0x304);
										__eflags =  *(_t418 - 0x304);
										if(__eflags == 0) {
											goto L25;
										}
										__eflags = _t369;
										if(__eflags == 0) {
											goto L25;
										}
										_t320 =  *(_t418 - 0x328);
										__eflags = _t320;
										if(_t320 == 0) {
											_t321 =  *(_t418 - 0x32c);
										} else {
											_t321 =  *_t320;
										}
										_t409 = E01090245( *(_t418 - 0x2e4),  *_t404, _t321,  *((intOrPtr*)(_t413 + 0xc)), 1);
										 *(_t418 - 0x2d8) = _t409;
										__eflags = _t409;
										if(__eflags < 0) {
											 *( *(_t418 - 0x304)) =  *( *(_t418 - 0x304)) & 0x00000000;
											__eflags = _t409 - 0xc000007b;
											if(__eflags == 0) {
												goto L95;
											}
										}
										goto L24;
									} else {
										L24:
										_t369 =  *(_t418 - 0x2d1);
										L25:
										if(_t409 >= 0) {
											L47:
											_t401 =  *(_t418 - 0x308);
											__eflags = _t401;
											if(_t401 == 0) {
												L28:
												_t298 =  *(_t418 + 8);
												goto L29;
											}
											_t308 =  *(_t418 - 0x2f8);
											__eflags = _t308;
											if(_t308 != 0) {
												 *((intOrPtr*)(_t418 - 0x33c)) = _t418 - 0xc8;
												 *((short*)(_t418 - 0x33e)) = 0xac;
												_t409 = E01064720(_t401, _t308 & 0x0000ffff, _t418 - 0x340, 2, 0);
												 *(_t418 - 0x2d8) = _t409;
												__eflags = _t409;
												if(_t409 < 0) {
													goto L95;
												}
												_t312 = ( *(_t418 - 0x340) & 0x0000ffff) >> 1;
												__eflags = _t312;
												_t401 =  *(_t418 - 0x308);
												goto L126;
											} else {
												_t312 = 0;
												 *((short*)(_t418 - 0xc8)) = 0;
												L126:
												 *(_t418 - 0x2fc) = _t312;
												_t363 = 1;
												 *(_t418 - 4) = 1;
												__eflags = _t312 -  *_t401;
												if(_t312 >=  *_t401) {
													L130:
													 *_t401 = _t312 + 1;
													 *(_t418 - 0x2d8) = 0xc0000023;
													 *(_t418 - 4) = 0xfffffffe;
													goto L36;
												}
												__eflags =  *(_t418 - 0x30c);
												if( *(_t418 - 0x30c) == 0) {
													goto L130;
												}
												_t417 = _t312 + _t312;
												E0109F3E0( *(_t418 - 0x30c), _t418 - 0xc8, _t417);
												_t419 = _t419 + 0xc;
												 *( *(_t418 - 0x308)) =  *(_t418 - 0x2fc) + 1;
												__eflags = 0;
												 *((short*)(_t417 +  *(_t418 - 0x30c))) = 0;
												 *(_t418 - 4) = 0xfffffffe;
												_t369 =  *(_t418 - 0x2d1);
												break;
											}
											goto L49;
										}
										L26:
										if(_t369 != 0) {
											_t319 = E010E9024(_t349,  *(_t418 - 0x2e8),  *(_t418 - 0x2f4), _t409, __eflags,  *(_t418 - 0x2e4),  *(_t418 - 0x2e0));
											__eflags = _t319;
											if(_t319 != 0) {
												_t369 =  *(_t418 - 0x2d1);
												goto L28;
											}
											_t414 =  *(_t418 - 0x2fc);
											goto L120;
										}
										if(_t409 >= 0) {
											goto L47;
										}
										goto L28;
									}
								}
								_t413 =  *(_t418 - 0x2f0);
								goto L28;
							}
							L44:
							__eflags = _t281 & 0x00000004;
							if((_t281 & 0x00000004) != 0) {
								_t349 = _t348 | 0x00000004;
							}
							_t409 =  *(_t418 - 0x2f4);
							_t413 =  *(_t418 - 0x2e8);
							_t366 = _t413;
							__eflags = E010699C7(_t366, _t409, _t409, _t349, _t418 - 0x2d0);
							if(__eflags >= 0) {
								goto L9;
							} else {
								_t398 =  *(_t418 + 8);
								__eflags = _t398 & 0x00001000;
								if(__eflags == 0) {
									goto L10;
								} else {
									goto L39;
								}
								goto L47;
							}
						}
						_t428 =  *((intOrPtr*)(_t418 + 0x10)) - 3;
						if(_t428 == 0) {
							goto L43;
						}
						goto L8;
					}
				}
				L1:
				_t257 = 0x7ffe0385;
				goto L2;
			}

0x0108701d
0x01087022
0x01087027
0x0108702c
0x01087032
0x0108703b
0x01087044
0x0108704d
0x01087056
0x0108705f
0x01087067
0x0108706d
0x01087073
0x01087079
0x0108707f
0x01087085
0x0108708b
0x01087093
0x01087099
0x0108709f
0x010870a7
0x010870a8
0x010870b1
0x010870b2
0x010870b9
0x010870c5
0x010870c6
0x010870cd
0x010870d4
0x010870e4
0x010870e9
0x010c841d
0x010c8420
0x00000000
0x00000000
0x010c842f
0x010870f4
0x010870f9
0x010c8439
0x010c843e
0x010c8440
0x010c8452
0x010c8442
0x010c844b
0x010c844b
0x010c8460
0x010c8465
0x010c8465
0x010870ff
0x01087103
0x0108710d
0x01087342
0x01087348
0x0108734c
0x01087350
0x01087356
0x010875ef
0x010875f1
0x00000000
0x00000000
0x010875f7
0x0108735e
0x0108735e
0x01087364
0x0108736b
0x00000000
0x0108736b
0x0108735c
0x0108735c
0x0108735c
0x00000000
0x01087113
0x01087113
0x01087113
0x01087118
0x010873cf
0x010873d1
0x010873d5
0x00000000
0x00000000
0x010873db
0x010873df
0x00000000
0x00000000
0x010873e5
0x010873eb
0x010c849c
0x010873f1
0x010873f1
0x010873f1
0x010873f5
0x010873f8
0x010875fe
0x01087601
0x00000000
0x00000000
0x01087607
0x0108760e
0x00000000
0x00000000
0x00000000
0x010873fe
0x010873fe
0x01087402
0x01087404
0x01087475
0x01087478
0x010c84a8
0x010c84ab
0x00000000
0x00000000
0x010c84b6
0x010c84b9
0x00000000
0x00000000
0x010c84bf
0x0108747e
0x0108747e
0x01087481
0x01087484
0x00000000
0x01087484
0x01087406
0x01087406
0x01087408
0x01087409
0x0108740b
0x01087411
0x01087417
0x0108741c
0x01087422
0x01087424
0x010874d8
0x0108743d
0x0108743d
0x00000000
0x0108743d
0x0108742a
0x0108742f
0x010c8494
0x010c8496
0x01087313
0x01087313
0x01087318
0x01087318
0x01087321
0x01087326
0x010c876e
0x010c8771
0x010c8780
0x010c8780
0x010c8771
0x0108732e
0x010c878b
0x010c8790
0x010c8792
0x010c879d
0x010c879d
0x010c879d
0x010c87ac
0x00000000
0x01087334
0x01087334
0x0108733a
0x0108733f
0x0108733f
0x0108732e
0x01087437
0x01087437
0x00000000
0x01087437
0x010873f8
0x0108711e
0x01087129
0x010c84c4
0x00000000
0x010c84c4
0x01087131
0x01087135
0x01087137
0x0108713c
0x01087145
0x0108714e
0x01087158
0x01087161
0x0108716a
0x01087373
0x01087373
0x01087376
0x01087378
0x01087468
0x0108746a
0x00000000
0x00000000
0x0108717a
0x0108717a
0x01087180
0x01087186
0x01087186
0x01087189
0x0108718d
0x01087194
0x010871a5
0x0108744b
0x01087452
0x01087453
0x01087454
0x01087455
0x01087456
0x0108745b
0x0108745d
0x010871ab
0x00000000
0x01087307
0x01087307
0x00000000
0x010871ab
0x00000000
0x01087463
0x010871ab
0x010871b4
0x010871be
0x010871c0
0x010871c6
0x010871cc
0x010871d2
0x010871d4
0x010871da
0x010871e2
0x010871e9
0x010871eb
0x010871eb
0x010871fa
0x00000000
0x00000000
0x01087202
0x0108748b
0x01087492
0x01087499
0x010874a1
0x010874a4
0x010874df
0x010874e7
0x010874b4
0x010874b4
0x010874b9
0x010c85ea
0x010c85ea
0x00000000
0x010c85ea
0x010874e9
0x010874f0
0x010874f2
0x00000000
0x00000000
0x010874ff
0x01087506
0x0108750d
0x0108750e
0x01087514
0x0108751f
0x01087521
0x01087527
0x01087529
0x010c84ec
0x010c84f2
0x010c8500
0x010c8500
0x010c8505
0x010c85e4
0x010c85e4
0x00000000
0x010c85e4
0x010c84f4
0x010c84fa
0x00000000
0x00000000
0x00000000
0x010c84fa
0x01087532
0x01087538
0x0108753f
0x010c8510
0x010c8511
0x010c851c
0x010c851d
0x010c8528
0x010c852a
0x010c852a
0x01087545
0x01087548
0x0108754d
0x01087557
0x0108755d
0x01087564
0x01087565
0x01087566
0x0108756c
0x01087577
0x01087579
0x0108757f
0x01087585
0x01087587
0x00000000
0x00000000
0x00000000
0x0108754f
0x0108754f
0x01087551
0x010c86ec
0x010c86f2
0x010872de
0x010872e0
0x010875bc
0x010875c1
0x010875d7
0x010875d7
0x010875c1
0x010872e8
0x010873c4
0x010873c4
0x00000000
0x010872ee
0x010872ee
0x010872f4
0x010872f6
0x010872fe
0x010c8708
0x010c870f
0x010c8749
0x010c8749
0x010c874b
0x010c8751
0x010c8761
0x010c8761
0x010c8753
0x010c8753
0x010c8759
0x010c8759
0x010c8763
0x01087306
0x01087306
0x00000000
0x01087306
0x010c8711
0x010c8718
0x00000000
0x00000000
0x010c8720
0x010c8725
0x010c8727
0x00000000
0x00000000
0x010c8729
0x010c8731
0x010c8732
0x010c8738
0x010c873e
0x00000000
0x010c873e
0x01087304
0x01087304
0x00000000
0x01087304
0x010872e8
0x00000000
0x01087551
0x0108754d
0x010874a6
0x010874ae
0x00000000
0x00000000
0x00000000
0x010874ae
0x01087208
0x01087208
0x01087211
0x01087592
0x01087217
0x0108721d
0x0108721d
0x01087223
0x01087228
0x0108759e
0x0108759e
0x0108722e
0x01087236
0x01087238
0x01087238
0x0108723e
0x01087246
0x0108724c
0x010875a6
0x01087252
0x01087252
0x01087258
0x01087258
0x01087260
0x01087266
0x010875b1
0x0108726c
0x0108726c
0x01087272
0x01087272
0x01087295
0x010872a8
0x010872aa
0x010872b7
0x010c8539
0x010c853e
0x00000000
0x00000000
0x010c8544
0x010c854a
0x010c854c
0x00000000
0x00000000
0x010c8552
0x010c8558
0x010c855a
0x00000000
0x00000000
0x010c8560
0x010c8562
0x00000000
0x00000000
0x010c8568
0x010c856e
0x010c8570
0x010c8576
0x010c8572
0x010c8572
0x010c8572
0x010c858f
0x010c8591
0x010c8597
0x010c8599
0x010c85a5
0x010c85a8
0x010c85ae
0x00000000
0x00000000
0x010c85b4
0x00000000
0x010872bd
0x010872bd
0x010872bd
0x010872c3
0x010872c5
0x010873b1
0x010873b1
0x010873b7
0x010873b9
0x010872db
0x010872db
0x00000000
0x010872db
0x010c85f0
0x010c85f7
0x010c85fa
0x010c860d
0x010c8618
0x010c8633
0x010c8635
0x010c863b
0x010c863d
0x00000000
0x00000000
0x010c864a
0x010c864a
0x010c864c
0x00000000
0x010c85fc
0x010c85fc
0x010c85fe
0x010c8652
0x010c8652
0x010c865a
0x010c865b
0x010c865e
0x010c8660
0x010c86b7
0x010c86b8
0x010c86ba
0x010c86c4
0x00000000
0x010c86c4
0x010c8662
0x010c8669
0x00000000
0x00000000
0x010c866b
0x010c867c
0x010c8681
0x010c8691
0x010c8693
0x010c869b
0x010c869f
0x010c86a6
0x00000000
0x010c86a6
0x00000000
0x010c85fa
0x010872cb
0x010872cd
0x010c85d1
0x010c85d6
0x010c85d8
0x010c86fd
0x00000000
0x010c86fd
0x010c85de
0x00000000
0x010c85de
0x010872d5
0x00000000
0x00000000
0x00000000
0x010872d5
0x010872b7
0x010c86ac
0x00000000
0x010c86ac
0x0108737e
0x0108737e
0x01087380
0x010c84d0
0x010c84d0
0x0108738f
0x01087397
0x0108739d
0x010873a4
0x010873a6
0x00000000
0x010873ac
0x010c84d8
0x010c84db
0x010c84e1
0x00000000
0x010c84e7
0x00000000
0x010c84e7
0x00000000
0x010c84e1
0x010873a6
0x01087170
0x01087174
0x00000000
0x00000000
0x00000000
0x01087174
0x0108710d
0x010870ef
0x010870ef
0x00000000

Strings

LdrpResSearchResourceMappedFile Enter, xrefs: 010870B9
#, xrefs: 010C86BA
LdrpResSearchResourceMappedFile Exit, xrefs: 010870D4
MUI, xrefs: 010875E1

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-3266796247
Opcode ID: 9325095d33ae530ffc24841702ce7cb587d9d704a28c116d253b825798be4c61
Instruction ID: e61424bf7218d504901af2bc371c16cba64afc145538f08d97e8b6849f485cd0
Opcode Fuzzy Hash: 9325095d33ae530ffc24841702ce7cb587d9d704a28c116d253b825798be4c61
Instruction Fuzzy Hash: 8D32B2319082698BDF66DF18C844BEDBBB5AF45340F2480EAE8C9A7255D7709F81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0107A830 Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0107A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x1148748 - 1;
					if( *0x1148748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
									_t260 = _t257 + 4;
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E0105B150();
								_t257 = _t260 + 4;
								__eflags =  *0x1147bc8;
								if(__eflags == 0) {
									E01112073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E0111A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E010AD5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E0107AB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E0111A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E0111A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x1148748 - 1;
					if( *0x1148748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E0105B150();
							} else {
								E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E0105B150();
							__eflags =  *0x1147bc8;
							if(__eflags == 0) {
								_t131 = E01112073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x0107a83a
0x0107a83c
0x0107a83e
0x0107a841
0x0107a844
0x0107a84a
0x0107aa53
0x0107aa59
0x0107aa59
0x0107a858
0x0107a85e
0x0107aaf5
0x0107aafc
0x010c229e
0x010c22a2
0x010c22a8
0x010c22b3
0x010c22b5
0x010c22bb
0x010c22c1
0x010c22c5
0x010c22e6
0x010c22eb
0x010c22f0
0x010c22c7
0x010c22dc
0x010c22e1
0x010c22e1
0x010c22f3
0x010c22f8
0x010c22fd
0x010c2300
0x010c2307
0x010c230e
0x010c230e
0x010c2313
0x010c2313
0x010c22b5
0x010c22a2
0x0107aafc
0x0107a864
0x0107a869
0x0107aa5c
0x0107aa5e
0x0107a86f
0x0107a87f
0x0107a885
0x0107a885
0x0107a88b
0x0107a890
0x0107a896
0x0107ab0c
0x0107ab0f
0x0107ab15
0x010c2320
0x010c2320
0x0107ab1b
0x0107a89c
0x0107a89f
0x0107a8a2
0x0107a8a2
0x0107a8a5
0x0107a8af
0x0107a8b3
0x0107a8b8
0x0107aa66
0x0107a8be
0x0107a8c5
0x0107a8c6
0x0107a8ce
0x010c2328
0x010c2332
0x010c2337
0x010c2337
0x0107a8ce
0x0107a8d4
0x0107a8d8
0x0107a8db
0x0107a8de
0x0107a8e1
0x0107a8e5
0x0107a8e8
0x0107a8f0
0x0107a8f3
0x010c234c
0x010c2350
0x010c2355
0x010c2359
0x010c2359
0x0107a8f9
0x0107a901
0x0107aae4
0x0107aae4
0x0107aaea
0x00000000
0x0107a907
0x0107a90a
0x0107a91d
0x0107a91d
0x00000000
0x0107a910
0x0107a910
0x0107a910
0x0107a914
0x0107a924
0x0107a924
0x0107a924
0x0107a924
0x0107a916
0x0107a91b
0x00000000
0x00000000
0x00000000
0x0107a91b
0x0107a925
0x0107a925
0x0107a932
0x0107a936
0x0107a93c
0x0107a93c
0x0107a93c
0x0107ab22
0x0107ab24
0x0107ab27
0x0107ab27
0x0107a942
0x0107a944
0x0107aaba
0x0107aabd
0x0107aac0
0x0107aac0
0x0107aac2
0x0107ab2f
0x0107aac4
0x0107aac4
0x0107aac7
0x0107aaca
0x0107aacc
0x0107aace
0x0107aace
0x0107aace
0x0107aad1
0x0107aad1
0x0107aad7
0x0107aad9
0x00000000
0x00000000
0x010c2361
0x010c2369
0x010c236b
0x00000000
0x010c2371
0x00000000
0x010c2371
0x00000000
0x010c236b
0x0107aac0
0x0107a94a
0x0107a94a
0x0107a94d
0x0107a94d
0x0107a950
0x0107a954
0x010c2376
0x010c2380
0x0107a95a
0x0107a95a
0x0107a95c
0x0107a95f
0x0107a961
0x0107a961
0x0107a967
0x0107a96a
0x0107a972
0x0107aa02
0x0107aa06
0x0107aa10
0x0107aa16
0x0107aa16
0x0107aa1b
0x0107aa21
0x0107aa24
0x0107aa27
0x0107aa29
0x0107aa2c
0x0107aa32
0x00000000
0x00000000
0x00000000
0x00000000
0x0107a978
0x0107a978
0x0107a97b
0x0107a981
0x0107a996
0x0107a998
0x0107a99f
0x0107a9a2
0x010c238a
0x0107a9a8
0x0107a9a8
0x0107a9a8
0x0107a9aa
0x0107a9ad
0x0107a9b0
0x0107a9bb
0x0107a9be
0x0107a9c7
0x0107a9c9
0x0107a9c9
0x0107a9cc
0x0107a9d1
0x0107aa6d
0x0107aa70
0x0107aa73
0x0107aa75
0x0107aa79
0x0107aa7e
0x0107aa82
0x0107aa8f
0x0107aa94
0x0107aa96
0x010c2392
0x010c23a1
0x010c23a1
0x0107aa9c
0x0107aa9f
0x0107aaa2
0x0107aaa2
0x0107aaa8
0x0107aaab
0x0107aaaf
0x00000000
0x0107aab5
0x00000000
0x0107aab5
0x0107a9d7
0x0107a9d7
0x0107a9da
0x0107a9e0
0x0107a9e3
0x0107a9e6
0x0107a9e9
0x0107a9eb
0x0107a9fd
0x0107a9fd
0x00000000
0x0107a9eb
0x00000000
0x00000000
0x00000000
0x0107a983
0x0107a983
0x0107a983
0x0107a987
0x0107a995
0x0107a995
0x0107a995
0x0107a995
0x0107a989
0x0107a98e
0x00000000
0x0107a990
0x00000000
0x0107a990
0x0107a98e
0x00000000
0x0107a983
0x0107a972
0x0107a90a
0x0107aa34
0x0107aa34
0x0107aa40
0x0107aa43
0x0107aa46
0x0107aa4d
0x010c23ab
0x010c23b2
0x010c23b8
0x010c23be
0x010c23c3
0x010c23c5
0x010c23cb
0x010c23d1
0x010c23d5
0x010c23f6
0x010c23fb
0x010c23d7
0x010c23ec
0x010c23f1
0x010c2403
0x010c2408
0x010c2410
0x010c2417
0x010c2422
0x010c2422
0x010c2417
0x010c23c5
0x010c23b2
0x00000000

Strings

HEAP[%wZ]: , xrefs: 010C22D7, 010C23E7
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 010C2403
HEAP: , xrefs: 010C22E6, 010C23F6
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 010C22F3

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 346119332f7919f0da061a304a9672ba0c93194528e865aea0d49c098a9d5055
Instruction ID: 5c4056b6c3ea85ae0a5bd03c4213dbb47c69ce8395c6b66d8b41db290a4b56cc
Opcode Fuzzy Hash: 346119332f7919f0da061a304a9672ba0c93194528e865aea0d49c098a9d5055
Instruction Fuzzy Hash: F4D1BD34B00646DFDB59CF68C490BBEBBF1BF48200F1985A9D9D69B786E330A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0107D1EF Relevance: 5.2, Strings: 4, Instructions: 211
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0107D1EF(signed int __ecx) {
				signed int _v8;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				char _v100;
				char _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t88;
				intOrPtr _t100;
				signed int _t121;
				void* _t122;
				signed char _t126;
				void* _t128;
				void* _t131;
				void* _t133;
				signed int _t136;
				signed int _t138;

				_t123 = __ecx;
				_t138 = (_t136 & 0xfffffff8) - 0x64;
				_t83 =  *0x114d360 ^ _t138;
				_v8 =  *0x114d360 ^ _t138;
				_t121 = __ecx;
				if(__ecx == 0) {
					L15:
					_pop(_t128);
					_pop(_t133);
					_pop(_t122);
					return E0109B640(_t83, _t122, _v8 ^ _t138, _t126, _t128, _t133);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v104 = 0;
					_v100 = 0;
					_t88 = E0109F380( *[fs:0x18] + 0x19c,  &_v104, 8);
					_t138 = _t138 + 0xc;
					if(_t88 != 0) {
						_push(8);
						_push( &_v104);
						_push(0x2c);
						_push(0xfffffffe);
						if(E010995B0() >= 0) {
							_t123 =  *[fs:0x18];
							 *((intOrPtr*)(_t123 + 0x19c)) = _v104;
							 *((intOrPtr*)(_t123 + 0x1a0)) = _v100;
						}
					}
					if(( *(_t121 + 0x28) & 0x00000001) != 0) {
						if(( *(_t121 + 0x38) & 0x00000001) == 0) {
							_t123 = _t121;
							L010720A0(_t121);
							 *(_t121 + 0x28) =  *(_t121 + 0x28) & 0x000000fe;
						}
					}
					if( *((intOrPtr*)(_t121 + 0x2c)) != 0) {
						if(( *(_t121 + 0x38) & 0x00000002) == 0) {
							E01053E80(0);
							 *((intOrPtr*)(_t121 + 0x2c)) = 0;
						}
					}
					_t83 =  *(_t121 + 0x48);
					if(_t83 != 0 && ( *(_t83 + 0x10c) & 0x00000001) == 0) {
						_t83 =  *[fs:0x18];
						_t131 = 0x50;
						if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) != 0) {
							if(( *(_t121 + 0x38) & 0x00000004) == 0) {
								E0109FA60( &_v92, 0, _t131);
								_t138 = _t138 + 0xc;
								_v72 =  *((intOrPtr*)(_t121 + 0x30));
								_v68 =  *((intOrPtr*)(_t121 + 0x34));
								_push( &_v92);
								_v92 = 0xc0000710;
								_v76 = 2;
								L010ADEF0(_t123, _t126);
								_push(4);
								_v100 = 0;
								_push( &_v100);
								_push(5);
								_push(0xfffffffe);
								_t83 = E010995B0();
							}
						}
						_t126 =  *(_t121 + 0x38);
						if((_t126 & 0x00000010) == 0 && E0107D8FC() != 0) {
							_push( *((intOrPtr*)(_t121 + 0x34)));
							E010E5720(0x54, 0, "ThreadPool: callback %p(%p) returned with a transaction uncleared\n",  *((intOrPtr*)(_t121 + 0x30)));
							E0109FA60( &_v92, 0, _t131);
							_t138 = _t138 + 0x20;
							_v92 = 0xc000071d;
							_v76 = 0;
							_push( &_v92);
							_t83 = L010ADEF0(_t123, _t126);
							_t126 =  *(_t121 + 0x38);
						}
						if((_t126 & 0x00000020) == 0) {
							_t123 =  *[fs:0x18];
							_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xa0));
							_t83 =  *(_t100 + 0xc);
							if( *(_t100 + 0xc) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E010E5720(0x54, 0, "ThreadPool: callback %p(%p) returned with the loader lock held\n",  *((intOrPtr*)(_t121 + 0x30)));
								E0109FA60( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071e;
								_v76 = 0;
								_push( &_v92);
								_t83 = L010ADEF0(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if((_t126 & 0x00000040) == 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xfb8)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E010E5720(0x54, 0, "ThreadPool: callback %p(%p) returned with preferred languages set\n",  *((intOrPtr*)(_t121 + 0x30)));
								E0109FA60( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071f;
								_v76 = 0;
								_push( &_v92);
								_t83 = L010ADEF0(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if(_t126 >= 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xf88)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E010E5720(0x54, 0, "ThreadPool: callback %p(%p) returned with background priorities set\n",  *((intOrPtr*)(_t121 + 0x30)));
								E0109FA60( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc0000720;
								_v76 = 0;
								_push( &_v92);
								_t83 = L010ADEF0(_t123, _t126);
							}
						}
					}
					goto L15;
				}
			}

0x0107d1ef
0x0107d1f7
0x0107d1ff
0x0107d201
0x0107d206
0x0107d20c
0x0107d2f8
0x0107d2fc
0x0107d2fd
0x0107d2fe
0x0107d309
0x0107d212
0x0107d232
0x0107d239
0x0107d23a
0x0107d23b
0x0107d23e
0x0107d242
0x0107d246
0x0107d24b
0x0107d250
0x010c3380
0x010c3386
0x010c3387
0x010c3389
0x010c3392
0x010c3398
0x010c33a3
0x010c33ad
0x010c33ad
0x010c3392
0x0107d25a
0x010c33bc
0x010c33c2
0x010c33c4
0x010c33c9
0x010c33c9
0x010c33bc
0x0107d263
0x010c33d6
0x010c33dd
0x010c33e2
0x010c33e2
0x010c33d6
0x0107d269
0x0107d26e
0x0107d27d
0x0107d285
0x0107d28c
0x010c33ee
0x010c33fb
0x010c3403
0x010c3406
0x010c340d
0x010c3415
0x010c3416
0x010c341e
0x010c3426
0x010c342b
0x010c3431
0x010c3435
0x010c3436
0x010c3438
0x010c343a
0x010c343a
0x010c33ee
0x0107d292
0x0107d298
0x010c3444
0x010c3452
0x010c3461
0x010c3466
0x010c3469
0x010c3475
0x010c3479
0x010c347a
0x010c347f
0x010c347f
0x0107d2aa
0x0107d2b2
0x0107d2b9
0x0107d2bf
0x0107d2c5
0x010c3487
0x010c3495
0x010c34a4
0x010c34a9
0x010c34ac
0x010c34b8
0x010c34bc
0x010c34bd
0x010c34c2
0x010c34c2
0x0107d2c5
0x0107d2ce
0x0107d2d0
0x0107d2dc
0x010c34ca
0x010c34d8
0x010c34e7
0x010c34ec
0x010c34ef
0x010c34fb
0x010c34ff
0x010c3500
0x010c3505
0x010c3505
0x0107d2dc
0x0107d2e4
0x0107d2e6
0x0107d2f2
0x010c350d
0x010c351b
0x010c352a
0x010c352f
0x010c3532
0x010c353e
0x010c3542
0x010c3543
0x010c3543
0x0107d2f2
0x0107d2e4
0x00000000
0x0107d26e

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 010C344A
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010C3513
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 010C348D
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 010C34D0

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 437695fe41a25365c7fa5dd378a80f1c76ecef0c8c04113fea88e53a699c318b
Instruction ID: 7ee1cdc52247dcbac72cd8458c94e07fe1bc528e9acf99264c9b66b7cd0b8a49
Opcode Fuzzy Hash: 437695fe41a25365c7fa5dd378a80f1c76ecef0c8c04113fea88e53a699c318b
Instruction Fuzzy Hash: CB71D0B19043059FCB61DF94C884B9B7FE8AF64764F4048A8F9C98B242D734D58ACBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0107A229 Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0107A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E0107DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E01099730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E0111A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E01099660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E0105B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E01077D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E0111138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E01077D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E01077D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01111582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E01077D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E01077D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E01111582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E010AD5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x0107a229
0x0107a231
0x0107a23f
0x0107a242
0x0107a244
0x0107a24c
0x0107a255
0x0107a25a
0x0107a25f
0x010c1c76
0x010c1c78
0x010c1c7e
0x010c1c7f
0x010c1c81
0x010c1c82
0x010c1c84
0x010c1c89
0x010c1c8b
0x010c1c9e
0x010c1c9e
0x010c1cab
0x010c1cb2
0x00000000
0x010c1cb2
0x010c1c8d
0x010c1c92
0x00000000
0x00000000
0x010c1c94
0x010c1c98
0x00000000
0x00000000
0x00000000
0x010c1c98
0x0107a265
0x0107a265
0x0107a266
0x0107a26f
0x0107a270
0x0107a276
0x0107a277
0x0107a279
0x0107a27e
0x0107a282
0x010c1db5
0x010c1dbb
0x010c1dc1
0x010c1dc5
0x010c1de4
0x010c1de9
0x010c1dc7
0x010c1ddc
0x010c1de1
0x010c1def
0x010c1df3
0x010c1df7
0x010c1dfe
0x010c1e06
0x0107a302
0x0107a308
0x0107a308
0x0107a288
0x0107a28d
0x0107a294
0x010c1cc1
0x0107a29a
0x0107a29a
0x0107a29a
0x0107a29f
0x010c1ccb
0x010c1cd1
0x010c1cd8
0x010c1cea
0x010c1cea
0x010c1cd8
0x0107a2a9
0x0107a2af
0x0107a2bc
0x010c1cfd
0x0107a2c2
0x0107a2c2
0x0107a2c2
0x0107a2c7
0x010c1d07
0x010c1d0d
0x010c1d14
0x010c1d1f
0x010c1d21
0x010c1d2c
0x010c1d2c
0x010c1d2c
0x010c1d47
0x010c1d47
0x010c1d14
0x0107a2cd
0x0107a2d2
0x0107a2d9
0x010c1d5a
0x0107a2df
0x0107a2df
0x0107a2df
0x0107a2e4
0x010c1d69
0x010c1d6b
0x010c1d76
0x010c1d76
0x010c1d76
0x010c1d91
0x010c1d91
0x0107a2ea
0x0107a2f0
0x0107a2f5
0x010c1da8
0x010c1dad
0x010c1dad
0x0107a2fd
0x0107a300
0x00000000

Strings

HEAP[%wZ]: , xrefs: 010C1DD7
HEAP: , xrefs: 010C1DE4
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 010C1DF9
`, xrefs: 010C1C8D

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: d84798c4d494e0e867d24ee4256e7c20ca09c8f7851277bde93eca059ae638a2
Instruction ID: e499156ceffc84c4ec97f27b3b35b6542811037da700ca71111578b489061392
Opcode Fuzzy Hash: d84798c4d494e0e867d24ee4256e7c20ca09c8f7851277bde93eca059ae638a2
Instruction Fuzzy Hash: B951E332605681DFD722EB68C844F6FBBE9EF80B50F0804A8F9D58B292D735D901CB65

Uniqueness

Uniqueness Score: -1.00%

Function 011149A4 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 01114AD6
HEAP[%wZ]: , xrefs: 01114A3D, 01114AB7
HEAP: , xrefs: 01114A4A, 01114A5D, 01114A5F, 01114AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01114A61

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 67229d6db9ea227efcb50694e6d644637cb012e18a75128b04c163c4bd23dbad
Instruction ID: 9b1c44b8d407b66f5301e70f4a74d49d3f2dc62b979d8d7cff44fe848652ba34
Opcode Fuzzy Hash: 67229d6db9ea227efcb50694e6d644637cb012e18a75128b04c163c4bd23dbad
Instruction Fuzzy Hash: A9316632200115EFD328CBA8D884FA7B7A8EF08B20F164039F846DB684D771E840CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0105751A Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 010B284E
HEAP[%wZ]: , xrefs: 010B27F7, 010B2834
VirtualProtect Failed 0x%p %x, xrefs: 010B2811
HEAP: , xrefs: 010B2804, 010B2841

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 32524c6798e42bed609c286c4f8867cfc7ef72fa3341012b0079f5029994dda2
Instruction ID: 0f76eddbebfa5a6e3eb8b6bc9231f604060dbfb6c6a13c032c9eb468aaab29ba
Opcode Fuzzy Hash: 32524c6798e42bed609c286c4f8867cfc7ef72fa3341012b0079f5029994dda2
Instruction Fuzzy Hash: 7331C332A00145AFDB91DB99CC84FEFBBB9EF44620F5440A5F954AB291D7B0E940CE61

Uniqueness

Uniqueness Score: -1.00%

Function 01113518 Relevance: 5.1, Strings: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E01113518(signed int* __ecx) {
				char _v8;
				void* _t11;
				signed int* _t34;

				_push(__ecx);
				_t34 = __ecx;
				if(__ecx !=  *((intOrPtr*)( *[fs:0x30] + 0x18))) {
					if(E010540E1("RtlDestroyHeap") == 0 || E01114496(__ecx, 0) == 0) {
						goto L5;
					} else {
						_t32 = __ecx + 0x80;
						 *((intOrPtr*)(__ecx + 0x60)) = 0;
						if( *((intOrPtr*)(__ecx + 0x80)) != 0) {
							_v8 = 0;
							E0108174B(_t32,  &_v8, 0x8000);
						}
						_t11 = 1;
					}
				} else {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0105B150("May not destroy the process heap at %p\n", _t34);
					L5:
					_t11 = 0;
				}
				return _t11;
			}

0x0111351d
0x01113525
0x0111352a
0x0111357d
0x00000000
0x0111358c
0x0111358e
0x01113594
0x01113599
0x0111359b
0x011135a7
0x011135a7
0x011135ac
0x011135ac
0x0111352c
0x01113536
0x01113555
0x0111355a
0x01113538
0x0111354d
0x01113552
0x01113566
0x0111356d
0x0111356d
0x0111356d
0x011135b2

Strings

HEAP[%wZ]: , xrefs: 01113548
May not destroy the process heap at %p, xrefs: 01113561
HEAP: , xrefs: 01113555
RtlDestroyHeap, xrefs: 01113571

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 9bfacecc416d9b50010f33e59e47c4d8f28006ffd87200be49079cd67ed7bd51
Instruction ID: a1252f63d1c2f52656088c3bdbe7126620dc07193a4ad19ba06f559fbc01007e
Opcode Fuzzy Hash: 9bfacecc416d9b50010f33e59e47c4d8f28006ffd87200be49079cd67ed7bd51
Instruction Fuzzy Hash: 01012B321206019FC7A9EB6DC444BD6B3E9FB41E20F004465E8959F289DB71E941CA55

Uniqueness

Uniqueness Score: -1.00%

Function 010799BF Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E010799BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E0110FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E0111A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E010AD540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E0105B150();
										} else {
											E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E0105B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x1146378 = 1;
											asm("int3");
											 *0x1146378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E0107A229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E0107A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E0107BC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E0111A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E0107A229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E0107A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E010AD540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E0105B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x1146378 = 1;
									asm("int3");
									 *0x1146378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E0110FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E0111A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E010AD540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E0105B150();
													} else {
														E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E0105B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x1146378 = 1;
														asm("int3");
														 *0x1146378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E0107A229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E0107A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E0107BC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E0111A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E010AD540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E0105B150();
													} else {
														E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E0105B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x1146378 = 1;
														asm("int3");
														 *0x1146378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E0107A229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E0107A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E0107BC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E0107BC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x010799ca
0x010799cc
0x010799df
0x010799e3
0x010799f8
0x010799fb
0x010799fb
0x00000000
0x01079a48
0x01079a48
0x01079a4c
0x01079a51
0x01079a55
0x01079a61
0x01079a66
0x01079a68
0x010c1457
0x010c145c
0x010c145c
0x01079a68
0x01079a6e
0x01079a71
0x01079a74
0x01079a76
0x010c1466
0x010c1469
0x010c1469
0x010c146c
0x010c146e
0x010c1471
0x010c1474
0x010c1477
0x010c1479
0x010c159c
0x010c159c
0x010c159d
0x010c15a6
0x010c15ab
0x010c15ab
0x00000000
0x010c15ab
0x010c147f
0x010c1481
0x00000000
0x00000000
0x010c148a
0x010c148d
0x010c1493
0x010c1495
0x010c14c0
0x010c14c0
0x010c14c3
0x010c14c6
0x010c14c8
0x010c14cb
0x010c14cf
0x010c14f2
0x010c14f2
0x010c14f5
0x010c14f8
0x010c1501
0x010c1508
0x010c150b
0x010c150e
0x010c1510
0x010c1513
0x010c1515
0x010c1515
0x010c1518
0x010c1518
0x010c1513
0x010c1521
0x010c1525
0x010c152a
0x010c152d
0x010c1530
0x010c1532
0x010c1539
0x010c153d
0x010c155d
0x010c1562
0x010c153f
0x010c1555
0x010c155a
0x010c1570
0x010c1577
0x010c157c
0x010c1582
0x010c1585
0x010c1589
0x010c158b
0x010c1592
0x010c1593
0x010c1593
0x010c1589
0x010c1530
0x00000000
0x010c14f8
0x010c14d5
0x010c14da
0x010c14dc
0x00000000
0x010c14de
0x010c14e8
0x00000000
0x010c14e8
0x010c1497
0x010c1497
0x010c14a4
0x010c14a4
0x010c14a7
0x010c14a9
0x010c14ab
0x010c14ab
0x010c149c
0x010c149e
0x010c14a0
0x010c14b0
0x010c14b0
0x00000000
0x010c14a2
0x010c14a2
0x00000000
0x010c14a2
0x010c14a0
0x010c14b3
0x010c14bb
0x00000000
0x010c14bb
0x010c1495
0x01079a7c
0x01079a7c
0x01079a7f
0x01079a7f
0x01079a82
0x01079a84
0x01079a87
0x01079a8a
0x01079a8d
0x01079a8f
0x010c166a
0x010c166a
0x010c166b
0x010c1674
0x00000000
0x010c1674
0x01079a95
0x01079a97
0x00000000
0x00000000
0x01079aa0
0x01079aa3
0x01079aa9
0x01079aab
0x01079ad7
0x01079ad7
0x01079ada
0x01079add
0x01079adf
0x01079ae2
0x01079ae6
0x01079b22
0x01079b27
0x01079b29
0x00000000
0x01079b2b
0x010c15be
0x00000000
0x010c15be
0x01079b29
0x01079ae8
0x01079ae8
0x01079aeb
0x01079aee
0x010c15cb
0x010c15d2
0x010c15d5
0x010c15d7
0x010c15da
0x010c15dc
0x010c15dc
0x010c15dc
0x010c15da
0x010c15e5
0x010c15e9
0x010c15ee
0x010c15f1
0x010c15f3
0x010c15f9
0x010c1600
0x010c1604
0x010c1624
0x010c1629
0x010c1606
0x010c161c
0x010c1621
0x010c1637
0x010c163e
0x010c1643
0x010c1649
0x010c164c
0x010c1650
0x010c1656
0x010c165d
0x010c165e
0x010c165e
0x010c1650
0x010c15f3
0x01079af4
0x01079af7
0x01079afc
0x01079b00
0x01079b04
0x01079b08
0x01079b14
0x010799fe
0x01079a04
0x01079a07
0x00000000
0x01079a29
0x010c169c
0x010c16a0
0x010c16a5
0x010c16a9
0x010c16b5
0x010c16ba
0x010c16bc
0x010c16be
0x010c16c3
0x010c16c3
0x010c16bc
0x010c16c8
0x010c16cc
0x010c181b
0x010c181b
0x010c181e
0x010c181e
0x010c1821
0x010c1823
0x010c1826
0x010c1829
0x010c182c
0x010c182e
0x010c1688
0x010c1688
0x010c1689
0x010c168b
0x010c168c
0x010c168d
0x010c168f
0x010c1692
0x00000000
0x010c1692
0x010c1834
0x010c1836
0x00000000
0x00000000
0x010c183f
0x010c1842
0x010c1848
0x010c184a
0x010c1875
0x010c1875
0x010c1878
0x010c187b
0x010c187d
0x010c1880
0x010c1884
0x010c18a7
0x010c18a7
0x010c18aa
0x010c18ad
0x010c18b6
0x010c18bd
0x010c18c0
0x010c18c3
0x010c18c5
0x010c18c8
0x010c18ca
0x010c18ca
0x010c18cd
0x010c18cd
0x010c18c8
0x010c18d5
0x010c18da
0x010c18df
0x010c18e2
0x010c18e5
0x010c18e7
0x010c18ee
0x010c18f2
0x010c1912
0x010c1917
0x010c18f4
0x010c190a
0x010c190f
0x010c1925
0x010c192c
0x010c1931
0x010c193a
0x010c193e
0x010c1940
0x010c1947
0x010c1948
0x010c1948
0x010c193e
0x010c18e5
0x010c194f
0x010c1952
0x010c1956
0x010c195d
0x010c1961
0x010c196d
0x00000000
0x010c196d
0x010c188a
0x010c188f
0x010c1891
0x00000000
0x00000000
0x010c189d
0x00000000
0x010c189d
0x010c184c
0x010c1859
0x010c1859
0x010c185c
0x00000000
0x00000000
0x010c1851
0x010c1853
0x010c1855
0x010c1865
0x010c1865
0x010c1866
0x010c1868
0x010c1870
0x00000000
0x010c1870
0x010c1857
0x010c1857
0x010c185e
0x00000000
0x010c16d2
0x010c16d2
0x010c16d5
0x010c16d5
0x010c16d8
0x010c16da
0x010c16dd
0x010c16e0
0x010c16e3
0x010c16e5
0x010c1808
0x010c1808
0x010c1809
0x010c1812
0x010c1817
0x010c1817
0x00000000
0x010c1817
0x010c16eb
0x010c16ed
0x00000000
0x00000000
0x010c16f6
0x010c16f9
0x010c16ff
0x010c1701
0x010c172c
0x010c172c
0x010c172f
0x010c1732
0x010c1734
0x010c1737
0x010c173b
0x010c175e
0x010c175e
0x010c1761
0x010c1764
0x010c176d
0x010c1774
0x010c1777
0x010c177a
0x010c177c
0x010c177f
0x010c1781
0x010c1781
0x010c1784
0x010c1784
0x010c177f
0x010c178c
0x010c1791
0x010c1796
0x010c1799
0x010c179c
0x010c179e
0x010c17a5
0x010c17a9
0x010c17c9
0x010c17ce
0x010c17ab
0x010c17c1
0x010c17c6
0x010c17dc
0x010c17e3
0x010c17e8
0x010c17ee
0x010c17f1
0x010c17f5
0x010c17f7
0x010c17fe
0x010c17ff
0x010c17ff
0x010c17f5
0x010c179c
0x00000000
0x010c1764
0x010c1741
0x010c1746
0x010c1748
0x00000000
0x00000000
0x010c1754
0x00000000
0x010c1754
0x010c1703
0x010c1710
0x010c1710
0x010c1713
0x00000000
0x00000000
0x010c1708
0x010c170a
0x010c170c
0x010c171c
0x010c171c
0x010c171d
0x010c171f
0x010c1727
0x00000000
0x010c1727
0x010c170e
0x010c170e
0x010c1715
0x00000000
0x010c1715
0x010c16cc
0x01079a45
0x01079a45
0x01079a0e
0x01079a1c
0x01079a23
0x010c167e
0x010c167f
0x010c1681
0x010c1683
0x010c1684
0x00000000
0x010c1684
0x00000000
0x01079aad
0x01079aad
0x01079ab0
0x01079ab3
0x01079ab3
0x01079ab6
0x00000000
0x00000000
0x01079ab8
0x01079aba
0x01079abc
0x01079ac8
0x01079ac8
0x00000000
0x01079abe
0x01079abe
0x01079ac0
0x00000000
0x01079ac0
0x01079abc
0x01079ad2
0x00000000
0x01079ad2
0x01079aab

Strings

HEAP[%wZ]: , xrefs: 010C1550, 010C1617, 010C17BC, 010C1905
HEAP: , xrefs: 010C155D, 010C1624, 010C17C9, 010C1912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 010C1572, 010C1639, 010C17DE, 010C1927

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 36bb7195b236ecb92239df470d7cd05cd7baf250b2e8558dce72131f3d97e6fc
Instruction ID: 079d58501e2985e803275ffbff6f29bc1ec4787f9cb0eeaab2d3d17628135893
Opcode Fuzzy Hash: 36bb7195b236ecb92239df470d7cd05cd7baf250b2e8558dce72131f3d97e6fc
Instruction Fuzzy Hash: EE22BF70A00246DFEB65DF29C444B7EBBF5EF45B04F2885ADE8868B282D735D885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010662A0 Relevance: 4.0, Strings: 3, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E010662A0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				short _t93;
				short _t94;
				signed char* _t98;
				signed int _t99;
				signed char* _t100;
				signed int _t102;
				signed char* _t106;
				signed int _t107;
				signed char* _t108;
				signed int _t118;
				void* _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t130;
				void* _t132;
				void* _t134;
				void* _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t143;
				short _t148;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t158;
				intOrPtr _t159;
				intOrPtr _t160;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				signed int _t173;
				intOrPtr _t178;
				void* _t179;
				void* _t180;
				void* _t181;
				void* _t182;
				signed int _t187;
				signed int _t192;
				signed int _t193;
				signed int _t195;
				void* _t196;

				_push(0x44);
				_push(0x112f958);
				E010AD0E8(__ebx, __edi, __esi);
				 *(_t196 - 0x34) =  *(_t196 + 8);
				 *(_t196 - 0x3c) =  *(_t196 + 0x10);
				 *((intOrPtr*)(_t196 - 0x28)) = L"MUI";
				 *((intOrPtr*)(_t196 - 0x24)) = 1;
				 *((intOrPtr*)(_t196 - 0x20)) = 0;
				 *(_t196 - 0x38) =  *(_t196 + 0xc);
				 *(_t196 - 0x30) = 0;
				_t148 = 0x2e;
				 *((short*)(_t196 - 0x4c)) = _t148;
				_t93 = 0x30;
				 *((short*)(_t196 - 0x4a)) = _t93;
				 *(_t196 - 0x48) = L"LdrResGetRCConfig Enter";
				_t94 = 0x2c;
				 *((short*)(_t196 - 0x54)) = _t94;
				 *((short*)(_t196 - 0x52)) = _t148;
				 *(_t196 - 0x50) = L"LdrResGetRCConfig Exit";
				_t187 =  *(_t196 + 0x14) & 0x00002000;
				asm("sbb esi, esi");
				_t192 = ( ~_t187 & 0x00001000) + 0x1030;
				if(E01077D50() != 0) {
					_t98 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				} else {
					_t98 = 0x7ffe0385;
				}
				if(( *_t98 & 0x00000001) != 0) {
					_t99 = E01077D50();
					__eflags = _t99;
					if(_t99 == 0) {
						_t100 = 0x7ffe0384;
					} else {
						_t100 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E010E6715(_t196 - 0x4c,  *_t100 & 0x000000ff);
				}
				_t102 =  *(_t196 - 0x34);
				if(_t102 == 0) {
					_t193 = 0xc000000d;
					goto L7;
				} else {
					if( *((intOrPtr*)(_t196 + 0x18)) == 0) {
						L17:
						__eflags =  *(_t196 + 0xc);
						if(__eflags == 0) {
							__eflags = _t187;
							if(__eflags != 0) {
								goto L18;
							}
							_push(0);
							_push( *(_t196 + 0x14));
							_push(_t196 - 0x38);
							_push(_t102);
							__eflags = E010884E0(0, _t187, _t192, __eflags);
							if(__eflags >= 0) {
								goto L18;
							}
							L12:
							return E010AD130(0, _t187, _t193);
						}
						L18:
						_t195 = E0108701D(0,  *(_t196 - 0x34),  *(_t196 - 0x38), _t187, _t192 | 0x00200000, __eflags, _t192 | 0x00200000, _t196 - 0x28, 3, _t196 - 0x30, _t196 - 0x40, 0, 0);
						 *(_t196 - 0x2c) = _t195;
						__eflags = _t195;
						if(_t195 >= 0) {
							 *((intOrPtr*)(_t196 - 4)) = 0;
							__eflags = _t187;
							_t187 =  *(_t196 - 0x30);
							if(__eflags != 0) {
								L55:
								 *((intOrPtr*)(_t196 - 4)) = 0xfffffffe;
								_t118 =  *(_t196 - 0x3c);
								__eflags = _t118;
								if(_t118 != 0) {
									 *_t118 = _t187;
								}
								_t193 = 0;
								 *(_t196 - 0x2c) = 0;
								L23:
								__eflags =  *((char*)(_t196 + 0x18));
								if( *((char*)(_t196 + 0x18)) != 0) {
									__eflags = _t187;
									if(__eflags == 0) {
										_t187 = _t187 | 0xffffffff;
										__eflags = _t187;
									}
									_push(0);
									_push(_t193);
									_push(2);
									_push(0);
									_push(_t187);
									_push(0);
									E0108DA88(0,  *(_t196 - 0x34), 0, _t187, _t193, __eflags);
								}
								L8:
								if(E01077D50() != 0) {
									_t106 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									_t193 =  *(_t196 - 0x2c);
								} else {
									_t106 = 0x7ffe0385;
								}
								if(( *_t106 & 0x00000001) != 0) {
									_t107 = E01077D50();
									__eflags = _t107;
									if(_t107 == 0) {
										_t108 = 0x7ffe0384;
									} else {
										_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
										_t193 =  *(_t196 - 0x2c);
									}
									E010E6715(_t196 - 0x54,  *_t108 & 0x000000ff);
								}
								goto L12;
							}
							_t178 =  *((intOrPtr*)(_t187 + 4));
							__eflags = _t178 + _t187 - ( *(_t196 - 0x34) & 0xfffffffc) +  *(_t196 - 0x38);
							if(_t178 + _t187 > ( *(_t196 - 0x34) & 0xfffffffc) +  *(_t196 - 0x38)) {
								_t193 = 0xc000007b;
								 *(_t196 - 0x2c) = 0xc000007b;
								L61:
								 *((intOrPtr*)(_t196 - 4)) = 0xfffffffe;
								L21:
								__eflags = _t193;
								if(_t193 < 0) {
									_t187 = 0;
								}
								goto L23;
							}
							_t193 = 0xc00b0003;
							 *(_t196 - 0x2c) = 0xc00b0003;
							_t156 =  *((intOrPtr*)(_t187 + 0x44));
							_t122 =  *((intOrPtr*)(_t187 + 0x48)) + _t156;
							__eflags = _t122 - _t178;
							if(_t122 > _t178) {
								goto L61;
							}
							__eflags = _t122 - _t156;
							if(_t122 < _t156) {
								goto L61;
							}
							_t157 =  *((intOrPtr*)(_t187 + 0x4c));
							_t124 =  *((intOrPtr*)(_t187 + 0x50)) + _t157;
							__eflags = _t124 - _t178;
							if(_t124 > _t178) {
								goto L61;
							}
							__eflags = _t124 - _t157;
							if(_t124 < _t157) {
								goto L61;
							}
							_t158 =  *((intOrPtr*)(_t187 + 0x54));
							_t126 =  *((intOrPtr*)(_t187 + 0x58)) + _t158;
							__eflags = _t126 - _t178;
							if(_t126 > _t178) {
								goto L61;
							}
							__eflags = _t126 - _t158;
							if(_t126 < _t158) {
								goto L61;
							}
							_t159 =  *((intOrPtr*)(_t187 + 0x5c));
							_t128 =  *((intOrPtr*)(_t187 + 0x60)) + _t159;
							__eflags = _t128 - _t178;
							if(_t128 > _t178) {
								goto L61;
							}
							__eflags = _t128 - _t159;
							if(_t128 < _t159) {
								goto L61;
							}
							_t160 =  *((intOrPtr*)(_t187 + 0x64));
							_t130 =  *((intOrPtr*)(_t187 + 0x68)) + _t160;
							__eflags = _t130 - _t178;
							if(_t130 > _t178) {
								goto L61;
							}
							__eflags = _t130 - _t160;
							if(_t130 < _t160) {
								goto L61;
							}
							_t161 =  *((intOrPtr*)(_t187 + 0x6c));
							_t132 =  *((intOrPtr*)(_t187 + 0x70)) + _t161;
							__eflags = _t132 - _t178;
							if(_t132 > _t178) {
								goto L61;
							}
							__eflags = _t132 - _t161;
							if(_t132 < _t161) {
								goto L61;
							}
							_t162 =  *((intOrPtr*)(_t187 + 0x74));
							_t134 =  *((intOrPtr*)(_t187 + 0x78)) + _t162;
							__eflags = _t134 - _t178;
							if(_t134 > _t178) {
								goto L61;
							}
							__eflags = _t134 - _t162;
							if(_t134 < _t162) {
								goto L61;
							}
							_t163 =  *((intOrPtr*)(_t187 + 0x7c));
							_t136 =  *((intOrPtr*)(_t187 + 0x80)) + _t163;
							__eflags = _t136 - _t178;
							if(_t136 > _t178) {
								goto L61;
							}
							__eflags = _t136 - _t163;
							if(_t136 < _t163) {
								goto L61;
							}
							__eflags =  *_t187 - 0xfecdfecd;
							if( *_t187 != 0xfecdfecd) {
								goto L61;
							}
							__eflags = _t178 -  *((intOrPtr*)(_t196 - 0x40));
							if(_t178 !=  *((intOrPtr*)(_t196 - 0x40))) {
								goto L61;
							}
							__eflags =  *((intOrPtr*)(_t187 + 8)) - 0x10000;
							if( *((intOrPtr*)(_t187 + 8)) != 0x10000) {
								goto L61;
							}
							_t164 =  *(_t187 + 0xc);
							__eflags =  *(_t187 + 0xc);
							if( *(_t187 + 0xc) != 0) {
								_t179 = 7;
								_t137 = E010595C8(_t164, _t179);
								__eflags = _t137;
								if(_t137 == 0) {
									goto L61;
								}
							}
							_t180 = 3;
							_t138 = E010595C8( *(_t187 + 0x10) & 0xffffffcf, _t180);
							__eflags = _t138;
							if(_t138 == 0) {
								goto L61;
							}
							_t181 = 0x30;
							_t139 = E010595C8( *(_t187 + 0x10) & 0xfffffffc, _t181);
							__eflags = _t139;
							if(_t139 == 0) {
								goto L61;
							}
							__eflags =  *(_t187 + 0x10) & 0x00000001;
							if(( *(_t187 + 0x10) & 0x00000001) == 0) {
								L54:
								 *(_t196 - 0x2c) = 0;
								goto L55;
							}
							_t182 = 3;
							_t140 = E010595C8( *((intOrPtr*)(_t187 + 0x18)), _t182);
							__eflags = _t140;
							if(_t140 == 0) {
								goto L61;
							}
							_t170 =  *(_t187 + 0x14);
							__eflags =  *(_t187 + 0x14);
							if( *(_t187 + 0x14) != 0) {
								_t141 = E010595C8(_t170, 0x100);
								__eflags = _t141;
								if(_t141 == 0) {
									goto L61;
								}
							}
							goto L54;
						}
						_t187 =  *(_t196 - 0x30);
						__eflags = _t195 - 0xc000007b;
						if(_t195 != 0xc000007b) {
							_t193 = 0xc000008a;
							 *(_t196 - 0x2c) = 0xc000008a;
						}
						goto L21;
					}
					_t143 = E0106D1D0(_t102, 0, 0, 8);
					 *(_t196 - 0x30) = _t143;
					if(_t143 != 0xffffffff) {
						__eflags = _t143;
						if(_t143 == 0) {
							_t102 =  *(_t196 - 0x34);
							goto L17;
						}
						_t193 = 0;
						 *(_t196 - 0x2c) = 0;
						_t173 =  *(_t196 - 0x3c);
						__eflags = _t173;
						if(_t173 != 0) {
							 *_t173 = _t143;
						}
					} else {
						_t193 = 0xc000008a;
						L7:
						 *(_t196 - 0x2c) = _t193;
					}
					goto L8;
				}
			}

0x010662a0
0x010662a2
0x010662a7
0x010662af
0x010662b5
0x010662b8
0x010662bf
0x010662c8
0x010662ce
0x010662d1
0x010662d6
0x010662d7
0x010662dd
0x010662de
0x010662e2
0x010662eb
0x010662ec
0x010662f0
0x010662f4
0x010662fe
0x01066308
0x01066310
0x0106631d
0x010b903d
0x01066323
0x01066323
0x01066323
0x0106632b
0x010b9047
0x010b904c
0x010b904e
0x010b9060
0x010b9050
0x010b9059
0x010b9059
0x010b906b
0x010b906b
0x01066331
0x01066336
0x010b9075
0x00000000
0x0106633c
0x0106633f
0x01066399
0x01066399
0x0106639c
0x0106658b
0x0106658d
0x00000000
0x00000000
0x01066593
0x01066594
0x0106659a
0x0106659b
0x010665a1
0x010665a3
0x00000000
0x00000000
0x0106637a
0x0106637f
0x0106637f
0x010663a2
0x010663c4
0x010663c6
0x010663c9
0x010663cb
0x0106640d
0x01066410
0x01066412
0x01066415
0x01066571
0x01066571
0x01066578
0x0106657b
0x0106657d
0x0106657f
0x0106657f
0x01066581
0x01066583
0x010663e6
0x010663e6
0x010663ea
0x010663f0
0x010663f2
0x010663f4
0x010663f4
0x010663f4
0x010663f7
0x010663f8
0x010663f9
0x010663fb
0x010663fc
0x010663fd
0x01066403
0x01066403
0x0106635d
0x01066364
0x010b90db
0x010b90e0
0x0106636a
0x0106636a
0x0106636a
0x01066372
0x010b90e8
0x010b90ed
0x010b90ef
0x010b9104
0x010b90f1
0x010b90fa
0x010b90ff
0x010b90ff
0x010b910f
0x010b910f
0x00000000
0x01066378
0x0106641b
0x0106642a
0x0106642c
0x010b907f
0x010b9084
0x010665ae
0x010665ae
0x010663e0
0x010663e0
0x010663e2
0x010663e4
0x010663e4
0x00000000
0x010663e2
0x01066432
0x01066437
0x0106643a
0x01066440
0x01066442
0x01066444
0x00000000
0x00000000
0x0106644a
0x0106644c
0x00000000
0x00000000
0x01066452
0x01066458
0x0106645a
0x0106645c
0x00000000
0x00000000
0x01066462
0x01066464
0x00000000
0x00000000
0x0106646a
0x01066470
0x01066472
0x01066474
0x00000000
0x00000000
0x0106647a
0x0106647c
0x00000000
0x00000000
0x01066482
0x01066488
0x0106648a
0x0106648c
0x00000000
0x00000000
0x01066492
0x01066494
0x00000000
0x00000000
0x0106649a
0x010664a0
0x010664a2
0x010664a4
0x00000000
0x00000000
0x010664aa
0x010664ac
0x00000000
0x00000000
0x010664b2
0x010664b8
0x010664ba
0x010664bc
0x00000000
0x00000000
0x010664c2
0x010664c4
0x00000000
0x00000000
0x010664ca
0x010664d0
0x010664d2
0x010664d4
0x00000000
0x00000000
0x010664da
0x010664dc
0x00000000
0x00000000
0x010664e2
0x010664eb
0x010664ed
0x010664ef
0x00000000
0x00000000
0x010664f5
0x010664f7
0x00000000
0x00000000
0x010664fd
0x01066503
0x00000000
0x00000000
0x01066509
0x0106650c
0x00000000
0x00000000
0x01066512
0x01066519
0x00000000
0x00000000
0x0106651f
0x01066522
0x01066524
0x010b908e
0x010b908f
0x010b9094
0x010b9096
0x00000000
0x00000000
0x010b909c
0x01066532
0x01066533
0x01066538
0x0106653a
0x00000000
0x00000000
0x01066544
0x01066545
0x0106654a
0x0106654c
0x00000000
0x00000000
0x0106654e
0x01066552
0x0106656e
0x0106656e
0x00000000
0x0106656e
0x01066556
0x0106655a
0x0106655f
0x01066561
0x00000000
0x00000000
0x01066563
0x01066566
0x01066568
0x010b90a6
0x010b90ab
0x010b90ad
0x00000000
0x00000000
0x010b90b3
0x00000000
0x01066568
0x010663cd
0x010663d0
0x010663d6
0x010663d8
0x010663dd
0x010663dd
0x00000000
0x010663d6
0x01066348
0x0106634d
0x01066353
0x01066382
0x01066384
0x01066396
0x00000000
0x01066396
0x01066386
0x01066388
0x0106638b
0x0106638e
0x01066390
0x01066392
0x01066392
0x01066355
0x01066355
0x0106635a
0x0106635a
0x0106635a
0x00000000
0x01066353

Strings

LdrResGetRCConfig Enter, xrefs: 010662E2
LdrResGetRCConfig Exit, xrefs: 010662F4
MUI, xrefs: 010662B8, 010663B7

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: ddf17d0072ddac3242569a0a91b56f3fd9f731c633e0ee8583cb648be460dd83
Instruction ID: 4785e9b3823572d733c570909f4df7cbd050e2450ea8473f339c9ff7780c36de
Opcode Fuzzy Hash: ddf17d0072ddac3242569a0a91b56f3fd9f731c633e0ee8583cb648be460dd83
Instruction Fuzzy Hash: 39B1D171A006569FDF15CFA9C881BECBBB9BF44314F148169E991EB394D732E860CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01058239 Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E01058239(signed int* __ecx, char* __edx, signed int _a4) {
				signed int _v12;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				signed int _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				short _v578;
				char _v580;
				signed int _v584;
				intOrPtr _v586;
				char _v588;
				char* _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				char* _v604;
				signed int* _v608;
				intOrPtr _v612;
				short _v614;
				char _v616;
				signed int _v620;
				signed int _v624;
				intOrPtr _v628;
				char* _v632;
				signed int _v636;
				char _v640;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t94;
				char* _t99;
				intOrPtr _t118;
				intOrPtr _t122;
				intOrPtr _t125;
				short _t126;
				signed int* _t137;
				intOrPtr _t138;
				intOrPtr _t143;
				intOrPtr _t145;
				intOrPtr _t148;
				signed int _t150;
				signed int _t151;
				void* _t152;
				signed int _t154;

				_t149 = __edx;
				_v12 =  *0x114d360 ^ _t154;
				_v564 = _v564 & 0x00000000;
				_t151 = _a4;
				_t137 = __ecx;
				_v604 = __edx;
				_v608 = __ecx;
				_t150 = 0;
				_v568 = 0x220;
				_v592 =  &_v560;
				if(E01066D30( &_v580, L"UseFilter") < 0) {
					L4:
					return E0109B640(_t89, _t137, _v12 ^ _t154, _t149, _t150, _t151);
				}
				_push( &_v572);
				_push(0x220);
				_push( &_v560);
				_push(2);
				_push( &_v580);
				_push( *_t137);
				_t89 = E01099650();
				if(_t89 >= 0) {
					if(_v556 != 4 || _v552 != 4 || _v548 == 0) {
						L3:
						_t89 = 0;
					} else {
						_t94 =  *_t151;
						_t151 =  *(_t151 + 4);
						_v588 = _t94;
						_v584 = _t151;
						if(E01066D30( &_v580, L"\\??\\") < 0) {
							goto L4;
						}
						if(E0106AA20( &_v560,  &_v580,  &_v588, 1) != 0) {
							_v588 = _v588 + 0xfff8;
							_v586 = _v586 + 0xfff8;
							_v584 = _t151 + 8;
						}
						_t99 =  &_v560;
						_t143 = 0;
						_v596 = _t99;
						_v600 = 0;
						do {
							_t149 =  &_v572;
							_push( &_v572);
							_push(_v568);
							_push(_t99);
							_push(0);
							_push(_t143);
							_push( *_t137);
							_t151 = E01099820();
							if(_t151 < 0) {
								goto L37;
							}
							_t145 = _v596;
							_v580 =  *((intOrPtr*)(_t145 + 0xc));
							_v624 = _v624 & 0x00000000;
							_v620 = _v620 & 0x00000000;
							_v578 =  *((intOrPtr*)(_t145 + 0xc));
							_v576 = _t145 + 0x10;
							_v636 =  *_t137;
							_v632 =  &_v580;
							_push( &_v640);
							_push(_v604);
							_v640 = 0x18;
							_push( &_v564);
							_v628 = 0x240;
							_t151 = E01099600();
							if(_t151 < 0) {
								goto L37;
							}
							_t151 = E01066D30( &_v580, L"FilterFullPath");
							if(_t151 < 0) {
								L36:
								_push(_v564);
								E010995D0();
								goto L37;
							}
							_t138 = _v592;
							_t118 = _v568;
							do {
								_push( &_v572);
								_push(_t118);
								_push(_t138);
								_push(2);
								_push( &_v580);
								_push(_v564);
								_t152 = E01099650();
								if(_t152 == 0x80000005 || _t152 == 0xc0000023) {
									if(_t150 != 0) {
										L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t150);
									}
									_t147 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
									if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
										_t122 =  *0x1147b9c; // 0x0
										_t150 = E01074620(_t147, _t147, _t122 + 0x180000, _v572);
										if(_t150 == 0) {
											goto L25;
										}
										_t118 = _v572;
										_t138 = _t150;
										_v596 = _t150;
										_v568 = _t118;
										goto L27;
									} else {
										_t150 = 0;
										L25:
										_t151 = 0xc0000017;
										goto L26;
									}
								} else {
									L26:
									_t118 = _v568;
								}
								L27:
							} while (_t151 == 0x80000005 || _t151 == 0xc0000023);
							_v592 = _t138;
							_t137 = _v608;
							if(_t151 >= 0) {
								_t148 = _v592;
								if( *((intOrPtr*)(_t148 + 4)) != 1) {
									goto L36;
								}
								_t125 =  *((intOrPtr*)(_t148 + 8));
								if(_t125 > 0xfffe) {
									goto L36;
								}
								_t126 = _t125 + 0xfffffffe;
								_v616 = _t126;
								_v614 = _t126;
								_v612 = _t148 + 0xc;
								if(E01069660( &_v588,  &_v616, 1) == 0) {
									break;
								}
								goto L36;
							}
							_push(_v564);
							E010995D0();
							_t65 = _t151 + 0x3fffffcc; // 0x3fffffcc
							asm("sbb eax, eax");
							_t151 = _t151 &  ~_t65;
							L37:
							_t99 = _v596;
							_t143 = _v600 + 1;
							_v600 = _t143;
						} while (_t151 >= 0);
						if(_t150 != 0) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t150);
						}
						if(_t151 >= 0) {
							_push( *_t137);
							E010995D0();
							 *_t137 = _v564;
						}
						_t85 = _t151 + 0x7fffffe6; // 0x7fffffe6
						asm("sbb eax, eax");
						_t89 =  ~_t85 & _t151;
					}
					goto L4;
				}
				if(_t89 != 0xc0000034) {
					if(_t89 == 0xc0000023) {
						goto L3;
					}
					if(_t89 != 0x80000005) {
						goto L4;
					}
				}
				goto L3;
			}

0x01058239
0x0105824b
0x0105824e
0x0105825d
0x01058260
0x0105826e
0x01058275
0x0105827b
0x0105827d
0x01058287
0x01058294
0x010582ce
0x010582de
0x010582de
0x0105829c
0x0105829d
0x010582a8
0x010582a9
0x010582b1
0x010582b2
0x010582b4
0x010582bb
0x010b2dfa
0x010582cc
0x010582cc
0x010b2e19
0x010b2e19
0x010b2e1b
0x010b2e1e
0x010b2e30
0x010b2e3d
0x00000000
0x00000000
0x010b2e5a
0x010b2e61
0x010b2e68
0x010b2e72
0x010b2e72
0x010b2e78
0x010b2e7e
0x010b2e80
0x010b2e86
0x010b2e8c
0x010b2e8c
0x010b2e92
0x010b2e93
0x010b2e99
0x010b2e9a
0x010b2e9c
0x010b2e9d
0x010b2ea4
0x010b2ea8
0x00000000
0x00000000
0x010b2eae
0x010b2eb8
0x010b2ec3
0x010b2eca
0x010b2ed1
0x010b2edb
0x010b2ee3
0x010b2eef
0x010b2efb
0x010b2efc
0x010b2f08
0x010b2f12
0x010b2f13
0x010b2f22
0x010b2f26
0x00000000
0x00000000
0x010b2f3d
0x010b2f41
0x010b3069
0x010b3069
0x010b306f
0x00000000
0x010b306f
0x010b2f47
0x010b2f4d
0x010b2f53
0x010b2f59
0x010b2f5a
0x010b2f5b
0x010b2f5c
0x010b2f64
0x010b2f65
0x010b2f70
0x010b2f78
0x010b2f84
0x010b2f92
0x010b2f92
0x010b2f9d
0x010b2fa2
0x010b2fed
0x010b3004
0x010b3008
0x00000000
0x00000000
0x010b300a
0x010b3010
0x010b3012
0x010b3018
0x00000000
0x010b2fa4
0x010b2fa4
0x010b2fa6
0x010b2fa6
0x00000000
0x010b2fa6
0x010b2fab
0x010b2fab
0x010b2fab
0x010b2fab
0x010b2fb1
0x010b2fb1
0x010b2fc1
0x010b2fc7
0x010b2fcf
0x010b3020
0x010b302a
0x00000000
0x00000000
0x010b302c
0x010b3034
0x00000000
0x00000000
0x010b3036
0x010b3039
0x010b3040
0x010b304a
0x010b3067
0x00000000
0x00000000
0x00000000
0x010b3067
0x010b2fd1
0x010b2fd7
0x010b2fdc
0x010b2fe4
0x010b2fe6
0x010b3074
0x010b307a
0x010b3080
0x010b3081
0x010b3087
0x010b3091
0x010b309f
0x010b309f
0x010b30a6
0x010b30a8
0x010b30aa
0x010b30b5
0x010b30b5
0x010b30b7
0x010b30bf
0x010b30c1
0x010b30c1
0x00000000
0x010b2dfa
0x010582c6
0x010b2ddd
0x00000000
0x00000000
0x010b2de8
0x00000000
0x00000000
0x010b2dee
0x00000000

Strings

FilterFullPath, xrefs: 010B2F2C
\??\, xrefs: 010B2E2A
UseFilter, xrefs: 01058263

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 5b5e05ed15f0085db01b4c36431c6bdf43b06d60881b7e8096a23a9af71b4c32
Instruction ID: 8a68eeafaeadb03f9183c4aa61236508d14c589573a2ac47615a007b65d48f27
Opcode Fuzzy Hash: 5b5e05ed15f0085db01b4c36431c6bdf43b06d60881b7e8096a23a9af71b4c32
Instruction Fuzzy Hash: 9AA14B719116299BDB71DF68CC88BEEB7B8EF44710F1041EAE948A7250D735AE84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011023E3 Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E011023E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x114874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x114874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E010AD4F0(_t83, 0x1036c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0105B150();
					} else {
						E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E0105B150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1146378 = 1;
						asm("int3");
						 *0x1146378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x011023e3
0x011023e8
0x011023eb
0x011023ee
0x011023f3
0x0110259b
0x0110259b
0x0110259d
0x011025a3
0x011025a3
0x011023fb
0x01102424
0x0110244f
0x01102460
0x01102451
0x01102451
0x01102456
0x01102458
0x01102458
0x0110245b
0x0110245b
0x01102426
0x01102431
0x01102436
0x01102443
0x01102438
0x01102438
0x01102438
0x01102445
0x01102445
0x01102463
0x01102469
0x0110246f
0x01102480
0x01102495
0x011024a1
0x011024ce
0x011024df
0x011024d0
0x011024d0
0x011024d5
0x011024d7
0x011024d7
0x011024da
0x011024da
0x011024a3
0x011024b0
0x011024b5
0x011024c2
0x011024b7
0x011024b7
0x011024b7
0x011024c4
0x011024c4
0x011024e8
0x01102497
0x0110249a
0x0110249a
0x01102482
0x01102488
0x01102488
0x01102471
0x01102479
0x01102479
0x011024ef
0x011023fd
0x01102401
0x01102412
0x01102403
0x01102403
0x01102408
0x0110240a
0x0110240a
0x0110240d
0x0110240d
0x0110241b
0x0110241b
0x011024f1
0x011024f6
0x01102507
0x01102510
0x00000000
0x01102510
0x0110250b
0x00000000
0x011024f8
0x011024f8
0x011024fc
0x01102500
0x01102512
0x01102515
0x0110251a
0x01102521
0x01102524
0x01102529
0x0110252f
0x00000000
0x00000000
0x0110253c
0x0110255c
0x01102561
0x0110253e
0x01102554
0x01102559
0x0110256a
0x0110256d
0x01102574
0x01102586
0x01102588
0x0110258f
0x01102590
0x01102590
0x01102597
0x00000000
0x01102597

Strings

HEAP[%wZ]: , xrefs: 0110254F
HEAP: , xrefs: 0110255C
Heap block at %p modified at %p past requested size of %Ix, xrefs: 0110256F

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: b665d0174565019fc14f0426863334d306db71d149fee8fd3f1a15b22a1ed542
Instruction ID: 8dabf1b496ff8cc2d6659379bb9eccfa7645d7ddc1d2567718b83b5cd564c407
Opcode Fuzzy Hash: b665d0174565019fc14f0426863334d306db71d149fee8fd3f1a15b22a1ed542
Instruction Fuzzy Hash: 5C512734A002508AE77ECE2EC85C7B27BF1DB48644F564859E8C2CB2C1D3B6D846DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0107EB9A Relevance: 3.9, Strings: 3, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E0107EB9A(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				signed int _t63;
				intOrPtr _t64;
				signed int _t65;
				intOrPtr _t77;
				signed int* _t91;
				intOrPtr _t92;
				signed int _t95;
				signed char _t109;
				signed int _t114;
				unsigned int _t119;
				intOrPtr* _t122;
				intOrPtr _t127;
				signed int _t130;
				void* _t135;

				_t92 = __ecx;
				_t122 = __edx;
				_v8 = __ecx;
				 *((intOrPtr*)(__ecx + 0xb4)) = __edx;
				if( *__edx != 0) {
					_t95 =  *((intOrPtr*)(__edx + 4)) -  *((intOrPtr*)(__edx + 0x14)) - 1;
					__eflags =  *(__edx + 8);
					if(__eflags != 0) {
						_t95 = _t95 + _t95;
					}
					 *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) =  *( *((intOrPtr*)(_t122 + 0x20)) + _t95 * 4) & 0x00000000;
					asm("btr eax, esi");
					_t92 = _v8;
				}
				_t62 = _t92 + 0xc0;
				_t127 =  *((intOrPtr*)(_t62 + 4));
				while(1) {
					L2:
					_v12 = _t127;
					if(_t62 == _t127) {
						break;
					}
					_t7 = _t127 - 8; // -8
					_t91 = _t7;
					if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
						_t119 =  *(_t92 + 0x50) ^  *_t91;
						 *_t91 = _t119;
						_t109 = _t119 >> 0x00000010 ^ _t119 >> 0x00000008 ^ _t119;
						if(_t119 >> 0x18 != _t109) {
							_push(_t109);
							E0110FA2B(_t91, _v8, _t91, _t122, _t127, __eflags);
						}
						_t92 = _v8;
					}
					_t114 =  *_t91 & 0x0000ffff;
					_t63 = _t122;
					_t135 = _t114 -  *((intOrPtr*)(_t122 + 4));
					while(1) {
						_v20 = _t63;
						if(_t135 < 0) {
							break;
						}
						_t130 =  *_t63;
						_v16 = _t130;
						_t127 = _v12;
						if(_t130 != 0) {
							_t63 = _v16;
							__eflags = _t114 -  *((intOrPtr*)(_t63 + 4));
							continue;
						}
						_v16 =  *((intOrPtr*)(_t63 + 4)) - 1;
						L10:
						if( *_t122 != 0) {
							_t64 =  *((intOrPtr*)(_t122 + 4));
							__eflags = _t114 - _t64;
							_t65 = _t64 - 1;
							__eflags = _t65;
							if(_t65 < 0) {
								_t65 = _t114;
							}
							E0107BC04(_t92, _t122, 1, _t127, _t65, _t114);
						}
						E0107E4A0(_v8, _v20, 1, _t127, _v16,  *_t91 & 0x0000ffff);
						if( *0x1148748 >= 1) {
							__eflags =  *( *((intOrPtr*)(_v20 + 0x1c)) + (_v16 -  *((intOrPtr*)(_v20 + 0x14)) >> 5) * 4) & 1 << (_v16 -  *((intOrPtr*)(_v20 + 0x14)) & 0x0000001f);
							if(__eflags == 0) {
								_t77 =  *[fs:0x30];
								__eflags =  *(_t77 + 0xc);
								if( *(_t77 + 0xc) == 0) {
									_push("HEAP: ");
									E0105B150();
								} else {
									E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))");
								E0105B150();
								__eflags =  *0x1147bc8;
								if(__eflags == 0) {
									__eflags = 1;
									E01112073(_t91, 1, _t122, 1);
								}
							}
							_t127 = _v12;
						}
						_t92 = _v8;
						if( *((intOrPtr*)(_t92 + 0x4c)) != 0) {
							_t91[0] = _t91[0] ^ _t91[0] ^  *_t91;
							 *_t91 =  *_t91 ^  *(_t92 + 0x50);
						}
						_t127 =  *((intOrPtr*)(_t127 + 4));
						_t62 = _t92 + 0xc0;
						goto L2;
					}
					_v16 = _t114;
					goto L10;
				}
				return _t62;
			}

0x0107eb9a
0x0107eba5
0x0107eba7
0x0107ebaa
0x0107ebb3
0x0107eca0
0x0107eca1
0x0107eca5
0x0107ecd1
0x0107ecd1
0x0107ecaa
0x0107ecc3
0x0107ecc9
0x0107ecc9
0x0107ebb9
0x0107ebbf
0x0107ebc2
0x0107ebc2
0x0107ebc2
0x0107ebc7
0x00000000
0x00000000
0x0107ebd1
0x0107ebd1
0x0107ebd4
0x0107ebd9
0x0107ebdd
0x0107ebe9
0x0107ebf0
0x010c4258
0x010c425e
0x010c425e
0x0107ebf6
0x0107ebf6
0x0107ebf9
0x0107ebfc
0x0107ebfe
0x0107ec01
0x0107ec01
0x0107ec04
0x00000000
0x00000000
0x0107ec0a
0x0107ec0e
0x0107ec11
0x0107ec14
0x0107ec8f
0x0107ec92
0x00000000
0x0107ec92
0x0107ec1a
0x0107ec1d
0x0107ec20
0x0107ec72
0x0107ec75
0x0107ec77
0x0107ec77
0x0107ec78
0x0107ec7a
0x0107ec7a
0x0107ec83
0x0107ec83
0x0107ec32
0x0107ec3e
0x010c4281
0x010c4284
0x010c4286
0x010c428c
0x010c4290
0x010c42af
0x010c42b4
0x010c4292
0x010c42a7
0x010c42ac
0x010c42ba
0x010c42bf
0x010c42c4
0x010c42cc
0x010c42d0
0x010c42d1
0x010c42d1
0x010c42cc
0x010c42d6
0x010c42d6
0x0107ec44
0x0107ec4b
0x0107ec55
0x0107ec5b
0x0107ec5b
0x0107ec5d
0x0107ec60
0x00000000
0x0107ec60
0x0107ec8a
0x00000000
0x0107ec8a
0x0107ec71

Strings

HEAP[%wZ]: , xrefs: 010C42A2
HEAP: , xrefs: 010C42AF
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 010C42BA

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: a69d74545b019edd0a643b9ec7d6caa85c59d940541aecbc15d1da221e28fa82
Instruction ID: d1ddb679e3e0f8e9ea179bd88a96bca4609c2e97e48570f7435e141616e5ce3c
Opcode Fuzzy Hash: a69d74545b019edd0a643b9ec7d6caa85c59d940541aecbc15d1da221e28fa82
Instruction Fuzzy Hash: 6951DE35A01519EFDB58DF68C894AAEBBF2FF84310F1581E8D8859B342D731A942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01095DBF Relevance: 3.9, Strings: 3, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E01095DBF(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v24;
				signed int _v36;
				char _v548;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E010693A0();
				if(_t25 != 0) {
					E01072280(_t25, 0x11479e4);
					_t75 =  *( *0x114b224);
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E01057470( *0x114b21c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E0106FFB0(0x11479e4, _t72, 0x11479e4);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v24 =  *0x114d360 ^ _t87;
							_t76 = _t65;
							 *0x114b1e0( &_v548, 0x104, _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x1148484;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L24:
									_push( &_v556);
									_push( &_v564);
									E010E34A0(0x11479e4, _t72, _t76, __eflags);
									goto L14;
								} else {
									_t76 = ( *0x1148480 & 0x0000ffff) + 2 + _t67;
									_t42 = E01074620(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E01067B60(_t67,  &_v572, 0x1148480);
										E01067B60(_t67,  &_v580,  &_v572);
										E0106A990(_t67,  &_v588, 0x1034e90);
										L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x1148484);
										 *0x1148480 = _v608;
										_t54 = _v604;
										 *0x1148484 = _t54;
										 *0x114847c = _t54;
										E010E3DE3(_t67, __eflags);
										goto L24;
									} else {
										_t56 =  *0x1145780; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xc80);
											_push("minkernel\\ntdll\\ldrinit.c");
											E010D5510();
											_t56 =  *0x1145780; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L14:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return E0109B640(_t39, 0x11479e4, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							 *( *0x114b224) = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E01057470( *0x114b21c, 1);
								}
							}
							_t25 = E0106FFB0(0x11479e4, _t72, 0x11479e4);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x01095dbf
0x01095dc1
0x01095dc3
0x01095dc4
0x01095dc6
0x01095dcd
0x01095dd9
0x01095de3
0x01095de5
0x01095de7
0x01095e23
0x01095e25
0x00000000
0x01095e27
0x01095e27
0x00000000
0x01095e27
0x01095de9
0x01095de9
0x01095deb
0x01095df4
0x01095df4
0x01095df9
0x01095dfc
0x01095e2a
0x01095e2b
0x01095e32
0x01095e33
0x01095e3d
0x01095e4a
0x01095e5b
0x01095e5e
0x01095e68
0x01095e68
0x01095e6a
0x010d0041
0x010d004c
0x010d0055
0x010d005a
0x010d005f
0x010d0130
0x010d0134
0x010d0139
0x010d013a
0x00000000
0x010d0065
0x010d0075
0x010d007d
0x010d0082
0x010d0086
0x010d0088
0x010d00c5
0x010d00c7
0x010d00cc
0x010d00db
0x010d00ea
0x010d00f9
0x010d010f
0x010d0118
0x010d011d
0x010d0121
0x010d0126
0x010d012b
0x00000000
0x010d008a
0x010d008a
0x010d008f
0x010d0091
0x010d0093
0x010d0098
0x010d009a
0x010d009f
0x010d00a4
0x010d00a9
0x010d00ae
0x010d00b3
0x010d00b3
0x010d00b6
0x010d00b8
0x010d00ba
0x010d00ba
0x010d00bb
0x010d00bb
0x010d0088
0x01095e70
0x01095e70
0x01095e70
0x01095e70
0x01095e70
0x01095e79
0x01095e7a
0x01095e84
0x01095dfe
0x01095dfe
0x01095dfe
0x01095dff
0x01095e04
0x01095e06
0x01095e08
0x01095e0a
0x01095e0c
0x01095e16
0x01095e16
0x01095e0c
0x01095e1c
0x00000000
0x01095e1c
0x01095dfc
0x01095dcf
0x01095dcf
0x01095dd2
0x01095dd2

Strings

Failed to reallocate the system dirs string !, xrefs: 010D0093
LdrpInitializePerUserWindowsDirectory, xrefs: 010D009A
minkernel\ntdll\ldrinit.c, xrefs: 010D00A4

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: d545196f305f3bd22af27b0934d9654f60fdd3bd30f7c4d18f624d9c1da3084f
Instruction ID: 7e9254a9cd87de20b20138a6541d3e5a2212ba2a782f63f99df7b08959fa4143
Opcode Fuzzy Hash: d545196f305f3bd22af27b0934d9654f60fdd3bd30f7c4d18f624d9c1da3084f
Instruction Fuzzy Hash: 1141F179514301ABC766EB69DC04F9B7BE8EF44B10F04442AF9E897290EB70D800CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0107B8E4 Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0107B8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0x1148748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E0105B150();
						} else {
							E0105B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E0105B150();
						__eflags =  *0x1147bc8;
						if(__eflags == 0) {
							E01112073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E0107AB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x0107b8f0
0x0107b8f2
0x0107b8f4
0x010c2c4e
0x010c2c50
0x010c2c56
0x010c2c5c
0x010c2c60
0x010c2c7f
0x010c2c84
0x010c2c62
0x010c2c77
0x010c2c7c
0x010c2c8a
0x010c2c8f
0x010c2c94
0x010c2c9c
0x010c2ca5
0x010c2ca5
0x010c2c9c
0x010c2c50
0x0107b8fa
0x0107b902
0x0107b921
0x0107b921
0x0107b924
0x0107b924
0x0107b927
0x00000000
0x00000000
0x0107b929
0x0107b92b
0x0107b92d
0x0107b940
0x00000000
0x0107b940
0x0107b932
0x0107b932
0x00000000
0x0107b932
0x00000000
0x0107b904
0x0107b904
0x0107b90a
0x0107b90c
0x0107b916
0x0107b919
0x0107b915
0x0107b915
0x0107b91b
0x0107b91b
0x00000000
0x0107b910

Strings

HEAP[%wZ]: , xrefs: 010C2C72
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 010C2C8A
HEAP: , xrefs: 010C2C7F

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 0cb6cbfde8ff7c35ade168788296ff6919fe4dda217a8ce6559460c29e392ba4
Instruction ID: a2a54b482aa528557027aeed83532b5228b223e5f184659c2811688f5a1a6f8d
Opcode Fuzzy Hash: 0cb6cbfde8ff7c35ade168788296ff6919fe4dda217a8ce6559460c29e392ba4
Instruction Fuzzy Hash: A711E631B045069FD7A9D729C494B7AB7A5EF80A20F14816DE4D6CF281D730E881CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0106BA00 Relevance: 3.1, Strings: 2, Instructions: 614
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0106BA00(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24) {
				void* _v4;
				char _v88;
				char _v792;
				char _v1496;
				char _v1672;
				char _v2376;
				int _v2380;
				char _v2381;
				char _v2382;
				void* _v2388;
				short _v2390;
				char _v2392;
				intOrPtr _v2396;
				int _v2400;
				char _v2408;
				int _v2412;
				int _v2416;
				void* _v2420;
				char _v2424;
				signed int _v2428;
				signed int _v2432;
				char* _v2436;
				short _v2438;
				char _v2440;
				signed int _v2444;
				char _v2448;
				signed int _v2452;
				short _v2454;
				char _v2456;
				int _v2460;
				int _v2464;
				int _v2468;
				char _v2472;
				int _v2476;
				int _v2480;
				signed int _v2484;
				void* _v2488;
				intOrPtr _v2496;
				signed int _v2500;
				int _v2508;
				char _v2512;
				char* _v2516;
				char _v2520;
				char _v2528;
				char _v2556;
				char _v2560;
				char _v2564;
				intOrPtr _t254;
				void* _t257;
				signed int _t258;
				int _t264;
				signed int _t267;
				signed int _t270;
				signed int _t273;
				signed int _t277;
				signed char* _t280;
				signed int _t281;
				signed char* _t282;
				signed int _t291;
				signed int _t294;
				signed char* _t295;
				signed int _t296;
				signed char* _t297;
				signed int _t300;
				signed int _t309;
				signed int _t311;
				signed int _t317;
				int _t334;
				signed int _t337;
				intOrPtr* _t338;
				signed int _t339;
				signed int _t364;
				int _t374;
				signed int _t376;
				signed int _t378;
				signed int _t391;
				void* _t401;
				signed int _t403;
				intOrPtr _t406;
				signed int _t411;
				signed int _t416;
				signed int _t422;
				intOrPtr* _t430;
				signed int _t431;
				intOrPtr* _t438;
				signed int _t442;
				short _t454;
				void* _t458;
				void* _t464;
				void* _t467;
				signed int _t468;
				signed char* _t472;
				int _t477;
				signed int _t478;
				void* _t486;

				_push(0x9f4);
				_push(0x112fa40);
				E010AD0E8(__ebx, __edi, __esi);
				_v2396 = _a8;
				_v2444 = _a12 & 0x0000ffff;
				_v2428 = _a16;
				_v2484 = _a20;
				_v2448 = 0;
				_v2480 = 0;
				_t477 = 0;
				_v2420 = 0;
				_v2412 = 0;
				_v2468 = 0;
				_v2408 = 0;
				_v2488 = 0;
				_v2382 = 0;
				_v2564 = 0x24;
				_v2560 = 1;
				_t403 = 7;
				_t467 =  &_v2556;
				memset(_t467, 0, _t403 << 2);
				_t468 = _t467 + _t403;
				_v2424 = 0;
				_v2464 = 0;
				_v2460 = 0;
				_v2381 = 1;
				_v2476 = 0;
				_v2432 =  &_v2376;
				_v2472 = 0x2be;
				_v2496 = 1;
				_v2416 = 1;
				_t254 = _v2396;
				if(_t254 == 0) {
					L99:
					goto L8;
				} else {
					_t405 = _v2444;
					if(_v2444 == 0) {
						goto L99;
					} else {
						_t468 = _v2428;
						if(_t468 == 0) {
							goto L99;
						} else {
							_t406 = _t254;
							_t257 = E0106D1D0(_t406, _t405,  &_v2408, 4);
							if(_t257 == 0xffffffff) {
								_t468 = _a24 & 0x00400000;
								__eflags = _t468;
								if(_t468 != 0) {
									goto L10;
								} else {
									 *_v2428 = 0;
									goto L8;
								}
							} else {
								if(_t257 == 0) {
									_t468 = _a24 & 0x00400000;
									__eflags = _t468;
									L10:
									_v2500 = _t468;
									_v2400 = 0;
									__eflags = _t468;
									if(_t468 != 0) {
										_t258 = 0xc0000039;
									} else {
										_t406 = _v2396;
										_t258 = E01088ED7(_t406,  &_v792, _t406,  &_v2480,  &_v2420,  &_v2412,  &_v2476);
										_t477 = _v2420;
									}
									__eflags = _t258;
									if(_t258 < 0) {
										_t406 = _v2396;
										_t478 = E010E6365(_t406,  &_v792, 0x2be,  &_v2480,  &_v2460,  &_v2412,  &_v2424);
										_v2380 = _t478;
										__eflags = _t478;
										if(_t478 < 0) {
											goto L30;
										} else {
											_t477 = _v2460;
											_v2420 = _t477;
											goto L13;
										}
									} else {
										L13:
										_t291 = _v2480 & 0xfffffffe;
										__eflags = _t291 - 0x2be;
										if(_t291 >= 0x2be) {
											E0109B75A();
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t486);
											_push(_t406);
											_push(0);
											_push(_t477);
											_push(_t468);
											_t294 =  *( *[fs:0x30] + 0x50);
											_t472 = 0x7ffe0385;
											__eflags = _t294;
											if(_t294 != 0) {
												__eflags =  *_t294;
												if( *_t294 == 0) {
													goto L63;
												} else {
													_t295 =  *( *[fs:0x30] + 0x50) + 0x22b;
												}
											} else {
												L63:
												_t295 = _t472;
											}
											__eflags =  *_t295 & 0x00000001;
											_t481 = 0x7ffe0384;
											if(( *_t295 & 0x00000001) != 0) {
												_t296 = E01077D50();
												__eflags = _t296;
												if(_t296 == 0) {
													_t297 = 0x7ffe0384;
												} else {
													_t297 =  *( *[fs:0x30] + 0x50) + 0x22a;
												}
												E010E6715(0x1031b58,  *_t297 & 0x000000ff);
											}
											_t401 = E0106C1C0(_a4, _a8, _a12, 0, _a16);
											_t416 =  *( *[fs:0x30] + 0x50);
											__eflags = _t416;
											if(_t416 != 0) {
												__eflags =  *_t416;
												if( *_t416 != 0) {
													_t472 =  *( *[fs:0x30] + 0x50) + 0x22b;
												}
											}
											__eflags =  *_t472 & 0x00000001;
											if(( *_t472 & 0x00000001) != 0) {
												_t300 = E01077D50();
												__eflags = _t300;
												if(_t300 != 0) {
													_t481 =  *( *[fs:0x30] + 0x50) + 0x22a;
													__eflags =  *( *[fs:0x30] + 0x50) + 0x22a;
												}
												E010E6715(0x1031b48,  *_t481 & 0x000000ff);
											}
											return _t401;
										} else {
											 *((short*)(_t486 + _t291 - 0x318)) = 0;
											_t309 = L010A13D0(_t477, 0x7e);
											__eflags = _t309;
											if(_t309 != 0) {
												_t311 = E010E5F5F( &_v792, _t477,  &_v2464);
												__eflags = _t311;
												if(_t311 < 0) {
													goto L15;
												} else {
													_t477 = _v2464;
													_v2420 = _t477;
													_t438 = _t477;
													_t464 = _t438 + 2;
													do {
														_t391 =  *_t438;
														_t438 = _t438 + 2;
														__eflags = _t391;
													} while (_t391 != 0);
													_t422 = (_t438 - _t464 >> 1) + (_t438 - _t464 >> 1);
													_v2412 = _t422;
													goto L16;
												}
												L33:
												__eflags = _t264;
												if(_t264 != 0) {
													_push(_v2408);
													_push(_t478);
													asm("sbb edi, edi");
													_t468 = ( ~_t468 & 0x00000020) + 1;
													__eflags = _t468;
													_push(_t468);
													_push(_v2444);
													_push(0);
													_push( &_v2448);
													E0108DA88(0, _v2396,  &_v2400, _t468, _t478, _t468);
												}
												__eflags = _v2400 - 0xffffffff;
												if(_v2400 == 0xffffffff) {
													 *_v2428 = 0;
												} else {
													_t277 = E01077D50();
													__eflags = _t277;
													if(_t277 != 0) {
														_t280 =  *( *[fs:0x30] + 0x50) + 0x22b;
													} else {
														_t280 = 0x7ffe0385;
													}
													__eflags =  *_t280 & 0x00000001;
													if(( *_t280 & 0x00000001) != 0) {
														_t281 = E01077D50();
														__eflags = _t281;
														if(_t281 == 0) {
															_t282 = 0x7ffe0384;
														} else {
															_t282 =  *( *[fs:0x30] + 0x50) + 0x22a;
														}
														E010E6715( &_v2392,  *_t282 & 0x000000ff);
													}
													_v4 = 2;
													 *_v2428 = _v2400;
													_t411 = _v2484;
													__eflags = _t411;
													if(_t411 != 0) {
														 *_t411 = _v2408;
													}
													_t477 = 0;
													_v2380 = 0;
													_v4 = 0xfffffffe;
												}
												__eflags = _v2460;
												if(_v2460 != 0) {
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v2460);
												}
												_t267 = _v2464;
												__eflags = _t267;
												if(_t267 != 0) {
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t267);
												}
												_t270 = _v2468;
												__eflags = _t270;
												if(_t270 != 0) {
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t270);
													_t477 = _v2380;
												}
												_t273 = _v2432;
												__eflags = _t273;
												if(_t273 != 0) {
													__eflags =  &_v2376 - _t273;
													if( &_v2376 != _t273) {
														L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t273);
														_t477 = _v2380;
													}
												}
												goto L8;
											} else {
												L15:
												_t422 = _v2412;
											}
											L16:
											_v2516 =  &_v1496;
											_v2520 = 0x2be0000;
											_v2508 = 0;
											_v2512 = 0;
											_t454 = 0x3c;
											__eflags = _t422 + 0xc - _t454;
											if(_t422 + 0xc > _t454) {
												_t317 = E01074620(_t422,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xa + _t422 * 2);
												_v2468 = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													_t478 = 0xc0000017;
													goto L89;
												} else {
													_v2452 = _t317;
													_v2454 = 0xa + _v2412 * 2;
													_t477 = _v2420;
													goto L18;
												}
											} else {
												_v2452 =  &_v88;
												_v2454 = _t454;
												L18:
												_v2456 = 0;
												_t478 = E0106A990(_t422,  &_v2456, _t477);
												_v2380 = _t478;
												__eflags = _t478;
												if(_t478 >= 0) {
													_t478 = E0106A990(_t422,  &_v2456, L".mui");
													_v2380 = _t478;
													__eflags = _t478;
													if(_t478 >= 0) {
														_t484 = _v2476;
														__eflags = _v2476;
														if(__eflags != 0) {
															E0106F540( &_v2564, _t484);
														}
														_v4 = 1;
														_t456 = _v2444;
														_t424 =  &_v2456;
														_v2380 = E01091CC7(0,  &_v2456, _v2444, _t468, _t484, __eflags,  &_v2520,  &_v2512,  &_v2488);
														_v4 = 0xfffffffe;
														E0106BFE4(_t329, _t484);
														__eflags = _v2380;
														if(_v2380 >= 0) {
															_v2382 = 1;
															_t424 = _v2488;
															_v2388 =  *((intOrPtr*)(_t424 + 4));
															_v2392 =  *_t424;
															_v2390 =  *((intOrPtr*)(_t424 + 2));
														}
														__eflags = _v2382;
														if(_v2382 != 0) {
															_v2436 = 0;
															_t334 = 0;
															_v2416 = 0;
															goto L28;
														} else {
															_v2388 =  &_v1496;
															_v2392 = 0x2be0000;
															E0106A990(_t424,  &_v2392,  &_v792);
															_v2436 =  &_v1672;
															_v2438 = 0xaa;
															_t364 = E01064720(_t456, _v2444 & 0x0000ffff,  &_v2440, 2, 0);
															__eflags = _t364;
															if(_t364 < 0) {
																_t478 = 0xc000000d;
																goto L89;
															} else {
																E01067B60(_t424,  &_v2392,  &_v2440);
																E0106A990(_t424,  &_v2392, "\\");
																E0106A990(_t424,  &_v2392, _v2452);
																_t434 = _v2436;
																_t374 = E0108FE34(_v2436, _v2388, __eflags,  &_v2472,  &_v2376);
																_v2380 = _t374;
																__eflags = _t374 - 0xc0000023;
																if(_t374 == 0xc0000023) {
																	_t376 = E01074620(_t434,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v2472);
																	_v2432 = _t376;
																	__eflags = _t376;
																	if(__eflags == 0) {
																		goto L26;
																	} else {
																		_v2380 = E0108FE34(_v2436, _v2388, __eflags,  &_v2472, _t376);
																		goto L25;
																	}
																	goto L33;
																} else {
																	L25:
																	_t376 = _v2432;
																}
																L26:
																__eflags = _v2380;
																if(_v2380 >= 0) {
																	_t378 = E01066D30( &_v2528, _t376);
																	__eflags = _t378;
																	if(_t378 < 0) {
																		goto L27;
																	} else {
																		_t478 = E0108D715(_v2396,  &_v2528, _v2424, _a24, _v2436, 2,  &_v2448,  &_v2408,  &_v2400);
																		_v2380 = _t478;
																		__eflags = _t478;
																		if(_t478 < 0) {
																			__eflags = _t478 - 0xc0000034;
																			if(__eflags != 0) {
																				E010D7632(_t478,  &_v2528, __eflags, _v2424, _a24,  &_v2440);
																			}
																			goto L27;
																		} else {
																			E01066D30( &_v2392, _v2432);
																		}
																	}
																} else {
																	L27:
																	_t334 = _v2416;
																	L28:
																	_t478 = E0108D715(_v2396,  &_v2392, _v2424, _a24, _v2436, _t334,  &_v2448,  &_v2408,  &_v2400);
																	_v2380 = _t478;
																	__eflags = _t478 - 0xc000003a;
																	if(_t478 == 0xc000003a) {
																		L50:
																		_t337 = E010930B8( &_v792,  &_v1496);
																		__eflags = _t337;
																		if(_t337 != 0) {
																			_t338 =  &_v1496;
																			_v2388 = _t338;
																			_t430 = _t338;
																			_t458 = _t430 + 2;
																			do {
																				_t339 =  *_t430;
																				_t430 = _t430 + 2;
																				__eflags = _t339;
																			} while (_t339 != 0);
																			_t431 = _t430 - _t458;
																			__eflags = _t431;
																			_t432 = _t431 >> 1;
																			_v2392 = (_t431 >> 1) + (_t431 >> 1);
																			_v2390 = 0x2be;
																			E0106A990(_t431 >> 1,  &_v2392, "\\");
																			E01067B60(_t432,  &_v2392,  &_v2440);
																			E0106A990(_t432,  &_v2392, "\\");
																			E0106A990(_t432,  &_v2392, _v2452);
																			_t478 = E0108D715(_v2396,  &_v2392, _v2424, _a24, _v2436, _v2416,  &_v2448,  &_v2408,  &_v2400);
																			L89:
																			_v2380 = _t478;
																		}
																	} else {
																		__eflags = _t478 - 0xc0000034;
																		if(_t478 == 0xc0000034) {
																			goto L50;
																		}
																	}
																}
															}
														}
													}
												}
											}
											L30:
											__eflags = _v2400;
											if(_v2400 == 0) {
												_v2400 = _v2400 | 0xffffffff;
											}
											__eflags = _t478;
											if(_t478 < 0) {
												__eflags = _t478 - 0xc000012d;
												if(_t478 == 0xc000012d) {
													L90:
													_t264 = 0;
												} else {
													__eflags = _t478 - 0xc00000a5;
													if(_t478 == 0xc00000a5) {
														goto L90;
													} else {
														__eflags = _t478 - 0xc0000017;
														if(_t478 != 0xc0000017) {
															goto L32;
														} else {
															goto L90;
														}
													}
												}
											} else {
												L32:
												_t264 = _v2381;
											}
											goto L33;
										}
									}
								} else {
									_v4 = 0;
									 *_t468 = _t257;
									_t442 = _v2484;
									if(_t442 != 0) {
										 *_t442 = _v2408;
									}
									_v2380 = 0;
									_v4 = 0xfffffffe;
									L8:
									return E010AD130(0, _t468, _t477);
								}
							}
						}
					}
				}
			}

