Edit tour

Windows Analysis Report
gsPzUI8EV8RoSMt.exe

Overview

General Information

Sample Name:	gsPzUI8EV8RoSMt.exe
Analysis ID:	830457
MD5:	bf7689cacf1c7ec05684d27628538b3d
SHA1:	9186ece8e710a0d849834538b711fe90cb830c71
SHA256:	85b572a6060bf6d434ab978aa1447096c11f84bcd329d71364de8daf261a4660
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

gsPzUI8EV8RoSMt.exe (PID: 5480 cmdline: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe MD5: BF7689CACF1C7EC05684D27628538B3D)

gsPzUI8EV8RoSMt.exe (PID: 5636 cmdline: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe MD5: BF7689CACF1C7EC05684D27628538B3D)

explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

colorcpl.exe (PID: 5808 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)

cmd.exe (PID: 5916 cmdline: /c del "C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.pickleontop.net/us38/"], "decoy": ["jimsminitours.com", "ezdineros.com", "imtokonapp.art", "54gsyekcpc.one", "triplemcatering.africa", "ntiled.net", "iniyan.click", "cyproducers.com", "instantrule.com", "visefastener.net", "lightscript.ru", "dyshuju.top", "jifenzhigl.com", "himselvepostly.xyz", "jggfj.com", "jbjiif.cfd", "gumpisbuel.ch", "gddeming.com", "huntergatherer.store", "kitchenremodelingtoday.com", "endssheiproduct.com", "installsolar.africa", "flexclark.com", "zerooverhead.net", "mymof.uk", "customgiveawaysplus.com", "qdtlmj.com", "beyouinvestnow.com", "dongyuesm.com", "bameit.xyz", "bhukroofingandbuilding.co.uk", "loxnorth.com", "calihon.com", "algeeml.com", "shedmastersukltd.co.uk", "cuidadores24h.com", "kinogo-cc.online", "onlinextools.net", "codshipin.com", "driver-response.com", "kaydrop.ru", "426664.space", "efefcorn.buzz", "artificial-grass-61758.com", "myhotplug.africa", "earlytechnews.com", "argana-bremen.com", "122874.com", "laposadaapts.com", "91ye260.xyz", "freewriter.online", "jainrishta.com", "jumptaskks.com", "cafeverde.xyz", "xppenetwork.net", "kcam-phnompenhcredit.com", "assinieconcept.com", "3651233.com", "homebodymindco.com", "andara88.info", "greatlakesyouth.com", "fatherlandistanbul.com", "sc-orikomi.com", "fx.foundation"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2abfc1:$a1: 3C 30 50 4F 53 54 74 09 40 0x2c2930:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2b073f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2bb627:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2af678:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2af8f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2bb425:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2baf11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2bb527:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2bb69f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2b030a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2ba18c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2b1003:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2c1697:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2c269a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2be5b9:$sqlite3step: 68 34 1C 7B E1 0x2be6cc:$sqlite3step: 68 34 1C 7B E1 0x2be5e8:$sqlite3text: 68 38 2A 90 C5 0x2be70d:$sqlite3text: 68 38 2A 90 C5 0x2be5fb:$sqlite3blob: 68 53 D8 7F 8C 0x2be723:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x70441:$a1: 3C 30 50 4F 53 54 74 09 40 0x9e861:$a1: 3C 30 50 4F 53 54 74 09 40 0x86db0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb51d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x74bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa2fdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x7faa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xadec7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x73af8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x73d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa1f18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa2192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7f8a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xadcc5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7f391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xad7b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7f9a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xaddc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7fb1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadf3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7478a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa2baa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x7e60c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xaca2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x75483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa38a3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x85b17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb3f37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x86b1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x82a39:$sqlite3step: 68 34 1C 7B E1 0x82b4c:$sqlite3step: 68 34 1C 7B E1 0xb0e59:$sqlite3step: 68 34 1C 7B E1 0xb0f6c:$sqlite3step: 68 34 1C 7B E1 0x82a68:$sqlite3text: 68 38 2A 90 C5 0x82b8d:$sqlite3text: 68 38 2A 90 C5 0xb0e88:$sqlite3text: 68 38 2A 90 C5 0xb0fad:$sqlite3text: 68 38 2A 90 C5 0x82a7b:$sqlite3blob: 68 53 D8 7F 8C 0x82ba3:$sqlite3blob: 68 53 D8 7F 8C 0xb0e9b:$sqlite3blob: 68 53 D8 7F 8C 0xb0fc3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.593835130.0000000007475000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xaa2:$a2: pass 0xaa8:$a3: email 0xaaf:$a4: login 0xab6:$a5: signin 0xac7:$a6: persistent 0xc9a:$r1: C:\Users\user\AppData\Roaming\N51PQ6D4\N51log.ini