0x0106ba00
0x0106ba05
0x0106ba0a
0x0106ba12
0x0106ba1c
0x0106ba25
0x0106ba2e
0x0106ba36
0x0106ba3c
0x0106ba42
0x0106ba44
0x0106ba4a
0x0106ba50
0x0106ba56
0x0106ba5c
0x0106ba62
0x0106ba68
0x0106ba75
0x0106ba7d
0x0106ba80
0x0106ba86
0x0106ba86
0x0106ba88
0x0106ba8e
0x0106ba94
0x0106ba9a
0x0106baa0
0x0106baac
0x0106bab2
0x0106babc
0x0106bac2
0x0106bac8
0x0106bad0
0x010bad5b
0x00000000
0x0106bad6
0x0106bad6
0x0106badf
0x00000000
0x0106bae5
0x0106bae5
0x0106baed
0x00000000
0x0106baf3
0x0106bafe
0x0106bb00
0x0106bb08
0x0106beed
0x0106beed
0x0106bef3
0x00000000
0x0106bef9
0x0106beff
0x00000000
0x0106bf01
0x0106bb0e
0x0106bb10
0x0106bb43
0x0106bb43
0x0106bb49
0x0106bb49
0x0106bb4f
0x0106bb55
0x0106bb57
0x010ba9c0
0x0106bb5d
0x0106bb80
0x0106bb86
0x0106bb8b
0x0106bb8b
0x0106bb91
0x0106bb93
0x010ba9f1
0x010ba9fc
0x010ba9fe
0x010baa04
0x010baa06
0x00000000
0x010baa0c
0x010baa0c
0x010baa12
0x00000000
0x010baa12
0x0106bb99
0x0106bb99
0x0106bb9f
0x0106bba2
0x0106bba7
0x0106bff6
0x0106bffb
0x0106bffc
0x0106bffd
0x0106bffe
0x0106bfff
0x0106c002
0x0106c008
0x0106c00f
0x0106c010
0x0106c011
0x0106c012
0x0106c015
0x0106c01a
0x0106c01c
0x010bad65
0x010bad68
0x00000000
0x010bad6e
0x010bad77
0x010bad77
0x0106c022
0x0106c022
0x0106c022
0x0106c022
0x0106c024
0x0106c027
0x0106c02c
0x010bad81
0x010bad86
0x010bad88
0x010bad9a
0x010bad8a
0x010bad93
0x010bad93
0x010bada4
0x010bada4
0x0106c04c
0x0106c04e
0x0106c051
0x0106c053
0x010badae
0x010badb1
0x010badc0
0x010badc0
0x010badb1
0x0106c059
0x0106c05c
0x010badcb
0x010badd0
0x010badd2
0x010baddd
0x010baddd
0x010baddd
0x010badeb
0x010badeb
0x0106c06a
0x0106bbad
0x0106bbaf
0x0106bbba
0x0106bbc1
0x0106bbc3
0x010baa2c
0x010baa31
0x010baa33
0x00000000
0x010baa39
0x010baa39
0x010baa3f
0x010baa45
0x010baa47
0x010baa4a
0x010baa4a
0x010baa4d
0x010baa50
0x010baa50
0x010baa59
0x010baa5b
0x00000000
0x010baa5b
0x0106be11
0x0106be11
0x0106be13
0x0106be15
0x0106be1b
0x0106be1e
0x0106be23
0x0106be23
0x0106be24
0x0106be25
0x0106be2b
0x0106be32
0x0106be3f
0x0106be3f
0x0106be44
0x0106be4b
0x0106bf65
0x0106be51
0x0106be51
0x0106be56
0x0106be58
0x010bac9c
0x0106be5e
0x0106be5e
0x0106be5e
0x0106be63
0x0106be66
0x010baca6
0x010bacab
0x010bacad
0x010bacbf
0x010bacaf
0x010bacb8
0x010bacb8
0x010baccd
0x010baccd
0x0106be6c
0x0106be7f
0x0106be81
0x0106be87
0x0106be89
0x0106be91
0x0106be91
0x0106be93
0x0106be95
0x0106be9b
0x0106be9b
0x0106bea2
0x0106bea9
0x010bad15
0x010bad1a
0x0106beaf
0x0106beb5
0x0106beb7
0x010bad30
0x010bad35
0x0106bebd
0x0106bec3
0x0106bec5
0x0106bfc2
0x0106bfc7
0x0106bfc7
0x0106becb
0x0106bed1
0x0106bed3
0x0106bedb
0x0106bedd
0x010bad4b
0x010bad50
0x010bad50
0x0106bedd
0x00000000
0x0106bbc9
0x0106bbc9
0x0106bbc9
0x0106bbc9
0x0106bbcf
0x0106bbd5
0x0106bbdb
0x0106bbe5
0x0106bbed
0x0106bbf8
0x0106bbf9
0x0106bbfb
0x0106bf7f
0x0106bf84
0x0106bf8a
0x0106bf8c
0x010baa66
0x00000000
0x0106bf92
0x0106bf92
0x0106bfa5
0x0106bfac
0x00000000
0x0106bfac
0x0106bc01
0x0106bc04
0x0106bc0a
0x0106bc11
0x0106bc13
0x0106bc27
0x0106bc29
0x0106bc2f
0x0106bc31
0x0106bc48
0x0106bc4a
0x0106bc50
0x0106bc52
0x0106bc58
0x0106bc5e
0x0106bc60
0x0106bfda
0x0106bfda
0x0106bc66
0x0106bc82
0x0106bc88
0x0106bc93
0x0106bc99
0x0106bca0
0x0106bca5
0x0106bcac
0x010baa97
0x010baa9e
0x010baaa7
0x010baab0
0x010baabb
0x010baabb
0x0106bcb2
0x0106bcb9
0x010babb7
0x010babbd
0x010babbf
0x00000000
0x0106bcbf
0x0106bcc5
0x0106bccb
0x0106bce3
0x0106bcee
0x0106bcf9
0x0106bd14
0x0106bd19
0x0106bd1b
0x010babad
0x00000000
0x0106bd21
0x0106bd2f
0x0106bd40
0x0106bd52
0x0106bd6b
0x0106bd71
0x0106bd76
0x0106bd7c
0x0106bd81
0x010baad8
0x010baadd
0x010baae3
0x010baae5
0x00000000
0x010baaeb
0x010bab04
0x00000000
0x010bab04
0x00000000
0x0106bd87
0x0106bd87
0x0106bd87
0x0106bd87
0x0106bd8d
0x0106bd8d
0x0106bd94
0x010bab17
0x010bab1c
0x010bab1e
0x00000000
0x010bab24
0x010bab5b
0x010bab5d
0x010bab63
0x010bab65
0x010bab7f
0x010bab85
0x010baba3
0x010baba3
0x00000000
0x010bab67
0x010bab75
0x010bab75
0x010bab65
0x0106bd9a
0x0106bd9a
0x0106bd9a
0x0106bda0
0x0106bdd6
0x0106bdd8
0x0106bdde
0x0106bde4
0x0106bf0b
0x0106bf18
0x0106bf1d
0x0106bf1f
0x010babca
0x010babd0
0x010babd6
0x010babd8
0x010babdb
0x010babdb
0x010babde
0x010babe1
0x010babe1
0x010babe6
0x010babe6
0x010babe8
0x010babed
0x010babf9
0x010bac0d
0x010bac20
0x010bac2d
0x010bac3f
0x010bac7f
0x010bac81
0x010bac81
0x010bac81
0x0106bdea
0x0106bdea
0x0106bdf0
0x00000000
0x00000000
0x0106bdf0
0x0106bde4
0x0106bd94
0x0106bd1b
0x0106bcb9
0x0106bc52
0x0106bc31
0x0106bdf6
0x0106bdf6
0x0106bdfd
0x0106bf2a
0x0106bf2a
0x0106be03
0x0106be05
0x0106bf36
0x0106bf3c
0x010bac8c
0x010bac8c
0x0106bf42
0x0106bf42
0x0106bf48
0x00000000
0x0106bf4e
0x0106bf4e
0x0106bf54
0x00000000
0x0106bf5a
0x00000000
0x0106bf5a
0x0106bf54
0x0106bf48
0x0106be0b
0x0106be0b
0x0106be0b
0x0106be0b
0x00000000
0x0106be05
0x0106bba7
0x0106bb12
0x0106bb12
0x0106bb15
0x0106bb17
0x0106bb1f
0x0106bb27
0x0106bb27
0x0106bb29
0x0106bb2f
0x0106bb38
0x0106bb3d
0x0106bb3d
0x0106bb10
0x0106bb08
0x0106baed
0x0106badf

Strings

.mui, xrefs: 0106BC37
$, xrefs: 0106BA68

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $$.mui
API String ID: 0-2138749814
Opcode ID: 1b2efc5527b20cbee4ac01d5ecdbddf723b5c85893f4a6145d4b2358bd97124c
Instruction ID: 28fffa0102a4b36e32b3d3ccfe08b3ca50286f118bd707be6c0a9526e2161ed4
Opcode Fuzzy Hash: 1b2efc5527b20cbee4ac01d5ecdbddf723b5c85893f4a6145d4b2358bd97124c
Instruction Fuzzy Hash: EB425EB1A02669DFEB61DF58CC80BEAB7B8BB45310F0041D9E589E7252DB319E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010699C7 Relevance: 2.8, Strings: 2, Instructions: 294
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E010699C7(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed short* _a12) {
				char _v12;
				char* _v16;
				short _v18;
				char _v20;
				char* _v24;
				short _v26;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				void* _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				char _v77;
				void* _v80;
				signed int _v88;
				char _v89;
				short _t109;
				short _t110;
				void* _t111;
				signed char* _t114;
				signed int _t115;
				signed char* _t116;
				signed int _t118;
				signed int _t120;
				signed int _t125;
				signed int _t143;
				short _t146;
				signed int _t149;
				short* _t156;
				intOrPtr _t165;
				signed char* _t169;

				_v52 = __ecx;
				_t146 = 0x38;
				_t109 = 0x3a;
				_v26 = _t109;
				_t110 = 0x36;
				_v48 = __edx;
				_v28 = _t146;
				_v24 = L"LdrResFallbackLangList Enter";
				_v20 = _t110;
				_v18 = _t146;
				_v16 = L"LdrResFallbackLangList Exit";
				_t111 = E01077D50();
				_t169 = 0x7ffe0385;
				if(_t111 != 0) {
					_t114 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				} else {
					_t114 = 0x7ffe0385;
				}
				_t140 = 0x7ffe0384;
				if(( *_t114 & 0x00000001) != 0) {
					_t115 = E01077D50();
					if(_t115 == 0) {
						_t116 = 0x7ffe0384;
					} else {
						_t116 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E010E6715( &_v28,  *_t116 & 0x000000ff);
				}
				_t156 = _a12;
				if(_t156 == 0) {
					_t165 = 0xc000000d;
					goto L37;
				} else {
					 *_t156 = 0;
					_t149 = 0;
					 *((char*)(_t156 + 0x204)) = 0;
					_v60 = 0;
					_v64 = 0;
					_v77 = 0;
					_v56 = 0;
					while(1) {
						L5:
						_t125 = _t149;
						_t143 = _t149;
						_v68 = _t149 + 1;
						if(_t125 > 7) {
							break;
						}
						switch( *((intOrPtr*)(_t125 * 4 +  &M01069CEB))) {
							case 0:
								__si = _a4;
								goto L13;
							case 1:
								__eflags = _a8 & 0x00000004;
								if((_a8 & 0x00000004) != 0) {
									 *((char*)(__edx + 0x204)) = 1;
									goto L36;
								}
								__eflags = _a4 & 0x000003ff;
								if((_a4 & 0x000003ff) != 0) {
									 *((char*)(__edx + 0x204)) = 1;
									__edx =  &_v72;
									__eax = E0105649B(__ecx, __edx);
									__eflags = __eax;
									if(__eax < 0) {
										goto L36;
									}
									__si = _v72;
									__eflags = __si;
									if(__si != 0) {
										__ecx = __ebx;
									} else {
										__ecx = __ecx | 0xffffffff;
									}
									_v68 = __ecx;
									L26:
									_push(2);
									goto L13;
								}
								goto L26;
							case 2:
								_v76 = 0;
								_t127 = E0106ABEC();
								_t151 = _v60;
								if(_t127 == 0 || _t151 >= ( *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff)) {
									_t173 = 0;
								} else {
									E0106AAC7(_t151,  *( *[fs:0x18] + 0xfc0), _t151,  &_v76,  &_v77);
									_t173 = _v88;
									_t151 = _v72;
								}
								if(_t173 == 0) {
									goto L21;
								} else {
									if(_v77 != 0) {
										__eflags = _a8 & 0x00100000;
										if((_a8 & 0x00100000) != 0) {
											_t173 = 0xeeee;
										}
									}
									_v60 = _t151 + 1;
									_t149 = _t143;
									_push(3);
									_pop(_t167);
									_v68 = _t149;
									goto L13;
								}
							case 3:
								__eax = _v52;
								__eflags = __eax;
								if(__eax == 0) {
									L32:
									goto L5;
								}
								__edx = _v48;
								 &_v36 =  &_v44;
								__ecx = __eax;
								__eax = E010661A7(__ecx, _v48,  &_v44,  &_v36, _a8);
								__eflags = __eax;
								if(__eax >= 0) {
									 &_v12 = E0109BB40(__ecx,  &_v12, _v44);
									 &_v48 =  &_v20;
									__eax = L010643C0( &_v20,  &_v48);
									__eflags = __al;
									if(__al == 0) {
										_v64 = 0xc00b0005;
										goto L31;
									}
									__eflags = _a8 & 0x00100000;
									__si = _v40;
									_v76 = _v40;
									if((_a8 & 0x00100000) != 0) {
										__edx =  *[fs:0x18];
										 &_v77 =  &_v76;
										__edx =  *( *[fs:0x18] + 0xfc0);
										__eax = E0106AAC7(__ecx, __edx, 0,  &_v76,  &_v77);
										__eflags = _v89;
										if(_v89 == 0) {
											__si = _v76;
										}
									}
									__eax = _v36;
									__al = __al & 0x00000001;
									asm("sbb edi, edi");
									goto L42;
								}
								L31:
								__ecx = _v68;
								__edx = _a12;
								goto L32;
							case 4:
								__eax = 0xeeee;
								_v76 = __ax;
								__eax = _a8;
								__eax =  !_a8;
								__eflags = __eax & 0x00080000;
								if((__eax & 0x00080000) != 0) {
									goto L36;
								}
								__eflags =  *[fs:0x18];
								if( *[fs:0x18] == 0) {
									__si = _v76;
									goto L5;
								}
								__eax =  *[fs:0x18];
								__si =  *((intOrPtr*)( *[fs:0x18] + 0xc4));
								goto L13;
							case 5:
								__eax =  &_v56;
								_push( &_v56);
								_push(1);
								__eax = E01099630();
								__edx = _a12;
								__ecx = __eax;
								_v72 = __ecx;
								__eflags = __ecx;
								__ecx = _v76;
								if(__eflags < 0) {
									goto L5;
								}
								__si = _v56;
								goto L42;
							case 6:
								__eax =  &_v32;
								_push( &_v32);
								_push(0);
								__eax = E01099630();
								__edx = _a12;
								__ecx = __eax;
								_v72 = __ecx;
								__eflags = __ecx;
								__ecx = _v76;
								if(__eflags < 0) {
									goto L5;
								}
								__eax = _v32;
								__eflags = _v32 - _v56;
								if(_v32 == _v56) {
									goto L5;
								}
								__si = __ax;
								L42:
								__ecx = _v68;
								goto L13;
							case 7:
								L13:
								_t159 = _a12;
								if(_t173 == 0xeeee) {
									goto L5;
								}
								_t144 =  *_t159 & 0x0000ffff;
								_t153 = 0;
								_t129 = _t144;
								if(_t129 == 0) {
									L19:
									if(_t144 >= 0x40) {
										goto L36;
									}
									 *(_t159 + 4 + _t129 * 8) = _t173;
									 *((intOrPtr*)(_t159 + 8 + ( *_t159 & 0x0000ffff) * 8)) = _t167;
									 *_t159 =  *_t159 + 1;
									L21:
									_t149 = _v68;
									goto L5;
								}
								_t162 =  &(_t159[2]);
								while( *_t162 != _t173) {
									_t153 = _t153 + 1;
									_t162 =  &(_t162[4]);
									if(_t153 < _t129) {
										continue;
									}
									break;
								}
								_t159 = _a12;
								_t149 = _v68;
								if(_t153 < _t129) {
									goto L5;
								}
								goto L19;
						}
					}
					L36:
					_t165 = _v64;
					_t169 = 0x7ffe0385;
					_t63 = _t169 - 1; // 0x7ffe0384
					_t140 = _t63;
					L37:
					_t118 = E01077D50();
					if(_t118 != 0) {
						_t169 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t169 & 0x00000001) != 0) {
						_t120 = E01077D50();
						if(_t120 != 0) {
							_t140 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						E010E6715( &_v20,  *_t140 & 0x000000ff);
					}
					return _t165;
				}
			}

0x010699d7
0x010699dd
0x010699e0
0x010699e3
0x010699e8
0x010699e9
0x010699ed
0x010699f2
0x010699fa
0x010699ff
0x01069a04
0x01069a0c
0x01069a11
0x01069a18
0x010b9ff0
0x01069a1e
0x01069a1e
0x01069a1e
0x01069a23
0x01069a28
0x010b9ffa
0x010ba001
0x010ba013
0x010ba003
0x010ba00c
0x010ba00c
0x010ba01c
0x010ba01c
0x01069a2e
0x01069a33
0x010ba026
0x00000000
0x01069a39
0x01069a3d
0x01069a40
0x01069a42
0x01069a48
0x01069a4c
0x01069a50
0x01069a54
0x01069a58
0x01069a58
0x01069a58
0x01069a5a
0x01069a5d
0x01069a64
0x00000000
0x00000000
0x01069a6a
0x00000000
0x01069b45
0x00000000
0x00000000
0x01069b4e
0x01069b52
0x010ba0cc
0x00000000
0x010ba0cc
0x01069b58
0x01069b5f
0x010ba030
0x010ba03a
0x010ba03e
0x010ba043
0x010ba045
0x00000000
0x00000000
0x010ba04b
0x010ba050
0x010ba053
0x010ba05a
0x010ba055
0x010ba055
0x010ba055
0x010ba05c
0x01069b6a
0x01069b6a
0x00000000
0x01069b6c
0x00000000
0x00000000
0x01069a73
0x01069a78
0x01069a7d
0x01069a83
0x01069b72
0x01069aa1
0x01069ab9
0x01069abe
0x01069ac3
0x01069ac3
0x01069aca
0x00000000
0x01069ad0
0x01069ad5
0x010ba065
0x010ba06c
0x010ba072
0x010ba072
0x010ba06c
0x01069adc
0x01069ae0
0x01069ae2
0x01069ae4
0x01069ae5
0x00000000
0x01069ae5
0x00000000
0x01069b83
0x01069b87
0x01069b89
0x01069bb2
0x00000000
0x01069bb2
0x01069b8e
0x01069b97
0x01069b9c
0x01069b9e
0x01069ba3
0x01069ba5
0x01069c9f
0x01069ca9
0x01069cae
0x01069cb3
0x01069cb5
0x010ba0b5
0x00000000
0x010ba0b5
0x01069cbb
0x01069cc2
0x01069cc7
0x01069ccc
0x010ba07c
0x010ba088
0x010ba08d
0x010ba095
0x010ba09a
0x010ba09f
0x010ba0ab
0x010ba0ab
0x010ba09f
0x01069cd2
0x01069cd6
0x01069cdd
0x00000000
0x01069ce2
0x01069bab
0x01069bab
0x01069baf
0x00000000
0x00000000
0x01069bbc
0x01069bc1
0x01069bc6
0x01069bc9
0x01069bcb
0x01069bd0
0x00000000
0x00000000
0x01069bd2
0x01069bda
0x010ba0c2
0x00000000
0x010ba0c2
0x01069be0
0x01069be6
0x00000000
0x00000000
0x01069c1f
0x01069c28
0x01069c29
0x01069c2b
0x01069c30
0x01069c33
0x01069c35
0x01069c39
0x01069c3b
0x01069c3f
0x00000000
0x00000000
0x01069c45
0x00000000
0x00000000
0x01069c53
0x01069c5c
0x01069c5d
0x01069c5f
0x01069c64
0x01069c67
0x01069c69
0x01069c6d
0x01069c6f
0x01069c73
0x00000000
0x00000000
0x01069c79
0x01069c7d
0x01069c81
0x00000000
0x00000000
0x01069c87
0x01069c4a
0x01069c4a
0x00000000
0x00000000
0x01069ae9
0x01069ae9
0x01069af4
0x00000000
0x00000000
0x01069afa
0x01069afd
0x01069aff
0x01069b03
0x01069b24
0x01069b27
0x00000000
0x00000000
0x01069b2d
0x01069b35
0x01069b39
0x01069b3c
0x01069b3c
0x00000000
0x01069b3c
0x01069b05
0x01069b08
0x01069b0d
0x01069b0e
0x01069b13
0x00000000
0x00000000
0x00000000
0x01069b13
0x01069b15
0x01069b1a
0x01069b1e
0x00000000
0x00000000
0x00000000
0x00000000
0x01069a6a
0x01069bf2
0x01069bf2
0x01069bf6
0x01069bfb
0x01069bfb
0x01069bfe
0x01069bfe
0x01069c05
0x010ba0e1
0x010ba0e1
0x01069c0e
0x010ba0ec
0x010ba0f3
0x010ba0fe
0x010ba0fe
0x010ba10b
0x010ba10b
0x01069c1c
0x01069c1c

Strings

LdrResFallbackLangList Exit, xrefs: 01069A04
LdrResFallbackLangList Enter, xrefs: 010699F2

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-1720564570
Opcode ID: cb219954c988343e1c1ba98a106a7f71a9aa8731d4a9f8609adbd5ef4808f26d
Instruction ID: fda4b60afa4a2b3b470bf3f084cadf07b77a2da5d15771e55848e2355a6de639
Opcode Fuzzy Hash: cb219954c988343e1c1ba98a106a7f71a9aa8731d4a9f8609adbd5ef4808f26d
Instruction Fuzzy Hash: C5B1AB32608386CFDB14CF18C580AAEB7E8BF84758F048969F9C59B691E734D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0111E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0111E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0111BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0111BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0111AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01099730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0111A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0111A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01099730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0111A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0111A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E01072280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0106B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0106FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E01077D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0110FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0111e547
0x0111e549
0x0111e54f
0x0111e553
0x0111e557
0x0111e55a
0x0111e55c
0x0111e55f
0x0111e561
0x0111e567
0x0111e56b
0x0111e7e2
0x00000000
0x0111e571
0x0111e575
0x0111e577
0x0111e57b
0x0111e57c
0x0111e57d
0x0111e57e
0x0111e57f
0x0111e588
0x0111e58f
0x0111e591
0x0111e592
0x0111e592
0x0111e596
0x0111e59e
0x0111e5a0
0x0111e5a6
0x0111e61d
0x0111e61d
0x0111e621
0x0111e623
0x0111e630
0x0111e630
0x0111e7e6
0x0111e7eb
0x0111e7ed
0x0111e7f4
0x0111e7fa
0x0111e7ff
0x0111e7ff
0x0111e80a
0x0111e812
0x0111e812
0x0111e5ab
0x0111e5b4
0x0111e5b9
0x0111e5be
0x0111e5c0
0x0111e5c2
0x0111e5c8
0x0111e5c9
0x0111e5cb
0x0111e5cc
0x0111e5d5
0x0111e5e4
0x0111e5f1
0x0111e5f8
0x0111e5f8
0x0111e5d5
0x0111e602
0x0111e616
0x0111e63d
0x0111e644
0x0111e64d
0x0111e652
0x0111e657
0x0111e659
0x0111e65b
0x0111e661
0x0111e662
0x0111e664
0x0111e665
0x0111e66e
0x0111e67d
0x0111e68a
0x0111e691
0x0111e691
0x0111e66e
0x0111e6b0
0x00000000
0x0111e6b6
0x0111e6bd
0x0111e6c7
0x0111e6d7
0x0111e6d9
0x0111e6db
0x0111e6de
0x0111e6e3
0x0111e6f3
0x0111e6fc
0x0111e700
0x0111e700
0x0111e704
0x0111e70a
0x0111e70a
0x0111e713
0x0111e716
0x0111e719
0x0111e720
0x0111e761
0x0111e76b
0x0111e774
0x0111e77a
0x0111e77a
0x0111e78a
0x0111e791
0x0111e799
0x0111e79b
0x0111e79f
0x0111e7aa
0x0111e7c0
0x0111e7ac
0x0111e7b2
0x0111e7b9
0x0111e7b9
0x0111e7c7
0x0111e806
0x00000000
0x0111e7c9
0x0111e7d1
0x0111e7d8
0x00000000
0x0111e7d8
0x00000000
0x00000000
0x0111e722
0x0111e72e
0x0111e748
0x0111e74c
0x0111e754
0x0111e756
0x0111e75c
0x0111e75c
0x00000000
0x0111e75c
0x0111e758
0x0111e758
0x00000000
0x0111e758
0x0111e750
0x00000000
0x00000000
0x0111e752
0x00000000
0x0111e752
0x0111e730
0x0111e735
0x0111e73d
0x0111e73f
0x00000000
0x00000000
0x0111e741
0x0111e741
0x00000000
0x0111e741
0x0111e739
0x00000000
0x00000000
0x0111e73b
0x00000000
0x0111e73b
0x0111e722
0x0111e720
0x0111e6b0
0x0111e618
0x00000000
0x0111e618

Strings

`, xrefs: 0111E5D7
`, xrefs: 0111E670

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 16eb37a953091ef2a5d3f5a088cc9d61286bb4ed76574e8a8b85006f9a30a4bb
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: B291AD316057429FE72ACE69C841B5BFBE5AF84714F14893DFA95CB284E770E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010D51BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010D51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x11305f0);
				E010AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0106EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E010D53CA(0);
						return E010AD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0109F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01073690(1, _t117, 0x1031810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0109AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = E01074620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0109AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E010D500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01099860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x010d51be
0x010d51c3
0x010d51c8
0x010d51cd
0x010d51d0
0x010d51d3
0x010d51d8
0x010d51db
0x010d51de
0x010d51e0
0x010d51e3
0x010d51e6
0x010d51e8
0x010d5342
0x010d5351
0x010d5356
0x010d535a
0x010d5360
0x010d5363
0x010d5366
0x010d5369
0x010d5369
0x010d536b
0x010d536b
0x010d5370
0x010d53a3
0x010d53a4
0x010d53a6
0x010d53ab
0x010d53ab
0x010d53ae
0x010d53ae
0x010d53b5
0x010d53bf
0x010d53bf
0x010d5375
0x010d5396
0x010d53a0
0x010d53a0
0x00000000
0x010d5396
0x010d5377
0x010d5379
0x010d537f
0x010d538c
0x010d5390
0x00000000
0x010d5390
0x010d51ee
0x010d51f1
0x010d5301
0x010d5310
0x010d5315
0x010d5318
0x010d531b
0x010d5320
0x010d532e
0x010d5331
0x00000000
0x010d5331
0x010d5328
0x010d5329
0x00000000
0x010d5329
0x010d51fa
0x010d5235
0x010d5236
0x010d5239
0x010d523f
0x010d5240
0x010d5241
0x010d5242
0x010d5246
0x010d5247
0x010d524e
0x010d5251
0x010d5267
0x010d5269
0x010d526e
0x010d527d
0x010d527e
0x010d5281
0x010d5282
0x010d5287
0x010d5288
0x010d528a
0x010d528f
0x010d5294
0x00000000
0x00000000
0x010d529a
0x010d529c
0x010d529e
0x010d529e
0x010d52a4
0x010d52b0
0x00000000
0x00000000
0x010d52ba
0x010d52bc
0x010d52bc
0x010d52d4
0x010d52d9
0x010d52dc
0x010d52e1
0x00000000
0x00000000
0x010d52e7
0x010d52f4
0x00000000
0x010d52f4
0x010d5270
0x00000000
0x010d5270
0x010d51fc
0x010d51fd
0x010d5202
0x010d5203
0x010d5205
0x010d520a
0x010d520f
0x00000000
0x00000000
0x010d521b
0x010d5226
0x010d522b
0x010d521d
0x010d521d
0x010d5222
0x010d5222
0x010d522d
0x00000000

Strings

Legacy, xrefs: 010D5226
UEFI, xrefs: 010D521D

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 4c10adb0155348e77fbafba5f2d047a20b083ddec2e2fbc1ca1496b90f4a18b9
Instruction ID: 51d403c6ab16523750ce9f750cc2f2978dc6a701d1082c58e19109c6bbd9305f
Opcode Fuzzy Hash: 4c10adb0155348e77fbafba5f2d047a20b083ddec2e2fbc1ca1496b90f4a18b9
Instruction Fuzzy Hash: 84514D71A007099FDB25DFA8CD50BAEBBF8BB58740F14806DEA89EB251DB71D900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010661A7 Relevance: 2.6, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010661A7(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				short _v22;
				char _v24;
				char* _v28;
				short _v30;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t33;
				short _t34;
				void* _t35;
				signed char* _t38;
				signed int _t39;
				signed char* _t40;
				intOrPtr* _t43;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t49;
				signed int _t53;
				signed char* _t56;
				short _t59;
				intOrPtr* _t61;
				signed int _t69;
				signed int _t70;

				_v12 = __ecx;
				_t70 = 0;
				_t59 = 0x42;
				_t33 = 0x44;
				_v22 = _t33;
				_t34 = 0x40;
				_v16 = __edx;
				_v8 = 0;
				_v24 = _t59;
				_v20 = L"RtlpResUltimateFallbackInfo Enter";
				_v32 = _t34;
				_v30 = _t59;
				_v28 = L"RtlpResUltimateFallbackInfo Exit";
				_t35 = E01077D50();
				_t56 = 0x7ffe0385;
				if(_t35 != 0) {
					_t38 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				} else {
					_t38 = 0x7ffe0385;
				}
				_t71 = 0x7ffe0384;
				if(( *_t38 & 0x00000001) != 0) {
					_t39 = E01077D50();
					__eflags = _t39;
					if(_t39 == 0) {
						_t40 = 0x7ffe0384;
					} else {
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E010E6715( &_v24,  *_t40 & 0x000000ff);
				}
				_t67 = _v12;
				if(_v12 == 0) {
					L27:
					return 0xc000000d;
				} else {
					_t43 = _a4;
					if(_t43 == 0) {
						goto L27;
					}
					_t61 = _a8;
					_t77 = _t61;
					if(_t61 == 0) {
						goto L27;
					}
					 *_t43 = _t70;
					 *_t61 = _t70;
					_t45 = E010662A0(_t56, _t70, _t71, _t77, _t67, _v16,  &_v8, _a12, 1);
					if(_t45 >= 0) {
						_t46 = _v8;
						__eflags = _t46;
						if(_t46 == 0) {
							L17:
							_t70 = 0xc0000001;
							L14:
							_t47 = E01077D50();
							__eflags = _t47;
							if(_t47 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t56 & 0x00000001;
							if(( *_t56 & 0x00000001) != 0) {
								_t49 = E01077D50();
								__eflags = _t49;
								if(_t49 != 0) {
									_t71 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								E010E6715( &_v32,  *_t71 & 0x000000ff);
								goto L16;
							} else {
								L16:
								return _t70;
							}
						}
						__eflags = _t46 - 0xffffffff;
						if(_t46 == 0xffffffff) {
							goto L17;
						}
						__eflags =  *((intOrPtr*)(_t46 + 0x7c)) - _t70;
						if( *((intOrPtr*)(_t46 + 0x7c)) == _t70) {
							goto L17;
						}
						__eflags =  *((intOrPtr*)(_t46 + 0x80)) - _t70;
						if( *((intOrPtr*)(_t46 + 0x80)) == _t70) {
							goto L17;
						}
						_t69 =  *(_t46 + 0x18);
						__eflags = _t69;
						if(_t69 == 0) {
							goto L17;
						}
						_t53 = _t46 +  *((intOrPtr*)(_t46 + 0x7c));
						__eflags = _t53;
						 *_a8 = _t69;
						 *_a4 = _t53;
						goto L14;
					}
					return _t45;
				}
			}

0x010661b4
0x010661b7
0x010661b9
0x010661bc
0x010661bf
0x010661c3
0x010661c4
0x010661c7
0x010661ca
0x010661ce
0x010661d5
0x010661d9
0x010661dd
0x010661e4
0x010661e9
0x010661f0
0x010b8fb9
0x010661f6
0x010661f6
0x010661f6
0x010661fb
0x01066200
0x010b8fc3
0x010b8fc8
0x010b8fca
0x010b8fdc
0x010b8fcc
0x010b8fd5
0x010b8fd5
0x010b8fe4
0x010b8fe4
0x01066206
0x0106620b
0x010b902a
0x00000000
0x01066211
0x01066211
0x01066216
0x00000000
0x00000000
0x0106621c
0x0106621f
0x01066221
0x00000000
0x00000000
0x0106622c
0x01066235
0x01066238
0x0106623f
0x0106624a
0x0106624d
0x0106624f
0x01066291
0x01066291
0x01066277
0x01066277
0x0106627c
0x0106627e
0x010b8ff7
0x010b8ff7
0x01066284
0x01066287
0x010b9002
0x010b9007
0x010b9009
0x010b9014
0x010b9014
0x010b9014
0x010b9020
0x00000000
0x0106628d
0x0106628d
0x00000000
0x0106628d
0x01066287
0x01066251
0x01066254
0x00000000
0x00000000
0x01066256
0x01066259
0x00000000
0x00000000
0x0106625b
0x01066261
0x00000000
0x00000000
0x01066263
0x01066266
0x01066268
0x00000000
0x00000000
0x0106626d
0x0106626d
0x01066270
0x01066275
0x00000000
0x01066275
0x01066247
0x01066247

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 010661DD
RtlpResUltimateFallbackInfo Enter, xrefs: 010661CE

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 95167e86b6cbd857346665b20c81fa0a9ba2c7909339f4e2ecf2b265f1220e6c
Instruction ID: 256b58f68e76febe0699fc53846cca7819940b848a3abf3d03214f7805eb4f85
Opcode Fuzzy Hash: 95167e86b6cbd857346665b20c81fa0a9ba2c7909339f4e2ecf2b265f1220e6c
Instruction Fuzzy Hash: 8D41F771A00606DFDB11DF6AC484BAE7BF9FF81304F1440A5EA80DB2A1E736D940CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0106C1C0 Relevance: 2.1, Strings: 1, Instructions: 876
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0106C1C0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				char _v69;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				char _v104;
				signed char _v105;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int* _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed short _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				char _v165;
				signed int _v172;
				signed int _v176;
				void* _v180;
				signed int _v184;
				char _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				void* _v216;
				signed int _v220;
				signed int* _v224;
				signed int* _v228;
				signed int _v236;
				char _v244;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t427;
				signed int _t428;
				signed int _t434;
				signed int _t439;
				void* _t441;
				signed int _t442;
				signed int _t443;
				signed char _t444;
				signed int _t452;
				signed int _t459;
				signed int _t460;
				signed int _t462;
				signed int _t463;
				signed char _t464;
				signed int _t470;
				signed short _t471;
				signed int _t474;
				signed int _t477;
				signed int _t479;
				signed int* _t483;
				signed short _t485;
				signed int _t486;
				signed int _t487;
				signed int _t490;
				signed int _t492;
				signed int _t500;
				signed int _t504;
				signed int _t511;
				signed int _t518;
				signed int _t527;
				signed int _t529;
				signed int _t531;
				signed int _t532;
				signed int _t536;
				signed int _t544;
				void* _t546;
				signed char _t548;
				signed short _t552;
				signed short* _t555;
				intOrPtr _t556;
				signed int _t557;
				signed int _t560;
				signed char _t565;
				signed int _t566;
				signed char _t568;
				intOrPtr* _t569;
				signed char _t575;
				signed int _t582;
				signed short _t583;
				signed int _t584;
				signed int _t588;
				signed int _t590;
				signed int _t591;
				signed int _t598;
				intOrPtr _t599;
				signed char _t601;
				intOrPtr* _t602;
				signed int _t605;
				intOrPtr* _t608;
				signed int _t618;
				void* _t620;
				signed int _t621;
				signed int _t622;
				signed int _t623;
				signed int _t626;
				signed int _t630;
				signed int _t631;
				signed int* _t633;
				void* _t634;
				signed int _t635;
				signed int _t636;
				signed int _t637;
				signed int* _t638;
				signed int _t641;
				void* _t642;
				intOrPtr _t643;

				_push(0xfffffffe);
				_push(0x112fa78);
				_push(0x10a17f0);
				_push( *[fs:0x0]);
				_t643 = _t642 - 0xe0;
				_t427 =  *0x114d360;
				_v12 = _v12 ^ _t427;
				_t428 = _t427 ^ _t641;
				_v32 = _t428;
				_push(_t428);
				 *[fs:0x0] =  &_v20;
				_v28 = _t643;
				_t633 = __edx;
				_v100 = __edx;
				_v96 = __ecx;
				_v164 = __edx;
				_v128 = _a12;
				_v160 = __edx;
				_v69 = 0;
				_v184 = 0;
				_t560 = _a4;
				_t594 = _a8;
				if(_t560 < 3) {
					__eflags = _t594 & 0x00000002;
					if((_t594 & 0x00000002) != 0) {
						goto L1;
					}
					L214:
					_t431 = 0xc00000f1;
					L92:
					 *[fs:0x0] = _v20;
					_pop(_t620);
					_pop(_t634);
					_pop(_t546);
					return E0109B640(_t431, _t546, _v32 ^ _t641, _t594, _t620, _t634);
				}
				L1:
				if(_t560 > 4) {
					goto L214;
				}
				_t434 = _t594 & 0x00000041;
				if(_t434 != 0) {
					__eflags = _t560 - 4;
					if(_t560 != 4) {
						goto L214;
					}
					L147:
					__eflags = _t434;
					if(_t434 == 0) {
						goto L214;
					}
					__eflags = _t560 - 4;
					if(_t560 == 4) {
						_t560 = 3;
					}
					L4:
					_v124 = _t560;
					_v136 = _t560;
					_v8 = 0;
					_t548 =  !_t594;
					if((_t548 & 0x00000010) == 0) {
						L30:
						_t549 = 1;
						_v104 = 1;
						_t565 = _v96;
						_t635 = _t565;
						_v208 = _t635;
						_v120 = 0;
						_t621 = 0;
						_v92 = 0;
						__eflags = _t565 & 0x00000003;
						if((_t565 & 0x00000003) != 0) {
							asm("sbb al, al");
							_t549 = 0x00000001 &  !( ~(_t565 & 0x00000001));
							_v104 = 1;
							_t635 = _t635 & 0xfffffffc;
							__eflags = _t635;
							_v208 = _t635;
						}
						_t594 = E0106E9C0(1, _t635, 0, 0,  &_v120);
						_t566 = _v120;
						__eflags = _t566;
						if(_t566 == 0) {
							L46:
							__eflags = _t594;
							if(_t594 < 0) {
								goto L207;
							}
							goto L47;
						} else {
							_t511 =  *(_t566 + 0x18) & 0x0000ffff;
							_t594 = 0x10b;
							__eflags = _t511 - 0x10b;
							if(_t511 != 0x10b) {
								_t594 = 0x20b;
								__eflags = _t511 - 0x20b;
								if(_t511 != 0x20b) {
									L207:
									_t621 = 0;
									L134:
									_v92 = _t621;
									L47:
									_v116 = _t621;
									__eflags = _t621;
									if(_t621 == 0) {
										_v8 = 0xfffffffe;
										_t431 = 0xc0000089;
										goto L92;
									}
									_v176 = _t621;
									_v84 = 0xeeee;
									_v112 = 0;
									_t636 = 0;
									_v156 = 0;
									_v148 = 0;
									__eflags = 0;
									_v68 = 0;
									_v64 = 0;
									_v88 = 0;
									_v180 = 0;
									_t594 = _v100;
									while(1) {
										L49:
										__eflags = _t621;
										if(_t621 == 0) {
											goto L112;
										}
										_t470 = _v136;
										_t566 = _t470 - 1;
										_v136 = _t566;
										__eflags = _t470;
										if(_t470 == 0) {
											goto L112;
										}
										__eflags = _t566;
										if(_t566 == 0) {
											__eflags = _v124 - 3;
											if(_v124 == 3) {
												_v148 = _t621;
											}
										}
										__eflags = _v148;
										if(_v148 != 0) {
											_t471 =  *((intOrPtr*)(_v160 + 8));
											_v88 = _t471;
											__eflags = 0x000003ff & _t471;
											_t189 =  &_v69;
											 *_t189 = (0x000003ff & _t471) == 0;
											__eflags =  *_t189;
											_t550 = _a8;
											goto L96;
										} else {
											L53:
											_t566 =  *((intOrPtr*)(_t621 + 0xc));
											_t109 = _t621 + 0x10; // 0x10
											_t638 = _t109;
											_v224 = _t638;
											_t459 =  *_t594;
											_v92 = _t459;
											_t460 = _t459 & 0xffff0000;
											__eflags = _t460;
											_v140 = _t460;
											if(_t460 == 0) {
												_t638 = _t638 + (_t566 & 0x0000ffff) * 8;
												_v224 = _t638;
												_t566 =  *((intOrPtr*)(_t621 + 0xe));
											}
											__eflags = _t566;
											if(_t566 == 0) {
												_t623 = _v124;
												_t462 = _t623 - _v136;
												__eflags = _t462 - 1;
												if(__eflags != 0) {
													_t462 = _t462 - 2;
													__eflags = _t462;
													if(__eflags == 0) {
														_t637 = 0xc000008b;
														L197:
														_v76 = _t637;
														_t550 = _a8;
														_t594 =  !_a8;
														asm("bt edx, 0x13");
														asm("bt edx, 0x11");
														_t463 = _t462 & 0xffffff00 | __eflags > 0x00000000;
														_t575 = (_t566 & 0xffffff00 | __eflags > 0x00000000) & _t463;
														__eflags =  !_a8 & 0x00000010;
														_t464 = _t463 & 0xffffff00 | ( !_a8 & 0x00000010) != 0x00000000;
														__eflags = _t464 & _t575;
														if((_t464 & _t575) == 0) {
															goto L91;
														}
														__eflags = _t623 - 3;
														if(_t623 != 3) {
															goto L91;
														} else {
															_t569 = _v160;
															_v48 =  *_t569;
															_v44 =  *((intOrPtr*)(_t569 + 4));
															_v40 =  *((intOrPtr*)(_t569 + 8));
															__eflags = _a4 - 4;
															if(_a4 != 4) {
																goto L191;
															}
															goto L247;
														}
														L199:
														__eflags = _t548 & 0x00000008;
														if((_t548 & 0x00000008) == 0) {
															L11:
															_v80 = 0;
															_v140 = 0;
															_v68 = 0;
															_t557 = _v96;
															_t631 = E0106D1D0(_t557, 0, 0, 8);
															_v68 = _t631;
															if(_t631 == 0xffffffff) {
																L169:
																_t529 = 0x80000;
																_v80 = 0x80000;
																L19:
																_t594 = _a8 | _t529;
																_a8 = _t594;
																if((_t594 & 0x00040000) == 0) {
																	goto L30;
																}
																_t431 = 0xc000008a;
																_v76 = 0xc000008a;
																if((_t594 & 0x00020000) == 0) {
																	_v48 =  *_t633;
																	_t588 = _v124;
																	if(_t588 < 2) {
																		_t531 = 0;
																	} else {
																		_t51 =  &(_t633[1]); // 0x49
																		_t531 =  *_t51;
																	}
																	_v44 = _t531;
																	if(_t588 != 3) {
																		_t532 = 0;
																	} else {
																		_t53 =  &(_t633[2]); // 0x64004c
																		_t532 =  *_t53;
																	}
																	_v40 = _t532;
																	if(_a4 == 4) {
																		_t318 =  &(_t633[3]); // 0x520072
																		_v36 =  *_t318;
																	}
																	_t594 =  &_v48;
																	_v76 = E0106B62E(_t557,  &_v48, _a4,  &_v48, _v128);
																}
																_v8 = 0xfffffffe;
																goto L92;
															}
															if(_t631 == 0) {
																_v60 = L"MUI";
																_v56 = 1;
																_v52 = 0;
																_t590 = _t557;
																_t536 = E0106C1C0(_t590,  &_v60, 3, 0x30,  &_v144);
																_v196 = _t536;
																__eflags = _t536;
																if(__eflags < 0) {
																	L193:
																	_t631 = 0;
																	_v68 = 0;
																	_t591 = _t590 | 0xffffffff;
																	L168:
																	_push(0);
																	_push(_t536);
																	_push(2);
																	_push(0);
																	_push(_t591);
																	_push(0);
																	E0108DA88(_t557, _t557, 0, _t631, _t633, __eflags);
																	__eflags = _t631;
																	if(_t631 != 0) {
																		goto L13;
																	}
																	goto L169;
																}
																_t590 = _t557;
																_t536 = E0106D9A0(_t590, _v144,  &_v68,  &_v140);
																_v196 = _t536;
																__eflags = _t536;
																if(__eflags < 0) {
																	goto L193;
																}
																_t631 = _v68;
																__eflags =  *_t631 - 0xfecdfecd;
																if(__eflags != 0) {
																	_t536 = 0xc000007b;
																	_v196 = 0xc000007b;
																	goto L193;
																}
																_v140 = 0;
																_t591 = _t631;
																goto L168;
															}
															L13:
															_push( &_v80);
															_push(_a8);
															_push( *_t633);
															_push(_t631);
															if(L0106ED40() < 0) {
																_t529 = 0x60000;
																L17:
																_v80 = _t529;
																L18:
																_t557 = _v96;
																goto L19;
															}
															_t529 = _v80;
															if(( *(_t631 + 0x14) & 0x00000100) != 0) {
																_t529 = _t529 | 0x00100000;
																_v80 = _t529;
															}
															if(( *(_t631 + 0x10) & 0x00000010) == 0) {
																goto L18;
															} else {
																_t529 = _t529 | 0x00200000;
																goto L17;
															}
														}
														__eflags = _t630;
														if(_t630 != 0) {
															__eflags = _t630 - 0x400;
															if(_t630 == 0x400) {
																goto L29;
															}
															__eflags = _t630 - 0x800;
															if(_t630 != 0x800) {
																goto L11;
															}
															goto L29;
														} else {
															L29:
															_t618 = _t594 | 0x00000010;
															__eflags = _t618;
															_a8 = _t618;
															goto L30;
														}
													}
													__eflags = _t462 == 1;
													if(_t462 == 1) {
														_t637 = 0xc0000204;
													} else {
														_t637 = 0xc000000d;
													}
													goto L90;
												}
												_t637 = 0xc000008a;
												goto L197;
											} else {
												__eflags = _v148;
												if(_v148 != 0) {
													_t550 = _a8;
													__eflags = _t550 & 0x00000020;
													if((_t550 & 0x00000020) == 0) {
														goto L57;
													}
													_t621 = 0;
													_v176 = 0;
													_v84 =  *_t638;
													_t636 = _t638[1] + _v116;
													__eflags = _t636;
													_v156 = _t636;
													L84:
													_t439 = _t550 & 0x00000002;
													__eflags = _t636;
													if(_t636 == 0) {
														L115:
														__eflags = _t621;
														if(_t621 != 0) {
															__eflags = _t439;
															if(_t439 == 0) {
																goto L116;
															}
															 *_v128 = _t621;
															_t637 = 0;
															L90:
															_v76 = _t637;
															L91:
															_v8 = 0xfffffffe;
															_t431 = _t637;
															goto L92;
														}
														L116:
														_t622 = _v124;
														_t441 = _t622 - _v136;
														__eflags = _t441 - 3;
														if(_t441 != 3) {
															_t442 = _t441 - 1;
															__eflags = _t442;
															if(__eflags != 0) {
																_t442 = _t442 - 1;
																__eflags = _t442;
																if(__eflags != 0) {
																	_t637 = 0xc000000d;
																	_v76 = 0xc000000d;
																	L227:
																	__eflags = _t637 - 0xc000008a;
																	if(__eflags == 0) {
																		L188:
																		_t594 =  !_t550;
																		asm("bt edx, 0x13");
																		asm("bt edx, 0x11");
																		_t443 = _t442 & 0xffffff00 | __eflags > 0x00000000;
																		_t568 = (_t566 & 0xffffff00 | __eflags > 0x00000000) & _t443;
																		__eflags =  !_t550 & 0x00000010;
																		_t444 = _t443 & 0xffffff00 | ( !_t550 & 0x00000010) != 0x00000000;
																		__eflags = _t444 & _t568;
																		if((_t444 & _t568) == 0) {
																			goto L91;
																		}
																		__eflags = _t622 - 3;
																		if(_t622 != 3) {
																			goto L91;
																		}
																		_t569 = _v160;
																		_v48 =  *_t569;
																		_v44 =  *((intOrPtr*)(_t569 + 4));
																		_v40 =  *((intOrPtr*)(_t569 + 8));
																		__eflags = _a4 - 4;
																		if(_a4 == 4) {
																			L247:
																			_v36 =  *((intOrPtr*)(_t569 + 0xc));
																		}
																		L191:
																		_t594 =  &_v48;
																		_t551 = _v96;
																		_t637 = E0106B62E(_v96,  &_v48, _a4, _t550, _v128);
																		_v76 = _t637;
																		__eflags = _t637;
																		if(_t637 >= 0) {
																			_t594 = 0;
																			E01084CD4(_t551, 0,  &_v48, _a4);
																		}
																		goto L91;
																	}
																	__eflags = _t637 - 0xc000008b;
																	if(__eflags != 0) {
																		goto L91;
																	}
																	goto L188;
																}
																_t637 = 0xc000008b;
																_v76 = 0xc000008b;
																goto L188;
															}
															_t637 = 0xc000008a;
															_v76 = 0xc000008a;
															goto L188;
														}
														_t637 = 0xc0000204;
														_v76 = 0xc0000204;
														__eflags = _v148;
														if(_v148 == 0) {
															goto L227;
														}
														_v156 = 0;
														L96:
														while(1) {
															L97:
															_t452 = _v112;
															_v112 = _v112 + 1;
															__eflags = _t452 - 0xc;
															if(__eflags > 0) {
																break;
															}
															switch( *((intOrPtr*)(_t452 * 4 +  &M0106CEB0))) {
																case 0:
																	__eflags = 0 - _v88;
																	if(0 == _v88) {
																		goto L119;
																	}
																	__eflags = _t550 & 0x00080000;
																	if((_t550 & 0x00080000) != 0) {
																		_t454 = _v88 & 0x0000ffff;
																		goto L102;
																	}
																	goto L101;
																case 1:
																	__edx = __ebx;
																	__edx =  !__ebx;
																	asm("bt edx, 0x13");
																	__ecx = __ecx & 0xffffff00 | __eflags > 0x00000000;
																	asm("bt edx, 0x11");
																	__eax = __eax & 0xffffff00 | __eflags > 0x00000000;
																	__cl = __cl & __al;
																	__eflags = __dl & 0x00000010;
																	__eax = __eax & 0xffffff00 | (__dl & 0x00000010) != 0x00000000;
																	__eflags = __al & __cl;
																	if((__al & __cl) == 0) {
																		goto L101;
																	}
																	__edx = _v160;
																	__eax =  *__edx;
																	_v48 =  *__edx;
																	__ecx = _v124;
																	__eflags = __ecx - 2;
																	if(__ecx < 2) {
																		__eax = 0;
																	} else {
																		__eax =  *(__edx + 4);
																	}
																	_v44 = __eax;
																	__eflags = __ecx - 3;
																	if(__ecx != 3) {
																		__eax = 0;
																	} else {
																		__eax =  *(__edx + 8);
																	}
																	_v40 = __eax;
																	__eflags = _a4 - 4;
																	if(_a4 == 4) {
																		__eax =  *(__edx + 0xc);
																		_v36 =  *(__edx + 0xc);
																	}
																	__edx =  &_v48;
																	__edi = _v96;
																	__ecx = __edi;
																	__eax = E0106B62E(__ecx, __edx, _a4, __ebx, _v128);
																	__esi = __eax;
																	_v76 = __esi;
																	__eflags = __esi;
																	if(__esi < 0) {
																		goto L101;
																	} else {
																		__eax =  &_v48;
																		__edx = 0;
																		__ecx = __edi;
																		__eax = E01084CD4(__ecx, 0,  &_v48, _a4);
																		goto L91;
																	}
																case 2:
																	__eflags = _v69;
																	if(_v69 != 0) {
																		goto L101;
																	}
																	__ax = _v88;
																	goto L102;
																case 3:
																	__eflags = __bl & 0x00000004;
																	if((__bl & 0x00000004) != 0) {
																		goto L145;
																	}
																	__eflags = _v69;
																	if(_v69 != 0) {
																		goto L101;
																	}
																	__edx =  &_v64;
																	__eax = E0105649B(__ecx, __edx);
																	__eflags = __eax;
																	if(__eax < 0) {
																		L119:
																		_t454 = 0;
																		goto L102;
																	}
																	__ax = _v64;
																	_v68 = __eax;
																	__eflags = _v64;
																	if(_v64 != 0) {
																		_v112 = _v112 - 1;
																	}
																	goto L104;
																case 4:
																	__eflags = _v69;
																	if(_v69 == 0) {
																		__ax = _v88;
																		__ecx = 0x3ff;
																		__ax = _v88 & __cx;
																	} else {
																		__eax = _v84 & 0x0000ffff;
																	}
																	goto L102;
																case 5:
																	__eflags = _v69;
																	if(_v69 != 0) {
																		goto L101;
																	}
																	goto L145;
																case 6:
																	__ax = _v84;
																	_v68 = __eax;
																	_v64 = __ax;
																	__eflags = __bl & 0x00000020;
																	if((__bl & 0x00000020) != 0) {
																		goto L104;
																	}
																	__eax = 0;
																	_v64 = __ax;
																	__eax = E0106ABEC();
																	__eflags = __al;
																	if(__al == 0) {
																		__eax = 0;
																		_v64 = __ax;
																		L173:
																		__eax = _v84 & 0x0000ffff;
																		goto L102;
																	}
																	 *[fs:0x18] =  *( *[fs:0x18] + 0xfc0);
																	__eax =  *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff;
																	__eflags = _v184 - __eax;
																	if(_v184 >= __eax) {
																		__eax = 0;
																		__eflags = 0;
																		_v64 = __ax;
																		L172:
																		__ebx = _a8;
																		goto L173;
																	}
																	__edx =  *[fs:0x18];
																	 &_v165 =  &_v64;
																	__esi = _v184;
																	__edx =  *( *[fs:0x18] + 0xfc0);
																	__eax = E0106AAC7(__ecx, __edx, __esi,  &_v64,  &_v165);
																	__eax = _v64 & 0x0000ffff;
																	_v68 = __eax;
																	__eflags = __ax;
																	if(__ax == 0) {
																		goto L172;
																	}
																	__esi = __esi + 1;
																	_v184 = __esi;
																	_v112 = _v112 - 1;
																	__ebx = _a8;
																	goto L104;
																case 7:
																	__eax = __ebx;
																	__eax =  !__ebx;
																	__eflags = __eax & 0x00080000;
																	if((__eax & 0x00080000) == 0) {
																		L101:
																		_t454 = _v84;
																		goto L102;
																	}
																	__ecx = _v96;
																	__eax = E010660F7(__ecx, 0, 1);
																	__eflags = __eax;
																	if(__eax == 0) {
																		goto L101;
																	} else {
																		__eflags =  *__eax - 0xfecdfecd;
																		if( *__eax != 0xfecdfecd) {
																			goto L101;
																		}
																		__ecx =  *(__eax + 0x7c);
																		__eflags = __ecx;
																		if(__ecx == 0) {
																			goto L101;
																		}
																		 &_v244 = E0109BB40(__ecx,  &_v244,  &_v244);
																		 &_v216 =  &_v244;
																		__eax = L010643C0( &_v244,  &_v216);
																		__eflags = __al;
																		if(__al == 0) {
																			goto L101;
																		}
																		__ax = _v216;
																		goto L102;
																	}
																	goto L176;
																case 8:
																	L176:
																	__ax = _v84;
																	_v68 = __eax;
																	_v64 = _v84;
																	__eax = __ebx;
																	__eax =  !__ebx;
																	__eflags = __eax & 0x00080000;
																	if((__eax & 0x00080000) != 0) {
																		__ebx = __ebx | 0x00000020;
																		_a8 = __ebx;
																		goto L104;
																	}
																	__eflags =  *[fs:0x18];
																	if( *[fs:0x18] == 0) {
																		__ax = _v64;
																		__ebx = _a8;
																	} else {
																		__eax =  *[fs:0x18];
																		__ax =  *((intOrPtr*)(__eax + 0xc4));
																		_v64 =  *((intOrPtr*)(__eax + 0xc4));
																		__ebx = _a8;
																	}
																	goto L103;
																case 9:
																	_v68 = __esi;
																	_v64 = _v84;
																	__eax =  &_v180;
																	_push( &_v180);
																	_push(1);
																	__eax = E01099630();
																	_v76 = __eax;
																	__eflags = __eax;
																	if(__eax < 0) {
																		goto L104;
																	}
																	__ax = _v180;
																	goto L102;
																case 0xa:
																	__ax = _v84;
																	_v68 = __eax;
																	_v64 = _v84;
																	__eax =  &_v220;
																	_push( &_v220);
																	_push(0);
																	__eax = E01099630();
																	_v76 = __eax;
																	__eflags = __eax;
																	if(__eax < 0) {
																		goto L104;
																	}
																	__eax = _v220;
																	__eflags = __eax - _v180;
																	if(__eax == _v180) {
																		goto L104;
																	}
																	goto L102;
																case 0xb:
																	__eax = 0x409;
																	L102:
																	_v64 = _t454;
																	L103:
																	_v68 = _t454;
																	L104:
																	_t573 = _v68;
																	goto L105;
																case 0xc:
																	__ebx = __ebx | 0x00000020;
																	_a8 = __ebx;
																	L105:
																	_t456 =  !_t550;
																	__eflags = _t456 & 0x00000020;
																	if((_t456 & 0x00000020) == 0) {
																		L107:
																		_v84 = _v68 & 0x0000ffff;
																		_t594 =  &_v84;
																		_v100 = _t594;
																		_v164 = _t594;
																		_t621 = _v148;
																		_v176 = _t621;
																		goto L53;
																	}
																	__eflags = (_t573 & 0x0000ffff) - _v84;
																	if((_t573 & 0x0000ffff) == _v84) {
																		goto L97;
																	}
																	goto L107;
															}
														}
														L145:
														_v8 = 0xfffffffe;
														_t431 = 0xc0000204;
														goto L92;
													}
													__eflags = _t439;
													if(_t439 != 0) {
														goto L115;
													}
													 *_v128 = _t636;
													_t500 =  *[fs:0x18];
													__eflags =  *(_t500 + 0xfe0);
													if( *(_t500 + 0xfe0) == 0) {
														_v100 =  *[fs:0x18];
														 *((intOrPtr*)(_v100 + 0xfe0)) = E01074620(_t566,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc);
													}
													_t504 =  *[fs:0x18];
													__eflags =  *(_t504 + 0xfe0);
													if( *(_t504 + 0xfe0) != 0) {
														_t594 = _v96;
														 *( *( *[fs:0x18] + 0xfe0)) = _t594;
														( *( *[fs:0x18] + 0xfe0))[1] = _v156;
														( *( *[fs:0x18] + 0xfe0))[2] = _t594;
													}
													_t637 = 0;
													__eflags = 0;
													goto L90;
												}
												L57:
												_v228 = _t638;
												_v152 = _t566;
												_t621 = 0;
												_v172 = 0;
												_v80 = 0;
												_v204 = 0;
												_t598 = (_t566 & 0x0000ffff) - 1;
												__eflags = _t598;
												_t599 = _t638 + _t598 * 8;
												_v200 = _t599;
												_v132 = _t566;
												while(1) {
													__eflags = _t638 - _t599;
													if(_t638 > _t599) {
														break;
													}
													_t601 = _v132;
													_t552 = _t566 >> 0x00000001 & 0x0000ffff;
													__eflags = _t552;
													if(_t552 == 0) {
														__eflags = _t566;
														if(_t566 == 0) {
															break;
														}
														_t474 =  *_t638;
														__eflags = _v140 - _t621;
														if(_v140 != _t621) {
															__eflags = _t474;
															if(_t474 >= 0) {
																break;
															}
															_t555 = (_t474 & 0x7fffffff) + _v116;
															_t477 = E010A12B0(_v92,  &(_t555[1]),  *_t555 & 0x0000ffff);
															_t643 = _t643 + 0xc;
															_t566 = _t477;
															__eflags = _t566;
															if(_t566 != 0) {
																break;
															}
															_t602 = _v92;
															_v192 = _t602 + 2;
															do {
																_t479 =  *_t602;
																_t602 = _t602 + 2;
																__eflags = _t479;
															} while (_t479 != 0);
															__eflags = _t602 - _v192 >> 1 - ( *_t555 & 0x0000ffff);
															if(_t602 - _v192 >> 1 == ( *_t555 & 0x0000ffff)) {
																L77:
																__eflags = _t566;
																if(_t566 != 0) {
																	break;
																}
																_t566 = _t638[1];
																__eflags = _t566;
																if(_t566 >= 0) {
																	L111:
																	_t636 = _v116 + _t566;
																	_v204 = _t636;
																	L81:
																	_v176 = _t621;
																	_v156 = _t636;
																	_t594 = _v100 + 4;
																	_v100 = _t594;
																	_v164 = _t594;
																	goto L49;
																}
																L79:
																_t621 = (_t566 & 0x7fffffff) + _v116;
																__eflags = _t621;
																_v172 = _t621;
																break;
															}
															break;
														}
														__eflags = _t474;
														if(_t474 < 0) {
															break;
														}
														_t566 = _v92 - _t474;
														__eflags = _t566;
														goto L77;
													}
													_v105 = _v152 & 0x00000001;
													_t582 = _t552;
													_v192 = _t582;
													_t483 = _t638 + _t582 * 8;
													_v120 = _t483;
													__eflags = _t601 & 0x00000001;
													if((_t601 & 0x00000001) == 0) {
														_t483 =  &(_t483[0xfffffffffffffffe]);
														_v120 = _t483;
													}
													_t605 =  *_t483;
													__eflags = _v140 - _t621;
													if(_v140 != _t621) {
														__eflags = _t605;
														if(_t605 >= 0) {
															goto L67;
														}
														_t607 = (_t605 & 0x7fffffff) + _v116;
														_v144 = (_t605 & 0x7fffffff) + _v116;
														_t490 = E010A12B0(_v92,  &(((_t605 & 0x7fffffff) + _v116)[1]),  *_t607 & 0x0000ffff);
														_t643 = _t643 + 0xc;
														_t584 = _t490;
														__eflags = _t584;
														if(_t584 != 0) {
															L163:
															_t483 = _v120;
															goto L64;
														}
														_t608 = _v92;
														_v188 = _t608 + 2;
														do {
															_t492 =  *_t608;
															_t608 = _t608 + 2;
															__eflags = _t492;
														} while (_t492 != 0);
														__eflags = _t608 - _v188 >> 1 - ( *_v144 & 0x0000ffff);
														if(_t608 - _v188 >> 1 != ( *_v144 & 0x0000ffff)) {
															_t483 = _v120;
															goto L72;
														}
														goto L163;
													} else {
														__eflags = _t605;
														if(_t605 < 0) {
															L72:
															_t638 =  &(_t483[2]);
															_v228 = _t638;
															_t486 = _t552;
															_v152 = _t486;
															_t599 = _v200;
															L70:
															_t487 = _t486 & 0x0000ffff;
															_v132 = _t487;
															_t566 = _t487;
															continue;
														}
														_t584 = _v92 - _t605;
														__eflags = _t584;
														L64:
														__eflags = _t584;
														if(__eflags == 0) {
															_t566 = _t483[1];
															__eflags = _t566;
															if(_t566 < 0) {
																goto L79;
															}
															_t621 = 0;
															__eflags = 0;
															_v172 = 0;
															goto L111;
														}
														if(__eflags >= 0) {
															goto L72;
														}
														_t582 = _v192;
														L67:
														_t599 = _t483 - 8;
														_v200 = _t599;
														__eflags = _v105;
														if(_v105 == 0) {
															_t583 = _t582 - 1;
															_v152 = _t583 & 0x0000ffff;
															_t485 = _t583 & 0x0000ffff;
														} else {
															_t485 = _t552;
															_v152 = _t485;
														}
														_t486 = _t485 & 0x0000ffff;
														goto L70;
													}
												}
												_t636 = _v80;
												goto L81;
											}
										}
										L112:
										_t550 = _a8;
										goto L84;
									}
								}
								_t566 = _t635;
								_t594 = L01052F47(_t566, _t549, 2,  &_v188, _t566,  &_v92);
								_t621 = _v92;
								goto L46;
							}
							__eflags =  *((intOrPtr*)(_t566 + 0x74)) - 2;
							if( *((intOrPtr*)(_t566 + 0x74)) <= 2) {
								goto L207;
							}
							_t626 =  *(_t566 + 0x88);
							_v132 = _t626;
							__eflags = _t626;
							if(_t626 == 0) {
								goto L207;
							}
							_v188 =  *((intOrPtr*)(_t566 + 0x8c));
							__eflags = _t549;
							if(_t549 != 0) {
								L133:
								_t621 = _t626 + _t635;
								__eflags = _t621;
								goto L134;
							}
							__eflags = _t626 -  *((intOrPtr*)(_t566 + 0x54));
							if(_t626 <  *((intOrPtr*)(_t566 + 0x54))) {
								goto L133;
							}
							_t82 = _v120 + 0x18; // 0x18
							_t594 = _t82 + ( *(_t566 + 0x14) & 0x0000ffff);
							_t518 =  *(_v120 + 6) & 0x0000ffff;
							_v144 = _t518;
							_t566 = 0;
							__eflags = 0;
							while(1) {
								_v236 = _t566;
								_v212 = _t594;
								__eflags = _t566 - _t518;
								if(_t566 >= _t518) {
									break;
								}
								_t556 =  *((intOrPtr*)(_t594 + 0xc));
								__eflags = _t626 - _t556;
								if(_t626 < _t556) {
									L114:
									_t594 = _t594 + 0x28;
									_t566 = _t566 + 1;
									continue;
								}
								__eflags = _t626 -  *((intOrPtr*)(_t594 + 0x10)) + _t556;
								if(_t626 >=  *((intOrPtr*)(_t594 + 0x10)) + _t556) {
									_t518 = _v144;
									goto L114;
								}
								__eflags = _t594;
								if(_t594 == 0) {
									break;
								}
								_t621 =  *((intOrPtr*)(_t594 + 0x14)) - _t556 + _v132 + _t635;
								__eflags = _t621;
								L44:
								_v92 = _t621;
								_v100 = _v164;
								__eflags = _t621;
								if(_t621 == 0) {
									goto L207;
								}
								_t594 = 0;
								__eflags = 0;
								goto L46;
							}
							_t621 = 0;
							goto L44;
						}
					}
					_t21 = _t560 - 1; // 0x2
					if(_t21 > 2) {
						goto L30;
					}
					if(_t560 != 3) {
						_t630 = 0;
					} else {
						_t22 =  &(_t633[2]); // 0x64004c
						_t630 =  *_t22 & 0x0000ffff;
					}
					_v88 = _t630;
					_t527 =  *_t633;
					if(_t527 == 0x10 || _t527 == 0x18) {
						goto L199;
					} else {
						if((_t527 & 0xffff0000) != 0) {
							_t544 = E0109E490(_t527, L"MUI");
							_t643 = _t643 + 8;
							__eflags = _t544;
							if(_t544 != 0) {
								goto L11;
							}
							_t594 = _a8;
							goto L199;
						}
						goto L11;
					}
				}
				if(_t560 == 4) {
					goto L147;
				}
				goto L4;
			}

0x0106c1c5
0x0106c1c7
0x0106c1cc
0x0106c1d7
0x0106c1d8
0x0106c1de
0x0106c1e3
0x0106c1e6
0x0106c1e8
0x0106c1ee
0x0106c1f2
0x0106c1f8
0x0106c1fb
0x0106c1fd
0x0106c200
0x0106c203
0x0106c20c
0x0106c20f
0x0106c215
0x0106c219
0x0106c223
0x0106c226
0x0106c22c
0x0106ce8b
0x0106ce8e
0x00000000
0x00000000
0x010bae13
0x010bae13
0x0106c762
0x0106c765
0x0106c76d
0x0106c76e
0x0106c76f
0x0106c77d
0x0106c77d
0x0106c232
0x0106c235
0x00000000
0x00000000
0x0106c23d
0x0106c240
0x0106ca53
0x0106ca56
0x00000000
0x00000000
0x0106ca5c
0x0106ca5c
0x0106ca5e
0x00000000
0x00000000
0x0106ca64
0x0106ca67
0x0106ca6d
0x0106ca6d
0x0106c24f
0x0106c24f
0x0106c252
0x0106c258
0x0106c261
0x0106c266
0x0106c39f
0x0106c39f
0x0106c3a1
0x0106c3a4
0x0106c3a7
0x0106c3a9
0x0106c3af
0x0106c3b6
0x0106c3b8
0x0106c3bb
0x0106c3be
0x0106c3c6
0x0106c3ca
0x0106c3cc
0x0106c3cf
0x0106c3cf
0x0106c3d2
0x0106c3d2
0x0106c3e8
0x0106c3ea
0x0106c3ed
0x0106c3ef
0x0106c4ae
0x0106c4ae
0x0106c4b0
0x00000000
0x00000000
0x00000000
0x0106c3f5
0x0106c3f5
0x0106c3f9
0x0106c3fe
0x0106c401
0x0106ca77
0x0106ca7c
0x0106ca7f
0x0106ce62
0x0106ce62
0x0106c9d3
0x0106c9d3
0x0106c4b6
0x0106c4b6
0x0106c4b9
0x0106c4bb
0x0106ce69
0x0106ce70
0x00000000
0x0106ce70
0x0106c4c1
0x0106c4c7
0x0106c4ce
0x0106c4d5
0x0106c4d7
0x0106c4dd
0x0106c4e3
0x0106c4e5
0x0106c4e8
0x0106c4ec
0x0106c4f0
0x0106c4f6
0x0106c500
0x0106c500
0x0106c500
0x0106c502
0x00000000
0x00000000
0x0106c508
0x0106c510
0x0106c511
0x0106c517
0x0106c519
0x00000000
0x00000000
0x0106c51f
0x0106c521
0x0106c780
0x0106c784
0x0106c78a
0x0106c78a
0x0106c784
0x0106c527
0x0106c52e
0x0106c79b
0x0106c79f
0x0106c7a8
0x0106c7ab
0x0106c7ab
0x0106c7ab
0x0106c7af
0x00000000
0x0106c534
0x0106c534
0x0106c534
0x0106c538
0x0106c538
0x0106c53b
0x0106c541
0x0106c543
0x0106c546
0x0106c546
0x0106c54b
0x0106c551
0x0106c556
0x0106c559
0x0106c55f
0x0106c55f
0x0106c563
0x0106c566
0x0106cdc9
0x0106cdce
0x0106cdd4
0x0106cdd7
0x010baf3f
0x010baf3f
0x010baf42
0x010baf5d
0x0106cde2
0x0106cde2
0x0106cde5
0x0106cdea
0x0106cdec
0x0106cdf3
0x0106cdf7
0x0106cdfa
0x0106cdfc
0x0106cdff
0x0106ce02
0x0106ce04
0x00000000
0x00000000
0x010baf67
0x010baf6a
0x00000000
0x010baf70
0x010baf70
0x010baf78
0x010baf7e
0x010baf84
0x010baf87
0x010baf8b
0x00000000
0x00000000
0x00000000
0x010baf8b
0x0106ce0f
0x0106ce0f
0x0106ce12
0x0106c2a8
0x0106c2a8
0x0106c2af
0x0106c2b9
0x0106c2c6
0x0106c2d0
0x0106c2d2
0x0106c2d8
0x0106cc01
0x0106cc01
0x0106cc06
0x0106c31f
0x0106c322
0x0106c324
0x0106c32d
0x00000000
0x00000000
0x0106c32f
0x0106c334
0x0106c33d
0x0106c341
0x0106c344
0x0106c34a
0x010bae74
0x0106c350
0x0106c350
0x0106c350
0x0106c350
0x0106c353
0x0106c359
0x010bae7b
0x0106c35f
0x0106c35f
0x0106c35f
0x0106c35f
0x0106c362
0x0106c369
0x0106cc0e
0x0106cc11
0x0106cc11
0x0106c377
0x0106c381
0x0106c381
0x0106c384
0x00000000
0x0106c384
0x0106c2e0
0x0106cb6d
0x0106cb74
0x0106cb7b
0x0106cb90
0x0106cb92
0x0106cb97
0x0106cb9d
0x0106cb9f
0x0106cd93
0x0106cd93
0x0106cd95
0x0106cd98
0x0106cbe6
0x0106cbe6
0x0106cbe8
0x0106cbe9
0x0106cbeb
0x0106cbed
0x0106cbee
0x0106cbf4
0x0106cbf9
0x0106cbfb
0x00000000
0x00000000
0x00000000
0x0106cbfb
0x0106cbb6
0x0106cbb8
0x0106cbbd
0x0106cbc3
0x0106cbc5
0x00000000
0x00000000
0x0106cbcb
0x0106cbce
0x0106cbd4
0x010bae4d
0x010bae52
0x00000000
0x010bae52
0x0106cbda
0x0106cbe4
0x00000000
0x0106cbe4
0x0106c2e6
0x0106c2e9
0x0106c2ed
0x0106c2ee
0x0106c2f0
0x0106c2f8
0x010bae5d
0x0106c319
0x0106c319
0x0106c31c
0x0106c31c
0x00000000
0x0106c31c
0x0106c2fe
0x0106c308
0x010bae67
0x010bae6c
0x010bae6c
0x0106c312
0x00000000
0x0106c314
0x0106c314
0x00000000
0x0106c314
0x0106c312
0x0106c390
0x0106c393
0x010bae31
0x010bae34
0x00000000
0x00000000
0x010bae3f
0x010bae42
0x00000000
0x00000000
0x00000000
0x0106c399
0x0106c399
0x0106c399
0x0106c399
0x0106c39c
0x00000000
0x0106c39c
0x0106c393
0x010baf44
0x010baf47
0x010baf53
0x010baf49
0x010baf49
0x010baf49
0x00000000
0x010baf47
0x0106cddd
0x00000000
0x0106c56c
0x0106c56c
0x0106c573
0x0106c6be
0x0106c6c1
0x0106c6c4
0x00000000
0x00000000
0x0106c6ca
0x0106c6cc
0x0106c6d4
0x0106c6da
0x0106c6da
0x0106c6dd
0x0106c6e3
0x0106c6e5
0x0106c6e8
0x0106c6ea
0x0106c873
0x0106c873
0x0106c875
0x0106ce99
0x0106ce9b
0x00000000
0x00000000
0x0106cea4
0x0106cea6
0x0106c756
0x0106c756
0x0106c759
0x0106c759
0x0106c760
0x00000000
0x0106c760
0x0106c87b
0x0106c87b
0x0106c880
0x0106c886
0x0106c889
0x0106cd00
0x0106cd00
0x0106cd03
0x0106ce31
0x0106ce31
0x0106ce34
0x010bae89
0x010bae8e
0x010bae91
0x010bae91
0x010bae97
0x0106cd11
0x0106cd13
0x0106cd15
0x0106cd1c
0x0106cd20
0x0106cd23
0x0106cd25
0x0106cd28
0x0106cd2b
0x0106cd2d
0x00000000
0x00000000
0x0106cd33
0x0106cd36
0x00000000
0x00000000
0x0106cd3c
0x0106cd44
0x0106cd4a
0x0106cd50
0x0106cd53
0x0106cd57
0x010baf91
0x010baf94
0x010baf94
0x0106cd5d
0x0106cd64
0x0106cd67
0x0106cd71
0x0106cd73
0x0106cd76
0x0106cd78
0x0106cd85
0x0106cd89
0x0106cd89
0x00000000
0x0106cd78
0x010bae9d
0x010baea3
0x00000000
0x00000000
0x00000000
0x010baea9
0x0106ce3a
0x0106ce3f
0x00000000
0x0106ce3f
0x0106cd09
0x0106cd0e
0x00000000
0x0106cd0e
0x0106c88f
0x0106c894
0x0106c897
0x0106c89e
0x00000000
0x00000000
0x0106c8a4
0x0106c7b2
0x0106c7b5
0x0106c7b5
0x0106c7b5
0x0106c7b8
0x0106c7bb
0x0106c7be
0x00000000
0x00000000
0x0106c7c4
0x00000000
0x0106c7cd
0x0106c7d1
0x00000000
0x00000000
0x0106c7d7
0x0106c7dd
0x0106ce28
0x00000000
0x0106ce28
0x00000000
0x00000000
0x0106c8ba
0x0106c8bc
0x0106c8be
0x0106c8c2
0x0106c8c5
0x0106c8c9
0x0106c8cc
0x0106c8ce
0x0106c8d1
0x0106c8d4
0x0106c8d6
0x00000000
0x00000000
0x0106c8dc
0x0106c8e2
0x0106c8e4
0x0106c8e7
0x0106c8ea
0x0106c8ed
0x010baeae
0x0106c8f3
0x0106c8f3
0x0106c8f3
0x0106c8f6
0x0106c8f9
0x0106c8fc
0x010baeb5
0x0106c902
0x0106c902
0x0106c902
0x0106c905
0x0106c908
0x0106c90c
0x0106ce1d
0x0106ce20
0x0106ce20
0x0106c919
0x0106c91c
0x0106c91f
0x0106c921
0x0106c926
0x0106c928
0x0106c92b
0x0106c92d
0x00000000
0x0106c933
0x0106c936
0x0106c93a
0x0106c93c
0x0106c93e
0x00000000
0x0106c93e
0x00000000
0x0106c9db
0x0106c9df
0x00000000
0x00000000
0x0106c9e5
0x00000000
0x00000000
0x0106c9ee
0x0106c9f1
0x00000000
0x00000000
0x0106c9f3
0x0106c9f7
0x00000000
0x00000000
0x0106c9fd
0x0106ca00
0x0106ca05
0x0106ca07
0x0106c8b3
0x0106c8b3
0x00000000
0x0106c8b3
0x0106ca0d
0x0106ca11
0x0106ca14
0x0106ca17
0x0106ca1d
0x0106ca1d
0x00000000
0x00000000
0x0106ca25
0x0106ca29
0x0106ce7a
0x0106ce7e
0x0106ce83
0x0106ca2f
0x0106ca2f
0x0106ca2f
0x00000000
0x00000000
0x0106ca38
0x0106ca3c
0x00000000
0x00000000
0x00000000
0x00000000
0x0106c948
0x0106c94c
0x0106c94f
0x0106c953
0x0106c956
0x00000000
0x00000000
0x0106c95c
0x0106c95e
0x0106c962
0x0106c967
0x0106c969
0x010baebc
0x010baebe
0x0106cc22
0x0106cc22
0x00000000
0x0106cc22
0x0106c975
0x0106c97b
0x0106c97f
0x0106c985
0x0106cc19
0x0106cc19
0x0106cc1b
0x0106cc1f
0x0106cc1f
0x00000000
0x0106cc1f
0x0106c98b
0x0106c999
0x0106c99d
0x0106c9a4
0x0106c9aa
0x0106c9af
0x0106c9b3
0x0106c9b6
0x0106c9b9
0x00000000
0x00000000
0x0106c9bf
0x0106c9c0
0x0106c9c6
0x0106c9c9
0x00000000
0x00000000
0x0106cc2b
0x0106cc2d
0x0106cc2f
0x0106cc34
0x0106c7e3
0x0106c7e3
0x00000000
0x0106c7e3
0x010baecb
0x010baece
0x010baed3
0x010baed5
0x00000000
0x010baedb
0x010baedb
0x010baee1
0x00000000
0x00000000
0x010baee7
0x010baeea
0x010baeec
0x00000000
0x00000000
0x010baefc
0x010baf08
0x010baf0f
0x010baf14
0x010baf16
0x00000000
0x00000000
0x010baf1c
0x00000000
0x010baf1c
0x00000000
0x00000000
0x0106cc3f
0x0106cc3f
0x0106cc43
0x0106cc46
0x0106cc4a
0x0106cc4c
0x0106cc4e
0x0106cc53
0x010baf28
0x010baf2b
0x00000000
0x010baf2b
0x0106cc59
0x0106cc61
0x010baf33
0x010baf37
0x0106cc67
0x0106cc67
0x0106cc6d
0x0106cc74
0x0106cc78
0x0106cc78
0x00000000
0x00000000
0x0106cc84
0x0106cc87
0x0106cc8b
0x0106cc91
0x0106cc92
0x0106cc94
0x0106cc99
0x0106cc9c
0x0106cc9e
0x00000000
0x00000000
0x0106cca4
0x00000000
0x00000000
0x0106ccb0
0x0106ccb4
0x0106ccb7
0x0106ccbb
0x0106ccc1
0x0106ccc2
0x0106ccc4
0x0106ccc9
0x0106cccc
0x0106ccce
0x00000000
0x00000000
0x0106ccd4
0x0106ccda
0x0106cce0
0x00000000
0x00000000
0x00000000
0x00000000
0x0106cceb
0x0106c7e7
0x0106c7e7
0x0106c7eb
0x0106c7eb
0x0106c7ee
0x0106c7ee
0x00000000
0x00000000
0x0106ccf5
0x0106ccf8
0x0106c7f1
0x0106c7f3
0x0106c7f5
0x0106c7f7
0x0106c801
0x0106c807
0x0106c80a
0x0106c80d
0x0106c810
0x0106c816
0x0106c81c
0x00000000
0x0106c81c
0x0106c7fc
0x0106c7ff
0x00000000
0x00000000
0x00000000
0x00000000
0x0106c7c4
0x0106ca42
0x0106ca42
0x0106ca49
0x00000000
0x0106ca49
0x0106c6f0
0x0106c6f2
0x00000000
0x00000000
0x0106c6fb
0x0106c6fd
0x0106c703
0x0106c70a
0x0106cda6
0x0106cdbe
0x0106cdbe
0x0106c710
0x0106c716
0x0106c71d
0x0106c72b
0x0106c72e
0x0106c742
0x0106c751
0x0106c751
0x0106c754
0x0106c754
0x00000000
0x0106c754
0x0106c579
0x0106c579
0x0106c57f
0x0106c586
0x0106c588
0x0106c590
0x0106c593
0x0106c59c
0x0106c59c
0x0106c59d
0x0106c5a0
0x0106c5a6
0x0106c5b0
0x0106c5b0
0x0106c5b2
0x00000000
0x00000000
0x0106c5b8
0x0106c5c1
0x0106c5c4
0x0106c5c7
0x0106c65f
0x0106c662
0x00000000
0x00000000
0x0106c664
0x0106c666
0x0106c66c
0x0106caa6
0x0106caa8
0x00000000
0x00000000
0x0106cab6
0x0106cac4
0x0106cac9
0x0106cacc
0x0106cace
0x0106cad0
0x00000000
0x00000000
0x0106cad6
0x0106cadc
0x0106cae2
0x0106cae2
0x0106cae5
0x0106cae8
0x0106cae8
0x0106caf8
0x0106cafa
0x0106c67b
0x0106c67b
0x0106c67d
0x00000000
0x00000000
0x0106c67f
0x0106c682
0x0106c684
0x0106c84c
0x0106c84f
0x0106c851
0x0106c69e
0x0106c69e
0x0106c6a4
0x0106c6ad
0x0106c6b0
0x0106c6b3
0x00000000
0x0106c6b3
0x0106c68a
0x0106c692
0x0106c692
0x0106c695
0x00000000
0x0106c695
0x00000000
0x0106cb00
0x0106c672
0x0106c674
0x00000000
0x00000000
0x0106c679
0x0106c679
0x00000000
0x0106c679
0x0106c5d5
0x0106c5d8
0x0106c5da
0x0106c5e0
0x0106c5e3
0x0106c5e6
0x0106c5e9
0x0106c63e
0x0106c641
0x0106c641
0x0106c5eb
0x0106c5ed
0x0106c5f3
0x0106cb05
0x0106cb07
0x00000000
0x00000000
0x0106cb13
0x0106cb16
0x0106cb27
0x0106cb2c
0x0106cb2f
0x0106cb31
0x0106cb33
0x0106cb65
0x0106cb65
0x00000000
0x0106cb65
0x0106cb35
0x0106cb3b
0x0106cb41
0x0106cb41
0x0106cb44
0x0106cb47
0x0106cb47
0x0106cb5d
0x0106cb5f
0x010baf9c
0x00000000
0x010baf9c
0x00000000
0x0106c5f9
0x0106c5f9
0x0106c5fb
0x0106c646
0x0106c646
0x0106c649
0x0106c64f
0x0106c651
0x0106c657
0x0106c630
0x0106c630
0x0106c633
0x0106c636
0x00000000
0x0106c636
0x0106c600
0x0106c600
0x0106c602
0x0106c602
0x0106c604
0x0106c839
0x0106c83c
0x0106c83e
0x00000000
0x00000000
0x0106c844
0x0106c844
0x0106c846
0x00000000
0x0106c846
0x0106c60a
0x00000000
0x00000000
0x0106c60c
0x0106c612
0x0106c612
0x0106c615
0x0106c61b
0x0106c61f
0x0106c827
0x0106c82b
0x0106c831
0x0106c625
0x0106c625
0x0106c627
0x0106c627
0x0106c62d
0x00000000
0x0106c62d
0x0106c5f3
0x0106c69b
0x00000000
0x0106c69b
0x0106c566
0x0106c85c
0x0106c85c
0x00000000
0x0106c85c
0x0106c500
0x0106ca95
0x0106ca9c
0x0106ca9e
0x00000000
0x0106ca9e
0x0106c407
0x0106c40b
0x00000000
0x00000000
0x0106c411
0x0106c417
0x0106c41a
0x0106c41c
0x00000000
0x00000000
0x0106c428
0x0106c42e
0x0106c430
0x0106c9d1
0x0106c9d1
0x0106c9d1
0x00000000
0x0106c9d1
0x0106c436
0x0106c439
0x00000000
0x00000000
0x0106c449
0x0106c44c
0x0106c44e
0x0106c452
0x0106c458
0x0106c458
0x0106c45a
0x0106c45a
0x0106c460
0x0106c466
0x0106c468
0x00000000
0x00000000
0x0106c46e
0x0106c471
0x0106c473
0x0106c86a
0x0106c86a
0x0106c86d
0x00000000
0x0106c86d
0x0106c47e
0x0106c480
0x0106c864
0x00000000
0x0106c864
0x0106c486
0x0106c488
0x00000000
0x00000000
0x0106c496
0x0106c496
0x0106c498
0x0106c498
0x0106c4a1
0x0106c4a4
0x0106c4a6
0x00000000
0x00000000
0x0106c4ac
0x0106c4ac
0x00000000
0x0106c4ac
0x010bae82
0x00000000
0x010bae82
0x0106c3ef
0x0106c26c
0x0106c272
0x00000000
0x00000000
0x0106c27b
0x010bae1d
0x0106c281
0x0106c281
0x0106c281
0x0106c281
0x0106c285
0x0106c289
0x0106c28e
0x00000000
0x0106c29d
0x0106c2a2
0x0106ce4d
0x0106ce52
0x0106ce55
0x0106ce57
0x00000000
0x00000000
0x010bae24
0x00000000
0x010bae24
0x00000000
0x0106c2a2
0x0106c28e
0x0106c249
0x00000000
0x00000000
0x00000000

Strings

MUI, xrefs: 0106C2EE, 0106CB6D, 0106CE47

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 8b6524c785bf5b9a12fd36c110fbbb1c029fac52347fab69813532c66f114b8e
Instruction ID: a7248bea9a6de0bb17efaa1576db2d0b70e9c8bde9a5019c141be2fed1d3433f
Opcode Fuzzy Hash: 8b6524c785bf5b9a12fd36c110fbbb1c029fac52347fab69813532c66f114b8e
Instruction Fuzzy Hash: 20727E75E00219CFEB65CF68C9807EDBBF9BF48314F1481AAE8D9AB241D7349985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010FEB8A Relevance: 1.8, Strings: 1, Instructions: 599
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E010FEB8A(signed int __ecx, signed int __edx, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t258;
				signed int _t260;
				signed int _t261;
				signed char _t262;
				signed int _t263;
				char* _t264;
				signed int _t265;
				intOrPtr _t267;
				signed int _t271;
				signed char _t272;
				signed short _t273;
				signed int _t277;
				signed char _t281;
				signed short _t283;
				signed short _t288;
				signed char _t289;
				signed short _t290;
				signed short _t292;
				signed short _t294;
				signed char _t295;
				intOrPtr _t296;
				signed int _t297;
				signed char _t298;
				unsigned int _t302;
				intOrPtr* _t303;
				signed int _t304;
				unsigned int _t306;
				signed short _t307;
				signed short _t308;
				signed int _t311;
				signed short _t314;
				signed short _t326;
				signed char _t329;
				signed short _t330;
				signed int _t332;
				void* _t333;
				signed short _t337;
				signed int _t339;
				void* _t340;
				signed short _t344;
				signed int _t347;
				signed int _t349;
				signed int _t351;
				signed int _t359;
				signed short _t362;
				signed int _t369;
				signed int _t376;
				signed short _t377;
				signed short* _t378;
				signed short _t381;
				signed char _t383;
				signed short _t384;
				signed short _t385;
				signed int _t390;
				signed int _t393;
				void* _t400;
				signed short _t406;
				signed int _t407;
				signed short _t408;
				signed short _t409;
				signed short _t410;
				signed short _t411;
				intOrPtr _t415;
				signed int _t416;
				signed char _t417;
				signed int _t418;
				unsigned int _t423;
				unsigned int _t431;
				signed int _t437;
				signed int _t442;
				intOrPtr _t443;
				void* _t449;
				intOrPtr _t451;
				signed short _t453;
				signed int _t455;

				_t258 =  *0x114d360 ^ _t455;
				_v8 = _t258;
				_t452 = __ecx;
				_t395 = __edx;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					__eflags =  *(__ecx + 0x40) & 0x61000000;
					asm("bt dword [edi+0x40], 0x1c");
					__eflags = (_t258 & 0xffffff00 | ( *(__ecx + 0x40) & 0x61000000) >= 0x00000000) & (__ecx & 0xffffff00 | __eflags != 0x00000000);
					if(__eflags == 0) {
						L5:
						_v12 = _v12 & 0x00000000;
						_t260 =  *_t395;
						_push(2);
						__eflags = _t260;
						if(_t260 != 0) {
							_t399 =  *(_t395 + 0xa) & 0x0000ffff;
							__eflags = _t399 & 0x00001002;
							if((_t399 & 0x00001002) == 0) {
								goto L25;
							}
							_t441 = _t399 & 0x00000002;
							__eflags = _t441;
							if(_t441 == 0) {
								L14:
								__eflags = _a4;
								if(_a4 == 0) {
									L17:
									_t453 =  *(_t395 + 4) + _t260;
									__eflags = _t399 & 0x00001000;
									if((_t399 & 0x00001000) != 0) {
										_t441 = _t260 - 0x18;
										_t399 = _t452;
										_t260 = E010FD42F(_t452, _t260 - 0x18);
									}
									__eflags = _a4;
									if(_a4 == 0) {
										L21:
										_t451 =  *((intOrPtr*)(_t260 + 0x10));
										_t399 = 2;
										__eflags = _t451 - _t452 + 0xa4;
										if(_t451 == _t452 + 0xa4) {
											__eflags =  *((intOrPtr*)(_t452 + 0xda)) - _t399;
											if( *((intOrPtr*)(_t452 + 0xda)) != _t399) {
												goto L62;
											}
											_t441 =  *(_t452 + 0xd4);
											goto L63;
										}
										_t441 = _t451 + 0xfffffff0;
										goto L63;
									} else {
										__eflags = _t453 -  *((intOrPtr*)(_t260 + 0x28));
										if(_t453 <  *((intOrPtr*)(_t260 + 0x28))) {
											goto L82;
										}
										goto L21;
									}
								}
								__eflags = _t441;
								if(_t441 == 0) {
									goto L17;
								}
								_t453 =  *(_t260 + 0x24);
								goto L82;
							} else {
								__eflags =  *((char*)(_t452 + 0xda)) - 2;
								if( *((char*)(_t452 + 0xda)) != 2) {
									_t437 = 0;
									__eflags = 0;
								} else {
									_t437 =  *(_t452 + 0xd4);
								}
								__eflags = _t260 - _t437;
								if(_t260 == _t437) {
									goto L61;
								} else {
									_t399 =  *(_t395 + 0xa) & 0x0000ffff;
									goto L14;
								}
							}
						} else {
							_t441 = _t452;
							L63:
							_t453 = 0;
							__eflags = _t441;
							if(_t441 != 0) {
								__eflags =  *((intOrPtr*)(_t452 + 0xda)) - _t399;
								if( *((intOrPtr*)(_t452 + 0xda)) != _t399) {
									_t359 = 0;
									__eflags = 0;
								} else {
									_t359 =  *(_t452 + 0xd4);
								}
								__eflags = _t441 - _t359;
								if(_t441 == _t359) {
									_t441 = _t395;
									E01116D15(_t452, _t395,  &_v12);
									goto L193;
								} else {
									 *_t395 = _t441;
									__eflags =  *(_t452 + 0x4c) - _t453;
									if( *(_t452 + 0x4c) == _t453) {
										_t362 =  *_t441 & 0x0000ffff;
									} else {
										_t377 =  *_t441;
										__eflags =  *(_t452 + 0x4c) & _t377;
										if(( *(_t452 + 0x4c) & _t377) != 0) {
											_t377 = _t377 ^  *(_t452 + 0x50);
											__eflags = _t377;
										}
										_t362 = _t377 & 0x0000ffff;
									}
									 *(_t395 + 4) = (_t362 & 0x0000ffff) << 3;
									 *(_t395 + 0xa) = _t399;
									 *(_t395 + 8) = _t453;
									 *(_t395 + 0xc) =  *((intOrPtr*)(_t441 + 0x20)) -  *(_t441 + 0x2c) << 0xc;
									_t369 =  *(_t441 + 0x2c) << 0xc;
									 *(_t395 + 0x10) = _t369;
									__eflags =  *(_t441 + 0xc) & _t399;
									if(( *(_t441 + 0xc) & _t399) != 0) {
										_t376 = _t369 + 0x1000;
										__eflags = _t376;
										 *(_t395 + 0x10) = _t376;
									}
									 *(_t395 + 0x14) =  *((intOrPtr*)(_t441 + 0x24)) + (( !( *( *((intOrPtr*)(_t441 + 0x24)) + 2)) & 0x00000001) + 1) * 8;
									 *((intOrPtr*)(_t395 + 0x18)) =  *((intOrPtr*)(_t441 + 0x28));
									L82:
									__eflags = _t453;
									if(_t453 == 0) {
										L193:
										_t263 = E01077D50();
										__eflags = _t263;
										if(_t263 == 0) {
											_t264 = 0x7ffe0380;
										} else {
											_t264 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										__eflags =  *_t264;
										if( *_t264 != 0) {
											_t267 =  *[fs:0x30];
											__eflags =  *(_t267 + 0x240) & 0x00000001;
											if(( *(_t267 + 0x240) & 0x00000001) != 0) {
												__eflags = _v12 - 0x8000001a;
												if(_v12 != 0x8000001a) {
													E01111BA8(_t452);
												}
											}
										}
										_t265 = _v12;
										goto L201;
									}
									_t272 =  *((intOrPtr*)(_t453 + 7));
									__eflags = _t272 & 0x00000040;
									if((_t272 & 0x00000040) == 0) {
										__eflags = _t272 - 4;
										if(_t272 != 4) {
											_t273 = _t453;
											L89:
											 *_t395 = _t273 + 8;
											_t441 = 2;
											 *(_t395 + 0xa) = 1;
											__eflags =  *((intOrPtr*)(_t452 + 0xda)) - _t441;
											if( *((intOrPtr*)(_t452 + 0xda)) != _t441) {
												_t277 = 0;
												__eflags = 0;
											} else {
												_t277 =  *(_t452 + 0xd4);
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L97:
												_t281 =  *(_t452 + 0x4c) >> 0x00000014 &  *(_t452 + 0x52) ^  *(_t453 + 2);
												__eflags = _t281 & 0x00000001;
												if((_t281 & 0x00000001) == 0) {
													 *_t395 = _t453 + 0x10;
													__eflags =  *(_t452 + 0x4c);
													if( *(_t452 + 0x4c) == 0) {
														_t283 =  *_t453 & 0x0000ffff;
													} else {
														_t288 =  *_t453;
														__eflags =  *(_t452 + 0x4c) & _t288;
														if(( *(_t452 + 0x4c) & _t288) != 0) {
															_t288 = _t288 ^  *(_t452 + 0x50);
															__eflags = _t288;
														}
														_t283 = _t288 & 0x0000ffff;
													}
													 *(_t395 + 4) = (_t283 & 0x0000ffff) * 8 - 0x10;
													 *((char*)(_t395 + 9)) =  *(_t453 + 6);
													 *(_t395 + 0xa) = 0;
													 *(_t395 + 8) = 0x10;
													 *(_t395 + 0x14) = 0x10;
													goto L193;
												}
												_t289 =  *((intOrPtr*)(_t453 + 7));
												__eflags = _t289 & 0x00000040;
												if((_t289 & 0x00000040) == 0) {
													__eflags = _t289 - 4;
													if(_t289 != 4) {
														_t290 = _t453;
														L104:
														 *_t395 = _t290 + 8;
														_t399 =  *((intOrPtr*)(_t453 + 7));
														__eflags = _t399 - 4;
														if(_t399 == 4) {
															__eflags =  *(_t452 + 0x4c);
															if( *(_t452 + 0x4c) == 0) {
																_t292 =  *_t453 & 0x0000ffff;
															} else {
																_t308 =  *_t453;
																__eflags =  *(_t452 + 0x4c) & _t308;
																if(( *(_t452 + 0x4c) & _t308) != 0) {
																	_t308 = _t308 ^  *(_t452 + 0x50);
																	__eflags = _t308;
																}
																_t292 = _t308 & 0x0000ffff;
															}
															 *((char*)(_t395 + 9)) = 0x40;
															_t294 = 0x4001;
															 *(_t395 + 4) =  *((intOrPtr*)(_t453 - 8)) - (_t292 & 0x0000ffff);
															 *(_t395 + 0xa) = 0x4001;
															__eflags =  *(_t452 + 0x4c);
															if( *(_t452 + 0x4c) == 0) {
																_t406 =  *_t453 & 0x0000ffff;
															} else {
																_t307 =  *_t453;
																__eflags =  *(_t452 + 0x4c) & _t307;
																if(( *(_t452 + 0x4c) & _t307) != 0) {
																	_t307 = _t307 ^  *(_t452 + 0x50);
																	__eflags = _t307;
																}
																_t406 = _t307 & 0x0000ffff;
																_t294 =  *(_t395 + 0xa) & 0x0000ffff;
															}
															_t407 = _t406 & 0x0000ffff;
															 *(_t395 + 8) = _t407;
															__eflags = _t441 & _t294;
															if((_t441 & _t294) == 0) {
																 *(_t395 + 0x14) = _t407;
															}
															_t408 = _t294 & 0x0000ffff;
															L166:
															__eflags =  *(_t452 + 0x4c);
															if( *(_t452 + 0x4c) == 0) {
																_t295 =  *(_t453 + 2);
																_t409 = _t408 & 0x0000ffff;
															} else {
																_t306 =  *_t453;
																__eflags =  *(_t452 + 0x4c) & _t306;
																if(( *(_t452 + 0x4c) & _t306) != 0) {
																	_t306 = _t306 ^  *(_t452 + 0x50);
																	__eflags = _t306;
																}
																_t409 =  *(_t395 + 0xa) & 0x0000ffff;
																_t295 = _t306 >> 0x10;
															}
															__eflags = _t441 & _t295;
															if((_t441 & _t295) == 0) {
																_t296 =  *[fs:0x30];
																_t410 = _t409 & 0x0000ffff;
																__eflags =  *(_t296 + 0x68) & 0x00000800;
																if(( *(_t296 + 0x68) & 0x00000800) != 0) {
																	_t297 =  *(_t453 + 3) & 0x000000ff;
																} else {
																	_t297 = 0;
																}
																 *(_t395 + 0x10) = _t297;
															} else {
																_t441 = _t453;
																_t303 = E010FD380(_t452, _t453);
																 *(_t395 + 0xc) =  *(_t303 + 4);
																 *((short*)(_t395 + 0x12)) =  *_t303;
																_t415 =  *[fs:0x30];
																__eflags =  *(_t415 + 0x68) & 0x00000800;
																if(( *(_t415 + 0x68) & 0x00000800) != 0) {
																	_t304 =  *(_t303 + 2) & 0x0000ffff;
																} else {
																	_t304 = 0;
																}
																 *(_t395 + 0x10) = _t304;
																 *(_t395 + 0xa) =  *(_t395 + 0xa) | 0x00000010;
																_t410 =  *(_t395 + 0xa) & 0x0000ffff;
															}
															__eflags =  *(_t452 + 0x4c);
															if( *(_t452 + 0x4c) == 0) {
																_t298 =  *(_t453 + 2);
																_t411 = _t410 & 0x0000ffff;
															} else {
																_t302 =  *_t453;
																__eflags =  *(_t452 + 0x4c) & _t302;
																if(( *(_t452 + 0x4c) & _t302) != 0) {
																	_t302 = _t302 ^  *(_t452 + 0x50);
																	__eflags = _t302;
																}
																_t411 =  *(_t395 + 0xa) & 0x0000ffff;
																_t298 = _t302 >> 0x10;
															}
															 *(_t395 + 0xa) = _t298 & 0xe0 | _t411;
															goto L193;
														}
														__eflags = _t399 - 3;
														if(_t399 == 3) {
															_t408 = 0x1000;
															 *_t395 =  *(_t453 + 0x18);
															 *(_t395 + 0x14) =  *(_t395 + 0x14) & 0x00000000;
															 *(_t395 + 4) =  *(_t453 + 0x1c);
															 *(_t395 + 8) = 0x10000000;
															goto L166;
														}
														__eflags = _t399 - 1;
														if(_t399 != 1) {
															_t442 =  *(_t452 + 0x4c);
															__eflags = _t442;
															if(_t442 == 0) {
																_t311 =  *_t453 & 0x0000ffff;
															} else {
																_t344 =  *_t453;
																_t442 =  *(_t452 + 0x4c);
																__eflags = _t344 & _t442;
																if((_t344 & _t442) != 0) {
																	_t344 = _t344 ^  *(_t452 + 0x50);
																	__eflags = _t344;
																}
																_t399 =  *((intOrPtr*)(_t453 + 7));
																_t311 = _t344 & 0x0000ffff;
															}
															_v20 = _t311;
															__eflags = _t399 - 5;
															if(_t399 != 5) {
																__eflags = _t399 & 0x00000040;
																if((_t399 & 0x00000040) == 0) {
																	__eflags = (_t399 & 0x0000003f) - 0x3f;
																	if((_t399 & 0x0000003f) == 0x3f) {
																		__eflags = _t399;
																		if(_t399 >= 0) {
																			__eflags = _t442;
																			if(_t442 == 0) {
																				_t314 =  *_t453 & 0x0000ffff;
																			} else {
																				_t337 =  *_t453;
																				__eflags =  *(_t452 + 0x4c) & _t337;
																				if(( *(_t452 + 0x4c) & _t337) != 0) {
																					_t337 = _t337 ^  *(_t452 + 0x50);
																					__eflags = _t337;
																				}
																				_t314 = _t337 & 0x0000ffff;
																			}
																		} else {
																			_t431 = _t453 >> 0x00000003 ^  *_t453 ^  *0x114874c ^ _t452;
																			__eflags = _t431;
																			if(_t431 == 0) {
																				_t339 = _t453 - (_t431 >> 0xd);
																				__eflags = _t339;
																				_t340 =  *_t339;
																			} else {
																				_t340 = 0;
																			}
																			_t314 =  *((intOrPtr*)(_t340 + 0x14));
																		}
																		_t416 =  *(_t453 + (_t314 & 0xffff) * 8 - 4);
																	} else {
																		_t416 = _t399 & 0x3f;
																	}
																} else {
																	_t416 =  *(_t453 + 4 + (_t399 & 0x3f) * 8) & 0x0000ffff;
																}
															} else {
																_t416 =  *(_t452 + 0x54) & 0x0000ffff ^  *(_t453 + 4) & 0x0000ffff;
															}
															 *(_t395 + 4) = ((_v20 & 0x0000ffff) << 3) - _t416;
															 *((char*)(_t395 + 9)) =  *(_t453 + 6);
															 *(_t395 + 0xa) = 1;
															_t417 =  *((intOrPtr*)(_t453 + 7));
															__eflags = _t417 - 5;
															if(_t417 != 5) {
																__eflags = _t417 & 0x00000040;
																if((_t417 & 0x00000040) == 0) {
																	__eflags = (_t417 & 0x0000003f) - 0x3f;
																	if((_t417 & 0x0000003f) == 0x3f) {
																		__eflags = _t417;
																		if(_t417 >= 0) {
																			__eflags =  *(_t452 + 0x4c);
																			if( *(_t452 + 0x4c) == 0) {
																				_t326 =  *_t453 & 0x0000ffff;
																			} else {
																				_t330 =  *_t453;
																				__eflags =  *(_t452 + 0x4c) & _t330;
																				if(( *(_t452 + 0x4c) & _t330) != 0) {
																					_t330 = _t330 ^  *(_t452 + 0x50);
																					__eflags = _t330;
																				}
																				_t326 = _t330 & 0x0000ffff;
																			}
																		} else {
																			_t423 = _t453 >> 0x00000003 ^  *_t453 ^  *0x114874c ^ _t452;
																			__eflags = _t423;
																			if(_t423 == 0) {
																				_t332 = _t453 - (_t423 >> 0xd);
																				__eflags = _t332;
																				_t333 =  *_t332;
																			} else {
																				_t333 = 0;
																			}
																			_t326 =  *((intOrPtr*)(_t333 + 0x14));
																		}
																		_t418 =  *(_t453 + (_t326 & 0xffff) * 8 - 4);
																	} else {
																		_t418 = _t417 & 0x3f;
																	}
																} else {
																	_t418 =  *(_t453 + 4 + (_t417 & 0x3f) * 8) & 0x0000ffff;
																}
															} else {
																_t418 =  *(_t452 + 0x54) & 0x0000ffff ^  *(_t453 + 4) & 0x0000ffff;
															}
															_t329 =  *(_t395 + 0xa) & 0x0000ffff;
															_t441 = 2;
															 *(_t395 + 8) = _t418;
															__eflags = _t441 & _t329;
															if((_t441 & _t329) == 0) {
																 *(_t395 + 0x14) = _t418;
															}
															_t408 = _t329;
															goto L166;
														}
														 *(_t395 + 0xa) = 1;
														goto L26;
													}
													_t347 =  *(_t453 + 6) & 0x000000ff;
													L100:
													_t290 = _t453 + _t347 * 8;
													goto L104;
												}
												_t347 = _t289 & 0x3f;
												__eflags = _t347;
												goto L100;
											} else {
												_t441 = _t395;
												_t399 = _t452;
												_t349 = E011167E2(_t452, _t395, _t452);
												__eflags = _t349;
												if(_t349 == 0) {
													_t441 = 2;
													goto L97;
												}
												__eflags =  *(_t395 + 0xa) & 0x00002000;
												if(( *(_t395 + 0xa) & 0x00002000) == 0) {
													goto L193;
												}
												L25:
												_t441 = 2;
												L26:
												__eflags =  *((intOrPtr*)(_t452 + 0xda)) - _t441;
												if( *((intOrPtr*)(_t452 + 0xda)) != _t441) {
													_t261 = 0;
													__eflags = 0;
												} else {
													_t261 =  *(_t452 + 0xd4);
												}
												__eflags = _t261;
												if(_t261 == 0) {
													L32:
													__eflags =  *(_t395 + 0xa) & 0x00000001;
													_t400 =  *_t395;
													if(( *(_t395 + 0xa) & 0x00000001) == 0) {
														_t399 = _t400 + 0xfffffff0;
														__eflags =  *(_t452 + 0x4c);
														if( *(_t452 + 0x4c) == 0) {
															_t453 =  *_t399 & 0x0000ffff;
														} else {
															_t381 =  *_t399;
															__eflags =  *(_t452 + 0x4c) & _t381;
															if(( *(_t452 + 0x4c) & _t381) != 0) {
																_t381 = _t381 ^  *(_t452 + 0x50);
																__eflags = _t381;
															}
															_t453 = _t381 & 0x0000ffff;
														}
														_t262 =  *(_t399 + 6);
														__eflags = _t262;
														if(_t262 == 0) {
															_t441 = _t452;
														} else {
															_t441 = (_t399 & 0xffff0000) - ((_t262 & 0x000000ff) << 0x10) + 0x10000;
														}
														__eflags = _t441;
														if(_t441 == 0) {
															L192:
															_v12 = 0xc0000141;
															goto L193;
														} else {
															__eflags =  *((char*)(_t399 + 7)) - 3;
															if( *((char*)(_t399 + 7)) != 3) {
																_t271 = _t453 & 0x0000ffff;
																L81:
																_t453 = _t399 + _t271 * 8;
																goto L82;
															}
															L58:
															__eflags =  *(_t399 + 0x1c) + 0x20 + _t399 -  *((intOrPtr*)(_t441 + 0x28));
															if( *(_t399 + 0x1c) + 0x20 + _t399 <  *((intOrPtr*)(_t441 + 0x28))) {
																 *_t395 =  *(_t399 + 0x18);
																 *(_t395 + 0x14) =  *(_t395 + 0x14) & 0x00000000;
																_t453 = 0;
																 *(_t395 + 4) =  *(_t399 + 0x1c);
																 *(_t395 + 8) = 0x10000000;
																goto L82;
															}
															_t443 =  *((intOrPtr*)(_t441 + 0x10));
															__eflags = _t443 - _t452 + 0xa4;
															if(_t443 == _t452 + 0xa4) {
																L61:
																_t399 = 2;
																L62:
																_t441 = 0;
																__eflags = 0;
																goto L63;
															}
															_t441 = _t443 + 0xfffffff0;
															_t399 = 2;
															goto L63;
														}
													}
													_t399 = _t400 + 0xfffffff8;
													__eflags =  *((char*)(_t399 + 7)) - 5;
													if( *((char*)(_t399 + 7)) == 5) {
														_t399 = _t399 - (( *(_t399 + 6) & 0x000000ff) << 3);
														__eflags = _t399;
													}
													__eflags =  *((intOrPtr*)(_t399 + 7)) - 4;
													if( *((intOrPtr*)(_t399 + 7)) != 4) {
														_t383 =  *(_t399 + 6);
														__eflags = _t383;
														if(_t383 == 0) {
															_t441 = _t452;
														} else {
															_t449 = (_t399 & 0xffff0000) - ((_t383 & 0x000000ff) << 0x10);
															_t383 =  *((intOrPtr*)(_t399 + 7));
															_t441 = _t449 + 0x10000;
														}
														__eflags = _t441;
														if(_t441 == 0) {
															goto L192;
														} else {
															__eflags = _t383 - 3;
															if(_t383 == 3) {
																goto L58;
															}
															__eflags =  *(_t452 + 0x4c);
															if( *(_t452 + 0x4c) == 0) {
																_t384 =  *_t399 & 0x0000ffff;
															} else {
																_t385 =  *_t399;
																__eflags =  *(_t452 + 0x4c) & _t385;
																if(( *(_t452 + 0x4c) & _t385) != 0) {
																	_t385 = _t385 ^  *(_t452 + 0x50);
																	__eflags = _t385;
																}
																_t384 = _t385 & 0x0000ffff;
															}
															_t271 = _t384 & 0x0000ffff;
															goto L81;
														}
													} else {
														_t453 =  *(_t399 - 0x18);
														_t378 = _t452 + 0x9c;
														L65:
														__eflags = _t453 - _t378;
														if(_t453 == _t378) {
															_v12 = 0x8000001a;
															goto L193;
														}
														_t453 = _t453 + 0x18;
														goto L82;
													}
												} else {
													_t441 = _t395;
													_t390 = E011167E2(_t452, _t395, _t399);
													__eflags = _t390;
													if(_t390 == 0) {
														goto L32;
													}
													__eflags =  *(_t395 + 0xa) & 0x00002000;
													if(( *(_t395 + 0xa) & 0x00002000) == 0) {
														goto L193;
													}
													goto L32;
												}
											}
										}
										_t351 =  *(_t453 + 6) & 0x000000ff;
										L85:
										_t273 = _t453 + _t351 * 8;
										goto L89;
									}
									_t351 = _t272 & 0x3f;
									__eflags = _t351;
									goto L85;
								}
							}
							_t378 = _t452 + 0x9c;
							_t453 =  *_t378;
							goto L65;
						}
					}
					_t393 = E0111433B(__edx, __ecx, __ecx, _t453, __eflags);
					__eflags = _t393;
					if(_t393 != 0) {
						goto L5;
					} else {
						_v12 = 0xc000000d;
						goto L193;
					}
				} else {
					_t453 =  *0x1145724; // 0x0
					 *0x114b1e0(__ecx, __edx);
					_t265 =  *_t453();
					L201:
					return E0109B640(_t265, _t395, _v8 ^ _t455, _t441, _t452, _t453);
				}
			}