00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: gsPzUI8EV8RoSMt.exe PID: 5480	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xb81b2:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: gsPzUI8EV8RoSMt.exe PID: 5636	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x161:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: colorcpl.exe PID: 5808	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2558:$a1: 3C 30 50 4F 53 54 74 09 40 0x18817d:$a1: 3C 30 50 4F 53 54 74 09 40 0x189765:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6f671:$a1: 3C 30 50 4F 53 54 74 09 40 0x9da91:$a1: 3C 30 50 4F 53 54 74 09 40 0x85fe0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb4400:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x73def:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa220f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x7ecd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xad0f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x72d28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x72fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa1148:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa13c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ead5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xacef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7e5c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xac9e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x7ebd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xacff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7ed4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xad16f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x739ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa1dda:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x7d83c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xabc5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x746b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa2ad3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x84d47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb3167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x85d4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x81c69:$sqlite3step: 68 34 1C 7B E1 0x81d7c:$sqlite3step: 68 34 1C 7B E1 0xb0089:$sqlite3step: 68 34 1C 7B E1 0xb019c:$sqlite3step: 68 34 1C 7B E1 0x81c98:$sqlite3text: 68 38 2A 90 C5 0x81dbd:$sqlite3text: 68 38 2A 90 C5 0xb00b8:$sqlite3text: 68 38 2A 90 C5 0xb01dd:$sqlite3text: 68 38 2A 90 C5 0x81cab:$sqlite3blob: 68 53 D8 7F 8C 0x81dd3:$sqlite3blob: 68 53 D8 7F 8C 0xb00cb:$sqlite3blob: 68 53 D8 7F 8C 0xb01f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x147291:$a1: 3C 30 50 4F 53 54 74 09 40 0x15dc00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x14ba0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1568f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x14a948:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14abc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1566f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1561e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1567f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15696f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x14b5da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15545c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x14c2d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x15c967:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x15d96a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x159889:$sqlite3step: 68 34 1C 7B E1 0x15999c:$sqlite3step: 68 34 1C 7B E1 0x1598b8:$sqlite3text: 68 38 2A 90 C5 0x1599dd:$sqlite3text: 68 38 2A 90 C5 0x1598cb:$sqlite3blob: 68 53 D8 7F 8C 0x1599f3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: gsPzUI8EV8RoSMt.exe	ReversingLabs: Detection: 25%
Source: gsPzUI8EV8RoSMt.exe	Virustotal: Detection: 37%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.ntiled.net/us38/	Avira URL Cloud: Label: malware
Source: http://www.qdtlmj.com/us38/?7n=ZVfFkidWioZ1z242CMU5NErFVagRqFscjwTZw32dpH9T5nOFHAt7D4fNn/kr4Wxh+xCU&5jJX=q8td9Nm	Avira URL Cloud: Label: malware
Source: http://www.codshipin.com/us38/	Avira URL Cloud: Label: malware
Source: http://www.customgiveawaysplus.com/us38/	Avira URL Cloud: Label: malware
Source: http://www.fatherlandistanbul.com/us38/www.customgiveawaysplus.com	Avira URL Cloud: Label: malware
Source: http://www.jggfj.com/us38/www.efefcorn.buzz	Avira URL Cloud: Label: malware
Source: http://www.91ye260.xyz/us38/	Avira URL Cloud: Label: malware
Source: http://www.91ye260.xyz/us38/www.fatherlandistanbul.com	Avira URL Cloud: Label: malware
Source: http://www.jggfj.com/us38/	Avira URL Cloud: Label: malware
Source: http://www.qdtlmj.com/us38/	Avira URL Cloud: Label: malware
Source: http://www.huntergatherer.store/us38/	Avira URL Cloud: Label: malware
Source: http://www.huntergatherer.store/us38/www.pickleontop.net	Avira URL Cloud: Label: malware
Source: http://www.qdtlmj.com/us38/www.lightscript.ru	Avira URL Cloud: Label: malware
Source: http://www.artificial-grass-61758.com/us38/	Avira URL Cloud: Label: malware
Source: http://www.efefcorn.buzz/us38/	Avira URL Cloud: Label: malware
Source: http://www.lightscript.ru/us38/	Avira URL Cloud: Label: malware
Source: http://www.codshipin.com/us38/www.bhukroofingandbuilding.co.uk	Avira URL Cloud: Label: malware
Source: http://www.efefcorn.buzz/us38/www.huntergatherer.store	Avira URL Cloud: Label: malware
Source: http://www.ntiled.net/us38/www.artificial-grass-61758.com	Avira URL Cloud: Label: malware
Source: http://www.fatherlandistanbul.com/us38/	Avira URL Cloud: Label: malware
Source: http://www.lightscript.ru/us38/www.ntiled.net	Avira URL Cloud: Label: malware
Source: http://www.mymof.uk/us38/	Avira URL Cloud: Label: malware
Source: http://www.customgiveawaysplus.com/us38/www.codshipin.com	Avira URL Cloud: Label: malware
Source: http://www.artificial-grass-61758.com/us38/www.loxnorth.com	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: gsPzUI8EV8RoSMt.exe