0x010feb97
0x010feb99
0x010feb9f
0x010feba1
0x010febaa
0x010febc3
0x010febcd
0x010febd5
0x010febd7
0x010febf0
0x010febf0
0x010febf4
0x010febf6
0x010febf9
0x010febfb
0x010fec04
0x010fec08
0x010fec0e
0x00000000
0x00000000
0x010fec16
0x010fec16
0x010fec19
0x010fec3a
0x010fec3a
0x010fec3e
0x010fec4d
0x010fec50
0x010fec52
0x010fec58
0x010fec5a
0x010fec5d
0x010fec5f
0x010fec5f
0x010fec64
0x010fec68
0x010fec73
0x010fec73
0x010fec7e
0x010fec7f
0x010fec81
0x010fec8b
0x010fec91
0x00000000
0x00000000
0x010fec97
0x00000000
0x010fec97
0x010fec83
0x00000000
0x010fec6a
0x010fec6a
0x010fec6d
0x00000000
0x00000000
0x00000000
0x010fec6d
0x010fec68
0x010fec40
0x010fec43
0x00000000
0x00000000
0x010fec45
0x00000000
0x010fec1b
0x010fec1b
0x010fec22
0x010fec2c
0x010fec2c
0x010fec24
0x010fec24
0x010fec24
0x010fec2e
0x010fec30
0x00000000
0x010fec36
0x010fec36
0x00000000
0x010fec36
0x010fec30
0x010febfd
0x010febfd
0x010fedd2
0x010fedd2
0x010fedd4
0x010fedd6
0x010fedf0
0x010fedf6
0x010fee00
0x010fee00
0x010fedf8
0x010fedf8
0x010fedf8
0x010fee02
0x010fee04
0x010fef6c
0x010fef71
0x00000000
0x010fee0a
0x010fee0a
0x010fee0c
0x010fee0f
0x010fee20
0x010fee11
0x010fee11
0x010fee13
0x010fee16
0x010fee18
0x010fee18
0x010fee18
0x010fee1b
0x010fee1b
0x010fee29
0x010fee2c
0x010fee30
0x010fee3d
0x010fee43
0x010fee46
0x010fee49
0x010fee4c
0x010fee4e
0x010fee4e
0x010fee53
0x010fee53
0x010fee65
0x010fee6b
0x010fee90
0x010fee90
0x010fee92
0x010ff23e
0x010ff23e
0x010ff243
0x010ff245
0x010ff257
0x010ff247
0x010ff250
0x010ff250
0x010ff25c
0x010ff25f
0x010ff261
0x010ff267
0x010ff26e
0x010ff270
0x010ff277
0x010ff27b
0x010ff27b
0x010ff277
0x010ff26e
0x010ff280
0x00000000
0x010ff280
0x010fee98
0x010fee9b
0x010fee9d
0x010feeaa
0x010feeac
0x010feeb4
0x010feeb6
0x010feeb9
0x010feec0
0x010feec1
0x010feec5
0x010feecb
0x010feed5
0x010feed5
0x010feecd
0x010feecd
0x010feecd
0x010feed7
0x010feed9
0x010fef00
0x010fef09
0x010fef0c
0x010fef0e
0x010ff1f7
0x010ff1f9
0x010ff1fd
0x010ff20e
0x010ff1ff
0x010ff1ff
0x010ff201
0x010ff204
0x010ff206
0x010ff206
0x010ff206
0x010ff209
0x010ff209
0x010ff21b
0x010ff221
0x010ff226
0x010ff22a
0x010ff22e
0x00000000
0x010ff22e
0x010fef14
0x010fef17
0x010fef19
0x010fef26
0x010fef28
0x010fef30
0x010fef32
0x010fef35
0x010fef37
0x010fef3a
0x010fef3d
0x010ff0ea
0x010ff0ee
0x010ff0ff
0x010ff0f0
0x010ff0f0
0x010ff0f2
0x010ff0f5
0x010ff0f7
0x010ff0f7
0x010ff0f7
0x010ff0fa
0x010ff0fa
0x010ff10a
0x010ff10e
0x010ff113
0x010ff116
0x010ff11a
0x010ff11e
0x010ff133
0x010ff120
0x010ff120
0x010ff122
0x010ff125
0x010ff127
0x010ff127
0x010ff127
0x010ff12a
0x010ff12d
0x010ff12d
0x010ff136
0x010ff139
0x010ff13c
0x010ff13e
0x010ff140
0x010ff140
0x010ff143
0x010ff146
0x010ff146
0x010ff14a
0x010ff15f
0x010ff162
0x010ff14c
0x010ff14c
0x010ff14e
0x010ff151
0x010ff153
0x010ff153
0x010ff153
0x010ff156
0x010ff15a
0x010ff15a
0x010ff165
0x010ff167
0x010ff1a9
0x010ff1af
0x010ff1b2
0x010ff1b9
0x010ff1bf
0x010ff1bb
0x010ff1bb
0x010ff1bb
0x010ff1c3
0x010ff169
0x010ff169
0x010ff16d
0x010ff175
0x010ff17b
0x010ff17f
0x010ff186
0x010ff18d
0x010ff193
0x010ff18f
0x010ff18f
0x010ff18f
0x010ff197
0x010ff19b
0x010ff1a4
0x010ff1a4
0x010ff1c7
0x010ff1cb
0x010ff1e0
0x010ff1e3
0x010ff1cd
0x010ff1cd
0x010ff1cf
0x010ff1d2
0x010ff1d4
0x010ff1d4
0x010ff1d4
0x010ff1d7
0x010ff1db
0x010ff1db
0x010ff1ee
0x00000000
0x010ff1ee
0x010fef43
0x010fef46
0x010ff0d0
0x010ff0d5
0x010ff0da
0x010ff0de
0x010ff0e1
0x00000000
0x010ff0e1
0x010fef4c
0x010fef4f
0x010fef7b
0x010fef7e
0x010fef80
0x010fef96
0x010fef82
0x010fef82
0x010fef84
0x010fef87
0x010fef89
0x010fef8b
0x010fef8b
0x010fef8b
0x010fef8e
0x010fef91
0x010fef91
0x010fef99
0x010fef9c
0x010fef9f
0x010fefad
0x010fefb0
0x010fefc3
0x010fefc5
0x010fefcf
0x010fefd1
0x010feffa
0x010feffc
0x010ff00d
0x010feffe
0x010feffe
0x010ff000
0x010ff003
0x010ff005
0x010ff005
0x010ff005
0x010ff008
0x010ff008
0x010fefd3
0x010fefe0
0x010fefe2
0x010fefe5
0x010feff0
0x010feff0
0x010feff2
0x010fefe7
0x010fefe7
0x010fefe7
0x010feff4
0x010feff4
0x010ff016
0x010fefc7
0x010fefca
0x010fefca
0x010fefb2
0x010fefb8
0x010fefb8
0x010fefa1
0x010fefa9
0x010fefa9
0x010ff025
0x010ff02b
0x010ff031
0x010ff035
0x010ff038
0x010ff03b
0x010ff049
0x010ff04c
0x010ff05f
0x010ff061
0x010ff06b
0x010ff06d
0x010ff096
0x010ff09a
0x010ff0ab
0x010ff09c
0x010ff09c
0x010ff09e
0x010ff0a1
0x010ff0a3
0x010ff0a3
0x010ff0a3
0x010ff0a6
0x010ff0a6
0x010ff06f
0x010ff07c
0x010ff07e
0x010ff081
0x010ff08c
0x010ff08c
0x010ff08e
0x010ff083
0x010ff083
0x010ff083
0x010ff090
0x010ff090
0x010ff0b4
0x010ff063
0x010ff066
0x010ff066
0x010ff04e
0x010ff054
0x010ff054
0x010ff03d
0x010ff045
0x010ff045
0x010ff0b8
0x010ff0be
0x010ff0bf
0x010ff0c2
0x010ff0c4
0x010ff0c6
0x010ff0c6
0x010ff0c9
0x00000000
0x010ff0c9
0x010fef54
0x00000000
0x010fef54
0x010fef2a
0x010fef21
0x010fef21
0x00000000
0x010fef21
0x010fef1e
0x010fef1e
0x00000000
0x010feedb
0x010feedc
0x010feede
0x010feee0
0x010feee5
0x010feee7
0x010feeff
0x00000000
0x010feeff
0x010feeee
0x010feef2
0x00000000
0x00000000
0x010feca2
0x010feca4
0x010feca5
0x010feca5
0x010fecab
0x010fecb5
0x010fecb5
0x010fecad
0x010fecad
0x010fecad
0x010fecb7
0x010fecb9
0x010fecd8
0x010fecd8
0x010fecdc
0x010fecde
0x010fed59
0x010fed5c
0x010fed60
0x010fed71
0x010fed62
0x010fed62
0x010fed64
0x010fed67
0x010fed69
0x010fed69
0x010fed69
0x010fed6c
0x010fed6c
0x010fed74
0x010fed77
0x010fed79
0x010fed93
0x010fed7b
0x010fed8b
0x010fed8b
0x010fed95
0x010fed97
0x010ff237
0x010ff237
0x00000000
0x010fed9d
0x010fed9d
0x010feda1
0x010fee8a
0x010fee8d
0x010fee8d
0x00000000
0x010fee8d
0x010feda7
0x010fedaf
0x010fedb2
0x010fee73
0x010fee78
0x010fee7c
0x010fee7e
0x010fee81
0x00000000
0x010fee81
0x010fedb8
0x010fedc1
0x010fedc3
0x010fedcd
0x010fedcf
0x010fedd0
0x010fedd0
0x010fedd0
0x00000000
0x010fedd0
0x010fedc7
0x010fedca
0x00000000
0x010fedca
0x010fed97
0x010fece0
0x010fece3
0x010fece7
0x010fecf0
0x010fecf0
0x010fecf0
0x010fecf5
0x010fecf8
0x010fed08
0x010fed0b
0x010fed0d
0x010fed2a
0x010fed0f
0x010fed1d
0x010fed1f
0x010fed22
0x010fed22
0x010fed2c
0x010fed2e
0x00000000
0x010fed34
0x010fed34
0x010fed37
0x00000000
0x00000000
0x010fed39
0x010fed3d
0x010fed4e
0x010fed3f
0x010fed3f
0x010fed41
0x010fed44
0x010fed46
0x010fed46
0x010fed46
0x010fed49
0x010fed49
0x010fed51
0x00000000
0x010fed51
0x010fecfa
0x010fecfa
0x010fecfd
0x010fede0
0x010fede0
0x010fede2
0x010fef5d
0x00000000
0x010fef5d
0x010fede8
0x00000000
0x010fede8
0x010fecbb
0x010fecbc
0x010fecc0
0x010fecc5
0x010fecc7
0x00000000
0x00000000
0x010fecce
0x010fecd2
0x00000000
0x00000000
0x00000000
0x010fecd2
0x010fecb9
0x010feed9
0x010feeae
0x010feea5
0x010feea5
0x00000000
0x010feea5
0x010feea2
0x010feea2
0x00000000
0x010feea2
0x010fee04
0x010fedd8
0x010fedde
0x00000000
0x010fedde
0x010febfb
0x010febdb
0x010febe0
0x010febe2
0x00000000
0x010febe4
0x010febe4
0x00000000
0x010febe4
0x010febac
0x010febac
0x010febb6
0x010febbc
0x010ff283
0x010ff293
0x010ff293

Strings

@, xrefs: 010FF10A

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 45e5ed183101da06f1f05724a8a51ad8d7b1e571ddd52e88a0611442bb3f41ad
Instruction ID: 9f982de8fce872be1affa69113361fdf2028781d3dab5c2a4515cdc0eb7ecc0f
Opcode Fuzzy Hash: 45e5ed183101da06f1f05724a8a51ad8d7b1e571ddd52e88a0611442bb3f41ad
Instruction Fuzzy Hash: E43216752046528BE768CF2DC452376BBE1BF45300F09849EEBC68FA96D335E456CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0107B944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0107B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x114d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01077D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01128CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01099E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0109B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0109CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01077D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01128F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0109AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1148628; // 0x0
								_v68 = _t77;
								_t78 =  *0x114862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1148628; // 0x0
							_t116 =  *0x114862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0107b94c
0x0107b956
0x0107b95c
0x0107b95e
0x0107b964
0x0107b969
0x0107b96d
0x0107b96d
0x0107b970
0x0107b974
0x0107b97a
0x0107badf
0x0107badf
0x0107bae2
0x0107bae4
0x0107bae6
0x0107baf0
0x010c2cb8
0x0107baf6
0x0107baf6
0x0107baf6
0x0107bafd
0x0107bb1f
0x0107bb1f
0x0107baff
0x0107bb00
0x0107bb00
0x0107bb03
0x0107bb03
0x0107bacb
0x0107bacf
0x0107bad0
0x0107bad1
0x0107badc
0x0107badc
0x0107b980
0x0107b980
0x0107b988
0x0107b98b
0x0107b98d
0x0107b990
0x0107b993
0x0107b999
0x0107b99b
0x0107b9a1
0x0107b9a5
0x0107b9aa
0x0107b9b0
0x0107b9bb
0x0107b9c0
0x0107b9c3
0x0107b9ca
0x0107b9cc
0x0107b9cf
0x0107b9d3
0x0107b9d7
0x0107ba94
0x0107ba94
0x0107ba98
0x0107baa3
0x010c2ccb
0x0107baa9
0x0107baa9
0x0107baa9
0x0107bab1
0x010c2cd5
0x010c2cdd
0x010c2cdd
0x0107babb
0x0107babc
0x0107bac2
0x0107bac3
0x0107bac3
0x0107bac6
0x00000000
0x0107b9dd
0x0107b9dd
0x0107b9e7
0x0107b9e7
0x0107b9ec
0x0107b9ec
0x0107b9f1
0x0107b9f5
0x0107b9fa
0x0107ba00
0x0107ba0c
0x0107ba10
0x0107ba10
0x0107ba12
0x0107ba18
0x00000000
0x00000000
0x0107bb26
0x0107bb26
0x0107ba1e
0x0107ba1e
0x0107ba23
0x0107ba25
0x0107ba2c
0x0107ba30
0x0107ba35
0x0107ba35
0x0107ba41
0x0107ba46
0x0107ba4c
0x0107ba50
0x0107ba54
0x0107ba6a
0x0107ba6e
0x0107ba70
0x0107ba74
0x0107ba78
0x0107ba7a
0x0107ba7c
0x0107ba8e
0x0107ba90
0x0107ba92
0x0107bb14
0x0107bb14
0x0107bb16
0x0107bb16
0x00000000
0x0107ba7c
0x0107bb0a
0x0107bb0d
0x00000000
0x00000000
0x00000000
0x0107bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107B9A5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 8449c5d683a736555a1c99a3a522b212e9d7199434e2291e735552f0385a7688
Instruction ID: 044371daacd8405f4883ef2370e1c2378767557a19e8317e9fcfb185b8f76a4c
Opcode Fuzzy Hash: 8449c5d683a736555a1c99a3a522b212e9d7199434e2291e735552f0385a7688
Instruction Fuzzy Hash: 90514571A08305DFC764EF6CC09092ABBE5FB88610F1489AEFAD987355D770E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01082581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E01082581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546912004) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t234;
				signed char _t238;
				signed char _t239;
				signed char _t241;
				signed int _t245;
				signed int _t247;
				intOrPtr _t249;
				signed int _t252;
				signed int _t259;
				signed int _t262;
				signed int _t270;
				intOrPtr _t276;
				signed int _t278;
				signed int _t280;
				void* _t281;
				signed int _t282;
				unsigned int _t285;
				signed int _t289;
				signed int* _t290;
				signed int _t291;
				signed int _t295;
				intOrPtr _t307;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t323;
				signed int _t324;
				void* _t326;
				signed int _t327;
				signed int _t329;
				signed int _t332;
				signed char _t333;
				signed char _t335;
				void* _t336;

				_t329 = _t332;
				_t333 = _t332 - 0x4c;
				_v8 =  *0x114d360 ^ _t329;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t323 = 0x114b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t285 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t336 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t276 = 0x48;
				_t305 = 0 | _t336 == 0x00000000;
				_t316 = 0;
				_v37 = _t336 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t276 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t324 = 0xc0000106;
						goto L32;
					} else {
						_t323 = E01074620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t276);
						_v52 = _t323;
						__eflags = _t323;
						if(_t323 == 0) {
							_t324 = 0xc0000017;
							goto L32;
						} else {
							 *(_t323 + 0x44) =  *(_t323 + 0x44) & 0x00000000;
							_t50 = _t323 + 0x48; // 0x48
							_t318 = _t50;
							_t305 = _v32;
							 *((intOrPtr*)(_t323 + 0x3c)) = _t276;
							_t278 = 0;
							 *((short*)(_t323 + 0x30)) = _v48;
							__eflags = _t305;
							if(_t305 != 0) {
								 *(_t323 + 0x18) = _t318;
								__eflags = _t305 - 0x1148478;
								 *_t323 = ((0 | _t305 == 0x01148478) - 0x00000001 & 0xfffffffb) + 7;
								E0109F3E0(_t318,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
								_t305 = _v32;
								_t333 = _t333 + 0xc;
								_t278 = 1;
								__eflags = _a8;
								_t318 = _t318 + (( *_t305 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t270 = E010E39F2(_t318);
									_t305 = _v32;
									_t318 = _t270;
								}
							}
							_t289 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t324 = _v68;
								__eflags = 0;
								 *((short*)(_t318 - 2)) = 0;
								goto L32;
							} else {
								_t280 = _t323 + _t278 * 4;
								_v56 = _t280;
								do {
									__eflags = _t305;
									if(_t305 != 0) {
										_t234 =  *(_v60 + _t289 * 4);
										__eflags = _t234;
										if(_t234 == 0) {
											goto L30;
										} else {
											__eflags = _t234 == 5;
											if(_t234 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t280 =  *(_v60 + _t289 * 4);
										 *(_t280 + 0x18) = _t318;
										_t238 =  *(_v60 + _t289 * 4);
										__eflags = _t238 - 8;
										if(_t238 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t238 * 4 +  &M01082959))) {
												case 0:
													__ax =  *0x1148488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0109F3E0(__edi,  *0x114848c, __ax & 0x0000ffff);
														__eax =  *0x1148488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0109F3E0(_t318, _v80, _v64);
													_t265 = _v64;
													goto L26;
												case 2:
													 *0x1148480 & 0x0000ffff = E0109F3E0(__edi,  *0x1148484,  *0x1148480 & 0x0000ffff);
													__eax =  *0x1148480 & 0x0000ffff;
													__eax = ( *0x1148480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0109F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0109F3E0(_t318, _v76, _v36);
														_t265 = _v36;
													}
													L26:
													_t333 = _t333 + 0xc;
													_t318 = _t318 + (_t265 >> 1) * 2 + 2;
													__eflags = _t318;
													L27:
													_push(0x3b);
													_pop(_t267);
													 *((short*)(_t318 - 2)) = _t267;
													goto L28;
												case 6:
													__ebx =  *0x114575c;
													__eflags = __ebx - 0x114575c;
													if(__ebx != 0x114575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0109F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x114575c;
														} while (__ebx != 0x114575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1148478 & 0x0000ffff = E0109F3E0(__edi,  *0x114847c,  *0x1148478 & 0x0000ffff);
													__eax =  *0x1148478 & 0x0000ffff;
													__eax = ( *0x1148478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E010E39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1146e58 & 0x0000ffff = E0109F3E0(__edi,  *0x1146e5c,  *0x1146e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1146e58 & 0x0000ffff;
													__eax = ( *0x1146e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t289 = _v16;
													_t305 = _v32;
													L29:
													_t280 = _t280 + 4;
													__eflags = _t280;
													_v56 = _t280;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t289 = _t289 + 1;
									_v16 = _t289;
									__eflags = _t289 - _v48;
								} while (_t289 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t238 =  *(_v60 + _t316 * 4);
						if(_t238 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t238 * 4 +  &M01082935))) {
							case 0:
								__ax =  *0x1148488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t305 =  &_v64;
								_v80 = E01082E3E(0,  &_v64);
								_t276 = _t276 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1148480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1148480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0106EEF0(0x11479a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0106EB70(__ecx, 0x11479a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t212 = _v72;
											__eflags = _t212;
											if(_t212 != 0) {
												L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
											}
											_t213 = _v52;
											__eflags = _t213;
											if(_t213 != 0) {
												__eflags = _t324;
												if(_t324 < 0) {
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
													_t213 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t285 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1147b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = E01074620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0106EB70(__ecx, 0x11479a0);
										__eax = _v52;
										L36:
										_pop(_t317);
										_pop(_t325);
										__eflags = _v8 ^ _t329;
										_pop(_t277);
										return E0109B640(_t213, _t277, _v8 ^ _t329, _t305, _t317, _t325);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t272 = _v56;
								if(_v56 != 0) {
									_t305 =  &_v36;
									_t274 = E01082E3E(_t272,  &_v36);
									_t285 = _v36;
									_v76 = _t274;
								}
								if(_t285 == 0) {
									goto L44;
								} else {
									_t276 = _t276 + 2 + _t285;
								}
								goto L14;
							case 6:
								__eax =  *0x1145764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1148478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1148478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1146e58 & 0x0000ffff;
								__eax = ( *0x1146e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t316 = _t316 + 1;
								if(_t316 >= _v48) {
									goto L16;
								} else {
									_t305 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t290 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					 *_t290 =  *_t290 | _t238;
					asm("o16 sub [eax], cl");
					_t239 = _t238 + _t333;
					asm("daa");
					 *_t290 =  *_t290 | _t239;
					 *[es:ecx] =  *[es:ecx] | _t239;
					_t326 = _t323 + 1;
					 *_t239 =  *_t239 - _t290;
					 *0x1f010826 =  *0x1f010826 + _t239;
					_pop(_t281);
					_t241 = _t333;
					_t335 = _t239 | 0x00000001;
					 *_t241 =  *_t241 - _t290;
					 *0x2010c5b =  *0x2010c5b + _t326;
					 *_t241 =  *_t241 - _t290;
					 *((intOrPtr*)(_t241 - 0x9fef7d8)) =  *((intOrPtr*)(_t241 - 0x9fef7d8)) + _t241;
					asm("daa");
					 *_t290 =  *_t290 | _t241;
					_push(ds);
					 *_t241 =  *_t241 - _t290;
					 *((intOrPtr*)(_t326 + 0x28)) =  *((intOrPtr*)(_t326 + 0x28)) + _t290;
					 *_t290 =  *_t290 | _t241;
					asm("daa");
					 *_t290 =  *_t290 | _t241;
					asm("fcomp dword [ebx+0xc]");
					 *((intOrPtr*)(_t241 +  &_a1546912004)) =  *((intOrPtr*)(_t241 +  &_a1546912004)) + _t326;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x112ff00);
					E010AD08C(_t281, _t318, _t326);
					_v44 =  *[fs:0x18];
					_t319 = 0;
					 *_a24 = 0;
					_t282 = _a12;
					__eflags = _t282;
					if(_t282 == 0) {
						_t245 = 0xc0000100;
					} else {
						_v8 = 0;
						_t327 = 0xc0000100;
						_v52 = 0xc0000100;
						_t247 = 4;
						while(1) {
							_v40 = _t247;
							__eflags = _t247;
							if(_t247 == 0) {
								break;
							}
							_t295 = _t247 * 0xc;
							_v48 = _t295;
							__eflags = _t282 -  *((intOrPtr*)(_t295 + 0x1031664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t262 = E0109E5C0(_a8,  *((intOrPtr*)(_t295 + 0x1031668)), _t282);
									_t335 = _t335 + 0xc;
									__eflags = _t262;
									if(__eflags == 0) {
										_t327 = E010D51BE(_t282,  *((intOrPtr*)(_v48 + 0x103166c)), _a16, _t319, _t327, __eflags, _a20, _a24);
										_v52 = _t327;
										break;
									} else {
										_t247 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t247 = _t247 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t327;
						__eflags = _t327;
						if(_t327 < 0) {
							__eflags = _t327 - 0xc0000100;
							if(_t327 == 0xc0000100) {
								_t291 = _a4;
								__eflags = _t291;
								if(_t291 != 0) {
									_v36 = _t291;
									__eflags =  *_t291 - _t319;
									if( *_t291 == _t319) {
										_t327 = 0xc0000100;
										goto L76;
									} else {
										_t307 =  *((intOrPtr*)(_v44 + 0x30));
										_t249 =  *((intOrPtr*)(_t307 + 0x10));
										__eflags =  *((intOrPtr*)(_t249 + 0x48)) - _t291;
										if( *((intOrPtr*)(_t249 + 0x48)) == _t291) {
											__eflags =  *(_t307 + 0x1c);
											if( *(_t307 + 0x1c) == 0) {
												L106:
												_t327 = E01082AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
												_v32 = _t327;
												__eflags = _t327 - 0xc0000100;
												if(_t327 != 0xc0000100) {
													goto L69;
												} else {
													_t319 = 1;
													_t291 = _v36;
													goto L75;
												}
											} else {
												_t252 = E01066600( *(_t307 + 0x1c));
												__eflags = _t252;
												if(_t252 != 0) {
													goto L106;
												} else {
													_t291 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t327 = E01082C50(_t291, _a8, _t282, _a16, _a20, _a24, _t319);
											L76:
											_v32 = _t327;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0106EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t327 = _a24;
									_t259 = E01082AE4( &_v36, _a8, _t282, _a16, _a20, _t327);
									_v32 = _t259;
									__eflags = _t259 - 0xc0000100;
									if(_t259 == 0xc0000100) {
										_v32 = E01082C50(_v36, _a8, _t282, _a16, _a20, _t327, 1);
									}
									_v8 = _t319;
									E01082ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t245 = _t327;
					}
					L70:
					return E010AD0D1(_t245);
				}
				L108:
			}

0x01082584
0x01082586
0x01082590
0x01082596
0x01082597
0x01082598
0x01082599
0x0108259e
0x010825a4
0x010825a9
0x010825ac
0x010825ae
0x010825b1
0x010825b2
0x010825b5
0x010825b8
0x010825bb
0x010825bc
0x010825bf
0x010825c2
0x010825c5
0x010825c6
0x010825cb
0x010825ce
0x010825d8
0x010825db
0x010825dd
0x010825de
0x010825e1
0x010825e3
0x010825e9
0x010826da
0x010826da
0x010826dd
0x010826e2
0x010c5b56
0x00000000
0x010826e8
0x010826f9
0x010826fb
0x010826fe
0x01082700
0x010c5b60
0x00000000
0x01082706
0x01082706
0x0108270a
0x0108270a
0x0108270d
0x01082713
0x01082716
0x01082718
0x0108271c
0x0108271e
0x010c5b6c
0x010c5b6f
0x010c5b7f
0x010c5b89
0x010c5b8e
0x010c5b93
0x010c5b96
0x010c5b9c
0x010c5ba0
0x010c5ba3
0x010c5bab
0x010c5bb0
0x010c5bb3
0x010c5bb3
0x010c5ba3
0x01082724
0x01082726
0x01082729
0x0108272c
0x0108279d
0x0108279d
0x010827a0
0x010827a2
0x00000000
0x0108272e
0x0108272e
0x01082731
0x01082734
0x01082734
0x01082736
0x010c5bc1
0x010c5bc1
0x010c5bc4
0x00000000
0x010c5bca
0x010c5bca
0x010c5bcd
0x00000000
0x010c5bd3
0x00000000
0x010c5bd3
0x010c5bcd
0x0108273c
0x0108273c
0x01082742
0x01082747
0x0108274a
0x0108274d
0x01082750
0x00000000
0x01082756
0x01082756
0x00000000
0x01082902
0x01082908
0x0108290b
0x00000000
0x01082911
0x0108291c
0x01082921
0x00000000
0x01082921
0x00000000
0x00000000
0x01082880
0x01082887
0x0108288c
0x00000000
0x00000000
0x01082805
0x0108280a
0x01082814
0x01082816
0x00000000
0x00000000
0x0108281e
0x01082821
0x01082823
0x00000000
0x01082829
0x01082829
0x01082831
0x0108283c
0x0108283e
0x00000000
0x0108283e
0x00000000
0x00000000
0x0108284e
0x01082850
0x01082851
0x01082854
0x01082857
0x0108285a
0x0108285c
0x0108285d
0x00000000
0x00000000
0x0108275d
0x01082761
0x00000000
0x01082767
0x0108276e
0x01082773
0x01082773
0x01082776
0x01082778
0x0108277e
0x0108277e
0x01082781
0x01082781
0x01082783
0x01082784
0x00000000
0x00000000
0x010c5bd8
0x010c5bde
0x010c5be4
0x010c5be6
0x010c5be8
0x010c5be9
0x010c5bee
0x010c5bf8
0x010c5bff
0x010c5c01
0x010c5c04
0x010c5c07
0x010c5c0b
0x010c5c0d
0x010c5c0d
0x010c5c15
0x010c5c18
0x010c5c1b
0x010c5c1b
0x010c5c1e
0x00000000
0x00000000
0x010828c3
0x010828c8
0x010828d2
0x010828d4
0x010828d8
0x010828db
0x010c5c26
0x010c5c28
0x010c5c2d
0x010c5c2d
0x00000000
0x00000000
0x010c5c34
0x010c5c36
0x010c5c49
0x010c5c4e
0x010c5c54
0x010c5c5b
0x010c5c5d
0x010c5c60
0x01082788
0x01082788
0x0108278b
0x0108278e
0x0108278e
0x0108278e
0x01082791
0x00000000
0x00000000
0x01082756
0x01082750
0x00000000
0x01082794
0x01082794
0x01082795
0x01082798
0x01082798
0x00000000
0x01082734
0x0108272c
0x01082700
0x010825ef
0x010825ef
0x010825ef
0x010825f2
0x010825f8
0x00000000
0x00000000
0x010825fe
0x00000000
0x010828e6
0x010828ec
0x010828ef
0x010828f5
0x010828f8
0x010828f8
0x00000000
0x010828f8
0x00000000
0x00000000
0x01082866
0x01082866
0x01082876
0x01082879
0x00000000
0x00000000
0x010827e0
0x010827e7
0x010827e9
0x010827eb
0x010c5afd
0x00000000
0x010c5afd
0x00000000
0x00000000
0x01082633
0x01082638
0x0108263b
0x0108263c
0x0108263e
0x01082640
0x01082642
0x01082647
0x01082649
0x0108264e
0x01082650
0x01082653
0x01082659
0x010826a2
0x010826a7
0x010826ac
0x010826b2
0x010c5b11
0x010c5b15
0x010c5b17
0x00000000
0x010826b8
0x010826b8
0x010826ba
0x010827a6
0x010827a6
0x010827a9
0x010827ab
0x010827b9
0x010827b9
0x010827be
0x010827c1
0x010827c3
0x010827c5
0x010827c7
0x010c5c74
0x010c5c79
0x010c5c79
0x010827c7
0x00000000
0x010826c0
0x010826c0
0x010826c3
0x010826c6
0x010826c6
0x010826c9
0x010826c9
0x00000000
0x010826c9
0x010826ba
0x0108265b
0x0108265b
0x0108265e
0x01082667
0x0108266d
0x01082677
0x0108267c
0x0108267f
0x01082681
0x010c5b49
0x010c5b4e
0x010827cd
0x010827d0
0x010827d1
0x010827d2
0x010827d4
0x010827dd
0x01082687
0x01082687
0x0108268a
0x0108268b
0x0108268e
0x0108268f
0x01082691
0x01082696
0x01082698
0x0108269d
0x0108269f
0x00000000
0x0108269f
0x01082681
0x00000000
0x00000000
0x01082846
0x00000000
0x00000000
0x01082605
0x0108260a
0x0108260c
0x01082611
0x01082616
0x01082619
0x01082619
0x0108261e
0x00000000
0x01082624
0x01082627
0x01082627
0x00000000
0x00000000
0x010c5b1f
0x00000000
0x00000000
0x01082894
0x0108289b
0x0108289d
0x010828a1
0x010c5b2b
0x010c5b2e
0x010c5b2e
0x010828a7
0x010828a9
0x010c5b04
0x010c5b09
0x010c5b09
0x010c5b09
0x00000000
0x00000000
0x010c5b35
0x010c5b3c
0x010828fb
0x010828fb
0x010826cc
0x010826cc
0x010826d0
0x00000000
0x010826d2
0x010826d2
0x00000000
0x010826d2
0x00000000
0x00000000
0x010825fe
0x0108292d
0x0108292f
0x01082930
0x01082935
0x01082937
0x01082939
0x0108293c
0x0108293e
0x0108293f
0x01082941
0x01082945
0x01082946
0x01082948
0x0108294e
0x01082951
0x01082951
0x01082952
0x01082954
0x0108295a
0x0108295c
0x01082962
0x01082963
0x01082965
0x01082966
0x01082968
0x0108296b
0x0108296e
0x0108296f
0x01082971
0x01082974
0x0108297d
0x0108297e
0x0108297f
0x01082980
0x01082981
0x01082982
0x01082983
0x01082984
0x01082985
0x01082986
0x01082987
0x01082988
0x01082989
0x0108298a
0x0108298b
0x0108298c
0x0108298d
0x0108298e
0x0108298f
0x01082990
0x01082992
0x01082997
0x010829a3
0x010829a6
0x010829ab
0x010829ad
0x010829b0
0x010829b2
0x010c5c80
0x010829b8
0x010829b8
0x010829bb
0x010829c0
0x010829c5
0x010829c6
0x010829c6
0x010829c9
0x010829cb
0x00000000
0x00000000
0x010829cd
0x010829d0
0x010829d9
0x010829db
0x010829dd
0x01082a7f
0x01082a84
0x01082a87
0x01082a89
0x010c5ca1
0x010c5ca3
0x00000000
0x01082a8f
0x01082a8f
0x00000000
0x01082a8f
0x00000000
0x010829e3
0x010829e3
0x010829e3
0x00000000
0x010829e3
0x010829dd
0x00000000
0x010829db
0x010829e6
0x010829e9
0x010829eb
0x010829ed
0x010829f3
0x010829f5
0x010829f8
0x010829fa
0x01082a97
0x01082a9a
0x01082a9d
0x01082add
0x00000000
0x01082a9f
0x01082aa2
0x01082aa5
0x01082aa8
0x01082aab
0x010c5cab
0x010c5caf
0x010c5cc5
0x010c5cda
0x010c5cdc
0x010c5cdf
0x010c5ce5
0x00000000
0x010c5ceb
0x010c5ced
0x010c5cee
0x00000000
0x010c5cee
0x010c5cb1
0x010c5cb4
0x010c5cb9
0x010c5cbb
0x00000000
0x010c5cbd
0x010c5cbd
0x00000000
0x010c5cbd
0x010c5cbb
0x01082ab1
0x01082ab1
0x01082ac4
0x01082ac6
0x01082ac6
0x00000000
0x01082ac6
0x01082aab
0x00000000
0x01082a00
0x01082a09
0x01082a0e
0x01082a21
0x01082a24
0x01082a35
0x01082a3a
0x01082a3d
0x01082a42
0x01082a59
0x01082a59
0x01082a5c
0x01082a5f
0x01082a5f
0x010829fa
0x010829f3
0x01082a64
0x01082a64
0x01082a6b
0x01082a6b
0x01082a6d
0x01082a72
0x01082a72
0x00000000

Strings

PATH, xrefs: 01082642, 01082691

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 28d30171445154ccaa31a5891efe33af64536669ed162ba9a8214bd80a7268a2
Instruction ID: 2347f85a0e4a21711cc590372b32cf0c272e66f25eb18e1f083ffd217d07e119
Opcode Fuzzy Hash: 28d30171445154ccaa31a5891efe33af64536669ed162ba9a8214bd80a7268a2
Instruction Fuzzy Hash: 78C1AF75E04219EBDB25EF99D880BEEBBF5FF48750F484029E9C1AB250D734A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0108FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0108FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0106EEF0(0x1147b60);
					_t134 =  *0x1147b84; // 0x771a7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1147b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1147b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E01066D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E010676E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E010F8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0105B150();
													}
													_t116 = E010F6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E010675CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1148638; // 0x0
																	_t122 = L010638A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E010676E2(_t154);
																			goto L41;
																		}
																	} else {
																		E010676E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0108FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L010670F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0108FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0108FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0108FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0108FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0108FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1147b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1147b84 = _t75;
						_t73 = E0106EB70(_t134, 0x1147b60);
						if( *0x1147b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0106FF60( *0x1147b20);
							}
						}
						goto L5;
					}
				}
			}

0x0108fab0
0x0108fab2
0x0108fab3
0x0108fab4
0x0108fabc
0x0108fac0
0x0108fb14
0x0108fb17
0x0108fac2
0x0108fac8
0x0108facd
0x0108fad3
0x0108fad3
0x0108fadd
0x0108fb18
0x0108fb1b
0x0108fb1d
0x0108fb1e
0x0108fb1f
0x0108fb20
0x0108fb21
0x0108fb22
0x0108fb23
0x0108fb24
0x0108fb25
0x0108fb26
0x0108fb27
0x0108fb28
0x0108fb29
0x0108fb2a
0x0108fb2b
0x0108fb2c
0x0108fb2d
0x0108fb2e
0x0108fb2f
0x0108fb3a
0x0108fb3b
0x0108fb3e
0x0108fb41
0x0108fb44
0x0108fb47
0x0108fb4a
0x0108fb4d
0x0108fb53
0x010cbdcb
0x010cbdcb
0x0108fb59
0x0108fb5b
0x0108fb5b
0x0108fb5e
0x010cbdd5
0x010cbdd8
0x00000000
0x010cbdda
0x00000000
0x010cbdda
0x0108fb64
0x0108fb64
0x0108fb64
0x0108fb67
0x0108fb6e
0x0108fb70
0x0108fb72
0x00000000
0x0108fb78
0x0108fb7a
0x0108fb7a
0x0108fb7d
0x0108fb80
0x010cbddf
0x010cbde1
0x00000000
0x010cbde3
0x00000000
0x010cbde3
0x0108fb86
0x0108fb86
0x0108fb86
0x0108fb8b
0x0108fb90
0x0108fb92
0x0108fb94
0x0108fb9a
0x0108fb9b
0x0108fba1
0x010cbde8
0x010cbdeb
0x010cbded
0x010cbeb5
0x010cbeb5
0x010cbebb
0x010cbebd
0x010cbec3
0x010cbed2
0x010cbedd
0x010cbedd
0x010cbeed
0x00000000
0x010cbdf3
0x010cbdfe
0x010cbe06
0x010cbe0b
0x010cbe0d
0x010cbe0f
0x010cbe14
0x010cbe19
0x010cbe20
0x010cbe25
0x010cbe27
0x010cbe35
0x010cbe39
0x010cbe46
0x010cbe4f
0x010cbe54
0x010cbe56
0x010cbef8
0x010cbef8
0x00000000
0x010cbe5c
0x010cbe5c
0x010cbe60
0x00000000
0x010cbe66
0x010cbe66
0x010cbe7f
0x010cbe84
0x010cbe87
0x010cbe89
0x010cbe8b
0x010cbe99
0x010cbe9d
0x010cbea0
0x010cbeac
0x010cbeaf
0x010cbeb1
0x010cbeb3
0x010cbeb3
0x00000000
0x010cbea2
0x010cbea2
0x00000000
0x010cbea2
0x010cbe8d
0x010cbe8d
0x010cbe92
0x00000000
0x010cbe92
0x010cbe8b
0x010cbe60
0x010cbe3b
0x010cbe3b
0x010cbe3e
0x00000000
0x010cbe40
0x010cbe40
0x010cbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x010cbe44
0x010cbe3e
0x010cbe29
0x010cbe29
0x00000000
0x010cbe29
0x010cbe27
0x00000000
0x0108fba7
0x0108fba7
0x0108fbab
0x010cbf02
0x0108fbb1
0x0108fbb1
0x0108fbb8
0x0108fbbd
0x0108fbbd
0x0108fbbf
0x0108fbbf
0x0108fbc5
0x0108fbcb
0x0108fbf8
0x0108fbf8
0x0108fbfa
0x00000000
0x0108fc00
0x0108fc00
0x0108fc03
0x00000000
0x0108fc09
0x0108fc09
0x0108fc0f
0x0108fc15
0x0108fc23
0x0108fc23
0x0108fc25
0x0108fc27
0x0108fc75
0x0108fc7c
0x0108fc84
0x00000000
0x0108fc29
0x0108fc29
0x0108fc2d
0x0108fc30
0x010cbf0f
0x00000000
0x0108fc36
0x0108fc38
0x0108fc3b
0x0108fc41
0x010cbf17
0x010cbf19
0x010cbf48
0x010cbf4b
0x00000000
0x010cbf1b
0x010cbf22
0x010cbf24
0x010cbf26
0x00000000
0x010cbf2c
0x010cbf37
0x010cbf39
0x010cbf3b
0x00000000
0x010cbf41
0x010cbf41
0x010cbf41
0x010cbf41
0x010cbf45
0x00000000
0x010cbf45
0x010cbf3b
0x010cbf26
0x00000000
0x0108fc47
0x0108fc47
0x0108fc49
0x0108fcb2
0x0108fcb4
0x0108fcb6
0x0108fcdc
0x0108fcdc
0x00000000
0x0108fcb8
0x0108fcc3
0x0108fcc5
0x0108fcc7
0x00000000
0x0108fcc9
0x0108fcc9
0x0108fccd
0x00000000
0x0108fccd
0x0108fcc7
0x00000000
0x0108fc4b
0x0108fc4b
0x0108fc4e
0x0108fc4e
0x0108fc51
0x0108fc51
0x0108fc54
0x0108fc5a
0x0108fc5c
0x0108fc5f
0x0108fc61
0x0108fc63
0x0108fc65
0x0108fc67
0x0108fc6e
0x0108fc72
0x0108fc72
0x0108fc72
0x0108fc72
0x0108fc67
0x0108fc61
0x00000000
0x0108fc5a
0x0108fc49
0x0108fc41
0x0108fc30
0x0108fc27
0x0108fc03
0x0108fbcd
0x0108fbd3
0x0108fbd9
0x0108fbdc
0x0108fbde
0x0108fc99
0x0108fc9b
0x0108fc9d
0x0108fcd5
0x0108fcd5
0x0108fc89
0x0108fc89
0x00000000
0x0108fc9f
0x0108fc9f
0x0108fca3
0x00000000
0x0108fca3
0x00000000
0x0108fbe4
0x0108fbe4
0x0108fbe4
0x0108fbe4
0x0108fbe9
0x0108fbf2
0x00000000
0x0108fbf2
0x0108fbde
0x0108fbcb
0x0108fbab
0x0108fc8b
0x0108fc8b
0x0108fc8c
0x0108fb80
0x0108fb72
0x0108fb5e
0x0108fc8d
0x0108fc91
0x0108fadf
0x0108fadf
0x0108fae1
0x0108fae4
0x0108fae7
0x0108faec
0x0108faf8
0x0108fb00
0x0108fb07
0x0108fb0f
0x0108fb0f
0x0108fb07
0x00000000
0x0108faf8
0x0108fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 010CBE0F

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 0f834f10afcdd1d5f55ace8ec974e1301320f347c7e5c2f1287ec76f2f613ac9
Instruction ID: 821004c34a6b5e948e1315f39f759ce98dd82dbdbfb250e6e14d2ace110fe857
Opcode Fuzzy Hash: 0f834f10afcdd1d5f55ace8ec974e1301320f347c7e5c2f1287ec76f2f613ac9
Instruction Fuzzy Hash: 85A1F371B0460B8BEB65EB78C4507AEB7E5AB44B50F0445BDEAC6CB681DB30D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01052D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E01052D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1145350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1147bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E010997C0();
				}
				if( *0x11479c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x11479c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01081624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01077D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E010EFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01099520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0108E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L010ADF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1146901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1146901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01099980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E010995D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01077D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01077D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E010D7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E010EFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1145350;
							if(_t109 != 0x1145350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E010EFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E010E5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x01052d8a
0x01052d8a
0x01052d92
0x01052d96
0x01052d9e
0x01052da0
0x01052da3
0x01052da5
0x01052da8
0x01052dab
0x01052db2
0x010af9aa
0x010af9ab
0x010af9ae
0x010af9ae
0x01052db8
0x01052dc2
0x010af9b9
0x010af9be
0x010af9bf
0x010af9bf
0x01052dcf
0x010af9c9
0x01052dd5
0x01052dd5
0x01052dd5
0x01052dde
0x01052de1
0x01052e70
0x01052e72
0x01052e72
0x01052de7
0x01052deb
0x01052e7c
0x01052e83
0x01052e85
0x01052e8b
0x01052e8d
0x01052e92
0x01052e92
0x01052e85
0x01052df1
0x01052df7
0x01052df9
0x01052df9
0x01052dfc
0x01052dff
0x01052e02
0x00000000
0x01052e05
0x01052e0c
0x010af9d9
0x01052e12
0x01052e12
0x01052e12
0x01052e1a
0x010af9e3
0x010af9e9
0x010af9f0
0x010af9f6
0x010af9f8
0x010af9f8
0x010af9f0
0x01052e23
0x010afa02
0x010afa03
0x010afa05
0x010afa06
0x00000000
0x01052e29
0x01052e29
0x01052e2e
0x01052e34
0x01052e3e
0x00000000
0x00000000
0x01052e44
0x01052e47
0x01052e4d
0x00000000
0x00000000
0x01052e4f
0x01052e54
0x00000000
0x00000000
0x01052e5a
0x01052e5f
0x01052e9a
0x01052ea4
0x01052ea5
0x01052ea8
0x01052eaf
0x01052eb2
0x01052eb5
0x010afae9
0x010afaeb
0x010afaed
0x010afaef
0x010afaf7
0x010afaf8
0x010afafd
0x010afaff
0x010afb04
0x010afb04
0x010afaff
0x01052ec0
0x01052ec4
0x01052ec6
0x01052ec8
0x010afb14
0x010afb18
0x010afb1e
0x010afb21
0x010afb21
0x01052ece
0x01052ece
0x01052ece
0x01052ed7
0x01052e61
0x01052e63
0x010afa6b
0x010afa71
0x010afa76
0x010afa78
0x010afa8a
0x010afa7a
0x010afa83
0x010afa83
0x010afa8f
0x010afa91
0x010afa97
0x010afa9d
0x010afaa4
0x010afaaa
0x010afaaf
0x010afab1
0x010afac3
0x010afab3
0x010afabc
0x010afabc
0x010afac8
0x010afacb
0x010afadf
0x010afadf
0x010afacb
0x010afaa4
0x010afa91
0x01052e6f
0x01052e6f
0x01052e5f
0x010afa13
0x010afa15
0x010afa17
0x010afa1f
0x010afa21
0x010afa22
0x010afa25
0x010afa28
0x010afa2f
0x010afa2f
0x010afa2a
0x010afa2a
0x010afa2a
0x010afa31
0x010afa34
0x010afa36
0x010afa3c
0x010afa3e
0x010afa41
0x010afa43
0x010afa45
0x010afa45
0x010afa41
0x010afa3c
0x010afa4a
0x010afa4f
0x010afa51
0x010afa53
0x010afa56
0x010afa5b
0x010afa5e
0x00000000
0x010afa5e
0x01052e23

Strings

RTL: Re-Waiting, xrefs: 010AFA4A

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: a8ba35436b341215be5274abb1f0c9891d69fedd2649f1bcec968a5cb2ef1d1d
Instruction ID: 61b81c8c2f11542a9cda6101b9f370cd7a3caa0e553d806484cb838798d45ceb
Opcode Fuzzy Hash: a8ba35436b341215be5274abb1f0c9891d69fedd2649f1bcec968a5cb2ef1d1d
Instruction Fuzzy Hash: AC613371A00646DFEBB2EBACC894BBF7BE5EF44714F1402A9D9D19B2C1C73099418791

Uniqueness

Uniqueness Score: -1.00%

Function 0108F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0108F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01074120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01099830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01099990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E010995D0();
							goto L11;
						} else {
							_t109 = E01074620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0109F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E010995D0();
										L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0108f0d3
0x0108f0d9
0x0108f0e0
0x0108f0e7
0x0108f0f2
0x0108f0f4
0x0108f0f8
0x0108f100
0x0108f108
0x0108f10d
0x0108f115
0x0108f116
0x0108f11f
0x0108f123
0x0108f124
0x0108f12c
0x0108f130
0x0108f134
0x0108f13d
0x0108f144
0x0108f14b
0x0108f152
0x010cbab0
0x010cbab0
0x0108f158
0x0108f158
0x0108f15a
0x0108f160
0x0108f165
0x0108f166
0x0108f16f
0x0108f173
0x010cbaa7
0x010cbaa7
0x010cbaab
0x00000000
0x0108f179
0x0108f18d
0x0108f191
0x010cbaa2
0x00000000
0x0108f197
0x0108f19b
0x0108f1a2
0x0108f1a9
0x0108f1af
0x0108f1b2
0x0108f1b6
0x0108f1b9
0x0108f1c4
0x0108f1d8
0x0108f1df
0x0108f1e3
0x0108f1eb
0x0108f1ee
0x0108f1f4
0x0108f20f
0x010cbab7
0x010cbabb
0x010cbacc
0x010cbad1
0x0108f215
0x0108f218
0x0108f226
0x0108f22b
0x00000000
0x0108f22b
0x0108f1f6
0x0108f1f6
0x0108f1f9
0x0108f1fb
0x0108f1fb
0x0108f1f4
0x0108f191
0x0108f173
0x0108f152
0x0108f203

Strings

@, xrefs: 0108F124

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 244444b1f3223ae3d91698740cd509571a410ec3b4c4981a41e72fd3155cdee6
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 59515971604711ABC321DF29C841A6BBBF8FF58B50F00892EFAD597690E7B4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010D3540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E010D3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x114d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01090BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E010D3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0109FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E010D3540;
						E0109FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E010ADDD0( &_v1072, _t75, _t79, _t80, _t81);
						E010E0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E010997C0();
					}
					return E0109B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E010D3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E010D3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0109FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01099650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E010D3787(_a4,  &_v352, _t80);
						}
					}
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E010995D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x010d3552
0x010d355a
0x010d355d
0x010d3566
0x010d3567
0x010d357e
0x010d358f
0x010d35a1
0x010d35a5
0x010d366b
0x010d366b
0x010d366d
0x010d3672
0x010d3679
0x010d3685
0x010d368d
0x010d369d
0x010d36a7
0x010d36b8
0x010d36c6
0x010d36c7
0x010d36dc
0x010d36e1
0x010d36e7
0x010d36e9
0x010d36e9
0x010d3703
0x010d3703
0x010d35b5
0x010d35c0
0x010d35c4
0x00000000
0x00000000
0x010d35ca
0x010d35d7
0x010d35e2
0x010d35e6
0x010d35e8
0x010d35f5
0x010d35fa
0x010d3603
0x010d3604
0x010d3609
0x010d360a
0x010d3612
0x010d3613
0x010d361e
0x010d3622
0x010d3628
0x010d362f
0x010d362f
0x010d3636
0x010d3638
0x010d363b
0x010d3642
0x010d3642
0x010d3636
0x010d3657
0x010d3657
0x010d365c
0x010d3662
0x010d3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 010D358F

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 162a95c70ca5c3a0104448b980adefa10d47cc1c48ee9fb9816b51e0a6174996
Instruction ID: a8df97c0dca0e74ac48bcc4c4587a73d6e94d9555d87e344c0c1b57e0810da5e
Opcode Fuzzy Hash: 162a95c70ca5c3a0104448b980adefa10d47cc1c48ee9fb9816b51e0a6174996
Instruction Fuzzy Hash: 534131F2D0062D9BDF219A50CC85FEEB77CAB54714F0085E5EA49AB240DB319E88CF95

Uniqueness

Uniqueness Score: -1.00%

Function 011205AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E011205AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E011207DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01099730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0111A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0111A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01121293(_t79, _v40, E011207DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E01077D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0111138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x011205c5
0x011205ca
0x011205d3
0x011206db
0x011206db
0x011206dd
0x011206e3
0x011206e3
0x011205dd
0x011205e7
0x011205f6
0x01120600
0x01120607
0x01120610
0x01120615
0x0112061a
0x0112061c
0x0112061e
0x01120624
0x01120625
0x01120627
0x01120628
0x01120631
0x01120640
0x0112064d
0x01120654
0x01120654
0x01120631
0x0112066d
0x01120674
0x00000000
0x00000000
0x01120692
0x0112069e
0x011206b0
0x011206a0
0x011206a9
0x011206a9
0x011206b8
0x011206d6
0x011206d6
0x00000000

Strings

`, xrefs: 01120633

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 308655cdfefe0a2bcf838b01afb82ac1ad90bb636a419d9826481f0d7444af7b
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: BB3124323003566BE724DE28CD44F9BBBE9EBC8754F144228FA449B280E770E924C791

Uniqueness

Uniqueness Score: -1.00%

Function 01084020 Relevance: 1.4, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01084020(intOrPtr* _a4) {
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _t43;
				char _t70;
				intOrPtr _t77;
				intOrPtr* _t79;

				_t79 = _a4;
				_t70 = 0;
				_t77 =  *[fs:0x30];
				_v32 = 0;
				_v28 = 0;
				_v12 = 0;
				 *((intOrPtr*)(_t79 + 4)) =  *((intOrPtr*)(_t77 + 0xa4));
				 *((intOrPtr*)(_t79 + 8)) =  *((intOrPtr*)(_t77 + 0xa8));
				 *(_t79 + 0xc) =  *(_t77 + 0xac) & 0x0000ffff;
				 *((intOrPtr*)(_t79 + 0x10)) =  *((intOrPtr*)(_t77 + 0xb0));
				_t43 =  *((intOrPtr*)(_t77 + 0x1f4));
				if(_t43 == 0 ||  *_t43 == 0) {
					 *((short*)(_t79 + 0x14)) = 0;
				} else {
					if(E01064921(_t79 + 0x14, 0x100, _t43) < 0) {
						 *((short*)(_t79 + 0x14)) = 0;
					}
					_t70 = 0;
				}
				if( *_t79 != 0x11c) {
					if( *_t79 != 0x124) {
						goto L10;
					}
					goto L4;
				} else {
					L4:
					 *((short*)(_t79 + 0x114)) =  *(_t77 + 0xaf) & 0x000000ff;
					 *(_t79 + 0x116) =  *(_t77 + 0xae) & 0x000000ff;
					 *(_t79 + 0x118) = E01084190();
					if( *_t79 == 0x124) {
						 *(_t79 + 0x11c) = E01084190() & 0x0001ffff;
					}
					 *((char*)(_t79 + 0x11a)) = _t70;
					if(E01084710( &_v16) != 0) {
						 *((char*)(_t79 + 0x11a)) = _v16;
					}
					E0109BB40(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
					_push( &_v24);
					_push(4);
					_push( &_v12);
					_push( &_v20);
					_push( &_v32);
					if(E0109A9B0() < 0) {
						L10:
						return 0;
					} else {
						if(_v12 == 1) {
							if(_v20 != 4 || _v24 != 4) {
								goto L9;
							} else {
								goto L10;
							}
						}
						L9:
						 *(_t79 + 0x118) =  *(_t79 + 0x118) & 0x0000ffef | 0x00000100;
						if( *_t79 == 0x124) {
							 *(_t79 + 0x11c) =  *(_t79 + 0x11c) & 0xfffdffef | 0x00000100;
						}
						goto L10;
					}
				}
			}

0x0108402a
0x0108402d
0x01084030
0x0108403c
0x0108403f
0x01084042
0x0108404b
0x01084054
0x0108405e
0x01084067
0x0108406a
0x01084072
0x0108407f
0x010c63db
0x010c63e8
0x010c63ec
0x010c63ec
0x010c63f0
0x010c63f0
0x01084089
0x0108414e
0x00000000
0x00000000
0x00000000
0x0108408f
0x0108408f
0x0108409b
0x010840ac
0x010840bd
0x010840c6
0x0108415f
0x0108415f
0x010840cf
0x010840dd
0x010840e2
0x010840e2
0x010840f1
0x010840f9
0x010840fa
0x010840ff
0x01084103
0x01084107
0x0108410f
0x0108413f
0x01084145
0x01084111
0x01084115
0x010c63fb
0x00000000
0x010c640b
0x00000000
0x010c640b
0x010c63fb
0x0108411b
0x01084132
0x0108413b
0x01084177
0x01084177
0x00000000
0x0108413b
0x0108410f

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 010840E8

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: d26a93a2615a0990b96cec31ff007fd0e24f76fe25de581c12121b252b5524bc
Instruction ID: 247284a1e67d37fbb8fec76c64397aff663166d1887db5dbb4d8fe47d61add03
Opcode Fuzzy Hash: d26a93a2615a0990b96cec31ff007fd0e24f76fe25de581c12121b252b5524bc
Instruction Fuzzy Hash: 27416075A047469ADB25AFA8C4407EBFBF8AF55700F00496ED6DAC3240E334A545CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010D3884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E010D3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01099650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = E01074620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01099650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x010d3893
0x010d3896
0x010d3899
0x010d389f
0x010d38a0
0x010d38a4
0x010d38a9
0x010d38ac
0x010d38ad
0x010d38ae
0x010d38af
0x010d38b1
0x010d38b4
0x010d38bb
0x010d38bc
0x010d38bd
0x010d38c4
0x010d38c8
0x010d38ca
0x010d38ca
0x010d38d5
0x010d393e
0x010d3940
0x010d3942
0x010d3952
0x010d3954
0x010d3961
0x010d3961
0x010d3967
0x010d396e
0x010d396e
0x010d3947
0x010d394c
0x00000000
0x010d394c
0x010d38ea
0x010d38ee
0x010d38f8
0x010d38f9
0x010d38ff
0x010d3900
0x010d3902
0x010d3903
0x010d390b
0x010d390f
0x010d3950
0x00000000
0x010d3950
0x010d3915
0x010d391d
0x010d391d
0x010d3922
0x010d3926
0x00000000
0x010d3928
0x010d392b
0x010d392b
0x010d3935
0x010d3937
0x010d3937
0x00000000
0x010d3935
0x010d3926
0x010d38f0
0x00000000

Strings

BinaryName, xrefs: 010D38B4

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 90ef0391a109723288a5c0fdd60cbb1274b0298487f0c1aeb40082aa0f5d10c7
Instruction ID: d7ff9cd2312bf33a3aa796e70cd57f313a3c8949890f4790a5f0342e456d690c
Opcode Fuzzy Hash: 90ef0391a109723288a5c0fdd60cbb1274b0298487f0c1aeb40082aa0f5d10c7
Instruction Fuzzy Hash: 3031E8B2D0171AAFDB15DB58C945DAFF7B4FB44720F014169E994AB250D7319E00C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0108D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0108D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x114d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01074120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0109B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E010998D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E010995D0();
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0108d29c
0x0108d2a6
0x0108d2b1
0x0108d2b5
0x0108d2b6
0x0108d2bc
0x0108d2bd
0x0108d2be
0x0108d2bf
0x0108d2c2
0x0108d2c4
0x0108d2cc
0x0108d384
0x0108d34b
0x0108d34f
0x0108d350
0x0108d351
0x0108d35c
0x0108d35c
0x0108d2d6
0x0108d2da
0x0108d2e1
0x0108d361
0x0108d369
0x0108d36d
0x0108d2e3
0x0108d2e3
0x0108d2e3
0x0108d2e5
0x0108d2ed
0x0108d2f5
0x0108d2fa
0x0108d302
0x0108d303
0x0108d30b
0x0108d30f
0x0108d313
0x0108d318
0x0108d31c
0x0108d320
0x0108d379
0x0108d37d
0x00000000
0x00000000
0x010caffe
0x010cb001
0x010cb011
0x00000000
0x0108d322
0x0108d322
0x0108d330
0x0108d337
0x0108d35d
0x0108d339
0x0108d33f
0x0108d38c
0x0108d38c
0x0108d33f
0x0108d349
0x00000000
0x0108d349

Strings

@, xrefs: 0108D303

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: fd600cf6f23b21e757ba2c4687a3a7173c8422f3453d70c429c3894e81412656
Instruction ID: 7b85fbd5cc2551a179206bd6b20e747f688502429cfff47c749535272b7de830
Opcode Fuzzy Hash: fd600cf6f23b21e757ba2c4687a3a7173c8422f3453d70c429c3894e81412656
Instruction Fuzzy Hash: B731B1B150C305AFC761EF68D8809AFBBE8FB95654F004A2EF9D493290D634DD05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 01061B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01061B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0109BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0109A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0109A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = E01074620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x01061b8f
0x01061b9a
0x01061b9c
0x01061b9e
0x01061ba3
0x010b7010
0x010b7010
0x00000000
0x01061ba9
0x01061ba9
0x01061bae
0x00000000
0x01061bc5
0x01061bca
0x01061bcf
0x01061bd0
0x01061bd1
0x01061bd2
0x01061bd6
0x01061bdc
0x01061be0
0x010b6ffc
0x010b7000
0x00000000
0x010b7006
0x010b7009
0x010b7009
0x01061be6
0x01061bec
0x01061c0b
0x01061c0b
0x01061c0c
0x01061c11
0x01061c12
0x01061c15
0x01061c1b
0x01061c1f
0x01061c31
0x01061c33
0x010b7026
0x010b7026
0x01061c21
0x01061c24
0x01061c24
0x01061bee
0x01061bee
0x01061bf2
0x01061c3a
0x01061bf4
0x01061bf4
0x01061c05
0x01061c05
0x01061c09
0x01061c3e
0x00000000
0x00000000
0x00000000
0x01061c09
0x01061bec
0x01061be0
0x01061bae
0x01061c2e

Strings

WindowsExcludedProcs, xrefs: 01061BC5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: cd5bd8399ca9d69e80d8dfda9ddeebd635a7aab0ee63c6eb99dc5aebcb3c89bc
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 8C210A3650151DEBDB229A59C880F9FBBADEFC4760F054466FE849B204D631DD00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01108DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01108DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1130d50);
				E010AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E010E5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L010ADEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L010ADEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E010AD130(_t34, _t39, _t40);
			}

0x01108df1
0x01108df1
0x01108df1
0x01108df1
0x01108df1
0x01108df1
0x01108df3
0x01108df8
0x01108dfd
0x01108e00
0x01108e0e
0x01108e2a
0x01108e36
0x01108e38
0x01108e3c
0x01108e46
0x01108e46
0x01108e36
0x01108e50
0x01108e56
0x01108e59
0x01108e5c
0x01108e60
0x01108e67
0x01108e6d
0x01108e73
0x01108e74
0x01108eb1
0x01108ebd

Strings

Critical error detected %lx, xrefs: 01108E21

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: ed1a011cfc916e39071600508b37c7fc8cd29d10bcdf1a1ba6fa597e09060b4c
Instruction ID: cd14ab7d8edec6f6022cb98b52b4a819fba37c36d66cd9a096555cb03b3aee51
Opcode Fuzzy Hash: ed1a011cfc916e39071600508b37c7fc8cd29d10bcdf1a1ba6fa597e09060b4c
Instruction Fuzzy Hash: 351179B5D54348DADB29DFE889057DDBBB0BB14314F20421DE1A86B282C7700A01CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01125BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01125BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1131178);
				E010AD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01124C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0109D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01125542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x11460e8;
								if( *0x11460e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x11460e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01099710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01096DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0109F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0109F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0109F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0109FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0109FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0109F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0109F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01124CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E010AD130(_t427, _t494, _t511);
				}
			}

0x01125ba5
0x01125baa
0x01125baf
0x01125bb4
0x01125bb6
0x01125bbc
0x01125bbe
0x01125bc4
0x01125bcd
0x01125bd3
0x01125bd6
0x01125bdc
0x01125be0
0x01125be3
0x01125beb
0x01125bf2
0x01125bf8
0x01125bfe
0x01125c04
0x01125c0e
0x01125c18
0x01125c1f
0x01125c25
0x01125c2a
0x01125c2c
0x01125c32
0x01125c3a
0x01125c3f
0x01125c42
0x01125c48
0x01125c5b
0x01125c5b
0x01125c2c
0x01125cb7
0x01125cb9
0x01125cbf
0x01125cc2
0x01125cca
0x01125ccb
0x01125ccb
0x01125cd1
0x01125cd7
0x01125cda
0x01125ce1
0x01125ce4
0x01125ce7
0x01125ced
0x01125cf3
0x01125cf9
0x01125cff
0x01125d08
0x01125d0a
0x01125d0e
0x01125d10
0x00000000
0x00000000
0x01125d16
0x01125d1a
0x00000000
0x00000000
0x01125d20
0x01125d22
0x01125d25
0x01125d2f
0x01125d2f
0x01125d33
0x01125d3d
0x01125d49
0x01125d4b
0x00000000
0x00000000
0x01125d5a
0x01125d5d
0x01125d60
0x00000000
0x00000000
0x01125d66
0x01125d69
0x00000000
0x00000000
0x01125d6f
0x01125d6f
0x01125d73
0x01125d79
0x01125d7f
0x01125d86
0x01125d95
0x01125d98
0x01125dba
0x01125dcb
0x01125dce
0x01125dd3
0x01125dd6
0x01125dd8
0x01125de6
0x01125dec
0x01125dee
0x01125df1
0x01125df3
0x0112635a
0x0112635a
0x00000000
0x0112635a
0x01125dfe
0x01125e02
0x01125e05
0x01125e07
0x01125e10
0x01125e13
0x01125e1b
0x01125e1c
0x01125e21
0x01125e22
0x01125e23
0x01125e25
0x01125e2a
0x01125e2c
0x01125e2e
0x01125e36
0x01125e39
0x01125e42
0x01125e47
0x01125e4d
0x01125e54
0x01125e54
0x01125e54
0x01125e2e
0x01125e5c
0x01125e5f
0x01125e62
0x01125e64
0x01125e6b
0x01125e70
0x01125e7a
0x01125e7a
0x01125e7a
0x01125e6b
0x01125e7e
0x01125e7f
0x01125e7f
0x01125e81
0x01125e87
0x01125e8b
0x01125e8c
0x01125e8c
0x01125e8c
0x01125e9a
0x01125e9c
0x01125ea2
0x01125ea6
0x01125f50
0x01125f50
0x01125f57
0x01125f66
0x01125f66
0x01125f66
0x01125f68
0x01125f6a
0x011263d0
0x00000000
0x01125f70
0x01125f70
0x01125f91
0x01125f9c
0x01125f9e
0x01125fa4
0x01125fa6
0x0112638c
0x01126392
0x011263a1
0x011263a7
0x011263af
0x011263af
0x011263bd
0x011263d8
0x00000000
0x011263d8
0x01125fac
0x01125fb2
0x01125fb4
0x01125fbd
0x01125fc6
0x01125fce
0x01125fd4
0x01125fdc
0x01125fec
0x01125fed
0x01125fee
0x01125fef
0x01125ff9
0x01125ffa
0x01125ffb
0x01125ffc
0x01126000
0x01126004
0x01126012
0x01126012
0x01126018
0x01126019
0x0112601a
0x0112601b
0x0112601c
0x01126020
0x01126059
0x0112605c
0x01126061
0x01126061
0x01126022
0x01126022
0x01126022
0x01126025
0x0112602a
0x0112602b
0x01126031
0x01126037
0x01126038
0x0112603e
0x01126048
0x01126049
0x0112604a
0x0112604b
0x0112604c
0x0112604d
0x01126053
0x01126054
0x01126054
0x01126062
0x01126065
0x01126067
0x0112606a
0x01126070
0x01126075
0x01126076
0x01126081
0x01126087
0x01126095
0x01126099
0x0112609e
0x011260a4
0x011260ae
0x011260b0
0x011260b3
0x011260b6
0x011260b8
0x011260ba
0x011260ba
0x011260ba
0x011260ba
0x011260be
0x011260c0
0x011260c5
0x011260c5
0x011260c5
0x011260c6
0x011260cd
0x01126114
0x011260cf
0x011260cf
0x011260d4
0x011260d5
0x011260da
0x011260db
0x011260e1
0x011260e2
0x011260e8
0x011260f8
0x011260fd
0x011260fe
0x01126102
0x01126104
0x01126107
0x01126109
0x0112610b
0x0112610b
0x0112610b
0x0112610b
0x0112610f
0x0112610f
0x01126117
0x0112611a
0x0112611f
0x01126125
0x01126134
0x01126139
0x0112613f
0x01126146
0x01126148
0x0112614b
0x0112614d
0x0112614f
0x0112614f
0x0112614f
0x0112614f
0x01126153
0x01126159
0x01126159
0x0112615c
0x01126163
0x01126169
0x0112616c
0x01126172
0x01126181
0x01126186
0x01126187
0x0112618b
0x01126191
0x01126195
0x011261a3
0x011261bb
0x011261c0
0x011261c3
0x011261cc
0x011261d0
0x011261dc
0x011261de
0x011261e1
0x011261e4
0x011261e6
0x011261e8
0x011261e8
0x011261e8
0x011261e8
0x011261e6
0x011261ec
0x011261f3
0x01126203
0x01126209
0x0112620a
0x01126216
0x0112621d
0x01126227
0x01126241
0x01126246
0x0112624c
0x01126257
0x01126259
0x0112625c
0x0112625e
0x01126260
0x01126260
0x01126260
0x01126260
0x0112625e
0x01126264
0x01126267
0x01126269
0x01126315
0x01126315
0x0112631b
0x0112631e
0x01126324
0x01126327
0x0112632f
0x01126330
0x01126333
0x0112633a
0x0112633c
0x01126335
0x01126335
0x01126335
0x0112633f
0x01126342
0x0112634c
0x01126352
0x01126355
0x01126355
0x01126359
0x00000000
0x0112626f
0x01126275
0x01126275
0x01126278
0x0112627e
0x0112627e
0x01126281
0x01126287
0x0112628d
0x01126298
0x0112629c
0x011262a2
0x0112629e
0x0112629e
0x0112629e
0x011262a7
0x011262a7
0x011262aa
0x011262b0
0x011262f0
0x011262f0
0x011262f2
0x011262f8
0x011262fd
0x011262b2
0x011262b2
0x011262b2
0x011262b5
0x011262dd
0x011262e2
0x011262e5
0x011262b7
0x011262b8
0x011262bb
0x011262bd
0x011262c0
0x011262c4
0x011262cd
0x011262cd
0x011262c0
0x011262bb
0x011262b5
0x01126302
0x01126303
0x01126305
0x01126305
0x01126305
0x0112630c
0x0112630c
0x00000000
0x0112627e
0x01126269
0x01125eac
0x01125ebb
0x01125ebe
0x01125ecb
0x01125ecb
0x01125ece
0x01125ece
0x01125ed4
0x01125ed7
0x01125ed9
0x01125edb
0x01125edb
0x01125ee1
0x01125ee1
0x01125ee3
0x01125f20
0x01125f20
0x01125ee5
0x01125ee5
0x01125ee5
0x01125ee8
0x01125f11
0x01125f18
0x01125eea
0x01125eea
0x01125eed
0x01125ef2
0x01125ef8
0x01125efb
0x01125f0a
0x01125f0a
0x01125eed
0x01125ee8
0x01125f22
0x01125f28
0x00000000
0x00000000
0x01125f30
0x01125f31
0x01125f37
0x01125f3a
0x01125f3d
0x01125f44
0x00000000
0x00000000
0x00000000
0x01125f46
0x01125f48
0x01125f4d
0x00000000
0x01125f4d
0x01125dda
0x01125ddf
0x00000000
0x01125ddf
0x01125dd8
0x01125da7
0x01125da9
0x01125dac
0x01125dae
0x00000000
0x01125db4
0x01125db4
0x00000000
0x01125db4
0x01125dae
0x01125d88
0x01125d8d
0x01126363
0x01126369
0x0112636a
0x01126370
0x01126372
0x0112637a
0x0112637b
0x0112637d
0x00000000
0x00000000
0x0112637f
0x01126385
0x00000000
0x01126385
0x01125d38
0x01125d3b
0x00000000
0x00000000
0x00000000
0x01125d3b
0x01125d27
0x01125d29
0x00000000
0x00000000
0x00000000
0x01126360
0x00000000
0x01126360
0x01125c10
0x01125c10
0x011263da
0x011263e5
0x011263e5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e1a97fcc5e10b64a1386d40dc4c06053d97cde4d56dde3d6c642d8da780857
Instruction ID: 0f7bbd39e5ab43b692110618b7155ba2b86a044edc654265971858232079edc4
Opcode Fuzzy Hash: 78e1a97fcc5e10b64a1386d40dc4c06053d97cde4d56dde3d6c642d8da780857
Instruction Fuzzy Hash: 9F425D75D00229CFDB68CF68C880BA9BBB1FF45304F1581AAD94DEB282E7349995CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01115A4F Relevance: .6, Instructions: 581
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E01115A4F(intOrPtr* __ecx, signed int __edx) {
				intOrPtr* _v8;
				signed int** _v12;
				unsigned int* _v16;
				signed int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				signed int** _t198;
				signed int* _t199;
				signed int _t201;
				signed int _t203;
				intOrPtr _t204;
				signed int _t213;
				char* _t215;
				signed int _t216;
				void* _t219;
				signed int _t228;
				signed int _t236;
				void* _t237;
				signed int _t245;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t268;
				void* _t271;
				intOrPtr _t280;
				intOrPtr* _t281;
				char* _t302;
				signed int _t307;
				intOrPtr* _t308;
				signed int _t309;
				intOrPtr* _t310;
				signed int _t316;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t330;
				intOrPtr _t335;
				signed int _t340;
				unsigned int _t348;
				signed int _t364;
				signed int _t380;
				signed char _t409;
				signed int* _t410;
				void* _t411;
				signed char _t412;
				signed int _t414;
				signed int _t425;
				signed char _t428;
				signed int* _t429;
				signed int _t434;
				signed char _t436;
				signed int* _t438;
				signed int* _t447;
				intOrPtr* _t451;
				signed int* _t452;
				signed int _t455;
				signed int _t456;
				intOrPtr _t457;
				intOrPtr* _t458;
				signed char* _t459;
				unsigned int* _t460;
				signed int _t461;
				signed int _t463;
				signed int _t464;
				signed char* _t465;
				void* _t466;
				void* _t468;
				signed int* _t469;
				void* _t491;

				_t451 = __ecx;
				_v44 = __edx;
				_v8 = __ecx;
				_t198 = __ecx + 4;
				_v12 = _t198;
				while(1) {
					L4:
					_t409 = 1;
					while(1) {
						L5:
						_t199 =  *_t198;
						_v28 = _t199;
						if(_t199 == 0) {
							goto L35;
						} else {
							_v24 = _v24 & 0x00000000;
							_t460 =  &(_t199[4]);
							_t335 =  *_t451;
							_v16 = _t460;
							_t11 = _t335 + 0xc; // 0x8b147989
							_t309 =  *_t11;
							if(( *_t460 >> 0x00000010 & 0x00008000) != 0) {
								_t14 = _t451 + 0x5c; // 0x0
								_t464 =  *_t14 & 0x0000ffff;
								_v24 = _t409;
								if((_t409 &  *(_t309 + 0x1bf + _t464 * 4)) == 0 && E0108F3FD(_t309,  *(_t309 + 0x1be + _t464 * 4) & 0x000000ff) >= 0) {
									 *(_t309 + 0x1bf + _t464 * 4) =  *(_t309 + 0x1bf + _t464 * 4) & 0x000000ff | 1;
									if(E01077D50() == 0) {
										_t302 = 0x7ffe0380;
									} else {
										_t302 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									if( *_t302 != 0 && ( *( *[fs:0x30] + 0x240) & 1) != 0) {
										E01111229( *((intOrPtr*)(_t309 + 0xc)),  *(_t309 + 0x1be + _t464 * 4) & 0x000000ff);
									}
								}
								_t460 = _v16;
							}
							asm("sbb eax, eax");
							_t414 = 0;
							_v32 = 0;
							goto L18;
						}
						L19:
						if(_t461 == 0) {
							L30:
							_t411 = 0;
							L31:
							if(_v24 != 0) {
								_t280 =  *0x1146244; // 0x0
								_t64 = _t280 + 1; // 0x1
								_t491 = _t64 -  *0x1146240; // 0x4
								if(_t491 < 0) {
									asm("lock cmpxchg [esi], ecx");
								}
							}
							if(_t411 != 0) {
								L134:
								return _t411;
							} else {
								goto L35;
							}
						}
						asm("lock cmpxchg [edi], ecx");
						_t451 = _v8;
						if(_t461 == _t461) {
							L23:
							if(_t461 == 0xffffffff) {
								goto L30;
							}
							_t281 = _v28;
							_t340 =  *((intOrPtr*)(_t281 + 4));
							_v20 = _t340;
							if(_t340 == 0 ||  *_t281 != _t451 || _t461 == 0) {
								 *_v16 = _t461;
							} else {
								_t49 = _t451 + 0x5c; // 0x0
								_t50 = ( *_t49 & 0x0000ffff) + 0x103b800; // 0x20202020
								_t455 = E0111A600(_v20 + 0x14,  *((E0105774A(_t340) & 0x0000ffff) + 0x1146120) & 0x000000ff,  *_t50 & 0x000000ff);
								_t463 = _v20;
								 *_v16 = (_t461 & 0x0000ffff) - 0x00000001 | _t455 << 0x00000010;
								_t55 = _t463 + 0x10; // 0x8b0c244c
								_t348 =  *_t55 ^  *0x114874c ^ _t463 ^ _t309;
								_t451 = _v8;
								_t411 = (_t348 & 0x0000ffff) + (_t348 >> 0x10) * _t455 + _t463;
								if(( *(_t411 + 7) & 0x0000003f) == 0) {
									goto L31;
								}
								_push(_t348);
								_push(0);
								E0111A80D( *((intOrPtr*)( *((intOrPtr*)( *_t451 + 0xc)) + 0xc)), 0xf, _t411, 0);
							}
							goto L30;
						}
						L21:
						_t414 = _t414 + 1;
						if(_t414 <= _v32) {
							_t460 = _v16;
							L18:
							_t461 =  *_t460;
							if((_t461 >> 0x00000010 & 0x00008000) != 0) {
								goto L21;
							}
							goto L19;
						}
						_t461 = _t461 | 0xffffffff;
						goto L23;
						L35:
						_v32 =  *_t451;
						_t68 = _t451 + 8; // 0x1146628
						_t201 = _t68;
						_v20 = _t201;
						while(1) {
							_t452 = 0;
							while(1) {
								L37:
								_t307 = 0;
								_v28 = 0x10;
								_v24 = _v24 & 0;
								_t330 = _t201;
								_v16 = _t330;
								do {
									L38:
									_t410 =  *_t330;
									_t457 = _v8;
									_v36 = _t410;
									if(_t410 != 0) {
										_t203 =  *(_t410 + 0x10) & 0x0000ffff;
										_v40 = _t203;
										if(_t203 > _v24) {
											_t271 = E01095A69(_t457, _t410);
											_t330 = _v16;
											if(_t271 == 0) {
												_t307 = _t330;
												_t452 = _v36;
												_v24 = _v40;
											}
										}
									}
									_t330 = _t330 + 4;
									_t83 =  &_v28;
									 *_t83 = _v28 - 1;
									_v16 = _t330;
								} while ( *_t83 != 0);
								_v28 = _t452;
								if(_t307 == 0) {
									_t452 = 0;
									L59:
									if(_t452 == 0) {
										_t204 = _v8;
										_t458 = 0;
										_t115 = _t204 + 0x5c; // 0x0
										_t208 =  *((intOrPtr*)( *((intOrPtr*)(_v32 + 0xc)) + 0x3c0 + ( *_t115 & 0x0000ffff) * 4)) + 0x48;
										_v20 = 0;
										_v28 = 0;
										_v24 =  *((intOrPtr*)( *((intOrPtr*)(_v32 + 0xc)) + 0x3c0 + ( *_t115 & 0x0000ffff) * 4)) + 0x48;
										while(1) {
											_t308 = E01081710(_t208);
											_v32 = _t308;
											if(_t308 == 0) {
												break;
											}
											_t125 = _t308 - 0x20; // -32
											_t452 = _t125;
											_t126 =  &(_t452[7]); // -4
											_t438 = _t126;
											if((1 &  *_t438) == 0) {
												_t322 = 0xfffffffd;
												_t245 =  *_t438;
												do {
													asm("lock cmpxchg [edx], ecx");
												} while ((_t245 & _t322) != 0);
												_t323 = _v32;
												if(_t245 != 2) {
													L91:
													_t208 = _v24;
													_t452 = 0;
													continue;
												}
												L90:
												 *_t452 =  *_t452 & 0x00000000;
												E01070010( *( *_t452), _t323);
												goto L91;
											}
											if(E01094D51(_t452, _v8) == 0) {
												_t249 = _v20;
												if(_t249 == 0) {
													_v28 = _t308;
												}
												 *_t308 = _t458;
												_t458 = _t308;
												_v20 = _t249 + 1;
												goto L91;
											}
											_t130 =  &(_t452[7]); // -4
											_t324 = 0xfffffffd;
											_t251 =  *_t130;
											do {
												asm("lock cmpxchg [edx], ecx");
											} while ((_t251 & _t324) != 0);
											_t323 = _v32;
											if(_t251 == 2) {
												goto L90;
											}
											if(E01078D76(_v8, _t452) == 0) {
												goto L91;
											}
											break;
										}
										_t334 = _v20;
										if(_v20 != 0) {
											E010E51C0(_v24, _t458, _v28, _t334);
										}
										L74:
										if(_t452 == 0) {
											_t411 = 0;
											goto L134;
										}
										_t137 =  &(_t452[7]); // 0x1c
										_t459 = _t137;
										_t452[6] = _v44;
										while(1) {
											_t412 =  *_t459;
											_t198 = _v12;
											if(_t412 == 0 || (_t412 & 0x00000006) != 0) {
												break;
											}
											asm("lock cmpxchg [esi], ecx");
											if(_t412 != _t412) {
												continue;
											}
											_t213 =  *_t452;
											_t310 = _v8;
											_v40 = _t213;
											if(_t213 == _t310) {
												if(E01077D50() == 0) {
													_t215 = 0x7ffe0380;
												} else {
													_t215 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
												}
												_t409 = 1;
												if( *_t215 != 0 && ( *( *[fs:0x30] + 0x240) & 1) != 0) {
													E011117D2( *((intOrPtr*)( *((intOrPtr*)( *_t310 + 0xc)) + 0xc)), _t452[1]);
													_t409 = 1;
												}
												_t174 = _t310 + 4; // 0x1146624
												_t198 = _t174;
												_t175 = _t452;
												_t452 =  *_t198;
												 *_t198 = _t175;
												if(_t452 == 0) {
													L1:
													_t451 = _t310;
													goto L5;
												} else {
													_t176 =  &(_t452[7]); // 0x1c
													_t465 = _t176;
													_t425 = 0xfffffff9;
													_t216 =  *_t465;
													do {
														asm("lock cmpxchg [esi], ecx");
													} while ((_t216 & _t425) != 0);
													if(_t216 == 6) {
														L83:
														_t144 =  &(_t452[8]); // 0x20
														 *_t452 =  *_t452 & 0x00000000;
														E01070010( *( *_t452), _t144);
														_t451 = _t310;
														L132:
														_t198 = _v12;
														goto L4;
														do {
															while(1) {
																L4:
																_t409 = 1;
																L5:
																_t199 =  *_t198;
																_v28 = _t199;
																if(_t199 == 0) {
																	goto L35;
																} else {
																	_v24 = _v24 & 0x00000000;
																	_t460 =  &(_t199[4]);
																	_t335 =  *_t451;
																	_v16 = _t460;
																	_t11 = _t335 + 0xc; // 0x8b147989
																	_t309 =  *_t11;
																	if(( *_t460 >> 0x00000010 & 0x00008000) != 0) {
																		_t14 = _t451 + 0x5c; // 0x0
																		_t464 =  *_t14 & 0x0000ffff;
																		_v24 = _t409;
																		if((_t409 &  *(_t309 + 0x1bf + _t464 * 4)) == 0 && E0108F3FD(_t309,  *(_t309 + 0x1be + _t464 * 4) & 0x000000ff) >= 0) {
																			 *(_t309 + 0x1bf + _t464 * 4) =  *(_t309 + 0x1bf + _t464 * 4) & 0x000000ff | 1;
																			if(E01077D50() == 0) {
																				_t302 = 0x7ffe0380;
																			} else {
																				_t302 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																			}
																			if( *_t302 != 0 && ( *( *[fs:0x30] + 0x240) & 1) != 0) {
																				E01111229( *((intOrPtr*)(_t309 + 0xc)),  *(_t309 + 0x1be + _t464 * 4) & 0x000000ff);
																			}
																		}
																		_t460 = _v16;
																	}
																	asm("sbb eax, eax");
																	_t414 = 0;
																	_v32 = 0;
																	goto L18;
																}
															}
															L107:
															_t451 = _v8;
															_t166 = _t451 + 4; // 0x1146624
															_t198 = _t166;
														} while (_t228 != 2);
														 *_t429 =  *_t429 & 0x00000000;
														E01070010( *( *_t429),  &(_t429[8]));
														goto L132;
													}
													_t219 = E01078D76(_t310, _t452);
													_t177 = _t310 + 4; // 0x1146624
													_t198 = _t177;
													_t409 = 1;
													if(_t219 == 0) {
														goto L1;
													} else {
														goto L120;
													}
													while(1) {
														L120:
														_t428 =  *_t465;
														_t198 = _v12;
														if(_t428 == 0 || (_t428 & 0x00000002) != 0) {
															break;
														}
														asm("lock cmpxchg [esi], ecx");
														if(_t428 != _t428) {
															continue;
														}
														_t364 =  *_t452;
														_t466 = 0;
														_v32 = _t364;
														do {
															_t429 =  *(_t364 + ((( *(_t364 + 0x5e) & 0x0000ffff) + _t466 & 0x0000000f) + 2) * 4);
															if(_t429 != 0) {
																if((_t429[7] & 0x00000001) != 0) {
																	goto L130;
																}
																asm("lock cmpxchg [ebx], ecx");
																if(_t429 == _t429) {
																	L105:
																	_t164 =  &(_t429[7]); // 0x1d
																	_t316 = 0xfffffffd;
																	_t228 =  *_t164;
																	do {
																		asm("lock cmpxchg [esi], ecx");
																	} while ((_t228 & _t316) != 0);
																	goto L107;
																}
																L129:
																_t364 = _v32;
																goto L130;
															}
															asm("lock cmpxchg [ebx], ecx");
															_t198 = _v12;
															if(0 == 0) {
																goto L3;
															}
															goto L129;
															L130:
															_t466 = _t466 + 1;
														} while (_t466 < 0x10);
														L131:
														_t190 =  &(_t452[8]); // 0x20
														E01070010( *((intOrPtr*)( *((intOrPtr*)( *( *_t452) + 0xc)) + 0x3c0 + ( *( *_t452 + 0x5c) & 0x0000ffff) * 4)) + 0x48, _t190);
														_t451 = _v8;
														goto L132;
													}
													L2:
													_t451 = _t310;
													while(1) {
														L4:
														_t409 = 1;
														goto L5;
													}
												}
											}
											_t434 = 0xfffffff9;
											_t236 =  *_t459;
											do {
												asm("lock cmpxchg [esi], ecx");
											} while ((_t236 & _t434) != 0);
											if(_t236 != 6) {
												_t237 = E01078D76(_v40, _t452);
												_t198 = _v12;
												if(_t237 == 0) {
													goto L2;
												} else {
													goto L93;
												}
												while(1) {
													L93:
													_t436 =  *_t459;
													_t198 = _v12;
													if(_t436 == 0 || (_t436 & 0x00000002) != 0) {
														goto L2;
													}
													asm("lock cmpxchg [esi], ecx");
													if(_t436 != _t436) {
														continue;
													}
													_t380 =  *_t452;
													_t468 = 0;
													_v32 = _t380;
													do {
														_t429 =  *(_t380 + ((( *(_t380 + 0x5e) & 0x0000ffff) + _t468 & 0x0000000f) + 2) * 4);
														if(_t429 != 0) {
															if((_t429[7] & 0x00000001) != 0) {
																goto L103;
															}
															asm("lock cmpxchg [ebx], ecx");
															if(_t429 == _t429) {
																goto L105;
															}
															L102:
															_t380 = _v32;
															goto L103;
														}
														asm("lock cmpxchg [ebx], ecx");
														_t198 = _v12;
														if(0 == 0) {
															goto L3;
														}
														goto L102;
														L103:
														_t468 = _t468 + 1;
													} while (_t468 < 0x10);
													goto L131;
												}
												goto L2;
											}
											goto L83;
										}
										L3:
										_t451 = _v8;
										goto L4;
									}
									_t111 =  &(_t452[7]); // 0x1c
									_t325 = 0xfffffffd;
									_t253 =  *_t111;
									do {
										asm("lock cmpxchg [edx], ecx");
									} while ((_t253 & _t325) != 0);
									if(_t253 != 2) {
										goto L74;
									}
									_t112 =  &(_t452[8]); // 0x20
									 *_t452 =  *_t452 & 0x00000000;
									E01070010( *( *_t452), _t112);
									_t201 = _v20;
									_t452 = 0;
									L37:
									_t307 = 0;
									_v28 = 0x10;
									_v24 = _v24 & 0;
									_t330 = _t201;
									_v16 = _t330;
									goto L38;
								}
								_t88 = _t457 + 0x5c; // 0x0
								_t259 =  *((intOrPtr*)( *((intOrPtr*)(_v32 + 0xc)) + 0x3c0 + ( *_t88 & 0x0000ffff) * 4)) + 0x48;
								_v16 =  *((intOrPtr*)( *((intOrPtr*)(_v32 + 0xc)) + 0x3c0 + ( *_t88 & 0x0000ffff) * 4)) + 0x48;
								while(1) {
									_t469 = E01081710(_t259);
									_v24 = _t469;
									if(_t469 == 0) {
										break;
									}
									_t469 = _t469 - 0x20;
									_t95 =  &(_t469[7]); // -4
									_t447 = _t95;
									if((1 &  *_t447) != 0) {
										if(E01094D51(_t469, _v8) == 0) {
											E01070010(_v16, _v24);
											_t469 = 0;
										}
										break;
									}
									_t456 = 0xfffffffd;
									_t268 =  *_t447;
									do {
										asm("lock cmpxchg [edx], ecx");
									} while ((_t268 & _t456) != 0);
									_t452 = _v28;
									_t259 = _v16;
									if(_t268 == 2) {
										 *_t469 =  *_t469 & 0x00000000;
										E01070010( *( *_t469), _v24);
										_t259 = _v16;
									}
								}
								asm("lock cmpxchg [ebx], edx");
								if(_t452 == _t452) {
									if(_t469 == 0) {
										 *((short*)(_v8 + 0x5e)) = _t307 - _v8 - 0x00000008 >> 0x00000002 & 0x000000ff;
									}
									goto L59;
								}
								_t201 = _v20;
								if(_t469 != 0) {
									_t107 =  &(_t469[8]); // 0x20
									E01070010(_v16, _t107);
									_t201 = _v20;
								}
							}
						}
					}
				}
			}

0x01115a5a
0x01115a5c
0x01115a5f
0x01115a62
0x01115a65
0x01115a75
0x01115a75
0x01115a77
0x01115a78
0x01115a78
0x01115a78
0x01115a7a
0x01115a7f
0x00000000
0x01115a85
0x01115a85
0x01115a89
0x01115a8e
0x01115a93
0x01115a96
0x01115a96
0x01115a9e
0x01115aa4
0x01115aa4
0x01115aa8
0x01115ab4
0x01115ad8
0x01115ae6
0x01115af8
0x01115ae8
0x01115af1
0x01115af1
0x01115b00
0x01115b1e
0x01115b1e
0x01115b00
0x01115b23
0x01115b23
0x01115b30
0x01115b35
0x01115b37
0x00000000
0x01115b37
0x01115b4d
0x01115b50
0x01115c21
0x01115c21
0x01115c23
0x01115c27
0x01115c29
0x01115c2e
0x01115c31
0x01115c37
0x01115c45
0x01115c45
0x01115c37
0x01115c4b
0x011160ee
0x011160f4
0x00000000
0x00000000
0x00000000
0x01115c4b
0x01115b63
0x01115b67
0x01115b6c
0x01115b77
0x01115b7a
0x00000000
0x00000000
0x01115b80
0x01115b83
0x01115b86
0x01115b8b
0x01115c1f
0x01115b9e
0x01115b9e
0x01115ba2
0x01115bca
0x01115bd3
0x01115bdd
0x01115bdf
0x01115bea
0x01115bf7
0x01115bfc
0x01115c02
0x00000000
0x00000000
0x01115c06
0x01115c07
0x01115c15
0x01115c15
0x00000000
0x01115b8b
0x01115b6e
0x01115b6e
0x01115b72
0x01115b3c
0x01115b3f
0x01115b3f
0x01115b4b
0x00000000
0x00000000
0x00000000
0x01115b4b
0x01115b74
0x00000000
0x01115c51
0x01115c53
0x01115c56
0x01115c56
0x01115c59
0x01115c5c
0x01115c5c
0x01115c5e
0x01115c5e
0x01115c5e
0x01115c60
0x01115c67
0x01115c6a
0x01115c6c
0x01115c6f
0x01115c6f
0x01115c6f
0x01115c71
0x01115c74
0x01115c79
0x01115c7f
0x01115c82
0x01115c88
0x01115c8c
0x01115c91
0x01115c96
0x01115c9b
0x01115c9d
0x01115ca0
0x01115ca0
0x01115c96
0x01115c88
0x01115ca3
0x01115ca6
0x01115ca6
0x01115caa
0x01115caa
0x01115caf
0x01115cb4
0x01115d7b
0x01115d7d
0x01115d7f
0x01115db3
0x01115db6
0x01115db8
0x01115dcb
0x01115dce
0x01115dd1
0x01115dd4
0x01115dd7
0x01115dde
0x01115de0
0x01115de5
0x00000000
0x00000000
0x01115de7
0x01115de7
0x01115dec
0x01115dec
0x01115df4
0x01115ed8
0x01115ed9
0x01115edb
0x01115edf
0x01115edf
0x01115ee5
0x01115eeb
0x01115efb
0x01115efb
0x01115efe
0x00000000
0x01115efe
0x01115eed
0x01115ef3
0x01115ef6
0x00000000
0x01115ef6
0x01115e06
0x01115ec2
0x01115ec7
0x01115ec9
0x01115ec9
0x01115ecd
0x01115ecf
0x01115ed1
0x00000000
0x01115ed1
0x01115e0e
0x01115e11
0x01115e12
0x01115e14
0x01115e18
0x01115e18
0x01115e1e
0x01115e24
0x00000000
0x00000000
0x01115e36
0x00000000
0x00000000
0x00000000
0x01115e36
0x01115e3c
0x01115e41
0x01115e4d
0x01115e4d
0x01115e52
0x01115e54
0x011160ea
0x00000000
0x011160ea
0x01115e5d
0x01115e5d
0x01115e60
0x01115e63
0x01115e63
0x01115e65
0x01115e6a
0x00000000
0x00000000
0x01115e80
0x01115e86
0x00000000
0x00000000
0x01115e88
0x01115e8a
0x01115e8d
0x01115e92
0x01115fcd
0x01115fdf
0x01115fcf
0x01115fd8
0x01115fd8
0x01115fe6
0x01115fea
0x01116005
0x0111600c
0x0111600c
0x0111600d
0x0111600d
0x01116010
0x01116010
0x01116010
0x01116014
0x01115a6a
0x01115a6a
0x00000000
0x0111601a
0x0111601c
0x0111601c
0x0111601f
0x01116020
0x01116022
0x01116026
0x01116026
0x0111602f
0x01115eac
0x01115eae
0x01115eb3
0x01115eb6
0x01115ebb
0x011160e2
0x011160e2
0x011160e5
0x01115a75
0x01115a75
0x01115a75
0x01115a77
0x01115a78
0x01115a78
0x01115a7a
0x01115a7f
0x00000000
0x01115a85
0x01115a85
0x01115a89
0x01115a8e
0x01115a93
0x01115a96
0x01115a96
0x01115a9e
0x01115aa4
0x01115aa4
0x01115aa8
0x01115ab4
0x01115ad8
0x01115ae6
0x01115af8
0x01115ae8
0x01115af1
0x01115af1
0x01115b00
0x01115b1e
0x01115b1e
0x01115b00
0x01115b23
0x01115b23
0x01115b30
0x01115b35
0x01115b37
0x00000000
0x01115b37
0x01115a7f
0x01115fa3
0x01115fa3
0x01115fa9
0x01115fa9
0x01115fa9
0x01115fb6
0x01115fbc
0x00000000
0x01115fbc
0x01116039
0x01116042
0x01116042
0x01116045
0x01116046
0x00000000
0x00000000
0x00000000
0x00000000
0x0111604c
0x0111604c
0x0111604c
0x0111604e
0x01116053
0x00000000
0x00000000
0x01116069
0x0111606f
0x00000000
0x00000000
0x01116071
0x01116073
0x01116075
0x01116078
0x01116087
0x0111608b
0x011160a7
0x00000000
0x00000000
0x011160ad
0x011160b3
0x01115f91
0x01115f93
0x01115f96
0x01115f97
0x01115f99
0x01115f9d
0x01115f9d
0x00000000
0x01115f99
0x011160b9
0x011160b9
0x00000000
0x011160b9
0x01116091
0x01116097
0x0111609a
0x00000000
0x00000000
0x00000000
0x011160bc
0x011160bc
0x011160bd
0x011160c2
0x011160c4
0x011160da
0x011160df
0x00000000
0x011160df
0x01115a6e
0x01115a6e
0x01115a75
0x01115a75
0x01115a77
0x00000000
0x01115a77
0x01115a75
0x01116014
0x01115e9a
0x01115e9b
0x01115e9d
0x01115ea1
0x01115ea1
0x01115eaa
0x01115f0a
0x01115f11
0x01115f14
0x00000000
0x00000000
0x00000000
0x00000000
0x01115f1a
0x01115f1a
0x01115f1a
0x01115f1c
0x01115f21
0x00000000
0x00000000
0x01115f37
0x01115f3d
0x00000000
0x00000000
0x01115f3f
0x01115f41
0x01115f43
0x01115f46
0x01115f55
0x01115f59
0x01115f75
0x00000000
0x00000000
0x01115f7b
0x01115f81
0x00000000
0x00000000
0x01115f83
0x01115f83
0x00000000
0x01115f83
0x01115f5f
0x01115f65
0x01115f68
0x00000000
0x00000000
0x00000000
0x01115f86
0x01115f86
0x01115f87
0x00000000
0x01115f8c
0x00000000
0x01115f1a
0x00000000
0x01115eaa
0x01115a72
0x01115a72
0x00000000
0x01115a72
0x01115d83
0x01115d86
0x01115d87
0x01115d89
0x01115d8d
0x01115d8d
0x01115d96
0x00000000
0x00000000
0x01115d9e
0x01115da3
0x01115da6
0x01115dab
0x01115c5c
0x01115c5e
0x01115c5e
0x01115c60
0x01115c67
0x01115c6a
0x01115c6c
0x00000000
0x01115c6c
0x01115cbd
0x01115ccb
0x01115cce
0x01115cd1
0x01115cd8
0x01115cda
0x01115cdf
0x00000000
0x00000000
0x01115ce1
0x01115ce7
0x01115ce7
0x01115cee
0x01115d2a
0x01115d32
0x01115d37
0x01115d37
0x00000000
0x01115d2a
0x01115cf2
0x01115cf3
0x01115cf5
0x01115cf9
0x01115cf9
0x01115cff
0x01115d05
0x01115d08
0x01115d11
0x01115d14
0x01115d19
0x01115d19
0x01115d08
0x01115d3d
0x01115d43
0x01115d65
0x01115d75
0x01115d75
0x00000000
0x01115d65
0x01115d45
0x01115d4a
0x01115d53
0x01115d56
0x01115d5b
0x01115d5b
0x01115d4a
0x01115c5e
0x01115c5c
0x01115a78

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1754c02699c6e2936935a3f790ea9e4336a8187c4639ad7249052b47dca5c6
Instruction ID: 671f8cec3b51d365b8b6a79723c5d56e2d97ba500f328a0090a05f4b025aa3e1
Opcode Fuzzy Hash: 2f1754c02699c6e2936935a3f790ea9e4336a8187c4639ad7249052b47dca5c6
Instruction Fuzzy Hash: 5022AF35A002168FDB5DCF59C490AAEF7B2BF8A314F28857DD9519B349DB30A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011160F5 Relevance: .6, Instructions: 558
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E011160F5(intOrPtr __ecx) {
				char _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int* _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed char _v40;
				intOrPtr _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int** _v60;
				intOrPtr _v64;
				intOrPtr _v72;
				void* __ebx;
				signed int _t200;
				char* _t203;
				unsigned int _t214;
				signed short _t224;
				char* _t228;
				signed int* _t233;
				signed int _t241;
				signed int _t253;
				signed int* _t256;
				signed int* _t257;
				signed int _t262;
				signed int _t263;
				signed int _t266;
				signed short _t271;
				void* _t275;
				signed int _t279;
				signed int*** _t287;
				signed int _t294;
				signed char _t307;
				intOrPtr _t309;
				intOrPtr* _t310;
				unsigned int _t312;
				signed int _t313;
				signed char* _t315;
				signed int _t321;
				signed int _t322;
				signed int* _t326;
				void* _t327;
				signed int _t328;
				signed char _t331;
				signed int _t332;
				signed int _t340;
				intOrPtr _t349;
				unsigned int _t354;
				signed int _t356;
				signed int* _t367;
				signed int** _t370;
				signed int _t387;
				intOrPtr _t392;
				unsigned int _t398;
				signed int _t403;
				signed int _t410;
				void* _t411;
				signed char _t413;
				signed int _t414;
				signed int** _t415;
				intOrPtr _t417;
				intOrPtr _t420;
				signed int _t423;
				signed int _t425;
				signed int** _t426;
				signed int** _t427;
				intOrPtr* _t430;
				signed int _t433;
				intOrPtr* _t434;
				signed int** _t436;
				signed int**** _t441;
				signed int _t445;
				intOrPtr* _t447;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				signed int* _t453;
				void* _t454;
				signed int _t457;
				signed int* _t458;
				void* _t459;
				signed int _t460;

				_t433 = 0;
				_t309 = __ecx;
				_t403 = 0;
				_v64 = __ecx;
				_v32 = 0;
				_v36 = 0;
				_t331 = 1;
				do {
					if((_t331 &  *(_t309 + 0x1bf + _t403 * 4)) != 0) {
						if(( *(_t309 + 0x1b8) & _t331) != 0) {
							goto L2;
						}
						_t307 =  *0x1146240; // 0x4
						_v40 = _t307;
						if(_t307 == 0) {
							goto L37;
						}
						L5:
						_t332 = _t433;
						_v56 = _t433;
						do {
							if(_t332 != 0) {
								_t445 = _t332 * 0x68;
								_t332 = _v56;
								_t447 = _t445 + 0xffffff98 +  *((intOrPtr*)(_t309 + 0x5c4 + _t403 * 4));
							} else {
								_t447 =  *((intOrPtr*)(_t309 + 0x3c0 + _t403 * 4));
							}
							if(_t447 != 0 &&  *((intOrPtr*)(_t447 + 0x54)) == 1) {
								_t214 = E01115A4F(_t447, _t332);
								_t312 = _t214;
								if(_t312 == 0) {
									L34:
									_t403 = _v36;
									_t332 = _v56;
									_t309 = _v64;
									goto L35;
								}
								 *( *_t447 + 0x14) = _t433;
								_t349 = _v64;
								_t408 =  *(_t349 + 0xc);
								_t354 = _t312 >> 0x00000003 ^  *0x114874c ^  *(_t349 + 0xc) ^  *_t312;
								if(_t354 != 0) {
									L17:
									_push(_t354);
									_push(_t433);
									E0111A80D(_t408, 3, _t312, _t433);
									goto L34;
								}
								_t354 = _t354 >> 0xd;
								_t436 =  *(_t214 - _t354);
								_v60 = _t436;
								if(_t436 == 0) {
									L16:
									_t433 = 0;
									goto L17;
								}
								_t356 = _t436[1];
								_v44 = 0;
								_t410 =  *(_t312 + 4) >> 0x00000008 & 0x0000ffff;
								_v52 = _t356;
								_v48 = _t410;
								_t451 =  *( *( *_t436) + 0xc);
								_t224 =  *(_t356 + 0x10) ^ _t451 ^  *0x114874c ^ _t356;
								_t354 = (_t224 >> 0x10) * _t410 + _v52;
								if((_t224 & 0x0000ffff) + _t354 == _t312) {
									if(E01077D50() == 0) {
										_t228 = 0x7ffe0380;
									} else {
										_t228 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									if( *_t228 != 0 && ( *( *[fs:0x30] + 0x240) & 1) != 0) {
										_t41 = _t312 + 8; // 0x8
										E01111608( *(_t451 + 0xc), _t41, 2);
									}
									asm("sbb eax, eax");
									_v20 = 0;
									_t411 = 0;
									_t43 =  &(_t436[4]); // 0x10
									_t233 = _t43;
									_v24 = _t233;
									while(1) {
										_t452 =  *_t233;
										_v28 = _t452;
										if((_t452 >> 0x00000010 & 0x00008000) != 0) {
											goto L28;
										}
										L27:
										asm("lock cmpxchg [edi], ecx");
										_t436 = _v60;
										if(_t452 == _t452) {
											L30:
											 *((char*)(_t312 + 7)) = 0x80;
											if(_t452 != 0xffffffff) {
												_t313 = _v48;
												asm("btr [eax], ebx");
												if(_t436[3] == 0) {
													L49:
													_t453 =  *_t436;
													_t241 = (_t452 & 0x0000ffff) + _v44 + 0x00000001 | _t313 << 0x00000010;
													if(_t241 != _t436[6]) {
														L86:
														_t315 =  &(_t436[7]);
														_t436[4] = _t241;
														if(( *_t315 & 0x00000002) != 0 || E01078D76(_t453, _t436) == 0) {
															L33:
															_t433 = 0;
															goto L34;
														} else {
															while(1) {
																_t413 =  *_t315;
																if(_t413 == 0 || (_t413 & 0x00000002) != 0) {
																	goto L33;
																}
																asm("lock cmpxchg [ebx], ecx");
																if(_t413 != _t413) {
																	continue;
																}
																_t367 =  *_t436;
																_v28 = _t367;
																_t454 = 0;
																do {
																	_t414 = _t367[((_t367[0x17] & 0x0000ffff) + _t454 & 0x0000000f) + 2];
																	if(_t414 != 0) {
																		if(( *(_t414 + 0x1c) & 0x00000001) != 0) {
																			goto L98;
																		}
																		asm("lock cmpxchg [ebx], ecx");
																		if(_t414 == _t414) {
																			_t321 = 0xfffffffd;
																			_t253 =  *(_t414 + 0x1c);
																			do {
																				asm("lock cmpxchg [esi], ecx");
																			} while ((_t253 & _t321) != 0);
																			_t433 = 0;
																			if(_t253 == 2) {
																				 *_t414 = 0;
																				E01070010( *((intOrPtr*)( *_t414)), _t414 + 0x20);
																			}
																			goto L34;
																		}
																		L97:
																		_t367 = _v28;
																		goto L98;
																	}
																	asm("lock cmpxchg [ebx], ecx");
																	if(0 == 0) {
																		goto L33;
																	}
																	goto L97;
																	L98:
																	_t454 = _t454 + 1;
																} while (_t454 < 0x10);
																_t415 =  &(_t436[8]);
																_t370 =  *((intOrPtr*)( *( *( *_t436) + 0xc) + 0x3c0 + (( *_t436)[0x17] & 0x0000ffff) * 4)) + 0x48;
																L32:
																E01070010(_t370, _t415);
																goto L33;
															}
															goto L33;
														}
													}
													_t322 = _t453[0x16];
													_t417 =  *((intOrPtr*)( *_t453 + 0x10));
													_t377 = _t453[0x15];
													if(_t453[0x15] != 1 || _t417 < _t322) {
														L53:
														_t256 =  *_t436;
														_v48 = _t256;
														_t257 =  &(_t256[1]);
														_t457 =  *_t257;
														 *_t257 = 0;
														if(_t457 == 0) {
															L73:
															_t458 =  *_t436;
															_t323 =  *( *_v48 + 0xc);
															_v24 =  *( *_v48 + 0xc);
															if((_t436[5] & 0x00000003) != 0) {
																_v12 =  &(_t436[1][0x407]) & 0xfffff000;
																_t271 = E01115634(_t436);
																_push( &_v8);
																_t387 = (_t436[6] & 0x0000ffff) * (_t271 & 0x0000ffff) << 3;
																_v16 = _t387;
																_t275 = E01080678(_t323[3], 1);
																_t377 = _t387;
																_push(_t275);
																_push( &_v16);
																_push( &_v12);
																_push(0xffffffff);
																E01099A00();
															}
															_t436[1][3] = 0;
															E010797ED(_t323, _t436[1], _t377);
															_t262 = _t436[6] & 0x0000ffff;
															_v48 = _t262;
															_t137 =  &(_t458[0x14]); // 0x50
															_t263 = _t137;
															_v48 =  ~_t262;
															_v52 = _t263;
															do {
																_t459 =  *_t263;
																_t420 =  *((intOrPtr*)(_t263 + 4));
																_v20 = _t420;
																asm("lock cmpxchg8b [edi]");
																_t263 = _v48;
															} while (_t459 != _t459 || _t420 != _v20);
															_t441 = _v60;
															_t441[1] = 0;
															asm("lock inc dword [eax+0x20]");
															_t441[4] = 0;
															_t460 = 0xfffffffe;
															_t266 = _t441[7];
															do {
																asm("lock cmpxchg [edx], ecx");
															} while ((_t266 & _t460) != 0);
															if(_t266 != 1) {
																goto L33;
															}
															_t415 =  &(_t441[8]);
															_t370 =  *( *_t441);
															 *_t441 = 0;
															goto L32;
														}
														_t95 = _t457 + 0x1c; // 0x1c
														_t326 = _t95;
														_t423 = 0xfffffff9;
														_t279 =  *_t326;
														do {
															asm("lock cmpxchg [ebx], ecx");
														} while ((_t279 & _t423) != 0);
														if(_t279 != 6) {
															_t377 = _v48;
															if(E01078D76(_v48, _t457) == 0) {
																goto L73;
															} else {
																goto L59;
															}
															while(1) {
																L59:
																_t425 =  *_t326;
																if(_t425 == 0 || (_t425 & 0x00000002) != 0) {
																	goto L73;
																}
																_t377 = _t425 | 0x00000002;
																asm("lock cmpxchg [ebx], ecx");
																if(_t425 != _t425) {
																	continue;
																}
																_t392 =  *_t457;
																_v44 = _t392;
																_t327 = 0;
																do {
																	_t287 = _t392 + ((( *(_t392 + 0x5e) & 0x0000ffff) + _t327 & 0x0000000f) + 2) * 4;
																	_t426 =  *_t287;
																	_v28 = _t287;
																	if(_t426 != 0) {
																		if((_t426[7] & 0x00000001) != 0) {
																			goto L69;
																		}
																		asm("lock cmpxchg [edi], ecx");
																		_t436 = _v60;
																		if(_t426 == _t426) {
																			_t328 = 0xfffffffd;
																			_t294 = _t426[7];
																			do {
																				_t377 = _t294 & _t328;
																				asm("lock cmpxchg [esi], ecx");
																			} while ((_t294 & _t328) != 0);
																			if(_t294 != 2) {
																				goto L73;
																			}
																			_t377 =  *( *_t426);
																			 *_t426 = 0;
																			_t427 =  &(_t426[8]);
																			L72:
																			E01070010(_t377, _t427);
																			goto L73;
																		}
																		L68:
																		_t392 = _v44;
																		goto L69;
																	}
																	_t377 = _t457;
																	asm("lock cmpxchg [edx], ecx");
																	if(0 == 0) {
																		goto L73;
																	}
																	goto L68;
																	L69:
																	_t327 = _t327 + 1;
																} while (_t327 < 0x10);
																_t377 =  *((intOrPtr*)( *((intOrPtr*)( *( *_t457) + 0xc)) + 0x3c0 + (( *_t457)[0x17] & 0x0000ffff) * 4)) + 0x48;
																L71:
																_t116 = _t457 + 0x20; // 0x20
																_t427 = _t116;
																goto L72;
															}
															goto L73;
														}
														_t377 =  *( *_t457);
														 *_t457 = 0;
														goto L71;
													} else {
														_t377 =  *_t453;
														if(_t417 - _t322 <  *((intOrPtr*)( *_t453 + 0x14))) {
															goto L86;
														}
														goto L53;
													}
												}
												_t430 = E010E5208( &(_t436[2]));
												if(_t430 == 0) {
													goto L49;
												}
												do {
													_t398 =  *(_t430 - 4);
													_t430 =  *_t430;
													asm("btr [eax], edi");
													_v44 = _v44 + 1;
													_v48 = _t398 >> 0x00000008 & 0x0000ffff;
												} while (_t430 != 0);
												_t452 = _v28;
												_t436 = _v60;
												_t313 = _v48;
												goto L49;
											}
											_t54 = _t312 + 8; // 0x8
											_t415 = _t54;
											_t370 =  &(_t436[2]);
											goto L32;
										}
										L28:
										_t411 = _t411 + 1;
										if(_t411 <= _v20) {
											_t45 =  &(_t436[4]); // 0x10
											_t233 = _t45;
											_t452 =  *_t233;
											_v28 = _t452;
											if((_t452 >> 0x00000010 & 0x00008000) != 0) {
												goto L28;
											}
											goto L27;
										}
										_t452 = _t452 | 0xffffffff;
										_v28 = _t452;
										goto L30;
									}
								}
								_t408 =  *(_t451 + 0xc);
								goto L16;
							}
							L35:
							_t332 = _t332 + 1;
							_v56 = _t332;
						} while (_t332 < _v40);
						_t331 = 1;
						goto L37;
					}
					L2:
					_v40 = _t331;
					goto L5;
					L37:
					_t403 = _t403 + 1;
					_v36 = _t403;
				} while (_t403 < 0x81);
				_t62 = _t309 + 0x38; // 0x38
				_t195 = _t62;
				_v40 = 0xc;
				_v36 = _t62;
				do {
					_t448 = _t433;
					_t434 = E010E5208(_t195);
					if(_t434 == 0) {
						goto L112;
					} else {
						goto L40;
					}
					do {
						L40:
						_t310 = _t434;
						_t434 =  *_t434;
						_t200 = 1 <<  *(_t310 + 8);
						if(1 > 0x78000) {
							_t200 = 0x78000;
						}
						_t340 = ( *(_t310 + 0xa) & 0x0000ffff) + _t200;
						_v32 = _v32 + _t340;
						_v28 = _t340;
						E0107C111( *((intOrPtr*)(_v64 + 0xc)), _t310, _t340);
						_t448 = _t448 + 1;
						if(E01077D50() == 0) {
							_t203 = 0x7ffe0380;
						} else {
							_t203 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t203 == 0 || ( *( *[fs:0x30] + 0x240) & 1) == 0) {
							_t309 = _v64;
						} else {
							E011118CA(_t310,  *((intOrPtr*)(_v64 + 0xc)), _t310, _v28, 0);
							_t309 = _v72;
							E01111951(_t309,  *((intOrPtr*)(_t309 + 0xc)), _t310, _v36, 0);
						}
					} while (_t434 != 0);
					if(_t448 != 0) {
						asm("lock xadd [eax], esi");
					}
					L112:
					_t195 = _v36 + 0x20;
					_t188 =  &_v40;
					 *_t188 = _v40 - 1;
					_v36 = _t195;
					_t433 = 0;
				} while ( *_t188 != 0);
				if(_v32 != 0) {
					_t192 = _t309 + 0x2c; // 0x2c
					_t195 = _t192;
					asm("lock xadd [eax], ecx");
				}
				return _t195;
			}

0x01116103
0x01116105
0x01116107
0x01116109
0x0111610f
0x01116113
0x01116117
0x01116118
0x01116121
0x0111612f
0x00000000
0x00000000
0x01116131
0x01116136
0x0111613c
0x00000000
0x00000000
0x01116142
0x01116142
0x01116144
0x01116148
0x0111614a
0x01116155
0x01116158
0x0111615f
0x0111614c
0x0111614c
0x0111614c
0x01116168
0x0111617e
0x01116183
0x01116187
0x011162cd
0x011162cd
0x011162d1
0x011162d5
0x00000000
0x011162d5
0x0111618f
0x01116192
0x01116196
0x011161a6
0x011161ab
0x01116204
0x01116204
0x01116205
0x0111620b
0x00000000
0x0111620b
0x011161ad
0x011161b2
0x011161b4
0x011161ba
0x01116202
0x01116202
0x00000000
0x01116202
0x011161c1
0x011161c7
0x011161cb
0x011161d0
0x011161d4
0x011161da
0x011161e8
0x011161f5
0x011161fd
0x0111621c
0x0111622e
0x0111621e
0x01116227
0x01116227
0x01116236
0x0111624c
0x01116251
0x01116251
0x01116260
0x01116265
0x0111626b
0x0111626d
0x0111626d
0x01116270
0x01116279
0x01116279
0x01116280
0x01116289
0x00000000
0x00000000
0x0111628b
0x01116299
0x0111629d
0x011162a3
0x011162b3
0x011162b3
0x011162ba
0x01116377
0x0111637e
0x01116387
0x011163c4
0x011163cc
0x011163d3
0x011163d9
0x0111660c
0x0111660c
0x0111660f
0x01116616
0x011162cb
0x011162cb
0x00000000
0x0111662d
0x0111662d
0x0111662d
0x01116631
0x00000000
0x00000000
0x01116647
0x0111664d
0x00000000
0x00000000
0x0111664f
0x01116653
0x01116657
0x01116659
0x01116668
0x0111666c
0x01116685
0x00000000
0x00000000
0x0111668b
0x01116691
0x011166bf
0x011166c0
0x011166c2
0x011166c6
0x011166c6
0x011166cc
0x011166d1
0x011166db
0x011166e0
0x011166e0
0x00000000
0x011166d1
0x01116693
0x01116693
0x00000000
0x01116693
0x01116672
0x01116678
0x00000000
0x00000000
0x00000000
0x01116697
0x01116697
0x01116698
0x0111669f
0x011166b2
0x011162c6
0x011162c6
0x00000000
0x011162c6
0x00000000
0x0111662d
0x01116616
0x011163e1
0x011163e4
0x011163e7
0x011163ed
0x01116400
0x01116400
0x01116404
0x01116408
0x0111640b
0x0111640b
0x0111640f
0x011164e9
0x011164f1
0x011164f5
0x011164f8
0x011164fc
0x0111650d
0x01116511
0x01116524
0x01116527
0x0111652a
0x01116535
0x0111653a
0x0111653b
0x01116540
0x01116545
0x01116546
0x01116548
0x01116548
0x01116555
0x0111655b
0x01116560
0x01116566
0x0111656c
0x0111656c
0x0111656f
0x01116573
0x01116577
0x01116577
0x01116579
0x0111657e
0x0111658c
0x01116596
0x01116596
0x011165a2
0x011165ac
0x011165af
0x011165b5
0x011165bb
0x011165bc
0x011165be
0x011165c2
0x011165c2
0x011165cd
0x00000000
0x00000000
0x011165d5
0x011165d8
0x011165da
0x00000000
0x011165da
0x01116417
0x01116417
0x0111641a
0x0111641b
0x0111641d
0x01116421
0x01116421
0x0111642a
0x01116439
0x01116446
0x00000000
0x00000000
0x00000000
0x00000000
0x0111644c
0x0111644c
0x0111644c
0x01116450
0x00000000
0x00000000
0x01116463
0x01116466
0x0111646c
0x00000000
0x00000000
0x0111646e
0x01116472
0x01116476
0x01116478
0x01116484
0x01116487
0x01116489
0x0111648f
0x011164a8
0x00000000
0x00000000
0x011164b2
0x011164b6
0x011164bc
0x011165e6
0x011165e7
0x011165e9
0x011165eb
0x011165ed
0x011165ed
0x011165f6
0x00000000
0x00000000
0x011165fe
0x01116602
0x01116604
0x011164e4
0x011164e4
0x00000000
0x011164e4
0x011164c2
0x011164c2
0x00000000
0x011164c2
0x01116495
0x01116499
0x0111649f
0x00000000
0x00000000
0x00000000
0x011164c6
0x011164c6
0x011164c7
0x011164de
0x011164e1
0x011164e1
0x011164e1
0x00000000
0x011164e1
0x00000000
0x0111644c
0x0111642e
0x01116432
0x00000000
0x011163f3
0x011163f3
0x011163fa
0x00000000
0x00000000
0x00000000
0x011163fa
0x011163ed
0x01116391
0x01116395
0x00000000
0x00000000
0x0111639b
0x0111639b
0x011163a1
0x011163a9
0x011163ac
0x011163b0
0x011163b4
0x011163b8
0x011163bc
0x011163c0
0x00000000
0x011163c0
0x011162c0
0x011162c0
0x011162c3
0x00000000
0x011162c3
0x011162a5
0x011162a5
0x011162aa
0x01116276
0x01116276
0x01116279
0x01116280
0x01116289
0x00000000
0x00000000
0x00000000
0x01116289
0x011162ac
0x011162af
0x00000000
0x011162af
0x01116279
0x011161ff
0x00000000
0x011161ff
0x011162d9
0x011162d9
0x011162da
0x011162de
0x011162ea
0x00000000
0x011162ea
0x01116123
0x01116123
0x00000000
0x011162eb
0x011162eb
0x011162ec
0x011162f0
0x011162fc
0x011162fc
0x011162ff
0x01116307
0x0111630b
0x0111630d
0x01116314
0x01116318
0x00000000
0x00000000
0x00000000
0x00000000
0x0111631e
0x0111631e
0x0111631e
0x01116322
0x01116328
0x01116331
0x01116333
0x01116333
0x0111633b
0x0111633d
0x01116341
0x0111634d
0x01116352
0x0111635a
0x011166ea
0x01116360
0x01116369
0x01116369
0x011166f2
0x01116731
0x01116705
0x01116715
0x0111671e
0x0111672a
0x0111672a
0x01116735
0x0111673f
0x0111674a
0x0111674a
0x0111674e
0x01116752
0x01116755
0x01116755
0x0111675c
0x01116760
0x01116760
0x0111676d
0x01116771
0x01116771
0x01116774
0x01116774
0x0111677e

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8536d430b8a77c75988be207c9ac7d9aa6ad5df2e36bd31203c71f80b1fc16e
Instruction ID: 8d03559956855688ff0a85d600128ecadbb4301b41d2c5eb2d8cc85a2f2b5935
Opcode Fuzzy Hash: f8536d430b8a77c75988be207c9ac7d9aa6ad5df2e36bd31203c71f80b1fc16e
Instruction Fuzzy Hash: D022AC356042118FDB1DCF18C490A6AF7E2FF89314B148A7DE996CB389DB71E842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01074120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01074120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x114d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0108F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E01076E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = E01074620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E01076E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M010745F8))) {
												case 0:
													_v568 = 0x1031078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x10311c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = E01074620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0109F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0109F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E010552A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0106EB70(1, 0x11479a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0106AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E010995D0();
																			L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0109B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01093D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0109B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x01074128
0x01074135
0x0107413c
0x01074141
0x01074145
0x01074147
0x0107414e
0x01074151
0x01074159
0x0107415c
0x01074160
0x01074164
0x01074168
0x0107416c
0x0107417f
0x01074181
0x0107446a
0x0107446a
0x0107418c
0x01074195
0x01074199
0x01074432
0x01074439
0x0107443d
0x01074442
0x01074447
0x00000000
0x0107419f
0x010741a3
0x010741b1
0x010741b9
0x010741bd
0x010745db
0x010745db
0x00000000
0x010741c3
0x010741c3
0x010741ce
0x010741d4
0x010be138
0x010be13e
0x010be169
0x010be16d
0x010be19e
0x010be16f
0x010be16f
0x010be175
0x010be179
0x010be18f
0x010be193
0x00000000
0x010be199
0x00000000
0x010be199
0x010be193
0x00000000
0x00000000
0x00000000
0x010741da
0x010741da
0x010741df
0x010741e4
0x010741ec
0x01074203
0x01074207
0x010be1fd
0x01074222
0x01074226
0x010be1f3
0x010be1f3
0x0107422c
0x0107422c
0x01074233
0x010be1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01074239
0x01074239
0x01074239
0x01074239
0x01074233
0x01074226
0x010741ee
0x010741ee
0x010741f4
0x01074575
0x010be1b1
0x010be1b1
0x00000000
0x0107457b
0x0107457b
0x01074582
0x010be1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x01074588
0x01074588
0x0107458c
0x010be1c4
0x010be1c4
0x00000000
0x01074592
0x01074592
0x01074599
0x010be1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0107459f
0x0107459f
0x010745a3
0x010be1d7
0x010be1e4
0x00000000
0x010745a9
0x010745a9
0x010745b0
0x010be1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x010745b6
0x010745b6
0x010745b6
0x00000000
0x010745b6
0x010745b0
0x010745a3
0x01074599
0x0107458c
0x01074582
0x00000000
0x00000000
0x00000000
0x00000000
0x010741f4
0x0107423e
0x01074241
0x010745c0
0x010745c4
0x00000000
0x010745ca
0x010745ca
0x00000000
0x010be207
0x010be20f
0x00000000
0x00000000
0x00000000
0x00000000
0x010745d1
0x00000000
0x00000000
0x010745ca
0x00000000
0x01074247
0x01074247
0x01074247
0x01074249
0x01074249
0x01074249
0x01074251
0x01074251
0x01074257
0x0107425f
0x0107426e
0x01074270
0x0107427a
0x010be219
0x010be219
0x01074280
0x01074282
0x01074456
0x010745ea
0x00000000
0x010745f0
0x010be223
0x00000000
0x010be223
0x0107445c
0x0107445c
0x00000000
0x0107445c
0x00000000
0x01074288
0x0107428c
0x010be298
0x01074292
0x01074292
0x0107429e
0x010742a3
0x010742a7
0x010742ac
0x010be22d
0x010742b2
0x010742b2
0x010742b9
0x010742bc
0x010742c2
0x010742ca
0x010742cd
0x010742cd
0x010742d4
0x0107433f
0x0107433f
0x010742d6
0x010742d6
0x010742d9
0x010742dd
0x010742eb
0x010be23a
0x010742f1
0x01074305
0x0107430d
0x01074315
0x01074318
0x0107431f
0x01074322
0x0107432e
0x0107433b
0x0107433b
0x00000000
0x0107432e
0x010742eb
0x0107434c
0x0107434e
0x01074352
0x01074359
0x0107435e
0x01074361
0x0107436e
0x0107438a
0x0107438e
0x01074396
0x0107439e
0x010743a1
0x010743ad
0x010743bb
0x010743bb
0x010743ad
0x0107436e
0x010743bf
0x010743c5
0x01074463
0x01074463
0x010743ce
0x010743d5
0x010743d9
0x010743df
0x01074475
0x01074479
0x01074491
0x01074491
0x01074479
0x010743e5
0x010743eb
0x010743f4
0x010743f6
0x010743f9
0x010743fc
0x010743ff
0x010744e8
0x010744ed
0x010744f3
0x010be247
0x00000000
0x010744f9
0x01074504
0x01074508
0x0107450f
0x010be269
0x00000000
0x01074515
0x01074519
0x01074531
0x01074534
0x01074537
0x0107453e
0x01074541
0x0107454a
0x010be255
0x010be255
0x010be25b
0x010be25e
0x010be261
0x010be261
0x01074555
0x01074559
0x0107455d
0x010be26d
0x010be270
0x010be274
0x010be27a
0x010be27d
0x010be28e
0x010be28e
0x01074563
0x01074563
0x01074569
0x01074569
0x00000000
0x0107455d
0x0107450f
0x00000000
0x010744f3
0x010743ff
0x01074405
0x01074405
0x01074405
0x010742ac
0x0107428c
0x01074282
0x01074407
0x0107440d
0x010be2af
0x010be2af
0x01074413
0x01074413
0x00000000
0x010741d4
0x00000000
0x010741c3
0x010741bd
0x01074415
0x01074415
0x01074416
0x01074417
0x01074429
0x0107416e
0x0107416e
0x01074175
0x01074498
0x0107449f
0x010be12d
0x00000000
0x010be133
0x00000000
0x010be133
0x010744a5
0x010744a5
0x010744aa
0x00000000
0x010744bb
0x010744ca
0x010744d6
0x010744d7
0x010744d8
0x010744e3
0x010744e3
0x010744aa
0x0107417b
0x0107417b
0x0107417b
0x00000000
0x0107417b
0x01074175
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4533506035c952616d60a676936d29351f57f21b13bd1d84a2b281330bb18d0
Instruction ID: b165d446b7226d6fef8b161664e827ae6d4a00e51aaae03466945786a95625b6
Opcode Fuzzy Hash: c4533506035c952616d60a676936d29351f57f21b13bd1d84a2b281330bb18d0
Instruction Fuzzy Hash: BDF18D70A082118FC764CF18C480ABAB7E1FF98714F55896EF9C6CB291E734D891CB56

Uniqueness

Uniqueness Score: -1.00%

Function 010820A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E010820A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1148714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01082EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01082EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E010558EC(_t240);
									_t221 =  *0x1145cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1145cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01094A2C(0x1146e40, 0x1094b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E01077D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1035c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0108F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0108F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E010D7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L01072400(_t267 + 0x20);
															}
															L01072400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01082397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E01072280(_t134, 0x1148608);
									__eflags =  *0x1146e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0106FFB0(_t198, _t241, 0x1148608);
										__eflags = _t253;
										if(_t253 != 0) {
											L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1146e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1148608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01086B90(_t210,  &_v64);
										_t262 =  *0x1148608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0108E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E010997C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0109006A(0x1148608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1148608);
												E0109B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1146904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1146e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0106FFB0(_t198, _t240, 0x1148608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E010900C2(0x1148608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x010820a0
0x010820a8
0x010820ad
0x010820b3
0x010820b8
0x010820c2
0x010820c7
0x010820cb
0x010820d2
0x01082263
0x01082266
0x010c5836
0x010c5836
0x00000000
0x0108226c
0x0108226c
0x01082270
0x01082274
0x010820e2
0x010820e2
0x010820e6
0x010820ee
0x010c57dc
0x010c57de
0x010c57ec
0x010c57ec
0x010c57f1
0x010c57f3
0x010c57f8
0x00000000
0x010c57f8
0x010c57e0
0x010c57e4
0x010c57ea
0x00000000
0x00000000
0x00000000
0x010c57ea
0x010820f4
0x010820f4
0x010820f8
0x010820f8
0x010820fc
0x01082100
0x01082106
0x01082201
0x01082206
0x0108220b
0x0108220e
0x010822a9
0x010822ac
0x00000000
0x00000000
0x010822b2
0x010822b5
0x010c5801
0x010c5806
0x00000000
0x00000000
0x010c5810
0x010c5815
0x010c5818
0x00000000
0x00000000
0x010c581e
0x010822bb
0x010822bb
0x01082218
0x01082218
0x0108221c
0x01082220
0x01082222
0x010822c2
0x010822c4
0x010822dc
0x010822dc
0x010822e1
0x00000000
0x00000000
0x00000000
0x010822e7
0x010822c8
0x010822cd
0x010822d3
0x010822d6
0x010c5823
0x010c5825
0x010c5827
0x00000000
0x00000000
0x010c582d
0x00000000
0x010c582d
0x00000000
0x01082228
0x01082228
0x00000000
0x01082228
0x01082222
0x01082214
0x01082214
0x00000000
0x01082114
0x01082114
0x01082114
0x0108211a
0x0108211c
0x01082348
0x0108234d
0x010c5840
0x010c5845
0x010c5848
0x010c584e
0x010c584e
0x010c5848
0x01082353
0x01082355
0x01082388
0x01082388
0x01082368
0x0108236a
0x0108236c
0x0108238f
0x00000000
0x0108236e
0x0108236e
0x0108218e
0x0108218e
0x01082191
0x01082195
0x010c5a03
0x010c5a06
0x010c5a0c
0x010c5a0f
0x010c5a11
0x010c5a13
0x010c5a13
0x010c5a19
0x010c5a1f
0x00000000
0x0108219b
0x0108219b
0x010821a0
0x01082282
0x01082284
0x01082284
0x01082284
0x01082284
0x010821a6
0x010821a9
0x010821ac
0x010821ae
0x010821b3
0x0108228b
0x01082290
0x01082379
0x01082296
0x01082298
0x01082298
0x01082290
0x010821b9
0x010821be
0x010822a2
0x010822a2
0x010821c4
0x010821c8
0x010821cc
0x010821d0
0x010821d4
0x010821de
0x010821e3
0x010c5a29
0x010c5a2c
0x00000000
0x00000000
0x010c5a3b
0x00000000
0x010821e9
0x010821e9
0x010821e9
0x010821ee
0x010821f1
0x010c5a45
0x010c5a4b
0x010c5a52
0x010c5a58
0x010c5a5d
0x010c5a5f
0x010c5a71
0x010c5a61
0x010c5a6a
0x010c5a6a
0x010c5a76
0x010c5a79
0x010c5a7f
0x010c5a83
0x010c5a85
0x010c5a87
0x010c5a87
0x010c5a8c
0x010c5a91
0x010c5a97
0x010c5a9f
0x010c5aa0
0x010c5aa1
0x010c5aa6
0x010c5aab
0x010c5ab1
0x010c5ab3
0x010c5ab9
0x010c5aca
0x010c5ad4
0x010c5ad4
0x010c5ade
0x010c5ade
0x010c5aab
0x010c5a79
0x010c5a52
0x010821f7
0x010821f9
0x010821fe
0x010821fe
0x010821e3
0x01082195
0x0108236c
0x01082122
0x01082122
0x01082124
0x01082231
0x01082236
0x01082236
0x01082238
0x01082238
0x01082240
0x01082242
0x01082244
0x010c59fc
0x0108218c
0x0108218c
0x00000000
0x0108218c
0x0108224a
0x0108224f
0x01082256
0x01082304
0x01082309
0x0108230f
0x0108231e
0x0108231e
0x0108231e
0x01082320
0x01082325
0x0108232a
0x0108232c
0x0108233e
0x0108233e
0x00000000
0x0108232c
0x01082311
0x01082317
0x0108231a
0x0108231c
0x01082380
0x01082380
0x01082380
0x01082384
0x00000000
0x00000000
0x01082386
0x00000000
0x0108231c
0x0108225c
0x0108225c
0x00000000
0x0108225c
0x0108212a
0x01082134
0x01082138
0x0108213d
0x010c5858
0x010c5863
0x010c5863
0x010c5867
0x010c586a
0x00000000
0x00000000
0x010c586c
0x010c586c
0x010c5871
0x010c5875
0x010c5877
0x010c5997
0x010c599c
0x010c59a1
0x010c59a7
0x010c59a7
0x00000000
0x010c59a7
0x010c587d
0x00000000
0x010c588b
0x010c588b
0x010c5890
0x010c5892
0x010c5894
0x010c5899
0x010c589b
0x010c58a0
0x010c58a0
0x010c58aa
0x010c58b2
0x010c58b6
0x010c58be
0x010c58c6
0x010c58c9
0x010c590d
0x010c5917
0x010c591a
0x010c591c
0x010c5920
0x010c5928
0x010c592a
0x010c592c
0x010c592e
0x010c592e
0x010c58cb
0x010c58cd
0x010c58d8
0x010c58e0
0x010c58f4
0x010c58fe
0x010c58fe
0x010c593a
0x010c593e
0x010c5940
0x010c5942
0x00000000
0x010c5944
0x010c5944
0x010c5949
0x010c594e
0x010c594e
0x010c5953
0x010c595b
0x010c5976
0x010c5976
0x010c597a
0x010c597f
0x00000000
0x00000000
0x00000000
0x00000000
0x010c5981
0x010c5981
0x010c5981
0x010c5983
0x010c5988
0x010c598d
0x010c5991
0x010c5991
0x00000000
0x010c595d
0x010c595d
0x010c5963
0x010c5965
0x00000000
0x00000000
0x00000000
0x00000000
0x010c5967
0x010c5967
0x010c596b
0x010c596d
0x00000000
0x00000000
0x010c596f
0x010c5971
0x010c5971
0x010c5974
0x00000000
0x00000000
0x00000000
0x010c5974
0x00000000
0x010c5967
0x010c595b
0x010c5942
0x010c5863
0x01082143
0x01082143
0x01082149
0x0108214f
0x010822f1
0x010822f6
0x00000000
0x01082173
0x01082173
0x0108217d
0x01082181
0x01082186
0x010c59ae
0x010c59b2
0x010c59b5
0x010c59b7
0x010c59ba
0x010c59cd
0x010c59d1
0x010c59d5
0x010c59d9
0x010c59db
0x00000000
0x00000000
0x010c59dd
0x010c59dd
0x010c59e1
0x010c59e4
0x010c59e7
0x010c59ee
0x010c59ee
0x010c59f3
0x010c59f3
0x00000000
0x01082186
0x0108214f
0x01082106
0x01082266
0x010820d8
0x010820da
0x010820e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a329fee1a16820328d509bedad6b31b0661c2d646028665b1e75d4c41e7a822a
Instruction ID: 7f50e6ffc73c0985c75fc804831d4302e16e1e237c042f63dfe5df6644280a2c
Opcode Fuzzy Hash: a329fee1a16820328d509bedad6b31b0661c2d646028665b1e75d4c41e7a822a
Instruction Fuzzy Hash: 1DF1243860C3019FDB66DF2CC84076E7BE1AF95B24F1485ADE9D99B281D734E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01056800 Relevance: .4, Instructions: 373
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E01056800(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed short* _a8, intOrPtr _a12, signed short* _a16, signed short* _a20, intOrPtr _a24, intOrPtr* _a28, intOrPtr* _a32, intOrPtr* _a36, intOrPtr* _a40, signed char _a44) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _t124;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t129;
				void* _t130;
				void* _t131;
				intOrPtr* _t132;
				intOrPtr _t153;
				intOrPtr _t162;
				void* _t194;
				intOrPtr _t196;
				void* _t205;
				void* _t206;
				signed short* _t207;
				void* _t209;
				signed int _t211;
				intOrPtr* _t212;
				signed short* _t213;
				signed int _t215;
				signed short* _t217;
				void* _t219;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t238;
				intOrPtr _t256;
				void* _t262;
				short _t268;
				signed int _t271;
				void* _t272;
				intOrPtr* _t273;
				void* _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;

				_t275 = __esi;
				_t272 = __edi;
				_t205 = __ebx;
				if((_a44 & 0xfffffffe) != 0) {
					L61:
					return 0xc000000d;
				}
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				if(E01056BF3(_a8) < 0) {
					goto L61;
				}
				_t256 = _a12;
				_t215 = 0;
				if(_t256 != 0) {
					_t124 = E01056BF3(_t256);
					_t215 = 0;
				} else {
					_t124 = 0;
				}
				if(_t124 < 0) {
					goto L61;
				} else {
					_push(_t205);
					_v5 = _t215;
					_v32 = _t215;
					_t217 = _a16;
					_t206 = 0x5c;
					if(_t217 == 0) {
						L12:
						_t207 = _a20;
						if(_t207 == 0) {
							_t125 = 0;
						} else {
							_t125 = E01056BF3(_t207);
						}
						if(_t125 < 0) {
							L65:
							_t126 = 0xc000000d;
							goto L53;
						} else {
							_t218 = _a28;
							if(_a28 == 0) {
								_t219 = 0;
								_t127 = 0;
							} else {
								_t127 = E01056BF3(_t218);
								_t219 = 0;
							}
							if(_t127 < 0) {
								goto L65;
							} else {
								_t128 = _a32;
								if(_a32 == 0) {
									_t129 = _t219;
								} else {
									_t129 = E01056BF3(_t128);
									_t219 = 0;
								}
								if(_t129 < 0) {
									goto L65;
								} else {
									_push(_t275);
									_t276 = _a36;
									if(_t276 == 0) {
										_t130 = _t219;
									} else {
										_t130 = E01056BF3(_t276);
										_t219 = 0;
									}
									if(_t130 < 0) {
										_t126 = 0xc000000d;
										goto L52;
									} else {
										_push(_t272);
										_t273 = _a40;
										if(_t273 == 0) {
											_t131 = _t219;
										} else {
											_t131 = E01056BF3(_t273);
										}
										if(_t131 < 0) {
											_t126 = 0xc000000d;
											goto L51;
										} else {
											if(_t207 == 0) {
												_t207 = _a8;
												_a20 = _t207;
											}
											_t132 = _a28;
											if(_t132 == 0) {
												_t132 = 0x1031ab0;
												_a28 = 0x1031ab0;
											}
											if(_a32 == 0) {
												_a32 = 0x1031ab0;
											}
											if(_t276 == 0) {
												_t276 = 0x1031ab0;
												_a36 = 0x1031ab0;
											}
											if(_t273 == 0) {
												_t273 = 0x1031ab0;
											}
											_t209 = 3;
											_t278 = 0;
											_t228 = (( *_t207 & 0x0000ffff) + 0x00000005 & 0xfffffffc) + (( *(_t132 + 2) & 0x0000ffff) + _t209 & 0xfffffffc) + (( *_a8 & 0x0000ffff) + 0x00000005 & 0xfffffffc) + (( *(_a32 + 2) & 0x0000ffff) + _t209 & 0xfffffffc) + 0x4ac + (( *(_t276 + 2) & 0x0000ffff) + _t209 & 0xfffffffc);
											_v16 = _t228;
											if( *_t273 != 0) {
												_t228 = _t228 + (( *(_t273 + 2) & 0x0000ffff) + _t209 & 0xfffffffc);
												_v16 = _t228;
											}
											if(_t256 != 0) {
												_t229 = _t228 + (( *(_t256 + 2) & 0x0000ffff) + _t209 & 0xfffffffc);
												_v16 = _t229;
											}
											if(_a24 != _t278) {
												_t153 = E0108585B(_a24, 1);
												_t229 = _v16;
											} else {
												_t153 =  *((intOrPtr*)(_v24 + 0x290));
											}
											_v20 = _t153;
											_t211 = _t153 + 0x00000003 & 0xfffffffc;
											if(_t211 < _t153) {
												L77:
												_t126 = 0xc0000095;
												goto L51;
											} else {
												while(1) {
													_t154 = _t211 + _t229;
													if(_t211 + _t229 < _t229) {
														goto L77;
													}
													_t279 = E01074620(_t229,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t278, _t154);
													if(_t279 == 0) {
														_t126 = 0xc000009a;
														L51:
														L52:
														L53:
														return _t126;
													}
													_t158 = _v16 + _t279;
													_v12 = _v16 + _t279;
													if(_a24 != 0) {
														E0109F3E0(_t158, _a24, _v20);
														L42:
														E0109FA60(_t279, 0, 0x2a4);
														_t162 = _v16;
														 *_t279 = _t162;
														 *((intOrPtr*)(_t279 + 4)) = _t162;
														 *(_t279 + 0x290) = _t211;
														 *((intOrPtr*)(_t279 + 0xc)) = 0;
														_t53 = _t279 + 0x24; // 0x24
														_t212 = _t53;
														 *((intOrPtr*)(_t279 + 0x2c)) = 0;
														 *((intOrPtr*)(_t279 + 0x48)) = _v12;
														_t57 = _t279 + 0x2a4; // 0x2a4
														_v12 = _t57;
														 *((intOrPtr*)(_t279 + 8)) = 1;
														 *(_t279 + 0x14) =  *(_v24 + 0x14) & 1;
														_t169 = _a16;
														if(_a16 == 0) {
															E0106EEF0(0x11479a0);
															E01056C14( &_v12, _t212, _v24 + 0x24, 0x208);
															E0106EB70( &_v12, 0x11479a0);
														} else {
															E01056C14( &_v12, _t212, _t169, 0x208);
															if(_v5 != 0) {
																_t268 = 0x5c;
																 *((short*)( *((intOrPtr*)(_t279 + 0x28)) + _v32 * 2)) = _t268;
																_t194 = 2;
																 *_t212 =  *_t212 + _t194;
															}
														}
														_t234 = _a12;
														if(_a12 != 0) {
															_t104 = _t279 + 0x30; // 0x30
															E01056C14( &_v12, _t104, _t234,  *(_t234 + 2) & 0x0000ffff);
														}
														_t72 = _t279 + 0x38; // 0x38
														E01056C14( &_v12, _t72, _a8, ( *_a8 & 0x0000ffff) + 2);
														_t213 = _a20;
														_t75 = _t279 + 0x40; // 0x40
														_t262 = _t75;
														_t238 =  *_t213 & 0x0000ffff;
														_t180 = _t213[1] & 0x0000ffff;
														if(_t238 != (_t213[1] & 0x0000ffff)) {
															_t180 = _t238 + 2;
														}
														E01056C14( &_v12, _t262, _t213, _t180);
														_t80 = _t279 + 0x70; // 0x70
														E01056C14( &_v12, _t80, _a28,  *(_a28 + 2) & 0x0000ffff);
														_t84 = _t279 + 0x78; // 0x78
														E01056C14( &_v12, _t84, _a32,  *(_a32 + 2) & 0x0000ffff);
														_t88 = _t279 + 0x80; // 0x80
														E01056C14( &_v12, _t88, _a36,  *(_a36 + 2) & 0x0000ffff);
														if( *_t273 != 0) {
															_t118 = _t279 + 0x88; // 0x88
															E01056C14( &_v12, _t118, _t273,  *(_t273 + 2) & 0x0000ffff);
														}
														if((_a44 & 0x00000001) == 0) {
															_t279 = E010DBCB0(_t279);
														}
														_t126 = 0;
														 *_a4 = _t279;
														goto L51;
													}
													E0106EEF0(0x11479a0);
													_t269 = _v24;
													_t196 =  *((intOrPtr*)(_v24 + 0x290));
													_v20 = _t196;
													_t251 = _t196 + 0x00000003 & 0xfffffffc;
													_v28 = _t196 + 0x00000003 & 0xfffffffc;
													if(_t196 > _t211) {
														E0106EB70(_t251, 0x11479a0);
														_t278 = 0;
														L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t279);
														_t211 = _v28;
														_t229 = _v16;
														if(_t211 >= _v20) {
															continue;
														}
														goto L77;
													}
													E0109F3E0(_v12,  *((intOrPtr*)(_t269 + 0x48)), _t196);
													E0106EB70(_t251, 0x11479a0);
													_t211 = _v28;
													goto L42;
												}
												goto L77;
											}
										}
									}
								}
							}
						}
					}
					_t271 = ( *_t217 & 0x0000ffff) >> 1;
					_v32 = _t271;
					if(E01056BF3(_t217) < 0 || _t271 == 0) {
						goto L65;
					} else {
						if( *((intOrPtr*)(_t217[2] + _t271 * 2 - 2)) == _t206) {
							L11:
							_t256 = _a12;
							goto L12;
						}
						if(_t271 > 0x103) {
							goto L65;
						}
						_v5 = 1;
						goto L11;
					}
				}
			}

0x01056800
0x01056800
0x01056800
0x0105680f
0x010b1b26
0x00000000
0x010b1b26
0x01056821
0x0105682b
0x00000000
0x00000000
0x01056831
0x01056834
0x01056838
0x01056b68
0x01056b6d
0x0105683e
0x0105683e
0x0105683e
0x01056842
0x00000000
0x01056848
0x01056848
0x01056849
0x0105684c
0x0105684f
0x01056854
0x01056857
0x01056893
0x01056893
0x01056898
0x010b1b30
0x0105689e
0x010568a0
0x010568a0
0x010568a7
0x010b1b47
0x010b1b47
0x00000000
0x010568ad
0x010568ad
0x010568b2
0x010b1b37
0x010b1b39
0x010568b8
0x010568b8
0x010568bd
0x010568bd
0x010568c1
0x00000000
0x010568c7
0x010568c7
0x010568cc
0x010b1b40
0x010568d2
0x010568d4
0x010568d9
0x010568d9
0x010568dd
0x00000000
0x010568e3
0x010568e3
0x010568e4
0x010568e9
0x010b1b51
0x010568ef
0x010568f1
0x010568f6
0x010568f6
0x010568fa
0x010b1b58
0x00000000
0x01056900
0x01056900
0x01056901
0x01056906
0x010b1b62
0x0105690c
0x0105690e
0x0105690e
0x01056915
0x010b1b69
0x00000000
0x0105691b
0x0105691d
0x010b1b73
0x010b1b76
0x010b1b76
0x01056923
0x0105692d
0x010b1b7e
0x010b1b80
0x010b1b80
0x01056937
0x010b1b88
0x010b1b88
0x0105693f
0x010b1b90
0x010b1b92
0x010b1b92
0x01056947
0x010b1b9a
0x010b1b9a
0x01056959
0x0105698f
0x01056991
0x01056993
0x01056999
0x010b1baa
0x010b1bac
0x010b1bac
0x010569a1
0x01056b7d
0x01056b7f
0x01056b7f
0x010569aa
0x01056b8d
0x01056b92
0x010569b0
0x010569b3
0x010569b3
0x010569bc
0x010569bf
0x010569c4
0x010b1bdf
0x010b1bdf
0x00000000
0x010569ca
0x010569ca
0x010569ca
0x010569cf
0x00000000
0x00000000
0x010569e5
0x010569e9
0x010b1c0f
0x01056b5d
0x01056b5e
0x01056b5f
0x00000000
0x01056b5f
0x010569f2
0x010569f8
0x010569fb
0x01056ba1
0x01056a44
0x01056a4d
0x01056a52
0x01056a57
0x01056a5a
0x01056a62
0x01056a68
0x01056a6b
0x01056a6b
0x01056a6e
0x01056a74
0x01056a77
0x01056a7d
0x01056a83
0x01056a8b
0x01056a8e
0x01056a93
0x01056bb3
0x01056bc9
0x01056bd3
0x01056a99
0x01056aa4
0x01056aad
0x01056ab7
0x01056aba
0x01056abe
0x01056abf
0x01056abf
0x01056aad
0x01056ac2
0x01056ac7
0x01056be1
0x01056be9
0x01056be9
0x01056ad0
0x01056ade
0x01056ae3
0x01056ae6
0x01056ae6
0x01056ae9
0x01056aec
0x01056af3
0x01056af5
0x01056af5
0x01056afd
0x01056b05
0x01056b11
0x01056b19
0x01056b25
0x01056b2d
0x01056b3c
0x01056b46
0x010b1bed
0x010b1bf8
0x010b1bf8
0x01056b50
0x010b1c08
0x010b1c08
0x01056b59
0x01056b5b
0x00000000
0x01056b5b
0x01056a06
0x01056a0b
0x01056a0e
0x01056a14
0x01056a1a
0x01056a1d
0x01056a22
0x010b1bb9
0x010b1bc5
0x010b1bcb
0x010b1bd0
0x010b1bd3
0x010b1bd9
0x00000000
0x00000000
0x00000000
0x010b1bd9
0x01056a2f
0x01056a3c
0x01056a41
0x00000000
0x01056a41
0x00000000
0x010569ca
0x010569c4
0x01056915
0x010568fa
0x010568dd
0x010568c1
0x010568a7
0x0105685c
0x0105685e
0x01056868
0x00000000
0x01056876
0x0105687e
0x01056890
0x01056890
0x00000000
0x01056890
0x01056886
0x00000000
0x00000000
0x0105688c
0x00000000
0x0105688c
0x01056868

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fb72513669c38be3ec7524e26fa3b6c359df9e7a4f5981072d1862d5358ccb
Instruction ID: a52c331dc7578375d42a441d9508a0ee46f9146f5db5f8c83a4add1eec9f0f61
Opcode Fuzzy Hash: 34fb72513669c38be3ec7524e26fa3b6c359df9e7a4f5981072d1862d5358ccb
Instruction Fuzzy Hash: B5D1BF71A002069BDB94DF68C890AFFBBF4AF14314F44866DED96D7280E735D985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010865A0 Relevance: .4, Instructions: 368
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E010865A0(signed int __ecx, unsigned int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr* _v12;
				unsigned int _v16;
				intOrPtr _v20;
				signed int _v24;
				short _v26;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* __ebx;
				signed int _t189;
				signed int _t197;
				signed int _t202;
				signed int _t203;
				unsigned int _t205;
				signed int _t206;
				signed int _t223;
				signed int _t224;
				signed int _t226;
				intOrPtr _t227;
				signed int _t229;
				signed int* _t240;
				signed int _t251;
				signed int _t253;
				signed int _t256;
				signed int _t259;
				signed int _t264;
				signed int _t267;
				signed int _t271;
				intOrPtr _t278;
				intOrPtr _t279;
				signed int _t280;
				signed short _t283;
				signed int _t285;
				signed int _t290;
				signed char _t294;
				signed int _t295;
				intOrPtr _t296;
				intOrPtr* _t299;
				signed int _t300;
				signed int _t302;
				signed int _t309;
				signed int _t311;
				signed int _t319;
				void* _t323;
				unsigned int _t325;
				signed int _t330;
				signed int _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				intOrPtr _t336;
				intOrPtr _t337;
				signed int _t343;
				signed int _t344;
				unsigned int _t345;
				signed int _t346;
				signed int _t347;
				unsigned int _t348;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed int _t367;
				intOrPtr* _t369;
				unsigned int _t371;
				signed int _t372;
				signed int _t376;

				_t325 = __edx;
				_t278 = _a16;
				_t189 =  *(_t278 + 2) & 0x000000ff;
				_t358 = __ecx;
				_t285 =  *(__edx + 0x1b) & 0x000000ff;
				_v16 = __edx;
				_v24 = __ecx;
				_v20 =  *((intOrPtr*)(__edx + 0x10));
				if(_t285 != 0) {
					_v12 =  *((intOrPtr*)(__ecx + 0x5c4 + _t189 * 4)) + 0xffffff98 + _t285 * 0x68;
				} else {
					_v12 =  *((intOrPtr*)(__ecx + 0x3c0 + _t189 * 4));
				}
				_t195 =  *(_t278 + 3) >> 0x00000001 & 0x00000003;
				if(( *(_t278 + 3) >> 0x00000001 & 0x00000003) != 0) {
					_t279 = _a12;
					_t197 = E011156B6(_t358, _t325, _a4, _t195 & 0x000000ff, _a8, _t279, _t278);
					__eflags = _t197;
					if(_t197 == 0) {
						_t325 = _v16;
						goto L4;
					}
				} else {
					_t279 = _a12;
					L4:
					_t290 = _a8 + 8;
					_v40 = _t290;
					_v28 = _t290 >> 0x00000003 & 0x0000ffff;
					 *_a4 = _t325;
					_t202 = _t279 - 0x20;
					if(_t290 == 0x20) {
						_t203 = _t202 >> 5;
					} else {
						_t203 = _t202 / _t290;
					}
					_t280 = 0;
					_v8 = 0;
					_t330 = (_t203 + 0x0000001f >> 0x00000003 & 0x1ffffffc) + 0x00000020 & 0xfffffff8;
					_t205 = _a4 + _t330;
					_v44 = _t330;
					_t333 =  *0x114874c; // 0x14ed13b7
					_v32 = _t333;
					if(_t290 + _t205 <= _a12 + _a4) {
						_t376 = _a8 + 8;
						_v36 = _t376 << 0xd;
						_t367 = _t205 - _a4 << 0xd;
						do {
							_t283 = _v8;
							_t319 = _t205 >> 0x00000003 ^  *(_v24 + 0xc) ^ _t367;
							_t367 = _t367 + _v36;
							 *_t205 = _t319 ^ _t333;
							_t280 = _t283 + 1;
							_v8 = _t280;
							 *(_t205 + 4) = (_t283 & 0x0000ffff) << 0x00000008 |  *(_t205 + 4) & 0xff0000ff;
							 *((char*)(_t205 + 7)) = 0x80;
							_t205 = _t205 + _t376;
							_t323 = _t376 + _t205;
							_t376 = _v40;
							_t333 = _v32;
						} while (_t323 <= _a4 + _a12);
						_t358 = _v24;
					}
					_t206 = _a4;
					 *(_t206 + 0x14) = _t280;
					 *((intOrPtr*)(_t206 + 0x18)) = _t206 + 0x1c;
					_t51 = _t280 + 7; // 0x7
					E0109FA60(_t206 + 0x1c, 0, _t51 >> 3);
					_t294 = _t280 & 0x0000001f;
					if(_t294 != 0) {
						 *(_a4 + (_t280 >> 5) * 4 + 0x1c) =  *(_a4 + (_t280 >> 5) * 4 + 0x1c) |  !((1 << _t294) - 1);
					}
					_t334 = _v16;
					_t295 = _a4;
					 *((short*)(_t334 + 0x14)) = _v28;
					 *_t334 = _v12;
					 *(_t334 + 0x18) = _t280;
					 *((char*)(_t334 + 0x1a)) =  *((intOrPtr*)(_a16 + 2));
					 *((short*)(_t334 + 0x16)) = 0;
					 *(_t334 + 4) = _t295;
					 *((intOrPtr*)(_t334 + 8)) = 0;
					 *((intOrPtr*)(_t334 + 0xc)) = 0;
					_t335 = _v12;
					_v26 = _v28 << 3;
					_v28 = _v44;
					 *(_t295 + 0x10) = _v32 ^ _v28 ^ _t358 ^ _t295;
					if( *((intOrPtr*)(_t335 + 0x54)) == 0) {
						_t296 =  *_t335;
						_t223 =  *(_t296 + 0x14);
						__eflags = _t223 - 0x20;
						if(__eflags < 0) {
							_t224 = _t223 + 4;
							__eflags = _t224;
							goto L32;
						}
						goto L29;
					} else {
						 *((short*)(_t335 + 0x60)) =  *((short*)(_t335 + 0x60)) + 1;
						if( *((short*)(_t335 + 0x60)) > 0x1c) {
							_t296 =  *_t335;
							_t271 =  *(_t296 + 0x14);
							__eflags = _t271;
							if(__eflags != 0) {
								_t224 = _t271 + 0xfffffffc;
								L32:
								 *(_t296 + 0x14) = _t224;
							}
							L29:
							 *((short*)(_t335 + 0x60)) = 0;
						}
					}
					_t369 = _t335 + 0x50;
					do {
						_t226 =  *_t369;
						_t359 =  *((intOrPtr*)(_t369 + 4));
						_v40 = _t226;
						_v44 = _t226 + _t280;
						if(_t280 <= 0) {
						}
						_t336 = _t359;
						asm("lock cmpxchg8b [esi]");
						_t280 = _v8;
					} while (_t226 != _v40 || _t336 != _t359);
					_t299 = _v12;
					_t337 =  *[fs:0x18];
					_t227 =  *_t299;
					 *((intOrPtr*)(_t227 + 0x10)) =  *((intOrPtr*)(_t227 + 0x10)) + 1;
					 *((intOrPtr*)(_t299 + 0x58)) =  *((intOrPtr*)(_t227 + 0x10));
					_t229 =  *(_t337 + 0xfaa) & 0x0000ffff;
					_t300 = _t229 + 0x00000001 & 0x000000ff;
					 *(_t337 + 0xfaa) = _t300 + 0x00000001 & 0x000000ff;
					_t302 = _t280;
					_v32 = ( *(_t229 + 0x1146120) & 0x000000ff | ( *(_t300 + 0x1146120) & 0x000000ff) << 0x00000007 & 0x0000ffff) % _t302 << 0x10;
					_t341 = _v16;
					_v32 = _t302;
					_t303 = _v32;
					 *((intOrPtr*)(_v16 + 0x1c)) = 1;
					asm("lock cmpxchg [esi], ecx");
					if(( *0x11484b4 & 0x00000002) == 0) {
						_t394 =  *0x11484b8;
						_t371 =  *( *[fs:0x18] + 0xfaa) & 0xff;
						_v32 = _t371;
						if( *0x11484b8 == 0) {
							_push(0);
							_push(4);
							_push(0x11484b8);
							_push(0x24);
							_push(0xffffffff);
							__eflags = E01099670();
							if(__eflags < 0) {
								_t363 =  *0x7ffe0004;
								_v44 = _t363;
								__eflags = _t363 - 0x1000000;
								if(__eflags < 0) {
									_t280 = 0x7ffe0324;
									while(1) {
										_t311 =  *_t280;
										_t346 =  *0x7ffe0320;
										__eflags = _t311 -  *0x7ffe0328;
										if(_t311 ==  *0x7ffe0328) {
											break;
										}
										asm("pause");
									}
									_t371 = _v32;
									_t264 = _t346;
									_t347 = _t264 * _v44 >> 0x20;
									_t303 = (_t311 << 8) * _v44;
									_t341 = _t347 >> 0x18;
									_t267 = ((_t347 << 0x00000020 | _t264 * _v44) >> 0x18) + (_t311 << 8) * _v44;
									__eflags = _t267;
								} else {
									_t348 =  *0x7ffe0320 * _t363 >> 0x20;
									_t267 = (_t348 << 0x00000020 | 0x7ffe0320 * _t363) >> 0x18;
									_t341 = _t348 >> 0x18;
								}
								 *0x11484b8 = _t267;
							}
						}
						_t251 = E01085720(_t303, _t341, _t394, 0x11484b8);
						_t395 =  *0x11484b8;
						_t361 = _t251;
						_v40 = _t361;
						if( *0x11484b8 == 0) {
							_push(0);
							_push(4);
							_push(0x11484b8);
							_push(0x24);
							_push(0xffffffff);
							__eflags = E01099670();
							if(__eflags < 0) {
								_t280 =  *0x7ffe0004;
								_v44 = _t280;
								__eflags = _t280 - 0x1000000;
								if(__eflags < 0) {
									_t280 = 0x7ffe0320;
									while(1) {
										_t309 =  *0x7ffe0324;
										_t343 =  *_t280;
										__eflags = _t309 -  *0x7ffe0328;
										if(_t309 ==  *0x7ffe0328) {
											break;
										}
										asm("pause");
									}
									_t371 = _v32;
									_t256 = _t343;
									_t344 = _t256 * _v44 >> 0x20;
									_t361 = _v40;
									_t303 = (_t309 << 8) * _v44;
									_t341 = _t344 >> 0x18;
									_t259 = ((_t344 << 0x00000020 | _t256 * _v44) >> 0x18) + (_t309 << 8) * _v44;
									__eflags = _t259;
								} else {
									_t345 =  *0x7ffe0320 * _t280 >> 0x20;
									_t259 = (_t345 << 0x00000020 | 0x7ffe0320 * _t280) >> 0x18;
									_t341 = _t345 >> 0x18;
								}
								 *0x11484b8 = _t259;
							}
							L58:
						}
						_t253 = E01085720(_t303, _t341, _t395, 0x11484b8);
						_t341 = _v16;
						_t372 = _t371 >> 3;
						 *(0x1146120 + _t372 * 8) = _t253 & 0x7f7f7f7f;
						 *(0x1146124 + _t372 * 8) = _t361 & 0x7f7f7f7f;
					}
					_t240 =  *( *[fs:0x30] + 0x50);
					if(_t240 != 0) {
						__eflags =  *_t240;
						if( *_t240 == 0) {
							goto L24;
						} else {
							_t197 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
							goto L25;
						}
						goto L58;
					} else {
						L24:
						_t197 = 0x7ffe0380;
					}
					L25:
					if( *_t197 != 0) {
						_t197 =  *[fs:0x30];
						__eflags =  *(_t197 + 0x240) & 0x00000001;
						if(( *(_t197 + 0x240) & 0x00000001) != 0) {
							return E01111A5F(_t280,  *(_v24 + 0xc),  *((intOrPtr*)(_t341 + 4)),  *(_t341 + 0x14) & 0x0000ffff,  *(_t341 + 0x18) & 0x0000ffff,  *(_t341 + 0x1b) & 0x000000ff);
						}
					}
				}
				return _t197;
				goto L58;
			}

0x010865a0
0x010865a9
0x010865b1
0x010865b5
0x010865b7
0x010865bb
0x010865be
0x010865c1
0x010865c6
0x010868b5
0x010865cc
0x010865d3
0x010865d3
0x010865db
0x010865dd
0x010c7d05
0x010c7d13
0x010c7d18
0x010c7d1a
0x010c7d20
0x00000000
0x010c7d20
0x010865e3
0x010865e3
0x010865e6
0x010865e9
0x010865ee
0x010865f7
0x010865fd
0x010865ff
0x01086605
0x01086889
0x0108660b
0x0108660d
0x0108660d
0x01086612
0x01086620
0x01086626
0x01086629
0x0108662b
0x01086638
0x0108663e
0x01086641
0x0108664b
0x01086653
0x01086656
0x01086660
0x0108666b
0x0108666e
0x01086670
0x01086675
0x01086686
0x01086689
0x0108668c
0x01086695
0x01086699
0x0108669b
0x0108669e
0x010866a3
0x010866a3
0x010866a8
0x010866a8
0x010866ab
0x010866b1
0x010866b4
0x010866b7
0x010866c1
0x010866cb
0x010866ce
0x010866e5
0x010866e5
0x010866e8
0x010866ee
0x010866f1
0x010866f8
0x010866fd
0x01086704
0x01086709
0x0108670d
0x01086710
0x01086713
0x01086719
0x0108671f
0x01086726
0x01086734
0x0108673c
0x01086891
0x01086893
0x01086896
0x01086899
0x010868bd
0x010868bd
0x00000000
0x010868bd
0x00000000
0x01086742
0x01086742
0x0108674b
0x010868c5
0x010868c7
0x010868ca
0x010868cc
0x010868ce
0x010868c0
0x010868c0
0x010868c0
0x0108689b
0x0108689d
0x0108689d
0x0108674b
0x01086751
0x01086754
0x01086754
0x01086756
0x01086759
0x0108675f
0x01086764
0x01086764
0x0108676d
0x01086772
0x01086776
0x01086779
0x01086782
0x01086785
0x0108678c
0x0108678e
0x01086794
0x01086797
0x010867a1
0x010867aa
0x010867ca
0x010867d4
0x010867d7
0x010867da
0x010867de
0x010867e1
0x010867eb
0x010867f6
0x010867fe
0x0108680c
0x0108680f
0x01086812
0x010c7d30
0x010c7d32
0x010c7d34
0x010c7d39
0x010c7d3b
0x010c7d42
0x010c7d44
0x010c7d4a
0x010c7d50
0x010c7d53
0x010c7d59
0x010c7d6d
0x010c7d7c
0x010c7d7c
0x010c7d7e
0x010c7d82
0x010c7d84
0x00000000
0x00000000
0x010c7d86
0x010c7d86
0x010c7d8a
0x010c7d8d
0x010c7d8f
0x010c7d95
0x010c7d9d
0x010c7da0
0x010c7da0
0x010c7d5b
0x010c7d62
0x010c7d64
0x010c7d68
0x010c7d68
0x010c7da2
0x010c7da2
0x010c7d44
0x0108681d
0x01086822
0x01086829
0x0108682b
0x0108682e
0x010c7dac
0x010c7dae
0x010c7db0
0x010c7db5
0x010c7db7
0x010c7dbe
0x010c7dc0
0x010c7dc6
0x010c7dcc
0x010c7dcf
0x010c7dd5
0x010c7dee
0x010c7df8
0x010c7df8
0x010c7dfa
0x010c7dfe
0x010c7e00
0x00000000
0x00000000
0x010c7e02
0x010c7e02
0x010c7e06
0x010c7e09
0x010c7e0b
0x010c7e0e
0x010c7e14
0x010c7e1c
0x010c7e1f
0x010c7e1f
0x010c7dd7
0x010c7dde
0x010c7de0
0x010c7de4
0x010c7de4
0x010c7e21
0x010c7e21
0x00000000
0x010c7dc0
0x01086839
0x0108683e
0x01086850
0x01086853
0x0108685a
0x0108685a
0x01086867
0x0108686c
0x010c7e2b
0x010c7e2e
0x00000000
0x010c7e34
0x010c7e3d
0x00000000
0x010c7e3d
0x00000000
0x01086872
0x01086872
0x01086872
0x01086872
0x01086877
0x0108687a
0x010c7e47
0x010c7e4d
0x010c7e54
0x00000000
0x010c7e75
0x010c7e54
0x0108687a
0x01086886
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befccbc450cb2f72e1a6ed891d46c42a85c268d81b83ab47351b2050bafc99f1
Instruction ID: 2dbb5b4ef5dbd54eb6924543e0b526c34a7ff5497b3a5e2c937b0eb12027e167
Opcode Fuzzy Hash: befccbc450cb2f72e1a6ed891d46c42a85c268d81b83ab47351b2050bafc99f1
Instruction Fuzzy Hash: 72E18075A04205CFCB58DF59C880BADBBF1FF48310F1981A9E995AB395D734E981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0106D5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0106D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x114d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E01066600(0x11452d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L110:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L115;
						} else {
							_t283 =  *0x1147b9c; // 0x0
							_t281 = E01074620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L115:
								E0109F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L110;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1147b90; // 0x77090000
								if(_t384 == 0) {
									_t353 =  *0x1147b8c; // 0xb22b58
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E01072280(_t200, 0x11484d8);
									_t277 =  *0x11485f4; // 0xb23048
									_t351 =  *0x11485f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L119;
												}
												goto L153;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xb22fe0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L119:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L153;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0106FFB0(_t287, _t353, 0x11484d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E010ACC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E01066600(0x11452d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E01067926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x114b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E010DE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1148472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x114b1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x114b218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L137;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E01072280(_t250, 0x11484d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L136:
															asm("int 0x29");
															L137:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01093898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L136;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0106FFB0(_t293, _t353, 0x11484d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E010937F5(_t353, 0);
																}
																E01090413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01089B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E010802D6(_t174);
																}
																L010777F0( *0x1147b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0108C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0106EC7F(_t353);
										L010819B8(_t287, 0, _t353, 0);
										_t200 = E0105F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x114b2f8 |  *0x114b2fc) == 0 || ( *0x114b2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0109B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x114b2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E01106B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E01106AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L109:
														_t356 = 0;
														_v44 = 0;
														goto L64;
													} else {
														__eflags = 0;
														__eflags = 0;
														if(0 < 0) {
															goto L109;
														}
														L64:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L145:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E0106E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L103;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L72;
																		}
																	} else {
																		L103:
																		_t307 =  *(_t306 + 0x50);
																		goto L70;
																	}
																	goto L153;
																} else {
																	_t239 = E0106EAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L71:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E01099730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L70:
																			_v48 = _t307;
																			goto L71;
																		}
																	}
																}
															}
															L72:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L152:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L152;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L76:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L92;
																		} else {
																			_v64 = 0;
																			E0106E9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L145;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L145;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L84;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L84:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t115 = _v64 + 0x18; // 0x18
																						_t348 = _t115 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_v64 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L145;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L99:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L99;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L145;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L01068F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L145;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01093C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L92;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L92:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L96:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L151:
																													 *_t358 = 0;
																													goto L152;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L96;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L151;
																														} else {
																															goto L96;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L98;
																						}
																					}
																					goto L145;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L152;
																		} else {
																			goto L76;
																		}
																	}
																}
															}
														}
														L98:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L153;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L153:
			}

0x0106d5f2
0x0106d5f5
0x0106d5f5
0x0106d5fd
0x0106d600
0x0106d60a
0x0106d60d
0x0106d617
0x0106d61d
0x0106d627
0x0106d62e
0x0106d911
0x0106d913
0x00000000
0x0106d919
0x0106d919
0x0106d919
0x0106d634
0x0106d634
0x0106d634
0x0106d634
0x0106d640
0x0106d8bf
0x00000000
0x0106d646
0x0106d646
0x0106d64d
0x0106d652
0x010bb2fc
0x010bb2fc
0x010bb302
0x010bb33b
0x010bb341
0x00000000
0x010bb304
0x010bb304
0x010bb319
0x010bb31e
0x010bb324
0x010bb326
0x010bb332
0x010bb347
0x010bb34c
0x010bb351
0x010bb35a
0x00000000
0x010bb328
0x010bb328
0x00000000
0x010bb328
0x010bb326
0x0106d658
0x0106d658
0x0106d65b
0x0106d665
0x00000000
0x0106d66b
0x0106d66b
0x0106d66b
0x0106d66b
0x0106d66d
0x0106d672
0x0106d67a
0x00000000
0x00000000
0x0106d680
0x0106d686
0x0106d8ce
0x0106d8d4
0x0106d8dd
0x0106d8e0
0x0106d68c
0x0106d691
0x0106d69d
0x0106d6a2
0x0106d6a7
0x0106d6b0
0x0106d6b5
0x0106d6e0
0x0106d6b7
0x0106d6b7
0x0106d6b9
0x0106d6b9
0x0106d6bb
0x0106d6bd
0x0106d6ce
0x0106d6d0
0x0106d6d2
0x010bb363
0x010bb365
0x00000000
0x010bb36b
0x00000000
0x010bb36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0106d6bf
0x0106d6bf
0x0106d6e5
0x0106d6e7
0x0106d6e9
0x0106d6ec
0x0106d6ec
0x0106d6ef
0x0106d6f5
0x0106d6f9
0x0106d6fb
0x0106d6fd
0x0106d701
0x0106d703
0x0106d70a
0x0106d70a
0x0106d701
0x0106d710
0x0106d710
0x0106d6c1
0x0106d6c1
0x0106d6c6
0x010bb36d
0x010bb36f
0x00000000
0x010bb375
0x010bb375
0x010bb375
0x00000000
0x010bb375
0x00000000
0x0106d6cc
0x0106d6d8
0x0106d6d8
0x0106d6d8
0x00000000
0x0106d6c6
0x0106d6bf
0x00000000
0x0106d6da
0x0106d6da
0x0106d716
0x0106d71b
0x0106d720
0x0106d726
0x0106d726
0x0106d72d
0x00000000
0x0106d733
0x0106d739
0x0106d742
0x0106d750
0x0106d758
0x0106d764
0x0106d776
0x0106d77a
0x0106d783
0x0106d928
0x0106d92c
0x0106d93d
0x0106d944
0x0106d94f
0x0106d954
0x0106d956
0x0106d95f
0x0106d961
0x0106d973
0x0106d973
0x0106d956
0x0106d944
0x0106d92c
0x0106d78b
0x010bb394
0x0106d791
0x0106d798
0x010bb3a3
0x010bb3bb
0x010bb3bb
0x0106d7a5
0x0106d866
0x0106d870
0x0106d892
0x0106d898
0x0106d89e
0x0106d8a0
0x0106d8a6
0x0106d8ac
0x0106d8ae
0x0106d8b4
0x0106d8b4
0x0106d8ae
0x0106d7a5
0x0106d78b
0x0106d7b1
0x010bb3c5
0x010bb3c5
0x0106d7c3
0x0106d7ca
0x0106d7e5
0x0106d7eb
0x0106d8eb
0x0106d8ed
0x00000000
0x0106d8f3
0x0106d8f3
0x0106d8f3
0x00000000
0x0106d8ed
0x0106d7cc
0x0106d7cc
0x0106d7d2
0x00000000
0x0106d7d4
0x0106d7d4
0x0106d7d7
0x0106d7df
0x010bb3d4
0x010bb3d9
0x010bb3dc
0x010bb3dc
0x010bb3df
0x010bb3e2
0x010bb468
0x010bb46d
0x010bb46f
0x010bb46f
0x010bb475
0x0106d8f8
0x0106d8f9
0x0106d8fd
0x010bb3e8
0x010bb3e8
0x010bb3eb
0x010bb3ed
0x00000000
0x010bb3ef
0x010bb3ef
0x010bb3f1
0x010bb3f4
0x010bb3fe
0x010bb404
0x010bb409
0x010bb40e
0x010bb410
0x010bb410
0x010bb414
0x010bb414
0x010bb41b
0x010bb420
0x010bb423
0x010bb425
0x010bb427
0x010bb42a
0x010bb42d
0x010bb42d
0x010bb42a
0x010bb432
0x010bb436
0x010bb438
0x010bb43b
0x010bb43b
0x010bb449
0x010bb44e
0x010bb454
0x010bb458
0x010bb458
0x010bb45d
0x00000000
0x010bb45d
0x010bb3ed
0x00000000
0x00000000
0x00000000
0x0106d7df
0x0106d7d2
0x0106d7ca
0x010bb37c
0x010bb37e
0x010bb385
0x010bb38a
0x00000000
0x010bb38a
0x0106d742
0x0106d7f1
0x0106d7f8
0x010bb49b
0x010bb49b
0x0106d800
0x0106d837
0x0106d843
0x0106d845
0x0106d847
0x0106d84a
0x0106d84b
0x0106d84e
0x0106d857
0x0106d818
0x0106d824
0x0106d831
0x010bb4a5
0x010bb4ab
0x010bb4b3
0x010bb4b8
0x010bb4bb
0x00000000
0x010bb4c1
0x010bb4c1
0x010bb4c8
0x00000000
0x010bb4ce
0x010bb4d4
0x010bb4e1
0x010bb4e3
0x010bb4e5
0x00000000
0x010bb4eb
0x010bb4f0
0x010bb4f2
0x0106dac9
0x0106dacc
0x0106dacf
0x0106dad1
0x0106dd78
0x0106dd78
0x0106dcf2
0x00000000
0x0106dad7
0x0106dad7
0x0106dad9
0x0106dadb
0x00000000
0x00000000
0x0106dae1
0x0106dae1
0x0106dae4
0x0106dae6
0x010bb4f9
0x010bb4f9
0x010bb500
0x0106daec
0x0106daec
0x0106daf5
0x0106daf8
0x0106dafb
0x0106db03
0x0106db11
0x0106db16
0x0106db19
0x0106db1b
0x010bb52c
0x010bb531
0x010bb534
0x0106db21
0x0106db21
0x0106db24
0x0106dcd9
0x0106dce2
0x0106dce5
0x0106dd6a
0x0106dd6d
0x00000000
0x0106dd73
0x010bb51a
0x010bb51c
0x010bb51f
0x010bb524
0x00000000
0x010bb524
0x0106dce7
0x0106dce7
0x0106dce7
0x00000000
0x0106dce7
0x00000000
0x0106db2a
0x0106db2c
0x0106db31
0x0106db33
0x0106db36
0x0106db39
0x0106db3b
0x0106db66
0x0106db66
0x0106db3d
0x0106db3d
0x0106db3e
0x0106db46
0x0106db47
0x0106db49
0x0106db4c
0x0106db53
0x0106db55
0x0106db58
0x0106db5a
0x010bb50a
0x010bb50f
0x010bb512
0x0106db60
0x0106db60
0x0106db63
0x0106db63
0x00000000
0x0106db63
0x0106db5a
0x0106db3b
0x0106db24
0x0106db69
0x0106db69
0x0106db6c
0x0106db6f
0x0106db74
0x010bb557
0x010bb557
0x010bb55e
0x0106db7a
0x0106db7c
0x0106db7f
0x0106db82
0x0106db85
0x00000000
0x0106db8b
0x0106db8b
0x0106db8d
0x0106db9b
0x0106db9b
0x0106db9d
0x0106dba0
0x0106dba2
0x0106dba4
0x0106dba7
0x0106dba9
0x0106dbae
0x0106dbae
0x0106dbb1
0x0106dbb4
0x0106dbb4
0x0106dbb7
0x0106dbba
0x0106dcd2
0x0106dcd4
0x00000000
0x0106dbc0
0x0106dbc0
0x0106dbd2
0x0106dbd7
0x0106dbda
0x0106dbdd
0x0106dbdf
0x00000000
0x0106dbe5
0x0106dbe5
0x0106dbee
0x0106dbf1
0x010bb541
0x010bb544
0x00000000
0x010bb546
0x010bb546
0x00000000
0x010bb546
0x0106dbf7
0x0106dbf7
0x0106dbfd
0x0106dbfd
0x0106dbff
0x0106dc0b
0x0106dc18
0x0106dc1b
0x0106dc1d
0x0106dc21
0x0106dc21
0x0106dc23
0x0106dc23
0x0106dc26
0x0106dc29
0x0106dc2b
0x00000000
0x00000000
0x0106dc31
0x0106dc34
0x0106dc36
0x0106dcbf
0x0106dcbf
0x0106dcc2
0x00000000
0x0106dc3c
0x0106dc41
0x0106dc43
0x00000000
0x0106dc45
0x0106dc45
0x0106dc47
0x00000000
0x0106dc4d
0x0106dc4d
0x0106dc50
0x0106dc52
0x0106dc55
0x0106dcfa
0x0106dcfe
0x0106dd08
0x0106dd0a
0x0106dd0c
0x00000000
0x0106dd12
0x0106dd15
0x0106dd2d
0x0106dd2f
0x0106dd32
0x0106dd35
0x00000000
0x0106dd35
0x0106dc5b
0x0106dc5b
0x0106dc5e
0x0106dc61
0x0106dc64
0x0106dc67
0x0106dc67
0x0106dc6a
0x0106dc6c
0x0106dc8e
0x0106dc8e
0x0106dc91
0x0106dc93
0x0106dcce
0x0106dcce
0x0106dc95
0x0106dc9c
0x0106dc6e
0x0106dc72
0x0106dc75
0x0106dc77
0x0106dc79
0x010bb551
0x010bb551
0x00000000
0x0106dc7f
0x0106dc7f
0x0106dc81
0x00000000
0x0106dc83
0x0106dc86
0x0106dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0106dc88
0x0106dc81
0x0106dc79
0x0106dc6c
0x0106dc55
0x0106dc47
0x0106dc43
0x00000000
0x0106dc36
0x0106dc23
0x00000000
0x0106dbff
0x0106dbf1
0x0106dbdf
0x0106db8f
0x0106db92
0x0106db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0106db95
0x0106db8d
0x0106db85
0x0106db74
0x0106dc9f
0x0106dca2
0x0106dcb0
0x0106dcb0
0x0106dad1
0x010bb4e5
0x010bb4c8
0x00000000
0x00000000
0x00000000
0x0106d831
0x00000000
0x0106d800
0x010bb47f
0x010bb485
0x00000000
0x010bb485
0x0106d665
0x0106d652
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab52a0cdc9850580ae35cdebf375d73985cbc60b2ed08eca7416e5cd01e1039f
Instruction ID: 242d99da17b6af1e96b9cb6a7714a66d51c8fe25cd861337fd9d22f489a06696
Opcode Fuzzy Hash: ab52a0cdc9850580ae35cdebf375d73985cbc60b2ed08eca7416e5cd01e1039f
Instruction Fuzzy Hash: D6E1D034B0025ACFEB658F58C884BA9B7FABF45704F0441E9E9C997291DB34AD81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01053ACA Relevance: .3, Instructions: 348
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01053ACA(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t197;
				intOrPtr _t200;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t217;
				signed int _t224;
				signed int _t226;
				signed int _t229;
				signed int _t230;
				signed int _t233;
				intOrPtr _t238;
				signed int _t246;
				signed int _t249;
				char* _t252;
				intOrPtr _t257;
				signed int _t272;
				intOrPtr _t280;
				intOrPtr _t281;
				signed char _t286;
				signed int _t291;
				signed int _t292;
				intOrPtr _t299;
				intOrPtr _t301;
				signed int _t307;
				intOrPtr* _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t312;
				signed int* _t313;
				intOrPtr _t315;
				signed int _t316;
				void* _t317;

				_push(0x84);
				_push(0x112f4d0);
				E010AD0E8(__ebx, __edi, __esi);
				_t312 = __edx;
				 *((intOrPtr*)(_t317 - 0x38)) = __edx;
				 *((intOrPtr*)(_t317 - 0x20)) = __ecx;
				_t307 = 0;
				 *(_t317 - 0x74) = 0;
				 *((intOrPtr*)(_t317 - 0x78)) = 0;
				_t272 = 0;
				 *(_t317 - 0x60) = 0;
				 *((intOrPtr*)(_t317 - 0x68)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t197 = __edx + 0x28;
				 *((intOrPtr*)(_t317 - 0x7c)) = _t197;
				 *((intOrPtr*)(_t317 - 0x88)) = _t197;
				E01072280(_t197, _t197);
				_t280 =  *((intOrPtr*)(_t312 + 0x2c));
				 *((intOrPtr*)(_t317 - 0x34)) = _t280;
				L1:
				while(1) {
					if(_t280 == _t312 + 0x2c) {
						E0106FFB0(_t272, _t307,  *((intOrPtr*)(_t317 - 0x7c)));
						asm("sbb ebx, ebx");
						return E010AD130( ~_t272 & 0xc000022d, _t307, _t312);
					}
					_t15 = _t280 - 4; // -4
					_t200 = _t15;
					 *((intOrPtr*)(_t317 - 0x70)) = _t200;
					 *((intOrPtr*)(_t317 - 0x8c)) = _t200;
					 *((intOrPtr*)(_t317 - 0x6c)) = _t200;
					_t308 = 0x7ffe0010;
					_t313 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x1148628; // 0x0
									 *(_t317 - 0x30) = _t201;
									_t202 =  *0x114862c; // 0x0
									 *(_t317 - 0x44) = _t202;
									 *(_t317 - 0x28) =  *_t313;
									 *(_t317 - 0x58) = _t313[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t281 =  *0x7ffe0008;
										__eflags = _t301 -  *_t308;
										if(_t301 ==  *_t308) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t313 = 0x7ffe03b0;
									_t309 =  *0x7ffe03b0;
									 *(_t317 - 0x40) = _t309;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t317 - 0x3c)) = _t206;
									__eflags =  *(_t317 - 0x28) - _t309;
									_t308 = 0x7ffe0010;
								} while ( *(_t317 - 0x28) != _t309);
								__eflags =  *(_t317 - 0x58) - _t206;
							} while ( *(_t317 - 0x58) != _t206);
							_t207 =  *0x1148628; // 0x0
							_t310 =  *0x114862c; // 0x0
							 *(_t317 - 0x28) = _t310;
							__eflags =  *(_t317 - 0x30) - _t207;
							_t308 = 0x7ffe0010;
						} while ( *(_t317 - 0x30) != _t207);
						__eflags =  *(_t317 - 0x44) -  *(_t317 - 0x28);
					} while ( *(_t317 - 0x44) !=  *(_t317 - 0x28));
					_t315 =  *((intOrPtr*)(_t317 - 0x6c));
					_t307 = 0;
					_t272 =  *(_t317 - 0x60);
					asm("sbb edx, [ebp-0x3c]");
					asm("sbb edx, eax");
					 *(_t317 - 0x28) = _t281 -  *(_t317 - 0x40) -  *(_t317 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x2c]");
					_t209 =  *((intOrPtr*)(_t317 - 0x20));
					_t286 =  *(_t315 + 0x24) &  *(_t209 + 0x18);
					 *(_t317 - 0x40) = _t286;
					__eflags =  *(_t315 + 0x34);
					if( *(_t315 + 0x34) != 0) {
						L37:
						 *((intOrPtr*)(_t317 - 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t317 - 0x34))));
						E0108DF4C(_t317 - 0x78, _t315, _t317 - 0x74, _t317 - 0x78);
						_t316 =  *(_t317 - 0x74);
						__eflags = _t316;
						_t280 =  *((intOrPtr*)(_t317 - 0x34));
						if(_t316 != 0) {
							 *0x114b1e0( *((intOrPtr*)(_t317 - 0x78)));
							 *_t316();
							_t280 =  *((intOrPtr*)(_t317 - 0x34));
						}
						_t312 =  *((intOrPtr*)(_t317 - 0x38));
						continue;
					}
					__eflags = _t286;
					if(_t286 == 0) {
						goto L37;
					}
					 *(_t317 - 0x5c) = _t286;
					_t45 = _t317 - 0x5c;
					 *_t45 =  *(_t317 - 0x5c) & 0x00000001;
					__eflags =  *_t45;
					if( *_t45 == 0) {
						L40:
						__eflags = _t286 & 0xfffffffe;
						if((_t286 & 0xfffffffe) != 0) {
							__eflags =  *((intOrPtr*)(_t315 + 0x64)) - _t307;
							if( *((intOrPtr*)(_t315 + 0x64)) == _t307) {
								L14:
								__eflags =  *(_t315 + 0x40) - _t307;
								if( *(_t315 + 0x40) != _t307) {
									__eflags = _t301 -  *(_t315 + 0x4c);
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t299 =  *((intOrPtr*)(_t317 - 0x20));
										__eflags =  *(_t315 + 0x5c) -  *((intOrPtr*)(_t299 + 0x10));
										if( *(_t315 + 0x5c) >=  *((intOrPtr*)(_t299 + 0x10))) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t317 - 0x28) -  *(_t315 + 0x48);
									if( *(_t317 - 0x28) >=  *(_t315 + 0x48)) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *((intOrPtr*)(_t317 + 8)) - _t307;
								if( *((intOrPtr*)(_t317 + 8)) != _t307) {
									__eflags =  *((intOrPtr*)(_t315 + 0x58)) - _t307;
									if( *((intOrPtr*)(_t315 + 0x58)) != _t307) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t317 - 0x24) = _t307;
								 *(_t317 - 0x30) = _t307;
								 *((intOrPtr*)(_t317 - 0x2c)) =  *((intOrPtr*)(_t315 + 0x10));
								_t217 =  *((intOrPtr*)(_t315 + 0xc));
								 *((intOrPtr*)(_t317 - 0x4c)) =  *((intOrPtr*)(_t217 + 0x10));
								 *((intOrPtr*)(_t317 - 0x48)) =  *((intOrPtr*)(_t217 + 0x14));
								 *(_t317 - 0x58) =  *(_t217 + 0x24);
								 *((intOrPtr*)(_t317 - 0x3c)) =  *((intOrPtr*)(_t315 + 0x14));
								 *((intOrPtr*)(_t317 - 0x64)) =  *((intOrPtr*)(_t315 + 0x18));
								 *(_t315 + 0x60) =  *( *[fs:0x18] + 0x24);
								_t224 =  *((intOrPtr*)(_t317 - 0x38)) + 0x28;
								 *(_t317 - 0x94) = _t224;
								_t291 = _t224;
								 *(_t317 - 0x28) = _t291;
								 *(_t317 - 0x90) = _t291;
								E0106FFB0(_t272, _t307, _t224);
								_t292 = _t307;
								 *(_t317 - 0x54) = _t292;
								_t226 = _t307;
								 *(_t317 - 0x50) = _t226;
								 *(_t317 - 0x44) = _t226;
								__eflags =  *(_t315 + 0x28);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t229 = 0;
									_t230 = _t229 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t317 - 0x50) = _t230;
									 *(_t317 - 0x44) = _t230;
									__eflags = _t230;
									if(_t230 != 0) {
										goto L17;
									}
									__eflags =  *((intOrPtr*)(_t317 + 8)) - 1;
									if( *((intOrPtr*)(_t317 + 8)) == 1) {
										E01072280( *(_t315 + 0x28) + 0x10,  *(_t315 + 0x28) + 0x10);
										_t230 = 1;
										 *(_t317 - 0x50) = 1;
										 *(_t317 - 0x44) = 1;
										goto L17;
									}
									_t233 = _t230 + 1;
									L35:
									 *( *((intOrPtr*)(_t317 - 0x70)) + 0x58) = _t233;
									__eflags = _t292;
									if(_t292 == 0) {
										E01072280(_t233,  *(_t317 - 0x28));
									}
									 *(_t315 + 0x60) = _t307;
									goto L37;
								}
								L17:
								__eflags =  *(_t315 + 0x34) - _t307;
								if( *(_t315 + 0x34) != _t307) {
									L26:
									__eflags =  *(_t317 - 0x50);
									if( *(_t317 - 0x50) != 0) {
										_t230 = E0106FFB0(_t272, _t307,  *(_t315 + 0x28) + 0x10);
									}
									__eflags =  *(_t317 - 0x30);
									if( *(_t317 - 0x30) == 0) {
										L71:
										_t292 =  *(_t317 - 0x54);
										L34:
										_t233 = _t307;
										goto L35;
									}
									E01072280(_t230,  *(_t317 - 0x94));
									_t292 = 1;
									 *(_t317 - 0x54) = 1;
									__eflags =  *(_t317 - 0x24) - 0xc000022d;
									if( *(_t317 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t315 + 0x20) & 0x00000004;
										if(( *(_t315 + 0x20) & 0x00000004) == 0) {
											goto L34;
										}
										_t272 = 1;
										__eflags = 1;
										 *(_t317 - 0x60) = 1;
										E010E30AE(_t315,  *(_t317 - 0x24),  *( *((intOrPtr*)(_t317 - 0x20)) + 0x10));
										goto L71;
									}
									__eflags =  *(_t317 - 0x24) - 0xc0000017;
									if( *(_t317 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t315 + 0x1c);
									if( *(_t315 + 0x1c) != 0) {
										_t238 =  *((intOrPtr*)(_t317 - 0x20));
										__eflags =  *((intOrPtr*)(_t238 + 0x10)) -  *(_t315 + 0x1c);
										if( *((intOrPtr*)(_t238 + 0x10)) -  *(_t315 + 0x1c) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t315 + 0x20) & 0x00000004;
										if(( *(_t315 + 0x20) & 0x00000004) != 0) {
											__eflags =  *(_t315 + 0x50) - _t307;
											if( *(_t315 + 0x50) > _t307) {
												 *(_t315 + 0x40) = _t307;
												 *(_t315 + 0x54) = _t307;
												 *(_t315 + 0x48) = _t307;
												 *(_t315 + 0x4c) = _t307;
												 *(_t315 + 0x50) = _t307;
												 *(_t315 + 0x5c) = _t307;
											}
										}
										goto L34;
									}
									L31:
									 *(_t315 + 0x1c) =  *( *((intOrPtr*)(_t317 - 0x20)) + 0x10);
									goto L32;
								}
								 *(_t317 - 0x30) = 1;
								 *((intOrPtr*)(_t317 - 0x80)) = 1;
								 *((intOrPtr*)(_t317 - 0x64)) = E01053E80( *((intOrPtr*)(_t317 - 0x64)));
								 *(_t317 - 4) = _t307;
								__eflags =  *(_t317 - 0x5c);
								if( *(_t317 - 0x5c) != 0) {
									_t257 =  *((intOrPtr*)(_t317 - 0x20));
									 *0x114b1e0( *((intOrPtr*)(_t317 - 0x4c)),  *((intOrPtr*)(_t317 - 0x48)),  *((intOrPtr*)(_t257 + 0x10)),  *(_t317 - 0x58),  *((intOrPtr*)(_t317 - 0x3c)),  *((intOrPtr*)(_t317 - 0x68)),  *((intOrPtr*)(_t257 + 0x14)));
									 *(_t317 - 0x24) =  *((intOrPtr*)(_t317 - 0x2c))();
								}
								_t246 =  *(_t317 - 0x40);
								__eflags = _t246 & 0x00000010;
								if((_t246 & 0x00000010) != 0) {
									__eflags =  *(_t315 + 0x34) - _t307;
									if( *(_t315 + 0x34) != _t307) {
										goto L21;
									}
									__eflags =  *(_t317 - 0x24);
									if( *(_t317 - 0x24) >= 0) {
										L64:
										 *0x114b1e0( *((intOrPtr*)(_t317 - 0x4c)),  *((intOrPtr*)(_t317 - 0x48)), _t307,  *(_t317 - 0x58),  *((intOrPtr*)(_t317 - 0x3c)), _t307, _t307);
										 *((intOrPtr*)(_t317 - 0x2c))();
										 *(_t317 - 0x24) = _t307;
										_t246 =  *(_t317 - 0x40);
										goto L21;
									}
									__eflags =  *(_t315 + 0x20) & 0x00000004;
									if(( *(_t315 + 0x20) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t246 & 0xffffffee;
									if((_t246 & 0xffffffee) != 0) {
										 *(_t317 - 0x24) = _t307;
										 *0x114b1e0( *((intOrPtr*)(_t317 - 0x4c)),  *((intOrPtr*)(_t317 - 0x48)),  *((intOrPtr*)(_t317 - 0x3c)), _t246);
										 *((intOrPtr*)(_t317 - 0x2c))();
									}
									_t249 = E01077D50();
									__eflags = _t249;
									if(_t249 != 0) {
										_t252 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t252 = 0x7ffe038e;
									}
									__eflags =  *_t252;
									if( *_t252 != 0) {
										_t252 = E010E2E14( *( *((intOrPtr*)(_t317 - 0x20)) + 0x10), _t315,  *((intOrPtr*)(_t317 - 0x38)),  *((intOrPtr*)(_t317 - 0x2c)),  *(_t317 - 0x40),  *(_t317 - 0x24),  *((intOrPtr*)(_t317 - 0x4c)),  *((intOrPtr*)(_t317 - 0x48)));
									}
									 *(_t317 - 4) = 0xfffffffe;
									E01053E6B(_t252);
									_t230 = E01053E80( *((intOrPtr*)(_t317 - 0x64)));
									goto L26;
								}
							}
						}
						__eflags = _t286 & 0x00000010;
						if((_t286 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t315 + 0x1c);
					if( *(_t315 + 0x1c) != 0) {
						__eflags =  *((intOrPtr*)(_t209 + 0x10)) -  *(_t315 + 0x1c);
						if( *((intOrPtr*)(_t209 + 0x10)) -  *(_t315 + 0x1c) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x01053aca
0x01053acf
0x01053ad4
0x01053ad9
0x01053adb
0x01053ae0
0x01053ae3
0x01053ae5
0x01053ae8
0x01053aeb
0x01053aed
0x01053af5
0x01053af8
0x01053afb
0x01053afe
0x01053b05
0x01053b0a
0x01053b0d
0x00000000
0x01053b10
0x01053b15
0x01053b1a
0x01053b21
0x01053b30
0x01053b30
0x01053b33
0x01053b33
0x01053b36
0x01053b39
0x01053b3f
0x01053b47
0x01053b4a
0x01053b4a
0x01053b4f
0x01053b4f
0x01053b4f
0x01053b4f
0x01053b4f
0x01053b4f
0x01053b54
0x01053b57
0x01053b5c
0x01053b61
0x01053b67
0x01053b6f
0x01053b6f
0x01053b71
0x01053b75
0x01053b77
0x00000000
0x00000000
0x01053e6c
0x01053e6c
0x01053b7d
0x01053b7d
0x01053b82
0x01053b84
0x01053b87
0x01053b8a
0x01053b8d
0x01053b90
0x01053b90
0x01053b97
0x01053b97
0x01053b9c
0x01053ba1
0x01053ba7
0x01053baa
0x01053bad
0x01053bad
0x01053bb7
0x01053bb7
0x01053bbc
0x01053bbf
0x01053bc1
0x01053bc7
0x01053bcd
0x01053bd5
0x01053bd8
0x01053bda
0x01053be1
0x01053be4
0x01053be7
0x01053bea
0x01053bed
0x01053d97
0x01053d9c
0x01053da8
0x01053dad
0x01053db0
0x01053db2
0x01053db5
0x010b020b
0x010b0211
0x010b0213
0x010b0213
0x01053dbb
0x00000000
0x01053dbb
0x01053bf3
0x01053bf5
0x00000000
0x00000000
0x01053bfb
0x01053bfe
0x01053bfe
0x01053bfe
0x01053c02
0x01053dd1
0x01053dd1
0x01053dd7
0x010b00c1
0x010b00c4
0x01053c11
0x01053c11
0x01053c14
0x010b00cf
0x010b00d2
0x00000000
0x00000000
0x010b00d8
0x010b00e6
0x010b00e9
0x010b00ec
0x010b00ef
0x00000000
0x00000000
0x00000000
0x010b00f5
0x010b00dd
0x010b00e0
0x00000000
0x00000000
0x00000000
0x010b00e0
0x01053c1a
0x01053c1a
0x01053c1d
0x01053e20
0x01053e23
0x00000000
0x00000000
0x00000000
0x01053e29
0x01053c23
0x01053c23
0x01053c26
0x01053c2c
0x01053c2f
0x01053c35
0x01053c3b
0x01053c41
0x01053c47
0x01053c4d
0x01053c59
0x01053c5f
0x01053c62
0x01053c68
0x01053c6a
0x01053c6d
0x01053c74
0x01053c79
0x01053c7b
0x01053c7e
0x01053c80
0x01053c83
0x01053c89
0x01053c8b
0x01053dea
0x01053df1
0x01053df2
0x01053df5
0x01053df8
0x01053dfb
0x01053dfd
0x00000000
0x00000000
0x01053e03
0x01053e07
0x01053e42
0x01053e49
0x01053e4a
0x01053e4d
0x00000000
0x01053e4d
0x01053e09
0x01053d86
0x01053d89
0x01053d8c
0x01053d8e
0x01053e31
0x01053e31
0x01053d94
0x00000000
0x01053d94
0x01053c91
0x01053c91
0x01053c94
0x01053d23
0x01053d23
0x01053d27
0x01053e16
0x01053e16
0x01053d2d
0x01053d31
0x010b01fe
0x010b01fe
0x01053d84
0x01053d84
0x00000000
0x01053d84
0x01053d3d
0x01053d44
0x01053d45
0x01053d48
0x01053d4f
0x010b01de
0x010b01de
0x010b01e2
0x00000000
0x00000000
0x010b01ea
0x010b01ea
0x010b01eb
0x010b01f9
0x00000000
0x010b01f9
0x01053d55
0x01053d5c
0x00000000
0x00000000
0x01053d62
0x01053d66
0x01053e55
0x01053e5e
0x01053e60
0x00000000
0x00000000
0x01053d75
0x01053d75
0x01053d79
0x01053d7b
0x01053d7e
0x010b01c7
0x010b01ca
0x010b01cd
0x010b01d0
0x010b01d3
0x010b01d6
0x010b01d6
0x01053d7e
0x00000000
0x01053d79
0x01053d6c
0x01053d72
0x00000000
0x01053d72
0x01053c9d
0x01053ca0
0x01053cab
0x01053cae
0x01053cb1
0x01053cb5
0x01053cb7
0x01053cd2
0x01053cdb
0x01053cdb
0x01053cde
0x01053ce1
0x01053ce3
0x010b00fa
0x010b00fd
0x00000000
0x00000000
0x010b0103
0x010b0107
0x010b0113
0x010b0125
0x010b012b
0x010b012e
0x010b0131
0x00000000
0x010b0131
0x010b0109
0x010b010d
0x00000000
0x00000000
0x00000000
0x01053ce9
0x01053ce9
0x01053ce9
0x01053cee
0x010b0139
0x010b0149
0x010b014f
0x010b014f
0x01053cf4
0x01053cf9
0x01053cfb
0x010b0160
0x01053d01
0x01053d01
0x01053d01
0x01053d06
0x01053d09
0x010b0184
0x010b0184
0x01053d0f
0x01053d16
0x01053d1e
0x00000000
0x01053d1e
0x01053ce3
0x010b00ca
0x01053ddd
0x01053de0
0x00000000
0x00000000
0x00000000
0x01053de2
0x01053c08
0x01053c0b
0x01053dc9
0x01053dcb
0x00000000
0x00000000
0x00000000
0x01053dcb
0x00000000
0x01053c0b