Joe Sandbox ML: detected

Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.pickleontop.net/us38/"], "decoy": ["jimsminitours.com", "ezdineros.com", "imtokonapp.art", "54gsyekcpc.one", "triplemcatering.africa", "ntiled.net", "iniyan.click", "cyproducers.com", "instantrule.com", "visefastener.net", "lightscript.ru", "dyshuju.top", "jifenzhigl.com", "himselvepostly.xyz", "jggfj.com", "jbjiif.cfd", "gumpisbuel.ch", "gddeming.com", "huntergatherer.store", "kitchenremodelingtoday.com", "endssheiproduct.com", "installsolar.africa", "flexclark.com", "zerooverhead.net", "mymof.uk", "customgiveawaysplus.com", "qdtlmj.com", "beyouinvestnow.com", "dongyuesm.com", "bameit.xyz", "bhukroofingandbuilding.co.uk", "loxnorth.com", "calihon.com", "algeeml.com", "shedmastersukltd.co.uk", "cuidadores24h.com", "kinogo-cc.online", "onlinextools.net", "codshipin.com", "driver-response.com", "kaydrop.ru", "426664.space", "efefcorn.buzz", "artificial-grass-61758.com", "myhotplug.africa", "earlytechnews.com", "argana-bremen.com", "122874.com", "laposadaapts.com", "91ye260.xyz", "freewriter.online", "jainrishta.com", "jumptaskks.com", "cafeverde.xyz", "xppenetwork.net", "kcam-phnompenhcredit.com", "assinieconcept.com", "3651233.com", "homebodymindco.com", "andara88.info", "greatlakesyouth.com", "fatherlandistanbul.com", "sc-orikomi.com", "fx.foundation"]}

Source: gsPzUI8EV8RoSMt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gsPzUI8EV8RoSMt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: gsPzUI8EV8RoSMt.exe, 00000001.00000002.418940890.0000000001E20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: Roic.pdbSHA256 source: gsPzUI8EV8RoSMt.exe
Source:	Binary string: colorcpl.pdb source: gsPzUI8EV8RoSMt.exe, 00000001.00000002.418940890.0000000001E20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: gsPzUI8EV8RoSMt.exe, 00000001.00000003.368312531.0000000001801000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000003.364658614.000000000166B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.414988735.00000000040B8000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.000000000450F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.00000000043F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.417695049.0000000004254000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gsPzUI8EV8RoSMt.exe, gsPzUI8EV8RoSMt.exe, 00000001.00000003.368312531.0000000001801000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000003.364658614.000000000166B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.414988735.00000000040B8000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.000000000450F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.00000000043F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.417695049.0000000004254000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Roic.pdb source: gsPzUI8EV8RoSMt.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 194.50.194.150 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.qdtlmj.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.pickleontop.net/us38/

Source: Joe Sandbox View

ASN Name: QUICKPACKETUS QUICKPACKETUS

Source: global traffic

HTTP traffic detected: GET /us38/?7n=ZVfFkidWioZ1z242CMU5NErFVagRqFscjwTZw32dpH9T5nOFHAt7D4fNn/kr4Wxh+xCU&5jJX=q8td9Nm HTTP/1.1Host: www.qdtlmj.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000002.601106968.000000001593F000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000002.585071927.0000000004E0F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.91ye260.xyz
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.91ye260.xyz/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.91ye260.xyz/us38/www.fatherlandistanbul.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.91ye260.xyzReferer:
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artificial-grass-61758.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artificial-grass-61758.com/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artificial-grass-61758.com/us38/www.loxnorth.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.artificial-grass-61758.comReferer:
Source: explorer.exe, 00000002.00000002.598775114.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.583649197.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.371135857.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bameit.xyz
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bameit.xyz/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bameit.xyz/us38/www.qdtlmj.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bameit.xyzReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bhukroofingandbuilding.co.uk
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bhukroofingandbuilding.co.uk/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bhukroofingandbuilding.co.uk/us38/www.mymof.uk
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bhukroofingandbuilding.co.ukReferer:
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codshipin.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codshipin.com/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codshipin.com/us38/www.bhukroofingandbuilding.co.uk
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.codshipin.comReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.customgiveawaysplus.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.customgiveawaysplus.com/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.customgiveawaysplus.com/us38/www.codshipin.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.customgiveawaysplus.comReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efefcorn.buzz
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efefcorn.buzz/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efefcorn.buzz/us38/www.huntergatherer.store
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.efefcorn.buzzReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fatherlandistanbul.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fatherlandistanbul.com/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fatherlandistanbul.com/us38/www.customgiveawaysplus.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fatherlandistanbul.comReferer:
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgreta(
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commto
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000003.326136171.0000000006542000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000003.325971120.0000000006542000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000003.326349789.0000000006542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.huntergatherer.store
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.huntergatherer.store/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.huntergatherer.store/us38/www.pickleontop.net
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.huntergatherer.storeReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jggfj.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jggfj.com/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jggfj.com/us38/www.efefcorn.buzz
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jggfj.comReferer:
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lightscript.ru
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lightscript.ru/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lightscript.ru/us38/www.ntiled.net
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lightscript.ruReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loxnorth.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loxnorth.com/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loxnorth.com/us38/www.jggfj.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loxnorth.comReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mymof.uk
Source: explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mymof.uk/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mymof.ukReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ntiled.net
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ntiled.net/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ntiled.net/us38/www.artificial-grass-61758.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ntiled.netReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pickleontop.net
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pickleontop.net/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pickleontop.net/us38/www.91ye260.xyz
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pickleontop.netReferer:
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdtlmj.com
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdtlmj.com/us38/
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdtlmj.com/us38/www.lightscript.ru
Source: explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qdtlmj.comReferer:
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000003.326496029.0000000006535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000003.326991378.000000000653A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000002.00000002.601106968.000000001593F000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000002.585071927.0000000004E0F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: unknown