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe9ce6f1a8718f900ea5e4966bf4145f1e06dcf74d2ffa5ccdd3ecfdee7bbb6
Instruction ID: 14b8638c350bb291ee83c0c1f850392791d2dad9d2596f9584788e9f8ff6d6ee
Opcode Fuzzy Hash: ebe9ce6f1a8718f900ea5e4966bf4145f1e06dcf74d2ffa5ccdd3ecfdee7bbb6
Instruction Fuzzy Hash: E2E10171D00608DFCBA5DFA9D984AAEFBF1FF48340F10456AE986AB661D730A841CF10

Uniqueness

Uniqueness Score: -1.00%

Function 010588E0 Relevance: .3, Instructions: 346
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E010588E0(signed int* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, signed short* _a4, signed short* _a8, char _a12) {
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				signed int* _v48;
				char _v53;
				signed int _v56;
				signed int _v60;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v81;
				void* _v85;
				void* _t108;
				intOrPtr* _t110;
				intOrPtr _t124;
				signed int _t128;
				unsigned int _t130;
				signed int _t131;
				signed int _t133;
				signed int* _t141;
				intOrPtr _t143;
				signed int _t152;
				intOrPtr _t153;
				signed int* _t157;
				intOrPtr _t159;
				intOrPtr _t169;
				intOrPtr _t174;
				signed int _t179;
				void* _t180;
				signed int _t182;
				signed int _t185;
				signed int* _t186;
				signed int* _t190;
				intOrPtr _t194;
				unsigned int _t195;
				void* _t200;
				signed short _t201;
				intOrPtr _t203;
				signed int _t206;
				signed int _t207;
				signed int* _t211;
				signed short* _t217;
				signed int _t218;
				intOrPtr* _t219;
				char _t222;
				unsigned int _t226;
				signed int _t231;
				signed short* _t232;
				signed int _t236;
				void* _t238;

				_t215 = __edi;
				_t197 = __ecx;
				_t192 = __ebx;
				_t238 = (_t236 & 0xfffffff8) - 0x34;
				_v8 = _v8 | 0xffffffff;
				_push(__ebx);
				_push(__edi);
				_v12 = 0xfff0bdc0;
				E01072280(_t108, 0x11486b4);
				_t110 =  *0x11453d8; // 0xb20898
				while(_t110 != 0x11453d8) {
					_t4 = _t110 - 0xe8; // 0xb207b0
					_t215 = _t4;
					_v16 =  *_t110;
					_t6 = _t215 + 0xe0; // 0xb20890
					_v28 = _t6;
					L0107FAD0(_t6);
					if( *((char*)(_t215 + 0xe5)) != 0) {
						_push(_v28);
						goto L6;
					} else {
						_t9 = _t215 + 0x2c; // 0xb207dc
						_v20 = _t9;
						E01072280(_t9, _t9);
						_v44 = _v44 & 0x00000000;
						_push(4);
						_push( &_v44);
						_push(0xc);
						_push( *((intOrPtr*)(_t215 + 0x24)));
						_v53 = 1;
						if(E0109AE70() < 0) {
							L5:
							E0106FFB0(_t192, _t215, _v20);
							_push(_v32);
							L6:
							E0107FA00(_t192, _t197, _t215);
							goto L7;
						} else {
							_t222 = _v40;
							if(_t222 != 0) {
								_t192 = 0;
								_t226 = (_t222 + _t222 ^  *(_t215 + 0x10c)) & 0x00000ffe ^  *(_t215 + 0x10c);
								 *(_t215 + 0x10c) = _t226;
								_t197 = _t226 >> 0x0000000b & 0x00000ffe;
								__eflags = (_t226 >> 0x0000000b & 0x00000ffe) - (_t226 & 0x00000ffe);
								if((_t226 >> 0x0000000b & 0x00000ffe) < (_t226 & 0x00000ffe)) {
									while(1) {
										__eflags = _t192 - 0x102;
										if(_t192 == 0x102) {
											goto L11;
										}
										_t190 = E0108C020(_t192, _t215 + 0x110, _t215 + 0x2c,  &_v12, 0);
										_t226 =  *(_t215 + 0x10c);
										_t192 = _t190;
										_t197 = _t226 & 0x00000ffe;
										__eflags = (_t226 >> 0x0000000b & 0x00000ffe) - (_t226 & 0x00000ffe);
										if((_t226 >> 0x0000000b & 0x00000ffe) < (_t226 & 0x00000ffe)) {
											continue;
										}
										goto L11;
									}
								}
								L11:
								__eflags = _t226 & 0x007ff000;
								if((_t226 & 0x007ff000) == 0) {
									 *(_t215 + 0x10c) = _t226 & 0xfffff001;
									goto L5;
								} else {
									_t124 =  *0x11484c4; // 0x0
									_t128 = E01074620(_t197,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t124 + 0x000c0000 | 0x00000008, (_t226 >> 0x0000000c & 0x000007ff) << 2);
									_v56 = _t128;
									_t192 = _t215 + 0x114;
									__eflags = _t128;
									if(_t128 == 0) {
										while(1) {
											_t231 =  *_t192;
											__eflags = _t231 - _t192;
											if(_t231 == _t192) {
												break;
											}
											_t197 =  *_t231;
											__eflags =  *(_t197 + 4) - _t231;
											if( *(_t197 + 4) != _t231) {
												goto L32;
											} else {
												_t141 =  *(_t231 + 4);
												__eflags =  *_t141 - _t231;
												if( *_t141 != _t231) {
													goto L32;
												} else {
													 *_t141 = _t197;
													 *(_t197 + 4) = _t141;
													_push( *((intOrPtr*)(_t231 + 8)));
													E010995D0();
													_t143 =  *0x11484c4; // 0x0
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t143 + 0xc0000, _t231);
													continue;
												}
											}
											goto L59;
										}
										 *(_t215 + 0x10c) =  *(_t215 + 0x10c) & 0xff800001;
										goto L5;
									} else {
										_t203 =  *0x11484c4; // 0x0
										_t197 = _t203 + 0x000c0000 | 0x00000008;
										_t152 = E01074620(_t203 + 0x000c0000 | 0x00000008,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t203 + 0x000c0000 | 0x00000008, ( *(_t215 + 0x10c) >> 0x0000000c & 0x000007ff) << 2);
										_v60 = _t152;
										__eflags = _t152;
										if(_t152 == 0) {
											while(1) {
												_t231 =  *_t192;
												__eflags = _t231 - _t192;
												if(_t231 == _t192) {
													break;
												}
												_t197 =  *_t231;
												__eflags =  *(_t197 + 4) - _t231;
												if( *(_t197 + 4) != _t231) {
													goto L32;
												} else {
													_t157 =  *(_t231 + 4);
													__eflags =  *_t157 - _t231;
													if( *_t157 != _t231) {
														goto L32;
													} else {
														 *_t157 = _t197;
														 *(_t197 + 4) = _t157;
														_push( *((intOrPtr*)(_t231 + 8)));
														E010995D0();
														_t159 =  *0x11484c4; // 0x0
														L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t159 + 0xc0000, _t231);
														continue;
													}
												}
												goto L59;
											}
											 *(_t215 + 0x10c) =  *(_t215 + 0x10c) & 0xff800001;
											goto L29;
										} else {
											_t231 = 0;
											_t206 = _v44 - _t152;
											__eflags = _t206;
											_t211 = _t152;
											_v32 = _t206;
											while(1) {
												_t197 =  *_t192;
												__eflags = _t197 - _t192;
												if(_t197 == _t192) {
													break;
												}
												 *((intOrPtr*)(_t211 + _v32)) =  *((intOrPtr*)(_t197 + 8));
												_t192 = _t215 + 0x114;
												 *_t211 = _t197;
												_t185 =  *_t197;
												_v36 = _t185;
												__eflags =  *((intOrPtr*)(_t185 + 4)) - _t197;
												if( *((intOrPtr*)(_t185 + 4)) != _t197) {
													L32:
													_t200 = 3;
													asm("int 0x29");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(0x14);
													_push(0x112f6c8);
													E010AD08C(_t192, _t215, _t231);
													_t217 = _a8;
													__eflags =  *0x1146d58;
													if(__eflags != 0) {
														_t130 = E010F3490(_t200, __eflags, _t217);
													} else {
														_t130 = ( *_t217 & 0x0000ffff) + 2 >> 1;
														__eflags = _t130;
													}
													__eflags = _t130 - 0xffff;
													if(_t130 > 0xffff) {
														_t131 = 0xc00000f0;
													} else {
														_t71 = _t130 - 1; // -3
														_t201 = _t71;
														_t232 = _a4;
														 *_t232 = _t201;
														__eflags = _a12;
														if(_a12 != 0) {
															_t232[1] = _t130;
															_t133 = E01073A1C(_t130);
															_t232[2] = _t133;
															__eflags = _t133;
															if(_t133 != 0) {
																goto L37;
															} else {
																_t131 = 0xc0000017;
															}
														} else {
															__eflags = _t201 - _t232[1];
															if(_t201 >= _t232[1]) {
																_t131 = 0x80000005;
															} else {
																L37:
																_v32 = _v32 & 0x00000000;
																_v8 = _v8 & 0x00000000;
																_v40 = 1;
																_t218 = E01058CB0(_t192, _t201, _t217, _t232[2],  *_t232 & 0x0000ffff,  &_v36, _t217[2],  *_t217 & 0x0000ffff);
																_v32 = _t218;
																__eflags = _t218;
																if(_t218 >= 0) {
																	_t137 = _v36;
																	 *((char*)(_v36 + _t232[2])) = 0;
																	_t218 = 0;
																	__eflags = 0;
																	_v32 = 0;
																}
																_v8 = 0xfffffffe;
																_v40 = 0;
																E01058C83(_t137, _t218, _t232);
																_t131 = _t218;
															}
														}
													}
													return E010AD0D1(_t131);
												} else {
													_t186 =  *(_t197 + 4);
													__eflags =  *_t186 - _t197;
													if( *_t186 != _t197) {
														goto L32;
													} else {
														_t207 = _v36;
														_t231 = _t231 + 1;
														 *_t186 = _t207;
														_t211 =  &(_t211[1]);
														 *(_t207 + 4) = _t186;
														continue;
													}
												}
												goto L59;
											}
											 *(_t215 + 0x10c) =  *(_t215 + 0x10c) & 0xff800001;
											E0106FFB0(_t192, _t215, _t215 + 0x2c);
											E0107FA00(_t192, _t197, _t215, _t215 + 0xe0);
											_v44 = _v44 & 0x00000000;
											_t194 =  *((intOrPtr*)(_t238 + 0x18));
											_t215 = 0;
											__eflags = 0;
											 *((char*)(_t238 + 0x13)) = 0;
											_v32 = _t231 >> 6;
											while(1) {
												__eflags = _t215 - _t231;
												if(_t215 >= _t231) {
													break;
												}
												_t55 = _t215 + 0x40; // 0x40
												__eflags = _t55 - _t231;
												if(_t55 <= _t231) {
													_t179 = 0x40;
												} else {
													_t179 = _t231 & 0x0000003f;
													__eflags = _t179;
												}
												_t197 =  &_v12;
												_push( &_v12);
												_push(0);
												_push(0);
												_push(_t194);
												_push(_t179);
												_t180 = E01099AB0();
												__eflags = _t180 - 0x102;
												if(_t180 != 0x102) {
													_t215 = _t215 + 0x40;
													_t182 = _v36 + 1;
													_t194 = _t194 + 0x100;
													_v36 = _t182;
													__eflags = _t182 -  *((intOrPtr*)(_t238 + 0x2c));
													if(_t182 <=  *((intOrPtr*)(_t238 + 0x2c))) {
														continue;
													}
												}
												break;
											}
											__eflags = _t231;
											if(_t231 != 0) {
												_t219 = _v48;
												_t195 = _v32;
												do {
													_push( *((intOrPtr*)(_t219 + _t195)));
													E010995D0();
													_t174 =  *0x11484c4; // 0x0
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t174 + 0xc0000,  *_t219);
													_t219 = _t219 + 4;
													_t231 = _t231 - 1;
													__eflags = _t231;
												} while (_t231 != 0);
											}
											_t169 =  *0x11484c4; // 0x0
											_t192 = _v48;
											__eflags = _t169 + 0xc0000;
											L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t169 + 0xc0000, _v48);
											L29:
											_t153 =  *0x11484c4; // 0x0
											L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t153 + 0xc0000, _v44);
											__eflags =  *((char*)(_t238 + 0x13));
											if( *((char*)(_t238 + 0x13)) != 0) {
												goto L5;
											}
											L7:
											_t110 = _v16;
											continue;
										}
									}
								}
							} else {
								goto L5;
							}
						}
					}
					L59:
				}
				return E0106FFB0(_t192, _t215, 0x11486b4);
				goto L59;
			}

0x010588e0
0x010588e0
0x010588e0
0x010588e8
0x010588eb
0x010588f0
0x010588f2
0x010588f8
0x01058900
0x01058905
0x0105890a
0x01058915
0x01058915
0x0105891d
0x01058921
0x01058928
0x0105892c
0x01058938
0x010b32c5
0x00000000
0x0105893e
0x0105893e
0x01058942
0x01058946
0x0105894b
0x01058954
0x01058956
0x01058957
0x01058959
0x0105895c
0x01058968
0x01058972
0x01058976
0x0105897b
0x0105897f
0x0105897f
0x00000000
0x0105896a
0x0105896a
0x01058970
0x01058997
0x0105899b
0x010589a3
0x010589ae
0x010589b2
0x010589b4
0x010589b6
0x010589b6
0x010589bc
0x00000000
0x00000000
0x010589d0
0x010589d5
0x010589db
0x010589eb
0x010589ed
0x010589ef
0x00000000
0x00000000
0x00000000
0x010589ef
0x010589b6
0x010589f1
0x010589f1
0x010589f7
0x010b32d1
0x00000000
0x010589fd
0x010589fd
0x01058a21
0x01058a26
0x01058a2a
0x01058a30
0x01058a32
0x010b32dc
0x010b32dc
0x010b32de
0x010b32e0
0x00000000
0x00000000
0x010b32e2
0x010b32e4
0x010b32e7
0x00000000
0x010b32ed
0x010b32ed
0x010b32f0
0x010b32f2
0x00000000
0x010b32f8
0x010b32f8
0x010b32fa
0x010b32fd
0x010b3300
0x010b3305
0x010b331a
0x00000000
0x010b331a
0x010b32f2
0x00000000
0x010b32e7
0x010b3321
0x00000000
0x01058a38
0x01058a3e
0x01058a52
0x01058a63
0x01058a68
0x01058a6c
0x01058a6e
0x010b3330
0x010b3330
0x010b3332
0x010b3334
0x00000000
0x00000000
0x010b3336
0x010b3338
0x010b333b
0x00000000
0x010b3341
0x010b3341
0x010b3344
0x010b3346
0x00000000
0x010b334c
0x010b334c
0x010b334e
0x010b3351
0x010b3354
0x010b3359
0x010b336e
0x00000000
0x010b336e
0x010b3346
0x00000000
0x010b333b
0x010b3375
0x00000000
0x01058a74
0x01058a78
0x01058a7a
0x01058a7a
0x01058a7c
0x01058a7e
0x01058a82
0x01058a82
0x01058a84
0x01058a86
0x00000000
0x00000000
0x01058a8f
0x01058a92
0x01058a98
0x01058a9a
0x01058a9c
0x01058aa0
0x01058aa3
0x01058bd1
0x01058bd3
0x01058bd4
0x01058bd6
0x01058bd7
0x01058bd8
0x01058bd9
0x01058bda
0x01058bdb
0x01058bdc
0x01058bdd
0x01058bde
0x01058bdf
0x01058be0
0x01058be2
0x01058be7
0x01058bec
0x01058bef
0x01058bf6
0x010b338d
0x01058bfc
0x01058c02
0x01058c02
0x01058c02
0x01058c04
0x01058c09
0x010b3397
0x01058c0f
0x01058c0f
0x01058c0f
0x01058c12
0x01058c15
0x01058c18
0x01058c1c
0x010b33a1
0x010b33a6
0x010b33ab
0x010b33ae
0x010b33b0
0x00000000
0x010b33b6
0x010b33b6
0x010b33b6
0x01058c22
0x01058c22
0x01058c26
0x01058c96
0x01058c28
0x01058c28
0x01058c28
0x01058c2c
0x01058c30
0x01058c4e
0x01058c50
0x01058c53
0x01058c55
0x01058c5a
0x01058c5d
0x01058c61
0x01058c61
0x01058c63
0x01058c63
0x01058c66
0x01058c6d
0x01058c74
0x01058c79
0x01058c79
0x01058c26
0x01058c1c
0x01058c80
0x01058aa9
0x01058aa9
0x01058aac
0x01058aae
0x00000000
0x01058ab4
0x01058ab4
0x01058ab8
0x01058ab9
0x01058abb
0x01058abe
0x00000000
0x01058abe
0x01058aae
0x00000000
0x01058aa3
0x01058ac3
0x01058ad1
0x01058add
0x01058ae2
0x01058ae9
0x01058af0
0x01058af0
0x01058af2
0x01058af7
0x01058afb
0x01058afb
0x01058afd
0x00000000
0x00000000
0x01058aff
0x01058b02
0x01058b04
0x010b3386
0x01058b0a
0x01058b0c
0x01058b0c
0x01058b0c
0x01058b0f
0x01058b13
0x01058b14
0x01058b16
0x01058b18
0x01058b19
0x01058b1a
0x01058b1f
0x01058b24
0x01058b2a
0x01058b2d
0x01058b2e
0x01058b34
0x01058b38
0x01058b3c
0x00000000
0x00000000
0x01058b3c
0x00000000
0x01058b24
0x01058b3e
0x01058b40
0x01058b42
0x01058b46
0x01058b4a
0x01058b4a
0x01058b4d
0x01058b54
0x01058b68
0x01058b6d
0x01058b70
0x01058b70
0x01058b70
0x01058b4a
0x01058b75
0x01058b7a
0x01058b7e
0x01058b8e
0x01058b93
0x01058b97
0x01058bab
0x01058bb0
0x01058bb5
0x00000000
0x01058bbb
0x01058984
0x01058984
0x00000000
0x01058984
0x01058a6e
0x01058a32
0x00000000
0x00000000
0x00000000
0x01058970
0x01058968
0x00000000
0x01058938
0x01058bd0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0a7926d2193cb5000b59e370a174e527a9b9a566af93e77474d46ce95bc5d8
Instruction ID: 073d71fed94ca8e595fc400ff4b92f297152cbb8587e1568a047f0efeb703e83
Opcode Fuzzy Hash: 3f0a7926d2193cb5000b59e370a174e527a9b9a566af93e77474d46ce95bc5d8
Instruction Fuzzy Hash: 1ED1F172A00602EFD755DF28C880BABBBE8FF48700F14856EE9D99B251C774E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0107B236 Relevance: .3, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E0107B236(signed int __ecx, intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t94;
				signed int _t96;
				intOrPtr _t97;
				unsigned int _t101;
				char _t103;
				signed int _t114;
				signed int _t115;
				signed char* _t118;
				intOrPtr _t119;
				signed int _t120;
				signed char* _t123;
				signed int _t129;
				char* _t132;
				unsigned int _t147;
				signed int _t157;
				unsigned int _t158;
				signed int _t159;
				signed int _t165;
				signed int _t168;
				signed char _t175;
				signed char _t185;
				unsigned int _t197;
				unsigned int _t206;
				unsigned int* _t214;
				signed int _t218;

				_t156 = __edx;
				_v24 = __edx;
				_t218 = __ecx;
				_t3 = _t156 + 0xfff; // 0xfff
				_t210 = 0;
				_v16 = _t3 & 0xfffff000;
				if(E0107B477(__ecx,  &_v16) == 0) {
					__eflags =  *(__ecx + 0x40) & 0x00000002;
					if(( *(__ecx + 0x40) & 0x00000002) == 0) {
						L32:
						__eflags =  *(_t218 + 0x40) & 0x00000080;
						if(( *(_t218 + 0x40) & 0x00000080) != 0) {
							_t210 = E010FCB4F(_t218);
							__eflags = _t210;
							if(_t210 == 0) {
								goto L33;
							}
							__eflags = ( *_t210 & 0x0000ffff) - _t156;
							if(( *_t210 & 0x0000ffff) < _t156) {
								goto L33;
							}
							_t157 = _t210;
							goto L3;
						}
						L33:
						_t157 = 0;
						__eflags = _t210;
						if(_t210 != 0) {
							__eflags =  *(_t218 + 0x4c);
							if( *(_t218 + 0x4c) != 0) {
								 *(_t210 + 3) =  *(_t210 + 2) ^  *(_t210 + 1) ^  *_t210;
								 *_t210 =  *_t210 ^  *(_t218 + 0x50);
							}
						}
						goto L3;
					}
					_v12 = _v12 & 0;
					_t158 = __edx + 0x2000;
					_t94 =  *((intOrPtr*)(__ecx + 0x64));
					__eflags = _t158 - _t94;
					if(_t158 > _t94) {
						_t94 = _t158;
					}
					__eflags =  *((char*)(_t218 + 0xda)) - 2;
					if( *((char*)(_t218 + 0xda)) != 2) {
						_t165 = 0;
					} else {
						_t165 =  *(_t218 + 0xd4);
					}
					__eflags = _t165;
					if(_t165 == 0) {
						__eflags = _t94 - 0x3f4000;
						if(_t94 >= 0x3f4000) {
							 *(_t218 + 0x48) =  *(_t218 + 0x48) | 0x20000000;
						}
					}
					_t96 = _t94 + 0x0000ffff & 0xffff0000;
					_v8 = _t96;
					__eflags = _t96 - 0xfd0000;
					if(_t96 >= 0xfd0000) {
						_v8 = 0xfd0000;
					}
					_t97 = E01080678(_t218, 1);
					_push(_t97);
					_push(0x2000);
					_v28 = _t97;
					_push( &_v8);
					_push(0);
					_push( &_v12);
					_push(0xffffffff);
					_t168 = E01099660();
					__eflags = _t168;
					if(_t168 < 0) {
						while(1) {
							_t101 = _v8;
							__eflags = _t101 - _t158;
							if(_t101 == _t158) {
								break;
							}
							_t147 = _t101 >> 1;
							_v8 = _t147;
							__eflags = _t147 - _t158;
							if(_t147 < _t158) {
								_v8 = _t158;
							}
							_push(_v28);
							_push(0x2000);
							_push( &_v8);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t168 = E01099660();
							__eflags = _t168;
							if(_t168 < 0) {
								continue;
							} else {
								_t101 = _v8;
								break;
							}
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t218 + 0x214)) =  *((intOrPtr*)(_t218 + 0x214)) + 1;
						goto L60;
					} else {
						_t101 = _v8;
						L12:
						 *((intOrPtr*)(_t218 + 0x64)) =  *((intOrPtr*)(_t218 + 0x64)) + _t101;
						_t103 = _v24 + 0x1000;
						__eflags = _t103 -  *((intOrPtr*)(_t218 + 0x68));
						if(_t103 <=  *((intOrPtr*)(_t218 + 0x68))) {
							_t103 =  *((intOrPtr*)(_t218 + 0x68));
						}
						_push(_v28);
						_v20 = _t103;
						_push(0x1000);
						_push( &_v20);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						_t159 = E01099660();
						__eflags = _t159;
						if(_t159 < 0) {
							L59:
							E0108174B( &_v12,  &_v8, 0x8000);
							L60:
							_t156 = _v24;
							goto L32;
						} else {
							_t114 = E0108138B(_t218, _v12, 0x40, _t168, 2, _v12, _v20 + _v12, _v8 + 0xfffff000 + _t192);
							__eflags = _t114;
							if(_t114 == 0) {
								_t159 = 0xc0000017;
							}
							__eflags = _t159;
							if(_t159 < 0) {
								goto L59;
							} else {
								_t115 = E01077D50();
								_t212 = 0x7ffe0380;
								__eflags = _t115;
								if(_t115 != 0) {
									_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t118 = 0x7ffe0380;
								}
								__eflags =  *_t118;
								if( *_t118 != 0) {
									_t119 =  *[fs:0x30];
									__eflags =  *(_t119 + 0x240) & 0x00000001;
									if(( *(_t119 + 0x240) & 0x00000001) != 0) {
										E0111138A(0x226, _t218, _v12, _v20, 4);
										__eflags = E01077D50();
										if(__eflags != 0) {
											_t212 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E01111582(0x226, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t212 & 0x000000ff);
									}
								}
								_t120 = E01077D50();
								_t213 = 0x7ffe038a;
								__eflags = _t120;
								if(_t120 != 0) {
									_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t123 = 0x7ffe038a;
								}
								__eflags =  *_t123;
								if( *_t123 != 0) {
									__eflags = E01077D50();
									if(__eflags != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									}
									E01111582(0x230, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t213 & 0x000000ff);
								}
								_t129 = E01077D50();
								__eflags = _t129;
								if(_t129 != 0) {
									_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								} else {
									_t132 = 0x7ffe0388;
								}
								__eflags =  *_t132;
								if( *_t132 != 0) {
									E0110FEC0(0x230, _t218, _v12, _v8);
								}
								__eflags =  *(_t218 + 0x4c);
								_t214 =  *(_v12 + 0x24);
								if( *(_t218 + 0x4c) != 0) {
									_t197 =  *(_t218 + 0x50) ^  *_t214;
									 *_t214 = _t197;
									_t175 = _t197 >> 0x00000010 ^ _t197 >> 0x00000008 ^ _t197;
									__eflags = _t197 >> 0x18 - _t175;
									if(__eflags != 0) {
										_push(_t175);
										E0110FA2B(0x230, _t218, _t214, _t214, _t218, __eflags);
									}
								}
								_t157 =  *(_v12 + 0x24);
								goto L3;
							}
						}
					}
				} else {
					_v16 = _v16 >> 3;
					_t157 = E010799BF(__ecx, _t87,  &_v16, 0);
					E0107A830(__ecx, _t157, _v16);
					if( *(_t218 + 0x4c) != 0) {
						_t206 =  *(_t218 + 0x50) ^  *_t157;
						 *_t157 = _t206;
						_t185 = _t206 >> 0x00000010 ^ _t206 >> 0x00000008 ^ _t206;
						if(_t206 >> 0x18 != _t185) {
							_push(_t185);
							E0110FA2B(_t157, _t218, _t157, 0, _t218, __eflags);
						}
					}
					L3:
					return _t157;
				}
			}

0x0107b23f
0x0107b246
0x0107b249
0x0107b24b
0x0107b251
0x0107b258
0x0107b262
0x0107b2b2
0x0107b2b6
0x0107b456
0x0107b456
0x0107b45a
0x010c2912
0x010c2914
0x010c2916
0x00000000
0x00000000
0x010c291f
0x010c2921
0x00000000
0x00000000
0x010c2927
0x00000000
0x010c2927
0x0107b460
0x0107b460
0x0107b462
0x0107b464
0x010c292e
0x010c2931
0x010c293f
0x010c2945
0x010c2945
0x010c2931
0x00000000
0x0107b464
0x0107b2bc
0x0107b2bf
0x0107b2c5
0x0107b2c8
0x0107b2ca
0x010c27af
0x010c27af
0x0107b2d0
0x0107b2d7
0x0107b437
0x0107b2dd
0x0107b2dd
0x0107b2dd
0x0107b2e3
0x0107b2e5
0x0107b43e
0x0107b443
0x010c27b6
0x010c27b6
0x0107b443
0x0107b2f5
0x0107b2fa
0x0107b2fd
0x0107b2ff
0x0107b46f
0x0107b46f
0x0107b30a
0x0107b30f
0x0107b310
0x0107b315
0x0107b31b
0x0107b31c
0x0107b321
0x0107b322
0x0107b329
0x0107b32b
0x0107b32d
0x010c27c2
0x010c27c2
0x010c27c5
0x010c27c7
0x00000000
0x00000000
0x010c27c9
0x010c27cb
0x010c27ce
0x010c27d0
0x010c27d2
0x010c27d2
0x010c27d5
0x010c27db
0x010c27e0
0x010c27e1
0x010c27e6
0x010c27e7
0x010c27ee
0x010c27f0
0x010c27f2
0x00000000
0x010c27f4
0x010c27f4
0x00000000
0x010c27f4
0x010c27f2
0x010c27f7
0x010c27f9
0x00000000
0x00000000
0x010c27ff
0x00000000
0x0107b333
0x0107b333
0x0107b336
0x0107b336
0x0107b33c
0x0107b341
0x0107b344
0x0107b44e
0x0107b44e
0x0107b34a
0x0107b34d
0x0107b353
0x0107b358
0x0107b359
0x0107b35e
0x0107b35f
0x0107b366
0x0107b368
0x0107b36a
0x010c28f2
0x010c28fe
0x010c2903
0x010c2903
0x00000000
0x0107b370
0x0107b38c
0x0107b391
0x0107b393
0x010c280a
0x010c280a
0x0107b399
0x0107b39b
0x00000000
0x0107b3a1
0x0107b3a1
0x0107b3a6
0x0107b3b0
0x0107b3b2
0x010c281d
0x0107b3b8
0x0107b3b8
0x0107b3b8
0x0107b3ba
0x0107b3bd
0x010c2824
0x010c282a
0x010c2831
0x010c2841
0x010c284b
0x010c284d
0x010c2858
0x010c2858
0x010c2858
0x010c2870
0x010c2870
0x010c2831
0x0107b3c3
0x0107b3c8
0x0107b3d2
0x0107b3d4
0x010c2883
0x0107b3da
0x0107b3da
0x0107b3da
0x0107b3dc
0x0107b3df
0x010c288f
0x010c2891
0x010c289c
0x010c289c
0x010c289c
0x010c28b4
0x010c28b4
0x0107b3e5
0x0107b3ea
0x0107b3ec
0x010c28c7
0x0107b3f2
0x0107b3f2
0x0107b3f2
0x0107b3f7
0x0107b3fa
0x010c28d9
0x010c28d9
0x0107b400
0x0107b407
0x0107b40a
0x0107b40f
0x0107b413
0x0107b41f
0x0107b424
0x0107b426
0x010c28e3
0x010c28e8
0x010c28e8
0x0107b426
0x0107b42f
0x00000000
0x0107b42f
0x0107b39b
0x0107b36a
0x0107b264
0x0107b264
0x0107b279
0x0107b27f
0x0107b287
0x0107b28c
0x0107b290
0x0107b29c
0x0107b2a3
0x010c27a0
0x010c27a5
0x010c27a5
0x0107b2a3
0x0107b2a9
0x0107b2b1
0x0107b2b1

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 6ec12d8ebe4b0656d5ba34132c99e053698db9dd1cc40f86949aac254f58f22d
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: ECB1D331F016069FDB25DBA9C890BBEBBF5EF48604F1441A9E682D7781DB30D941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0108513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0108513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x114d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0109D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E01072280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = E01074620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0109F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0106FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x114b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0109B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x01085142
0x0108514c
0x01085150
0x01085157
0x01085159
0x0108515e
0x01085165
0x01085169
0x0108516c
0x01085172
0x01085176
0x0108517a
0x0108517a
0x0108517a
0x0108517f
0x010c6d8b
0x010c6d8e
0x010c6d91
0x010c6d95
0x010c6d98
0x010c6d9c
0x010c6da0
0x010c6da3
0x010c6da7
0x010c6e26
0x010c6e26
0x010c6e2a
0x010851f9
0x010851f9
0x010851fe
0x010c6e33
0x010c6e33
0x010c6e39
0x010c6e3d
0x010c6e46
0x010c6e50
0x00000000
0x00000000
0x010c6e52
0x010c6e53
0x010c6e56
0x010c6e5d
0x00000000
0x00000000
0x00000000
0x010c6e5f
0x010c6e67
0x010c6e77
0x010c6e7f
0x010c6e80
0x010c6e88
0x010c6e90
0x010c6e9f
0x010c6ea5
0x010c6ea9
0x010c6eb1
0x010c6ebf
0x00000000
0x00000000
0x010c6ecf
0x010c6ed3
0x00000000
0x00000000
0x010c6edb
0x010c6ede
0x010c6ee1
0x010c6ee8
0x010c6eeb
0x010c6eed
0x010c6ef0
0x010c6ef4
0x010c6ef8
0x010c6efc
0x00000000
0x00000000
0x010c6f0d
0x010c6f11
0x010c6f32
0x010c6f37
0x010c6f3b
0x010c6f3e
0x010c6f41
0x010c6f46
0x00000000
0x00000000
0x010c6f4c
0x010c6f50
0x010c6f50
0x010c6f54
0x010c6f62
0x010c6f65
0x010c6f6d
0x010c6f7b
0x010c6f7b
0x010c6f93
0x010c6f98
0x010c6fa0
0x010c6fa6
0x010c6fb3
0x010c6fb6
0x010c6fbf
0x010c6fc1
0x010c6fd5
0x010c6fda
0x010c6fda
0x010c6fdd
0x010c6fe2
0x010c6fe7
0x010c6feb
0x010c6fef
0x010c6ff3
0x0108520c
0x0108520c
0x0108520f
0x01085215
0x01085234
0x0108523a
0x0108523a
0x01085244
0x01085245
0x01085246
0x01085251
0x01085251
0x010c6f13
0x010c6f17
0x010c6f17
0x010c6f18
0x010c6f1b
0x010c6f1f
0x010c6f23
0x00000000
0x010c6f28
0x01085204
0x01085204
0x01085208
0x00000000
0x01085208
0x01085185
0x01085188
0x0108518a
0x0108518e
0x01085195
0x010c6db1
0x010c6db5
0x010c6db9
0x0108519b
0x0108519b
0x0108519e
0x010851a7
0x010851a9
0x010851a9
0x010851b5
0x010851b8
0x010851bb
0x010851be
0x010851c1
0x010851c5
0x010851c9
0x010851cd
0x010851cd
0x010851d8
0x010851dc
0x010851e0
0x010c6dcc
0x010c6dd0
0x010c6dd5
0x010c6ddd
0x010c6de1
0x010c6de1
0x010c6de5
0x010c6deb
0x010c6df1
0x010c6df7
0x010c6dfd
0x010c6e01
0x010c6e05
0x010c6e09
0x010c6e0d
0x010c6e11
0x010c6e11
0x010851eb
0x010c6e1a
0x010c6e1f
0x010c6e21
0x010c6e23
0x00000000
0x010851f1
0x010851f1
0x00000000
0x010851f1

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb680029d5f0376a42e937e5ba8e39ed3cecaa025ee76ee1b242088960025d
Instruction ID: 77c703b3a8fa28cc843a740ae7dcf88cc6a18b71bf3c04ee9375550bb1d4b2df
Opcode Fuzzy Hash: 39bb680029d5f0376a42e937e5ba8e39ed3cecaa025ee76ee1b242088960025d
Instruction Fuzzy Hash: 3EC110755083818FD364CF28C580A5ABBE1BF89704F1449AEF9D98B392D771E885CF42

Uniqueness

Uniqueness Score: -1.00%

Function 010803E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E010803E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x114d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E01080548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0109B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0106B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1147c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E01077D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E01077D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E010D7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01099830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E010D69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1147c04 != 0) {
						_t118 = _v12;
						_t120 = E010DA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1147bd8;
						if( *0x1147bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E010995D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E010999A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E010D3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0105B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0109AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1148474 - 3;
										if( *0x1148474 != 3) {
											 *0x11479dc =  *0x11479dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E01077D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E01077D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E010D7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1148708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1147b00; // 0x0
							asm("ror esi, cl");
							 *0x114b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E010995D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E01067F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x010803f1
0x010803f7
0x010803f9
0x010803fb
0x010803fd
0x01080400
0x0108040a
0x010c4c7a
0x01080537
0x01080547
0x01080410
0x01080410
0x01080414
0x01080417
0x0108041a
0x01080421
0x01080424
0x0108042b
0x0108043b
0x0108043e
0x0108043f
0x0108043f
0x01080446
0x01080449
0x0108044c
0x0108044f
0x01080459
0x010c4c8d
0x0108045f
0x0108045f
0x0108045f
0x01080467
0x010c4c97
0x010c4c9d
0x010c4ca4
0x010c4caa
0x010c4caf
0x010c4cb1
0x010c4cc3
0x010c4cb3
0x010c4cbc
0x010c4cbc
0x010c4cc8
0x010c4ccb
0x010c4cd7
0x010c4cda
0x010c4cdf
0x010c4cdf
0x010c4ccb
0x010c4ca4
0x0108046d
0x0108046f
0x0108046f
0x01080471
0x01080476
0x0108047a
0x0108047b
0x01080483
0x01080489
0x0108048d
0x00000000
0x00000000
0x010c4ce9
0x010c4cef
0x010c4d22
0x010c4d22
0x00000000
0x010c4d22
0x010c4cf1
0x010c4cf7
0x00000000
0x00000000
0x010c4cf9
0x010c4cff
0x00000000
0x00000000
0x010c4d05
0x010c4d07
0x00000000
0x00000000
0x010c4d0d
0x010c4d0f
0x010c4d14
0x010c4d16
0x00000000
0x00000000
0x010c4d1c
0x010c4d1c
0x01080499
0x01080535
0x01080535
0x00000000
0x01080535
0x010804a6
0x010c4d2c
0x010c4d37
0x010c4d39
0x010c4d3b
0x00000000
0x00000000
0x010c4d41
0x010c4d48
0x01080527
0x0108052b
0x0108052d
0x01080530
0x01080530
0x00000000
0x0108052b
0x010c4d4e
0x010804ac
0x010804ac
0x010804af
0x010804b2
0x010804b7
0x010804b9
0x010804bb
0x010804bd
0x010804bf
0x010804c5
0x010804c9
0x010c4d53
0x010c4d59
0x010c4db9
0x010c4dba
0x010c4dbf
0x010c4dc2
0x010c4dc4
0x010c4dc7
0x010c4dce
0x00000000
0x010c4dce
0x010c4d5b
0x010c4d61
0x00000000
0x00000000
0x010c4d63
0x010c4d69
0x00000000
0x00000000
0x010c4d6b
0x010c4d6e
0x010c4d74
0x010c4d76
0x010c4d7c
0x010c4d7e
0x010c4d84
0x010c4d89
0x010c4d8c
0x010c4d8d
0x010c4d92
0x010c4d95
0x010c4d96
0x010c4d98
0x010c4d9a
0x010c4d9f
0x010c4da4
0x010c4da6
0x010c4da8
0x010c4daf
0x010c4db1
0x010c4db1
0x010c4daf
0x010c4da6
0x010c4d84
0x010c4d7c
0x00000000
0x010c4d74
0x010804d6
0x010c4de1
0x010804dc
0x010804dc
0x010804dc
0x010804e4
0x010c4deb
0x010c4df1
0x010c4df8
0x010c4dfe
0x010c4e03
0x010c4e05
0x010c4e17
0x010c4e07
0x010c4e10
0x010c4e10
0x010c4e1c
0x010c4e1f
0x010c4e35
0x010c4e35
0x010c4e1f
0x010c4df8
0x010804f1
0x010804fa
0x010c4e3f
0x010c4e47
0x010c4e5b
0x010c4e61
0x010c4e67
0x010c4e69
0x010c4e71
0x010c4e73
0x01080500
0x01080500
0x01080500
0x010804fa
0x01080508
0x0108051d
0x0108051d
0x0108051f
0x01080524
0x00000000
0x01080524
0x01080515
0x01080517
0x010c4e7a
0x010c4e7c
0x00000000
0x00000000
0x010c4e85
0x00000000
0x010c4e85
0x00000000
0x01080517

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3692c987af90b93d945b0d3593a92287e90688b51a9e22d25cf19b86c5eb6cf5
Instruction ID: 1d390535c79561812704528df7bd4d8435722517e27919fa7eee8b15bc816497
Opcode Fuzzy Hash: 3692c987af90b93d945b0d3593a92287e90688b51a9e22d25cf19b86c5eb6cf5
Instruction Fuzzy Hash: 00911671E042159BEB31BB6CC854BAE7BE4BB01B24F0502A9F9D0EB2D5DB749C44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0108DA88 Relevance: .3, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0108DA88(void* __ebx, signed short* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t111;
				signed int _t116;
				signed int _t120;
				signed int _t121;
				signed int _t132;
				signed int _t133;
				signed int _t135;
				signed int _t137;
				signed int _t141;
				signed int _t142;
				intOrPtr _t146;
				signed int _t150;
				signed int _t152;
				signed int _t154;
				signed char _t162;
				signed int _t163;
				signed int* _t164;
				void* _t166;
				signed int _t170;
				signed int _t171;
				signed int _t173;
				signed int _t175;
				signed int _t176;
				signed int _t178;
				void* _t181;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				void* _t193;
				void* _t200;

				_t165 = __ecx;
				_push(0x20);
				_push(0x1130268);
				E010AD08C(__ebx, __edi, __esi);
				 *(_t193 - 0x1c) = __edx;
				 *(_t193 - 0x24) = __ecx;
				if(__ecx == 0) {
					L23:
					_t111 = 0;
					L22:
					return E010AD0D1(_t111);
				}
				_t162 =  *(_t193 + 0x14);
				if((_t162 & 0xffffffcc) != 0 || (_t162 & 0x00000003) == 3) {
					goto L23;
				} else {
					_t116 = _t162 & 0x00000001;
					 *(_t193 - 0x28) = _t116;
					if(_t116 != 0) {
						__eflags = __edx;
						if(__edx != 0) {
							goto L4;
						} else {
							goto L23;
						}
					}
					L4:
					E01072280(_t116, 0x114861c);
					_t187 = 0;
					 *((intOrPtr*)(_t193 - 4)) = 0;
					_t189 = 0;
					while(1) {
						 *(_t193 - 0x20) = _t189;
						_t200 = _t189 -  *0x1146da4; // 0x0
						if(_t200 >= 0) {
							break;
						}
						_t173 = _t189 << 5;
						 *(_t193 - 0x2c) = _t173;
						_t165 = _t173 +  *0x1146da0;
						if(_t165[2] ==  *(_t193 - 0x24)) {
							__eflags = _t162 & 0x00000002;
							if((_t162 & 0x00000002) != 0) {
								__eflags = _t165[4] - _t187;
								if(_t165[4] != _t187) {
									L21:
									 *((intOrPtr*)(_t193 - 4)) = 0xfffffffe;
									E0108DCE8();
									_t111 = 1;
									goto L22;
								} else {
									goto L27;
								}
							}
							L27:
							__eflags =  *(_t193 - 0x28);
							if( *(_t193 - 0x28) == 0) {
								goto L8;
							}
							__eflags = _t165[8];
							if(_t165[8] == 0) {
								goto L8;
							}
							_t152 =  *((intOrPtr*)(_t193 + 0x10));
							__eflags = _t152;
							if(_t152 == 0) {
								goto L8;
							}
							__eflags =  *_t165 - _t152;
							if( *_t165 != _t152) {
								goto L8;
							}
							_t154 =  *( *(_t193 - 0x1c));
							__eflags = _t154 - 0xffffffff;
							if(_t154 == 0xffffffff) {
								L57:
								_t185 =  *0x1146da0; // 0x0
								_t192 =  *(_t193 - 0x2c);
								 *( *(_t193 - 0x1c)) =  *(_t192 + _t185 + 0x10);
								_t175 =  *(_t193 + 8);
								__eflags = _t175;
								if(_t175 != 0) {
									 *_t175 =  *((intOrPtr*)(_t192 + _t185 + 0x14));
								}
								goto L21;
							} else {
								__eflags = _t162 & 0x00000020;
								if((_t162 & 0x00000020) == 0) {
									_push(_t154 & 0xfffffffc);
									_push(0xffffffff);
									E010997A0();
									_t176 =  *(_t193 + 8);
									__eflags = _t176;
									if(_t176 != 0) {
										_push( *_t176);
										E010995D0();
									}
									goto L57;
								}
								__eflags = _t165[8] - 0xffffffff;
								if(_t165[8] == 0xffffffff) {
									_t165[8] = _t187;
								}
								break;
							}
							L32:
							__eflags = _t162 & 0x00000002;
							if((_t162 & 0x00000002) != 0) {
								__eflags = _t165[4] - _t187;
								if(_t165[4] != _t187) {
									goto L33;
								}
								_t165[4] =  *(_t193 + 0xc);
								_t165[0xe] =  *(_t193 + 0x18);
								goto L21;
							}
							L33:
							__eflags = _t162 & 0x00000001;
							if((_t162 & 0x00000001) == 0) {
								L15:
								_t190 = _t190 + 1;
								while(1) {
									L13:
									 *(_t193 - 0x20) = _t190;
									__eflags = _t190 -  *0x1146da4; // 0x0
									if(__eflags >= 0) {
										_t121 = E0106B060(_t165, _t178 & 0xfffffffc);
										__eflags = _t121;
										if(_t121 != 0) {
											 *((short*)(_t181 + _t166)) =  *((intOrPtr*)(_t193 + 0x10));
											 *(_t181 + _t166 + 0xc) =  *(_t193 - 0x2c);
											 *(_t181 + _t166 + 0x1c) =  *(_t193 + 0x18);
											__eflags =  *0x1146db0;
											if( *0x1146db0 != 0) {
												__eflags = _t163;
												if(_t163 != 0) {
													_t191 = _t190 << 5;
													_t132 = E010E6652(_t166 + _t191, 1);
													__eflags = _t132;
													if(_t132 >= 0) {
														__eflags =  *0x1146db0 & 0x00000002;
														if(( *0x1146db0 & 0x00000002) != 0) {
															_t133 =  *0x1146da0; // 0x0
															__eflags =  *((intOrPtr*)(_t191 + _t133 + 0x1c)) - 0xc0000019;
															if( *((intOrPtr*)(_t191 + _t133 + 0x1c)) == 0xc0000019) {
																 *( *(_t193 - 0x1c)) =  *(_t191 + _t133 + 0x10);
															}
														}
													}
												}
											}
											 *0x1146da4 =  *0x1146da4 + 1;
											__eflags =  *0x1146da4;
										}
										goto L21;
									}
									_t170 = _t190 << 5;
									 *(_t193 - 0x2c) = _t170;
									_t165 = _t170 +  *0x1146da0;
									__eflags = _t165[2] - _t178;
									if(_t165[2] == _t178) {
										goto L32;
									}
									goto L15;
								}
								goto L21;
							}
							__eflags = _t165[8] - _t187;
							if(_t165[8] != _t187) {
								goto L15;
							}
							_t135 =  *_t165 & 0x0000ffff;
							__eflags = _t135 -  *((intOrPtr*)(_t193 + 0x10));
							if(_t135 ==  *((intOrPtr*)(_t193 + 0x10))) {
								L37:
								_t164 =  *(_t193 - 0x1c);
								_t165[8] =  *_t164;
								_t137 =  *(_t193 + 8);
								__eflags = _t137;
								if(_t137 != 0) {
									_t187 =  *_t137;
								}
								_t165[0xa] = _t187;
								 *_t165 =  *((intOrPtr*)(_t193 + 0x10));
								_t165[0xe] =  *(_t193 + 0x18);
								_t165[0xc] =  *(_t193 + 0x1c);
								__eflags =  *0x1146db0;
								if( *0x1146db0 != 0) {
									_t141 = E010E6652(_t165, 1);
									__eflags = _t141;
									if(_t141 >= 0) {
										__eflags =  *0x1146db0 & 0x00000002;
										if(( *0x1146db0 & 0x00000002) != 0) {
											_t171 =  *0x1146da0; // 0x0
											_t142 =  *(_t193 - 0x2c);
											__eflags =  *((intOrPtr*)(_t142 + _t171 + 0x1c)) - 0xc0000019;
											if( *((intOrPtr*)(_t142 + _t171 + 0x1c)) == 0xc0000019) {
												 *_t164 =  *(_t142 + _t171 + 0x10);
											}
										}
									}
								}
								goto L21;
							}
							__eflags = _t135;
							if(_t135 != 0) {
								goto L15;
							}
							goto L37;
						} else {
							if((_t162 & 0x00000010) != 0) {
								__eflags =  *0x1146db0;
								if( *0x1146db0 != 0) {
									__eflags = _t165[0xa];
									if(_t165[0xa] != 0) {
										__eflags = _t165[0xa] - 0xffffffff;
										if(_t165[0xa] != 0xffffffff) {
											E010E6652(_t165, 0);
										}
									}
								}
							}
							L8:
							_t189 = _t189 + 1;
							continue;
						}
					}
					__eflags = _t162 & 0x00000010;
					if((_t162 & 0x00000010) != 0) {
						goto L21;
					}
					__eflags =  *0x1146da0;
					if( *0x1146da0 == 0) {
						_t120 = E01074620(_t165,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x400);
						__eflags = _t120;
						if(_t120 == 0) {
							goto L21;
						} else {
							 *0x1146da0 = _t120;
							 *0x1146da8 = 0x20;
							L12:
							_t190 = _t187;
							_t178 =  *(_t193 - 0x24);
							goto L13;
						}
					}
					_t146 =  *0x1146da8; // 0x0
					__eflags =  *0x1146da4 - _t146; // 0x0
					if(__eflags >= 0) {
						_t150 = L01078E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *0x1146da0, _t146 + 0x20 << 5);
						__eflags = _t150;
						if(_t150 == 0) {
							goto L21;
						}
						 *0x1146da0 = _t150;
						 *0x1146da8 =  *0x1146da8 + 0x20;
					}
					goto L12;
				}
			}

0x0108da88
0x0108da88
0x0108da8a
0x0108da8f
0x0108da94
0x0108da99
0x0108da9e
0x0108dbe5
0x0108dbe5
0x0108dbdd
0x0108dbe2
0x0108dbe2
0x0108daa4
0x0108daad
0x00000000
0x0108dac0
0x0108dac2
0x0108dac5
0x0108dac8
0x0108dbe9
0x0108dbeb
0x00000000
0x0108dbf1
0x00000000
0x0108dbf1
0x0108dbeb
0x0108dace
0x0108dad3
0x0108dad8
0x0108dada
0x0108dadd
0x0108dadf
0x0108dadf
0x0108dae2
0x0108dae8
0x00000000
0x00000000
0x0108daec
0x0108daef
0x0108daf2
0x0108dafe
0x0108dbf3
0x0108dbf6
0x010cb242
0x010cb245
0x0108dbcf
0x0108dbcf
0x0108dbd6
0x0108dbdb
0x00000000
0x010cb24b
0x00000000
0x010cb24b
0x010cb245
0x0108dbfc
0x0108dbfc
0x0108dc00
0x00000000
0x00000000
0x0108dc06
0x0108dc0a
0x00000000
0x00000000
0x0108dc10
0x0108dc14
0x0108dc17
0x00000000
0x00000000
0x0108dc1d
0x0108dc20
0x00000000
0x00000000
0x010cb253
0x010cb255
0x010cb258
0x010cb28a
0x010cb28a
0x010cb290
0x010cb29a
0x010cb29c
0x010cb29f
0x010cb2a1
0x010cb2ab
0x010cb2ab
0x00000000
0x010cb25a
0x010cb25a
0x010cb25d
0x010cb274
0x010cb275
0x010cb277
0x010cb27c
0x010cb27f
0x010cb281
0x010cb283
0x010cb285
0x010cb285
0x00000000
0x010cb281
0x010cb25f
0x010cb263
0x010cb269
0x010cb269
0x00000000
0x010cb263
0x0108dc2b
0x0108dc2b
0x0108dc2e
0x010cb315
0x010cb318
0x00000000
0x00000000
0x010cb321
0x010cb327
0x00000000
0x010cb327
0x0108dc34
0x0108dc34
0x0108dc37
0x0108db5e
0x0108db5e
0x0108db3c
0x0108db3c
0x0108db3c
0x0108db3f
0x0108db45
0x0108db65
0x0108db6a
0x0108db6c
0x0108dbaa
0x0108dbb1
0x0108dbb8
0x0108dbbc
0x0108dbc3
0x010cb36d
0x010cb36f
0x010cb375
0x010cb37c
0x010cb381
0x010cb383
0x010cb389
0x010cb390
0x010cb396
0x010cb39b
0x010cb3a3
0x010cb3b0
0x010cb3b0
0x010cb3a3
0x010cb390
0x010cb383
0x010cb36f
0x0108dbc9
0x0108dbc9
0x0108dbc9
0x00000000
0x0108db6c
0x0108db49
0x0108db4c
0x0108db4f
0x0108db55
0x0108db58
0x00000000
0x00000000
0x00000000
0x0108db58
0x00000000
0x0108db3c
0x0108dc3d
0x0108dc40
0x00000000
0x00000000
0x0108dc46
0x0108dc49
0x0108dc4d
0x0108dc58
0x0108dc58
0x0108dc5d
0x0108dc60
0x0108dc63
0x0108dc65
0x0108dc67
0x0108dc67
0x0108dc69
0x0108dc70
0x0108dc76
0x0108dc7c
0x0108dc7f
0x0108dc86
0x010cb331
0x010cb336
0x010cb338
0x010cb33e
0x010cb345
0x010cb34b
0x010cb351
0x010cb354
0x010cb35c
0x010cb366
0x010cb366
0x010cb35c
0x010cb345
0x010cb338
0x00000000
0x0108dc86
0x0108dc4f
0x0108dc52
0x00000000
0x00000000
0x00000000
0x0108db04
0x0108db07
0x010cb2b2
0x010cb2b9
0x010cb2bf
0x010cb2c3
0x010cb2c9
0x010cb2cd
0x010cb2d5
0x010cb2d5
0x010cb2cd
0x010cb2c3
0x010cb2b9
0x0108db0d
0x0108db0d
0x00000000
0x0108db0d
0x0108dafe
0x0108db10
0x0108db13
0x00000000
0x00000000
0x0108db19
0x0108db20
0x0108dca1
0x0108dca6
0x0108dca8
0x00000000
0x0108dcae
0x0108dcae
0x0108dcb3
0x0108db37
0x0108db37
0x0108db39
0x00000000
0x0108db39
0x0108dca8
0x0108db26
0x0108db2b
0x0108db31
0x010cb2f7
0x010cb2fc
0x010cb2fe
0x00000000
0x00000000
0x010cb304
0x010cb309
0x010cb309
0x00000000
0x0108db31

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba8f74d9829f938ba92d91beb992a1e70dd630c9b06d42e191367f45875cd85
Instruction ID: 20a5339f410b4fa4b6c0bf1232c957cbb5fd50cd83b99c29a0d9ef0461bb3522
Opcode Fuzzy Hash: 3ba8f74d9829f938ba92d91beb992a1e70dd630c9b06d42e191367f45875cd85
Instruction Fuzzy Hash: 2CA17C74908206CFDFA9EF98C4407ADBBE1BF09758F1446A9D8E19B2D2D771D882CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01055AC0 Relevance: .2, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01055AC0(signed char _a4, char _a8, signed int _a12, intOrPtr _a16, char _a20) {
				signed int _v8;
				char _v1036;
				char _v1037;
				char _v1038;
				signed int _v1044;
				char _v1048;
				char _v1052;
				signed int _v1056;
				char _v1060;
				intOrPtr _v1064;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t76;
				char _t80;
				signed int _t81;
				void* _t92;
				char _t108;
				signed int _t111;
				char _t121;
				signed char _t122;
				signed int _t136;
				signed int _t137;
				char _t144;
				char _t145;
				signed int _t147;

				_v8 =  *0x114d360 ^ _t147;
				_t76 = _a16;
				_t140 = _a12;
				_t145 = _a8;
				_v1064 = _t76;
				_t144 = _a20;
				_v1060 = _t144;
				if(_t145 == 0 || _t144 == 0 ||  *_t144 < 0 || _t140 < 0xffffffff ||  *_t144 > 0 && _t76 == 0) {
					L46:
					_t77 = 0xc000000d;
					goto L18;
				} else {
					_t122 = _a4;
					if((_t122 & 0xfffffff0) != 0) {
						goto L46;
					}
					if(_t140 == 0xffffffff) {
						_t140 = 0x203;
						_t80 = E0106347D(_t145, 0x203,  &_v1056);
						__eflags = _t80;
						if(_t80 < 0) {
							L23:
							_t77 = 0xc0000716;
							L18:
							return E0109B640(_t77, _t122, _v8 ^ _t147, _t140, _t144, _t145);
						}
						_t140 = _v1056 + 1;
					}
					_t81 =  *(_t145 + _t140 * 2 - 2) & 0x0000ffff;
					_v1044 = _t81;
					if(_t81 == 0) {
						_t140 = _t140 - 1;
					}
					_v1048 = 0x1ff;
					_v1056 = _t122 & 0x00000004;
					if(E01055C07(_t145, _t140,  &_v1036,  &_v1048, (_t122 >> 0x00000001 & 0 | (_t122 & 0x00000004) != 0x00000000) & 0x000000ff, _t122 >> 0x00000001 & 1,  &_v1038,  &_v1052) < 0) {
						goto L18;
					} else {
						_t145 = _v1048;
						if(_v1044 == 0) {
							__eflags = _t145 - 0x1ff;
							if(_t145 >= 0x1ff) {
								goto L23;
							}
							_t92 = _t145 + _t145;
							_t145 = _t145 + 1;
							_v1048 = _t145;
							__eflags = _t92 - 0x3fe;
							if(_t92 >= 0x3fe) {
								E0109B75A();
								L29:
								__eflags = _v1056;
								if(_v1056 == 0) {
									L32:
									_t140 = _v1052 -  &_v1036 >> 1;
									__eflags = _v1044;
									_t134 = 0 | __eflags == 0x00000000;
									if(__eflags >= 0) {
										L13:
										_t135 = _v1064;
										if(_v1064 == 0 ||  *_t144 == 0) {
											L17:
											 *_t144 = _t145;
											_t77 = 0;
											goto L18;
										} else {
											if(_t145 >  *_t144) {
												_t77 = 0xc0000023;
												goto L18;
											}
											E0109F3E0(_t135,  &_v1036, _t145 + _t145);
											goto L17;
										}
									}
									__eflags = _v1044;
									_t145 = _t145 - (0 | _v1044 == 0x00000000) + 1 - _t140;
									_v1044 = _v1052 + 2;
									_t144 = E01074620(_t134,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t145);
									__eflags = _t144;
									if(_t144 != 0) {
										_t140 = _v1044;
										_t136 = 0;
										__eflags = _t145;
										if(_t145 <= 0) {
											L39:
											_t108 = E0110B0D0(_t136, _t122, _t140, _t145,  &_v1037);
											__eflags = _t108;
											if(_t108 < 0) {
												L22:
												L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t144);
												goto L23;
											}
											__eflags = _v1037;
											if(_v1037 == 0) {
												goto L22;
											}
											_t111 = 0;
											__eflags = _t145;
											if(_t145 <= 0) {
												L45:
												L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t144);
												_t145 = _v1048;
												_t144 = _v1060;
												goto L13;
											} else {
												goto L42;
											}
											do {
												L42:
												__eflags =  *((char*)(_t111 + _t144)) - 1;
												if( *((char*)(_t111 + _t144)) == 1) {
													_t137 = _v1044;
													_t140 = 0xffe0;
													_t67 = _t137 + _t111 * 2;
													 *_t67 =  *((intOrPtr*)(_t137 + _t111 * 2)) + 0xffe0;
													__eflags =  *_t67;
												}
												_t111 = _t111 + 1;
												__eflags = _t111 - _t145;
											} while (_t111 < _t145);
											goto L45;
										} else {
											goto L36;
										}
										do {
											L36:
											__eflags = ( *(_t140 + _t136 * 2) & 0x0000ffff) + 0xffffffbf - 0x19;
											if(( *(_t140 + _t136 * 2) & 0x0000ffff) + 0xffffffbf <= 0x19) {
												_t58 = _t140 + _t136 * 2;
												 *_t58 =  *(_t140 + _t136 * 2) + 0x20;
												__eflags =  *_t58;
												 *((char*)(_t136 + _t144)) = 1;
											}
											_t136 = _t136 + 1;
											__eflags = _t136 - _t145;
										} while (_t136 < _t145);
										goto L39;
									}
									_t77 = 0xc0000017;
									goto L18;
								}
								_t121 = E0110B0D0( &_v1036, 1,  &_v1036, _v1052 -  &_v1036 >> 1,  &_v1037);
								__eflags = _t121;
								if(_t121 < 0) {
									goto L23;
								}
								__eflags = _v1037;
								if(_v1037 == 0) {
									goto L23;
								}
								goto L32;
							}
							 *((short*)(_t147 + _t92 - 0x408)) = 0;
						}
						if((_t122 & 0x00000008) != 0 || _v1038 != 0) {
							goto L13;
						} else {
							goto L29;
						}
					}
				}
			}

0x01055ad2
0x01055ad5
0x01055ad8
0x01055add
0x01055ae0
0x01055ae7
0x01055aea
0x01055af2
0x010b12e6
0x010b12e6
0x00000000
0x01055b1f
0x01055b1f
0x01055b28
0x00000000
0x00000000
0x01055b31
0x010b1142
0x010b114a
0x010b114f
0x010b1151
0x010b1170
0x010b1170
0x01055bed
0x01055bfd
0x01055bfd
0x010b1159
0x010b1159
0x01055b37
0x01055b3e
0x01055b47
0x010b117a
0x010b117a
0x01055b53
0x01055b70
0x01055b9a
0x00000000
0x01055b9c
0x01055ba4
0x01055baa
0x010b1180
0x010b1186
0x00000000
0x00000000
0x010b1188
0x010b118b
0x010b118c
0x010b1192
0x010b1197
0x010b11a8
0x010b11ad
0x010b11ad
0x010b11b4
0x010b11e5
0x010b11f5
0x010b11f9
0x010b1200
0x010b1207
0x01055bc2
0x01055bc2
0x01055bca
0x01055be9
0x01055be9
0x01055beb
0x00000000
0x01055bd1
0x01055bd3
0x01055c00
0x00000000
0x01055c00
0x01055be1
0x00000000
0x01055be6
0x01055bca
0x010b120f
0x010b1225
0x010b1227
0x010b123e
0x010b1240
0x010b1242
0x010b124e
0x010b1254
0x010b1256
0x010b1258
0x010b1275
0x010b128a
0x010b128f
0x010b1291
0x010b115f
0x010b116b
0x00000000
0x010b116b
0x010b1297
0x010b129e
0x00000000
0x00000000
0x010b12a4
0x010b12a6
0x010b12a8
0x010b12c4
0x010b12d0
0x010b12d5
0x010b12db
0x00000000
0x00000000
0x00000000
0x00000000
0x010b12aa
0x010b12aa
0x010b12aa
0x010b12ae
0x010b12b0
0x010b12b6
0x010b12bb
0x010b12bb
0x010b12bb
0x010b12bb
0x010b12bf
0x010b12c0
0x010b12c0
0x00000000
0x00000000
0x00000000
0x00000000
0x010b125a
0x010b125a
0x010b1261
0x010b1265
0x010b1267
0x010b1267
0x010b1267
0x010b126c
0x010b126c
0x010b1270
0x010b1271
0x010b1271
0x00000000
0x010b125a
0x010b1244
0x00000000
0x010b1244
0x010b11d3
0x010b11d8
0x010b11da
0x00000000
0x00000000
0x010b11dc
0x010b11e3
0x00000000
0x00000000
0x00000000
0x010b11e3
0x010b119b
0x010b119b
0x01055bb3
0x00000000
0x00000000
0x00000000
0x00000000
0x01055bb3
0x01055b9a

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a373d424b59fc3ca90de1cf1e29dbb001b9f7109f3b81e9d89b78a33b899dd
Instruction ID: aceb86aa561af785d6a70c14004a53dc2b692ff7291a2671acb23efdff765b54
Opcode Fuzzy Hash: 33a373d424b59fc3ca90de1cf1e29dbb001b9f7109f3b81e9d89b78a33b899dd
Instruction Fuzzy Hash: F881E5B1A0011A8BEB648B28DD94BEE77B8EF44314F0445E9DA95E3281E774DEC1CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0108138B Relevance: .2, Instructions: 206
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0108138B(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t97;
				signed int _t102;
				void* _t105;
				char* _t112;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				signed int* _t122;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				char _t150;
				intOrPtr _t153;
				signed int _t161;
				signed int _t163;
				signed int _t170;
				signed int _t175;
				signed int _t176;
				signed int _t182;
				signed int* _t183;
				signed int* _t184;

				_t182 = __ecx;
				_t153 = _a24;
				_t183 = __edx;
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
				_t97 = _t153 - _a16;
				if(_t97 > 0xfffff000) {
					L19:
					return 0;
				}
				asm("cdq");
				_t150 = _a20;
				_v16 = _t97 / 0x1000;
				_t102 = _a4 + 0x00000007 & 0xfffffff8;
				_t170 = _t102 + __edx;
				_v20 = _t102 >> 0x00000003 & 0x0000ffff;
				_t105 = _t170 + 0x28;
				_v12 = _t170;
				if(_t105 >= _t150) {
					if(_t105 >= _t153) {
						goto L19;
					}
					_v8 = _t170 - _t150 + 8;
					_push(E01080678(__ecx, 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push( &_a20);
					_push(0xffffffff);
					if(E01099660() < 0) {
						 *((intOrPtr*)(_t182 + 0x214)) =  *((intOrPtr*)(_t182 + 0x214)) + 1;
						goto L19;
					}
					if(E01077D50() == 0) {
						_t112 = 0x7ffe0380;
					} else {
						_t112 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t112 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0111138A(_t150, _t182, _a20, _v8, 3);
					}
					_t150 = _a20 + _v8;
					_t153 = _a24;
					_a20 = _t150;
				}
				_t183[0] = 1;
				_t113 = _t153 - _t150;
				_t183[1] = 1;
				asm("cdq");
				_t175 = _t113 % 0x1000;
				_v28 = _t113 / 0x1000;
				 *_t183 = _v20;
				_t183[1] =  *(_t182 + 0x54);
				if((_v24 & 0x00001000) != 0) {
					_t117 = E010816C7(1, _t175);
					_t150 = _a20;
					_t183[0xd] = _t117;
				}
				_t183[0xb] = _t183[0xb] & 0x00000000;
				_t176 = _v12;
				_t183[3] = _a12;
				_t119 = _a16;
				_t183[7] = _t119;
				_t161 = _v16 << 0xc;
				_t183[6] = _t182;
				_t183[0xa] = _t119 + _t161;
				_t183[8] = _v16;
				_t122 =  &(_t183[0xe]);
				_t183[2] = 0xffeeffee;
				_t183[9] = _t176;
				 *((intOrPtr*)(_t182 + 0x1e8)) =  *((intOrPtr*)(_t182 + 0x1e8)) + _t161;
				 *((intOrPtr*)(_t182 + 0x1e4)) =  *((intOrPtr*)(_t182 + 0x1e4)) + _t161;
				_t122[1] = _t122;
				 *_t122 = _t122;
				if(_t183[6] != _t183) {
					_t124 = 1;
				} else {
					_t124 = 0;
				}
				_t183[1] = _t124;
				 *(_t176 + 4) =  *_t183 ^  *(_t182 + 0x54);
				if(_t183[6] != _t183) {
					_t130 = (_t176 - _t183 >> 0x10) + 1;
					_v24 = _t130;
					if(_t130 >= 0xfe) {
						_push(_t161);
						_push(0);
						E0111A80D(_t183[6], 3, _t176, _t183);
						_t150 = _a20;
						_t176 = _v12;
						_t130 = _v24;
					}
				} else {
					_t130 = 0;
				}
				 *(_t176 + 6) = _t130;
				E0107B73D(_t182, _t183, _t150 - 0x18, _v28 << 0xc, _t176,  &_v8);
				if( *((intOrPtr*)(_t182 + 0x4c)) != 0) {
					_t183[0] = _t183[0] ^  *_t183 ^ _t183[0];
					 *_t183 =  *_t183 ^  *(_t182 + 0x50);
				}
				if(_v8 != 0) {
					E0107A830(_t182, _v12, _v8);
				}
				_t136 = _t182 + 0xa4;
				_t184 =  &(_t183[4]);
				_t163 =  *(_t136 + 4);
				if( *_t163 != _t136) {
					_push(_t163);
					_push( *_t163);
					E0111A80D(0, 0xd, _t136, 0);
				} else {
					 *_t184 = _t136;
					_t184[1] = _t163;
					 *_t163 = _t184;
					 *(_t136 + 4) = _t184;
				}
				 *((intOrPtr*)(_t182 + 0x1f4)) =  *((intOrPtr*)(_t182 + 0x1f4)) + 1;
				return 1;
			}

0x0108139f
0x010813a1
0x010813a4
0x010813a6
0x010813ab
0x010813b3
0x010c5522
0x00000000
0x010c5522
0x010813b9
0x010813c1
0x010813c4
0x010813cd
0x010813d0
0x010813d9
0x010813dc
0x010813df
0x010813e4
0x010c552b
0x00000000
0x00000000
0x010c5534
0x010c553f
0x010c5545
0x010c5549
0x010c554a
0x010c554f
0x010c5550
0x010c5559
0x010c551c
0x00000000
0x010c551c
0x010c5562
0x010c5574
0x010c5564
0x010c556d
0x010c556d
0x010c557c
0x010c5597
0x010c5597
0x010c559f
0x010c55a2
0x010c55a5
0x010c55a5
0x010813ec
0x010813f2
0x010813f4
0x010813f8
0x010813fe
0x01081400
0x01081406
0x01081412
0x01081419
0x010c55b0
0x010c55b5
0x010c55b8
0x010c55b8
0x01081425
0x01081429
0x0108142c
0x0108142f
0x01081432
0x01081435
0x0108143a
0x0108143d
0x01081443
0x01081446
0x01081449
0x01081450
0x01081453
0x01081459
0x0108145f
0x01081462
0x01081467
0x010814fa
0x0108146d
0x0108146d
0x0108146d
0x0108146f
0x01081479
0x01081480
0x01081507
0x01081508
0x01081510
0x010c55c1
0x010c55c2
0x010c55cc
0x010c55d1
0x010c55d4
0x010c55d7
0x010c55d7
0x01081482
0x01081482
0x01081482
0x01081484
0x0108149b
0x010814a4
0x010814ae
0x010814b4
0x010814b4
0x010814ba
0x010814c4
0x010814c4
0x010814c9
0x010814cf
0x010814d2
0x010814d7
0x010c55df
0x010c55e0
0x010c55ea
0x010814dd
0x010814dd
0x010814df
0x010814e2
0x010814e4
0x010814e4
0x010814e7
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 8fa8cfa5f1e488e030fea46ec6647f3f2b184f2ab1a6eefda621cf3881d8fc62
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: 5F819975A00645AFCB24DF68C880AAABBF5EF58310F14856EE986C7641D730EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0111B2E8 Relevance: .2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0111B2E8(signed int __ecx, signed int __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				char _v12;
				char _v28;
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t75;
				signed int _t79;
				char _t80;
				signed int _t95;
				signed int _t96;
				intOrPtr* _t97;
				signed int _t98;
				signed char* _t99;
				intOrPtr _t100;
				signed int _t101;
				void* _t119;
				signed int _t120;
				void* _t143;
				intOrPtr _t144;
				signed int _t150;
				signed int _t151;
				void* _t152;
				signed int _t157;

				_t135 = __edx;
				_t159 = (_t157 & 0xfffffff8) - 0x5c;
				_v8 =  *0x114d360 ^ (_t157 & 0xfffffff8) - 0x0000005c;
				_v92 = _a8;
				_v56 = __edx;
				_v88 = _a12;
				_t150 = __ecx;
				_v80 = __ecx;
				if(__edx <= 0x7fffffff) {
					_t135 = 1;
					_t75 = E0111C23A( &_v92, 1);
					__eflags = _t75;
					if(_t75 < 0) {
						goto L1;
					}
					_push(0);
					_push(0x2c);
					_push( &_v52);
					_push(0);
					_t79 = E01099860();
					__eflags = _t79;
					if(_t79 >= 0) {
						_t80 = _v12;
					} else {
						_t80 = 1;
						_v12 = 1;
					}
					_t144 = _v88;
					_t120 = E0111B0C7(_t150, _t80, _v92, _t144);
					__eflags = _t120;
					if(_t120 != 0) {
						_t16 = _t120 + 0xd8; // 0xd8
						 *(_t120 + 0xc) = _t150;
						_t18 = _t120 + 0x44; // 0x44
						_t19 = _t120 + 0x10; // 0x10
						 *_t120 = _v92;
						_t20 = _t120 + 0x118; // 0x118
						 *((intOrPtr*)(_t120 + 4)) = _t144;
						 *((intOrPtr*)(_t120 + 8)) = 0xddeeddee;
						E0111FC01(_t18, _t120, _t20, _t16, _t19, _v92, _t144);
						_t24 = _t120 + 0x84; // 0x84
						_t127 = _t24;
						E0111FC01(_t24, _t120, 0, 0, _t19, _v116, _t144);
						 *((intOrPtr*)(_t120 + 0x30)) = 0;
						 *((intOrPtr*)(_t120 + 0x34)) = 0;
						 *((intOrPtr*)(_t120 + 0x38)) = 0;
						__eflags =  *(_t120 + 0xc) & 0x20000000;
						 *((intOrPtr*)(_t120 + 0xc8)) = 0;
						if(( *(_t120 + 0xc) & 0x20000000) != 0) {
							_t127 = 0x11120e0;
							 *(_t120 + 0x20) = E0110FD06(0x11120e0) & 0x0000ffff;
						}
						asm("stosd");
						_t34 = _t120 + 0x44; // 0x44
						_t35 = _t120 + 0xd8; // 0xd8
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v60 = 0;
						_v76 = 0x11212e0;
						_v72 = 0x1120200;
						_v68 = 0x1120100;
						_v64 = 0x1120150;
						E01122C75(_t35, _t34,  &_v76, _v92 & 1, _t127, 0x114a748);
						asm("stosd");
						_t44 = _t120 + 0x44; // 0x44
						_t45 = _t120 + 0x118; // 0x118
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t46 = _t120 + 0x10; // 0x10
						_v92 = 0x11200b0;
						_v88 = 0x1120200;
						_v84 = 0x1120100;
						_v80 = 0x1120150;
						_v76 = 0x11200e0;
						E0111CC77(_t45, _t44, _v28, _v92 & 1,  &_v92, _t46, 0x114a73c);
						_t135 = _v92;
						_t56 = _t120 + 0x44; // 0x44
						 *(_t120 + 0xc4) =  *(_t120 + 0xc4) & 0x00000000;
						_t95 = E0111FC94(_t56, _v92, _a4);
						__eflags = _t95;
						if(_t95 >= 0) {
							_t151 = _t120;
							_t120 = 0;
							_t96 = E01077D50();
							__eflags = _t96;
							if(_t96 == 0) {
								_t97 = 0x7ffe0388;
							} else {
								_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							}
							__eflags =  *_t97 - _t120;
							if( *_t97 != _t120) {
								_t135 =  *((intOrPtr*)(_t151 + 0xd4)) - _t151;
								__eflags =  *((intOrPtr*)(_t151 + 0xd4)) - _t151;
								E0110FD52(_t120, _t151,  *((intOrPtr*)(_t151 + 0xd4)) - _t151, _v80);
							}
							_t98 = E01077D50();
							_t147 = 0x7ffe0380;
							__eflags = _t98;
							if(_t98 == 0) {
								_t99 = 0x7ffe0380;
							} else {
								_t99 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							__eflags =  *_t99 - _t120;
							if( *_t99 == _t120) {
								goto L27;
							} else {
								_t100 =  *[fs:0x30];
								__eflags =  *(_t100 + 0x240) & 0x00000001;
								if(( *(_t100 + 0x240) & 0x00000001) == 0) {
									goto L27;
								}
								_t101 = E01077D50();
								__eflags = _t101;
								if(_t101 != 0) {
									_t147 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								_t135 = _v80;
								__eflags =  *((intOrPtr*)(_t151 + 0xd4)) - _t151;
								E011114A0(_t120, _t151, _v80, _t147,  *((intOrPtr*)(_t151 + 0xd4)) - _t151,  *((intOrPtr*)(_t151 + 0xd4)) - _t151,  *((intOrPtr*)(_t151 + 0xd0)) - _t151,  *_t147 & 0x000000ff);
								goto L25;
							}
						} else {
							_t151 = 0;
							L25:
							__eflags = _t120;
							if(_t120 != 0) {
								E0111B581(_t120);
							}
							goto L27;
						}
					} else {
						_t135 = 0;
						_t151 = 0;
						E0111C23A( &_v92, 0);
						L27:
						_pop(_t143);
						_pop(_t152);
						_pop(_t119);
						return E0109B640(_t151, _t119, _v8 ^ _t159, _t135, _t143, _t152);
					}
				}
				L1:
				_t151 = 0;
				goto L27;
			}

0x0111b2e8
0x0111b2f0
0x0111b2fa
0x0111b301
0x0111b308
0x0111b30c
0x0111b312
0x0111b314
0x0111b31f
0x0111b32e
0x0111b32f
0x0111b334
0x0111b336
0x00000000
0x00000000
0x0111b338
0x0111b33a
0x0111b340
0x0111b341
0x0111b343
0x0111b348
0x0111b34a
0x0111b354
0x0111b34c
0x0111b34c
0x0111b34e
0x0111b34e
0x0111b358
0x0111b36b
0x0111b36d
0x0111b36f
0x0111b387
0x0111b38f
0x0111b392
0x0111b395
0x0111b398
0x0111b39c
0x0111b3a2
0x0111b3a7
0x0111b3ae
0x0111b3b8
0x0111b3b8
0x0111b3c4
0x0111b3c9
0x0111b3cc
0x0111b3cf
0x0111b3d2
0x0111b3d9
0x0111b3df
0x0111b3e1
0x0111b3ee
0x0111b3ee
0x0111b3f7
0x0111b3f8
0x0111b401
0x0111b407
0x0111b408
0x0111b409
0x0111b40a
0x0111b40f
0x0111b41d
0x0111b427
0x0111b42f
0x0111b437
0x0111b43f
0x0111b44a
0x0111b44b
0x0111b453
0x0111b459
0x0111b45a
0x0111b45b
0x0111b45c
0x0111b45d
0x0111b465
0x0111b475
0x0111b47d
0x0111b485
0x0111b48d
0x0111b495
0x0111b49d
0x0111b4a1
0x0111b4a4
0x0111b4ab
0x0111b4b0
0x0111b4b2
0x0111b4bb
0x0111b4bd
0x0111b4bf
0x0111b4c4
0x0111b4c6
0x0111b4d8
0x0111b4c8
0x0111b4d1
0x0111b4d1
0x0111b4dd
0x0111b4df
0x0111b4ed
0x0111b4ed
0x0111b4ef
0x0111b4ef
0x0111b4f4
0x0111b4f9
0x0111b4fe
0x0111b500
0x0111b512
0x0111b502
0x0111b50b
0x0111b50b
0x0111b514
0x0111b516
0x00000000
0x0111b518
0x0111b518
0x0111b51e
0x0111b525
0x00000000
0x00000000
0x0111b527
0x0111b52c
0x0111b52e
0x0111b539
0x0111b539
0x0111b539
0x0111b544
0x0111b558
0x0111b55b
0x00000000
0x0111b55b
0x0111b4b4
0x0111b4b4
0x0111b560
0x0111b560
0x0111b562
0x0111b566
0x0111b566
0x00000000
0x0111b562
0x0111b371
0x0111b371
0x0111b377
0x0111b379
0x0111b56b
0x0111b571
0x0111b572
0x0111b573
0x0111b57e
0x0111b57e
0x0111b36f
0x0111b321
0x0111b321
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a908478cf8bc60e961c308a8484e26a8b8f4320eabf60f8b44dbbc4b71e3571
Instruction ID: 33288a90a1fdb6ff0bf2f6f6776992e51f451efa3b4021148a570b54ee72a640
Opcode Fuzzy Hash: 1a908478cf8bc60e961c308a8484e26a8b8f4320eabf60f8b44dbbc4b71e3571
Instruction Fuzzy Hash: D4710171208351AFD759CF69C884B6BBBF9EF88744F044529FD899B219D730D808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010EB8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E010EB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1147b9c; // 0x0
				_t124 = E01074620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01099800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E010995B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E010995D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L010777F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01099910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E010995D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1147b9c; // 0x0
									_t92 = E01074620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01099910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0105A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E010EE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E010EE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E010995B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x010eb8d9
0x010eb8e4
0x00000000
0x010eb8e6
0x010eb8f3
0x010eb8f5
0x010eb8f5
0x010eb8f8
0x010eb920
0x010eb924
0x010eb936
0x010eb939
0x010eb93d
0x010eb948
0x010eb9a0
0x010eb9a0
0x010eb9a4
0x010eb9bf
0x010eb9c4
0x010eb9c6
0x010eb9cd
0x010eb9d1
0x010ebad4
0x010ebad8
0x010ebada
0x010ebadc
0x010ebadc
0x010ebadf
0x010ebae0
0x010ebae2
0x010ebae4
0x010ebaec
0x010ebaee
0x010ebaf0
0x010ebaf0
0x010ebaec
0x010ebafb
0x010ebafc
0x010ebafe
0x010ebb01
0x010ebb01
0x00000000
0x010ebb06
0x010eb9d7
0x010eb9db
0x010eb9db
0x010eb9de
0x010eb9de
0x010eb9e4
0x010eb9e7
0x010eb9ea
0x010eb9ec
0x010eb9ef
0x010eb9f3
0x010eba1b
0x010eba1b
0x010eba23
0x010eba24
0x010eba27
0x010eba2a
0x010eba2b
0x010eba2e
0x010eba30
0x010eba37
0x010eba3f
0x010eba9c
0x010ebaa2
0x010ebb13
0x010ebb15
0x010ebaae
0x010ebaae
0x010ebab3
0x010ebab5
0x010ebaba
0x010ebac8
0x010ebac8
0x010ebaba
0x010ebacd
0x010ebacf
0x00000000
0x010ebacf
0x010ebb1a
0x00000000
0x010ebb1c
0x010ebaa7
0x010ebb11
0x00000000
0x010ebb11
0x010ebaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x010eba41
0x010eba41
0x010eba41
0x010eba58
0x010eba5d
0x010eba62
0x00000000
0x00000000
0x010eba64
0x010eba67
0x010eba68
0x010eba69
0x010eba6c
0x010eba6f
0x010eba71
0x010eba78
0x010eba80
0x00000000
0x00000000
0x010eba90
0x010eba90
0x010eba97
0x00000000
0x010eba97
0x010eb9f5
0x010eb9f7
0x010eb9f7
0x010eb9fa
0x010eba03
0x010eba07
0x010eba0c
0x010eba10
0x010eba17
0x00000000
0x010eb9f7
0x010eb9a6
0x010eb9a8
0x010eb9af
0x010eb9b3
0x00000000
0x00000000
0x010eb9b9
0x00000000
0x010eb9b9
0x010eb94d
0x010eb98f
0x010eb995
0x010eb999
0x010eb960
0x010eb967
0x010eb968
0x010eb96a
0x00000000
0x010eb96a
0x010eb99b
0x010eb99e
0x00000000
0x00000000
0x00000000
0x010eb99e
0x010eb951
0x010eb954
0x010eb95a
0x010eb95e
0x010eb972
0x010eb979
0x010eb97d
0x010eb97f
0x010eb980
0x010eb982
0x010eb984
0x00000000
0x010eb984
0x00000000
0x010eb926
0x00000000
0x010eb926

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904fffec2e38225e46226a78a204ade4c9020560fdf330e80c7483e85cf263e6
Instruction ID: ad593711144edf8e06724101c3468ba1e10560434085e3712ad379439dee29ec
Opcode Fuzzy Hash: 904fffec2e38225e46226a78a204ade4c9020560fdf330e80c7483e85cf263e6
Instruction Fuzzy Hash: 6C71F132200706EFEB32DF1AC848FA6BBE5FF44720F144568E695976A0DBB1E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010D6DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E010D6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = E01074620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E010D6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E01077D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E01099AE0();
					_t87 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E010D795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E010D795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E010D795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E010D795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = E01074620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E010D6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E010D6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E010D6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E010D6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E01077D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E01099AE0();
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L01072400( &_v36);
							if(_v24 >= 0) {
								_t87 = L01072400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L01072400( &_v52);
							}
							if(_v28 >= 0) {
								return L01072400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x010d6dd4
0x010d6dde
0x010d6de1
0x010d6de3
0x010d6de6
0x010d6de9
0x010d6dec
0x010d6def
0x010d6df2
0x010d6df5
0x010d6dfe
0x010d6e04
0x010d6e09
0x010d6e0d
0x010d6e18
0x010d6e1b
0x010d6e22
0x010d6e2d
0x010d6e30
0x010d6e36
0x010d6e42
0x010d6e4d
0x010d6e50
0x010d6e55
0x010d6e5c
0x010d6e6e
0x010d6e5e
0x010d6e67
0x010d6e67
0x010d6e73
0x010d6e74
0x010d6e77
0x010d6e7c
0x010d6e7d
0x010d6e8e
0x010d6e93
0x010d6e9c
0x010d6ea8
0x010d6eab
0x010d6eac
0x010d6eb3
0x010d6ecd
0x010d6edc
0x010d6ee2
0x010d6ee5
0x010d6ef2
0x010d6efb
0x010d6f01
0x010d6f06
0x010d6f0b
0x010d6f11
0x010d6f1a
0x010d6f22
0x010d6f26
0x010d6f26
0x010d6f33
0x010d6f41
0x010d6f44
0x010d6f47
0x010d6f54
0x010d6f65
0x010d6f77
0x010d6f7c
0x010d6f82
0x010d6f91
0x010d6f99
0x010d6fa3
0x010d6fae
0x010d6fae
0x010d6fba
0x010d6fbb
0x010d6fbc
0x010d6fc1
0x010d6fc2
0x010d6fd3
0x010d6fd8
0x010d6fd8
0x010d6fdf
0x010d6fe8
0x010d6fee
0x010d6fee
0x010d6ff5
0x010d6ffb
0x010d6ffb
0x010d7004
0x00000000
0x010d700a
0x010d7004
0x010d6eb3
0x010d6e9c
0x010d7015

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: d6bc1f0954ad2916bbf4ef9f1c747b9ff07cc7883663eafc8570f62236b1d463
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 0F717A71E0060AEFDB11DFA8C984AEEBBB9FF48714F104069E545E7290DB34AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0106F370 Relevance: .2, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0106F370(intOrPtr __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				unsigned int _v24;
				unsigned int _v28;
				void* __ebx;
				void* __edi;
				unsigned int _t65;
				signed int _t75;
				signed int _t76;
				intOrPtr* _t101;
				char* _t102;
				unsigned int _t115;
				signed int _t119;
				unsigned int _t124;
				void* _t134;
				signed int _t135;
				unsigned int _t137;
				signed int _t141;
				signed int _t148;
				void* _t152;
				intOrPtr* _t155;
				intOrPtr* _t156;
				unsigned int _t159;

				_v12 = __ecx;
				_v5 = __edx;
				_t65 = ((__edx & 0x000000ff) << 5) + __ecx;
				_t115 = _t65 - 0xa8;
				_v28 = _t65;
				_v24 = _t115;
				 *(_t115 + 0x14) = ( *(_t115 + 0x14) & 0x0000ffff) + 1;
				_v16 = 0x1146dc0 + (_t115 >> 0x00000002 & 0x0000001f) * 4;
				E01072280(_t115 >> 0x00000002 & 0x0000001f, 0x1146dc0 + (_t115 >> 0x00000002 & 0x0000001f) * 4);
				_t155 =  *_t115;
				if(_t155 != 0) {
					 *_t115 =  *_t155;
					 *((intOrPtr*)(_t115 + 4)) =  *((intOrPtr*)(_t115 + 4)) + 0xffff;
				}
				asm("lock cmpxchg [edi], ecx");
				_t119 = 1;
				if(1 != 1) {
					while(1) {
						_t75 = _t119 & 0x00000006;
						_v20 = _t75;
						_t76 = _t119;
						_t134 = (0 | _t75 == 0x00000002) * 4 - 1 + _t119;
						asm("lock cmpxchg [ebx], edi");
						if(_t76 == _t119) {
							break;
						}
						_t119 = _t76;
					}
					_t115 = _v24;
					if(_v20 == 2) {
						E010900C2(_v16, 0, _t134);
					}
					_t135 = 1;
				}
				if(_t155 == 0) {
					_t77 = _v5;
					if(_v5 <= 7) {
						L17:
						_t156 = E0106B433( *((intOrPtr*)(_v12 + 0xc)), _t77, _a4, _a8);
						if(_t156 != 0) {
							asm("lock inc dword [eax]");
						}
						L11:
						_t137 =  *(_t115 + 0x14) & 0x0000ffff;
						if(_t137 > 0x40) {
							_t148 =  *(_t115 + 0x18) & 0x0000ffff;
							if(_t137 >= (( *(_t115 + 0x16) & 0x0000ffff) >> 1) + ( *(_t115 + 0x16) & 0x0000ffff) || _t148 >= _t137 - (_t137 >> 1)) {
								L23:
								 *(_t115 + 0x14) = 0;
								 *(_t115 + 0x16) = 0;
								 *(_t115 + 0x18) = 0;
								goto L12;
							} else {
								if( *((intOrPtr*)(_t115 + 0xc)) >= 2) {
									if( *((intOrPtr*)(_t115 + 0x10)) <= 2) {
										goto L23;
									}
									L26:
									asm("lock cmpxchg [edx], ecx");
									goto L23;
								}
								goto L26;
							}
						}
						L12:
						return _t156;
					}
					_t159 = _v28 + 0xffffff38;
					_v28 = _t159;
					_t150 = 0x1146dc0 + (_t159 >> 0x00000002 & 0x0000001f) * 4;
					E01072280(_t159 >> 0x00000002 & 0x0000001f, 0x1146dc0 + (_t159 >> 0x00000002 & 0x0000001f) * 4);
					_t156 =  *_t159;
					if(_t156 != 0) {
						_t124 = _v28;
						 *_t124 =  *_t156;
						 *((intOrPtr*)(_t124 + 4)) =  *((intOrPtr*)(_t124 + 4)) + 0xffff;
					}
					E0106FFB0(_t115, _t150, _t150);
					if(_t156 != 0) {
						_v5 = _v5 - 1;
						_t135 = 1;
						L5:
						if(_t156 == 0) {
							goto L16;
						}
						_t141 = _t135 <<  *(_t156 + 8);
						if(_t141 > 0x78000) {
							_t141 = 0x78000;
						}
						_t152 = ( *(_t156 + 0xa) & 0x0000ffff) + _t141;
						_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
						if(_t101 != 0) {
							if( *_t101 == 0) {
								goto L8;
							}
							_t102 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							goto L9;
						} else {
							L8:
							_t102 = 0x7ffe0380;
							L9:
							if( *_t102 != 0) {
								if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
									E011118CA(_t115,  *((intOrPtr*)(_v12 + 0xc)), _t156, _t152, _a4);
								}
							}
							asm("lock xadd [eax], edi");
							goto L11;
						}
					} else {
						L16:
						_t77 = _v5;
						goto L17;
					}
				}
				 *(_t115 + 0x18) = ( *(_t115 + 0x18) & 0x0000ffff) + 1;
				goto L5;
			}

0x0106f37a
0x0106f37d
0x0106f386
0x0106f389
0x0106f38f
0x0106f39a
0x0106f39d
0x0106f3b3
0x0106f3b6
0x0106f3bb
0x0106f3bf
0x0106f3c3
0x0106f3ca
0x0106f3ca
0x0106f3d7
0x0106f3db
0x0106f3df
0x010bbc33
0x010bbc37
0x010bbc3d
0x010bbc40
0x010bbc4c
0x010bbc50
0x010bbc56
0x00000000
0x00000000
0x010bbc58
0x010bbc58
0x010bbc60
0x010bbc63
0x010bbc6b
0x010bbc6b
0x010bbc70
0x010bbc70
0x0106f3e7
0x0106f45a
0x0106f45f
0x0106f495
0x0106f4a8
0x0106f4ac
0x0106f4ba
0x0106f4ba
0x0106f43f
0x0106f443
0x0106f449
0x0106f4e2
0x0106f4ee
0x0106f4fa
0x0106f4fc
0x0106f500
0x0106f504
0x00000000
0x0106f50d
0x0106f516
0x0106f52a
0x00000000
0x00000000
0x0106f51b
0x0106f51b
0x00000000
0x0106f51b
0x00000000
0x0106f518
0x0106f4ee
0x0106f44f
0x0106f457
0x0106f457
0x0106f464
0x0106f46c
0x0106f475
0x0106f47d
0x0106f482
0x0106f486
0x0106f4bf
0x0106f4c4
0x0106f4cb
0x0106f4cb
0x0106f489
0x0106f490
0x0106f4d1
0x0106f4d4
0x0106f3f5
0x0106f3f7
0x00000000
0x00000000
0x0106f400
0x0106f408
0x010bbc7a
0x010bbc7a
0x0106f418
0x0106f41a
0x0106f41f
0x010bbc87
0x00000000
0x00000000
0x010bbc96
0x00000000
0x0106f425
0x0106f425
0x0106f425
0x0106f42a
0x0106f42d
0x010bbcad
0x010bbcbf
0x010bbcbf
0x010bbcad
0x0106f43b
0x00000000
0x0106f43b
0x0106f492
0x0106f492
0x0106f492
0x00000000
0x0106f492
0x0106f490
0x0106f3f1
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951f9d13caf67e1d56929a394dc2fa17337f3d43d163a85ca20789f443af45c0
Instruction ID: 27646194c9a9cdbc385dab0ea3f638f2ee2f21292724b2915ff4c3a3973bf174
Opcode Fuzzy Hash: 951f9d13caf67e1d56929a394dc2fa17337f3d43d163a85ca20789f443af45c0
Instruction Fuzzy Hash: 3E611036A052168FCB69CF5CD4903BEBBF5EF85300B1880A9E895DB745DB34D942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0105395E Relevance: .2, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0105395E(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t67;
				intOrPtr _t74;
				void* _t77;
				intOrPtr* _t81;
				signed int _t93;
				void* _t94;
				intOrPtr* _t97;
				intOrPtr* _t104;
				intOrPtr _t109;
				signed int _t112;
				intOrPtr* _t113;
				signed int _t114;
				void* _t123;

				_v8 =  *0x114d360 ^ _t114;
				_t54 =  *0x11484cc; // 0x0
				_v16 = __edx;
				_t93 = 0;
				_t112 = __ecx;
				_v12 = _v12 & 0;
				L0107FAD0(_t54 + 4);
				_t109 =  *0x11484cc; // 0x0
				_t110 = _t109 + 8;
				_t97 =  *_t110;
				while(_t97 != _t110) {
					_t113 = _t97 - 0x1c;
					_t67 =  *((intOrPtr*)(_t112 + 0xc));
					if( *((intOrPtr*)(_t113 + 0x10)) !=  *((intOrPtr*)(_t112 + 8)) ||  *((intOrPtr*)(_t113 + 0x14)) != _t67 ||  *((intOrPtr*)(_t113 + 8)) !=  *_t112) {
						L21:
						_t97 =  *_t97;
						continue;
					} else {
						_t69 =  *((intOrPtr*)(_t113 + 0xc));
						if( *((intOrPtr*)(_t113 + 0xc)) !=  *((intOrPtr*)(_t112 + 4))) {
							goto L21;
						}
						_t94 = _t113 + 0x28;
						E01072280(_t69, _t94);
						if( *(_t113 + 0x5c) == 2) {
							__eflags = _v16;
							if(_v16 == 0) {
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *(_t113 + 0x58));
								 *(_t113 + 0x58) =  *(_t113 + 0x58) & 0x00000000;
								 *(_t113 + 0x5c) =  *(_t113 + 0x5c) & 0x00000000;
								L8:
								asm("lock inc dword [esi+0x50]");
								 *(_t113 + 0x5c) = 1;
								E0106FFB0(_t94, _t112, _t94);
								_t74 =  *0x11484cc; // 0x0
								_t123 = _t74 + 4;
								E0107FA00(_t94, _t97, _t112, _t74 + 4);
								while(1) {
									_t95 = 0;
									_t77 = E01053ACA(0, _t112, _t113, _t112, _t113, _t123, 0);
									_t124 = _t77 - 0xc000022d;
									if(_t77 == 0xc000022d) {
										_t95 = 0xc000022d;
									}
									_t110 = _t113;
									if(E01053ACA(_t95, _t112, _t113, _t112, _t113, _t124, 1) == 0xc000022d) {
										_t93 = 0xc000022d;
									}
									E01072280(_t113 + 0x28, _t113 + 0x28);
									_v12 = _v12 + 1;
									_t104 = _t113 + 0x2c;
									_t81 =  *_t104;
									while(_t81 != _t104) {
										 *(_t81 + 0x60) =  *(_t81 + 0x60) & 0x00000000;
										_t81 =  *_t81;
									}
									if( *(_t113 + 0x58) != 0) {
										_t112 =  *(_t113 + 0x58);
										 *(_t113 + 0x58) =  *(_t113 + 0x58) & 0x00000000;
										E0106FFB0(_t93, _t112, _t113 + 0x28);
										continue;
									}
									if(_t93 != 0) {
										__eflags = _t93 - 0xc000022d;
										if(_t93 == 0xc000022d) {
											 *(_t113 + 0x58) = _t112;
											 *(_t113 + 0x5c) = 2;
											E010E2DA1(_t113);
										}
										L17:
										E0106FFB0(_t93, _t112, _t113 + 0x28);
										E0108DE9E(_t113);
										L18:
										if(_v12 > 1) {
											_t113 = 0;
											_t49 = _t112 + 8; // 0x8
											_push(0);
											_push(0);
											_push(_t93);
											_push( *((intOrPtr*)(_t112 + 0x18)));
											_push(_t112);
											E0109A3A0();
											__eflags = _t93;
											if(_t93 == 0) {
												L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t112);
											}
											_t93 = 0x80;
										}
										return E0109B640(_t93, _t93, _v8 ^ _t114, _t110, _t112, _t113);
									}
									 *(_t113 + 0x5c) =  *(_t113 + 0x5c) & _t93;
									if( *((intOrPtr*)(_t113 + 0x18)) != _t93) {
										__eflags =  *((intOrPtr*)(_t112 + 0x10)) -  *((intOrPtr*)(_t113 + 0x18));
										if( *((intOrPtr*)(_t112 + 0x10)) -  *((intOrPtr*)(_t113 + 0x18)) > 0) {
											goto L16;
										}
										goto L17;
									}
									L16:
									 *((intOrPtr*)(_t113 + 0x18)) =  *((intOrPtr*)(_t112 + 0x10));
									goto L17;
								}
							}
							_push(_t94);
							L27:
							E0106FFB0(_t94, _t112);
							_t93 = 0x80;
							break;
						}
						if( *(_t113 + 0x5c) == 1) {
							__eflags = _v16;
							_push(_t94);
							if(_v16 != 0) {
								goto L27;
							}
							 *(_t113 + 0x58) = _t112;
							E0106FFB0(_t94, _t112);
							_t93 = 0x103;
							break;
						}
						goto L8;
					}
				}
				_t57 =  *0x11484cc; // 0x0
				E0107FA00(_t93, _t97, _t112, _t57 + 4);
				goto L18;
			}