DNS traffic detected: queries for: www.qdtlmj.com

Source: global traffic

Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.370638921.0000000001640000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.593835130.0000000007475000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: gsPzUI8EV8RoSMt.exe PID: 5480, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: gsPzUI8EV8RoSMt.exe PID: 5636, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 5808, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: gsPzUI8EV8RoSMt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.593835130.0000000007475000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: gsPzUI8EV8RoSMt.exe PID: 5480, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: gsPzUI8EV8RoSMt.exe PID: 5636, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 5808, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 0_2_0158C1E4	0_2_0158C1E4
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 0_2_0158E630	0_2_0158E630
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 0_2_0158E620	0_2_0158E620
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041D9A6	1_2_0041D9A6
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041DB5E	1_2_0041DB5E
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041ED56	1_2_0041ED56
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041E560	1_2_0041E560
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041D5A3	1_2_0041D5A3
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_00409E5B	1_2_00409E5B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_00409E60	1_2_00409E60
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041EF85	1_2_0041EF85
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CF900	1_2_019CF900
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E4120	1_2_019E4120
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A920A8	1_2_01A920A8
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DB090	1_2_019DB090
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F20A0	1_2_019F20A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A928EC	1_2_01A928EC
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81002	1_2_01A81002
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FEBB0	1_2_019FEBB0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8DBD2	1_2_01A8DBD2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A92B28	1_2_01A92B28
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A922AE	1_2_01A922AE
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2581	1_2_019F2581
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A925DD	1_2_01A925DD
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DD5E0	1_2_019DD5E0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A92D07	1_2_01A92D07
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C0D20	1_2_019C0D20
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A91D55	1_2_01A91D55
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D841F	1_2_019D841F
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8D466	1_2_01A8D466
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A91FF1	1_2_01A91FF1
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A92EF7	1_2_01A92EF7
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E6E30	1_2_019E6E30
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8D616	1_2_01A8D616

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Code function: String function: 019CB150 appears 35 times

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041A360 NtCreateFile,	1_2_0041A360
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041A410 NtReadFile,	1_2_0041A410
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041A490 NtClose,	1_2_0041A490
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041A540 NtAllocateVirtualMemory,	1_2_0041A540
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A099A0 NtCreateSection,LdrInitializeThunk,	1_2_01A099A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01A09910
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A098F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_01A098F0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01A09860
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09840 NtDelayExecution,LdrInitializeThunk,	1_2_01A09840
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09A20 NtResumeThread,LdrInitializeThunk,	1_2_01A09A20
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01A09A00
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09A50 NtCreateFile,LdrInitializeThunk,	1_2_01A09A50
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A095D0 NtClose,LdrInitializeThunk,	1_2_01A095D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09540 NtReadFile,LdrInitializeThunk,	1_2_01A09540
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A097A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_01A097A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01A09780
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01A09710
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A096E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_01A096E0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01A09660
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A099D0 NtCreateProcessEx,	1_2_01A099D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09950 NtQueueApcThread,	1_2_01A09950
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A098A0 NtWriteVirtualMemory,	1_2_01A098A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09820 NtEnumerateKey,	1_2_01A09820
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A0B040 NtSuspendThread,	1_2_01A0B040
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A0A3B0 NtGetContextThread,	1_2_01A0A3B0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09B00 NtSetValueKey,	1_2_01A09B00
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09A80 NtOpenDirectoryObject,	1_2_01A09A80
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09A10 NtQuerySection,	1_2_01A09A10
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A095F0 NtQueryInformationFile,	1_2_01A095F0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09520 NtWaitForSingleObject,	1_2_01A09520
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A0AD30 NtSetContextThread,	1_2_01A0AD30
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09560 NtWriteFile,	1_2_01A09560
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09FE0 NtCreateMutant,	1_2_01A09FE0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09730 NtQueryVirtualMemory,	1_2_01A09730
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A0A710 NtOpenProcessToken,	1_2_01A0A710
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09760 NtOpenProcess,	1_2_01A09760
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09770 NtSetInformationFile,	1_2_01A09770
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A0A770 NtOpenThread,	1_2_01A0A770
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A096D0 NtCreateKey,	1_2_01A096D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09610 NtEnumerateValueKey,	1_2_01A09610
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09670 NtQueryInformationProcess,	1_2_01A09670
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A09650 NtQueryValueKey,	1_2_01A09650

Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.386569301.0000000007C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll, vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.370638921.0000000001640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.371799937.00000000032DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll, vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000000.317702199.0000000000F22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRoic.exe, vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.377424838.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOutimurs.dll2 vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000000.00000002.386694845.0000000007F80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOutimurs.dll2 vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000001.00000002.415316568.0000000001ABF000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000001.00000002.418940890.0000000001E23000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe, 00000001.00000003.368312531.0000000001920000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gsPzUI8EV8RoSMt.exe
Source: gsPzUI8EV8RoSMt.exe	Binary or memory string: OriginalFilenameRoic.exe, vs gsPzUI8EV8RoSMt.exe

Source: gsPzUI8EV8RoSMt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gsPzUI8EV8RoSMt.exe	ReversingLabs: Detection: 25%
Source: gsPzUI8EV8RoSMt.exe	Virustotal: Detection: 37%

Source: gsPzUI8EV8RoSMt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process created: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process created: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gsPzUI8EV8RoSMt.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/2@1/1

Source: gsPzUI8EV8RoSMt.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Mutant created: \Sessions\1\BaseNamedObjects\wDSnDrJLGdl
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: gsPzUI8EV8RoSMt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gsPzUI8EV8RoSMt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: gsPzUI8EV8RoSMt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: colorcpl.pdbGCTL source: gsPzUI8EV8RoSMt.exe, 00000001.00000002.418940890.0000000001E20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: Roic.pdbSHA256 source: gsPzUI8EV8RoSMt.exe
Source:	Binary string: colorcpl.pdb source: gsPzUI8EV8RoSMt.exe, 00000001.00000002.418940890.0000000001E20000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: gsPzUI8EV8RoSMt.exe, 00000001.00000003.368312531.0000000001801000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000003.364658614.000000000166B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.414988735.00000000040B8000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.000000000450F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.00000000043F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.417695049.0000000004254000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gsPzUI8EV8RoSMt.exe, gsPzUI8EV8RoSMt.exe, 00000001.00000003.368312531.0000000001801000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000001.00000003.364658614.000000000166B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.414988735.00000000040B8000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.000000000450F000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000002.584278555.00000000043F0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000003.00000003.417695049.0000000004254000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Roic.pdb source: gsPzUI8EV8RoSMt.exe

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_00417058 push 0271A60Ah; ret	1_2_0041705D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_004178A4 push es; ret	1_2_004178A5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_004179E9 push ds; retf	1_2_004179EE
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_00417256 push edi; ret	1_2_00417263
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041D4B5 push eax; ret	1_2_0041D508
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041656D push eax; ret	1_2_0041656E
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041D56C push eax; ret	1_2_0041D572
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041D502 push eax; ret	1_2_0041D508
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0041D50B push eax; ret	1_2_0041D572
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_0040EDB9 push edx; ret	1_2_0040EDBA
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A1D0D1 push ecx; ret	1_2_01A1D0E4

Source: gsPzUI8EV8RoSMt.exe

Static PE information: 0x8880963D [Mon Jul 28 02:47:25 2042 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.890438054015532

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x88 0x8E 0xE6

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000002569904 second address: 000000000256990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000002569B7E second address: 0000000002569B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe TID: 5484	Thread sleep time: -40023s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe TID: 5500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6024	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Code function: 1_2_00409AB0 rdtsc

1_2_00409AB0

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 873			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 871			Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

API coverage: 8.8 %

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Thread delayed: delay time: 40023			Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000002.00000002.594583330.0000000008645000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000003.536145955.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000002.00000003.536145955.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.375339212.00000000043B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000003.533805235.000000000F043000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.600151764.000000000F046000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000003.536145955.00000000086E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000002.594583330.0000000008645000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Code function: 1_2_00409AB0 rdtsc