0x0105396d
0x01053970
0x0105397b
0x0105397e
0x01053980
0x01053982
0x01053986
0x0105398b
0x01053991
0x01053994
0x01053996
0x010539a1
0x010539a7
0x010539aa
0x01053aa7
0x01053aa7
0x00000000
0x010539c4
0x010539c4
0x010539ca
0x00000000
0x00000000
0x010539d0
0x010539d4
0x010539dd
0x010afffc
0x010b0000
0x010b0020
0x010b0025
0x010b0029
0x010539ed
0x010539ed
0x010539f2
0x010539f9
0x010539fe
0x01053a03
0x01053a07
0x01053a0c
0x01053a0c
0x01053a13
0x01053a1d
0x01053a1f
0x010b004b
0x010b004b
0x01053a27
0x01053a37
0x010b0052
0x010b0052
0x01053a41
0x01053a46
0x01053a49
0x01053a4c
0x01053a4e
0x01053a9f
0x01053aa3
0x01053aa3
0x01053a56
0x010b0059
0x010b005f
0x010b0064
0x00000000
0x010b0064
0x01053a5e
0x010b0073
0x010b0075
0x010b007d
0x010b0080
0x010b0087
0x010b0087
0x01053a72
0x01053a76
0x01053a7d
0x01053a82
0x01053a86
0x010b0091
0x010b0093
0x010b0096
0x010b0097
0x010b0098
0x010b0099
0x010b009c
0x010b009e
0x010b00a3
0x010b00a5
0x010b00b2
0x010b00b2
0x010b00b7
0x010b00b7
0x01053a9e
0x01053a9e
0x01053a64
0x01053a6a
0x01053ac4
0x01053ac6
0x00000000
0x00000000
0x00000000
0x01053ac8
0x01053a6c
0x01053a6f
0x00000000
0x01053a6f
0x01053a0c
0x010b0002
0x010b0003
0x010b0003
0x010b0008
0x00000000
0x010b0008
0x010539e7
0x010b0032
0x010b0036
0x010b0037
0x00000000
0x00000000
0x010b0039
0x010b003c
0x010b0041
0x00000000
0x010b0041
0x00000000
0x010539e7
0x010539aa
0x01053aae
0x01053ab7
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74615469959d256d27332776d465c5bf2d7f1b3dda0fb7069b6190494d555f52
Instruction ID: 7c16fec3fcb5d55bcf37d50ff3f9e511111a2cf8f2c46aaa5ed321043ca8ba14
Opcode Fuzzy Hash: 74615469959d256d27332776d465c5bf2d7f1b3dda0fb7069b6190494d555f52
Instruction Fuzzy Hash: 2A51BD71A007429FDB65EF99C884BABB7F9FF54349F00486DE5828B611DB74E884CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0105B171 Relevance: .2, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E0105B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x112f7a8);
				E010AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E010AD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0109D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0109F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L010ADEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0109B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0109B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0109E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0109A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0105b171
0x0105b171
0x0105b171
0x0105b171
0x0105b171
0x0105b176
0x0105b17b
0x0105b180
0x0105b186
0x0105b18f
0x0105b198
0x0105b1a4
0x0105b1aa
0x010b4802
0x010b4802
0x010b4805
0x010b480c
0x010b480e
0x0105b1d1
0x0105b1d3
0x0105b1de
0x0105b1de
0x010b4817
0x010b481e
0x010b4820
0x010b4822
0x010b4822
0x010b4824
0x010b4824
0x010b482a
0x00000000
0x00000000
0x010b4835
0x010b483a
0x010b483d
0x010b483f
0x010b4842
0x010b4842
0x010b4842
0x010b4846
0x010b484c
0x010b484e
0x010b4851
0x010b4851
0x010b4853
0x010b4854
0x010b4854
0x010b4858
0x010b485a
0x010b485a
0x010b485d
0x010b485f
0x010b4861
0x010b4861
0x010b4866
0x010b486b
0x010b486e
0x010b4871
0x010b4876
0x010b4876
0x010b4878
0x010b487b
0x010b4884
0x010b4884
0x00000000
0x010b487d
0x010b487d
0x010b4882
0x010b4889
0x010b4889
0x010b488f
0x010b4891
0x010b48e0
0x010b48e2
0x010b48e4
0x010b48e4
0x010b48e7
0x010b48e7
0x010b48ed
0x010b48f4
0x010b48f6
0x010b4951
0x010b4951
0x010b4953
0x010b4953
0x010b4956
0x010b4956
0x010b4958
0x010b4959
0x010b4959
0x010b495d
0x010b495d
0x010b495f
0x010b495f
0x010b4965
0x010b4969
0x010b49ba
0x010b49ba
0x010b49c1
0x010b49c5
0x010b49cc
0x010b49d4
0x010b49d7
0x010b49da
0x010b49e4
0x010b49e5
0x010b49f3
0x010b4a02
0x00000000
0x010b4a02
0x010b4972
0x010b4974
0x00000000
0x00000000
0x010b4976
0x010b4979
0x010b4982
0x010b4983
0x010b4984
0x010b498b
0x010b498d
0x010b4991
0x010b4993
0x010b4999
0x010b499d
0x010b49a2
0x010b49a2
0x010b49a2
0x010b4999
0x010b49ac
0x00000000
0x010b49b3
0x010b48f8
0x010b48fe
0x00000000
0x00000000
0x00000000
0x010b48fe
0x010b4895
0x010b489c
0x010b48ad
0x010b48b2
0x010b48b5
0x010b48b7
0x010b48ba
0x010b48bc
0x010b48c6
0x010b48c6
0x010b48cb
0x010b48d1
0x010b48d4
0x010b48d8
0x010b48d8
0x00000000
0x010b48d8
0x010b48be
0x010b48c0
0x00000000
0x00000000
0x010b48c2
0x00000000
0x00000000
0x00000000
0x010b48c4
0x00000000
0x010b4882
0x010b487b
0x010b4904
0x010b4906
0x00000000
0x00000000
0x010b4908
0x010b490e
0x00000000
0x00000000
0x010b4910
0x010b4917
0x010b4917
0x00000000
0x010b4917
0x0105b1ba
0x010b47f9
0x010b47fc
0x00000000
0x00000000
0x00000000
0x010b47fc
0x0105b1c0
0x0105b1c0
0x0105b1c3
0x0105b1cb
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7f07b889b1f50ee1beb28ae19e7034ae46645a66ab1edbbdec1d95d8435828
Instruction ID: fde2b42dd6138aacf59466c82b4c7a7175d314c1a97d89b31f971d0278e1993f
Opcode Fuzzy Hash: fc7f07b889b1f50ee1beb28ae19e7034ae46645a66ab1edbbdec1d95d8435828
Instruction Fuzzy Hash: 6B51C071D002698EDF66CF68C894BFEBBF1AF04710F1041A9D89AEB282D7714A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010895EC Relevance: .2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E010895EC(intOrPtr __ecx, signed int __edx, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				signed int _t59;
				signed int* _t62;
				void* _t68;
				intOrPtr _t86;
				void* _t90;
				signed int _t91;
				signed int _t92;
				signed int _t95;
				signed int _t111;
				signed int _t114;
				signed int _t116;

				_v8 =  *0x114d360 ^ _t116;
				_t114 = __edx;
				_v28 = __ecx;
				_v24 = 0;
				_v20 = 0;
				_t115 =  *((intOrPtr*)(__edx + 0x58));
				if(_t115 != 0) {
					_push( &_v20);
					_push(0);
					_push(0);
					E01093720(_t90, __edx, __edx, _t115, __eflags);
				}
				_t91 = _t114 + 0x8c;
				_t95 =  *_t91;
				do {
					_t111 = _t95;
					_t55 = _t95 >> 1;
					if(_t55 == 0) {
						_v16 = _v16 & 0x00000000;
						_v12 = _v12 & 0x00000000;
					} else {
						_v16 = 1;
						_v12 = 1;
						if((_t95 & 0x00000001 | _t55 * 0x00000002 - 0x00000002) < 2) {
							_v12 = _v12 & 0x00000000;
						}
					}
					asm("lock cmpxchg [ebx], ecx");
					_t95 = _t111;
				} while (_t95 != _t111);
				_t92 = _t91 | 0xffffffff;
				if(_t115 != 0) {
					__eflags = _v16;
					if(__eflags != 0) {
						__eflags = E0108EAA0(_t95, 0, _t115);
						if(__eflags >= 0) {
							_t86 = _v28;
							_t35 = _t86 + 0x50;
							 *_t35 =  *(_t86 + 0x50) | 0x00000100;
							__eflags =  *_t35;
							 *((intOrPtr*)(_t86 + 0x64)) = _t115;
						} else {
							_v16 = _v16 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_v24 = 1;
						}
					}
					_push(_v20);
					_push(0);
					E01094520(_t92, _t114, _t115, __eflags);
					__eflags = _v24;
					if(_v24 != 0) {
						_t113 = _t92;
						E01089ED0(_t114 + 0x20, _t92, 0);
						E01128450(_t114);
					}
				}
				if(_v12 != 0) {
					_push(2);
					asm("lock xadd [edi], eax");
					_t59 = E01077D50();
					__eflags = _t59;
					if(_t59 != 0) {
						_t62 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t62 = 0x7ffe0386;
					}
					__eflags =  *_t62;
					if( *_t62 != 0) {
						E01128A62( *(_t114 + 0x5c), _t114 + 0x78,  *((intOrPtr*)(_t114 + 0x30)),  *((intOrPtr*)(_t114 + 0x34)),  *((intOrPtr*)(_t114 + 0x3c)));
					}
					_t113 =  *(_t114 + 0x5c);
					E01089702(_t92, _t114 + 0x78,  *(_t114 + 0x5c),  *((intOrPtr*)(_t114 + 0x74)), 0);
					asm("lock xadd [edi], eax");
					if(__eflags == 0) {
						_t115 =  *((intOrPtr*)( *((intOrPtr*)(_t114 + 4))));
						 *0x114b1e0(_t114);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 4))))))();
					}
				}
				if(_a4 != 0) {
					_t113 = 0;
					__eflags = E0108992F(0);
					if(__eflags != 0) {
						 *((intOrPtr*)(_t114 + 0x70)) = _v0;
						asm("lock xadd [edi], eax");
						if(__eflags == 0) {
							_t115 =  *((intOrPtr*)( *((intOrPtr*)(_t114 + 4))));
							 *0x114b1e0(_t114);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 4))))))();
						}
					}
				}
				if(_v16 == 0) {
					asm("lock xadd [edi], ebx");
					_t92 = _t92 - 1;
					__eflags = _t92;
					if(_t92 == 0) {
						_t115 =  *((intOrPtr*)( *((intOrPtr*)(_t114 + 4))));
						 *0x114b1e0(_t114);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 4))))))();
					}
					_t68 = 0;
				} else {
					_t113 = _t114;
					E0107E63F(_v28, _t114);
					_t68 = 1;
				}
				return E0109B640(_t68, _t92, _v8 ^ _t116, _t113, _t114, _t115);
			}

0x010895fb
0x01089601
0x01089603
0x01089608
0x0108960b
0x0108960e
0x01089613
0x010c967f
0x010c9680
0x010c9681
0x010c9682
0x010c9682
0x01089619
0x0108961f
0x01089621
0x01089623
0x01089625
0x01089627
0x010c968c
0x010c9690
0x0108962d
0x01089634
0x01089643
0x01089649
0x0108964b
0x0108964f
0x01089649
0x01089653
0x01089657
0x01089659
0x0108965d
0x01089662
0x010c969c
0x010c96a0
0x010c96aa
0x010c96ac
0x010c96bf
0x010c96c2
0x010c96c2
0x010c96c2
0x010c96c9
0x010c96ae
0x010c96ae
0x010c96b2
0x010c96b6
0x010c96b6
0x010c96ac
0x010c96cc
0x010c96cf
0x010c96d1
0x010c96d6
0x010c96da
0x010c96e5
0x010c96e7
0x010c96ed
0x010c96ed
0x010c96da
0x0108966c
0x0108969e
0x010896a1
0x010896a5
0x010896aa
0x010896ac
0x010c9700
0x010896b2
0x010896b2
0x010896b2
0x010896b9
0x010896bb
0x010c9719
0x010c9719
0x010896c1
0x010896cc
0x010896d3
0x010896d7
0x010c9727
0x010c972b
0x010c9731
0x010c9731
0x010896d7
0x01089672
0x010896de
0x010896e7
0x010896e9
0x010896ee
0x010896f3
0x010896f7
0x010c973c
0x010c9740
0x010c9746
0x010c9746
0x010896f7
0x010896e9
0x01089678
0x010c974d
0x010c9751
0x010c9751
0x010c9752
0x010c9758
0x010c975c
0x010c9762
0x010c9762
0x010c9764
0x0108967e
0x01089681
0x01089683
0x0108968a
0x0108968a
0x0108969b

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05198c8b7257c011907ed8a62123dab4a67b6d9b2d2d14789190bc6978804f9d
Instruction ID: c77ac1c9807c545c847fcbe6efcef582e86dd269a70dccae2009adae7961c577
Opcode Fuzzy Hash: 05198c8b7257c011907ed8a62123dab4a67b6d9b2d2d14789190bc6978804f9d
Instruction Fuzzy Hash: 0151CE30A0860AAFDB15EF68C844BBEBBB4BF9871CF004169D59297690DB749920CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0111B581 Relevance: .2, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0111B581(char __ecx) {
				signed int _v8;
				signed int _v11;
				intOrPtr _v15;
				short _v41;
				char _v47;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v55;
				signed int _v56;
				char _v60;
				intOrPtr _v63;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t54;
				signed int _t60;
				char* _t66;
				void* _t67;
				signed int _t87;
				signed int _t88;
				void* _t89;
				signed char _t91;
				intOrPtr* _t98;
				signed int _t107;
				signed int _t108;
				signed int _t114;
				signed int _t115;
				char _t117;
				void* _t120;
				signed int* _t123;
				void* _t124;
				signed int _t128;
				signed int _t129;

				_t131 = (_t129 & 0xfffffff8) - 0x3c;
				_v8 =  *0x114d360 ^ (_t129 & 0xfffffff8) - 0x0000003c;
				_t117 = __ecx;
				_v60 = __ecx;
				_t91 =  *((intOrPtr*)(__ecx + 0x38));
				_t54 =  *(__ecx + 0x34);
				_t87 = _t91 & 1;
				if(_t54 == 0) {
					L17:
					 *(_t117 + 0x34) =  *(_t117 + 0x34) & 0x00000000;
					 *(_t117 + 0x38) =  *(_t117 + 0x38) & 0x00000000;
					if((_t91 & 0x00000001) != 0) {
						 *(_t117 + 0x38) = 1;
					}
					_t118 = _v60;
					_t88 = _v60 + 0xe8;
					while(1) {
						_t122 =  *_t88;
						if( *_t88 == 0) {
							break;
						}
						E01122EF7(_t118 + 0xd8, _t122 ^ _t88);
						E01123209(_t118 + 0xd8, _t122 ^ _t88, 1);
					}
					E0111CB82(_v60 + 0x118);
					E0111FA96();
					E0111FA96();
					_t98 = _v60;
					_v48 =  *((intOrPtr*)(_t98 + 4));
					_t60 =  *((intOrPtr*)(_t98 + 0xd4)) - _t98;
					_v52 =  *_t98;
					_v56 = _t60;
					_push( *((intOrPtr*)(_t98 + 4)));
					_push( *_t98);
					if(( *(_t98 + 0x2c) & 0x00000001) == 0) {
						asm("sbb eax, eax");
						_push((_t60 & 0x01000000) + 0x8000);
						E0111AFDE( &_v60,  &_v56);
					} else {
						E0111BCD2(_t98);
					}
					E0111C23A( &_v55, 0);
					if(E01077D50() == 0) {
						_t66 = 0x7ffe0388;
					} else {
						_t66 = ( *[fs:0x30])[0x14] + 0x22e;
					}
					if( *_t66 != 0) {
						E0110FDD3(_v63);
					}
					_t67 = E01077D50();
					_t123 = 0x7ffe0380;
					if(_t67 == 0) {
						_t68 = 0x7ffe0380;
					} else {
						_t68 = ( *[fs:0x30])[0x14] + 0x226;
					}
					if( *_t68 != 0) {
						_t68 =  *[fs:0x30];
						if((( *[fs:0x30])[0x90] & 0x00000001) != 0) {
							if(E01077D50() != 0) {
								_t123 = ( *[fs:0x30])[0x14] + 0x226;
							}
							_v15 = _v63;
							_v41 = 0x1023;
							_push( &_v47);
							_push(4);
							_push(0x402);
							_push( *_t123 & 0x000000ff);
							_t68 = E01099AE0();
						}
					}
					_pop(_t120);
					_pop(_t124);
					_pop(_t89);
					return E0109B640(_t68, _t89, _v11 ^ _t131, 0, _t120, _t124);
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t107 =  *_t54;
					if(_t107 != 0) {
						break;
					}
					_t108 =  *(_t54 + 4);
					if(_t108 == 0) {
						_t128 =  *(_t54 + 8) & 0xfffffffc;
						if(_t87 != 0 && _t128 != 0) {
							_t128 = _t128 ^ _t54;
						}
						E0111E962(_t87, _t108, _t54, _t117);
						if(_t128 == 0) {
							_t91 =  *(_t117 + 0x38);
							goto L17;
						} else {
							_t54 = _t128;
							continue;
						}
					}
					_t115 = _t54;
					if(_t87 == 0) {
						_t54 = _t108;
					} else {
						_t54 = _t54 ^ _t108;
					}
					 *(_t115 + 4) =  *(_t115 + 4) & 0x00000000;
				}
				_t114 = _t54;
				if(_t87 == 0) {
					_t54 = _t107;
				} else {
					_t54 = _t54 ^ _t107;
				}
				 *_t114 =  *_t114 & 0x00000000;
				goto L1;
			}

0x0111b589
0x0111b593
0x0111b59a
0x0111b59c
0x0111b5a0
0x0111b5a3
0x0111b5a9
0x0111b5ae
0x0111b602
0x0111b602
0x0111b606
0x0111b60d
0x0111b60f
0x0111b60f
0x0111b613
0x0111b617
0x0111b61d
0x0111b61d
0x0111b621
0x00000000
0x00000000
0x0111b62d
0x0111b63c
0x0111b63c
0x0111b64d
0x0111b659
0x0111b668
0x0111b66d
0x0111b676
0x0111b680
0x0111b682
0x0111b686
0x0111b68e
0x0111b691
0x0111b693
0x0111b6a7
0x0111b6b3
0x0111b6b4
0x0111b695
0x0111b695
0x0111b695
0x0111b6bf
0x0111b6cb
0x0111b6dd
0x0111b6cd
0x0111b6d6
0x0111b6d6
0x0111b6e5
0x0111b6eb
0x0111b6eb
0x0111b6f0
0x0111b6f5
0x0111b701
0x0111b710
0x0111b703
0x0111b70c
0x0111b70c
0x0111b715
0x0111b717
0x0111b724
0x0111b72d
0x0111b738
0x0111b738
0x0111b740
0x0111b749
0x0111b752
0x0111b753
0x0111b755
0x0111b75d
0x0111b75e
0x0111b75e
0x0111b724
0x0111b767
0x0111b768
0x0111b769
0x0111b774
0x00000000
0x00000000
0x00000000
0x0111b5b0
0x0111b5b0
0x0111b5b0
0x0111b5b4
0x00000000
0x00000000
0x0111b5c7
0x0111b5cc
0x0111b5e3
0x0111b5e8
0x0111b5ee
0x0111b5ee
0x0111b5f2
0x0111b5f9
0x0111b5ff
0x00000000
0x0111b5fb
0x0111b5fb
0x00000000
0x0111b5fb
0x0111b5f9
0x0111b5ce
0x0111b5d2
0x0111b5d8
0x0111b5d4
0x0111b5d4
0x0111b5d4
0x0111b5da
0x0111b5da
0x0111b5b6
0x0111b5ba
0x0111b5c0
0x0111b5bc
0x0111b5bc
0x0111b5bc
0x0111b5c2
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10627510237ec58c081a0c7d981d4a5683cc85a93d489085f585f3371893b3bd
Instruction ID: 44b3d1f261c3a75aaafd6c711e5a1f0b0897fae1a7b47305a7716075a436d033
Opcode Fuzzy Hash: 10627510237ec58c081a0c7d981d4a5683cc85a93d489085f585f3371893b3bd
Instruction Fuzzy Hash: 8451F1316087428BE319DF28C594BAAFBF1BF54714F08097DE9858B294EB34E805CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 010552A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E010552A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0106EEF0(0x11479a0);
					_t104 =  *0x1148210; // 0xb22d28
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0106EB70(_t93, 0x11479a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01099890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0106EEF0(0x11479a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0106EB70(0, 0x11479a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xb22d35
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0108F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0106EEF0(0x11479a0);
									__eflags =  *0x1148210 - _t104; // 0xb22d28
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1148210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E010D4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0106EB70(_t95, 0x11479a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E010995D0();
											L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E010995D0();
											L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0106EB70(_t93, 0x11479a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E010995D0();
										L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E010995D0();
										L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0108F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x010552a5
0x010552ad
0x010552b0
0x010552b3
0x010552b7
0x010552ba
0x010552bf
0x010552c4
0x010552cc
0x00000000
0x00000000
0x010552ce
0x010552d9
0x010552dd
0x010552e7
0x010552f7
0x010552f9
0x010552fd
0x010b0dcf
0x010b0dd5
0x010b0dd6
0x010b0dd7
0x010b0dd8
0x010b0dd9
0x010b0dde
0x010b0ddf
0x010b0de0
0x010b0de1
0x010b0de2
0x010b0de5
0x010b0dea
0x010b0dec
0x010b0f60
0x010b0f64
0x010b0f70
0x010b0f76
0x010b0f79
0x010b0f79
0x00000000
0x010b0f64
0x010b0df2
0x010b0df7
0x010b0e04
0x010b0e0d
0x010b0e0d
0x010b0e10
0x010b0e1a
0x010b0e1c
0x010b0e4c
0x010b0e52
0x010b0e61
0x010b0e67
0x010b0e6b
0x010b0e70
0x010b0e76
0x010b0ed7
0x010b0edc
0x010b0ee0
0x010b0ee6
0x010b0eea
0x010b0eed
0x010b0ef0
0x010b0ef3
0x010b0ef6
0x010b0ef9
0x010b0efe
0x010b0f01
0x010b0f01
0x010b0f0b
0x010b0f12
0x010b0f16
0x010b0f18
0x010b0f1b
0x010b0f2c
0x010b0f31
0x010b0f31
0x010b0f35
0x010b0f39
0x010b0f3a
0x010b0f3c
0x010b0f3f
0x010b0f50
0x010b0f55
0x010b0f55
0x010b0f59
0x010552eb
0x010552f1
0x010552f1
0x010b0e7d
0x010b0e84
0x010b0e88
0x010b0e8a
0x010b0e8d
0x010b0e9e
0x010b0ea3
0x010b0ea3
0x010b0ea7
0x010b0eaf
0x010b0eb3
0x010b0eb9
0x010b0eb9
0x010b0ebc
0x010b0ecd
0x010b0ecd
0x00000000
0x010b0eb3
0x010b0e21
0x010b0e2b
0x010b0e2f
0x010b0e30
0x010b0e3a
0x010b0e3f
0x010b0e41
0x00000000
0x00000000
0x010b0e47
0x00000000
0x010b0e47
0x010b0df9
0x010b0dfe
0x00000000
0x00000000
0x00000000
0x010b0dfe
0x01055303
0x01055307
0x00000000
0x01055309
0x00000000
0x01055309
0x01055307
0x010552e9
0x010552e9
0x00000000
0x010552e9
0x0105530e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bfed5d00c6d863983010f3f443a73853325c2c19e53f380137d605d2c34d44
Instruction ID: ef0c7d5d17a3d6e438d4eeb0bae8bebe742c8ab149e4134c2e16e83de51ec96c
Opcode Fuzzy Hash: 12bfed5d00c6d863983010f3f443a73853325c2c19e53f380137d605d2c34d44
Instruction Fuzzy Hash: 6851BC75205342ABDB21EF68C841BABBBE8FF50B50F14091EF8D587691E770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01082AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01082AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1148204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1148208; // 0x1148207
				_t8 = _t57 + 0x1148208; // 0x1148207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1148450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x114821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1146d5c; // 0x7f980654
							_t72 =  *0x1146d5c; // 0x7f980654
							_t75 =  *0x1146d5c; // 0x7f980654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1146d5c; // 0x7f980654
							_t84 =  *0x1146d5c; // 0x7f980654
							_t87 =  *0x1146d5c; // 0x7f980654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0109F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x01082ae4
0x01082aec
0x01082aef
0x01082af4
0x01082af7
0x01082afd
0x01082b92
0x01082b92
0x01082b97
0x01082b9c
0x01082b9c
0x01082b03
0x01082b06
0x01082b09
0x01082b09
0x01082b0f
0x01082b15
0x01082b15
0x01082b1b
0x01082b1e
0x01082b21
0x01082b26
0x01082b29
0x01082b81
0x01082b84
0x01082c0e
0x01082c15
0x01082c24
0x01082c24
0x01082b8a
0x01082b8a
0x01082b8a
0x01082b8a
0x01082b90
0x00000000
0x00000000
0x00000000
0x00000000
0x01082b4a
0x01082b4a
0x01082b4d
0x01082b53
0x00000000
0x00000000
0x01082b55
0x01082b58
0x01082bb7
0x010c5d1b
0x010c5d37
0x010c5d47
0x010c5d53
0x01082bbd
0x01082bbd
0x01082bbd
0x01082bb7
0x01082b5d
0x01082c2f
0x010c5d5b
0x010c5d77
0x010c5d87
0x010c5d93
0x01082c35
0x01082c35
0x01082c35
0x01082c2f
0x01082b65
0x01082b9f
0x01082ba2
0x01082b67
0x01082b67
0x01082b69
0x01082b6b
0x01082b6e
0x01082bc9
0x01082bcc
0x01082bcf
0x01082bd4
0x01082bd6
0x01082bd6
0x01082bdb
0x01082c02
0x01082c05
0x01082c07
0x00000000
0x01082c07
0x01082be0
0x01082c00
0x01082c3f
0x01082c3f
0x00000000
0x01082c00
0x01082be5
0x01082be7
0x01082bec
0x01082bf4
0x01082bf6
0x00000000
0x01082bf6
0x01082b70
0x01082b76
0x01082b2b
0x01082b2b
0x01082b2d
0x01082b2f
0x01082b32
0x01082b35
0x01082b3a
0x00000000
0x01082b40
0x01082b43
0x01082b45
0x01082b47
0x01082b4a
0x01082b4d
0x01082b53
0x00000000
0x00000000
0x00000000
0x01082b53
0x01082b78
0x01082b78
0x01082b7b
0x01082b7e
0x00000000
0x01082b7e
0x01082b76
0x01082ba5
0x01082ba5
0x01082ba8
0x01082bad
0x00000000
0x00000000
0x01082baf
0x01082baf
0x01082bc2
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fce047982fc0d804a8977496c28dcb87b2d3e672ad315a55698dde613f7bfd
Instruction ID: 288f2083a5a1ac45432b33e2aae2636f4091b97ad754235af05675374b333a47
Opcode Fuzzy Hash: c6fce047982fc0d804a8977496c28dcb87b2d3e672ad315a55698dde613f7bfd
Instruction Fuzzy Hash: 8051D47AB05115CFCB18EF5CC8909BDB7F1FB88700715846AE9D69B315E730AA91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0111B0C7 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0111B0C7(signed int __ecx, signed int __edx, unsigned int _a4, intOrPtr _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				void* __ebx;
				char* _t67;
				signed int _t87;
				char _t96;
				unsigned int _t97;
				signed int _t105;
				signed int _t113;
				signed int _t115;
				signed int _t120;

				_t105 = __edx;
				_v8 = _v8 & 0x00000000;
				_t115 = __ecx;
				if(__edx > 0x40) {
					_t105 = 0x40;
				}
				_push(_a8);
				_t4 = _t105 + 3; // 0x43
				_t113 = 0x1000;
				_v16 = 0x1000;
				_t7 = 0x1fd0 + ((_t4 & 0xfffffffc) + _t105 * 0x24) * 0x81 - 1; // -8078
				_t96 = 0x1fd0 + ((_t4 & 0xfffffffc) + _t105 * 0x24) * 0x81 - (_t7 & 0x00000fff) + 0xfff;
				_v20 = _t96;
				_t87 = 0;
				_v12 = _t96;
				_t97 = _a4;
				if( *((intOrPtr*)(E0111BD32(_t97))) == 0 || ( *0x1145cb8 & 0x00000008) != 0 || (_t115 & 0x40000000) != 0 || _t97 >> 0x10 != 0) {
					asm("sbb ebx, ebx");
					_t87 = _t87 & 0x01000000;
					asm("sbb esi, esi");
					_t119 = ( ~(_t115 & 0x40000000) & 0x0000003c) + 4;
					if(E0111A854( &_v8,  &_v12, 0, _t87 | 0x00002000, ( ~(_t115 & 0x40000000) & 0x0000003c) + 4, 0, _t97, _a8) >= 0) {
						if(E0111A854( &_v8,  &_v16, 0, _t87 | _t113, _t119, 0, _a4, _a8) < 0) {
							goto L9;
						} else {
							if(E01077D50() == 0) {
								_t67 = 0x7ffe0380;
							} else {
								_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							if( *_t67 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
								_t113 = _v16;
							} else {
								_t113 = _v16;
								E0111138A(_t87, _v8, _v8, _t113, 0xb);
							}
							_v16 = _v16 & 0x00000000;
							_t120 = _v8;
							_v8 = _v8 & 0x00000000;
							goto L19;
						}
					} else {
						L9:
						_t120 = 0;
					}
				} else {
					_v16 = 1;
					_t120 = E0111BBBB(_v20, 0x1000, 1, _t97, _a8);
					if(_t120 != 0) {
						L19:
						E0109FA60(_t120, 0, 0x398);
						_t37 = _t120 + 0x398; // 0x398
						 *((intOrPtr*)(_t120 + 0xcc)) = _t37;
						 *((intOrPtr*)(_t120 + 0xd0)) = _t120 + _t113;
						 *((intOrPtr*)(_t120 + 0xd4)) = _v12 + _t120;
						 *(_t120 + 0x2c) =  *(_t120 + 0x2c) & 0xfffffffe | _v16;
						asm("lock xadd [eax], ecx");
						asm("lock xadd [eax], edi");
					}
				}
				if(_v8 != 0) {
					_push(_a8);
					_push(_a4);
					_push(_t87 | 0x00008000);
					E0111AFDE( &_v8,  &_v12);
				}
				return _t120;
			}

0x0111b0c7
0x0111b0cf
0x0111b0d5
0x0111b0db
0x0111b0df
0x0111b0df
0x0111b0e0
0x0111b0e6
0x0111b0f3
0x0111b0fc
0x0111b105
0x0111b10c
0x0111b110
0x0111b113
0x0111b115
0x0111b118
0x0111b123
0x0111b16a
0x0111b175
0x0111b180
0x0111b18a
0x0111b19a
0x0111b1c0
0x00000000
0x0111b1c2
0x0111b1c9
0x0111b1db
0x0111b1cb
0x0111b1d4
0x0111b1d4
0x0111b1e3
0x0111b206
0x0111b1f4
0x0111b1f9
0x0111b1ff
0x0111b1ff
0x0111b209
0x0111b20d
0x0111b210
0x00000000
0x0111b210
0x0111b19c
0x0111b19c
0x0111b19c
0x0111b19c
0x0111b13f
0x0111b14c
0x0111b154
0x0111b158
0x0111b214
0x0111b21c
0x0111b221
0x0111b22a
0x0111b233
0x0111b23e
0x0111b24d
0x0111b259
0x0111b263
0x0111b263
0x0111b158
0x0111b26b
0x0111b26d
0x0111b279
0x0111b27f
0x0111b280
0x0111b280
0x0111b28d

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf606936ea0df74db53300154c24f31f7e384a6cd409149d36c594ebbbfc878d
Instruction ID: d2c480ee4cc36407803438fac30bd0697b7a1d7114f0a3c1d715ab61cf160c3f
Opcode Fuzzy Hash: cf606936ea0df74db53300154c24f31f7e384a6cd409149d36c594ebbbfc878d
Instruction Fuzzy Hash: FF51E772A04208ABDB2ACF58DC80BEEFBB5EF44314F058579E915EB194D774AA04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0107DBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0107DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0105CC50(E01054510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E01077D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01128ED6(_t102, _t98);
						}
						_t76 = _v44;
						E01072280(_t58, _v44);
						E0107DD82(_v44, _t102, _t98);
						E0107B944(_t102, _v5);
						return E0106FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1148628; // 0x0
							_v28 = _t67;
							_t68 =  *0x114862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1148628; // 0x0
						_t105 = _v28;
						_t80 =  *0x114862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x111fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0107dbe9
0x0107dbf2
0x0107dbf7
0x0107dbf9
0x0107dbfc
0x0107dc00
0x0107dc03
0x0107dc14
0x0107dd54
0x0107dd54
0x0107dd54
0x0107dc18
0x0107dc1d
0x0107dc1d
0x0107dc32
0x0107dc3b
0x0107dc3e
0x0107dc46
0x0107dd5b
0x0107dd62
0x0107dd64
0x0107dd67
0x0107dd69
0x0107dd6b
0x0107dd6e
0x0107dd70
0x0107dd73
0x0107dd73
0x00000000
0x0107dc4c
0x0107dc4e
0x010c3ae3
0x010c3ae8
0x010c3aea
0x0107dce7
0x0107dce9
0x0107dcec
0x0107dcee
0x0107dcf0
0x0107dcf3
0x0107dcf5
0x010c3af2
0x010c3af5
0x010c3af5
0x0107dd06
0x0107dd08
0x0107dd0b
0x0107dd12
0x010c3b08
0x0107dd18
0x0107dd18
0x0107dd18
0x0107dd20
0x0107dd23
0x010c3b16
0x010c3b16
0x0107dd29
0x0107dd2d
0x0107dd36
0x0107dd40
0x0107dd51
0x0107dd51
0x0107dc54
0x0107dc59
0x0107dc59
0x0107dc5e
0x0107dc5e
0x0107dc63
0x0107dc66
0x0107dc6b
0x0107dc78
0x0107dc7b
0x0107dc81
0x0107dc81
0x0107dc83
0x0107dc89
0x00000000
0x00000000
0x0107dd7b
0x0107dd7b
0x0107dc8f
0x0107dc8f
0x0107dc92
0x0107dc99
0x0107dc9f
0x0107dca5
0x0107dcaa
0x0107dcaa
0x0107dcb3
0x0107dcb8
0x0107dcbb
0x0107dcc1
0x0107dccf
0x0107dcd2
0x0107dcd5
0x0107dcd7
0x0107dcda
0x0107dcdc
0x0107dcdc
0x0107dce2
0x0107dce4
0x00000000
0x0107dce4

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b08accc902e53cb593baef38ed10a59cf2827e63d387c80cd95b09e9fbc422
Instruction ID: 40f0a4ebe44768cf032f27e83dd92b449a3ab538fe71996cd73fbb1defd78854
Opcode Fuzzy Hash: c3b08accc902e53cb593baef38ed10a59cf2827e63d387c80cd95b09e9fbc422
Instruction Fuzzy Hash: 5F51AE75E0061ADFCB14DFACC490AAEBBF5BF48310F24819AD995AB341DB31AD44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01094D51 Relevance: .1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01094D51(intOrPtr* __ecx, intOrPtr* __edx) {
				signed int _v8;
				intOrPtr* _v12;
				intOrPtr* _v16;
				signed int _v20;
				signed int* _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __ebx;
				signed int* _t57;
				signed int _t63;
				intOrPtr _t68;
				char* _t72;
				signed int _t80;
				signed int _t89;
				signed int _t91;
				intOrPtr* _t97;
				intOrPtr _t99;
				signed int _t100;
				signed int _t101;
				signed int _t105;
				void* _t107;
				intOrPtr* _t108;
				signed int _t113;

				_t97 = __ecx;
				_v16 = __edx;
				_v12 = __ecx;
				if( *__ecx != __edx) {
					asm("sbb eax, eax");
					_t105 = 0;
					_v8 = 0;
					_t80 = 0;
					_t4 = _t97 + 0x10; // 0x10
					_t57 = _t4;
					_v24 = _t57;
					while(1) {
						_t113 =  *_t57;
						_v20 = _t113;
						if((_t113 >> 0x00000010 & 0x00008000) != 0) {
							goto L23;
						}
						if(_t113 == 0) {
							L20:
							goto L2;
						}
						asm("lock cmpxchg [edx], ecx");
						_t97 = _v12;
						if(_t113 != _t113) {
							goto L23;
						}
						L7:
						if(_t113 == 0xffffffff) {
							goto L20;
						}
						if(_t113 == 0) {
							L19:
							 *_v24 = _t113;
							goto L20;
						}
						_t63 =  *_t97 + 0x50;
						_v28 =  ~( *(_t97 + 0x18) & 0x0000ffff);
						_v8 = _t63;
						do {
							_t107 =  *_t63;
							_t99 =  *((intOrPtr*)(_t63 + 4));
							_v32 = _t99;
							asm("lock cmpxchg8b [esi]");
							_t63 = _v8;
						} while (_t107 != _t107 || _t99 != _v32);
						_t113 = _v20;
						_t100 =  *(_v12 + 0x18) & 0x0000ffff;
						_v8 = _t100;
						_t108 = _v16 + 0x50;
						do {
							_t68 =  *_t108;
							_t89 =  *(_t108 + 4);
							_v32 = _t68;
							_v28 = _t89;
							_t31 = _t89 + 1; // 0x1
							_t101 = _t31;
							if(_t100 == 0) {
								_t40 = _t89 - 1; // -1
								_t101 = _t40;
							}
							_v20 = _t101;
							asm("lock cmpxchg8b [edi]");
							_t91 = _t89;
							_t100 = _v8;
						} while (_t68 != _v32 || _t91 != _v28);
						_t84 = _v12;
						 *_v12 = _v16;
						_t105 = 1;
						if(E01077D50() != 0) {
							_t72 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t72 = 0x7ffe0380;
						}
						if( *_t72 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E0111129A(_t84,  *((intOrPtr*)( *((intOrPtr*)( *_v16 + 0xc)) + 0xc)),  *((intOrPtr*)(_t84 + 4)), ( *( *[fs:0x18] + 0xfa8) & 0x0000ffff) - 1);
							}
						}
						goto L19;
						L23:
						_t80 = _t80 + 1;
						if(_t80 <= _v8) {
							_t41 = _t97 + 0x10; // 0x10
							_t57 = _t41;
							continue;
						}
						_t113 = _t113 | 0xffffffff;
						_v20 = _t113;
						goto L7;
					}
				} else {
					_t105 = 1;
					L2:
					return _t105;
				}
			}

0x01094d5b
0x01094d5e
0x01094d61
0x01094d66
0x01094d7d
0x01094d82
0x01094d84
0x01094d87
0x01094d89
0x01094d89
0x01094d8d
0x01094d90
0x01094d90
0x01094d97
0x01094d9f
0x00000000
0x00000000
0x01094da8
0x01094e82
0x00000000
0x01094e83
0x01094dbb
0x01094dbf
0x01094dc4
0x00000000
0x00000000
0x01094dca
0x01094dcd
0x00000000
0x00000000
0x01094dd5
0x01094e7d
0x01094e80
0x00000000
0x01094e80
0x01094de3
0x01094de6
0x01094de9
0x01094dec
0x01094dec
0x01094dee
0x01094df3
0x01094dff
0x01094e08
0x01094e08
0x01094e15
0x01094e18
0x01094e22
0x01094e25
0x01094e27
0x01094e27
0x01094e2b
0x01094e2e
0x01094e31
0x01094e37
0x01094e37
0x01094e3a
0x01094e89
0x01094e89
0x01094e89
0x01094e3c
0x01094e44
0x01094e48
0x01094e4a
0x01094e4d
0x01094e57
0x01094e5d
0x01094e61
0x01094e69
0x010cf2a8
0x01094e6f
0x01094e6f
0x01094e6f
0x01094e77
0x010cf2bf
0x010cf2e2
0x010cf2e2
0x010cf2bf
0x00000000
0x010cf28e
0x010cf28e
0x010cf292
0x010cf286
0x010cf286
0x00000000
0x010cf286
0x010cf294
0x010cf297
0x00000000
0x010cf297
0x01094d68
0x01094d6a
0x01094d6b
0x01094d71
0x01094d71

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction ID: b73669fbcc112d8f08d4033ba801db0ef71bdefd8aa9d8afcaa55f7968816f19
Opcode Fuzzy Hash: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction Fuzzy Hash: 2A515636A00215CFCB55CF88C590AADF7F2BF88714F2481A9D895EB350D730AE82DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01082990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01082990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x112ff00);
				E010AD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1031664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0109E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1031668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E010D51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x103166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E01082AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E01066600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E01082C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0106EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E01082AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E01082C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E01082ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E010AD0D1(_t62);
				goto L28;
			}

0x01082990
0x01082992
0x01082997
0x010829a3
0x010829a6
0x010829ab
0x010829ad
0x010829b2
0x010c5c80
0x010829b8
0x010829b8
0x010829bb
0x010829c0
0x010829c5
0x010829c6
0x010829c6
0x010829cb
0x00000000
0x00000000
0x010829cd
0x010829d0
0x010829d9
0x010829db
0x010829dd
0x01082a7f
0x01082a84
0x01082a87
0x01082a89
0x010c5ca1
0x010c5ca3
0x00000000
0x01082a8f
0x01082a8f
0x00000000
0x01082a8f
0x00000000
0x010829e3
0x010829e3
0x010829e3
0x00000000
0x010829e3
0x010829dd
0x00000000
0x010829db
0x010829e6
0x010829e9
0x010829eb
0x010829ed
0x010829f3
0x010829f5
0x010829f8
0x010829fa
0x01082a97
0x01082a9a
0x01082a9d
0x01082add
0x00000000
0x01082a9f
0x01082aa2
0x01082aa5
0x01082aa8
0x01082aab
0x010c5cab
0x010c5caf
0x010c5cc5
0x010c5cda
0x010c5cdc
0x010c5cdf
0x010c5ce5
0x00000000
0x010c5ceb
0x010c5ced
0x010c5cee
0x00000000
0x010c5cee
0x010c5cb1
0x010c5cb4
0x010c5cb9
0x010c5cbb
0x00000000
0x010c5cbd
0x010c5cbd
0x00000000
0x010c5cbd
0x010c5cbb
0x01082ab1
0x01082ab1
0x01082ac4
0x01082ac6
0x01082ac6
0x00000000
0x01082ac6
0x01082aab
0x00000000
0x01082a00
0x01082a09
0x01082a0e
0x01082a21
0x01082a24
0x01082a35
0x01082a3a
0x01082a3d
0x01082a42
0x01082a59
0x01082a59
0x01082a5c
0x01082a5f
0x01082a5f
0x010829fa
0x010829f3
0x01082a64
0x01082a64
0x01082a6b
0x01082a6b
0x01082a6d
0x01082a72
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3324c6510a765f9a3ffa0ac729fc967032e7f7462308ffddae3f6f7d134373a5
Instruction ID: 3cf1ea3494feaca6cff8a98e34801ad9c54d4f52df7e42775e59a3286514f102
Opcode Fuzzy Hash: 3324c6510a765f9a3ffa0ac729fc967032e7f7462308ffddae3f6f7d134373a5
Instruction Fuzzy Hash: E6517875A0420ADFDF25EF99C880AEEBBB5BF18710F058159E994AB260C331DD52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01055050 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01055050(void* _a4) {
				char _v24;
				signed int _v28;
				void* _v30;
				intOrPtr _v32;
				void* _v44;
				void* _v46;
				void* _v48;
				void* _v52;
				void* _v60;
				void* _v72;
				intOrPtr _t34;
				short _t36;
				signed int _t38;
				signed short _t41;
				signed int _t51;
				short _t60;
				intOrPtr _t68;
				intOrPtr _t73;
				signed int _t77;
				short _t78;
				short _t79;
				intOrPtr _t80;
				signed int _t81;
				void* _t83;

				_t83 = (_t81 & 0xfffffff8) - 0x1c;
				_t34 =  *[fs:0x30];
				_t58 =  *((intOrPtr*)(_t34 + 0x18));
				_t73 =  *((intOrPtr*)(_t34 + 0x10));
				_v28 =  *((intOrPtr*)(_t34 + 0x18));
				if(E0105519E(_a4) != 0) {
					_t36 = 0;
					L14:
					return _t36;
				}
				_t62 = _a4;
				if(E010774C0(_a4) != 0) {
					_t36 = 0xc0000103;
				} else {
					_t77 =  *(_t73 + 0x26) & 0x0000ffff;
					while(1) {
						_t38 = E01074620(_t62, _t58, 0, _t77);
						_v28 = _t38;
						if(_t38 == 0) {
							break;
						}
						 *((short*)(_t83 + 0x18)) = 0;
						if(_t77 > 0xffff) {
							 *(_t83 + 0x1a) = 0xffff;
							L25:
							_t78 = 0xc0000095;
							L26:
							L010777F0(_t58, 0, _t38);
							_t36 = _t78;
							goto L14;
						}
						 *(_t83 + 0x1a) = _t77;
						_t79 = E01076E30(_a4, _t77, _t38, 0, 0, _t83 + 0x20);
						if(_t79 == 0) {
							_t78 = 0xc0000033;
							L23:
							_t38 =  *((intOrPtr*)(_t83 + 0x1c));
							goto L26;
						}
						_t41 =  *(_t83 + 0x1a);
						_t62 = (_t41 & 0x0000ffff) - 4;
						if(_t79 > (_t41 & 0x0000ffff) - 4) {
							__eflags =  *((char*)( *[fs:0x30] + 3));
							if(__eflags >= 0) {
								_t41 =  *(_t83 + 0x1a);
								goto L7;
							}
							L010777F0(_t58, 0,  *((intOrPtr*)(_t83 + 0x1c)));
							_t77 = _t79 + 4;
							continue;
						}
						L7:
						_t71 = _t41 & 0x0000ffff;
						if(_t79 > (_t41 & 0x0000ffff)) {
							_t78 = 0xc0000106;
							goto L23;
						}
						_t91 = _t79 - 0xffff;
						if(_t79 > 0xffff) {
							 *((short*)(_t83 + 0x18)) = 0xffff;
							_t38 =  *((intOrPtr*)(_t83 + 0x1c));
							goto L25;
						}
						 *((short*)(_t83 + 0x18)) = _t79;
						_t60 = E0108F0BF(_t83 + 0x1c, _t71, _t91,  &_v24);
						L010777F0(_v32, 0,  *((intOrPtr*)(_t83 + 0x1c)));
						if(_t60 >= 0) {
							E0106EEF0(0x11479a0);
							_t68 = _v28;
							_t80 =  *0x1148210; // 0xb22d28
							 *((intOrPtr*)(_t73 + 0x2c)) =  *((intOrPtr*)(_t68 + 4));
							 *((intOrPtr*)(_t73 + 0x28)) =  *((intOrPtr*)(_t68 + 0x10));
							 *((short*)(_t73 + 0x24)) =  *((intOrPtr*)(_t68 + 0xc));
							 *0x1148210 = _t68;
							_t51 = E0106EB70(_t68, 0x11479a0);
							if(_t80 != 0) {
								asm("lock xadd [esi], eax");
								if((_t51 | 0xffffffff) == 0) {
									_push( *((intOrPtr*)(_t80 + 4)));
									E010995D0();
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t80);
								}
							}
						}
						_t36 = _t60;
						goto L14;
					}
					_t36 = 0xc0000017;
				}
			}

0x01055058
0x0105505b
0x01055066
0x0105506a
0x0105506d
0x01055078
0x0105519a
0x01055191
0x01055197
0x01055197
0x0105507e
0x01055088
0x010b0c21
0x0105508e
0x0105508e
0x01055092
0x01055096
0x0105509b
0x010550a1
0x00000000
0x00000000
0x010550ae
0x010550b5
0x010b0c72
0x010b0c77
0x010b0c77
0x010b0c7c
0x010b0c80
0x010b0c85
0x00000000
0x010b0c85
0x010550bf
0x010550d4
0x010550d8
0x010b0c67
0x010b0c6c
0x010b0c6c
0x00000000
0x010b0c6c
0x010550de
0x010550e6
0x010550eb
0x010b0c31
0x010b0c35
0x010b0c4b
0x00000000
0x010b0c4b
0x010b0c3e
0x010b0c43
0x00000000
0x010b0c43
0x010550f1
0x010550f1
0x010550f6
0x010b0c55
0x00000000
0x010b0c55
0x01055101
0x01055103
0x010b0c5c
0x010b0c61
0x00000000
0x010b0c61
0x0105510d
0x01055120
0x01055128
0x0105512f
0x01055136
0x0105513b
0x0105513f
0x0105514d
0x01055153
0x0105515a
0x0105515e
0x01055164
0x0105516b
0x01055170
0x01055174
0x01055176
0x01055179
0x0105518a
0x0105518a
0x01055174
0x0105516b
0x0105518f
0x00000000
0x0105518f
0x010b0c8c
0x010b0c8c

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e18b17aef73619775d108eec9bc2247a24dc3288066c974c1a34c08fa0a174
Instruction ID: dc3333e5b5befa44ff59321faa6da5bae205e1fe870d4a4c3f9bbfac6ddf1a03
Opcode Fuzzy Hash: a0e18b17aef73619775d108eec9bc2247a24dc3288066c974c1a34c08fa0a174
Instruction Fuzzy Hash: 9841CD36604312ABD320EF28CC80BABBBA4AF54750F114929FDD69B291E770DC42C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 01084BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01084BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x114d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0105CC50(_t86);
					L11:
					return E0109B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1148504
				E01072280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0109FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0109B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = E01074620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0105CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1148504
								E0106FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E01084F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x01084bad
0x01084bbf
0x01084bc2
0x01084bc6
0x01084bcd
0x01084bd9
0x010c67fe
0x010c6800
0x01084ccc
0x01084ccd
0x01084cb7
0x01084cc9
0x01084cc9
0x01084bdf
0x01084be5
0x00000000
0x00000000
0x01084beb
0x01084bef
0x00000000
0x00000000
0x01084bf5
0x01084bf9
0x01084c06
0x01084c0b
0x01084c17
0x01084c1c
0x01084c1f
0x01084c25
0x01084c33
0x01084c3d
0x01084c40
0x01084c43
0x01084c47
0x01084c4d
0x01084c53
0x01084c54
0x01084c55
0x01084c56
0x01084c5b
0x01084c5c
0x01084c63
0x01084c6b
0x00000000
0x00000000
0x010c6776
0x010c6784
0x010c6784
0x010c679f
0x010c67a7
0x010c67af
0x010c67ce
0x00000000
0x010c67b1
0x010c67b7
0x010c67b8
0x010c67c1
0x010c67d3
0x010c67d9
0x010c67dd
0x01084c94
0x01084c94
0x01084c98
0x01084c9c
0x01084ca3
0x010c67f4
0x010c67f4
0x01084cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x01084cb5
0x01084c79
0x01084c7e
0x01084c89
0x01084c8b
0x01084c8f
0x01084c8f
0x00000000
0x01084c89
0x010c67c3
0x00000000
0x010c67c3
0x010c67af
0x01084c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bde7f83f6250c4f348ccb1ab70cfd00f8d3eaced0e08f1f7339b118dd377c93
Instruction ID: ea529e0f9d07f4b426d4f7e251d6624033fa0de78879182cb72b067d578eb477
Opcode Fuzzy Hash: 6bde7f83f6250c4f348ccb1ab70cfd00f8d3eaced0e08f1f7339b118dd377c93
Instruction Fuzzy Hash: 2F41B131A002299ADB71EF68C940BEE77F8FF45B10F0105A9E988EB341D6749E81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01084D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01084D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x114d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0109FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1147bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0109B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = E01074620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0105CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0109B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0109F380(_t67 + 0xc, 0x1035138, 0x10) == 0) {
								 *0x11460d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E01084F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E01084E70(0x11486b0, 0x1085690, 0, 0) != 0) {
					_t46 = E0105CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x01084d3b
0x01084d4d
0x01084d53
0x01084d58
0x01084d65
0x01084d6c
0x01084d71
0x01084d77
0x01084d7f
0x01084d8c
0x01084d8e
0x01084dad
0x01084db0
0x01084db7
0x01084db8
0x01084db9
0x01084dba
0x01084dbb
0x01084dc1
0x01084dc8
0x01084dcc
0x01084dd5
0x01084dde
0x01084ddf
0x01084de0
0x01084de1
0x01084de6
0x01084de7
0x01084de9
0x01084df3
0x00000000
0x00000000
0x010c6c7c
0x010c6c8a
0x010c6c8a
0x010c6c9d
0x010c6ca7
0x010c6cac
0x010c6cb2
0x010c6cb9
0x00000000
0x010c6cbf
0x010c6cbf
0x00000000
0x010c6cbf
0x010c6cb9
0x01084dfb
0x010c6ccf
0x010c6cd3
0x01084e32
0x01084e39
0x010c6ce0
0x010c6cf2
0x010c6cf2
0x010c6ce0
0x01084e3f
0x01084e41
0x01084e51
0x01084e51
0x01084e03
0x01084e03
0x01084e09
0x01084e0f
0x01084e57
0x00000000
0x00000000
0x01084e1b
0x01084e30
0x01084e5b
0x01084e5b
0x00000000
0x01084e30
0x01084e11
0x01084e11
0x01084e16
0x00000000
0x01084e16
0x01084e01
0x00000000
0x01084e01
0x01084da5
0x010c6c6b
0x00000000
0x01084dab
0x01084dab
0x00000000
0x01084dab

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bae4b40ea66a5d67b1c89951c7f82ec68c42e54ce772e3aeecadd184b26ba1f
Instruction ID: 94c798992174e6d05473361c144850eb6311e4134a007b579704b36d85036884
Opcode Fuzzy Hash: 1bae4b40ea66a5d67b1c89951c7f82ec68c42e54ce772e3aeecadd184b26ba1f
Instruction Fuzzy Hash: F741B271A483199FEB71EF14CC80FAAB7A9EB54710F0040A9E9C5DB281D775DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0107F86D Relevance: .1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0107F86D(void* __ebx, signed int __ecx, unsigned int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t31;
				signed int _t40;
				signed int _t45;
				signed int _t46;
				signed int _t48;
				signed int _t50;
				signed int _t53;
				unsigned int* _t60;
				signed int* _t66;
				signed int _t67;
				signed int* _t70;
				void* _t71;

				_t64 = __edx;
				_t61 = __ecx;
				_push(0x1c);
				_push(0x112feb8);
				E010AD08C(__ebx, __edi, __esi);
				_t60 = __edx;
				 *((intOrPtr*)(_t71 - 0x28)) = __edx;
				_t70 = __ecx;
				 *((intOrPtr*)(_t71 - 0x2c)) = __ecx;
				_t66 =  *(_t71 + 8);
				if(_t66 == 0 || __ecx == 0 || __edx == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					E011288F5(_t60, _t61, _t64, _t66, _t70, __eflags);
					_t31 = 0xc000000d;
					goto L9;
				} else {
					if( *__ecx == 0) {
						L10:
						 *(_t71 - 0x20) =  *(_t71 - 0x20) & 0x00000000;
						_t67 = E01083E70(_t71 - 0x20, 0);
						 *(_t71 - 0x24) = _t67;
						__eflags = _t67;
						if(_t67 < 0) {
							L24:
							_t31 = _t67;
							L9:
							return E010AD0D1(_t31);
						}
						E01072280(_t36, _t60);
						 *(_t71 - 4) = 1;
						__eflags =  *_t70;
						if( *_t70 != 0) {
							asm("lock inc dword [eax]");
							L21:
							 *(_t71 - 4) = 0xfffffffe;
							E0107F9DD(_t60);
							_t40 =  *(_t71 - 0x20);
							__eflags = _t40;
							if(__eflags != 0) {
								_push(_t40);
								E01059100(_t60, _t61, _t67, _t70, __eflags);
							}
							__eflags = _t67;
							if(_t67 >= 0) {
								 *( *(_t71 + 8)) =  *_t70;
							}
							goto L24;
						}
						__eflags = _t70 - 0x11486c0;
						if(_t70 != 0x11486c0) {
							__eflags = _t70 - 0x11486b8;
							if(_t70 != 0x11486b8) {
								L20:
								 *_t70 =  *(_t71 - 0x20);
								_t20 = _t71 - 0x20;
								 *_t20 =  *(_t71 - 0x20) & 0x00000000;
								__eflags =  *_t20;
								goto L21;
							}
							E01085AA0(_t61,  *(_t71 - 0x20), 1);
							_t45 = E010595F0( *(_t71 - 0x20), 1);
							L27:
							_t67 = _t45;
							__eflags = _t67;
							 *(_t71 - 0x24) = _t67;
							if(_t67 >= 0) {
								goto L20;
							}
							goto L21;
						}
						_t46 =  *0x1148754; // 0x0
						__eflags = _t46;
						if(_t46 != 0) {
							E01085AA0(_t61,  *(_t71 - 0x20), _t46);
						} else {
							_t50 =  *0x7ffe03c0 << 3;
							__eflags = _t50 - 0x300;
							if(_t50 < 0x300) {
								_t50 = 0x300;
							}
							E01085AA0(0x300,  *(_t71 - 0x20), _t50);
							_t53 =  *0x7ffe03c0 << 2;
							_t61 = 0x180;
							__eflags = _t53 - 0x180;
							if(_t53 < 0x180) {
								_t53 = 0x180;
							}
							E01095C70( *(_t71 - 0x20), _t53);
						}
						_t48 =  *0x1148750; // 0x0
						__eflags = _t48;
						if(_t48 != 0) {
							_t45 = E0105B8F0( *(_t71 - 0x20), _t48);
							goto L27;
						} else {
							goto L20;
						}
					}
					 *((char*)(_t71 - 0x19)) = 0;
					L0107FAD0(__edx);
					 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
					if( *_t70 != 0) {
						asm("lock inc dword [eax]");
						 *_t66 =  *_t70;
						 *((char*)(_t71 - 0x19)) = 1;
					}
					 *(_t71 - 4) = 0xfffffffe;
					E0107F9D6(_t60);
					if( *((char*)(_t71 - 0x19)) == 0) {
						goto L10;
					} else {
						_t31 = 0;
						goto L9;
					}
				}
			}

0x0107f86d
0x0107f86d
0x0107f86d
0x0107f86f
0x0107f874
0x0107f879
0x0107f87b
0x0107f87e
0x0107f880
0x0107f883
0x0107f888
0x010c47c9
0x010c47ce
0x00000000
0x0107f8b1
0x0107f8b4
0x0107f8f1
0x0107f8f1
0x0107f900
0x0107f902
0x0107f905
0x0107f907
0x0107f9a9
0x0107f9a9
0x0107f8e9
0x0107f8ee
0x0107f8ee
0x0107f90e
0x0107f913
0x0107f91c
0x0107f91e
0x0107f9e4
0x0107f98b
0x0107f98b
0x0107f992
0x0107f997
0x0107f99a
0x0107f99c
0x0107f9e9
0x0107f9ea
0x0107f9ea
0x0107f99e
0x0107f9a0
0x0107f9a7
0x0107f9a7
0x00000000
0x0107f9a0
0x0107f924
0x0107f92a
0x0107f9b0
0x0107f9b6
0x0107f982
0x0107f985
0x0107f987
0x0107f987
0x0107f987
0x00000000
0x0107f987
0x0107f9be
0x0107f9c6
0x0107f9cb
0x0107f9cb
0x0107f9cd
0x0107f9cf
0x0107f9d2
0x00000000
0x00000000
0x00000000
0x0107f9d4
0x0107f930
0x0107f935
0x0107f937
0x010c47a3
0x0107f93d
0x0107f942
0x0107f94a
0x0107f94c
0x0107f94e
0x0107f94e
0x0107f954
0x0107f95e
0x0107f961
0x0107f966
0x0107f968
0x0107f96a
0x0107f96a
0x0107f970
0x0107f970
0x0107f975
0x0107f97a
0x0107f97c
0x010c47b1
0x00000000
0x00000000
0x00000000
0x00000000
0x0107f97c
0x0107f8b6
0x0107f8bb
0x0107f8c0
0x0107f8c8
0x0107f8ca
0x0107f8cf
0x0107f8d1
0x0107f8d1
0x0107f8d5
0x0107f8dc
0x0107f8e5
0x00000000
0x0107f8e7
0x0107f8e7
0x00000000
0x0107f8e7
0x0107f8e5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3b5a89c49f63c825b0f3254d2ccbc4adffbf9dc5bb8cb0ba245538878bc3db
Instruction ID: c39b280ac750ff1d3a9db90fbbd46a48454f9b77aa5c353f568989634bf442bf
Opcode Fuzzy Hash: ee3b5a89c49f63c825b0f3254d2ccbc4adffbf9dc5bb8cb0ba245538878bc3db
Instruction Fuzzy Hash: 2041AE71E00217AFEB62AFACC880BEEB6F5BF58B14F140159E5E1E7251D7749840CB68

Uniqueness

Uniqueness Score: -1.00%

Function 010E6365 Relevance: .1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E010E6365(void* __ecx, void* __edx, signed short _a4, signed int* _a8, intOrPtr* _a12, intOrPtr* _a16, char* _a20) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t30;
				intOrPtr _t36;
				intOrPtr _t39;
				intOrPtr* _t40;
				signed int* _t41;
				char* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t49;
				signed int _t52;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				signed int _t65;
				void* _t67;
				void* _t68;

				_t65 = _a4 & 0x0000ffff;
				_v12 = __edx;
				_t63 = __ecx;
				_t47 = E01074620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t65);
				_t30 = 0;
				_v8 = 0;
				if(_t47 == 0) {
					_t64 = 0xc0000017;
					L8:
					if(_t47 != 0) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t30, _t47);
					}
					return _t64;
				}
				_push( &_v16);
				_push(_t65);
				_push(_t47);
				_push(2);
				_push(_t63);
				_push(0xffffffff);
				_t64 = E01099730();
				if(_t64 < 0) {
					L7:
					_t30 = 0;
					goto L8;
				}
				_t49 =  *((intOrPtr*)(_t47 + 4));
				_t61 = _t49 + 2;
				do {
					_t36 =  *_t49;
					_t49 = _t49 + 2;
				} while (_t36 != _v8);
				_t52 = 2 + (_t49 - _t61 >> 1) * 2;
				_v16 = _t52;
				if(_t52 >= _t65) {
					_t64 = 0x80000005;
					goto L7;
				}
				E0109F3E0(_v12,  *((intOrPtr*)(_t47 + 4)), _t52);
				_t67 = L010A13D0(_v12, 0x5c);
				if(_t67 != 0) {
					_t68 = _t67 + 2;
					_t53 = _t68;
					_t15 = _t53 + 2; // 0x0
					_t62 = _t15;
					do {
						_t39 =  *_t53;
						_t53 = _t53 + 2;
					} while (_t39 != _v8);
					_t56 = (_t53 - _t62 >> 1) + (_t53 - _t62 >> 1);
					_v8 = _t56;
					if(_a12 == 0) {
						L17:
						_t40 = _a16;
						if(_t40 != 0) {
							 *_t40 = _t56;
						}
						_t41 = _a8;
						if(_t41 != 0) {
							 *_t41 = _t68 - _v12 & 0xfffffffe;
						}
						_t42 = _a20;
						if(_t42 != 0) {
							 *_t42 = 1;
						}
						goto L7;
					}
					_t19 = _t56 + 2; // -2
					_t45 = E01074620(_t56,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
					 *_a12 = _t45;
					if(_t45 != 0) {
						E0109F3E0(_t45, _t68, _v8 + 2);
						_t56 = _v8;
						goto L17;
					}
					_t64 = 0xc0000017;
					goto L7;
				}
				_t64 = 0xc0000039;
				goto L7;
			}

0x010e6375
0x010e6380
0x010e6383
0x010e638a
0x010e638c
0x010e638e
0x010e6393
0x010e64ab
0x010e63fc
0x010e63fe
0x010e640b
0x010e640b
0x010e6418
0x010e6418
0x010e639c
0x010e639d
0x010e639e
0x010e639f
0x010e63a1
0x010e63a2
0x010e63a9
0x010e63ad
0x010e63fa
0x010e63fa
0x00000000
0x010e63fa
0x010e63af
0x010e63b2
0x010e63b5
0x010e63b5
0x010e63b8
0x010e63bb
0x010e63c5
0x010e63cc
0x010e63d1
0x010e64a1
0x00000000
0x010e64a1
0x010e63df
0x010e63ec
0x010e63f3
0x010e641b
0x010e641e
0x010e6420
0x010e6420
0x010e6423
0x010e6423
0x010e6426
0x010e6429
0x010e6433
0x010e6439
0x010e643c
0x010e6476
0x010e6476
0x010e647b
0x010e647d
0x010e647d
0x010e647f
0x010e6484
0x010e648c
0x010e648c
0x010e648e
0x010e6493
0x010e6499
0x010e6499
0x00000000
0x010e6493
0x010e643e
0x010e644d
0x010e6455
0x010e6459
0x010e646b
0x010e6470
0x00000000
0x010e6473
0x010e645b
0x00000000
0x010e645b
0x010e63f5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction ID: 7e6e129138b31e97ec16dbbfcb49c7edc6e31939db336d002e7365e879be5b51
Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction Fuzzy Hash: 4A41D276A00105EFDB25DF69D854BAF7BF9EF54710F1980A8EA429B250DB32DD01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01051AA0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction ID: e874648bb473d6d8ed416f916644ecbbe8b22072beaf1b653b9cf4faca4ab29f
Opcode Fuzzy Hash: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction Fuzzy Hash: 48412E71A00605EFDB65CF99C980BABBBF9FF08300B1045ADE996D7650E330EA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01060100 Relevance: .1, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01060100(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				char _t38;
				intOrPtr _t42;
				signed int* _t43;
				signed int _t44;
				signed int _t48;
				char _t59;
				intOrPtr* _t61;
				intOrPtr _t62;
				signed int _t65;
				intOrPtr _t67;
				signed int _t70;
				signed int _t72;
				void* _t73;

				_push(0x1c);
				_push(0x112f848);
				_t37 = E010AD08C(__ebx, __edi, __esi);
				_t59 = 0;
				 *((char*)(_t73 - 0x19)) = 0;
				if( *((intOrPtr*)(_t73 + 8)) == 0) {
					_t38 = 0;
					L7:
					return E010AD0D1(_t38);
				}
				E01072280(_t37, 0x114861c);
				 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
				_t72 =  *0x1146da4; // 0x0
				if(_t72 == 0) {
					_t59 = 1;
					L26:
					 *((char*)(_t73 - 0x19)) = _t59;
					L6:
					 *(_t73 - 4) = 0xfffffffe;
					E0106021A();
					_t38 = _t59;
					goto L7;
				}
				_t70 = _t72;
				 *(_t73 - 0x24) = _t70;
				_t42 =  *0x1146da0; // 0x0
				 *((intOrPtr*)(_t73 - 0x20)) = _t42;
				while(_t70 > 0) {
					_t65 = _t70 << 5;
					if( *((intOrPtr*)(_t65 + _t42 - 0x1c)) ==  *((intOrPtr*)(_t73 + 8))) {
						_t12 = _t42 - 0x20; // -32
						_t61 = _t12 + _t65;
						 *((intOrPtr*)(_t73 - 0x28)) = _t61;
						_t14 = _t61 + 0x10; // -16
						_t43 = _t14;
						 *(_t73 - 0x2c) = _t43;
						_t44 =  *_t43;
						if(_t44 == 0) {
							L21:
							_t62 =  *((intOrPtr*)(_t73 - 0x20));
							L16:
							if(_t70 != _t72) {
								_t27 = _t70 - 1; // -1
								E01059FF0(_t27);
							}
							_t72 = _t72 - 1;
							 *0x1146da4 = _t72;
							if(_t72 == 0) {
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t62);
								_t42 = 0;
								 *((intOrPtr*)(_t73 - 0x20)) = 0;
								 *0x1146da0 = 0;
								 *0x1146da8 =  *0x1146da8 & 0;
								L32:
								_t70 =  *(_t73 - 0x24);
								_t72 =  *0x1146da4; // 0x0
								L20:
								_t59 = 1;
								 *((char*)(_t73 - 0x19)) = 1;
								goto L5;
							}
							_t48 =  *0x1146da8; // 0x0
							_t49 = _t48 + 0xffffffe0;
							if(_t72 < _t48 + 0xffffffe0) {
								_t42 = L01078E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t62, _t49 << 5);
								 *((intOrPtr*)(_t73 - 0x20)) = _t42;
								if(_t42 != 0) {
									 *0x1146da0 = _t42;
									 *0x1146da8 =  *0x1146da8 - 0x20;
									goto L32;
								}
								_t59 = 0;
								goto L26;
							}
							_t42 =  *((intOrPtr*)(_t73 - 0x20));
							goto L20;
						}
						_t67 =  *((intOrPtr*)(_t73 + 0xc));
						if(_t67 != 0) {
							if(_t67 !=  *_t61) {
								goto L21;
							}
						}
						if(_t44 == 0xffffffff) {
							goto L21;
						}
						_push(_t44 & 0xfffffffc);
						if( *((intOrPtr*)(_t61 + 0x1c)) == 0xc0000019) {
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							L010777F0();
							_t70 =  *(_t73 - 0x24);
							_t61 =  *((intOrPtr*)(_t73 - 0x28));
						} else {
							_push(0xffffffff);
							E010997A0();
						}
						if( *(_t61 + 0x14) != 0) {
							_push( *(_t61 + 0x14));
							E010995D0();
							 *(_t61 + 0x14) =  *(_t61 + 0x14) & 0x00000000;
						}
						 *( *(_t73 - 0x2c)) =  *( *(_t73 - 0x2c)) & 0x00000000;
						_t72 =  *0x1146da4; // 0x0
						_t62 =  *0x1146da0; // 0x0
						 *((intOrPtr*)(_t73 - 0x20)) = _t62;
						goto L16;
					}
					L5:
					_t70 = _t70 - 1;
					 *(_t73 - 0x24) = _t70;
				}
				goto L6;
			}

0x01060100
0x01060102
0x01060107
0x0106010c
0x0106010e
0x01060115
0x010b6127
0x0106016a
0x0106016f
0x0106016f
0x01060120
0x01060125
0x01060129
0x01060131
0x010b612e
0x010b6134
0x010b6134
0x0106015c
0x0106015c
0x01060163
0x01060168
0x00000000
0x01060168
0x01060137
0x01060139
0x0106013c
0x01060141
0x01060144
0x0106014a
0x01060154
0x01060172
0x01060175
0x01060177
0x0106017a
0x0106017a
0x0106017d
0x01060180
0x01060184
0x0106020b
0x0106020b
0x010601db
0x010601dd
0x01060210
0x01060213
0x01060213
0x010601df
0x010601e2
0x010601e8
0x010b6171
0x010b6176
0x010b6178
0x010b617b
0x010b6180
0x010b6194
0x010b6194
0x010b6197
0x01060201
0x01060201
0x01060203
0x00000000
0x01060203
0x010601ee
0x010601f3
0x010601f8
0x010b61b2
0x010b61b7
0x010b61bc
0x010b6188
0x010b618d
0x00000000
0x010b618d
0x010b6132
0x00000000
0x010b6132
0x010601fe
0x00000000
0x010601fe
0x0106018a
0x01060191
0x010b613f
0x00000000
0x00000000
0x010b6145
0x0106019a
0x00000000
0x00000000
0x0106019f
0x010601a7
0x010b614a
0x010b6152
0x010b6155
0x010b615a
0x010b615d
0x010601ad
0x010601ad
0x010601af
0x010601af
0x010601b8
0x010601ba
0x010601bd
0x010601c2
0x010601c2
0x010601c9
0x010601cc
0x010601d2
0x010601d8
0x00000000
0x010601d8
0x01060156
0x01060156
0x01060157
0x01060157
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022d7d8ab6dfb0a0fc4d4f116d6766d6b37337a50534add2570be1376ae24879
Instruction ID: ae74b6a3365bec43d1c20196ecce5d40be0a6b306e69eff79bf50b35a29d6520
Opcode Fuzzy Hash: 022d7d8ab6dfb0a0fc4d4f116d6766d6b37337a50534add2570be1376ae24879
Instruction Fuzzy Hash: 2B41EF31985205DFCFA5DF68C8907EE7BB4FF15758F080569E4E1AB29AC3318980CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0111AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0111AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0111ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0111AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0111AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E010FCB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L010777F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E01077D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0111131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E010FCB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0111aa1f
0x0111aa21
0x0111aa23
0x0111aa2b
0x0111aa30
0x0111aa36
0x0111aa39
0x0111aa42
0x0111aa75
0x0111aa7a
0x0111aa7c
0x0111aa7c
0x0111aa88
0x0111aa8a
0x0111aa8f
0x0111ab02
0x0111ab04
0x0111aa99
0x0111aaa8
0x0111aaaf
0x0111aab3
0x0111aacc
0x0111aad1
0x0111aad6
0x0111aae0
0x0111aaf3
0x0111aaf9
0x0111aafe
0x0111aafe
0x0111aaf3
0x0111aad6
0x0111aab3
0x0111ab07
0x0111ab0a
0x0111ab11
0x0111ab23
0x0111ab13
0x0111ab1c
0x0111ab1c
0x0111ab2b
0x0111ab44
0x0111ab44
0x0111ab51
0x0111ab51
0x0111aa44
0x0111aa47
0x0111aa4c
0x00000000
0x00000000
0x0111aa5a
0x0111aa64
0x0111aa72
0x00000000
0x0111aa66
0x0111aa66
0x0111aa68
0x0111aa6a
0x00000000
0x0111aa6a

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: ecc85a9084b9bff18b1b3dd0f5850d4bc1ea72c50a868b9cfe4d9b44eb0f9b56
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 1D312432F025C96BEB198B69D945BAFFFBAEF80210F094479E901A7245DB749D00C654

Uniqueness

Uniqueness Score: -1.00%

Function 01068A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01068A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x114d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0109B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0106E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x1031180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E01081DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01093C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E01068999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x01068a0a
0x01068a1c
0x01068a23
0x01068a2e
0x01068a30
0x01068a36
0x01068a3c
0x01068a3e
0x01068a4a
0x01068a52
0x01068a9c
0x01068aae
0x01068a58
0x01068a5e
0x01068a6a
0x01068a6f
0x01068a75
0x01068a7d
0x01068a85
0x01068a86
0x01068a89
0x01068a93
0x01068a99
0x01068a9b
0x00000000
0x01068aaf
0x01068abe
0x01068ac3
0x01068acb
0x01068ad7
0x01068ae0
0x01068af1
0x00000000
0x01068af1
0x01068acd
0x01068ad5
0x01068afb
0x01068afd
0x01068aff
0x01068b07
0x01068b22
0x01068b24
0x01068b2a
0x01068b2e
0x01068b3f
0x01068b78
0x01068b41
0x01068b52
0x01068b54
0x01068b5c
0x01068b74
0x01068b74
0x01068b5c
0x01068b3f
0x01068b5e
0x01068b61
0x01068b64
0x01068b64
0x01068b6c
0x01068b6c
0x01068b11
0x010b9cd5
0x010b9cd5
0x01068b17
0x01068b1a
0x01068b1a
0x00000000
0x01068ad5
0x01068a89

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01baa5ff450d3303a567f92ce8b5f78ded75f3ad60d51e0214126474ba2cd864
Instruction ID: 553e16ec536eac68bfedae96d4f55896b18751d593762d88ffe97961c47e02cd
Opcode Fuzzy Hash: 01baa5ff450d3303a567f92ce8b5f78ded75f3ad60d51e0214126474ba2cd864
Instruction Fuzzy Hash: B24162B4A4032D9BDB64DF59C888AEDB7F8FB54300F1085EAD95997252E7709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010899BC Relevance: .1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E010899BC(void* __ebx, intOrPtr __ecx, signed int __edi, void* __esi, void* __eflags, signed int _a12) {
				signed int _v4;
				intOrPtr _v128;
				intOrPtr* _v132;
				char _v180;
				intOrPtr _v184;
				signed int _t40;
				void* _t65;
				intOrPtr _t69;
				signed int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				intOrPtr _t77;
				intOrPtr* _t78;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t84;
				intOrPtr* _t85;
				intOrPtr _t88;
				signed int _t89;
				void* _t103;

				_t65 = __ebx;
				_push(0xa8);
				_push(0x1130198);
				E010AD0E8(__ebx, __edi, __esi);
				_t88 = __ecx;
				_v184 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					E0105716E(__ebx, __ecx, __edi, __ecx, __eflags);
					_t69 =  *((intOrPtr*)(__ecx + 8));
					_t82 = __edi | 0xffffffff;
					__eflags = _t82;
					asm("lock xadd [ecx], eax");
					if(_t82 == 0) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)),  *0x11484c4, _t69);
					}
				} else {
					_t82 = __edi | 0xffffffff;
				}
				if( *((intOrPtr*)(_t88 + 0x38)) != _t82) {
					_push( *((intOrPtr*)(_t88 + 0x38)));
					L20();
				}
				_t38 =  *((intOrPtr*)(_t88 + 0x5c));
				if( *((intOrPtr*)(_t88 + 0x5c)) == 0) {
					E01072280(_t38, 0x114a74c);
					_v4 = 1;
					_t40 = _t88 + 0x60;
					_t79 =  *_t40;
					_t70 =  *(_t40 + 4);
					__eflags =  *(_t79 + 4) - _t40;
					if( *(_t79 + 4) != _t40) {
						goto L19;
					} else {
						__eflags =  *_t70 - _t40;
						if( *_t70 != _t40) {
							goto L19;
						} else {
							 *_t70 = _t79;
							 *(_t79 + 4) = _t70;
							 *(_t40 + 4) = _t40;
							 *_t40 = _t40;
							_v4 = 0xfffffffe;
							E010C97DE();
							goto L10;
						}
					}
				} else {
					E01072280(_t38 + 0x2c, _t38 + 0x2c);
					_v4 = _v4 & 0x00000000;
					_t40 = _t88 + 0x60;
					_t79 =  *_t40;
					_t76 =  *(_t40 + 4);
					if( *(_t79 + 4) != _t40 ||  *_t76 != _t40) {
						L19:
						_t71 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t65);
						_push(_t88);
						_t89 = _a12;
						_push(_t82);
						__eflags = _t89;
						if(_t89 != 0) {
							_t40 = _t89 - 0x00000001 | 0x00000007;
							__eflags = _t40 - 0xffffffff;
							if(_t40 != 0xffffffff) {
								__eflags =  *_t89;
								if( *_t89 > 0) {
									__eflags =  *_t89 - 0x7fffffff;
									if( *_t89 != 0x7fffffff) {
										while(1) {
											_t80 =  *_t89;
											__eflags = _t80 - 0x7fffffff;
											if(_t80 == 0x7fffffff) {
												break;
											}
											_t84 = _t80 - 1;
											_t40 = _t80;
											_t71 = _t84;
											asm("lock cmpxchg [esi], ecx");
											__eflags = _t40 - _t80;
											if(_t40 != _t80) {
												continue;
											}
											L26:
											__eflags =  *0x114871c;
											if( *0x114871c != 0) {
												asm("lock xadd [esi+0xe8], eax");
												_t40 = E01088690(_t71, 1, 4, 0xbadc99 + _t89, 0);
											}
											__eflags = _t84;
											if(_t84 == 0) {
												__eflags =  *0x114871d;
												_t72 = _t89;
												if(__eflags != 0) {
													_t40 = E010E4257(0x7fffffff, _t72, _t84, _t89, __eflags);
												} else {
													_t40 = L01057055(_t72);
												}
											}
											goto L28;
										}
										_t84 = 0x7fffffff;
										goto L26;
									}
								}
							}
						}
						L28:
						return _t40;
					} else {
						 *_t76 = _t79;
						 *(_t79 + 4) = _t76;
						 *(_t40 + 4) = _t40;
						 *_t40 = _t40;
						_v4 = 0xfffffffe;
						E01089AF3(_t88);
						_t77 =  *((intOrPtr*)(_t88 + 0x5c));
						_t103 = _t77 -  *0x11486c0; // 0xb207b0
						if(_t103 != 0) {
							__eflags = _t77 -  *0x11486b8; // 0x0
							if(__eflags == 0) {
								_t79 = 0x11486bc;
								_t78 = 0x11486b8;
								goto L9;
							} else {
								asm("lock xadd [ecx], edi");
								_t86 = _t82 - 1;
								__eflags = _t82 - 1;
								if(__eflags == 0) {
									E01059240(_t65, _t77, _t86, _t88, __eflags);
								}
							}
						} else {
							_t79 = 0x11486c4;
							_t78 = 0x11486c0;
							L9:
							E01089B82(_t65, _t78, _t79, _t82, _t88, _t103);
						}
						L10:
						_t85 =  *((intOrPtr*)(_t88 + 0x10));
						if(_t85 != 0) {
							E0109FA60( &_v180, 0, 0x98);
							_v132 = _t85;
							_t88 =  *((intOrPtr*)(_t88 + 0x34));
							_v128 = _t88;
							E0107DB6D( &_v180);
							 *0x114b1e0( &_v180, _t88);
							 *_t85();
							E0107CFEB( &_v180, _t79);
						}
						return E010AD130(_t65, _t85, _t88);
					}
				}
			}

0x010899bc
0x010899bc
0x010899c1
0x010899c6
0x010899cb
0x010899cd
0x010899d7
0x01089aab
0x01089ab0
0x01089ab3
0x01089ab3
0x01089ab8
0x01089abc
0x010c977b
0x010c977b
0x010899dd
0x010899dd
0x010899dd
0x010899e3
0x010899e5
0x010899e8
0x010899e8
0x010899ed
0x010899f2
0x010c9798
0x010c979d
0x010c97a4
0x010c97a7
0x010c97a9
0x010c97ac
0x010c97af
0x00000000
0x010c97b5
0x010c97b5
0x010c97b7
0x00000000
0x010c97bd
0x010c97bd
0x010c97bf
0x010c97c2
0x010c97c5
0x010c97c7
0x010c97ce
0x00000000
0x010c97ce
0x010c97b7
0x010899f8
0x010899fc
0x01089a01
0x01089a05
0x01089a08
0x01089a0a
0x01089a10
0x01089b00
0x01089b02
0x01089b03
0x01089b05
0x01089b06
0x01089b07
0x01089b08
0x01089b09
0x01089b0a
0x01089b0b
0x01089b0c
0x01089b0d
0x01089b0e
0x01089b0f
0x01089b15
0x01089b16
0x01089b17
0x01089b1a
0x01089b1b
0x01089b1d
0x01089b22
0x01089b25
0x01089b28
0x01089b2a
0x01089b2d
0x01089b34
0x01089b36
0x01089b38
0x01089b38
0x01089b3a
0x01089b3c
0x00000000
0x00000000
0x01089b3e
0x01089b41
0x01089b43
0x01089b45
0x01089b49
0x01089b4b
0x00000000
0x00000000
0x01089b4d
0x01089b4d
0x01089b54
0x010c97ec
0x010c9809
0x010c9809
0x01089b5a
0x01089b5c
0x01089b65
0x01089b6c
0x01089b6e
0x01089b7b
0x01089b70
0x01089b70
0x01089b70
0x01089b6e
0x00000000
0x01089b5c
0x01089b77
0x00000000
0x01089b77
0x01089b36
0x01089b2d
0x01089b28
0x01089b5e
0x01089b62
0x01089a1e
0x01089a1e
0x01089a20
0x01089a23
0x01089a26
0x01089a28
0x01089a2f
0x01089a34
0x01089a37
0x01089a3d
0x01089ac7
0x01089acd
0x01089ae4
0x01089ae9
0x00000000
0x01089acf
0x01089acf
0x01089ad3
0x01089ad3
0x01089ad4
0x01089ada
0x01089ada
0x01089ad4
0x01089a43
0x01089a43
0x01089a48
0x01089a4d
0x01089a4d
0x01089a4d
0x01089a52
0x01089a52
0x01089a57
0x01089a6d
0x01089a75
0x01089a7b
0x01089a7e
0x01089a87
0x01089a96
0x01089a9c
0x01089aa4
0x01089aa4
0x01089a5e
0x01089a5e
0x01089a10

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b13e4528c998e151274865eb5324625cd8ab37f814637b8539785d20f56d0c
Instruction ID: 784079aa131c895a9950fdecf5816404159f4e572d93c203e1aef2ba3abe0829
Opcode Fuzzy Hash: 58b13e4528c998e151274865eb5324625cd8ab37f814637b8539785d20f56d0c
Instruction Fuzzy Hash: 6F41E170905701CFCBA5FF68CA00BA9B7F5FF90718F1582A9C0C69B6A1DB309A40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0111FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0111FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0111FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E01120A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E01077D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01111608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E01122B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0111C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0111DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E01077D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0111A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0111fde7
0x0111fde8
0x0111fdec
0x0111fdee
0x0111fdf5
0x0111fdf7
0x0111fdfc
0x0111fe19
0x0111fe22
0x0111fe26
0x0111fec6
0x0111fecd
0x0111fed5
0x0111fee7
0x0111fed7
0x0111fee0
0x0111fee0
0x0111feef
0x0111ff00
0x0111ff02
0x0111ff07
0x0111ff07
0x00000000
0x0111feef
0x0111fe33
0x0111fe55
0x0111fe59
0x0111fe5b
0x0111fe5e
0x0111fe69
0x0111fe6d
0x0111fe6d
0x0111fe69
0x0111fe35
0x0111fe41
0x0111fe41
0x0111fe79
0x0111fe8b
0x0111fe7b
0x0111fe84
0x0111fe84
0x0111fe93
0x00000000
0x0111fea8
0x0111feba
0x00000000
0x0111feba
0x0111fdfe
0x0111fe01
0x0111fe02
0x0111fe08
0x0111ff0c
0x0111ff14
0x0111ff14

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 8293940a1c52bb2f21ae6ea95ea5b7062316376668b6ac0ad4745f2a382450a6
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 59314A32300A436FD72E9B6CC844F6AFBA6EBC5650F094178E5458B34ADB70DC06C751

Uniqueness

Uniqueness Score: -1.00%

Function 01057B70 Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01057B70(signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr _t26;
				signed int _t28;
				signed int _t39;
				signed int _t43;
				signed int _t44;
				void* _t46;
				signed int _t49;
				signed int _t50;
				signed int _t53;
				void* _t59;

				_t26 = _a8;
				if(_t26 == 0x80000002) {
					_t54 = _a12;
					__eflags = _a12;
					if(_a12 == 0) {
						L16:
						return 0xc0000001;
					}
					__eflags = _a16 - 0x1c;
					if(_a16 != 0x1c) {
						goto L16;
					}
					_t28 = E010FC4C1(_a4, _t54);
					L12:
					__eflags = _t28;
					if(_t28 >= 0) {
						L4:
						return 0;
					}
					return _t28;
				}
				if(_t26 == 0) {
					__eflags = _a16 - 4;
					if(_a16 < 4) {
						return 0xc0000023;
					}
					__eflags =  *_a12 - 2;
					if( *_a12 != 2) {
						goto L16;
					}
					_t49 = _a4;
					__eflags =  *((intOrPtr*)(_t49 + 8)) - 0xddeeddee;
					if( *((intOrPtr*)(_t49 + 8)) == 0xddeeddee) {
						goto L4;
					}
					__eflags = ( *(_t49 + 0x40) & 0x75010f63) - 2;
					if(( *(_t49 + 0x40) & 0x75010f63) != 2) {
						L15:
						return 0xc000000d;
					}
					__eflags =  *( *[fs:0x30] + 0x68) & 0x00000800;
					if(__eflags != 0) {
						goto L15;
					}
					_t28 = E01057BFA(_t46, _t49, 0, _t59, __eflags);
					goto L12;
				}
				if(_t26 != 1) {
					__eflags = _t26 - 3;
					if(_t26 == 3) {
						_t50 = _a12;
						__eflags = _t50;
						if(_t50 == 0) {
							goto L15;
						}
						__eflags = _a16 - 4;
						if(_a16 < 4) {
							goto L15;
						}
						__eflags =  *_t50 != 1;
						if( *_t50 != 1) {
							goto L15;
						}
						__eflags = _a16 - 8;
						if(_a16 != 8) {
							goto L15;
						}
						__eflags =  *(_t50 + 4);
						if( *(_t50 + 4) != 0) {
							goto L15;
						}
						__eflags = _a4;
						if(__eflags != 0) {
							E0106EEF0(0x1146620);
							_t51 = _a4;
							_t39 = E01057C8D(_a4);
							__eflags = _t39;
							if(_t39 == 0) {
								E011025D1(_t51);
							}
							E0106EB70(_t51, 0x1146620);
							goto L4;
						}
						_push(0);
						E010FCD04(_t46, 0x10fd290, 0, 0, _t59, __eflags);
						goto L4;
					}
					__eflags = _t26 - 4;
					if(_t26 == 4) {
						__eflags =  *0x1148724 & 0x00000001;
						if(( *0x1148724 & 0x00000001) == 0) {
							goto L15;
						}
						_t43 = E01084E70(0x11486a4, 0x1112ca0, 0x11465a0, 0);
						__eflags = _t43;
						if(_t43 < 0) {
							return _t43;
						}
						 *0x1148724 =  *0x1148724 | 0x00000002;
						goto L4;
					}
					__eflags = _t26 - 5;
					if(_t26 != 5) {
						goto L4;
					}
					_t53 = _a12;
					__eflags = _t53;
					if(_t53 == 0) {
						goto L15;
					}
					__eflags = _a16 - 8;
					if(_a16 < 8) {
						goto L15;
					}
					__eflags =  *_t53 - 1;
					if( *_t53 != 1) {
						goto L15;
					}
					_t44 =  *(_t53 + 2) & 0x0000ffff;
					__eflags = _t44 & 0xfffffffe;
					if((_t44 & 0xfffffffe) != 0) {
						goto L15;
					}
					E0111079E(_t53, 0);
					goto L4;
				}
				 *0x114849c = 0;
				goto L4;
			}

0x01057b75
0x01057b81
0x010b2b81
0x010b2b84
0x010b2b86
0x01057bf3
0x00000000
0x01057bf3
0x010b2b8c
0x010b2b90
0x00000000
0x00000000
0x010b2b99
0x01057bdf
0x01057bdf
0x01057be1
0x01057b9c
0x00000000
0x01057b9c
0x00000000
0x01057be1
0x01057b89
0x01057ba4
0x01057ba8
0x00000000
0x01057be5
0x01057bad
0x01057bb0
0x00000000
0x00000000
0x01057bb2
0x01057bb5
0x01057bbc
0x00000000
0x00000000
0x01057bc6
0x01057bc9
0x01057bec
0x00000000
0x01057bec
0x01057bd1
0x01057bd8
0x00000000
0x00000000
0x01057bda
0x00000000
0x01057bda
0x01057b90
0x010b2a90
0x010b2a93
0x010b2b10
0x010b2b13
0x010b2b15
0x00000000
0x00000000
0x010b2b1b
0x010b2b1f
0x00000000
0x00000000
0x010b2b27
0x010b2b2a
0x00000000
0x00000000
0x010b2b30
0x010b2b34
0x00000000
0x00000000
0x010b2b3a
0x010b2b3d
0x00000000
0x00000000
0x010b2b43
0x010b2b46
0x010b2b60
0x010b2b65
0x010b2b68
0x010b2b6d
0x010b2b6f
0x010b2b71
0x010b2b71
0x010b2b77
0x00000000
0x010b2b77
0x010b2b48
0x010b2b50
0x00000000
0x010b2b50
0x010b2a95
0x010b2a98
0x010b2ada
0x010b2ae1
0x00000000
0x00000000
0x010b2af7
0x010b2afc
0x010b2afe
0x01057ba1
0x01057ba1
0x010b2b04
0x00000000
0x010b2b04
0x010b2a9a
0x010b2a9d
0x00000000
0x00000000
0x010b2aa3
0x010b2aa6
0x010b2aa8
0x00000000
0x00000000
0x010b2aae
0x010b2ab2
0x00000000
0x00000000
0x010b2ab8
0x010b2abb
0x00000000
0x00000000
0x010b2ac1
0x010b2ac5
0x010b2aca
0x00000000
0x00000000
0x010b2ad0
0x00000000
0x010b2ad0
0x01057b96
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0745444204aa89b676aa3d90fd4a182361e2ffe5233c26d7c681d2ff0365e4
Instruction ID: 43da4594a6c72670ef74ff8c3a68f036ba3a8b08944f24d9635205fd99e5bd20
Opcode Fuzzy Hash: 6f0745444204aa89b676aa3d90fd4a182361e2ffe5233c26d7c681d2ff0365e4
Instruction Fuzzy Hash: 4B31D3302042058BFFE5DE2DCD817AB37D9EB81618F94846AEFD287151D732D881E752

Uniqueness

Uniqueness Score: -1.00%

Function 0111EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0111EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E01072280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0111E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E0105F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0106FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0111AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0111BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E01077D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0110FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0106FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0111A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0111ea55
0x0111ea66
0x0111ea68
0x0111ea6c
0x0111ea6f
0x0111ea72
0x0111ea75
0x0111ea7a
0x0111ea7a
0x0111ea7e
0x0111ea80
0x0111ea85
0x0111ea8b
0x0111eab5
0x0111eabc
0x0111eabf
0x0111eabf
0x0111eaca
0x0111eace
0x0111ead0
0x0111eae4
0x0111eaeb
0x0111eaf0
0x0111eaf5
0x0111eb09
0x0111eb0d
0x0111eb1d
0x0111eb2d
0x0111eb38
0x0111eb3d
0x0111eb41
0x0111eb4a
0x0111eb60
0x0111eb4c
0x0111eb52
0x0111eb59
0x0111eb59
0x0111eb68
0x0111eb71
0x0111eb71
0x0111ea8d
0x0111ea8f
0x0111ea92
0x0111ea97
0x0111ea97
0x0111ea9b
0x0111ea9c
0x0111ea9e
0x0111eaa6
0x0111eaa6
0x0111eb7e

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: da6ba991ae440ff9039e21394415a23588dbb05720d0ff190a813ce654bf7d4a
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 4431A3726057069BC71ADF68C884A5BF7A9FFC4210F04492DF99687685EF30E805CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010D69A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E010D69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x114d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L01066C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E010D6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01099980() >= 0) {
							E01072280(_t56, 0x1148778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1148774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1148774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0105B6F0(0x103c338, 0x103c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01099520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E010995D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0106FFB0(_t68, _t77, 0x1148778);
				}
				_pop(_t78);
				return E0109B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x010d69b5
0x010d69be
0x010d69c3
0x010d69c9
0x010d69cc
0x010d69d1
0x010d69d3
0x010d69de
0x010d69e1
0x010d69ea
0x010d69f6
0x010d69fe
0x010d6a13
0x010d6a14
0x010d6a15
0x010d6a16
0x010d6a1e
0x010d6a26
0x010d6a31
0x010d6a36
0x010d6a37
0x010d6a40
0x010d6a49
0x010d6a4a
0x010d6a53
0x010d6a59
0x010d6a5d
0x010d6a5e
0x010d6a64
0x010d6a67
0x010d6a6a
0x010d6a6d
0x010d6a70
0x010d6a77
0x010d6a7d
0x010d6a86
0x010d6a89
0x010d6a9c
0x010d6a9f
0x010d6aa2
0x010d6aa5
0x010d6aaf
0x010d6ab1
0x010d6ab8
0x010d6ab9
0x010d6abb
0x010d6abe
0x010d6ac5
0x010d6ac5
0x010d6aaf
0x010d6a40
0x010d6a26
0x010d69fe
0x010d6ace
0x010d6ad0
0x010d6ad3
0x010d6ad8
0x010d6adf
0x010d6adf
0x010d6ae8
0x010d6aef
0x010d6aef
0x010d6af9
0x010d6b06

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174af9a0e1c34232cd48351c550ed615cba9ba87b0e05baab72920e43ede0138
Instruction ID: 2901e608d8d48bf39e56b03763713eef4060b2f1ff1a7ba4413166cedb6782d4
Opcode Fuzzy Hash: 174af9a0e1c34232cd48351c550ed615cba9ba87b0e05baab72920e43ede0138
Instruction Fuzzy Hash: 2F417CB1D00309AFDB24DFA9D940BFEBBF8EF48714F04816AE994A7240DB75A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01055210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01055210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E010552A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E010995D0();
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0106EB70(_t54, 0x11479a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E010995D0();
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0106EB70(_t54, 0x11479a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0109F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0106EB70(_t54, 0x11479a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E010995D0();
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x01055220
0x01055224
0x010b0d13
0x010b0d16
0x010b0d19
0x0105522a
0x0105522a
0x0105522d
0x0105522d
0x01055231
0x01055235
0x01055239
0x010b0d5c
0x010b0d62
0x00000000
0x00000000
0x010b0d6a
0x010b0d7b
0x010b0d7f
0x010b0d81
0x010b0d84
0x010b0d95
0x010b0d95
0x010b0d6c
0x010b0d71
0x010b0d71
0x010b0d9a
0x00000000
0x0105524a
0x0105524a
0x01055250
0x010b0d24
0x010b0d35
0x010b0d39
0x010b0d3b
0x010b0d3e
0x010b0d50
0x010b0d50
0x010b0d26
0x010b0d2b
0x010b0d2b
0x00000000
0x010b0d55
0x01055256
0x0105525b
0x01055265
0x010b0da7
0x0105526b
0x0105526e
0x01055272
0x010b0db1
0x010b0db4
0x010b0dc5
0x010b0dc5
0x01055272
0x01055278
0x0105527e
0x0105528a
0x0105528c
0x0105528d
0x00000000
0x01055280
0x01055282
0x01055288
0x0105529f
0x01055292
0x00000000
0x01055292
0x00000000
0x01055288
0x0105527e

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9efd9c7977cc4f091e3d0c33cc9bc47ef59afe259164dcb9c06346883adb18
Instruction ID: 2dcd50aae33b9196a32dc90887c3f1aab34a71c930bae4d4292cb3f35db440d4
Opcode Fuzzy Hash: fd9efd9c7977cc4f091e3d0c33cc9bc47ef59afe259164dcb9c06346883adb18
Instruction Fuzzy Hash: 16310631641601EBCB66AB18CC81BAF77B5FF607A0F114A59F9D54B5E4EB70E840C790

Uniqueness

Uniqueness Score: -1.00%

Function 01093D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01093D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E01067B60(0, _t61, 0x10311c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E01067B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = E01074620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01093d4c
0x01093d50
0x01093d55
0x01093d5e
0x010ce79a
0x00000000
0x010ce79a
0x01093d68
0x010ce789
0x01093d9d
0x01093da3
0x01093daf
0x01093db5
0x01093dbc
0x01093dc4
0x01093dc9
0x01093dce
0x010ce7ae
0x010ce7ae
0x01093dde
0x01093de2
0x01093de7
0x01093e0d
0x01093e13
0x01093e16
0x01093e1e
0x01093e25
0x01093e28
0x00000000
0x00000000
0x01093e2a
0x01093e2f
0x01093e37
0x01093e37
0x00000000
0x01093e37
0x01093e31
0x00000000
0x01093e31
0x01093e20
0x01093e20
0x01093e35
0x00000000
0x01093de9
0x01093de9
0x01093de9
0x01093dee
0x01093dfd
0x01093dff
0x01093e02
0x01093e05
0x01093e05
0x00000000
0x01093df0
0x01093de7
0x010ce78f
0x010ce794
0x01093d79
0x01093d84
0x01093d89
0x01093d8e
0x00000000
0x010ce7a4
0x01093d96
0x01093d9a
0x00000000
0x01093d9a
0x00000000
0x010ce794
0x01093d6e
0x01093d73
0x00000000
0x010ce7b5
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1355cc4b74370be825fc2ff79155614159de90fd572f844a1e8f3962208fb025
Instruction ID: 1cd051651601611f93168566d4d8195c713ad1f6f57b50ba3dbb5095fbc41c10
Opcode Fuzzy Hash: 1355cc4b74370be825fc2ff79155614159de90fd572f844a1e8f3962208fb025
Instruction Fuzzy Hash: B8319E31605615DBDB259F3DD461A6EBBE5FF4570070580AEE986CF390E630D840EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0107C182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0107C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E01077D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01128D34(_v8, _t80);
					}
					E01072280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0106FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01128833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0106FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0109B180();
						if(_a4 != 0) {
							E01072280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0107BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0107BB2D(_t16, _t15);
						E0107B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0106FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0106FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0106FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0107c18d
0x0107c18f
0x0107c191
0x0107c19b
0x0107c1a0
0x0107c1d4
0x0107c1de
0x010c2d6e
0x0107c1e4
0x0107c1e4
0x0107c1e4
0x0107c1ec
0x010c2d7d
0x010c2d7d
0x0107c1f3
0x0107c1ff
0x010c2d88
0x010c2d8d
0x010c2d94
0x010c2d94
0x010c2d9f
0x010c2da4
0x010c2dab
0x010c2db0
0x010c2db2
0x010c2db3
0x010c2db4
0x010c2dbc
0x010c2dc3
0x010c2dc3
0x0107c205
0x0107c205
0x0107c208
0x0107c20e
0x0107c211
0x0107c216
0x0107c219
0x0107c21f
0x0107c222
0x0107c22c
0x0107c234
0x0107c23a
0x0107c23f
0x0107c245
0x0107c24b
0x0107c251
0x0107c25a
0x0107c276
0x0107c27d
0x0107c27d
0x0107c25c
0x0107c25c
0x00000000
0x0107c25e
0x0107c1a4
0x0107c1aa
0x0107c1b3
0x0107c265
0x0107c26c
0x0107c26c
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: b23f696a1aaea682eb6859f126a7086bf032d1637408cb9eca1767863b242782
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: E7317A72E01547BEE704EBB4D590BEDFB98BF62204F0441AAC49C47201DB746A1ACBE4