1_2_00409AB0

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A469A6 mov eax, dword ptr fs:[00000030h]	1_2_01A469A6
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2990 mov eax, dword ptr fs:[00000030h]	1_2_019F2990
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FA185 mov eax, dword ptr fs:[00000030h]	1_2_019FA185
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A451BE mov eax, dword ptr fs:[00000030h]	1_2_01A451BE
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A451BE mov eax, dword ptr fs:[00000030h]	1_2_01A451BE
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A451BE mov eax, dword ptr fs:[00000030h]	1_2_01A451BE
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A451BE mov eax, dword ptr fs:[00000030h]	1_2_01A451BE
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EC182 mov eax, dword ptr fs:[00000030h]	1_2_019EC182
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F61A0 mov eax, dword ptr fs:[00000030h]	1_2_019F61A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F61A0 mov eax, dword ptr fs:[00000030h]	1_2_019F61A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A541E8 mov eax, dword ptr fs:[00000030h]	1_2_01A541E8
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CB1E1 mov eax, dword ptr fs:[00000030h]	1_2_019CB1E1
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CB1E1 mov eax, dword ptr fs:[00000030h]	1_2_019CB1E1
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CB1E1 mov eax, dword ptr fs:[00000030h]	1_2_019CB1E1
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9100 mov eax, dword ptr fs:[00000030h]	1_2_019C9100
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9100 mov eax, dword ptr fs:[00000030h]	1_2_019C9100
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9100 mov eax, dword ptr fs:[00000030h]	1_2_019C9100
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F513A mov eax, dword ptr fs:[00000030h]	1_2_019F513A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F513A mov eax, dword ptr fs:[00000030h]	1_2_019F513A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E4120 mov eax, dword ptr fs:[00000030h]	1_2_019E4120
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E4120 mov eax, dword ptr fs:[00000030h]	1_2_019E4120
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E4120 mov eax, dword ptr fs:[00000030h]	1_2_019E4120
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E4120 mov eax, dword ptr fs:[00000030h]	1_2_019E4120
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E4120 mov ecx, dword ptr fs:[00000030h]	1_2_019E4120
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EB944 mov eax, dword ptr fs:[00000030h]	1_2_019EB944
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EB944 mov eax, dword ptr fs:[00000030h]	1_2_019EB944
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CB171 mov eax, dword ptr fs:[00000030h]	1_2_019CB171
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CB171 mov eax, dword ptr fs:[00000030h]	1_2_019CB171
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CC962 mov eax, dword ptr fs:[00000030h]	1_2_019CC962
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A090AF mov eax, dword ptr fs:[00000030h]	1_2_01A090AF
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9080 mov eax, dword ptr fs:[00000030h]	1_2_019C9080
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FF0BF mov ecx, dword ptr fs:[00000030h]	1_2_019FF0BF
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FF0BF mov eax, dword ptr fs:[00000030h]	1_2_019FF0BF
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FF0BF mov eax, dword ptr fs:[00000030h]	1_2_019FF0BF
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A43884 mov eax, dword ptr fs:[00000030h]	1_2_01A43884
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A43884 mov eax, dword ptr fs:[00000030h]	1_2_01A43884
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F20A0 mov eax, dword ptr fs:[00000030h]	1_2_019F20A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F20A0 mov eax, dword ptr fs:[00000030h]	1_2_019F20A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F20A0 mov eax, dword ptr fs:[00000030h]	1_2_019F20A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F20A0 mov eax, dword ptr fs:[00000030h]	1_2_019F20A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F20A0 mov eax, dword ptr fs:[00000030h]	1_2_019F20A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F20A0 mov eax, dword ptr fs:[00000030h]	1_2_019F20A0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C58EC mov eax, dword ptr fs:[00000030h]	1_2_019C58EC
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A5B8D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5B8D0 mov ecx, dword ptr fs:[00000030h]	1_2_01A5B8D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A5B8D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A5B8D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A5B8D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A5B8D0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A47016 mov eax, dword ptr fs:[00000030h]	1_2_01A47016
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A47016 mov eax, dword ptr fs:[00000030h]	1_2_01A47016
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A47016 mov eax, dword ptr fs:[00000030h]	1_2_01A47016
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F002D mov eax, dword ptr fs:[00000030h]	1_2_019F002D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F002D mov eax, dword ptr fs:[00000030h]	1_2_019F002D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F002D mov eax, dword ptr fs:[00000030h]	1_2_019F002D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F002D mov eax, dword ptr fs:[00000030h]	1_2_019F002D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F002D mov eax, dword ptr fs:[00000030h]	1_2_019F002D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DB02A mov eax, dword ptr fs:[00000030h]	1_2_019DB02A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DB02A mov eax, dword ptr fs:[00000030h]	1_2_019DB02A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DB02A mov eax, dword ptr fs:[00000030h]	1_2_019DB02A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DB02A mov eax, dword ptr fs:[00000030h]	1_2_019DB02A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A94015 mov eax, dword ptr fs:[00000030h]	1_2_01A94015
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A94015 mov eax, dword ptr fs:[00000030h]	1_2_01A94015
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E0050 mov eax, dword ptr fs:[00000030h]	1_2_019E0050
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E0050 mov eax, dword ptr fs:[00000030h]	1_2_019E0050
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A82073 mov eax, dword ptr fs:[00000030h]	1_2_01A82073
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A91074 mov eax, dword ptr fs:[00000030h]	1_2_01A91074
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2397 mov eax, dword ptr fs:[00000030h]	1_2_019F2397
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A95BA5 mov eax, dword ptr fs:[00000030h]	1_2_01A95BA5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FB390 mov eax, dword ptr fs:[00000030h]	1_2_019FB390
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D1B8F mov eax, dword ptr fs:[00000030h]	1_2_019D1B8F
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D1B8F mov eax, dword ptr fs:[00000030h]	1_2_019D1B8F
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8138A mov eax, dword ptr fs:[00000030h]	1_2_01A8138A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A7D380 mov ecx, dword ptr fs:[00000030h]	1_2_01A7D380
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F4BAD mov eax, dword ptr fs:[00000030h]	1_2_019F4BAD
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F4BAD mov eax, dword ptr fs:[00000030h]	1_2_019F4BAD
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F4BAD mov eax, dword ptr fs:[00000030h]	1_2_019F4BAD
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A453CA mov eax, dword ptr fs:[00000030h]	1_2_01A453CA
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A453CA mov eax, dword ptr fs:[00000030h]	1_2_01A453CA
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EDBE9 mov eax, dword ptr fs:[00000030h]	1_2_019EDBE9
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F03E2 mov eax, dword ptr fs:[00000030h]	1_2_019F03E2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F03E2 mov eax, dword ptr fs:[00000030h]	1_2_019F03E2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F03E2 mov eax, dword ptr fs:[00000030h]	1_2_019F03E2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F03E2 mov eax, dword ptr fs:[00000030h]	1_2_019F03E2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F03E2 mov eax, dword ptr fs:[00000030h]	1_2_019F03E2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F03E2 mov eax, dword ptr fs:[00000030h]	1_2_019F03E2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8131B mov eax, dword ptr fs:[00000030h]	1_2_01A8131B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CF358 mov eax, dword ptr fs:[00000030h]	1_2_019CF358
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CDB40 mov eax, dword ptr fs:[00000030h]	1_2_019CDB40
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F3B7A mov eax, dword ptr fs:[00000030h]	1_2_019F3B7A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F3B7A mov eax, dword ptr fs:[00000030h]	1_2_019F3B7A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A98B58 mov eax, dword ptr fs:[00000030h]	1_2_01A98B58
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CDB60 mov ecx, dword ptr fs:[00000030h]	1_2_019CDB60
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FD294 mov eax, dword ptr fs:[00000030h]	1_2_019FD294
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FD294 mov eax, dword ptr fs:[00000030h]	1_2_019FD294
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DAAB0 mov eax, dword ptr fs:[00000030h]	1_2_019DAAB0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DAAB0 mov eax, dword ptr fs:[00000030h]	1_2_019DAAB0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FFAB0 mov eax, dword ptr fs:[00000030h]	1_2_019FFAB0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C52A5 mov eax, dword ptr fs:[00000030h]	1_2_019C52A5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C52A5 mov eax, dword ptr fs:[00000030h]	1_2_019C52A5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C52A5 mov eax, dword ptr fs:[00000030h]	1_2_019C52A5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C52A5 mov eax, dword ptr fs:[00000030h]	1_2_019C52A5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C52A5 mov eax, dword ptr fs:[00000030h]	1_2_019C52A5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2ACB mov eax, dword ptr fs:[00000030h]	1_2_019F2ACB
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2AE4 mov eax, dword ptr fs:[00000030h]	1_2_019F2AE4
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E3A1C mov eax, dword ptr fs:[00000030h]	1_2_019E3A1C
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CAA16 mov eax, dword ptr fs:[00000030h]	1_2_019CAA16
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CAA16 mov eax, dword ptr fs:[00000030h]	1_2_019CAA16
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A04A2C mov eax, dword ptr fs:[00000030h]	1_2_01A04A2C
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A04A2C mov eax, dword ptr fs:[00000030h]	1_2_01A04A2C
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C5210 mov eax, dword ptr fs:[00000030h]	1_2_019C5210
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C5210 mov ecx, dword ptr fs:[00000030h]	1_2_019C5210
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C5210 mov eax, dword ptr fs:[00000030h]	1_2_019C5210
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C5210 mov eax, dword ptr fs:[00000030h]	1_2_019C5210
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D8A0A mov eax, dword ptr fs:[00000030h]	1_2_019D8A0A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8AA16 mov eax, dword ptr fs:[00000030h]	1_2_01A8AA16
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8AA16 mov eax, dword ptr fs:[00000030h]	1_2_01A8AA16
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A7B260 mov eax, dword ptr fs:[00000030h]	1_2_01A7B260
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A7B260 mov eax, dword ptr fs:[00000030h]	1_2_01A7B260
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A98A62 mov eax, dword ptr fs:[00000030h]	1_2_01A98A62
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A0927A mov eax, dword ptr fs:[00000030h]	1_2_01A0927A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9240 mov eax, dword ptr fs:[00000030h]	1_2_019C9240
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9240 mov eax, dword ptr fs:[00000030h]	1_2_019C9240
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9240 mov eax, dword ptr fs:[00000030h]	1_2_019C9240
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C9240 mov eax, dword ptr fs:[00000030h]	1_2_019C9240
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A54257 mov eax, dword ptr fs:[00000030h]	1_2_01A54257
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8EA55 mov eax, dword ptr fs:[00000030h]	1_2_01A8EA55
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FFD9B mov eax, dword ptr fs:[00000030h]	1_2_019FFD9B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FFD9B mov eax, dword ptr fs:[00000030h]	1_2_019FFD9B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A905AC mov eax, dword ptr fs:[00000030h]	1_2_01A905AC
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A905AC mov eax, dword ptr fs:[00000030h]	1_2_01A905AC
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C2D8A mov eax, dword ptr fs:[00000030h]	1_2_019C2D8A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C2D8A mov eax, dword ptr fs:[00000030h]	1_2_019C2D8A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C2D8A mov eax, dword ptr fs:[00000030h]	1_2_019C2D8A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C2D8A mov eax, dword ptr fs:[00000030h]	1_2_019C2D8A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C2D8A mov eax, dword ptr fs:[00000030h]	1_2_019C2D8A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2581 mov eax, dword ptr fs:[00000030h]	1_2_019F2581
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2581 mov eax, dword ptr fs:[00000030h]	1_2_019F2581
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2581 mov eax, dword ptr fs:[00000030h]	1_2_019F2581
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F2581 mov eax, dword ptr fs:[00000030h]	1_2_019F2581
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F1DB5 mov eax, dword ptr fs:[00000030h]	1_2_019F1DB5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F1DB5 mov eax, dword ptr fs:[00000030h]	1_2_019F1DB5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F1DB5 mov eax, dword ptr fs:[00000030h]	1_2_019F1DB5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F35A1 mov eax, dword ptr fs:[00000030h]	1_2_019F35A1
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]	1_2_01A8FDE2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]	1_2_01A8FDE2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]	1_2_01A8FDE2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8FDE2 mov eax, dword ptr fs:[00000030h]	1_2_01A8FDE2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A78DF1 mov eax, dword ptr fs:[00000030h]	1_2_01A78DF1
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46DC9 mov eax, dword ptr fs:[00000030h]	1_2_01A46DC9
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46DC9 mov eax, dword ptr fs:[00000030h]	1_2_01A46DC9
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46DC9 mov eax, dword ptr fs:[00000030h]	1_2_01A46DC9
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46DC9 mov ecx, dword ptr fs:[00000030h]	1_2_01A46DC9
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46DC9 mov eax, dword ptr fs:[00000030h]	1_2_01A46DC9
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46DC9 mov eax, dword ptr fs:[00000030h]	1_2_01A46DC9
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DD5E0 mov eax, dword ptr fs:[00000030h]	1_2_019DD5E0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DD5E0 mov eax, dword ptr fs:[00000030h]	1_2_019DD5E0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8E539 mov eax, dword ptr fs:[00000030h]	1_2_01A8E539
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A4A537 mov eax, dword ptr fs:[00000030h]	1_2_01A4A537
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A98D34 mov eax, dword ptr fs:[00000030h]	1_2_01A98D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F4D3B mov eax, dword ptr fs:[00000030h]	1_2_019F4D3B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F4D3B mov eax, dword ptr fs:[00000030h]	1_2_019F4D3B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F4D3B mov eax, dword ptr fs:[00000030h]	1_2_019F4D3B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D3D34 mov eax, dword ptr fs:[00000030h]	1_2_019D3D34
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CAD30 mov eax, dword ptr fs:[00000030h]	1_2_019CAD30
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E7D50 mov eax, dword ptr fs:[00000030h]	1_2_019E7D50
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A03D43 mov eax, dword ptr fs:[00000030h]	1_2_01A03D43
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A43540 mov eax, dword ptr fs:[00000030h]	1_2_01A43540
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EC577 mov eax, dword ptr fs:[00000030h]	1_2_019EC577
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EC577 mov eax, dword ptr fs:[00000030h]	1_2_019EC577
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D849B mov eax, dword ptr fs:[00000030h]	1_2_019D849B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A814FB mov eax, dword ptr fs:[00000030h]	1_2_01A814FB
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46CF0 mov eax, dword ptr fs:[00000030h]	1_2_01A46CF0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46CF0 mov eax, dword ptr fs:[00000030h]	1_2_01A46CF0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46CF0 mov eax, dword ptr fs:[00000030h]	1_2_01A46CF0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A98CD6 mov eax, dword ptr fs:[00000030h]	1_2_01A98CD6
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A9740D mov eax, dword ptr fs:[00000030h]	1_2_01A9740D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A9740D mov eax, dword ptr fs:[00000030h]	1_2_01A9740D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A9740D mov eax, dword ptr fs:[00000030h]	1_2_01A9740D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81C06 mov eax, dword ptr fs:[00000030h]	1_2_01A81C06
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46C0A mov eax, dword ptr fs:[00000030h]	1_2_01A46C0A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46C0A mov eax, dword ptr fs:[00000030h]	1_2_01A46C0A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46C0A mov eax, dword ptr fs:[00000030h]	1_2_01A46C0A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A46C0A mov eax, dword ptr fs:[00000030h]	1_2_01A46C0A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FBC2C mov eax, dword ptr fs:[00000030h]	1_2_019FBC2C
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FA44B mov eax, dword ptr fs:[00000030h]	1_2_019FA44B
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019E746D mov eax, dword ptr fs:[00000030h]	1_2_019E746D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5C450 mov eax, dword ptr fs:[00000030h]	1_2_01A5C450
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5C450 mov eax, dword ptr fs:[00000030h]	1_2_01A5C450
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D8794 mov eax, dword ptr fs:[00000030h]	1_2_019D8794
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A47794 mov eax, dword ptr fs:[00000030h]	1_2_01A47794
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A47794 mov eax, dword ptr fs:[00000030h]	1_2_01A47794
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A47794 mov eax, dword ptr fs:[00000030h