Uniqueness

Uniqueness Score: -1.00%

Function 010D7016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E010D7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x114d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E010D6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E010D6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E01077D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01099AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0109B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = E01074620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x010d7016
0x010d701e
0x010d702b
0x010d7033
0x010d7037
0x010d703c
0x010d703e
0x010d7041
0x010d7045
0x010d704a
0x010d7050
0x010d7055
0x010d705a
0x010d7062
0x010d7062
0x010d705a
0x010d7064
0x010d7064
0x010d7067
0x010d7071
0x010d7096
0x010d709b
0x010d70a2
0x010d70a6
0x010d70a7
0x010d70ad
0x010d70b3
0x010d70b6
0x010d70bb
0x010d70c3
0x010d70c3
0x010d70c6
0x010d70cd
0x010d70dd
0x010d70e0
0x010d70e2
0x010d70e2
0x010d70ee
0x010d7101
0x010d70f0
0x010d70f9
0x010d70f9
0x010d710a
0x010d710e
0x010d7112
0x010d7117
0x010d7118
0x010d7118
0x010d70bb
0x010d711d
0x010d7123
0x010d7131
0x010d7131
0x010d7136
0x010d713d
0x010d713e
0x010d713f
0x010d714a
0x010d714a
0x010d7084
0x010d7088
0x00000000
0x010d708e
0x010d708e
0x010d7092
0x00000000
0x010d7092

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46184e10d72555c52bf91c8a91d222ea6583c88529128d5d3ea8b183d6a498da
Instruction ID: 26becf8d26700160594a99f473ff83406c31dc459c459170cd31fc88b0a222e8
Opcode Fuzzy Hash: 46184e10d72555c52bf91c8a91d222ea6583c88529128d5d3ea8b183d6a498da
Instruction Fuzzy Hash: 3D31A2766047519BC320DF6CC940AAAB7E9FF88704F044A69F9D587690E730E914CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 010853C5 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E010853C5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t56;
				unsigned int _t58;
				char _t63;
				unsigned int _t72;
				signed int _t77;
				intOrPtr _t79;
				void* _t80;

				_push(0x18);
				_push(0x112ff80);
				E010AD08C(__ebx, __edi, __esi);
				_t79 = __ecx;
				 *((intOrPtr*)(_t80 - 0x28)) = __ecx;
				 *((char*)(_t80 - 0x1a)) = 0;
				 *((char*)(_t80 - 0x19)) = 0;
				 *((intOrPtr*)(_t80 - 0x20)) = 0;
				 *((intOrPtr*)(_t80 - 4)) = 0;
				if(( *(__ecx + 0x40) & 0x75010f61) != 0 || ( *(__ecx + 0x40) & 0x00000002) == 0 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					_t47 = 0;
					_t63 = 1;
				} else {
					_t63 = 1;
					_t47 = 1;
				}
				if(_t47 == 0) {
					_t77 = 0xc000000d;
					goto L18;
				} else {
					E0106EEF0( *((intOrPtr*)(_t79 + 0xc8)));
					 *((char*)(_t80 - 0x19)) = _t63;
					if( *((char*)(_t79 + 0xda)) == 2) {
						_t47 =  *(_t79 + 0xd4);
					} else {
						_t47 = 0;
					}
					if(_t47 != 0) {
						_t77 = 0;
						goto L18;
					} else {
						if( *((intOrPtr*)(_t79 + 0xd8)) != 0) {
							_t77 = 0xc000001e;
							L18:
							 *((intOrPtr*)(_t80 - 0x20)) = _t77;
							L19:
							_t64 = 0xffff;
							L14:
							 *((intOrPtr*)(_t80 - 4)) = 0xfffffffe;
							E01085520(_t47, _t64, _t79);
							return E010AD0D1(_t77);
						}
						 *((short*)(_t79 + 0xd8)) = _t63;
						 *((char*)(_t80 - 0x1a)) = _t63;
						_t72 =  *0x1145cb4; // 0x4000
						_t69 = _t79;
						_t77 = E010855C8(_t79, (_t72 >> 3) + 2);
						 *((intOrPtr*)(_t80 - 0x20)) = _t77;
						if(_t77 < 0) {
							goto L19;
						}
						E01085539(_t79,  *((intOrPtr*)(_t79 + 0xb4)), _t69);
						 *(_t79 + 0xd4) =  *(_t79 + 0xd4) & 0x00000000;
						 *((char*)(_t79 + 0xda)) = 0;
						E0106EB70(_t79,  *((intOrPtr*)(_t79 + 0xc8)));
						 *((char*)(_t80 - 0x19)) = 0;
						_t71 = _t79;
						 *(_t80 - 0x24) = E01083C3E(_t79);
						E0106EEF0( *((intOrPtr*)(_t79 + 0xc8)));
						 *((char*)(_t80 - 0x19)) = _t63;
						_t56 =  *(_t80 - 0x24);
						if(_t56 == 0) {
							_t77 = 0xc0000017;
							 *((intOrPtr*)(_t80 - 0x20)) = 0xc0000017;
						} else {
							 *(_t79 + 0xd4) = _t56;
							 *((short*)(_t79 + 0xda)) = 0x202;
							if((E01084190() & 0x00010000) == 0) {
								_t58 =  *0x1145cb4; // 0x4000
								 *(_t79 + 0x6c) = _t58 >> 3;
							}
						}
						_t64 = 0xffff;
						 *((intOrPtr*)(_t79 + 0xd8)) =  *((intOrPtr*)(_t79 + 0xd8)) + 0xffff;
						 *((char*)(_t80 - 0x1a)) = 0;
						 *((char*)(_t80 - 0x19)) = 0;
						_t47 = E0106EB70(_t71,  *((intOrPtr*)(_t79 + 0xc8)));
						goto L14;
					}
				}
			}

0x010853c5
0x010853c7
0x010853cc
0x010853d1
0x010853d3
0x010853d8
0x010853db
0x010853de
0x010853e1
0x010853eb
0x010c70b0
0x010c70b4
0x0108540e
0x01085410
0x01085411
0x01085411
0x01085415
0x010c70ba
0x00000000
0x0108541b
0x01085421
0x01085426
0x01085432
0x010c70d3
0x01085438
0x01085438
0x01085438
0x0108543c
0x010c70de
0x00000000
0x01085442
0x01085449
0x010c70c1
0x010c70c6
0x010c70c6
0x010c70c9
0x010c70c9
0x0108550c
0x0108550c
0x01085513
0x0108551f
0x0108551f
0x0108544f
0x01085456
0x01085459
0x01085465
0x0108546c
0x0108546e
0x01085473
0x00000000
0x00000000
0x01085482
0x01085487
0x0108548e
0x0108549b
0x010854a0
0x010854a4
0x010854ab
0x010854b4
0x010854b9
0x010854bc
0x010854c1
0x010c70e2
0x010c70e7
0x010854c7
0x010854c7
0x010854cd
0x010854e0
0x010854e2
0x010854ea
0x010854ea
0x010854e0
0x010854ed
0x010854f2
0x010854f9
0x010854fd
0x01085507
0x00000000
0x01085507
0x0108543c

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d32eb6da93ddefe794e9879a4567c755c69b314cf630c4356056b7c0b880fd8
Instruction ID: a9386d8b08f136ed0ba629f8c70a8e35ddd5cd23cffc3f145bcad6ee6d656026
Opcode Fuzzy Hash: 7d32eb6da93ddefe794e9879a4567c755c69b314cf630c4356056b7c0b880fd8
Instruction Fuzzy Hash: B241E034A08746CBDB62DBB8C8107EFBAE2AF51704F24056ED0C6AB341DB755905CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 01103D40 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01103D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x114d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E01072280(_t34, 0x1148a6c);
				_t64 =  *0x1145768; // 0x771a5768
				if(_t64 != 0x1145768) {
					while(1) {
						_t8 = _t64 + 8; // 0x771a5770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E0106FFB0(_t53, _t64, 0x1148a6c);
						 *0x114b1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E01072280(_t45, 0x1148a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x1145768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E0106FFB0(_t51, _t64, 0x1148a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0109B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x01103d40
0x01103d48
0x01103d52
0x01103d59
0x01103d5d
0x01103d61
0x01103d63
0x01103d67
0x01103d69
0x01103d72
0x01103d76
0x01103d7a
0x01103d7f
0x01103d8b
0x01103d91
0x01103d91
0x01103d91
0x01103d94
0x01103d96
0x01103d9d
0x01103da1
0x01103db0
0x01103dba
0x01103dbc
0x01103dbc
0x01103dc6
0x01103dcb
0x01103dcf
0x01103dd1
0x01103dd4
0x00000000
0x00000000
0x01103dd9
0x01103e0c
0x01103e0c
0x01103e0f
0x01103ddb
0x01103ddb
0x01103de0
0x00000000
0x01103de2
0x01103de2
0x01103de4
0x01103de8
0x01103deb
0x01103df1
0x00000000
0x01103df3
0x01103df3
0x01103df5
0x01103df8
0x01103dfa
0x00000000
0x01103dfa
0x01103df1
0x01103de0
0x01103e11
0x01103e11
0x00000000
0x01103dfe
0x01103e04
0x01103e06
0x00000000
0x01103e06
0x00000000
0x01103e04
0x01103d91
0x01103e15
0x01103e1a
0x01103e1f
0x01103e1f
0x01103e23
0x01103e29
0x00000000
0x00000000
0x01103e2e
0x00000000
0x01103e30
0x01103e30
0x01103e35
0x00000000
0x01103e37
0x01103e3e
0x01103e42
0x01103e48
0x01103e4e
0x00000000
0x01103e4e
0x01103e35
0x00000000
0x01103e2e
0x01103e5b
0x01103e5c
0x01103e5d
0x01103e68
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e0d6c46f482f424c8985541045a250941a425869b1945b49c06c7aeb8bac6e
Instruction ID: 148516611b40277802b7b25507c50bb9612ad55b6f5abd6c52bae509d485c99f
Opcode Fuzzy Hash: 47e0d6c46f482f424c8985541045a250941a425869b1945b49c06c7aeb8bac6e
Instruction Fuzzy Hash: BA31DE71909302CFCB19CF18D58095ABBE1FF85A14F444A6EF4A89B281D370DD44CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 01053880 Relevance: .1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E01053880(intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				signed int _t28;
				signed int _t30;
				signed int* _t42;
				signed int _t45;
				signed int* _t46;
				void* _t47;

				_v20 = _v20 | 0xffffffff;
				_t28 = 0;
				_t42 = 0;
				_v24 = 0xfd050f80;
				_t46 = 0;
				_v16 = 0;
				_t45 = 0;
				_v12 = 0;
				_v8 = 0;
				_t47 =  *0x11484cc - _t28; // 0x0
				if(_t47 != 0) {
					E0107ECE0(_a12, _a8, 0, 0);
					_t30 = 0;
					L2:
					while(1) {
						do {
							L2:
							while(1) {
								if(_t46 != 0) {
									L5:
									_push(0x1030);
									_push(_t46);
									_push(_t45);
									_push(_t30);
									_push( &_v16);
									_push(_t42);
									if(E0109A3A0() >= 0) {
										_t43 = _t46;
										_t45 = E0105395E(_t46, 0);
										if(_t45 == 0x103) {
											_t42 = 0;
											_t30 = 0;
											_v16 = _v16 & 0;
											_t45 = 0;
											_v12 = _v12 & 0;
											_t46 = 0;
											_v8 = 0;
											continue;
										} else {
											break;
										}
										goto L9;
									}
								} else {
									_t46 = E01074620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t46, 0x1030);
									if(_t46 == 0) {
										_t28 = 0xc0000017;
									} else {
										_t30 = _v8;
										goto L5;
									}
								}
								if(_t28 != 0x8000001a) {
									_t28 = E0107ECE0(_a12, _a8,  &_v24, 0);
								}
								if(_t46 != 0) {
									return L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t46);
								}
								goto L9;
							}
							_t13 =  &(_t46[2]); // 0x8
							_t42 = _t13;
							_v16 =  *_t46;
							_v12 = _t46[1];
							_t30 = _t46[6];
							_v8 = _t30;
						} while (_t45 != 0xc000022d);
						E010E2D0B(_t43);
						_t30 = _v8;
						_t46 = 0;
					}
				}
				L9:
				return _t28;
			}

0x01053888
0x0105388c
0x0105388f
0x01053891
0x01053899
0x0105389b
0x0105389f
0x010538a1
0x010538a4
0x010538a7
0x010538ad
0x010538b7
0x010538bc
0x00000000
0x010538be
0x010538be
0x00000000
0x010538be
0x010538c0
0x010538e3
0x010538e3
0x010538e8
0x010538e9
0x010538ea
0x010538ee
0x010538ef
0x010538f7
0x01053924
0x0105392b
0x01053933
0x010affb7
0x010affb9
0x010affbb
0x010affbe
0x010affc0
0x010affc3
0x010affc5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01053933
0x010538c2
0x010538d6
0x010538da
0x010affdc
0x010538e0
0x010538e0
0x00000000
0x010538e0
0x010538da
0x010538fe
0x010afff2
0x010afff2
0x01053906
0x00000000
0x01053914
0x00000000
0x01053906
0x0105393b
0x0105393b
0x0105393e
0x01053944
0x01053947
0x0105394a
0x0105394d
0x010affcd
0x010affd2
0x010affd5
0x010affd5
0x010538be
0x0105391f
0x0105391f

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c03ef9ff2b052ba05b0f2db7d436aa01ffacc4defdc2b7da51e755a3a079c4
Instruction ID: c106321d731c01fa0051638c3ff71af70aff45cd65060149871d566118bb68e6
Opcode Fuzzy Hash: 63c03ef9ff2b052ba05b0f2db7d436aa01ffacc4defdc2b7da51e755a3a079c4
Instruction Fuzzy Hash: E031A472E0121AAFDB61DEA9C840AAFBBF8FF04790F014565E995DB250D6709E00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0111A189 Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0111A189(signed int __ecx, signed char __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* __ebx;
				void* __edi;
				intOrPtr _t29;
				intOrPtr* _t30;
				intOrPtr _t40;
				void* _t44;
				signed int _t50;
				intOrPtr* _t51;
				intOrPtr _t52;

				_v20 = __edx;
				_t50 = __ecx;
				if(__edx != 0) {
					E01072280(__edx, 0x1146220);
					_t42 = _t50;
					_t40 = E0111A166(_t50);
					if(_t40 != 0) {
						L15:
						E0106FFB0(_t40, _t50, 0x1146220);
						 *_v20 = _t40;
						return 0;
					}
					_t44 = E0111A166(_t42 ^ 0x00000100);
					if(_t44 != 0) {
						_v12 =  *((intOrPtr*)(_t44 + 4));
						_v8 =  *((intOrPtr*)(_t44 + 8));
						L7:
						_t51 = E01074620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x50);
						if(_t51 != 0) {
							_t10 = _t51 + 0xc; // 0xc
							_t40 = _t10;
							_t29 = E0110A708(_t50, _v12, _v8, _t40);
							_v16 = _t29;
							if(_t29 >= 0) {
								 *(_t51 + 8) = _t50;
								_t30 =  *0x11453d4; // 0x771a53d0
								if( *_t30 != 0x11453d0) {
									0x11453d0 = 3;
									asm("int 0x29");
								}
								 *_t51 = 0x11453d0;
								 *((intOrPtr*)(_t51 + 4)) = _t30;
								 *_t30 = _t51;
								 *0x11453d4 = _t51;
								goto L15;
							}
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t51);
							_t52 = _v16;
							L11:
							E0106FFB0(_t40, _t50, 0x1146220);
							return _t52;
						}
						_t52 = 0xc0000017;
						goto L11;
					}
					_push( &_v8);
					_push( &_v12);
					_push(_t44);
					_push(_t50 & 0xfffffeff);
					_push(0xc);
					_t52 = E0109A420();
					if(_t52 >= 0) {
						goto L7;
					}
					goto L11;
				}
				return 0xc00000f0;
			}

0x0111a194
0x0111a199
0x0111a19d
0x0111a1ae
0x0111a1b3
0x0111a1ba
0x0111a1be
0x0111a27e
0x0111a283
0x0111a28b
0x00000000
0x0111a28d
0x0111a1cf
0x0111a1d3
0x0111a1f8
0x0111a1fe
0x0111a201
0x0111a213
0x0111a217
0x0111a223
0x0111a223
0x0111a22c
0x0111a231
0x0111a236
0x0111a25b
0x0111a263
0x0111a26a
0x0111a26e
0x0111a26f
0x0111a26f
0x0111a271
0x0111a273
0x0111a276
0x0111a278
0x00000000
0x0111a278
0x0111a245
0x0111a24a
0x0111a24d
0x0111a252
0x00000000
0x0111a257
0x0111a219
0x00000000
0x0111a219
0x0111a1d8
0x0111a1dc
0x0111a1dd
0x0111a1e5
0x0111a1e6
0x0111a1ed
0x0111a1f1
0x00000000
0x00000000
0x00000000
0x0111a1f3
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b26fd5de38393f693ba3ba02f338b882c6554152fc5b1e604493e44ed48e3a0
Instruction ID: baf94c98dc5f869ad2c46cba73ca6c4e0a5ab5b98cf6d84ea416abefe7092342
Opcode Fuzzy Hash: 3b26fd5de38393f693ba3ba02f338b882c6554152fc5b1e604493e44ed48e3a0
Instruction Fuzzy Hash: 3A312131A01656EBCB2A9B98E840BAAFFB9EF55B14F100079F505EB344DBB0DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 010861A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E010861A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E01085E50(0x10367cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01129D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0105F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x010861b3
0x010861b5
0x010861bd
0x010861c3
0x010861c7
0x010861d2
0x010861ff
0x010861ff
0x01086201
0x01086207
0x01086207
0x010861d4
0x010861d9
0x00000000
0x00000000
0x010861df
0x010861e2
0x00000000
0x00000000
0x010861e6
0x010861e8
0x010861ee
0x010861ee
0x010861f9
0x010c762f
0x010c7632
0x010c7635
0x010c7639
0x010c7640
0x010c766e
0x010c7675
0x00000000
0x00000000
0x010c7681
0x010c7689
0x010c768d
0x010c7691
0x010c7695
0x010c7699
0x010c76af
0x010c76b5
0x010c76b7
0x010c76b7
0x010c76d7
0x010c76dc
0x00000000
0x010c76dc
0x010c76a2
0x010c76a9
0x010c7651
0x010c7653
0x010c7653
0x010c7656
0x010c7656
0x00000000
0x010c7656
0x010c7644
0x010c7646
0x010c7648
0x010c7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97be449a88affe17b4c1f43144aef1fd3c7f66208ed8b08ae45e0412f53c980a
Instruction ID: d8ae63a519a6631aa821a18d00e9b1c90f2880dabd3ac4cc34e44a7cdcc1d456
Opcode Fuzzy Hash: 97be449a88affe17b4c1f43144aef1fd3c7f66208ed8b08ae45e0412f53c980a
Instruction Fuzzy Hash: EA316B716097018FE7A0DF1DC800B2ABBE4FB88B00F0949ADE9D49B252E771D804CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0105AA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0105AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x114d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1147b9c; // 0x0
					_t53 = E01074620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0109B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0109F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L01066C59(_t53, _t51, _t58) != 0) {
							_t28 = E01085E50(0x103c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0108B230(_v32, _v28, 0x103c2d8, 1,  &_v24);
								_t28 = E0105F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0105aa25
0x0105aa29
0x0105aa2d
0x0105aa30
0x0105aa37
0x0105aa3c
0x010b4458
0x010b4458
0x010b4472
0x010b4474
0x010b4476
0x0105aa64
0x0105aa74
0x010b447c
0x010b4483
0x010b4492
0x0105aa52
0x0105aa54
0x0105aa5e
0x010b44a8
0x010b44ad
0x010b44af
0x010b44b6
0x010b44b6
0x010b44b9
0x010b44bc
0x010b44cd
0x010b44d3
0x010b44d6
0x010b44e1
0x010b44e1
0x010b44e6
0x010b44e8
0x010b44fb
0x010b44fb
0x010b44e8
0x00000000
0x0105aa5e
0x010b4476
0x0105aa42
0x0105aa46
0x0105aa48
0x0105aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e48fd5e7d31961c59e28e22acf421893dbc44da491a429509a9485f27a928df
Instruction ID: c4ba00940c428f075a77de01e27f9ac441672ce2c5e5d2132fb8f1e06e9c8a7c
Opcode Fuzzy Hash: 4e48fd5e7d31961c59e28e22acf421893dbc44da491a429509a9485f27a928df
Instruction Fuzzy Hash: 5E31F771A0021AEBCF15AF68CD81ABFB7B8FF04700F014069F982E7150EB789A11D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01094A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E01094A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x114d360 ^ _t62;
				_v8 =  *0x114d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E01072280(_t26, 0x1148608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0106FFB0(_t41, _t51, 0x1148608);
						L2:
						 *0x114b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0109B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E01072280(_t28, 0x1148608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0106FFB0(_t42, _t53, 0x1148608);
							if(_t53 != 0) {
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0106FFB0(_t41, _t51, 0x1148608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01094a2c
0x01094a34
0x01094a3c
0x01094a3e
0x01094a48
0x01094a4b
0x01094a4d
0x01094a51
0x01094a9c
0x00000000
0x00000000
0x01094aa3
0x01094aa8
0x01094aad
0x01094ab1
0x01094ade
0x01094ae3
0x01094a5a
0x01094a62
0x01094a6a
0x01094a6e
0x010cf203
0x01094a84
0x01094a88
0x01094a89
0x01094a8a
0x01094a95
0x01094a95
0x01094a79
0x01094a80
0x01094af2
0x01094af4
0x01094af9
0x01094aff
0x01094b01
0x01094b03
0x01094b08
0x010cf20a
0x010cf212
0x010cf216
0x010cf216
0x01094b08
0x01094b13
0x01094b1a
0x010cf229
0x010cf229
0x01094b1a
0x01094a82
0x00000000
0x01094a82
0x01094ab7
0x01094acd
0x01094acd
0x01094ad5
0x01094ada
0x00000000
0x01094ada
0x01094ac2
0x01094acb
0x00000000
0x00000000
0x00000000
0x01094acb
0x01094a53
0x01094a53
0x01094a58
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a5d616c81bb7ca1429f484897f09dd324eb361cce48a97f4efa6e270fc14d2
Instruction ID: 37bba1e3884cb8324a869080f47fc59a1fcc4399d8dbe5609c4865f3502e9bc8
Opcode Fuzzy Hash: 86a5d616c81bb7ca1429f484897f09dd324eb361cce48a97f4efa6e270fc14d2
Instruction Fuzzy Hash: EF3124326053119BCBA1DF58CA94B2EBBE5FF81B10F00456DE8D687641CB74D802DB86

Uniqueness

Uniqueness Score: -1.00%

Function 010578D6 Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E010578D6(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr* _v12;
				void* __ebp;
				void* _t29;
				void* _t56;
				intOrPtr _t58;
				signed int _t65;
				void* _t67;
				intOrPtr* _t69;
				void* _t71;

				_t57 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t69 = __ecx;
				_push(__edx);
				_v8 = __edx;
				_v12 = __ecx;
				if(E0106A860(__eflags) == 0) {
					_t29 = 0xc000000d;
				} else {
					_t56 =  *_t69;
					_t65 = 0x00000017 + ( *(__edx + 1) & 0x000000ff) * 0x00000004 & 0xfffffff8;
					_t32 =  *((intOrPtr*)(_t56 + 8)) + _t65;
					if( *((intOrPtr*)(_t56 + 8)) + _t65 < _t65) {
						_t29 = 0xc0000173;
					} else {
						_t71 = E01074620(_t57,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t32);
						if(_t71 == 0) {
							_t29 = 0xc000009a;
						} else {
							E0109F3E0(_t71, _t56,  *((intOrPtr*)(_t56 + 8)));
							 *((intOrPtr*)(_t71 + 8)) =  *((intOrPtr*)(_t56 + 8)) + _t65;
							 *((intOrPtr*)(_t71 + 4)) =  *((intOrPtr*)(_t56 + 4)) + 1;
							_t58 =  *((intOrPtr*)(_t56 + 8));
							 *((intOrPtr*)(_t58 + _t71)) = (0 | _a4 != 0x00000000) + 2;
							 *(_t58 + _t71 + 4) = _t65;
							E0109F3E0(_t58 + 8 + _t71, _v8, 8 + ( *(_v8 + 1) & 0x000000ff) * 4);
							_t67 = E01057672(_t71);
							if(_t67 < 0) {
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t71);
								_t29 = _t67;
							} else {
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
								 *_v12 = _t71;
								_t29 = 0;
							}
						}
					}
				}
				return _t29;
			}

0x010578d6
0x010578db
0x010578dc
0x010578e1
0x010578e3
0x010578e4
0x010578e7
0x010578f1
0x010b29b5
0x010578f7
0x010578fb
0x01057908
0x0105790b
0x0105790f
0x010b29bf
0x01057915
0x01057926
0x0105792a
0x010b29c9
0x01057930
0x01057935
0x01057942
0x01057949
0x01057951
0x0105795a
0x0105795d
0x01057974
0x01057983
0x01057987
0x010b29e0
0x010b29e5
0x0105798d
0x01057999
0x010579a1
0x010579a3
0x010579a3
0x01057987
0x0105792a
0x010579a5
0x010579ab

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
Instruction ID: 5e7cf42988cad76c5dd44f10f7759daef59dab492a163577b697940aa82a5402
Opcode Fuzzy Hash: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
Instruction Fuzzy Hash: E231E4B2600544AFD711DF59CC80F9ABBB9FF89650F188099E988CF351D635ED41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01059100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01059100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x112f6e8);
				E010AD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E011288F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E010AD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x11486c0; // 0xb207b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x11486b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E01072280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E011288F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0109AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x114b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x11484c0;
										if(_t69 >=  *0x11484c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01129063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0105922A(_t82);
							_t53 = E01077D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01128B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x11486c0; // 0xb207b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x11486b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x11486bc;
										_t72 = 0x11486b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E01059240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x11486c4;
									_t72 = 0x11486c0;
									L18:
									E01089B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x01059100
0x01059100
0x01059100
0x01059100
0x01059102
0x01059107
0x0105910c
0x01059110
0x01059115
0x01059136
0x01059143
0x010b37e4
0x010b37e4
0x01059149
0x0105914e
0x0105914e
0x01059117
0x0105911d
0x00000000
0x00000000
0x0105911f
0x01059125
0x00000000
0x01059151
0x01059158
0x0105915d
0x01059161
0x01059168
0x010b3715
0x00000000
0x0105916e
0x0105916e
0x01059175
0x01059177
0x0105917e
0x0105917f
0x01059182
0x01059182
0x01059187
0x01059187
0x0105918a
0x0105918d
0x0105918f
0x01059192
0x01059195
0x01059198
0x01059198
0x01059198
0x0105919a
0x00000000
0x00000000
0x010b371f
0x010b3721
0x010b3727
0x010b372f
0x010b3733
0x010b3735
0x010b3738
0x010b373b
0x010b373d
0x010b3740
0x00000000
0x00000000
0x010b3746
0x010b3749
0x00000000
0x00000000
0x010b374f
0x010b3751
0x00000000
0x00000000
0x010b3757
0x010b3759
0x010b375c
0x010b375c
0x010b375e
0x010b375e
0x010b3761
0x010b3764
0x00000000
0x00000000
0x010b3766
0x010b3768
0x010b37a3
0x010b37a3
0x010b37a5
0x010b37a7
0x010b37ad
0x010b37b0
0x010b37b2
0x010b37bc
0x010b37c2
0x010b37c2
0x010b37b2
0x01059187
0x01059187
0x0105918a
0x0105918d
0x0105918f
0x01059192
0x01059195
0x00000000
0x01059195
0x00000000
0x01059187
0x010b376a
0x010b376a
0x010b376c
0x010b376c
0x010b376f
0x010b3775
0x00000000
0x00000000
0x010b3777
0x010b3779
0x00000000
0x00000000
0x010b3782
0x010b3787
0x010b3789
0x010b3790
0x010b3790
0x010b378b
0x010b378b
0x010b378b
0x010b3792
0x010b3795
0x010b3795
0x010b3798
0x010b3798
0x010b379b
0x010b379b
0x010591a3
0x010591a9
0x010591b0
0x010591b4
0x010591b4
0x010591bb
0x010591c0
0x010591c5
0x010591c7
0x010b37da
0x010591cd
0x010591cd
0x010591cd
0x010591d2
0x010591d5
0x01059239
0x01059239
0x010591d7
0x010591db
0x010591e1
0x010591e7
0x010591fd
0x01059203
0x0105921e
0x01059223
0x00000000
0x01059223
0x01059205
0x01059208
0x0105920c
0x01059214
0x01059214
0x010591e9
0x010591e9
0x010591ee
0x010591f3
0x010591f3
0x010591f3
0x010591e7
0x00000000
0x010591db
0x01059187
0x01059168

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02c96c013c03c5fc713a04804712f00c00237d7703aff5a8acf39d5caf3e788
Instruction ID: 5e7ebd10e68761a2fb1f2c8bf7b79ec04a126f0d78f299f428bbfee66e06f2d9
Opcode Fuzzy Hash: b02c96c013c03c5fc713a04804712f00c00237d7703aff5a8acf39d5caf3e788
Instruction Fuzzy Hash: EA31E675A01255DFDBE5DFACC088BEEBBF1BB48358F18819DC99467241C334A980CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0108F527 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0108F527(void* __ecx, void* __edx, signed int* _a4) {
				char _v8;
				signed int _v12;
				void* __ebx;
				signed int _t28;
				signed int _t32;
				signed int _t34;
				signed char* _t37;
				intOrPtr _t38;
				intOrPtr* _t50;
				signed int _t53;
				void* _t69;

				_push(__ecx);
				_push(__ecx);
				_t69 = __ecx;
				_t53 =  *(__ecx + 0x10);
				_t50 = __ecx + 0x14;
				_t28 = _t53 + __edx;
				_v12 = _t28;
				if(_t28 >  *_t50) {
					_v8 = _t28 -  *_t50;
					_push(E01080678( *((intOrPtr*)(__ecx + 0xc)), 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push(_t50);
					_push(0xffffffff);
					_t32 = E01099660();
					__eflags = _t32;
					if(_t32 < 0) {
						 *_a4 =  *_a4 & 0x00000000;
						L2:
						return _t32;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) =  *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1e8)) + _v8;
					_t34 = E01077D50();
					_t66 = 0x7ffe0380;
					__eflags = _t34;
					if(_t34 != 0) {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					} else {
						_t37 = 0x7ffe0380;
					}
					__eflags =  *_t37;
					if( *_t37 != 0) {
						_t38 =  *[fs:0x30];
						__eflags =  *(_t38 + 0x240) & 0x00000001;
						if(( *(_t38 + 0x240) & 0x00000001) == 0) {
							goto L7;
						}
						__eflags = E01077D50();
						if(__eflags != 0) {
							_t66 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E01111582(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, __eflags, _v8,  *( *((intOrPtr*)(_t69 + 0xc)) + 0x74) << 3,  *_t66 & 0x000000ff);
						E0111138A(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, _v8, 9);
						goto L7;
					} else {
						L7:
						 *_t50 =  *_t50 + _v8;
						_t53 =  *(_t69 + 0x10);
						goto L1;
					}
				}
				L1:
				 *_a4 = _t53;
				 *(_t69 + 0x10) = _v12;
				_t32 = 0;
				goto L2;
			}

0x0108f52c
0x0108f52d
0x0108f530
0x0108f533
0x0108f536
0x0108f539
0x0108f53c
0x0108f541
0x0108f561
0x0108f569
0x0108f56a
0x0108f572
0x0108f573
0x0108f575
0x0108f576
0x0108f578
0x0108f57d
0x0108f57f
0x0108f5b7
0x0108f550
0x0108f556
0x0108f556
0x0108f587
0x0108f58d
0x0108f592
0x0108f597
0x0108f599
0x010cbcc9
0x0108f59f
0x0108f59f
0x0108f59f
0x0108f5a1
0x0108f5a4
0x010cbcd3
0x010cbcd9
0x010cbce0
0x00000000
0x00000000
0x010cbceb
0x010cbced
0x010cbcf8
0x010cbcf8
0x010cbcf8
0x010cbd11
0x010cbd20
0x00000000
0x0108f5aa
0x0108f5aa
0x0108f5ad
0x0108f5af
0x00000000
0x0108f5af
0x0108f5a4
0x0108f543
0x0108f546
0x0108f54b
0x0108f54e
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: f54e740b44c5268b13a34d3b851014bd70ecd0f5ffcba949dfa08002c83172d5
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: 2E319A31604649EFD721DF68C884F6AB7F9EF44354F1005A9EA958B290E730EE01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01081DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01081DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0107F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = E01074620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0107F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x01081dc2
0x01081dc5
0x01081dc7
0x01081dcc
0x01081dce
0x01081dd6
0x01081ddf
0x01081de0
0x01081de1
0x01081de5
0x01081de8
0x01081def
0x01081df0
0x01081df6
0x01081df7
0x01081dfe
0x01081e1a
0x00000000
0x00000000
0x01081e0b
0x01081e12
0x01081e12
0x01081e00
0x01081e00
0x01081e05
0x01081e1e
0x01081e23
0x010c570f
0x010c5713
0x00000000
0x00000000
0x010c5719
0x010c5719
0x01081e2c
0x01081e2d
0x01081e2e
0x01081e2f
0x01081e31
0x01081e32
0x01081e35
0x01081e3d
0x010c5723
0x010c573d
0x010c573d
0x00000000
0x010c5723
0x01081e49
0x01081e4e
0x01081e4e
0x01081e09
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 1eef81219ed4e87e000a10cd038c0e974f6db807d86e7d042a8a038e05e68570
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: E0218D72A04519EFD721DF99CC80EAABBB9FF89740F114095EA8197250D670AE02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01078D76 Relevance: .1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01078D76(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				signed int _t24;
				intOrPtr* _t26;
				char* _t27;
				intOrPtr* _t32;
				char* _t33;
				signed char _t43;
				signed char _t44;
				signed char _t52;
				void* _t56;
				intOrPtr* _t57;

				_t56 = __edx;
				_t57 = __ecx;
				if(( *(__edx + 0x10) & 0x0000ffff) == 0) {
					L14:
					_t52 = 0;
				} else {
					_t52 = 1;
					if(( *0x11484b4 & 0x00000004) == 0) {
						_t24 =  *(__ecx + 0x5c) & 0x0000ffff;
						if(_t24 > 0x70 ||  *((intOrPtr*)(__ecx + 0x50)) < ( *(0x103ade8 + _t24 * 2) & 0x0000ffff) << 4) {
							goto L2;
						} else {
							asm("sbb bl, bl");
							_t44 = _t43 & 1;
							goto L3;
						}
						goto L10;
					} else {
						L2:
						_t44 = 0;
					}
					L3:
					_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t26 != 0) {
						if( *_t26 == 0) {
							goto L4;
						} else {
							_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							goto L5;
						}
						L23:
					} else {
						L4:
						_t27 = 0x7ffe038a;
					}
					L5:
					if( *_t27 != 0) {
						L21:
						if(_t44 != 0) {
							E01111751(_t44,  *((intOrPtr*)( *((intOrPtr*)( *_t57 + 0xc)) + 0xc)),  *((intOrPtr*)(_t56 + 4)),  *(_t57 + 0x5c) & 0x0000ffff);
							_t52 = 1;
							goto L9;
						}
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
						if(_t32 != 0) {
							if( *_t32 == 0) {
								goto L7;
							} else {
								_t33 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								goto L8;
							}
							goto L23;
						} else {
							L7:
							_t33 = 0x7ffe0380;
						}
						L8:
						if( *_t33 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
								goto L9;
							} else {
								goto L21;
							}
						} else {
							L9:
							if(_t44 != 0) {
								goto L14;
							}
						}
					}
				}
				L10:
				return _t52;
				goto L23;
			}

0x01078d7b
0x01078d7d
0x01078d89
0x01078e01
0x01078e01
0x01078d8b
0x01078d8d
0x01078d95
0x01078de1
0x01078de8
0x00000000
0x01078dfc
0x010c0592
0x010c0594
0x00000000
0x010c0594
0x00000000
0x01078d97
0x01078d97
0x01078d97
0x01078d97
0x01078d99
0x01078d9f
0x01078da4
0x010c059e
0x00000000
0x010c05a4
0x010c05ad
0x00000000
0x010c05ad
0x00000000
0x01078daa
0x01078daa
0x01078daa
0x01078daa
0x01078daf
0x01078db2
0x010c05e6
0x010c05e8
0x010c05fe
0x010c0605
0x00000000
0x010c0605
0x01078db8
0x01078dbe
0x01078dc3
0x010c05ba
0x00000000
0x010c05c0
0x010c05c9
0x00000000
0x010c05c9
0x00000000
0x01078dc9
0x01078dc9
0x01078dc9
0x01078dc9
0x01078dce
0x01078dd1
0x010c05e0
0x00000000
0x00000000
0x00000000
0x00000000
0x01078dd7
0x01078dd7
0x01078dd9
0x00000000
0x00000000
0x01078dd9
0x01078dd1
0x01078db2
0x01078ddd
0x01078de0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a151618bd9bfa9ad1a939a3ecea2c6698f020cb452e547e9e0f573e4f1eeb33
Instruction ID: a5c06e39db87d095e9cbb2d093b0bda855373df97a173b6a2b6f540a1fa64f5b
Opcode Fuzzy Hash: 3a151618bd9bfa9ad1a939a3ecea2c6698f020cb452e547e9e0f573e4f1eeb33
Instruction Fuzzy Hash: 5721D238601A80CFE3A59B2CC098B7A77E4EB51704F088497E9C28B651D328EC81CA24

Uniqueness

Uniqueness Score: -1.00%

Function 01070050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01070050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x114d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E01089ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0109B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01128A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E01089702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x114b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x01070055
0x0107005d
0x01070062
0x0107006c
0x0107006f
0x01070074
0x0107007a
0x0107007a
0x01070080
0x01070080
0x01070087
0x0107008d
0x0107008f
0x01070093
0x01070095
0x0107009b
0x010700f8
0x010700fb
0x010700fc
0x010700ff
0x01070108
0x01070108
0x010700a2
0x010700a6
0x010700b3
0x010700bc
0x010700c5
0x010700ca
0x010bc01e
0x00000000
0x00000000
0x010bc02d
0x010700d5
0x010700d9
0x010bc03d
0x010bc046
0x010bc046
0x010700df
0x010700e2
0x010700ea
0x010700ef
0x010700f2
0x010700f6
0x01070111
0x01070117
0x01070117
0x00000000
0x010700f6
0x010700d0
0x010700d0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a15368fa9e910bc3a0f90f813910679c874777539a24019282267d01ebd5518
Instruction ID: 40be226d24e96bf0136a292c1edd605ffec2151922c3c411591bd267bbc66cd8
Opcode Fuzzy Hash: 1a15368fa9e910bc3a0f90f813910679c874777539a24019282267d01ebd5518
Instruction Fuzzy Hash: C731BF31601B04CFDB66CF28C840B9AB7E5FF89724F1446ADF59687A94DB35A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010FCD04 Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E010FCD04(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t44;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t57;
				signed char _t60;
				intOrPtr _t66;
				signed int _t68;
				signed int _t70;
				void* _t72;

				_t66 = __edx;
				_push(0x24);
				_push(0x1130c68);
				E010AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t72 - 0x2c)) = __edx;
				 *((intOrPtr*)(_t72 - 0x20)) = __ecx;
				_t44 =  *[fs:0x30];
				 *((intOrPtr*)(_t72 - 0x28)) = _t44;
				_t70 = 0;
				 *((intOrPtr*)(_t72 - 0x30)) = 0;
				_t60 =  *(_t72 + 8);
				if((_t60 & 0x00000001) == 0) {
					E0106EEF0(0x1146620);
					_t44 =  *((intOrPtr*)(_t72 - 0x28));
					_t66 =  *((intOrPtr*)(_t72 - 0x2c));
				}
				 *(_t72 - 4) = _t70;
				_t68 = _t70;
				 *(_t72 - 0x24) = _t68;
				while(_t68 <  *((intOrPtr*)(_t44 + 0x88))) {
					 *0x114b1e0( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x90)) + _t68 * 4)), _t66);
					_t57 =  *((intOrPtr*)(_t72 - 0x20))();
					 *((intOrPtr*)(_t72 - 0x30)) = _t57;
					if(_t57 >= 0) {
						_t68 = _t68 + 1;
						 *(_t72 - 0x24) = _t68;
						_t44 =  *((intOrPtr*)(_t72 - 0x28));
						_t66 =  *((intOrPtr*)(_t72 - 0x2c));
						continue;
					}
					L15:
					 *(_t72 - 4) = 0xfffffffe;
					E010FCDFD(_t60);
					return E010AD130(_t60, _t68, _t70);
				}
				if((_t60 & 0x00000002) != 0) {
					_t68 = _t70;
					while(1) {
						 *(_t72 - 0x24) = _t68;
						if(_t68 >= ( *0x1148498 & 0x0000ffff)) {
							goto L11;
						}
						_t52 =  *0x11456f4; // 0x771a6640
						 *0x114b1e0( *((intOrPtr*)(_t52 + _t68 * 4)), _t66);
						_t54 =  *((intOrPtr*)(_t72 - 0x20))();
						 *((intOrPtr*)(_t72 - 0x30)) = _t54;
						if(_t54 >= 0) {
							_t68 = _t68 + 1;
							_t66 =  *((intOrPtr*)(_t72 - 0x2c));
							continue;
						}
						goto L15;
					}
					while(1) {
						L11:
						 *(_t72 - 0x24) = _t70;
						if(_t70 >= 3) {
							goto L15;
						}
						_t49 =  *((intOrPtr*)(0x114a724 + _t70 * 8));
						 *((intOrPtr*)(_t72 - 0x28)) = _t49;
						if(_t49 == 0) {
							L14:
							_t70 =  *(_t72 - 0x24) + 1;
							_t66 =  *((intOrPtr*)(_t72 - 0x2c));
							continue;
						} else {
							 *0x114b1e0(_t49, _t66);
							_t51 =  *((intOrPtr*)(_t72 - 0x20))();
							 *((intOrPtr*)(_t72 - 0x30)) = _t51;
							if(_t51 >= 0) {
								goto L14;
							}
						}
						goto L15;
					}
				}
				goto L15;
			}

0x010fcd04
0x010fcd04
0x010fcd06
0x010fcd0b
0x010fcd10
0x010fcd13
0x010fcd16
0x010fcd1c
0x010fcd1f
0x010fcd21
0x010fcd24
0x010fcd2a
0x010fcd31
0x010fcd39
0x010fcd3c
0x010fcd3c
0x010fcd3f
0x010fcd42
0x010fcd44
0x010fcd47
0x010fcd59
0x010fcd5f
0x010fcd62
0x010fcd67
0x010fcd69
0x010fcd6a
0x010fcd70
0x010fcd73
0x00000000
0x010fcd73
0x010fcde3
0x010fcde3
0x010fcdea
0x010fcdf7
0x010fcdf7
0x010fcd7b
0x010fcd7d
0x010fcd7f
0x010fcd7f
0x010fcd8b
0x00000000
0x00000000
0x010fcd8e
0x010fcd96
0x010fcd9c
0x010fcd9f
0x010fcda4
0x010fcda6
0x010fcdaa
0x00000000
0x010fcdaa
0x00000000
0x010fcda4
0x010fcdaf
0x010fcdaf
0x010fcdaf
0x010fcdb5
0x00000000
0x00000000
0x010fcdb7
0x010fcdbe
0x010fcdc3
0x010fcdd7
0x010fcdda
0x010fcdde
0x00000000
0x010fcdc5
0x010fcdc7
0x010fcdcd
0x010fcdd0
0x010fcdd5
0x00000000
0x00000000
0x010fcdd5
0x00000000
0x010fcdc3
0x010fcdaf
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b0fc6b0d6d178b85e82ab6801fff4974cf965ffad79964da4006a15fcad7cb
Instruction ID: 12904ccded2432546f4f22ae4f37905b19b2399aef357d8e146eb93348654070
Opcode Fuzzy Hash: e5b0fc6b0d6d178b85e82ab6801fff4974cf965ffad79964da4006a15fcad7cb
Instruction Fuzzy Hash: 60310674E1021D9BDB14EFA8C946EECBBF5BF88610F184169EA41B7651C7309840CF60

Uniqueness

Uniqueness Score: -1.00%

Function 010D6C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010D6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E01077D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1147b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = E01074620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0109F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E01077D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01099AE0();
						_t23 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x010d6c0a
0x010d6c0f
0x010d6c10
0x010d6c13
0x010d6c15
0x010d6c19
0x010d6c1c
0x010d6c21
0x010d6c28
0x010d6c3a
0x010d6c2a
0x010d6c33
0x010d6c33
0x010d6c3f
0x010d6c48
0x010d6c4d
0x010d6c60
0x010d6c65
0x010d6c69
0x010d6c73
0x010d6c79
0x010d6c7f
0x010d6c86
0x010d6c90
0x010d6c94
0x010d6ca6
0x010d6cb2
0x010d6cbd
0x010d6cbd
0x010d6cc3
0x010d6cc7
0x010d6ccb
0x010d6cd0
0x010d6cd1
0x010d6ce2
0x010d6ce2
0x010d6c69
0x010d6ced

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f846fa0471797272095a6741b194064404cde77b35040a8c08d629c88ae04b
Instruction ID: 5ed011516e13294959a86cf8c2d9fb4437a206159fb9e6d246d3c9b9a1458246
Opcode Fuzzy Hash: c1f846fa0471797272095a6741b194064404cde77b35040a8c08d629c88ae04b
Instruction Fuzzy Hash: 1D21ABB1A00649AFD715DB68D880E6AB7B8FF48740F0440A9F948C7791E635ED10CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0112F1B5 Relevance: .1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0112F1B5(intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, void* _a8, intOrPtr* _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _t26;
				intOrPtr* _t32;
				intOrPtr* _t34;
				void* _t36;
				void* _t38;
				void* _t39;

				_v8 = _v8 & 0x00000000;
				_t32 = _a12;
				_v12 = __edx;
				_v16 = __ecx;
				if(_t32 != 0) {
					_t38 =  *_t32 + 0xc;
					_t36 = E01074620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t38);
					if(_t36 != 0) {
						_t39 =  *0x1036cd4(_v16, _v12, 2, _t36, _t38,  &_v8);
						if(_t39 < 0) {
							L12:
							if(_t39 == 0x80000005 || _t39 == 0xc0000023) {
								L14:
								_t39 = 0xc0000023;
								 *_t32 =  *((intOrPtr*)(_t36 + 8));
								goto L15;
							} else {
								L15:
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
								return _t39;
							}
						}
						_t26 =  *((intOrPtr*)(_t36 + 8));
						if(_t26 != 0) {
							if(_t26 >  *_t32) {
								goto L14;
							}
							 *_t32 = _t26;
							if(_a8 != 0) {
								_t12 = _t36 + 0xc; // 0xc
								E0109F3E0(_a8, _t12, _t26);
							}
							_t34 = _a4;
							if(_t34 != 0) {
								 *_t34 =  *((intOrPtr*)(_t36 + 4));
							}
							goto L12;
						}
						_t39 = 0xc000000d;
						goto L15;
					}
					return 0xc000009a;
				}
				return 0xc000000d;
			}

0x0112f1bd
0x0112f1c2
0x0112f1c5
0x0112f1c8
0x0112f1cf
0x0112f1e3
0x0112f1f1
0x0112f1f5
0x0112f212
0x0112f216
0x0112f24e
0x0112f254
0x0112f25e
0x0112f261
0x0112f266
0x00000000
0x0112f268
0x0112f268
0x0112f274
0x00000000
0x0112f279
0x0112f254
0x0112f218
0x0112f21d
0x0112f228
0x00000000
0x00000000
0x0112f22e
0x0112f230
0x0112f233
0x0112f23a
0x0112f23f
0x0112f242
0x0112f247
0x0112f24c
0x0112f24c
0x00000000
0x0112f247
0x0112f21f
0x00000000
0x0112f21f
0x00000000
0x0112f1f7
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c46d762a92e981359495fdd8a6ac9f5be70f3c5b027e980f93a203346577ef
Instruction ID: b75041d8200bfc0ec7d75bce5c937f06d8900a0024e6e5767fb239f27af42373
Opcode Fuzzy Hash: 82c46d762a92e981359495fdd8a6ac9f5be70f3c5b027e980f93a203346577ef
Instruction Fuzzy Hash: 4821D03AA00626AFDB299F49D884F9ABBB8FF47750F014065E9049B250D335ED22CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01054A20 Relevance: .1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E01054A20(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				void* __ebp;
				char* _t21;
				void* _t32;
				intOrPtr* _t34;
				intOrPtr _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t40;
				void* _t50;

				if(E01077D50() != 0) {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t21 = 0x7ffe0386;
				}
				_t40 = _a4;
				if( *_t21 != 0) {
					E01129BBE(_t40,  *((intOrPtr*)(_t40 + 0x20)),  *((intOrPtr*)(_t40 + 0x24)),  *((intOrPtr*)(_t40 + 0x34)));
				}
				if(_a8 == 0 && ( *(_t40 + 0x1c) & 0x000000c0) != 0) {
					_push(2);
					_pop(0);
				}
				_t34 =  *((intOrPtr*)(_t40 + 0x14));
				_t36 =  *0x11486b8; // 0x0
				if(_t34 == 0) {
					_t34 = _t36;
					if(0 == 0) {
						_t34 =  *0x11486c0; // 0xb207b0
					}
				}
				_t50 = _t34 -  *0x11486c0; // 0xb207b0
				if(_t50 != 0) {
					__eflags = _t34 - _t36;
					if(__eflags != 0) {
						__eflags = 0xffffffff;
						asm("lock xadd [ecx], eax");
						if(0xffffffff == 0) {
							E01059240(_t32, _t34, _t38, _t40, 0xffffffff);
						}
						L11:
						if( *((intOrPtr*)(_t40 + 0x18)) != 0) {
							_push( *((intOrPtr*)(_t40 + 0x18)));
							E010995D0();
						}
						if( *((intOrPtr*)(_t40 + 0x28)) != 0xffffffff) {
							E01089B10( *((intOrPtr*)(_t40 + 0x28)));
						}
						if( *((intOrPtr*)(_t40 + 0x2c)) != 0) {
							E01060840(_t34,  *((intOrPtr*)(_t40 + 0x2c)));
						}
						return L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t40);
					}
					_t37 = 0x11486bc;
					_t34 = 0x11486b8;
					L10:
					E01089B82(_t32, _t34, _t37, _t38, _t40, _t50);
					goto L11;
				}
				_t37 = 0x11486c4;
				_t34 = 0x11486c0;
				goto L10;
			}

0x01054a31
0x010b0a89
0x01054a37
0x01054a37
0x01054a37
0x01054a3f
0x01054a42
0x010b0a9e
0x010b0a9e
0x01054a4d
0x01054abf
0x01054ac1
0x01054ac1
0x01054a55
0x01054a58
0x01054a60
0x01054a62
0x01054a66
0x01054a68
0x01054a68
0x01054a66
0x01054a6e
0x01054a74
0x010b0aa8
0x010b0aaa
0x010b0abb
0x010b0abe
0x010b0ac2
0x010b0ac8
0x010b0ac8
0x01054a89
0x01054a8d
0x010b0ad2
0x010b0ad5
0x010b0ad5
0x01054a97
0x010b0ae2
0x010b0ae2
0x01054aa1
0x010b0aef
0x010b0aef
0x01054abc
0x01054abc
0x010b0aac
0x010b0ab1
0x01054a84
0x01054a84
0x00000000
0x01054a84
0x01054a7a
0x01054a7f
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605ca09aedc0d7fff75ee644a6196e5311786b657023d232ed50e0edfcc0f683
Instruction ID: a96159438b1192bdea997bb60965c71fd484649fe847f2b1f5a4383e936d1c5d
Opcode Fuzzy Hash: 605ca09aedc0d7fff75ee644a6196e5311786b657023d232ed50e0edfcc0f683
Instruction Fuzzy Hash: EA213831600601DFCFF6AA68C950BAB77F5FB50624F104B69E8D6865E5F730A8C1CB85

Uniqueness

Uniqueness Score: -1.00%

Function 010990AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E010990AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E010AD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0108E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = E01074620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0109F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0108A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x010990af
0x010990b8
0x010990bb
0x010990bf
0x010990c2
0x010990c2
0x010990c8
0x010990cb
0x010990cd
0x010d14d7
0x010d14eb
0x010d14eb
0x00000000
0x010d14eb
0x010d14db
0x010d14e6
0x00000000
0x010d14f2
0x010d14e8
0x00000000
0x010d14e8
0x010990d8
0x010990da
0x010990dd
0x010990e5
0x00000000
0x01099139
0x010990fa
0x010990fe
0x01099142
0x00000000
0x01099142
0x01099104
0x01099107
0x0109910b
0x01099110
0x01099118
0x01099147
0x01099148
0x0109914f
0x01099150
0x01099151
0x01099152
0x01099156
0x0109915d
0x01099160
0x01099168
0x0109916c
0x010991bc
0x010991be
0x00000000
0x010991be
0x0109916e
0x01099173
0x01099176
0x00000000
0x00000000
0x0109917c
0x01099180
0x010991b5
0x00000000
0x010991b5
0x01099182
0x01099185
0x01099189
0x00000000
0x00000000
0x0109918e
0x01099190
0x01099198
0x00000000
0x00000000
0x010991a0
0x00000000
0x010991ad
0x010991ad
0x010991b0
0x010991b1
0x00000000
0x01099185
0x0109911a
0x0109911c
0x0109911f
0x01099125
0x01099127
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 972fbd6d8e33f7a4fe304406287f2343a6c571b6aa63b9eb3781d5fb86c4d796
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 8C217CB1A00305EFDB21DF59C844AAABBF8FB54314F1488AEE989A7210D730AD009B90

Uniqueness

Uniqueness Score: -1.00%

Function 01083B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01083B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x11484c4; // 0x0
				_v12 = 1;
				_v8 =  *0x11484c0 * 0x4c;
				_t41 = __ecx;
				_t35 = E01074620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x11484c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0109AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0109FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x11484c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x11484c4; // 0x0
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x01083b89
0x01083b96
0x01083ba1
0x01083bab
0x01083bb5
0x01083bb9
0x010c6298
0x01083bbf
0x01083bc2
0x01083bc3
0x01083bc9
0x01083bca
0x01083bcc
0x01083bcd
0x01083bd4
0x01083bd6
0x01083bdb
0x01083bea
0x01083bf7
0x01083bfb
0x01083bff
0x01083c09
0x01083c0a
0x01083c0b
0x01083c0f
0x01083c14
0x01083c18
0x01083c18
0x01083bfb
0x01083c1b
0x01083c30
0x01083c30
0x01083c3d

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7982adf6799bf78d7813de3a1d4865b0cab54b0778ef2289149527b12687affa
Instruction ID: b2ee6262679b703bf0d371e87f7a997fc619794e77c0680c2ca99eaf4ffd2b89
Opcode Fuzzy Hash: 7982adf6799bf78d7813de3a1d4865b0cab54b0778ef2289149527b12687affa
Instruction Fuzzy Hash: 61218072A00109AFC714EF98CD81B9EBBBDFB44B48F190068E644AB251D771ED41DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01054B94 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01054B94(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t41;
				signed int _t42;
				intOrPtr* _t46;
				intOrPtr* _t47;
				signed short _t50;
				intOrPtr _t51;
				signed int _t52;
				signed int _t54;
				intOrPtr _t56;
				signed int _t57;
				intOrPtr _t58;
				intOrPtr* _t59;

				_t58 = __ecx;
				_t56 =  *[fs:0x30];
				_v20 = __ecx;
				_v16 = _t56;
				if( *((intOrPtr*)(__ecx + 8)) == 0xddeeddee) {
					_t50 =  *(__ecx + 0x24) & 0x0000ffff;
				} else {
					_t50 =  *(__ecx + 0x7c) & 0x0000ffff;
				}
				_t38 =  *(_t56 + 0x88);
				if(_t38 == 0 || _t50 == 0) {
					L8:
					return _t38;
				} else {
					_t54 = _t50 & 0x0000ffff;
					if(_t54 > _t38) {
						goto L8;
					}
					_t51 =  *((intOrPtr*)(_t56 + 0x90));
					_v8 = _t38;
					_t46 = _t51 + _t54 * 4;
					_v12 = _t46;
					_t47 = _t46 + 0xfffffffc;
					_t11 =  &_v8;
					 *_t11 = _v8 - _t54;
					if( *_t11 != 0) {
						_t59 = _v12;
						_t57 = _v8;
						do {
							_t39 =  *_t59;
							_t59 = _t59 + 4;
							 *_t47 = _t39;
							if( *((intOrPtr*)(_t39 + 8)) == 0xddeeddee) {
								_t52 =  *(_t39 + 0x24) & 0x0000ffff;
							} else {
								_t52 =  *(_t39 + 0x7c) & 0x0000ffff;
							}
							E01054C73(_t39, _t52, _t52 - 1);
							_t41 =  *_t47;
							if( *((intOrPtr*)(_t41 + 8)) == 0xddeeddee) {
								 *((intOrPtr*)(_t41 + 0x24)) =  *((intOrPtr*)(_t41 + 0x24)) + 0xffff;
							} else {
								 *((intOrPtr*)(_t41 + 0x7c)) =  *((intOrPtr*)(_t41 + 0x7c)) + 0xffff;
							}
							_t47 = _t47 + 4;
							_t57 = _t57 - 1;
						} while (_t57 != 0);
						_t56 = _v16;
						_t58 = _v20;
						_t38 =  *(_t56 + 0x88);
						_t51 =  *((intOrPtr*)(_t56 + 0x90));
					}
					_t42 = _t38 - 1;
					 *(_t56 + 0x88) = _t42;
					 *(_t51 + _t42 * 4) =  *(_t51 + _t42 * 4) & 0x00000000;
					if( *((intOrPtr*)(_t58 + 8)) == 0xddeeddee) {
						 *((short*)(_t58 + 0x24)) = 0;
						return 0;
					}
					 *((short*)(_t58 + 0x7c)) = 0;
					return 0;
				}
			}

0x01054b9d
0x01054ba0
0x01054ba7
0x01054bb1
0x01054bb4
0x010b0b4d
0x01054bba
0x01054bba
0x01054bba
0x01054bbe
0x01054bc6
0x01054c0c
0x01054c0c
0x01054bcd
0x01054bcd
0x01054bd2
0x00000000
0x00000000
0x01054bd4
0x01054bdb
0x01054bde
0x01054be1
0x01054be4
0x01054be7
0x01054be7
0x01054bea
0x01054c0d
0x01054c10
0x01054c13
0x01054c13
0x01054c15
0x01054c18
0x01054c21
0x01054c5f
0x01054c23
0x01054c23
0x01054c23
0x01054c2a
0x01054c2f
0x01054c3d
0x01054c65
0x01054c3f
0x01054c3f
0x01054c3f
0x01054c43
0x01054c46
0x01054c46
0x01054c4b
0x01054c4e
0x01054c51
0x01054c57
0x01054c57
0x01054bec
0x01054bed
0x01054bf4
0x01054bff
0x01054c6d
0x00000000
0x01054c6d
0x01054c03
0x00000000
0x01054c03

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction ID: 6e40eb8e58865f245cd20971a9450c578286442113181006f2ca029ef09220a6
Opcode Fuzzy Hash: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction Fuzzy Hash: EB31BD35900629DFD7E8CF68C4846BABBF4FF84210F1586A9CCA9D7660F770A980CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010628AE Relevance: .1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010628AE(signed int __edx) {
				void* _t14;
				char* _t17;
				signed char* _t27;
				void* _t31;
				signed int _t35;
				signed char* _t37;
				char* _t39;

				_t35 = __edx;
				_t14 = E01077D50();
				_t39 = 0x7ffe0384;
				if(_t14 != 0) {
					_t17 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t17 = 0x7ffe0384;
				}
				_t37 = 0x7ffe0385;
				if( *_t17 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
						if(E01077D50() == 0) {
							_t27 = 0x7ffe0385;
						} else {
							_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t27 & 0x00000020) != 0) {
							E010D7016(0x1480, _t35, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				_t31 = E0106EEF0(0x1145350);
				if(E01077D50() != 0) {
					_t39 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t39 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
						if(E01077D50() != 0) {
							_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t37 & 0x00000020) != 0) {
							E010D7016(0x1481, _t35 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				return _t31;
			}

0x010628ae
0x010628b3
0x010628b8
0x010628bf
0x010b7692
0x010628c5
0x010628c5
0x010628c5
0x010628ca
0x010628cf
0x010b76a9
0x010b76b6
0x010b76c8
0x010b76b8
0x010b76c1
0x010b76c1
0x010b76cd
0x010b76e3
0x010b76e3
0x010b76cd
0x010b76a9
0x010628df
0x010628e8
0x010b76f7
0x010b76f7
0x010628f1
0x010b770f
0x010b771c
0x010b7727
0x010b7727
0x010b7730
0x010b7746
0x010b7746
0x010b7730
0x010b770f
0x010628fc

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda93515c775d55578d84fe63fc743b5639263953a7698a99f47ba46cdcbbc92
Instruction ID: 2cf7b8d65bcbaf95d6b43972833e4a09ec5f5a4e65ab9d1502df8453c9c77f3f
Opcode Fuzzy Hash: cda93515c775d55578d84fe63fc743b5639263953a7698a99f47ba46cdcbbc92
Instruction Fuzzy Hash: 8421C9326067819FF722976C8D48F643BD8EF45774F1907A1FAE09B6E2EB6898408215

Uniqueness

Uniqueness Score: -1.00%

Function 0105519E Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0105519E(signed short* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t17;
				signed int _t18;
				char _t27;
				signed short _t32;
				signed short* _t34;
				void* _t35;

				_t34 = __ecx;
				_t27 = 0;
				_t29 = 0;
				_t35 = E010552A5(0);
				if(_t35 == 0) {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_v12 =  *((intOrPtr*)(_t29 + 0x24));
					_t17 =  *((intOrPtr*)(_t29 + 0x28));
				} else {
					_v12 =  *((intOrPtr*)(_t35 + 0xc));
					_t17 =  *((intOrPtr*)(_t35 + 0x10));
				}
				_t32 = _v12;
				_v8 = _t17;
				_t18 =  *_t34 & 0x0000ffff;
				if(_t32 <= 6) {
					if(_t32 != _t18) {
						goto L4;
					}
					goto L10;
				} else {
					_t29 = (_t32 & 0x0000ffff) - 2;
					if((_t32 & 0x0000ffff) - 2 == _t18) {
						_v12 = _t32 + 0xfffe;
						L10:
						_t18 = E01079DA0(_t29,  &_v12, _t34, 1);
						if(_t18 != 0) {
							_t27 = 1;
						}
					}
					L4:
					if(_t35 == 0) {
						E0106EB70(_t29, 0x11479a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t18 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t35 + 4)));
							E010995D0();
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t35);
						}
					}
					return _t27;
				}
			}

0x010551a9
0x010551ab
0x010551ad
0x010551b4
0x010551b8
0x010b0c9c
0x010b0ca2
0x010b0ca5
0x010551be
0x010551c1
0x010551c4
0x010551c4
0x010551c7
0x010551cb
0x010551ce
0x010551d5
0x010b0cbe
0x00000000
0x00000000
0x00000000
0x010551db
0x010551de
0x010551e3
0x010b0cb5
0x010b0cc4
0x010b0ccb
0x010b0cd2
0x010b0cd8
0x010b0cd8
0x010b0cd2
0x010551e9
0x010551eb
0x010b0ce4
0x010551f1
0x010551f4
0x010551f8
0x010b0cee
0x010b0cf1
0x010b0d03
0x010b0d03
0x010551f8
0x01055206
0x01055206

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bddff81b2911fca4c06768ca3a4c3d0d8b9873a119ef2e03fadcbe6e75641f
Instruction ID: 9ff110ef2cf43f79015924c479386e35ebd2ca3990144e0621f4a9e0a864e82e
Opcode Fuzzy Hash: d3bddff81b2911fca4c06768ca3a4c3d0d8b9873a119ef2e03fadcbe6e75641f
Instruction Fuzzy Hash: 7C11E135901309ABCBA0AB68C980AEBBFF5EF15720F1401AAF8C697684E731DC41C794

Uniqueness

Uniqueness Score: -1.00%

Function 010512D4 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E010512D4(intOrPtr __ecx, intOrPtr* _a4) {
				char _v8;
				char _v12;
				void* _t20;
				intOrPtr _t32;
				signed int _t35;
				void* _t39;
				void* _t41;
				intOrPtr* _t44;

				_push(__ecx);
				_push(__ecx);
				_t41 = 0;
				_t32 = __ecx;
				if( *_a4 != 0) {
					L8:
					_t20 = _t41;
					L9:
					return _t20;
				}
				if(__ecx <= 1) {
					_t32 = 0x25;
				}
				_t35 = 0x10;
				_t2 = _t32 - 1; // 0x24
				_t20 = E0108F3D5( &_v12, _t2 * _t35, _t2 * _t35 >> 0x20);
				if(_t20 < 0) {
					goto L9;
				} else {
					_t37 = _v12;
					_push( &_v8);
					_t39 = 0x34;
					_t41 = E01051C45(_v12, _t39);
					if(_t41 >= 0) {
						_t44 = E01074620(_t37,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
						if(_t44 == 0) {
							_t41 = 0xc0000017;
						} else {
							E0109FA60(_t44, 0, _v8);
							 *((intOrPtr*)(_t44 + 0x2c)) = _t32;
							_t14 = _t44 + 0xc; // 0xc
							E010958F0(0x3fff, 0x80000008, _t14);
							 *(_t44 + 8) =  *(_t44 + 8) & 0x00000000;
							 *_t44 = 0x6d6f7441;
							 *((intOrPtr*)(_t44 + 4)) = 1;
							 *_a4 = _t44;
						}
					}
					goto L8;
				}
			}

0x010512d9
0x010512da
0x010512e0
0x010512e2
0x010512e6
0x01051374
0x01051374
0x01051376
0x0105137b
0x0105137b
0x010512ef
0x010512f3
0x010512f3
0x010512f6
0x010512f7
0x01051301
0x01051308
0x00000000
0x0105130a
0x0105130a
0x01051310
0x01051313
0x01051319
0x0105131d
0x01051333
0x01051337
0x0105137e
0x01051339
0x0105133f
0x01051347
0x0105134a
0x01051358
0x01051360
0x01051364
0x0105136a
0x01051371
0x01051371
0x01051373
0x00000000
0x0105131d

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction ID: e1612fcf217c965be16cb030e66c9ccf81086666092251583a1ce0b0ce600505
Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction Fuzzy Hash: 5A11E6B2600609EFDB229E54CC51FDBBBB8EB84750F104069EE858F580D671EE44D754

Uniqueness

Uniqueness Score: -1.00%

Function 0108FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0108FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E010676E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = E01074620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0108fd9b
0x0108fda0
0x0108fda1
0x0108fdab
0x0108fdad
0x0108fdb0
0x0108fdb8
0x0108fe0f
0x0108fde6
0x0108fde9
0x0108fdec
0x010cc0c0
0x0108fdfe
0x0108fe06
0x0108fe06
0x010cc0c8
0x0108fe2d
0x0108fe2d
0x00000000
0x0108fe2d
0x010cc0d1
0x010cc0e0
0x010cc0e5
0x010cc0e5
0x010cc0e8
0x00000000
0x010cc0e8
0x0108fdf4
0x00000000
0x00000000
0x0108fdf6
0x0108fdfa
0x0108fe1a
0x0108fe1f
0x0108fe1f
0x0108fdfc
0x00000000
0x0108fdfc
0x0108fdcc
0x0108fdd0
0x0108fe26
0x00000000
0x0108fe26
0x0108fdd8
0x0108fddb
0x0108fddd
0x0108fde0
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: bc122ad6785cda403302160052e8dc93817f348ffb439f93fbf34c414ccd6893
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 39217F71608642DBD731EF1DC540A66F7E5FB94B10F2485AEEACA87611DB309C00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010812BD Relevance: .1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E010812BD(intOrPtr __ecx) {
				signed int _v8;
				signed int _t22;
				signed int _t23;
				intOrPtr _t37;
				signed int _t40;
				signed int _t41;
				signed int _t44;
				intOrPtr _t47;

				_push(__ecx);
				_t47 =  *[fs:0x30];
				_t37 = __ecx;
				_t40 =  *(_t47 + 0x88);
				_t44 = ( *0x1148498 & 0x0000ffff) + _t40;
				if(_t44 >= 0xfffe) {
					L4:
					return _t22;
				}
				_t23 =  *(_t47 + 0x8c);
				if(_t44 == _t23) {
					 *(_t47 + 0x8c) = _t23 + _t23;
					_t22 = E01074620(_t40,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t23 + _t23 << 2);
					_t41 = _t22;
					_v8 = _t41;
					if(_t41 == 0) {
						 *(_t47 + 0x8c) = _t44;
						goto L4;
					}
					E0109F3E0(_t41,  *(_t47 + 0x90),  *(_t47 + 0x88) << 2);
					_t30 =  *(_t47 + 0x90);
					if( *(_t47 + 0x90) != 0x1146660) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t30);
					}
					_t40 =  *(_t47 + 0x88);
					 *(_t47 + 0x90) = _v8;
				}
				 *((intOrPtr*)( *(_t47 + 0x90) + _t40 * 4)) = _t37;
				_t22 =  *(_t47 + 0x88) + 1;
				 *(_t47 + 0x88) = _t22;
				if( *((intOrPtr*)(_t37 + 8)) == 0xddeeddee) {
					 *(_t37 + 0x24) = _t22;
				} else {
					 *(_t37 + 0x7c) = _t22;
				}
				goto L4;
			}

0x010812c2
0x010812c5
0x010812cc
0x010812d6
0x010812dc
0x010812e4
0x01081313
0x01081319
0x01081319
0x010812e6
0x010812ee
0x0108131c
0x01081331
0x01081336
0x01081338
0x0108133d
0x0108137d
0x00000000
0x0108137d
0x01081350
0x01081355
0x01081363
0x010c5512
0x010c5512
0x0108136c
0x01081372
0x01081372
0x010812f6
0x010812ff
0x01081300
0x0108130d
0x01081385
0x0108130f
0x0108130f
0x0108130f
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2bffbd3eba77b2110fe326c045ad1bd78416c9b6a051ba9244f0bb6cb09c00
Instruction ID: ee0a7ac0045a629a331559a706e0785c3386103a4a3de50313a3fecc865b2f8a
Opcode Fuzzy Hash: cd2bffbd3eba77b2110fe326c045ad1bd78416c9b6a051ba9244f0bb6cb09c00
Instruction Fuzzy Hash: 04214775604600EFD774EF68C880BAAB7E9FF48650F14886DE5EEC7651DA70A841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01095A69 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E01095A69(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				signed int _t18;
				char* _t22;
				char* _t28;
				signed char _t34;
				signed char _t35;
				void* _t47;
				intOrPtr* _t48;

				_t47 = __edx;
				_t48 = __ecx;
				if(( *0x11484b4 & 0x00000004) == 0) {
					_t18 =  *(__ecx + 0x5c) & 0x0000ffff;
					if(_t18 > 0x70 ||  *((intOrPtr*)(__ecx + 0x50)) < ( *(0x103ade8 + _t18 * 2) & 0x0000ffff) << 4) {
						goto L1;
					} else {
						asm("sbb bl, bl");
						_t35 = _t34 & 0x00000001;
						L2:
						if(E01077D50() != 0) {
							_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t22 = 0x7ffe038a;
						}
						if( *_t22 != 0) {
							L16:
							if(_t35 != 0) {
								E01111751(_t35,  *((intOrPtr*)( *((intOrPtr*)( *_t48 + 0xc)) + 0xc)),  *((intOrPtr*)(_t47 + 4)),  *(_t48 + 0x5c) & 0x0000ffff);
							}
							goto L8;
						} else {
							if(E01077D50() != 0) {
								_t28 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t28 = 0x7ffe0380;
							}
							if( *_t28 != 0) {
								if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
									goto L8;
								}
								goto L16;
							} else {
								L8:
								return _t35;
							}
						}
					}
				}
				L1:
				_t35 = 0;
				goto L2;
			}

0x01095a73
0x01095a75
0x01095a77
0x01095ab7
0x01095abe
0x00000000
0x01095ad2
0x010cfb3a
0x010cfb3c
0x01095a7b
0x01095a82
0x010cfb4c
0x01095a88
0x01095a88
0x01095a88
0x01095a90
0x010cfb7c
0x010cfb7e
0x010cfb94
0x010cfb94
0x00000000
0x01095a96
0x01095a9d
0x010cfb5f
0x01095aa3
0x01095aa3
0x01095aa3
0x01095aab
0x010cfb76
0x00000000
0x00000000
0x00000000
0x01095ab3
0x01095ab3
0x01095ab6
0x01095ab6
0x01095aab
0x01095a90
0x01095abe
0x01095a79
0x01095a79
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f026930e89a8ebcc9d08b02fc0fe749a740ed9145d15a2b031513d15e701d0c2
Instruction ID: ba0d9d1bb08da76cf16f0ba656106892cf1ed89d234731cec4a6849a1baa68d7
Opcode Fuzzy Hash: f026930e89a8ebcc9d08b02fc0fe749a740ed9145d15a2b031513d15e701d0c2
Instruction Fuzzy Hash: 031133392416428FD7268B2EC8F07B9B3E5EB05B04F08009BE9C287341E36DDC80DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0108B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0108B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E01072280(_t12, 0x1148608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E010900C2(0x1148608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0108b395
0x0108b3a2
0x0108b3a5
0x0108b3aa
0x0108b3b2
0x0108b3ba
0x0108b3bd
0x0108b3c0
0x0108b3c4
0x0108b3c9
0x010ca3e9
0x010ca3ed
0x010ca3f0
0x010ca3ff
0x010ca403
0x010ca409
0x00000000
0x00000000
0x010ca40b
0x010ca40b
0x010ca40f
0x010ca415
0x010ca423
0x010ca423
0x010ca415
0x0108b3d1
0x0108b3e8
0x0108b3e8
0x0108b3d9

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17eedd04d13d9522ed59fc90a7c866b1dd6b2484571e8ef77f42fbe48a737811
Instruction ID: e2c4584e484b65619ee49ca03b67284afcbc4d6c4b1d3b93d991a50e862aeaa3
Opcode Fuzzy Hash: 17eedd04d13d9522ed59fc90a7c866b1dd6b2484571e8ef77f42fbe48a737811
Instruction Fuzzy Hash: 52116B337051109BCB19DA588E81A6F76A6EBC5B70B28816DED9AD7380DA319C02C694

Uniqueness

Uniqueness Score: -1.00%

Function 01059240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01059240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x112f708);
				E010AD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E010995D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E010995D0();
				_t33 =  *0x11484c4; // 0x0
				L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x11484c4; // 0x0
				L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x11484c4; // 0x0
				E01072280(L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x11486b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E010995D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E010995D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E01059325();
					_t50 =  *0x11484c4; // 0x0
					return E010AD0D1(L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x01059240
0x01059242
0x01059247
0x0105924c
0x0105924e
0x01059255
0x01059257
0x0105925a
0x0105925f
0x0105925f
0x01059266
0x01059271
0x01059276
0x01059279
0x0105927e
0x01059295
0x0105929a
0x010592b1
0x010592b6
0x010592d7
0x010592dc
0x010592e0
0x010592e6
0x010592e8
0x010592ee
0x01059332
0x01059333
0x01059337
0x01059338
0x0105933a
0x0105933a
0x0105933d
0x01059342
0x01059342
0x01059345
0x01059349
0x0105934e
0x01059352
0x01059357
0x010592f4
0x010592f4
0x010592f6
0x010592f9
0x01059300
0x01059306
0x01059324
0x01059324

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d52c6dd3c17aeb92b960547c3dc5b98fa5a034facfb00c33f7187b3020ba226
Instruction ID: a34256f71dfe71efc8d8c9593ea8c209eb28c3b0b2b5f65f7773ad2da84faaa5
Opcode Fuzzy Hash: 7d52c6dd3c17aeb92b960547c3dc5b98fa5a034facfb00c33f7187b3020ba226
Instruction Fuzzy Hash: 5B216F31441601DFC766EFA8CA40F9AB7F9FF28708F1545ACE189876A2CB34E942DB44

Uniqueness

Uniqueness Score: -1.00%

Function 01053138 Relevance: .1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01053138(void* __ecx) {
				signed int _v8;
				char _v12;
				void* _t18;
				intOrPtr _t19;
				void* _t26;
				intOrPtr* _t28;
				char* _t32;
				intOrPtr* _t34;
				intOrPtr _t41;
				void* _t43;
				void* _t45;

				_push(__ecx);
				_push(__ecx);
				_t43 = __ecx;
				if(( *(__ecx + 0xc) & 0x00000001) != 0) {
					_t18 = 0;
				} else {
					_t34 = __ecx + 0x10;
					_t19 =  *_t34;
					_t28 =  *((intOrPtr*)(_t34 + 4));
					_t40 =  *((intOrPtr*)(_t19 + 4));
					if( *_t28 !=  *((intOrPtr*)(_t19 + 4)) ||  *_t28 != _t34) {
						_push(_t28);
						_push( *_t28);
						E0111A80D(0, 0xd, _t34, _t40);
					} else {
						 *_t28 = _t19;
						 *((intOrPtr*)(_t19 + 4)) = _t28;
					}
					_t41 =  *((intOrPtr*)(_t43 + 0x18));
					_v8 = _v8 & 0x00000000;
					_v12 =  *((intOrPtr*)(_t43 + 0x1c));
					_t45 = E0108174B( &_v12,  &_v8, 0x8000);
					if(E01077D50() != 0) {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					} else {
						_t32 = 0x7ffe0388;
					}
					if( *_t32 != 0) {
						E0110FE3F(_t26, _t41, _v12, _v8);
					}
					_t18 = _t45;
				}
				return _t18;
			}

0x0105313d
0x0105313e
0x01053140
0x01053147
0x010531ac
0x01053149
0x01053149
0x0105314c
0x0105314e
0x01053151
0x01053156
0x010afdb3
0x010afdb4
0x010afdbd
0x01053164
0x01053164
0x01053166
0x01053166
0x0105316f
0x01053172
0x01053176
0x01053187
0x01053190
0x010afdd1
0x01053196
0x01053196
0x01053196
0x0105319e
0x010afde4
0x010afde4
0x010531a4
0x010531a4
0x010531ab

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction ID: eb8b054558c4cac38f6d515c49614dcfa0c5d07769f967bae56894fbc798d822
Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction Fuzzy Hash: D0119031A01305EFDB66DFA4C804F6AB7FAFB85354F14859DE8819B241EB71AC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0111E962 Relevance: .1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0111E962(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				char _v8;
				signed int _v12;
				char* _t26;
				void* _t31;
				unsigned int _t33;
				intOrPtr _t49;
				intOrPtr* _t57;

				_t31 = __ebx;
				_push(__ecx);
				_push(__ecx);
				_t49 = _a4;
				_v12 =  *(_t49 + 0xc) & 0xffff0000;
				_t33 =  *(_t49 + 0x10);
				_t44 = 1 << (_t33 >> 0x00000002 & 0x0000003f);
				_t5 = _t44 - 1; // 0x0
				_t6 = _t44 - 1; // 0x0
				_t57 = _a8;
				_v8 = ((_t33 >> 0x00000001 & 1) + (_t33 >> 0xc) << 0xc) - 1 + (1 << (_t33 >> 0x00000002 & 0x0000003f)) - (_t5 + ((_t33 >> 0x00000001 & 1) + (_t33 >> 0x0000000c) << 0x0000000c) & _t6);
				_push( *((intOrPtr*)(_t57 + 4)));
				_push( *_t57);
				_push(0x8000);
				E0111AFDE( &_v12,  &_v8);
				if(E01077D50() == 0) {
					_t26 = 0x7ffe0388;
				} else {
					_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t26 != 0) {
					E0110FE3F(_t31, _t57, _v12, _v8);
				}
				return E0111BCD2(_t49,  *_t57,  *((intOrPtr*)(_t57 + 4)));
			}

0x0111e962
0x0111e967
0x0111e968
0x0111e96b
0x0111e976
0x0111e979
0x0111e990
0x0111e997
0x0111e99a
0x0111e9a4
0x0111e9b1
0x0111e9b4
0x0111e9b7
0x0111e9b9
0x0111e9be
0x0111e9ca
0x0111e9dc
0x0111e9cc
0x0111e9d5
0x0111e9d5
0x0111e9e4
0x0111e9ee
0x0111e9ee
0x0111ea04

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction ID: 8f17bc24a50c24d6262b3a02cce9284d944224ad4c6e64e382e06619b01fb803
Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction Fuzzy Hash: 1F11B232A00519AFDB1ECB58C805AADFBB6EF84210F058269EC4597354EB71AD51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010E4257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E010E4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x11308d0);
				E010AD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E010E41E8(__ebx, __edi, __ecx, _t39);
				E0106EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x11487e4;
					_t18 =  *0x11487e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1145cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x11487e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x11487e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L01057055(_t31 + 0xfffffff8);
								_t24 =  *0x11487e0; // 0x0
								_t18 = _t24 - 1;
								 *0x11487e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1145cd0;
				if( *0x1145cd0 <= 0) {
					L01057055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x11487e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x11487e8 = _t30;
						 *0x11487e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E010AD0D1(L010E4320());
			}

0x010e4257
0x010e4257
0x010e4257
0x010e4259
0x010e425e
0x010e4263
0x010e4265
0x010e4273
0x010e4278
0x010e427c
0x010e427f
0x010e4281
0x010e4287
0x010e42d7
0x010e42d7
0x010e42da
0x010e428d
0x010e428d
0x010e428f
0x010e4292
0x010e4297
0x010e429c
0x010e42a0
0x010e42a6
0x010e42a8
0x010e42ae
0x010e42b3
0x00000000
0x010e42ba
0x010e42ba
0x010e42bf
0x010e42c5
0x010e42ca
0x010e42cf
0x010e42d0
0x00000000
0x010e42d0
0x010e42b3
0x00000000
0x010e42a6
0x010e429c
0x010e42dc
0x010e42dc
0x010e42e3
0x010e4309
0x010e42e5
0x010e42e5
0x010e42e8
0x010e42ee
0x010e42f0
0x00000000
0x010e42f2
0x010e42f2
0x010e42f4
0x010e42f7
0x010e42f9
0x010e4300
0x010e4300
0x010e42f0
0x010e430e
0x010e431f

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bf45669420a4b5e399788d459214aec925604870a1c9a0006f04537098cadb
Instruction ID: d3524f8652f09b6de5a6cf7e4ea744c749bee31469ebba157449125e78358843
Opcode Fuzzy Hash: 53bf45669420a4b5e399788d459214aec925604870a1c9a0006f04537098cadb
Instruction Fuzzy Hash: 57219074900B01CFCB69DFAAD014A647BF1FB85725B90C2AED1A5CB699D731D491CF00

Uniqueness

Uniqueness Score: -1.00%

Function 010628FD Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010628FD(char __edx, signed int _a4) {
				void* __ecx;
				void* _t8;
				char* _t13;
				signed char* _t17;
				void* _t21;
				void* _t22;
				char _t28;

				_t28 = __edx;
				_t8 = E0106EB70(_t22, 0x1145350);
				_t23 = _a4;
				_t21 = _t8;
				if( !_a4 >= 0) {
					E0105B1E1(_t23, 0x14a2, _t28, 0);
				}
				if(E01077D50() != 0) {
					_t13 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
						if(E01077D50() == 0) {
							_t17 = 0x7ffe0385;
						} else {
							_t17 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t17 & 0x00000020) != 0) {
							E010D7016(0x14a2, 0, 0, _t28, 0, 0);
						}
					}
				}
				return _t21;
			}

0x0106290b
0x0106290d
0x01062912
0x01062915
0x0106291d
0x010b7758
0x010b7758
0x0106292a
0x010b776b
0x01062930
0x01062930
0x01062930
0x01062938
0x010b7782
0x010b778f
0x010b77a1
0x010b7791
0x010b779a
0x010b779a
0x010b77a9
0x010b77bd
0x010b77bd
0x010b77a9
0x010b7782
0x01062945

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9849bd2b155bbffbd66cb46cddfb43820d9b24e6e8664c1748880918c8785bdb
Instruction ID: 2bcc3dc80b88b4643ae00e6ceb4f9169fc57d7e2a6bbfd11d2beeefd5c79fabd
Opcode Fuzzy Hash: 9849bd2b155bbffbd66cb46cddfb43820d9b24e6e8664c1748880918c8785bdb
Instruction Fuzzy Hash: A111C835784740ABF366936DCD44F663BDDEFD0B94F1400A5B9C19B2D1DAA4DC008175

Uniqueness

Uniqueness Score: -1.00%

Function 01082397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E01082397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x114848c != 0) {
					L0107FAD0(0x1148610);
					if( *0x114848c == 0) {
						E0107FA00(0x1148610, _t19, _t27, 0x1148610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E01082581(0x1148610, 0x10350a0, _t26, _t27, _t28);
						E0107FA00(0x1148610, 0x10350a0, _t27, 0x1148610);
					}
				} else {
					L1:
					_t11 =  *0x1148614; // 0x0
					if(_t11 == 0) {
						_t11 = E01094886(0x1031088, 1, 0x1148614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E01082581(0x1148610, (_t11 << 4) + 0x1035070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x010823b0
0x010823b6
0x01082409
0x01082415
0x010c5ae9
0x00000000
0x0108241b
0x0108241b
0x0108241d
0x01082427
0x0108242e
0x01082430
0x01082430
0x010823b8
0x010823b8
0x010823b8
0x010823bf
0x010823fc
0x010823fc
0x010823c1
0x010823c3
0x010823d0
0x010823d8
0x010823d8
0x010823dc
0x010823de
0x010823e1
0x010823e1
0x010823ec

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5c84cea0cbdb35e2fff9ffbc8c4300b8400e7f479602a06acfeb088ec51e19
Instruction ID: fc8ec2a6343ff5c52fa3835edc78f9386183e1147a64bfb4981714e594d1bb10
Opcode Fuzzy Hash: 0c5c84cea0cbdb35e2fff9ffbc8c4300b8400e7f479602a06acfeb088ec51e19
Instruction Fuzzy Hash: 8E114E7174830167E774BA6DDC90B5AB6DCFBA0A10F14807AF6C2A7290DAB0E841C754

Uniqueness

Uniqueness Score: -1.00%

Function 0105C962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0105C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x114d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0106EEF0(0x11470a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E010DF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0106EB70(_t29, 0x11470a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0109B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E010DF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x11470c0; // 0x0
					while(_t38 != 0x11470c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x114b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0105c96a
0x0105c974
0x0105c988
0x0105c98a
0x010c7c9d
0x010c7c9f
0x010c7ca4
0x010c7cae
0x010c7cf0
0x010c7cf5
0x010c7cfa
0x0105c992
0x0105c996
0x0105c997
0x0105c998
0x0105c9a3
0x0105c9a3
0x010c7cb0
0x010c7cb7
0x010c7cbb
0x00000000
0x00000000
0x010c7cbd
0x010c7ce8
0x010c7cc5
0x010c7cc8
0x010c7cca
0x010c7cd0
0x010c7cd6
0x010c7cde
0x010c7ce4
0x010c7ce4
0x010c7cd0
0x00000000
0x010c7ce8
0x0105c990
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfbf47c5b81a0c7560faf61cdcae06fc4226a71bbb9f5813780d3f1e520bdbe
Instruction ID: adc7a4bcf12652a7fa322d82d4aafb0f515211dc721f100c775946e120b3eccb
Opcode Fuzzy Hash: 3cfbf47c5b81a0c7560faf61cdcae06fc4226a71bbb9f5813780d3f1e520bdbe
Instruction Fuzzy Hash: D811C23530070B9BCB65AF69DC85A6B77E5BB95A10B00053CE98583691EB20EC50CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0108002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0108002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E01077D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E01077D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E01077D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E01077D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x01080032
0x01080037
0x01080043
0x010c4b3a
0x01080049
0x01080049
0x01080049
0x0108004e
0x01080053
0x010c4b48
0x010c4b5a
0x010c4b4a
0x010c4b53
0x010c4b53
0x010c4b5f
0x00000000
0x010c4b61
0x00000000
0x010c4b61
0x01080059
0x01080059
0x01080060
0x010c4b6f
0x010c4b6f
0x01080069
0x010c4b83
0x00000000
0x00000000
0x010c4b90
0x010c4b9b
0x010c4b9b
0x010c4ba4
0x00000000
0x00000000
0x010c4baa
0x00000000
0x0108006f
0x0108006f
0x00000000
0x0108006f
0x01080069

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 3f19933366633dd55d4ff79294a281796d26fc4156fe5ac8136192721636fef9
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: E311E5326056818FE763A72CC968B7937E4BB40B94F0900E4FDD4C7692E729D852CA64

Uniqueness

Uniqueness Score: -1.00%

Function 01059080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01059080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x11485ec;
				E01072280(_t48, 0x11485ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0106FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x114538c; // 0x771a6828
					if( *_t84 != 0x1145388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x112f6e8);
						E010AD0E8(0x11485ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E011288F5(_t80, _t85, 0x1145388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x11486c0; // 0xb207b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x11486b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E01072280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E011288F5(0x11485ec, _t85, 0x1145388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0109AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x114b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x11484c0;
																			if(_t82 >=  *0x11484c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01129063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0105922A(_t99);
										_t64 = E01077D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01128B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x11486c0; // 0xb207b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x11486b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x11486bc;
													_t87 = 0x11486b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E01059240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x11486c4;
												_t87 = 0x11486c0;
												L27:
												E01089B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E010AD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1145388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x114538c = _t51;
						goto L6;
					}
				}
			}

0x01059082
0x01059083
0x01059084
0x01059085
0x01059087
0x01059096
0x01059098
0x01059098
0x0105909e
0x010590a8
0x010590e7
0x010590e7
0x010590aa
0x010590b0
0x010590b7
0x010590bd
0x010590dd
0x010590e6
0x010590bf
0x010590bf
0x010590c7
0x010590cf
0x010590f1
0x010590f2
0x010590f4
0x010590f5
0x010590f6
0x010590f7
0x010590f8
0x010590f9
0x010590fa
0x010590fb
0x010590fc
0x010590fd
0x010590fe
0x010590ff
0x01059100
0x01059102
0x01059107
0x0105910c
0x01059110
0x01059113
0x01059115
0x01059136
0x0105913f
0x01059143
0x010b37e4
0x010b37e4
0x01059117
0x01059117
0x0105911d
0x00000000
0x0105911f
0x0105911f
0x01059125
0x00000000
0x01059127
0x0105912d
0x01059130
0x01059134
0x01059158
0x0105915d
0x01059161
0x01059168
0x010b3715
0x0105916e
0x0105916e
0x01059175
0x01059177
0x0105917e
0x0105917f
0x01059182
0x01059182
0x01059187
0x01059187
0x0105918a
0x0105918d
0x0105918f
0x01059192
0x01059195
0x01059198
0x01059198
0x01059198
0x0105919a
0x00000000
0x00000000
0x010b371f
0x010b3721
0x010b3727
0x010b372f
0x010b3733
0x010b3735
0x010b3738
0x010b373b
0x010b373d
0x010b3740
0x00000000
0x010b3746
0x010b3746
0x010b3749
0x00000000
0x010b374f
0x010b374f
0x010b3751
0x010b3757
0x010b3759
0x010b375c
0x010b375c
0x010b375e
0x010b375e
0x010b3761
0x010b3764
0x00000000
0x00000000
0x010b3766
0x010b3768
0x010b37a3
0x010b37a3
0x010b37a5
0x010b37a7
0x010b37ad
0x010b37b0
0x010b37b2
0x010b37bc
0x010b37c2
0x010b37c2
0x010b37b2
0x01059187
0x01059187
0x0105918a
0x0105918d
0x0105918f
0x01059192
0x01059195
0x00000000
0x01059195
0x00000000
0x010b376a
0x010b376a
0x010b376a
0x010b376c
0x010b376c
0x010b376f
0x010b3775
0x00000000
0x00000000
0x010b3777
0x010b3779
0x010b3782
0x010b3787
0x010b3789
0x010b3790
0x010b3790
0x010b378b
0x010b378b
0x010b378b
0x010b3792
0x010b3795
0x00000000
0x010b3795
0x00000000
0x010b3779
0x010b3798
0x00000000
0x010b3798
0x00000000
0x010b3768
0x010b379b
0x010b379b
0x010b3751
0x010b3749
0x00000000
0x010b3740
0x010591a0
0x010591a3
0x010591a9
0x010591b0
0x00000000
0x010591b0
0x01059187
0x010591b4
0x010591b4
0x010591bb
0x010591c0
0x010591c5
0x010591c7
0x010b37da
0x010591cd
0x010591cd
0x010591cd
0x010591d2
0x010591d5
0x01059239
0x01059239
0x010591d7
0x010591db
0x010591e1
0x010591e7
0x010591fd
0x01059203
0x0105921e
0x01059223
0x00000000
0x01059205
0x01059205
0x01059208
0x0105920c
0x01059214
0x01059214
0x0105920c
0x010591e9
0x010591e9
0x010591ee
0x010591f3
0x010591f3
0x010591f3
0x010591e7
0x00000000
0x00000000
0x00000000
0x01059134
0x01059125
0x0105911d
0x0105914e
0x010590d1
0x010590d1
0x010590d3
0x010590d6
0x010590d8
0x00000000
0x010590d8
0x010590cf

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6559fe85951ad3b429ab2a93ca88f6b611aa3786de6026787203d9678a8cf195
Instruction ID: ac1f048d93bb20e3b8088eeac3cd29cd244c8462d7c6a1a4f3e821aa9ad651b2
Opcode Fuzzy Hash: 6559fe85951ad3b429ab2a93ca88f6b611aa3786de6026787203d9678a8cf195
Instruction Fuzzy Hash: 3B01F472505200CFC3A98F08D840B227BF9EF41B24F259466E9419B692C370DC81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01058190 Relevance: .1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01058190(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				intOrPtr _t15;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr* _t27;

				E01072280(_t10, 0x114864c);
				_t27 = E0105820E(_a4);
				if(_t27 == 0) {
					_t26 = 0xc000002a;
				} else {
					_t2 = _t27 + 0x10;
					 *_t2 =  *((intOrPtr*)(_t27 + 0x10)) - 1;
					if( *_t2 != 0) {
						L8:
						_t26 = 0;
					} else {
						_t15 =  *_t27;
						if( *((intOrPtr*)(_t15 + 4)) != _t27) {
							L7:
							_push(3);
							asm("int 0x29");
							goto L8;
						} else {
							_t24 =  *((intOrPtr*)(_t27 + 4));
							if( *_t24 != _t27) {
								goto L7;
							} else {
								 *_t24 = _t15;
								 *((intOrPtr*)(_t15 + 4)) = _t24;
								_t7 = _t27 + 0xc; // 0xc
								_push(1);
								_t8 = _t27 + 8; // 0x8
								_push(0xffffffff);
								_t26 = E0109B130();
								L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t27);
							}
						}
					}
				}
				E0106FFB0(0x114864c, _t26, 0x114864c);
				return _t26;
			}

0x0105819e
0x010581ab
0x010581af
0x010581fe
0x010581b1
0x010581b1
0x010581b1
0x010581b5
0x0105820a
0x0105820a
0x010581b7
0x010581b7
0x010581bc
0x01058205
0x01058205
0x01058208
0x00000000
0x010581be
0x010581be
0x010581c3
0x00000000
0x010581c5
0x010581c5
0x010581c7
0x010581ca
0x010581cd
0x010581d0
0x010581d4
0x010581e2
0x010581ea
0x010581ea
0x010581c3
0x010581bc
0x010581b5
0x010581f0
0x010581fb

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bf8166fd951aaf3b4b399ceb67970965e8f81d5b2c703b8d56922549f78a6d
Instruction ID: f9a4f1c6795056a253df9564053f415150da2549dc3180e6b1055df7daa72831
Opcode Fuzzy Hash: 54bf8166fd951aaf3b4b399ceb67970965e8f81d5b2c703b8d56922549f78a6d
Instruction Fuzzy Hash: F001D872101605EBD3629B56CC44E67BBDDEF817A0F15816AEDA54B251CB30D902C794

Uniqueness

Uniqueness Score: -1.00%

Function 01083B5A Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01083B5A(void* __eax, intOrPtr __ebx, void* __edi, intOrPtr __esi) {
				void* _t14;
				intOrPtr _t15;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				intOrPtr _t27;
				intOrPtr _t31;
				intOrPtr _t37;
				void* _t39;

				_t37 = __esi;
				_t31 = __ebx;
				_t14 = __eax;
				if( *((intOrPtr*)(_t39 - 0x40)) != __ebx || __edi < 0) {
					if(_t37 == 0) {
						goto L2;
					}
					_t32 =  *((intOrPtr*)(_t39 - 0x24));
					if( *((intOrPtr*)(_t39 - 0x24)) != 0) {
						_t27 =  *0x11484c4; // 0x0
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27 + 0xc0000, _t32);
						_t37 =  *((intOrPtr*)(_t39 - 0x20));
					}
					_t33 =  *((intOrPtr*)(_t37 + 0x1c));
					if( *((intOrPtr*)(_t37 + 0x1c)) != 0) {
						_t23 =  *0x11484c4; // 0x0
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t23 + 0xc0000, _t33);
						_t37 =  *((intOrPtr*)(_t39 - 0x20));
					}
					_t34 =  *((intOrPtr*)(_t37 + 0x20));
					if( *((intOrPtr*)(_t37 + 0x20)) != 0) {
						_t19 =  *0x11484c4; // 0x0
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t19 + 0xc0000, _t34);
						_t37 =  *((intOrPtr*)(_t39 - 0x20));
					}
					_t15 =  *0x11484c4; // 0x0
					_t18 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t15 + 0xc0000, _t37);
					 *((intOrPtr*)(_t39 - 0x20)) = _t31;
					return _t18;
				} else {
					L2:
					return _t14;
				}
			}

0x01083b5a
0x01083b5a
0x01083b5a
0x01083b5d
0x010c61e6
0x00000000
0x00000000
0x010c61ec
0x010c61f1
0x010c61f3
0x010c6208
0x010c620d
0x010c620d
0x010c6210
0x010c6215
0x010c6217
0x010c622c
0x010c6231
0x010c6231
0x010c6234
0x010c6239
0x010c623b
0x010c6250
0x010c6255
0x010c6255
0x010c6258
0x010c626d
0x010c6274
0x00000000
0x01083b6b
0x01083b6b
0x01083b6b
0x01083b6b

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7caf07348df1610dba7c8ba84318581354053fa46f55ea61d86ff18d69de1351
Instruction ID: bf619dc29f7f338c1170b3f2000955b965fdd836a34c1703e7b7f0cb9dba3ceb
Opcode Fuzzy Hash: 7caf07348df1610dba7c8ba84318581354053fa46f55ea61d86ff18d69de1351
Instruction Fuzzy Hash: C1110A76901554DFCB69EF48CA40F6EB7B9FF48A00F1A00ACE945A7752C329EC01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01111A5F Relevance: .0, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E01111A5F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				void* _t23;
				signed char* _t24;
				intOrPtr _t30;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t41;
				signed int _t42;

				_t35 = __edx;
				_t30 = __ebx;
				_v8 =  *0x114d360 ^ _t42;
				_t37 = __edx;
				_t40 = __ecx;
				E0109FA60( &_v60, 0, 0x34);
				_v28 = _t40;
				_v54 = 0x1035;
				_v20 = _a4;
				_v16 = _a8;
				_v24 = _t37;
				_v12 = _a12;
				_t23 = E01077D50();
				_t38 = _t36;
				_t41 = _t39;
				if(_t23 == 0) {
					_t24 = 0x7ffe0380;
				} else {
					_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v60);
				_push(0x14);
				_push(0x20402);
				_push( *_t24 & 0x000000ff);
				return E0109B640(E01099AE0(), _t30, _v8 ^ _t42, _t35, _t38, _t41);
			}

0x01111a5f
0x01111a5f
0x01111a6e
0x01111a78
0x01111a7d
0x01111a7f
0x01111a89
0x01111a8c
0x01111a96
0x01111a9c
0x01111aa2
0x01111aa5
0x01111aa8
0x01111aad
0x01111aae
0x01111ab1
0x01111ac3
0x01111ab3
0x01111abc
0x01111abc
0x01111ace
0x01111acf
0x01111ad1
0x01111ad6
0x01111ae9

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d78929da2c83182836357fd079474d6ba1527d10f8eda388bcf68f136583334
Instruction ID: 5f58e19518d8bcb4eb9740e6e3d5451c05a3cd68cbbb05ebae7fd782e3faa462
Opcode Fuzzy Hash: 3d78929da2c83182836357fd079474d6ba1527d10f8eda388bcf68f136583334
Instruction Fuzzy Hash: 76116D71A01249ABCB14DFA8D845EAEBBF8EF54710F04406AF914EB380D674AA00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010531E0 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010531E0(intOrPtr _a4, intOrPtr _a8) {
				char* _t12;
				signed int* _t13;
				signed int _t26;
				intOrPtr _t28;

				_t28 = _a4;
				_t26 = 0;
				_t12 = E0105354C(_t28, 0);
				if(_t12 == 0) {
					L3:
					return _t12;
				}
				if(_a8 != 0) {
					_t13 = _t28 + 0xa8;
					_t26 =  *_t13;
					 *_t13 = 0;
				}
				_t12 = E01089ED0(_t28 + 0x20,  ~_t26, 1);
				if(_t26 != 0) {
					if(E01077D50() == 0) {
						_t12 = 0x7ffe0386;
					} else {
						_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					}
					if( *_t12 == 0) {
						goto L3;
					}
					return E01128966( *((intOrPtr*)(_t28 + 0x5c)), _t28 + 0x78, _t28 + 0x30,  *((intOrPtr*)(_t28 + 0x34)),  *((intOrPtr*)(_t28 + 0x3c)), _t26);
				} else {
					goto L3;
				}
			}

0x010531e6
0x010531ec
0x010531f1
0x010531f8
0x0105321c
0x0105321c
0x0105321c
0x010531fd
0x010afe1e
0x010afe24
0x010afe24
0x010afe24
0x0105320c
0x01053213
0x010afe32
0x010afe44
0x010afe34
0x010afe3d
0x010afe3d
0x010afe4c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction ID: 83aa7ff1a1aa657cbbca8ffda5e4d651dff757d1bf6af22e3e97d2f1c1d140d6
Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction Fuzzy Hash: 8E01DD32200B019FDB62D6AAD504AAB77EDFFD1794F4444599FC68B551DA30E841C750

Uniqueness

Uniqueness Score: -1.00%

Function 01124015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01124015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E01072280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E01072280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x11486ac);
					E0105F900(0x11486d4, _t28);
					E0106FFB0(0x11486ac, _t28, 0x11486ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0106FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0112401a
0x0112401e
0x01124023
0x01124028
0x01124029
0x0112402b
0x0112402f
0x01124043
0x01124046
0x01124051
0x01124057
0x0112405f
0x01124062
0x01124067
0x0112406f
0x0112407c
0x0112407c
0x0112408c
0x0112408c
0x01124097

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84781f613d64b5ec3b852707324dd25db782ff2b1cfb0549a1ec730c21fec135
Instruction ID: bff019ae50db16e18e26685138fafe049bc0b45a027aa28202d584fda73b145f
Opcode Fuzzy Hash: 84781f613d64b5ec3b852707324dd25db782ff2b1cfb0549a1ec730c21fec135
Instruction Fuzzy Hash: AA01A2726019467FD355AF79CE84E93F7ACFF55A60B000229F54883A11DB24EC52C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 01111951 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E01111951(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x114d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0109FA60( &_v60, 0, 0x30);
				_v28 = _t34;
				_v54 = 0x1030;
				_v20 = _a4;
				_v24 = _t33;
				_v16 = _a8;
				if(E01077D50() == 0) {
					_t21 = 0x7ffe0380;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0109B640(E01099AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01111951
0x01111951
0x01111960
0x0111196a
0x0111196f
0x01111971
0x0111197b
0x0111197e
0x01111988
0x0111198e
0x01111991
0x0111199b
0x011119ad
0x0111199d
0x011119a6
0x011119a6
0x011119b8
0x011119b9
0x011119bb
0x011119c0
0x011119d5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd50d379b5702194606253cf12905994018560016a4e135ea21792df342fec00
Instruction ID: 1ca342c8136faf42ce20c5f10c1822d0d3884ac05c0eafcce480201ff01a866c
Opcode Fuzzy Hash: cd50d379b5702194606253cf12905994018560016a4e135ea21792df342fec00
Instruction Fuzzy Hash: 75019271A0120DABCB14DFA8D845EAFBBB8EF44710F004066B950EB380E6749A00C795

Uniqueness

Uniqueness Score: -1.00%

Function 011119D8 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E011119D8(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x114d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0109FA60( &_v60, 0, 0x30);
				_v28 = _t34;
				_v54 = 0x1032;
				_v20 = _a4;
				_v24 = _t33;
				_v16 = _a8;
				if(E01077D50() == 0) {
					_t21 = 0x7ffe0380;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0109B640(E01099AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x011119d8
0x011119d8
0x011119e7
0x011119f1
0x011119f6
0x011119f8
0x01111a02
0x01111a05
0x01111a0f
0x01111a15
0x01111a18
0x01111a22
0x01111a34
0x01111a24
0x01111a2d
0x01111a2d
0x01111a3f
0x01111a40
0x01111a42
0x01111a47
0x01111a5c

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a528bdc7fa0fe7ba87b7ef491b0d7383f3f02ce1ef4715d7534efd5dc9e1fecc
Instruction ID: 84537a9fe89820579024994a08fbdcdcca7077ec938665692dcb3cff53c8176d
Opcode Fuzzy Hash: a528bdc7fa0fe7ba87b7ef491b0d7383f3f02ce1ef4715d7534efd5dc9e1fecc
Instruction Fuzzy Hash: 2D019271A01259ABCB14DFA9D845EEEBBB8EF44710F004066B940EB380D6749A01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01111843 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E01111843(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x114d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0109FA60( &_v60, 0, 0x30);
				_v28 = _t34;
				_v54 = 0x102f;
				_v20 = _a4;
				_v24 = _t33;
				_v16 = _a8;
				if(E01077D50() == 0) {
					_t21 = 0x7ffe0380;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0109B640(E01099AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01111843
0x01111843
0x01111852
0x0111185c
0x01111861
0x01111863
0x0111186d
0x01111870
0x0111187a
0x01111880
0x01111883
0x0111188d
0x0111189f
0x0111188f
0x01111898
0x01111898
0x011118aa
0x011118ab
0x011118ad
0x011118b2
0x011118c7

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ba43df7a595a6a2bc7992d4ac65a7a064846b04a5cbc555d924fcb9eca1ecf
Instruction ID: e1a8458afb53ed10691467a2fa165032a247a1385cf44665e9688f3faf262290
Opcode Fuzzy Hash: f3ba43df7a595a6a2bc7992d4ac65a7a064846b04a5cbc555d924fcb9eca1ecf
Instruction Fuzzy Hash: 91019271E01209ABCB14EFA8D845EEEBBB8EF44710F044066F940EB380D6749A00C795

Uniqueness

Uniqueness Score: -1.00%

Function 010570C0 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E010570C0(signed int* __ecx) {
				signed int _t27;
				intOrPtr _t34;
				signed int _t38;
				signed int* _t40;

				_t40 = __ecx;
				if(__ecx == 0) {
					return _t27;
				}
				_t38 = 0;
				if( *((intOrPtr*)(__ecx + 4)) <= 0) {
					L6:
					if(( *_t40 & 0x00000001) != 0) {
						_t27 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t40[2]);
					}
					_t40[2] = _t40[2] & 0x00000000;
					_t40[1] = _t40[1] & 0x00000000;
					 *_t40 =  *_t40 & 0x00000000;
					return _t27;
				}
				do {
					_t27 = _t40[2];
					_t34 =  *((intOrPtr*)(_t27 + _t38 * 4));
					if(_t34 != 0) {
						 *(_t34 + 8) =  *(_t34 + 8) & 0;
						 *((intOrPtr*)(_t34 + 4)) = 0;
						if( *(_t34 + 0xc) != 0) {
							_push( *(_t34 + 0xc));
							E010995D0();
							 *(_t34 + 0xc) =  *(_t34 + 0xc) & 0x00000000;
						}
						 *(_t40[2] + _t38 * 4) =  *(_t40[2] + _t38 * 4) & 0x00000000;
						_t27 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t34);
					}
					_t38 = _t38 + 1;
				} while (_t38 < _t40[1]);
				goto L6;
			}

0x010570c3
0x010570c7
0x010570f9
0x010570f9
0x010570ca
0x010570cf
0x010570e3
0x010570e7
0x010b22e0
0x010b22e0
0x010570ed
0x010570f1
0x010570f5
0x00000000
0x010570f5
0x010570d2
0x010570d2
0x010570d5
0x010570da
0x010570fc
0x010570ff
0x01057105
0x01057107
0x0105710a
0x0105710f
0x0105710f
0x01057119
0x01057126
0x01057126
0x010570dc
0x010570dd
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction ID: d99402440927f8744397880ad388f300630a0635c1a2c2f80ef9034b2742f941
Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction Fuzzy Hash: 6C118B32410B02DFD7B29F18C880B63B7E5BB10762F1588A8E9C94A5A2C778E881DB10

Uniqueness

Uniqueness Score: -1.00%

Function 011118CA Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E011118CA(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x114d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0109FA60( &_v60, 0, 0x30);
				_v28 = _t34;
				_v54 = 0x1031;
				_v20 = _a4;
				_v24 = _t33;
				_v16 = _a8;
				if(E01077D50() == 0) {
					_t21 = 0x7ffe0380;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0109B640(E01099AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x011118ca
0x011118ca
0x011118d9
0x011118e3
0x011118e8
0x011118ea
0x011118f4
0x011118f7
0x01111901
0x01111907
0x0111190a
0x01111914
0x01111926
0x01111916
0x0111191f
0x0111191f
0x01111931
0x01111932
0x01111934
0x01111939
0x0111194e

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223be047b35c80da3dd09217cdc107df7c6f84901064942b615cee7d1ca225b8
Instruction ID: ae36a1978829643f007ed4f933dbbbb131e77ff3b70caf2b5bc1695d76e7fad0
Opcode Fuzzy Hash: 223be047b35c80da3dd09217cdc107df7c6f84901064942b615cee7d1ca225b8
Instruction Fuzzy Hash: D5019271A0120DABCB14EFA9D845EEEBBB8EF44710F004066F955EB380E6749A00C794

Uniqueness

Uniqueness Score: -1.00%

Function 0111138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0111138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x114d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0109FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E01077D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0109B640(E01099AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0111138a
0x0111138a
0x01111399
0x011113a3
0x011113a8
0x011113aa
0x011113b5
0x011113bb
0x011113c3
0x011113c6
0x011113c9
0x011113d4
0x011113e6
0x011113d6
0x011113df
0x011113df
0x011113f1
0x011113f2
0x011113f4
0x011113f9
0x0111140e

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eedec5af4be13bdac89a3a1c3d040f65e9eb218f179ffffafdb795f5a8bec56
Instruction ID: 71359d2c0d134c0f45ad744cd5f4c491241abeaeaebda7271d38be455432c00d
Opcode Fuzzy Hash: 5eedec5af4be13bdac89a3a1c3d040f65e9eb218f179ffffafdb795f5a8bec56
Instruction Fuzzy Hash: 8C019271A05219AFCB14DFA8D841EAEBBB8EF44710F004066B904EB280D6749A00C794

Uniqueness

Uniqueness Score: -1.00%

Function 010558EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E010558EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x114d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x1035c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E01055943() != 0 &&  *0x1145320 > 5) {
					E010D7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E010D7B5E( &_v28, _t28);
					_t11 = E010D7B9C(0x1145320, 0x103bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0109B640(_t11, _t17, _v8 ^ _t29, 0x103bf15, _t27, _t28);
			}

0x010558fb
0x010558fe
0x01055906
0x0105590a
0x0105593c
0x0105593c
0x0105590c
0x0105590c
0x01055911
0x00000000
0x01055913
0x01055913
0x01055913
0x01055911
0x0105591d
0x010b1035
0x010b103c
0x010b103f
0x010b1056
0x010b1056
0x0105593b

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad11a48a11a91f2f6a16143d5fd92bb6d3c10306096fd50b856407398be8e38
Instruction ID: 00ed5b89c7d3d69fdefc82a9b6effbc15a72b79d2260633552113a650675bd2d
Opcode Fuzzy Hash: 0ad11a48a11a91f2f6a16143d5fd92bb6d3c10306096fd50b856407398be8e38
Instruction Fuzzy Hash: 63018F31A00609ABCB54EB69DC10ABF77B9EB85674F5500A9AE85A7244DE34DD02C790

Uniqueness

Uniqueness Score: -1.00%

Function 010595F0 Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E010595F0(intOrPtr _a4, char _a8) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t10;
				void* _t17;
				void* _t18;
				char* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				intOrPtr _t29;

				_t29 = _a4;
				_push(_t25);
				if(_t29 == 0 || _a8 < 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					E011288F5(_t17, _t18, _t23, _t25, _t29, __eflags);
					_t10 = 0xc000000d;
				} else {
					_push(4);
					_push( &_a8);
					_push(4);
					_push( *((intOrPtr*)(_t29 + 0x24)));
					_t27 = E0109AE70();
					if(E01077D50() != 0) {
						_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t21 = 0x7ffe0386;
					}
					if( *_t21 != 0) {
						__eflags = _t27;
						if(_t27 >= 0) {
							E01128C75(_t29, _a8);
						}
					}
					_t10 = _t27;
				}
				return _t10;
			}

0x010595f9
0x010595fc
0x010595ff
0x0105964d
0x01059652
0x01059616
0x01059616
0x0105961b
0x0105961c
0x0105961e
0x01059626
0x0105962f
0x010b3a8b
0x01059635
0x01059635
0x01059635
0x0105963d
0x010b3a96
0x010b3a98
0x010b3aa3
0x010b3aa3
0x010b3a98
0x01059643
0x01059643
0x0105964a

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction ID: f0a1e41b37cfd909a1ce5b4c70cbbe0a05979da4128f0cfe4baa58ff9d984c24
Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction Fuzzy Hash: 23017B32A00140EBDF519B58C840FAA37E9EB98B38F204155EE898F290DB34ED04C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 01128966 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E01128966(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t21;
				signed int _t35;

				_t32 = __edx;
				_v8 =  *0x114d360 ^ _t35;
				_t34 = _a8;
				_t33 = _a12;
				_v28 = _a4;
				_v62 = 0x1c24;
				_v36 = __ecx;
				_v32 = __edx;
				_v24 = _a8;
				_v20 = _a12;
				_v16 = _a16;
				if(E01077D50() == 0) {
					_t21 = 0x7ffe0386;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x18);
				_push(0x403);
				_push( *_t21 & 0x000000ff);
				return E0109B640(E01099AE0(), 0x1c24, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01128966
0x01128975
0x0112897d
0x01128986
0x01128989
0x0112898f
0x01128993
0x01128996
0x01128999
0x0112899c
0x0112899f
0x011289a9
0x011289bb
0x011289ab
0x011289b4
0x011289b4
0x011289c6
0x011289c7
0x011289c9
0x011289ce
0x011289e4

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d6980c60fd8829746a5025646ea4f3b10d665b98c8a1c784625150e4412b05
Instruction ID: 0f7d57756824d7b1b2285ca6e4fbb102df256b32bf89290fdfafb9b410ba4100
Opcode Fuzzy Hash: d7d6980c60fd8829746a5025646ea4f3b10d665b98c8a1c784625150e4412b05
Instruction Fuzzy Hash: A10129B1A0021DABCF04DFA9D8419EEB7F8FF58700F10446AE905E7340E774AA10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0106B02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0106B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E01077D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E010D7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0106b037
0x0106b039
0x0106b03b
0x0106b040
0x010ba60e
0x00000000
0x00000000
0x010ba61d
0x0106b04b
0x0106b04e
0x010ba627
0x010ba634
0x00000000
0x00000000
0x010ba641
0x010ba653
0x010ba643
0x010ba64c
0x010ba64c
0x010ba65b
0x00000000
0x00000000
0x00000000
0x010ba66c
0x0106b057
0x0106b057
0x0106b057
0x0106b046
0x0106b046
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: efc646ceb31e11d70f99b52cf9c031d3ef98a22e4c810b295bc2b7fb74b34f3e
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: FE0184B2700684DFE326871CC988FAA7FDCEB95750F0900E1FA55CB651D628DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 01121074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01121074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0112165E(__ebx, 0x1148ae4, (__edx -  *0x1148b04 >> 0x14) + (__edx -  *0x1148b04 >> 0x14), __edi, __ecx, (__edx -  *0x1148b04 >> 0x14) + (__edx -  *0x1148b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0111AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E01077D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0110FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01121074
0x01121080
0x01121082
0x0112108a
0x0112108f
0x01121093
0x011210ab
0x011210ab
0x011210c3
0x011210cf
0x011210e1
0x011210d1
0x011210da
0x011210da
0x011210e9
0x011210f5
0x011210f5
0x011210fe

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434b762455f0f638c246aa58221df9083d9db3f29408dfc9123442f12d02d71f
Instruction ID: 596d3ca2fdb914ce18b7d779010acab215ab9ca76ce1d893d1c50adb5690c0cf
Opcode Fuzzy Hash: 434b762455f0f638c246aa58221df9083d9db3f29408dfc9123442f12d02d71f
Instruction Fuzzy Hash: 95019772604342AFC328EF68C804B1ABBE5BB80314F00C629F88183290EF74D860CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0111129A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0111129A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				void* __edi;
				void* __esi;
				void* _t17;
				signed char* _t18;
				intOrPtr _t24;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed int _t36;

				_t29 = __edx;
				_t24 = __ebx;
				_v8 =  *0x114d360 ^ _t36;
				_t31 = __edx;
				_t34 = __ecx;
				E0109FA60( &_v52, 0, 0x2c);
				_v20 = _t34;
				_v46 = 0x1039;
				_v16 = _t31;
				_v12 = _a4;
				_t17 = E01077D50();
				_t32 = _t30;
				_t35 = _t33;
				if(_t17 == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0109B640(E01099AE0(), _t24, _v8 ^ _t36, _t29, _t32, _t35);
			}

0x0111129a
0x0111129a
0x011112a9
0x011112b3
0x011112b8
0x011112ba
0x011112c4
0x011112ca
0x011112d1
0x011112d4
0x011112d7
0x011112dc
0x011112dd
0x011112e0
0x011112f2
0x011112e2
0x011112eb
0x011112eb
0x011112fd
0x011112fe
0x01111300
0x01111305
0x01111318

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be3c1b4b3fff1a0b8d22b305a7120ad1f0b55ce3e3374b2cb772f62a257555d
Instruction ID: 9d6e2f7ad41dfe392c32bf56900ad4f3d4be60c1d031ae775abd6da48b561790
Opcode Fuzzy Hash: 7be3c1b4b3fff1a0b8d22b305a7120ad1f0b55ce3e3374b2cb772f62a257555d
Instruction Fuzzy Hash: 7B018471A00259ABDB14EFA9D815EEFBBB8EF54700F04406AF945EB280D674D900C795

Uniqueness

Uniqueness Score: -1.00%

Function 0110FD52 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0110FD52(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x114d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0109FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x265;
				if(E01077D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0109B640(E01099AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0110fd52
0x0110fd52
0x0110fd61
0x0110fd6b
0x0110fd70
0x0110fd72
0x0110fd7d
0x0110fd85
0x0110fd88
0x0110fd8b
0x0110fd96
0x0110fda8
0x0110fd98
0x0110fda1
0x0110fda1
0x0110fdb3
0x0110fdb4
0x0110fdb6
0x0110fdbb
0x0110fdd0

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d7033208495c1cd78d754337a51657a7068197eabf8e7dec81bacd1476596a
Instruction ID: 9d5f24b562141729bc72a07979d36779e1a8460a537617358f60d0ed1d18d563
Opcode Fuzzy Hash: 72d7033208495c1cd78d754337a51657a7068197eabf8e7dec81bacd1476596a
Instruction Fuzzy Hash: 73018471E00219ABDB14DFA9D846FAEBBB8EF54710F004066B910EB290DA749901C799

Uniqueness

Uniqueness Score: -1.00%

Function 011289E7 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E011289E7(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x114d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c21;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E01077D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x403);
				_push( *_t18 & 0x000000ff);
				return E0109B640(E01099AE0(), 0x1c21, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x011289e7
0x011289f6
0x011289fe
0x01128a07
0x01128a0a
0x01128a0e
0x01128a11
0x01128a14
0x01128a17
0x01128a1a
0x01128a24
0x01128a36
0x01128a26
0x01128a2f
0x01128a2f
0x01128a41
0x01128a42
0x01128a44
0x01128a49
0x01128a5f

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243020ad5e36fc1cb665c8bc5f0ac7e67ba4f426605e4588902b66c45bfeb983
Instruction ID: efa25a6fa39404b86a0a98e10b573e5d10d33748893309ae7259e3cd2eefea38
Opcode Fuzzy Hash: 243020ad5e36fc1cb665c8bc5f0ac7e67ba4f426605e4588902b66c45bfeb983
Instruction Fuzzy Hash: C7015EB1A002199FCB04DFA8D9419EEBBB8EF58710F10405AE904E7340D634AA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01128A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01128A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x114d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E01077D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0109B640(E01099AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01128a62
0x01128a71
0x01128a79
0x01128a82
0x01128a85
0x01128a89
0x01128a8c
0x01128a8f
0x01128a92
0x01128a95
0x01128a9f
0x01128ab1
0x01128aa1
0x01128aaa
0x01128aaa
0x01128abc
0x01128abd
0x01128abf
0x01128ac4
0x01128ada

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55cc43ced7c88c46d616f0b1962927287eeee3f780a6a829a01b95ae45b2830
Instruction ID: 239e4fa7ff1c48bebc5f9cdcc97cf4dd08e2ecb37cea31d3a57702b9c721eccc
Opcode Fuzzy Hash: e55cc43ced7c88c46d616f0b1962927287eeee3f780a6a829a01b95ae45b2830
Instruction Fuzzy Hash: 30012CB1A0021DAFCB04DFA9D9419EEBBF8EF58710F10405AF904E7351EB34A910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01128ADD Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01128ADD(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x114d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c23;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E01077D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x403);
				_push( *_t18 & 0x000000ff);
				return E0109B640(E01099AE0(), 0x1c23, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01128add
0x01128aec
0x01128af4
0x01128afd
0x01128b00
0x01128b04
0x01128b07
0x01128b0a
0x01128b0d
0x01128b10
0x01128b1a
0x01128b2c
0x01128b1c
0x01128b25
0x01128b25
0x01128b37
0x01128b38
0x01128b3a
0x01128b3f
0x01128b55

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f08878a66213453532a9a5c5acfd96b116da1e40798455e83d8dc61da79db39
Instruction ID: 1ddb82c6501a53f9945026b9767f33addb87f3f17055c0d895aae1613b67d0ed
Opcode Fuzzy Hash: 3f08878a66213453532a9a5c5acfd96b116da1e40798455e83d8dc61da79db39
Instruction Fuzzy Hash: FF011AB1A00219ABDB04DFA9E9519EEBBB8EF58710F10405AF904E7350D634AA11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0105DB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0105DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0105DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0105E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0105E8B0(__ecx, _t14, 0xfff);
							L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0105db64
0x0105db66
0x0105db6b
0x0105dbaa
0x0105db71
0x0105db76
0x0105db7a
0x0105dba3
0x0105db7c
0x0105db87
0x0105db8b
0x010b4fa1
0x010b4fb3
0x010b4fb8
0x0105db91
0x0105db96
0x0105db98
0x0105db98
0x0105db8b
0x0105db7a
0x0105db9d
0x0105dba2

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: df9d2a4f492e2edf794de67e7ef6e5468511e1097491a4bea4db099c663658e6
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 5AF0CD33101523DBF7725AD98494B5BB6979F91591F150037FA8597244C960880287D0

Uniqueness

Uniqueness Score: -1.00%

Function 0105B1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0105B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E01077D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E01077D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E010D7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0105b1e8
0x0105b1ea
0x0105b1f3
0x010b4a17
0x0105b1f9
0x0105b1f9
0x0105b1f9
0x0105b201
0x010b4a21
0x010b4a2e
0x00000000
0x00000000
0x010b4a3b
0x010b4a4d
0x010b4a3d
0x010b4a46
0x010b4a46
0x010b4a55
0x00000000
0x00000000
0x00000000
0x0105b20a
0x0105b20a
0x0105b20a
0x0105b20a

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: ec3553c87fe4508c71a1e280b1490f6aebda92b40756d4bcafb350348d4ed27b
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 3301F932200684DBD362A75DC84CFAA7FD9EF51794F0800A1FE95CB6B2D674D900C329

Uniqueness

Uniqueness Score: -1.00%

Function 01057057 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432551092bd03bd4672281b6497a45b830909dceb5f7d86198af7cf22f21bd55
Instruction ID: 19b5dab454ec46c9d74eac586686fa2c9b937c425f0e4b0a2c02d7b3a61ffb2b
Opcode Fuzzy Hash: 432551092bd03bd4672281b6497a45b830909dceb5f7d86198af7cf22f21bd55
Instruction Fuzzy Hash: 5901AD35200608ABDB35DF68EC05FABBBF9EF44A10F1001ADF94583190CAA1AA04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01129BBE Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E01129BBE(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v66;
				char _v72;
				void* __edi;
				void* __esi;
				signed char* _t19;
				intOrPtr _t25;
				signed int _t33;

				_t30 = __edx;
				_v12 =  *0x114d360 ^ _t33;
				_v40 = _v40 & 0x00000000;
				_t32 = _a12;
				_v36 = __edx;
				_v66 = 0x1c21;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E01077D50() == 0) {
					_t19 = 0x7ffe0386;
				} else {
					_t19 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x403);
				_push( *_t19 & 0x000000ff);
				return E0109B640(E01099AE0(), _t25, _v12 ^ _t33, _t30, 0x1c21, _t32);
			}

0x01129bbe
0x01129bcd
0x01129bd6
0x01129bdb
0x01129be4
0x01129be7
0x01129beb
0x01129bee
0x01129bf1
0x01129bfb
0x01129c0d
0x01129bfd
0x01129c06
0x01129c06
0x01129c18
0x01129c19
0x01129c1b
0x01129c20
0x01129c35

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67f3164b648d768282a08bdaf4987862cc75f8566adf82274e95473ec9e0c92
Instruction ID: fd4b709c75ea981f1132d7de05c905786430791dcaf341488a43e063d86535dd
Opcode Fuzzy Hash: e67f3164b648d768282a08bdaf4987862cc75f8566adf82274e95473ec9e0c92
Instruction Fuzzy Hash: D3017C71A0021D9BCF04DFA8D841AEEBBB8EF58710F14005AE904AB280D734AA10CB98

Uniqueness

Uniqueness Score: -1.00%

Function 01111229 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01111229(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				void* __edi;
				void* __esi;
				signed char* _t16;
				intOrPtr _t22;
				signed int _t24;
				intOrPtr _t29;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				signed int _t33;

				_t29 = __edx;
				_v8 =  *0x114d360 ^ _t33;
				_t32 = __ecx;
				_t30 =  &_v48;
				_t24 = 0xa;
				memset(_t30, 0, _t24 << 2);
				_t31 = _t30 + _t24;
				_v16 = _t32;
				_v42 = 0x1036;
				_v12 = _t29;
				if(E01077D50() == 0) {
					_t16 = 0x7ffe0380;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t16 & 0x000000ff);
				return E0109B640(E01099AE0(), _t22, _v8 ^ _t33, _t29, _t31, _t32);
			}

0x01111229
0x01111238
0x0111123d
0x0111123f
0x01111246
0x01111247
0x01111247
0x0111124e
0x01111251
0x01111255
0x0111125f
0x01111271
0x01111261
0x0111126a
0x0111126a
0x0111127c
0x0111127d
0x0111127f
0x01111284
0x01111299

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c3d620749994faa46a34ed293533418cb2ae59662608d4e5fee700ec4b2a32
Instruction ID: db3c0ccda941206c0bec5b663fddfce1c5c9087424334c32f726589235568a3d
Opcode Fuzzy Hash: 09c3d620749994faa46a34ed293533418cb2ae59662608d4e5fee700ec4b2a32
Instruction Fuzzy Hash: 1C01A472A00618ABDF14DBF9D8059EFF7B8EF58710F1080AAE911EB290EA7499008791

Uniqueness

Uniqueness Score: -1.00%

Function 010E3DE3 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010E3DE3(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				signed char _t4;
				void* _t9;
				void* _t13;
				void* _t19;
				void* _t20;

				E01072280(_t4, 0x1148608);
				_t13 = E0108F6B2(0x1146e48);
				_t19 = E0108F6B2(0x1146e4c);
				_t20 = E0108F6B2(0x1146e44);
				_t9 = E0106FFB0(_t13, _t19, 0x1148608);
				if(_t13 != 0) {
					_t9 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t13);
				}
				if(_t19 != 0) {
					_t9 = L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t19);
				}
				if(_t20 != 0) {
					return L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t20);
				}
				return _t9;
			}

0x010e3ded
0x010e3e01
0x010e3e0d
0x010e3e19
0x010e3e1b
0x010e3e22
0x010e3e31
0x010e3e31
0x010e3e38
0x010e3e46
0x010e3e46
0x010e3e4d
0x00000000
0x010e3e5b
0x010e3e63

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e672e7454dc8548043c112a37be248323ff5c79d29544ac1ee37bbb3f00e14e
Instruction ID: 001b73140af2f42b3ee218bfd15f246c8f7e5757f5fc3a93924fd27178ad4c0a
Opcode Fuzzy Hash: 6e672e7454dc8548043c112a37be248323ff5c79d29544ac1ee37bbb3f00e14e
Instruction Fuzzy Hash: 8BF0C8336416526BD636B7B58E58F5679E5FBE5E54F140068A7805F390CE64CC03C294

Uniqueness

Uniqueness Score: -1.00%

Function 01085AA0 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01085AA0(void* __ecx, intOrPtr _a4, char _a8) {
				void* __esi;
				void* __ebp;
				char* _t9;
				void* _t17;
				void* _t20;
				void* _t22;
				intOrPtr _t24;

				_t18 = __ecx;
				_push(__ecx);
				_t24 = _a4;
				if(_t24 == 0 || _a8 < 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					_t9 = E011288F5(_t17, _t18, _t20, _t22, _t24, __eflags);
				} else {
					_push(4);
					_push( &_a8);
					_push(5);
					_push( *((intOrPtr*)(_t24 + 0x24)));
					E0109AE70();
					if(E01077D50() != 0) {
						_t9 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t9 = 0x7ffe0386;
					}
					if( *_t9 != 0) {
						_t9 = E01128C14(_t24, _a8);
					}
				}
				return _t9;
			}

0x01085aa0
0x01085aa8
0x01085aaa
0x01085aaf
0x01085af8
0x01085ac6
0x01085ac6
0x01085acb
0x01085acc
0x01085ace
0x01085ad1
0x01085add
0x010c71de
0x01085ae3
0x01085ae3
0x01085ae3
0x01085aeb
0x010c71ed
0x010c71ed
0x01085aeb
0x01085af5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction ID: 659f6d127f2ab2e89790dc5b3f82e8dd2d55f63856233c8b39ecc73bf83cf8dd
Opcode Fuzzy Hash: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction Fuzzy Hash: 6101D6315446459FDB21AB18CCC4F59B7D8AB10720F004181FDD48B291DBB4DD508B51

Uniqueness

Uniqueness Score: -1.00%

Function 01053591 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01053591(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t19;
				void* _t25;
				intOrPtr _t26;

				_t22 = __edx;
				_t20 = __ecx;
				if(__ecx == 0 || __edx == 0) {
					L7:
					E011288F5(_t19, _t20, _t22, _t25, _t26, __eflags);
					return 0xc000000d;
				}
				_t26 = _a4;
				if(_t26 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L7;
				}
				_push(0x1e);
				_v12 =  *((intOrPtr*)(_t26 + 0x28));
				_push(8);
				_push( &_v12);
				_v8 = __edx;
				_push( &_v20);
				_push(__ecx);
				_t16 = E01099770();
				if(_t16 >= 0) {
					E0107F0AE(_t26, 1);
					return 0;
				}
				return _t16;
			}

0x01053591
0x01053591
0x0105359c
0x010535ea
0x010535ea
0x00000000
0x010535ef
0x010535a2
0x010535a7
0x00000000
0x00000000
0x010535bb
0x010535bd
0x010535c3
0x010535c5
0x010535c9
0x010535cc
0x010535cd
0x010535ce
0x010535d5
0x010535dc
0x00000000
0x010535e1
0x010535e7

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction ID: 629a1fa33ab0648546561c8728ffa917ea7b70722a111b164dfe9ba679f5bf0f
Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction Fuzzy Hash: 35F04C31A013059BEB94DBA88410FAFBBECFF50754F0481D5EE41DB200DA31DA409390

Uniqueness

Uniqueness Score: -1.00%

Function 0110FDD3 Relevance: .0, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0110FDD3(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				void* __edi;
				signed char* _t15;
				intOrPtr _t21;
				signed int _t23;
				intOrPtr _t28;
				void* _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_v8 =  *0x114d360 ^ _t32;
				_t28 = __ecx;
				_t29 =  &_v52;
				_t23 = 0xa;
				memset(_t29, 0, _t23 << 2);
				_t30 = _t29 + _t23;
				_v20 = _t28;
				_v46 = 0x268;
				if(E01077D50() == 0) {
					_t15 = 0x7ffe0388;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v52);
				_push(8);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0109B640(E01099AE0(), _t21, _v8 ^ _t32, _t28, _t30, _t31);
			}

0x0110fde2
0x0110fde6
0x0110fde8
0x0110fdef
0x0110fdf0
0x0110fdf0
0x0110fdf7
0x0110fdfa
0x0110fe05
0x0110fe17
0x0110fe07
0x0110fe10
0x0110fe10
0x0110fe22
0x0110fe23
0x0110fe25
0x0110fe2a
0x0110fe3e

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df153c129ea31f474ce6a27a3b5a50886db20a8c89427c4a405756ccb0fe051a
Instruction ID: 50d533750312065dfcacc06ee0df8a87f47bbf89aeb0a9d42ae9514c8e248bf5
Opcode Fuzzy Hash: df153c129ea31f474ce6a27a3b5a50886db20a8c89427c4a405756ccb0fe051a
Instruction Fuzzy Hash: 31F0C871B04259ABDF14EBA9D805EBEB3B4FF54A00F010069B501EB6D0EA74DD11C745

Uniqueness

Uniqueness Score: -1.00%

Function 01051BE9 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E01051BE9(void* __ecx, signed int** __edx, void* __eflags) {
				char _v8;
				signed int* _t9;
				signed int* _t12;
				void* _t14;
				signed int* _t15;
				signed int** _t22;

				_push(__ecx);
				_v8 = 0x10;
				_push( &_v8);
				_t22 = __edx;
				_t14 = 0x10;
				if(E01051C45(_t14, __ecx) < 0) {
					L4:
					_t9 = 0;
				} else {
					_t15 = E01074620(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					if(_t15 == 0) {
						goto L4;
					} else {
						 *_t15 =  *_t15 & 0x00000000;
						_t5 =  &(_t15[2]); // 0x8
						_t12 = _t5;
						 *_t12 = 1;
						_t15[2] = 0;
						 *_t22 = _t12;
						_t9 = _t15;
					}
				}
				return _t9;
			}

0x01051bee
0x01051bf3
0x01051bfa
0x01051bfb
0x01051c01
0x01051c09
0x01051c41
0x01051c41
0x01051c0b
0x01051c1e
0x01051c22
0x00000000
0x01051c24
0x01051c24
0x01051c27
0x01051c27
0x01051c2d
0x01051c32
0x01051c36
0x01051c38
0x01051c38
0x01051c22
0x01051c3e

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction ID: af7f779a29581d04e43924af858480fdeb838b768ac8670b9f9f029c22536afe
Opcode Fuzzy Hash: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction Fuzzy Hash: 27F0F031614208ABEB58DB29CC00B96BBEDEF98301F1080B89989C7260EAB3ED01D354

Uniqueness

Uniqueness Score: -1.00%

Function 0111131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0111131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x114d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E01077D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0109B640(E01099AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0111131b
0x0111132a
0x01111330
0x01111336
0x0111133e
0x01111341
0x01111344
0x0111134f
0x01111361
0x01111351
0x0111135a
0x0111135a
0x0111136c
0x0111136d
0x0111136f
0x01111374
0x01111387

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be763ebad1a9f047d200f69008d654ba0d07ef07f94ea906ed940f966ebbd5fb
Instruction ID: e503dd2f3466a2f90b63e3d0a704fcb90e72c10cc6e9351888eb94b310e68020
Opcode Fuzzy Hash: be763ebad1a9f047d200f69008d654ba0d07ef07f94ea906ed940f966ebbd5fb
Instruction Fuzzy Hash: A6013C71A05209AFCF04EFA9D545AAEB7F4FF18700F004069B945EB391E634AA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01086B90 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01086B90(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _t11;
				signed int _t12;
				intOrPtr _t19;
				void* _t20;
				intOrPtr* _t21;

				_t21 = _a4;
				_t19 =  *_t21;
				if(_t19 != 0) {
					if(_t19 < 0x1fff) {
						_t19 = _t19 + _t19;
					}
					L3:
					 *_t21 = _t19;
					asm("rdtsc");
					_v8 = 0;
					_t12 = _t11 & _t19 - 0x00000001;
					_t20 = _t19 + _t12;
					if(_t20 == 0) {
						L5:
						return _t12;
					} else {
						goto L4;
					}
					do {
						L4:
						asm("pause");
						_t12 = _v8 + 1;
						_v8 = _t12;
					} while (_t12 < _t20);
					goto L5;
				}
				_t12 =  *( *[fs:0x18] + 0x30);
				if( *((intOrPtr*)(_t12 + 0x64)) == 1) {
					goto L5;
				}
				_t19 = 0x40;
				goto L3;
			}

0x01086b96
0x01086b99
0x01086b9d
0x01086be9
0x01086beb
0x01086beb
0x01086bb3
0x01086bb3
0x01086bb5
0x01086bba
0x01086bc1
0x01086bc3
0x01086bc5
0x01086be0
0x01086be0
0x00000000
0x00000000
0x00000000
0x01086bc7
0x01086bc7
0x01086bd0
0x01086bd5
0x01086bd6
0x01086bd9
0x00000000
0x01086bc7
0x01086ba5
0x01086bac
0x00000000
0x00000000
0x01086bae
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
Instruction ID: d3f6c42028a2dce25abce87559cc9c616c49605d4e1b1d91532487a570f530af
Opcode Fuzzy Hash: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
Instruction Fuzzy Hash: 31F04975A08248DFDB58DE48C690AACBBB1EB44318F2540A8E6869B700D63A9E80DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0107C577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0107C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0107C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x10311cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E011288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0107c577
0x0107c57d
0x0107c581
0x0107c5b5
0x0107c5b9
0x0107c5ce
0x0107c5ce
0x0107c5ca
0x00000000
0x0107c5ca
0x0107c5c4
0x0107c5c8
0x00000000
0x00000000
0x00000000
0x0107c5ad
0x00000000
0x0107c5af

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01fc23ef74bb81f07501977817c92420f77ac6ecd126c697838ffd63f42572d
Instruction ID: 24b3fd848ed6a8eb98707cd12c3c83f7605c03199094df184c87e6314d6eceb5
Opcode Fuzzy Hash: a01fc23ef74bb81f07501977817c92420f77ac6ecd126c697838ffd63f42572d
Instruction Fuzzy Hash: 7BF090F2D15B939FF7768B1CC244B617FD89B05770F4444A6D58687102C6A6DCC0C258

Uniqueness

Uniqueness Score: -1.00%

Function 01112073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01112073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0110FD22(__ecx);
				_t19 =  *0x114849c - _t3; // 0x610524a4
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1148748; // 0x0
					if(__eflags <= 0) {
						E01111C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1148724 & 0x00000004;
							if(( *0x1148724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1148724; // 0x0
					return E01108DF1(__ebx, 0xc0000374, 0x1145890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01112076
0x01112078
0x0111207d
0x01112083
0x011120a4
0x011120aa
0x011120ac
0x011120b7
0x011120ba
0x011120bc
0x011120c9
0x011120c9
0x011120d0
0x011120d2
0x00000000
0x011120d2
0x011120be
0x011120c3
0x011120c5
0x011120c7
0x00000000
0x00000000
0x011120c7
0x011120bc
0x011120d4
0x01112085
0x01112085
0x011120a3
0x011120a3

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42727336b6aae5b5fbb7ca3f8b5b55e567b00c81fb030d5a24417c55d416cb59
Instruction ID: cc80155811082a19be897608add7b968da78dbd6c78e1e482698c0920101bc4d
Opcode Fuzzy Hash: 42727336b6aae5b5fbb7ca3f8b5b55e567b00c81fb030d5a24417c55d416cb59
Instruction Fuzzy Hash: 80F0203E81558A4BDE3FAB7C21113E9BB92D755914B2A02B5D4A01720ECB3888D3CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0109927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0109927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = E01074620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0109FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E010992C6(_t11, _t14);
				}
				return _t11;
			}

0x01099295
0x01099299
0x0109929f
0x010992aa
0x010992ad
0x010992ae
0x010992af
0x010992b0
0x010992b4
0x010992bb
0x010992bb
0x010992c5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 48f644047c31fd3854c56fc874cfb8712016d42730958c55f977fc45f9178890
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 42E02B323405016BEB119E09CC90F47379DEF92724F0440BCB5405E242C6E5DC0887A4

Uniqueness

Uniqueness Score: -1.00%

Function 01128D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01128D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x114d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E01077D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0109B640(E01099AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01128d34
0x01128d43
0x01128d4b
0x01128d4e
0x01128d52
0x01128d5c
0x01128d6e
0x01128d5e
0x01128d67
0x01128d67
0x01128d79
0x01128d7a
0x01128d7c
0x01128d81
0x01128d94

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b568cf99b103b470f412ae31c8e323fd96786f9ecc6445bd233b6f6a268ed8a8
Instruction ID: 9ad8d28f98a0ec85dcb299c4e68abb7ed7dfc9a58bdc08ad80108f81448b4fde
Opcode Fuzzy Hash: b568cf99b103b470f412ae31c8e323fd96786f9ecc6445bd233b6f6a268ed8a8
Instruction Fuzzy Hash: 48F0B470E0461C9FDB18EFB8E445AAE77B4EF18700F108099E905EB290EA34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01128C14 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01128C14(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x114d360 ^ _t26;
				_v20 = __ecx;
				_v46 = 0x1c28;
				_v16 = __edx;
				if(E01077D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0109B640(E01099AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01128c14
0x01128c23
0x01128c2b
0x01128c2e
0x01128c32
0x01128c3c
0x01128c4e
0x01128c3e
0x01128c47
0x01128c47
0x01128c59
0x01128c5a
0x01128c5c
0x01128c61
0x01128c74

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a1bcab587bf5de474c31dbdd27069c015d130b2238ed5f1de6f3512b748cde
Instruction ID: ebed8b1f9c90b6896730ae2a6cc41cbc93ee0e6f676ac5de925eaef929e8e008
Opcode Fuzzy Hash: f3a1bcab587bf5de474c31dbdd27069c015d130b2238ed5f1de6f3512b748cde
Instruction Fuzzy Hash: B0F09070A042199BDB18EBA8E905AAE77B4EB14600F004459A915EB280EB389910C794

Uniqueness

Uniqueness Score: -1.00%

Function 01128B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01128B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x114d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E01077D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0109B640(E01099AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01128b67
0x01128b6f
0x01128b72
0x01128b7d
0x01128b8f
0x01128b7f
0x01128b88
0x01128b88
0x01128b9a
0x01128b9b
0x01128b9d
0x01128ba2
0x01128bb5

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e6f0ae934455ca03dab49df7488fcd6727d1c3871484335b50336fea17d71c
Instruction ID: 02f99fd298b6e70ad0bc1b32e48f84239e63b566b96845aac149b5ca850cc150
Opcode Fuzzy Hash: 45e6f0ae934455ca03dab49df7488fcd6727d1c3871484335b50336fea17d71c
Instruction Fuzzy Hash: 22F082B0A14259AFDF14EBA8E916EBE77B4EF14700F040459FA05DB390EB34D910C798

Uniqueness

Uniqueness Score: -1.00%

Function 01128BB6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01128BB6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x114d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c25;
				if(E01077D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x20402);
				_push( *_t11 & 0x000000ff);
				return E0109B640(E01099AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01128bc5
0x01128bcd
0x01128bd0
0x01128bdb
0x01128bed
0x01128bdd
0x01128be6
0x01128be6
0x01128bf8
0x01128bf9
0x01128bfb
0x01128c00
0x01128c13

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b690d840a7b00006028b5a345414f80ce77f759f49f73c76c5c9e23ecb03ab
Instruction ID: d3d6c8ec8d336f1984c388438242eacf1aad9b6847cb4fdb1a8dfe93e7095565
Opcode Fuzzy Hash: 66b690d840a7b00006028b5a345414f80ce77f759f49f73c76c5c9e23ecb03ab
Instruction Fuzzy Hash: 04F082B0A04259AFDF18EFA8E915EBE77B4EF14700F440059F955DB291EA34E910C798

Uniqueness

Uniqueness Score: -1.00%

Function 01111BA8 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01111BA8(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x114d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x102e;
				if(E01077D50() == 0) {
					_t11 = 0x7ffe0380;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v44);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0109B640(E01099AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01111bb7
0x01111bbf
0x01111bc2
0x01111bcd
0x01111bdf
0x01111bcf
0x01111bd8
0x01111bd8
0x01111bea
0x01111beb
0x01111bed
0x01111bf2
0x01111c05

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17b71702fddd898021617d82d7734eeb7f1613ab860515b02ea9fb2612e0917
Instruction ID: 6596abf037e0bbc158f7f1c3595f99c18e00d60db47a2ef4809a03727486944e
Opcode Fuzzy Hash: a17b71702fddd898021617d82d7734eeb7f1613ab860515b02ea9fb2612e0917
Instruction Fuzzy Hash: 06F08971A05248ABDF18DBF9D456EAEB7B4EF18704F400069E645EB280E978DD00C759

Uniqueness

Uniqueness Score: -1.00%

Function 0105354C Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0105354C(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t20;

				_t17 = __ecx;
				_t20 = __ecx;
				if(__ecx == 0 || E0107C5D5(__ecx, _t18) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x1031008 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E011288F5(_t16, _t17, _t18, _t19, _t20, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x0105354c
0x01053552
0x01053556
0x010afef1
0x010afef5
0x010aff06
0x010aff06
0x010aff0b
0x00000000
0x010aff0b
0x010aff00
0x010aff04
0x00000000
0x00000000
0x00000000
0x01053589
0x00000000
0x0105358b

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaeba2c61b2593e9cd38465b4589b0a972214832669411382f98007d737c9d5
Instruction ID: 8410bc36142baa786cabdae1e1b7116e63ecc4bd1b7c15870a1bc94c74af2d6d
Opcode Fuzzy Hash: ebaeba2c61b2593e9cd38465b4589b0a972214832669411382f98007d737c9d5
Instruction Fuzzy Hash: 67F0273191169A8FD7B2C39CC140F1ABBD89B05B70FA540A1EA8587903C778CC80C380

Uniqueness

Uniqueness Score: -1.00%

Function 0105F358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0105F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0108F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = E01074620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0105f35d
0x0105f361
0x0105f367
0x0105f372
0x0105f38c
0x0105f38c
0x0105f394

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 4593f1fe35eeaf9fe29958f9041957bcccf50e44ca5d3e46fa0219341fee0cff
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 07E0DF32A42119FBEB61AAD99E05FABBFACEB58AA0F008195BE44D7150D5659E00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 010515C1 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010515C1(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4) {
				intOrPtr* _t17;

				_t14 = __ecx;
				_t17 = __ecx;
				if(( *(__edx + 2) & 0x00000001) != 0) {
					L5:
					return 0;
				}
				 *__edx =  *__edx + 0xffff;
				if( *__edx != 0) {
					goto L5;
				}
				_t4 = _t17 + 8; // 0x8
				if(__edx != _t4) {
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __edx);
					_t14 = _t17;
				}
				E01051480(_t14, _a4);
				return 1;
			}

0x010515c1
0x010515cb
0x010515cd
0x010515f3
0x00000000
0x010515f3
0x010515d4
0x010515d7
0x00000000
0x00000000
0x010515d9
0x010515de
0x010aef10
0x010aef15
0x010aef15
0x010515e7
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction ID: 2cc081750c01e36dc3c1799506c84bfc32436f02149eca299a36c9d87c333d5d
Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction Fuzzy Hash: F3E02B31600146D3CFB2AA48C400FB7B7DDAF51708F0881B1ED428B142DA70DC42C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 010E41E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E010E41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x11308f0);
				_t5 = E010AD08C(__ebx, __edi, __esi);
				if( *0x11487ec == 0) {
					E0106EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x11487ec == 0) {
						 *0x11487f0 = 0x11487ec;
						 *0x11487ec = 0x11487ec;
						 *0x11487e8 = 0x11487e4;
						 *0x11487e4 = 0x11487e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L010E4248();
				}
				return E010AD0D1(_t5);
			}

0x010e41e8
0x010e41ea
0x010e41ef
0x010e41fb
0x010e4206
0x010e420b
0x010e4216
0x010e421d
0x010e4222
0x010e422c
0x010e4231
0x010e4231
0x010e4236
0x010e423d
0x010e423d
0x010e4247

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5626bc6723beb81e68d3cd3bdb91fd127c1a8de7586606eb4e61dde01662b803
Instruction ID: b6b7f18caa70fe32461dcfdf23c56c66fbece9aac7ca323a6c18fadbb2a84f32
Opcode Fuzzy Hash: 5626bc6723beb81e68d3cd3bdb91fd127c1a8de7586606eb4e61dde01662b803
Instruction Fuzzy Hash: BFF01578890B01CFCBB8EFEAD5247683AE4F794B23F80816A91A0C76C8D73444A4CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0110D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0110D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0105E8B0(__ecx, _a4, 0xfff);
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0110d38a
0x0110d39b
0x0110d3b1
0x00000000
0x0110d3b6
0x00000000

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 1fe519b862c0d497dd60a9e96fb8b8bfc8a4bc61521d51c21f6b64fc536f35ad
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 61E0C231684205BBDF275E84DC00FB9BB1AEB507A1F104031FE485E6D0C6B19D91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 0108A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0108A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x11467e4 >= 0xa) {
					if(_t5 < 0x1146800 || _t5 >= 0x1146900) {
						return L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E01070010(0x11467e0, _t5);
				}
			}

0x0108a190
0x0108a1a6
0x0108a1c2
0x00000000
0x00000000
0x00000000
0x0108a192
0x0108a192
0x0108a19f
0x0108a19f

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e071cc2a9e10a14a19c2a866b89b325c54773601a68c336a83a24236ac934d
Instruction ID: da8a3c399978123b3b73dc98781b542c12e04dcf7a30b3927fb35aeb1ceb7117
Opcode Fuzzy Hash: 72e071cc2a9e10a14a19c2a866b89b325c54773601a68c336a83a24236ac934d
Instruction Fuzzy Hash: F8D02BB12650009BCB2D7300CE14BA53612F781F79F34840EF2C35BD94EB5488D1C10C

Uniqueness

Uniqueness Score: -1.00%

Function 010D53CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0106EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x010d53ca
0x010d53ce
0x010d53d9
0x010d53de
0x010d53e1
0x010d53e1
0x010d53e6
0x010d53f3
0x00000000
0x010d53f8
0x010d53fb

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: df9a2cd20c9271dfb20fd1c9b042d0dc22f106c83b82b274144b8fb7c328579e
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: CAE08C319007809BCF12DB48CA50F8EBBF9FB84B40F140044A5485B620CA34AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01059515 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01059515(void* __ecx) {
				signed int _t6;
				signed int _t7;

				_t7 = _t6 ^ _t6;
				if(__ecx == 0) {
					_t7 = 0xc000000d;
				} else {
					L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t7, __ecx);
				}
				return _t7;
			}

0x01059518
0x0105951c
0x01059533
0x0105951e
0x0105952a
0x0105952a
0x01059532

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c16d2f1afa17dba0d206c0069360ca6c78a37c15bc0f17052bee8c994bb9e9
Instruction ID: c9b26adc5f55c690142d4dc4297e901cbecddd85fc2da7ab0ce5a8bc99304e6c
Opcode Fuzzy Hash: c0c16d2f1afa17dba0d206c0069360ca6c78a37c15bc0f17052bee8c994bb9e9
Instruction Fuzzy Hash: 31D02232202070D3CF685B48B904FA7BA05EF80A98F0A00AC7D0983900C0108C03C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 01058410 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01058410(intOrPtr _a4) {
				void* __ebp;
				intOrPtr _t5;
				void* _t9;
				void* _t11;
				void* _t12;
				void* _t13;

				E010899BC(_t9, _a4, _t11, _t12, _t13);
				_t5 =  *0x11484c4; // 0x0
				return L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t5 + 0x200000, _a4);
			}

0x01058418
0x01058420
0x0105843a

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a715ee89944f68158ec6d61c547c168a8fa13f2630e275b22335b6b250be9c7
Instruction ID: 916664d27be57f482f7ab1f1dce6de1e51949fd17034355b7ba2593d1bb9dd44
Opcode Fuzzy Hash: 4a715ee89944f68158ec6d61c547c168a8fa13f2630e275b22335b6b250be9c7
Instruction Fuzzy Hash: 1CD0A732040104ABC711FF4CDD40F557BADEB94750F040024B44887262CA30EC61C648

Uniqueness

Uniqueness Score: -1.00%

Function 0106AAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0106AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0106aab6
0x0106aabb
0x010ba442
0x00000000
0x010ba448
0x010ba454
0x010ba454
0x0106aac1
0x0106aac1
0x0106aac6
0x0106aac6

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: b086fd51be3a3832614b9be24d7a0fd91da364cd2fce36cc523b19f0d5fbdaf0
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: C7D0E935352980CFD657DB1DC594B5577E8BB44B44FC504E0E541CB762E72CD944CA14

Uniqueness

Uniqueness Score: -1.00%

Function 010835A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010835A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0106EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x010835a1
0x010835a1
0x010835a5
0x010835ab
0x010835ab
0x010835b5
0x00000000
0x010835c1
0x010835b7

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 9af5449f7c5869b11387cb1ef7fd0c59ad2e3450611da913d3d6db3eb35af09c
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: F3D0A73140918199DB41FB14C1147ACB7B1BB80A24F58249580C10D452C336C909C710

Uniqueness

Uniqueness Score: -1.00%

Function 0105DB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0105DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = E01074620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0105db4d
0x0105db54
0x0105db5f
0x0105db56
0x0105db56
0x0105db5c
0x0105db5c

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: d3f6d680285d5d2d080e26a8efc0249c2f83f263520c503d231bbe0d9ee59ca1
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 4FC08C30280A01EAFB622F20CD01B413AA1BB10B01F4400A06740DA0F0EBB8D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 010DA537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010DA537(intOrPtr _a4, intOrPtr _a8) {

				return L01078E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x010da553

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: b1bf310d84b14e91424c3c4d06004337fe034d4b64101df7470288e01f79bce7
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: ECC08C3308024CBBCB126F81CC04F467F2AFBA4B60F108411FA480B570C632E970EB88

Uniqueness

Uniqueness Score: -1.00%

Function 01073A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01073A1C(intOrPtr _a4) {
				void* _t5;

				return E01074620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x01073a35

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: d6ee2927fd18f285e89b07339b961a45fc545cc23ab74552bbb04fc82ce0de90
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 66C08C32080248FBC7126E41DC00F017B29E7A4B60F000020B6040A5608572EC60D58C

Uniqueness

Uniqueness Score: -1.00%

Function 0105AD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0105AD30(intOrPtr _a4) {

				return L010777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0105ad49

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: cd108830fb2f923fc20607f1e5d32aa67a61a214401c6757ff12846f2e73c153
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: C0C08C32080248BBC7126A45CD00F01BB29E7A0BA0F000020F6040A661C932E861D588

Uniqueness

Uniqueness Score: -1.00%

Function 01084190 Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01084190() {

				if(E01077D50() != 0) {
					return  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x14));
				} else {
					return  *0x7ffe02d0;
				}
			}

0x01084197
0x010c641c
0x0108419d
0x010841a2
0x010841a2

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: 7e599e030c4fbf2ebf957e00e2491523782db98fa25a089fd0afe587ed37f10a
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: 8BC04C357115418FCF15DB29C284F5977F4B744B45F1508D0E845CB721EA24EC50DA10

Uniqueness

Uniqueness Score: -1.00%

Function 01108D47 Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01108D47() {
				intOrPtr _t5;

				_t5 =  *((intOrPtr*)( *[fs:0x30] + 2));
				if(_t5 == 0) {
					return  *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003;
				}
				return _t5;
			}

0x01108d4d
0x01108d52
0x00000000
0x01108d5d
0x01108d60

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 3836779f18a428bbc2e28a96450103345ad26c2d017546244beae78d543a2ff8
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 73C09B2F5596C54DCD278F3443127D5BF60D7469D4F1D14C1D4D11F553C1544513D725

Uniqueness

Uniqueness Score: -1.00%

Function 01077D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01077D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x01077d56
0x01077d5b
0x01077d60
0x01077d5d
0x01077d5d
0x01077d5d

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 8115e89d67a7513e7391b546e432c2a442581021f184d582a6ee8c1d98fe1332
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: C5B092353019408FCE56EF18C084B1533F4BB48A80B8400D0E400CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01082ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01082ACB() {
				void* _t5;

				return E0106EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x01082adc

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 96c1ac536728ba2dc27381a83879fd78edc761f92595e662956518862b163111
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 69B01232C10541CFCF02EF40C610B5A7335FB40750F054490900127930C229AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01099910 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b510f668499c9c46a1404e0bd6c38391c3ff14ce4e0ad623f96ca40cde9984b
Instruction ID: 8acb8571683d0a7ed1d450a952389fff80d46763aae379811ccd30bb69d12a05
Opcode Fuzzy Hash: 9b510f668499c9c46a1404e0bd6c38391c3ff14ce4e0ad623f96ca40cde9984b
Instruction Fuzzy Hash: A39002B120100912D14071D984047461105A7D0341FD1C011A5454594ECA998DD577A5

Uniqueness

Uniqueness Score: -1.00%

Function 01099950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa81c823f0649310d306477c9c0cd1d99abdae42a0244e42a6574f1e4843eee0
Instruction ID: 963731b3196db3733fbe484c9f54671cef5de31399c76238d6aab8cdec053ea0
Opcode Fuzzy Hash: aa81c823f0649310d306477c9c0cd1d99abdae42a0244e42a6574f1e4843eee0
Instruction Fuzzy Hash: 8D9002A120140913D14065D988046071105A7D0342FD1C011A2454595ECE698C517275

Uniqueness

Uniqueness Score: -1.00%

Function 010999A0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c543a88a7e3b69cd45bbbf1588bbb0eaf417e766c24fb4d4db4f7350afebf4
Instruction ID: 943402010ef5da316befbaeb4f8cba97c620dfcd0c07446a32989444130047c1
Opcode Fuzzy Hash: f6c543a88a7e3b69cd45bbbf1588bbb0eaf417e766c24fb4d4db4f7350afebf4
Instruction Fuzzy Hash: E29002A134100952D10061D98414B061105E7E1341FD1C015E1454594DCA59CC527266

Uniqueness

Uniqueness Score: -1.00%

Function 010999D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e191db5fe574c4c7cab80beb7266c13df4caa65478e8f5a2758c195f342ca4
Instruction ID: 93b0a15bef9bcc1a6f8908fde8cd53b106a1ef81f2221510bed18ebc828f0d9c
Opcode Fuzzy Hash: 30e191db5fe574c4c7cab80beb7266c13df4caa65478e8f5a2758c195f342ca4
Instruction Fuzzy Hash: 929002A121100552D10461D984047061145A7E1241FD1C012A2544594CC9698C616265

Uniqueness

Uniqueness Score: -1.00%

Function 01099820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798515fe81977df8424e6c39d1fe06ab8892a53f08875dc3191184611802b26e
Instruction ID: 4de89228b31be740786b18c0174a0896fe65a02050184d7d243bea180c9402ed
Opcode Fuzzy Hash: 798515fe81977df8424e6c39d1fe06ab8892a53f08875dc3191184611802b26e
Instruction Fuzzy Hash: 2790027124100912D14171D984046061109B7D0281FD1C012A0814594ECA958A56BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0109B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275cba6342963ce47b86f306788158e90217635eb4b26cc5588d13e6f6b3831d
Instruction ID: 3ed20d98e266138b8aec2dd2d8a685e0493a03fad6ce7079cb832ab47d09fa2f
Opcode Fuzzy Hash: 275cba6342963ce47b86f306788158e90217635eb4b26cc5588d13e6f6b3831d
Instruction Fuzzy Hash: C09002A1601145538540B1D988044066115B7E13413D1C121A08445A0CCAA88855A3A5

Uniqueness

Uniqueness Score: -1.00%

Function 01099840 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20658b7261f37683836df4597b580046dc3ea059f149de10b7a6f9225675bf5
Instruction ID: b3dee4324e0af550cd8d325a320bdd00a46b2e05bfbef0c43f64552a2415af04
Opcode Fuzzy Hash: d20658b7261f37683836df4597b580046dc3ea059f149de10b7a6f9225675bf5
Instruction Fuzzy Hash: 0D900261242046629545B1D984045075106B7E02817D1C012A1804990CC9669856E761

Uniqueness

Uniqueness Score: -1.00%

Function 010998A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c560a828848f4369cd34a3d983e5f57936e34b9a78983ecc530d8a869cde7a9
Instruction ID: a22a6184a8e254d03549f73e8fcf046e013e6448497b67c7df170085ec594c5a
Opcode Fuzzy Hash: 6c560a828848f4369cd34a3d983e5f57936e34b9a78983ecc530d8a869cde7a9
Instruction Fuzzy Hash: 5890026130100912D10261D984146061109E7D1385FD1C012E1814595DCA658953B272

Uniqueness

Uniqueness Score: -1.00%

Function 010998F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee91cf8cfa9ed0d531c9ca44ce5c8a35e5809b9437ca7e81223ffe2e7056b9d
Instruction ID: a06e1b37833ba6142ebb5ab81e2f2d0e5302a2d300746629d97ad764e977c9ce
Opcode Fuzzy Hash: 6ee91cf8cfa9ed0d531c9ca44ce5c8a35e5809b9437ca7e81223ffe2e7056b9d
Instruction Fuzzy Hash: 8090026160100A12D10171D98404616110AA7D0281FD1C022A1414595ECE658992B271

Uniqueness

Uniqueness Score: -1.00%

Function 01099B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81258cbc6f6486ff92f90331b84e75cd1cd68e79a87b01b9838fcdafd18f0f30
Instruction ID: 9c92f1dfc6badcd35c7e8529eb1f0375262b5d49db47d15a8ee4d4dd5a1c2044
Opcode Fuzzy Hash: 81258cbc6f6486ff92f90331b84e75cd1cd68e79a87b01b9838fcdafd18f0f30
Instruction Fuzzy Hash: AE90026124100D12D14071D9C4147071106E7D0641FD1C011A0414594DCA56896577F1

Uniqueness

Uniqueness Score: -1.00%

Function 0109A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260eb91d98faa26a7c64e14a78aaa3558f1414e56d13a9d448e90c14b27823db
Instruction ID: 32e3a3768ec73227ae5c204847ae66ea5122d75f573fb5fc6a20b74969e5515f
Opcode Fuzzy Hash: 260eb91d98faa26a7c64e14a78aaa3558f1414e56d13a9d448e90c14b27823db
Instruction Fuzzy Hash: 8990027120144512D14071D9C44460B6105B7E0341FD1C411E0815594CCA558856A361

Uniqueness

Uniqueness Score: -1.00%

Function 01099A00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd7b38c83963d6bb2a646a3ec32a63acc2a397cded7cc9ebe2adcee9ae66028
Instruction ID: a86cd4c1780243f3c8ec41e2a192c696bfe3d874ca56b49d00c61fd9d93954ee
Opcode Fuzzy Hash: 3bd7b38c83963d6bb2a646a3ec32a63acc2a397cded7cc9ebe2adcee9ae66028
Instruction Fuzzy Hash: 6890027120140912D10061D9881470B1105A7D0342FD1C011A1554595DCA65885176B1

Uniqueness

Uniqueness Score: -1.00%

Function 01099A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec36d8336342321a40407cdaabfe3ee8e7f06571dad2c8bd3d157efc10743875
Instruction ID: f58d86051c6b8a6b6131ee49af52b5d010aeda07b7d792b8be2b2d572dc0927a
Opcode Fuzzy Hash: ec36d8336342321a40407cdaabfe3ee8e7f06571dad2c8bd3d157efc10743875
Instruction Fuzzy Hash: 8890027120140912D10061D988087471105A7D0342FD1C011A5554595ECAA5C8917671

Uniqueness

Uniqueness Score: -1.00%

Function 01099A20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4b4794d94ba22c1827e4c753908c1cb3a571e6f9f3d9d89fc37b3846f96683
Instruction ID: 223b51555ff12ce2db457f477222ec7e4513f3e0da7c27243f66ef49580c471e
Opcode Fuzzy Hash: 2b4b4794d94ba22c1827e4c753908c1cb3a571e6f9f3d9d89fc37b3846f96683
Instruction Fuzzy Hash: F090026160100552814071E9C8449065105BBE12517D1C121A0D88590DC999886567A5

Uniqueness

Uniqueness Score: -1.00%

Function 01099A50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9add71f5f661fc794ca4a3ffb2adf586e176e171514fcaf1471deb283167a5
Instruction ID: f3dbf8f7e16076d6bcfb85cbcccaa49b47a243abfffb2f1b0892f4f6cd06f2f1
Opcode Fuzzy Hash: 0a9add71f5f661fc794ca4a3ffb2adf586e176e171514fcaf1471deb283167a5
Instruction Fuzzy Hash: 0490026121180552D20065E98C14B071105A7D0343FD1C115A0544594CCD5588616661

Uniqueness

Uniqueness Score: -1.00%

Function 01099A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1345d6acf47527c943132e025331b1a5e9e387e310f6bd46c758d49358caeedf
Instruction ID: e7fb809276f45069425b5e6feb326ddf6ceefef89b29c127a0e81b5cc27d0ad5
Opcode Fuzzy Hash: 1345d6acf47527c943132e025331b1a5e9e387e310f6bd46c758d49358caeedf
Instruction Fuzzy Hash: FC90026120144952D14062D98804B0F5205A7E1242FD1C019A4546594CCD5588556761

Uniqueness

Uniqueness Score: -1.00%

Function 01099520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b51128e1811560e5e5032d07b85cc00c11ff6569bd713a64520d916030240f7
Instruction ID: 47f0c4644d1974663bcf5cda6a41b9007a8309cb266f476452f946d7c956bd4c
Opcode Fuzzy Hash: 7b51128e1811560e5e5032d07b85cc00c11ff6569bd713a64520d916030240f7
Instruction Fuzzy Hash: 419002E1201145A28500A2D9C404B0A5605A7E0241BD1C016E14445A0CC9658851A275

Uniqueness

Uniqueness Score: -1.00%

Function 0109AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb18592b448e727f14b2bb434a3ec115cf797030de9cfc08241e1016bcbceae1
Instruction ID: afc0911b5021f6ddfd12a516f97dba070cacccb207fe40598d2f7f99f6dda6e5
Opcode Fuzzy Hash: eb18592b448e727f14b2bb434a3ec115cf797030de9cfc08241e1016bcbceae1
Instruction Fuzzy Hash: FC900271A0500522D14071D988146465106B7E0781BD5C011A0904594CCD948A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01099540 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71413fa9a127f8021a20e52313766e97ee148bc7d94c8c8c5adc2828d6b194d2
Instruction ID: b8f0d693717e04ab84ffc8f59d10442128546b657a20728194e70a35f2fe7966
Opcode Fuzzy Hash: 71413fa9a127f8021a20e52313766e97ee148bc7d94c8c8c5adc2828d6b194d2
Instruction Fuzzy Hash: 3D900265211005134105A5D947045071146A7D53913D1C021F1405590CDA6188616261

Uniqueness

Uniqueness Score: -1.00%

Function 01099560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889f59831c380a0dd15fc8430234bf8226764cf8dafa4f3c06058b9afaf2d169
Instruction ID: eb40477afa98690faed42eb9819dfefbac7cd26cc5792571d2c3671a17f2e617
Opcode Fuzzy Hash: 889f59831c380a0dd15fc8430234bf8226764cf8dafa4f3c06058b9afaf2d169
Instruction Fuzzy Hash: 48900265221005124145A5D9460450B1545B7D63913D1C015F18065D0CCA6188656361

Uniqueness

Uniqueness Score: -1.00%

Function 010995D0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c64880f685cea1635893e07038176fea54a6385ce3b62634fed92a3b7653a1
Instruction ID: 1ce3cc9070eb3244e6dd013e59b8d02cf4fba5bfe6549c4f618595fcadbe0af4
Opcode Fuzzy Hash: e1c64880f685cea1635893e07038176fea54a6385ce3b62634fed92a3b7653a1
Instruction Fuzzy Hash: B29002A120200513810571D98414616510AA7E0241BD1C021E14045D0DC96588917265

Uniqueness

Uniqueness Score: -1.00%

Function 010995F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e4d927c32269e23384a9517814c53e8e555818548cd55295aa1a57f7427f5a
Instruction ID: 54772bf88bf486ccc2844748f678dfdb226f8bb1db09582a40b30faf34317abb
Opcode Fuzzy Hash: d8e4d927c32269e23384a9517814c53e8e555818548cd55295aa1a57f7427f5a
Instruction Fuzzy Hash: 4C90027120100D12D10461D988046861105A7D0341FD1C011A6414695EDAA588917271

Uniqueness

Uniqueness Score: -1.00%

Function 0109A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb2982e5ae4568b4828a5058d998ffe1db75201031f18c7d0916fa7cc234e3e
Instruction ID: 83c9f871174d43c38bdbf684d95c2e23cbaa1e44f0dfa936905459bbda969281
Opcode Fuzzy Hash: fbb2982e5ae4568b4828a5058d998ffe1db75201031f18c7d0916fa7cc234e3e
Instruction Fuzzy Hash: 5590027130100562D500A6D99804A4A5205A7F0341BD1D015A4404594CC99488616261

Uniqueness

Uniqueness Score: -1.00%

Function 01099710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1efa0e1dad13cae576967b9cb1df07d2e11199191408d185775b618dbf6982
Instruction ID: 38e287de16e15ea90687ac503cfb24e5a2acc692362dbbe7694b682019bb7a36
Opcode Fuzzy Hash: 2d1efa0e1dad13cae576967b9cb1df07d2e11199191408d185775b618dbf6982
Instruction Fuzzy Hash: 2790027120100912D10065D994086461105A7E0341FD1D011A5414595ECAA588917271

Uniqueness

Uniqueness Score: -1.00%

Function 01099730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea7290ca4c433d7a6a3605967d3e25cb46f1b8df286ee46c8eaef5f4daf8f29
Instruction ID: 0f8f24bc16071941571a6c690b2230370ac04e27533b2f15e30474f49b088bca
Opcode Fuzzy Hash: 8ea7290ca4c433d7a6a3605967d3e25cb46f1b8df286ee46c8eaef5f4daf8f29
Instruction Fuzzy Hash: 7590026160500912D14071D994187061115A7D0241FD1D011A0414594DCA998A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 01099760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2c88b361f849b829d427ecde32a1ec333cfe5241a65d3bc72e515bd2678573
Instruction ID: 76214434c700d7f5acf8ebfeb18ae7a7c428dca9bb34e519cc45ff3615d5740d
Opcode Fuzzy Hash: ab2c88b361f849b829d427ecde32a1ec333cfe5241a65d3bc72e515bd2678573
Instruction Fuzzy Hash: 7F90027120100913D10061D995087071105A7D0241FD1D411A0814598DDA9688517261

Uniqueness

Uniqueness Score: -1.00%

Function 0109A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539442b7a41935c3705ab98477f815b2246459c6b0ac3fdaf8d491ff2c70e61d
Instruction ID: 1981211ffde1d44bf2577c2ab86097ee6d3bb5543b5afa1f1c6fde72bd457428
Opcode Fuzzy Hash: 539442b7a41935c3705ab98477f815b2246459c6b0ac3fdaf8d491ff2c70e61d
Instruction Fuzzy Hash: BC90027520504952D50065D99804A871105A7D0345FD1D411A08145DCDCA948861B261

Uniqueness

Uniqueness Score: -1.00%

Function 01099770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91500fbd63de2588ecad1cce497d4e82433ed8e8408d679230879f670f555348
Instruction ID: 04c04a0981731d46b1ac63aa48f2ee5446642fa5b8202f4f467677cf1900a830
Opcode Fuzzy Hash: 91500fbd63de2588ecad1cce497d4e82433ed8e8408d679230879f670f555348
Instruction Fuzzy Hash: F190026120504952D10065D99408A061105A7D0245FD1D011A14545D5DCA758851B271

Uniqueness

Uniqueness Score: -1.00%

Function 01099780 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f4a0a9093886a6d2a3c986b725ac5ea940bc8bb708693862ed62a6690ba82f
Instruction ID: ca79ded156e519af0683b98b52d4a7e5d107208dcdd63ff208b3fa8e0443611b
Opcode Fuzzy Hash: c5f4a0a9093886a6d2a3c986b725ac5ea940bc8bb708693862ed62a6690ba82f
Instruction Fuzzy Hash: 6A90026921300512D18071D9940860A1105A7D1242FD1D415A0405598CCD5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 010997A0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c0a44f23cab0a56647de47ad9c5d9c67c52b4acb339f428cb3b9066a07cca8
Instruction ID: 3bef53eefb80b92dc24efba933e744e99504f5c2424636908513baf6ad75c3d3
Opcode Fuzzy Hash: f5c0a44f23cab0a56647de47ad9c5d9c67c52b4acb339f428cb3b9066a07cca8
Instruction Fuzzy Hash: 8690026130100513D14071D994186065105F7E1341FD1D011E0804594CDD5588566362

Uniqueness

Uniqueness Score: -1.00%

Function 01099FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3cb8c88e5fad52bc92ff35aadf1e75ed0da61ff45b88b177899afb23d1e496
Instruction ID: b5333861030d24e7c2e9d4837228a988900c2eb908d978b64b20fb5a4551d30b
Opcode Fuzzy Hash: 8f3cb8c88e5fad52bc92ff35aadf1e75ed0da61ff45b88b177899afb23d1e496
Instruction Fuzzy Hash: 7B90027131114912D11061D9C4047061105A7D1241FD1C411A0C14598DCAD588917262

Uniqueness

Uniqueness Score: -1.00%

Function 01099610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f6d8c2e0e441113876ceee0f415eebd945279a81e3f3a70b0f1b534dca0075
Instruction ID: 9b344e99b8081ebf95bb288805d596e82b6ae156633616f5ac2a37d500b8354a
Opcode Fuzzy Hash: 35f6d8c2e0e441113876ceee0f415eebd945279a81e3f3a70b0f1b534dca0075
Instruction Fuzzy Hash: A890027160500D12D15071D984147461105A7D0341FD1C011A0414694DCB958A5577E1

Uniqueness

Uniqueness Score: -1.00%

Function 01099650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09de8dba1902356fe2db57954efcf0dbe3ee13d56fcdb1b9fe0ac061b4b895d
Instruction ID: 03848604723968375012739360d2a8fa4ea7808a55ea572e0f1e2e8b2eb982bf
Opcode Fuzzy Hash: c09de8dba1902356fe2db57954efcf0dbe3ee13d56fcdb1b9fe0ac061b4b895d
Instruction Fuzzy Hash: 0990027120504D52D14071D98404A461115A7D0345FD1C011A04546D4DDA658D55B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010996D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7554d145dfa40f535ba95572c0a81cb3e200cc69dcef95ce6029b4c12777a73
Instruction ID: 62c607a2a7ca9d1ef782cf5ba7352f49ca4f8c3779b359530c8dc7bd35d35615
Opcode Fuzzy Hash: c7554d145dfa40f535ba95572c0a81cb3e200cc69dcef95ce6029b4c12777a73
Instruction Fuzzy Hash: 8F90027120100D52D10061D98404B461105A7E0341FD1C016A0514694DCA55C8517661

Uniqueness

Uniqueness Score: -1.00%

Function 01099670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: dddf09ab3d8bf91644b256478fe6806a52ca6245f13973fa3c05baee1ff7cff8
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01057CC0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E01057CC0(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _t60;
				signed int _t65;
				void* _t70;
				void* _t73;
				signed int _t86;
				void* _t92;
				signed int _t94;
				intOrPtr _t101;
				signed int _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t115;
				intOrPtr _t116;
				signed char _t117;
				void* _t118;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;

				_t101 = _a8;
				_t120 = _a4;
				_t121 = 0;
				_t104 = _t101 + 0x2e;
				_v24 = 8;
				_v16 = _t104;
				if( *_t120 == 0) {
					__eflags =  *(_t120 + 2);
					if( *(_t120 + 2) != 0) {
						goto L1;
					}
					__eflags =  *(_t120 + 4);
					if( *(_t120 + 4) != 0) {
						goto L1;
					}
					__eflags =  *(_t120 + 6);
					if( *(_t120 + 6) != 0) {
						goto L1;
					}
					_t117 =  *(_t120 + 0xc) & 0x0000ffff;
					_v20 = _t117 >> 8;
					__eflags = _t117;
					if(_t117 == 0) {
						goto L1;
					}
					_t86 =  *(_t120 + 8) & 0x0000ffff;
					__eflags = _t86;
					if(_t86 != 0) {
						_v12 = 0xffff;
						__eflags = _t86 - _v12;
						if(_t86 != _v12) {
							goto L1;
						}
						__eflags =  *(_t120 + 0xa);
						if( *(_t120 + 0xa) != 0) {
							goto L1;
						}
						__eflags = _t104 - _t101;
						_push( *(_t120 + 0xf) & 0x000000ff);
						_push( *(_t120 + 0xe) & 0x000000ff);
						_push(_v20 & 0x000000ff);
						_t92 = E010A6B30(_t101, _t104 - _t101, "::ffff:0:%u.%u.%u.%u", _t117 & 0x000000ff);
						L29:
						return _t92 + _t101;
					}
					_t94 =  *(_t120 + 0xa) & 0x0000ffff;
					__eflags = _t94;
					if(_t94 == 0) {
						_t118 = 0x10348a4;
						L27:
						_push( *(_t120 + 0xf) & 0x000000ff);
						_push( *(_t120 + 0xe) & 0x000000ff);
						_push(_v20 & 0x000000ff);
						_push( *(_t120 + 0xc) & 0xff);
						_t92 = E010A6B30(_t101, _t104 - _t101, "::%hs%u.%u.%u.%u", _t118);
						goto L29;
					}
					__eflags = _t94 - 0xffff;
					if(_t94 != 0xffff) {
						goto L1;
					}
					_t118 = 0x104d700;
					goto L27;
				}
				L1:
				_t105 = _t121;
				_t60 = _t121;
				_v8 = _t105;
				_v20 = _t60;
				if(( *(_t120 + 8) & 0x0000fffd) == 0) {
					__eflags =  *(_t120 + 0xa) - 0xfe5e;
					if( *(_t120 + 0xa) == 0xfe5e) {
						_v24 = 6;
					}
				}
				_t115 = _t121;
				_t102 = _t60;
				do {
					if( *((intOrPtr*)(_t120 + _t115 * 2)) == _t121) {
						__eflags = _t115 - _t60 + 1 - _v8 - _t102;
						_t60 = _v20;
						if(__eflags <= 0) {
							_t105 = _v8;
						} else {
							_t49 = _t115 + 1; // 0x1
							_t105 = _t49;
							_t102 = _t60;
							_v8 = _t105;
						}
					} else {
						_t13 = _t115 + 1; // 0x1
						_t60 = _t13;
						_v20 = _t60;
					}
					_t115 = _t115 + 1;
				} while (_t115 < _v24);
				_v12 = _t102;
				_t103 = _a8;
				if(_t105 - _t102 > 1) {
					_t65 = _v12;
				} else {
					_t105 = _t121;
					_t65 = _t121;
					_v8 = _t105;
					_v12 = _t65;
				}
				do {
					if(_t121 < _t105) {
						__eflags = _t65 - _t121;
						if(_t65 > _t121) {
							goto L9;
						}
						_push("::");
						_push(_v16 - _t103);
						_push(_t103);
						_t70 = E010A6B30();
						_t105 = _v8;
						_t122 = _t122 + 0xc;
						_t121 = _t105 - 1;
						goto L13;
					}
					L9:
					if(_t121 != 0 && _t121 != _t105) {
						_push(":");
						_push(_v16 - _t103);
						_push(_t103);
						_t73 = E010A6B30();
						_t122 = _t122 + 0xc;
						_t103 = _t103 + _t73;
					}
					_t70 = E010A6B30(_t103, _v16 - _t103, "%x",  *(_t120 + _t121 * 2) & 0x0000ffff);
					_t105 = _v8;
					_t122 = _t122 + 0x10;
					L13:
					_t116 = _v24;
					_t103 = _t103 + _t70;
					_t65 = _v12;
					_t121 = _t121 + 1;
				} while (_t121 < _t116);
				if(_t116 < 8) {
					_push( *(_t120 + 0xf) & 0x000000ff);
					_push( *(_t120 + 0xe) & 0x000000ff);
					_push( *(_t120 + 0xd) & 0x000000ff);
					_t103 = _t103 + E010A6B30(_t103, _v16 - _t103, ":%u.%u.%u.%u",  *(_t120 + 0xc) & 0x000000ff);
				}
				return _t103;
			}

0x01057cc9
0x01057cce
0x01057cd1
0x01057cd3
0x01057cd6
0x01057cdd
0x01057ce3
0x010b2bbb
0x010b2bbf
0x00000000
0x00000000
0x010b2bc5
0x010b2bc9
0x00000000
0x00000000
0x010b2bcf
0x010b2bd3
0x00000000
0x00000000
0x010b2bd9
0x010b2be2
0x010b2be5
0x010b2be8
0x00000000
0x00000000
0x010b2bee
0x010b2bf2
0x010b2bf5
0x010b2c74
0x010b2c7b
0x010b2c7f
0x00000000
0x00000000
0x010b2c85
0x010b2c89
0x00000000
0x00000000
0x010b2c4b
0x010b2c4d
0x010b2c52
0x010b2c59
0x010b2c65
0x010b2c6d
0x00000000
0x010b2c6d
0x010b2bf7
0x010b2bfb
0x010b2bfe
0x010b2c15
0x010b2c1a
0x010b2c20
0x010b2c25
0x010b2c2c
0x010b2c34
0x010b2c3d
0x00000000
0x010b2c42
0x010b2c05
0x010b2c08
0x00000000
0x00000000
0x010b2c0e
0x00000000
0x010b2c0e
0x01057ce9
0x01057cee
0x01057cf0
0x01057cf2
0x01057cf5
0x01057cfc
0x010b2c96
0x010b2c9a
0x010b2ca0
0x010b2ca0
0x010b2c9a
0x01057d02
0x01057d04
0x01057d06
0x01057d0a
0x010b2cb6
0x010b2cb8
0x010b2cbb
0x010b2cca
0x010b2cbd
0x010b2cbd
0x010b2cbd
0x010b2cc0
0x010b2cc2
0x010b2cc2
0x01057d10
0x01057d10
0x01057d10
0x01057d13
0x01057d13
0x01057d16
0x01057d17
0x01057d1e
0x01057d23
0x01057d29
0x01057d9f
0x01057d2b
0x01057d2b
0x01057d2d
0x01057d2f
0x01057d32
0x01057d32
0x01057d35
0x01057d37
0x010b2cd2
0x010b2cd4
0x00000000
0x00000000
0x010b2cdd
0x010b2ce4
0x010b2ce5
0x010b2ce6
0x010b2ceb
0x010b2cee
0x010b2cf1
0x00000000
0x010b2cf1
0x01057d3d
0x01057d3f
0x01057d48
0x01057d4f
0x01057d50
0x01057d51
0x01057d56
0x01057d59
0x01057d59
0x01057d73
0x01057d78
0x01057d7b
0x01057d7e
0x01057d7e
0x01057d81
0x01057d83
0x01057d86
0x01057d87
0x01057d8e
0x010b2cfd
0x010b2d02
0x010b2d07
0x010b2d21
0x010b2d21
0x00000000

APIs

___swprintf_l.LIBCMT ref: 01057D51
___swprintf_l.LIBCMT ref: 01057D73
___swprintf_l.LIBCMT ref: 010B2C3D

Strings

::%hs%u.%u.%u.%u, xrefs: 010B2C36
:%u.%u.%u.%u, xrefs: 010B2D10
ffff:, xrefs: 010B2C0E, 010B2C35
::ffff:0:%u.%u.%u.%u, xrefs: 010B2C5E

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: dc1ddcf4059545d51afa49ccb4374dc7fb18a2632c3fd2152f498a7171d8fa46
Instruction ID: 203b7e08814f4793c28dae54899a92df5246d641b87a2e2344f8dde5a84bd1c5
Opcode Fuzzy Hash: dc1ddcf4059545d51afa49ccb4374dc7fb18a2632c3fd2152f498a7171d8fa46
Instruction Fuzzy Hash: D861D6A2A00116ABCB51DF9DC8C09BFFBF8BB582007508169ECD4D7641D235EE50D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 010540FD Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E010540FD(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x114d360 ^ _t107;
				_v8 =  *0x114d360 ^ _t107;
				_t105 = __ecx;
				if( *0x11484d4 == 0) {
					L5:
					return E0109B640(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E0106E9C0(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v552 = _t85;
					_t49 = E010542EB(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v552 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E010541EA(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v552 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v552);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E010996C0();
						}
						goto L4;
					}
					_v556 = _t85;
					_t102 =  &_v556;
					_t55 = E0105429E(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v556 - _t85;
						if(_v556 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E010E5720(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v556);
						_v560 = 0x214;
						E0109FA60( &_v548, 0, 0x214);
						_t106 =  *0x11484d4;
						_t110 = _t108 + 0x20;
						 *0x114b1e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x11484d4))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E0109B75A();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E010E5720(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E010A1480( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E010E5720(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v556 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E010A1150(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E010E5720(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E010D3E13(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v556;
							} while (_t106 < _v556);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E010E5720();
						goto L15;
					}
					L8:
					_t56 = E010541F7(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v552;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x0105410d
0x0105410f
0x0105411c
0x0105411e
0x01054158
0x01054168
0x01054168
0x01054126
0x01054130
0x0105413c
0x010b04a2
0x01054142
0x0105414b
0x0105414b
0x0105414f
0x0105416b
0x01054171
0x01054176
0x01054178
0x010541d0
0x010541d2
0x010541d3
0x010541a7
0x010541ae
0x010541b0
0x010541db
0x010541b2
0x010541b8
0x010541bf
0x010541c1
0x010541c1
0x010541c1
0x010541c3
0x010541c5
0x010541df
0x010541e2
0x010541e2
0x010541c7
0x010541c9
0x010b0628
0x010b0628
0x010b0630
0x010b0631
0x010b0633
0x010b0635
0x010b0635
0x00000000
0x010541c9
0x0105417d
0x01054183
0x01054189
0x0105418e
0x01054190
0x010b04a9
0x010b04af
0x00000000
0x00000000
0x010b04b5
0x010b04c8
0x010b04d5
0x010b04e5
0x010b04ea
0x010b04f6
0x010b0518
0x010b051e
0x010b0520
0x010b0522
0x00000000
0x00000000
0x010b0528
0x010b052e
0x010b0530
0x00000000
0x00000000
0x010b053b
0x010b053d
0x00000000
0x00000000
0x010b0545
0x010b054c
0x010b054e
0x010b0623
0x00000000
0x010b0623
0x010b0556
0x010b0557
0x010b056f
0x010b0574
0x010b0583
0x010b058a
0x010b058b
0x010b058d
0x010b05b5
0x010b05c0
0x010b05c6
0x010b05c8
0x010b05cb
0x010b05cd
0x010b05d3
0x010b05d5
0x00000000
0x00000000
0x00000000
0x00000000
0x010b05db
0x010b05db
0x010b05e3
0x010b05e7
0x010b05e9
0x010b05eb
0x010b05ed
0x010b05ed
0x010b05fa
0x010b05ff
0x010b0606
0x010b060b
0x010b060d
0x00000000
0x00000000
0x010b0613
0x010b0613
0x010b0616
0x010b0616
0x00000000
0x010b061e
0x010b058f
0x010b0594
0x010b0596
0x010b0598
0x00000000
0x010b059d
0x01054196
0x01054198
0x0105419d
0x0105419f
0x00000000
0x00000000
0x010541a1
0x00000000
0x01054151
0x01054151
0x01054151
0x00000000
0x01054151

Strings

Execute=1, xrefs: 010B057D
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 010B05AC
ExecuteOptions, xrefs: 010B050A
CLIENT(ntdll): Processing section info %ws..., xrefs: 010B05F1
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 010B04BF
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 010B058F
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010B0566

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: de6d94f96f34d2aadb744226b2f08a5308cf8c23afd2691ddb4a02b46c4c1892
Instruction ID: 7c23a9af5aa6cd2a69a570ee494af8715d908045a936cf62d5104f07aa1ddfa3
Opcode Fuzzy Hash: de6d94f96f34d2aadb744226b2f08a5308cf8c23afd2691ddb4a02b46c4c1892
Instruction Fuzzy Hash: 0B615D757402197AEF60DA95EC95FEB77BCBF68700F0400D9E985E7180FB709A808B64

Uniqueness

Uniqueness Score: -1.00%

Function 010577A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E010577A0(void* __ecx, void* __edx, intOrPtr _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t16;
				char _t17;
				char _t21;
				void* _t23;
				char _t28;
				intOrPtr* _t30;
				char _t32;
				intOrPtr _t34;
				void* _t37;
				intOrPtr _t39;
				char _t42;
				signed int _t49;
				signed int _t50;
				void* _t51;

				_t37 = __edx;
				_t50 = _t49 & 0xfffffff8;
				_push(__ecx);
				_t39 = _a4;
				_t30 = _t39 + 0x28;
				_t42 =  *_t30;
				if(_t42 < 0) {
					_t34 =  *[fs:0x18];
					__eflags =  *((intOrPtr*)(_t39 + 0x2c)) -  *((intOrPtr*)(_t34 + 0x24));
					if( *((intOrPtr*)(_t39 + 0x2c)) !=  *((intOrPtr*)(_t34 + 0x24))) {
						while(1) {
							L7:
							__eflags = _t42;
							if(_t42 >= 0) {
								goto L1;
							}
							__eflags = _a8;
							if(_a8 == 0) {
								L19:
								_t17 = 0;
								L3:
								return _t17;
							}
							_t18 =  *((intOrPtr*)(_t39 + 0x34));
							_t36 = _t39 + 0x1c;
							 *((intOrPtr*)(_t18 + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t39 + 0x34)) + 0x14)) + 1;
							asm("lock inc dword [ecx]");
							_t42 =  *_t30;
							__eflags = _t42;
							if(_t42 < 0) {
								L11:
								_t32 = 0;
								__eflags = 0;
								while(1) {
									asm("sbb esi, esi");
									_t47 =  !( ~( *(_t39 + 0x30) & 1)) & 0x011479c8;
									_push( !( ~( *(_t39 + 0x30) & 1)) & 0x011479c8);
									_push(0);
									_push( *((intOrPtr*)(_t39 + 0x18)));
									_t21 = E01099520();
									__eflags = _t21 - 0x102;
									if(_t21 != 0x102) {
										break;
									}
									_t23 = E0109CE00( *_t47,  *((intOrPtr*)(_t47 + 4)), 0xff676980, 0xffffffff);
									_push(_t37);
									_push(_t23);
									E010E5720(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t32);
									E010E5720(0x65, 0, "RTL: Resource at %p\n", _t39);
									_t51 = _t50 + 0x28;
									_t32 = _t32 + 1;
									__eflags = _t32 - 2;
									if(__eflags > 0) {
										_t36 = _t39;
										E010EFFB9(_t32, _t39, _t37, _t39, 0, __eflags);
									}
									_push("RTL: Re-Waiting\n");
									_push(0);
									_push(0x65);
									E010E5720();
									_t50 = _t51 + 0xc;
								}
								_t30 = _t39 + 0x28;
								__eflags = _t21;
								if(_t21 < 0) {
									L010ADF30(_t36, _t37, _t21);
									goto L19;
								}
								_t42 =  *_t30;
								continue;
							}
							_t28 = E010947E7(_t36);
							__eflags = _t28;
							if(_t28 != 0) {
								continue;
							}
							goto L11;
						}
						goto L1;
					}
					asm("lock dec dword [ebx]");
					L2:
					_t17 = 1;
					goto L3;
				}
				L1:
				_t16 = _t42;
				asm("lock cmpxchg [ebx], ecx");
				if(_t16 != _t42) {
					_t42 = _t16;
					goto L7;
				}
				goto L2;
			}

0x010577a0
0x010577a5
0x010577a8
0x010577ac
0x010577af
0x010577b2
0x010577b6
0x010577d4
0x010577de
0x010577e1
0x010b28f2
0x010b28f2
0x010b28f2
0x010b28f4
0x00000000
0x00000000
0x010b28fa
0x010b28fe
0x010b29ae
0x010b29ae
0x010577cb
0x010577d1
0x010577d1
0x010b2904
0x010b2907
0x010b290a
0x010b290d
0x010b2910
0x010b2912
0x010b2914
0x010b291f
0x010b291f
0x010b291f
0x010b2921
0x010b292b
0x010b292f
0x010b2935
0x010b2936
0x010b2938
0x010b293b
0x010b2940
0x010b2945
0x00000000
0x00000000
0x010b2953
0x010b2958
0x010b2959
0x010b2965
0x010b2973
0x010b2978
0x010b297b
0x010b297c
0x010b297f
0x010b2981
0x010b2983
0x010b2983
0x010b2988
0x010b298d
0x010b298e
0x010b2990
0x010b2995
0x010b2995
0x010b299a
0x010b299d
0x010b299f
0x010b29a9
0x00000000
0x010b29a9
0x010b29a1
0x00000000
0x010b29a1
0x010b2916
0x010b291b
0x010b291d
0x00000000
0x00000000
0x00000000
0x010b291d
0x00000000
0x010b28f2
0x010577e7
0x010577c9
0x010577c9
0x00000000
0x010577c9
0x010577b8
0x010577bb
0x010577bd
0x010577c3
0x010b28f0
0x00000000
0x010b28f0
0x00000000

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010B2953

Strings

RTL: Resource at %p, xrefs: 010B296B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 010B295B
RTL: Re-Waiting, xrefs: 010B2988

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d0e1943b57342dd4e5d8c4ab529400c080dbaaa46e0060c7b36fe1f7d00ac7b0
Instruction ID: fc4736050774966fb35c73e3865e2e71220ef2aa6782c61e02eeabac74f43d1f
Opcode Fuzzy Hash: d0e1943b57342dd4e5d8c4ab529400c080dbaaa46e0060c7b36fe1f7d00ac7b0
Instruction Fuzzy Hash: 1C314935A00626BBDB214A16CCC0E9B7BA8FF11B60F500258EDD86B641D711BC11D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01091CC7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01091CC7(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t91;
				intOrPtr _t95;
				short _t96;
				intOrPtr _t104;
				intOrPtr _t111;
				short _t119;
				signed int _t131;
				intOrPtr _t134;
				intOrPtr _t138;
				intOrPtr* _t144;
				intOrPtr* _t147;
				intOrPtr* _t149;
				void* _t151;

				_t139 = __edx;
				_push(0x154);
				_push(0x1130348);
				E010AD0E8(__ebx, __edi, __esi);
				 *(_t151 - 0xf0) = __edx;
				_t147 = __ecx;
				 *((intOrPtr*)(_t151 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t151 - 0xf8)) =  *((intOrPtr*)(_t151 + 8));
				 *((intOrPtr*)(_t151 - 0xe8)) =  *((intOrPtr*)(_t151 + 0xc));
				 *((intOrPtr*)(_t151 - 0xf4)) =  *((intOrPtr*)(_t151 + 0x10));
				 *((intOrPtr*)(_t151 - 0xe4)) = 0;
				 *((intOrPtr*)(_t151 - 0xdc)) = 0;
				 *((intOrPtr*)(_t151 - 0xd8)) = 0;
				 *(_t151 - 0xe0) = 0;
				 *((intOrPtr*)(_t151 - 0x140)) = 0x40;
				E0109FA60(_t151 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t151 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t151 - 0x160)) = 1;
				_t131 = 7;
				memset(_t151 - 0x15c, 0, _t131 << 2);
				_t144 =  *((intOrPtr*)(_t151 - 0xe8));
				_t91 = E01072430(1, _t147, 0,  *((intOrPtr*)(_t151 - 0xf8)), _t144,  *((intOrPtr*)(_t151 - 0xf4)), _t151 - 0xe0, 0, 0);
				_t148 = _t91;
				if(_t91 >= 0) {
					if( *0x1148460 != 0 && ( *(_t151 - 0xe0) & 0x00000001) == 0) {
						_t95 = E01072D50(7, 0, 2,  *((intOrPtr*)(_t151 - 0xfc)), _t151 - 0x140);
						_t148 = _t95;
						if(_t95 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t151 - 0x13c)) == 1) {
							if(( *(_t151 - 0x118) & 0x00000001) == 0) {
								if(( *(_t151 - 0x118) & 0x00000002) != 0) {
									 *(_t151 - 0x120) = 0xfffffffc;
								}
							} else {
								 *(_t151 - 0x120) =  *(_t151 - 0x120) & 0x00000000;
							}
							_t134 =  *((intOrPtr*)(_t151 - 0x114));
							_t96 =  *((intOrPtr*)(_t134 + 0x5c));
							 *((short*)(_t151 - 0xda)) = _t96;
							 *((short*)(_t151 - 0xdc)) = _t96;
							 *((intOrPtr*)(_t151 - 0xd8)) =  *((intOrPtr*)(_t134 + 0x60)) +  *((intOrPtr*)(_t151 - 0x110));
							 *((intOrPtr*)(_t151 - 0xe8)) = _t151 - 0xd0;
							 *((short*)(_t151 - 0xea)) = 0xaa;
							_t104 = E01064720(_t139,  *(_t151 - 0xf0) & 0x0000ffff, _t151 - 0xec, 2, 0);
							_t148 = _t104;
							if(_t104 < 0 || E01069660(_t151 - 0xdc, _t151 - 0xec, 1) == 0) {
								goto L1;
							} else {
								_t149 =  *0x1148460; // 0x7668ff90
								 *0x114b1e0( *(_t151 - 0x120),  *(_t151 - 0xf0), _t151 - 0xe4);
								_t148 =  *_t149();
								 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
								if(_t148 < 0) {
									goto L1;
								}
								_t111 =  *((intOrPtr*)(_t151 - 0xe4));
								if(_t111 == 0xffffffff) {
									L25:
									 *((intOrPtr*)(_t151 - 4)) = 1;
									_t144 =  *0x1148468;
									if(_t144 != 0) {
										 *0x114b1e0(_t111);
										 *_t144();
									}
									 *((intOrPtr*)(_t151 - 4)) = 0xfffffffe;
									goto L1;
								}
								E0106F540(_t151 - 0x164, _t111);
								 *((intOrPtr*)(_t151 - 4)) = 0;
								if( *((intOrPtr*)(_t144 + 4)) != 0) {
									L01072400(_t144);
								}
								_t145 =  *((intOrPtr*)(_t151 - 0xfc));
								_t148 = E01072430(0,  *((intOrPtr*)(_t151 - 0xfc)), 0,  *((intOrPtr*)(_t151 - 0xf8)), _t144,  *((intOrPtr*)(_t151 - 0xf4)), _t151 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
								if(_t148 < 0) {
									L24:
									 *((intOrPtr*)(_t151 - 4)) = 0xfffffffe;
									_t111 = E010CD704();
									goto L25;
								} else {
									_t148 = E01072D50(7, 0, 2, _t145, _t151 - 0x140);
									 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
									if(_t148 < 0) {
										goto L24;
									}
									if( *((intOrPtr*)(_t151 - 0x13c)) == 1) {
										_t138 =  *((intOrPtr*)(_t151 - 0x114));
										_t119 =  *((intOrPtr*)(_t138 + 0x5c));
										 *((short*)(_t151 - 0xda)) = _t119;
										 *((short*)(_t151 - 0xdc)) = _t119;
										 *((intOrPtr*)(_t151 - 0xd8)) =  *((intOrPtr*)(_t138 + 0x60)) +  *((intOrPtr*)(_t151 - 0x110));
										if(E01069660(_t151 - 0xdc, _t151 - 0xec, 1) == 0) {
											goto L24;
										}
										_t148 = 0xc0150004;
										L23:
										 *((intOrPtr*)(_t151 - 0xd4)) = _t148;
										goto L24;
									}
									_t148 = 0xc0150005;
									goto L23;
								}
							}
						}
						_t148 = 0xc0150005;
					}
				}
				L1:
				return E010AD130(1, _t144, _t148);
			}

0x01091cc7
0x01091cc7
0x01091ccc
0x01091cd1
0x01091cd6
0x01091cdc
0x01091cde
0x01091ce7
0x01091cf0
0x01091cf9
0x01091d01
0x01091d09
0x01091d0f
0x01091d15
0x01091d1b
0x01091d2f
0x01091d37
0x01091d44
0x01091d4c
0x01091d55
0x01091d68
0x01091d78
0x01091d7d
0x01091d81
0x010cd4e3
0x010cd509
0x010cd50e
0x010cd512
0x00000000
0x00000000
0x010cd51e
0x010cd531
0x010cd543
0x010cd545
0x010cd545
0x010cd533
0x010cd533
0x010cd533
0x010cd54f
0x010cd555
0x010cd559
0x010cd560
0x010cd570
0x010cd57c
0x010cd587
0x010cd5a3
0x010cd5a8
0x010cd5ac
0x00000000
0x010cd5ce
0x010cd5e1
0x010cd5e9
0x010cd5f1
0x010cd5f3
0x010cd5fb
0x00000000
0x00000000
0x010cd601
0x010cd60a
0x010cd6e1
0x010cd6e1
0x010cd6e4
0x010cd6ec
0x010cd6f1
0x010cd6f7
0x010cd6f7
0x010cd730
0x00000000
0x010cd730
0x010cd618
0x010cd61f
0x010cd625
0x010cd628
0x010cd628
0x010cd644
0x010cd651
0x010cd653
0x010cd65b
0x010cd6d5
0x010cd6d5
0x010cd6dc
0x00000000
0x010cd65d
0x010cd670
0x010cd672
0x010cd67a
0x00000000
0x00000000
0x010cd682
0x010cd68b
0x010cd691
0x010cd695
0x010cd69c
0x010cd6ac
0x010cd6c8
0x00000000
0x00000000
0x010cd6ca
0x010cd6cf
0x010cd6cf
0x00000000
0x010cd6cf
0x010cd684
0x00000000
0x010cd684
0x010cd65b
0x010cd5ac
0x010cd520
0x010cd520
0x010cd4e3
0x01091d87
0x01091d8e

Strings

@, xrefs: 01091D1B
$, xrefs: 01091D37

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 819fd6a4da02d916357f8d151e45bfd9f624e53c0b5fc310b71b3cdeda2b44e3
Instruction ID: 95d57ca5df710677442dc2a99a14401cf057877113486422ca6d7f1ab7678de1
Opcode Fuzzy Hash: 819fd6a4da02d916357f8d151e45bfd9f624e53c0b5fc310b71b3cdeda2b44e3
Instruction Fuzzy Hash: A3813B71D0026A9BDB35DF94CC44BEEBAB8AF08714F0441EAAA5DB7240D7705E85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010EFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E010EFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0109CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E010E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E010E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x010efdda
0x010efde2
0x010efde5
0x010efdec
0x010efdfa
0x010efdff
0x010efe0a
0x010efe0f
0x010efe17
0x010efe1e
0x010efe19
0x010efe19
0x010efe19
0x010efe20
0x010efe21
0x010efe22
0x010efe25
0x010efe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010EFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010EFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010EFE2B

Memory Dump Source

Source File: 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1030000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 28695da2e791578d6929f8c86363c5c13691b093ae02a62cc1f2702e5c9797ff
Instruction ID: 5f6342129ae9bd37123a1a5dfd511321daad1073cd88da7315abe03ef40c334b
Opcode Fuzzy Hash: 28695da2e791578d6929f8c86363c5c13691b093ae02a62cc1f2702e5c9797ff
Instruction Fuzzy Hash: 3FF0FC76640102BFE6201A46DC05F637F9AEB44730F140314F694561E1D962F83096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\owFIYUUG.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwzfto0e.i5p.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwi5re21.2w2.psm1

C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp

C:\Users\user\AppData\Local\Temp\tmpE80B.tmp

C:\Users\user\AppData\Roaming\owFIYUUG.exe

C:\Users\user\AppData\Roaming\owFIYUUG.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe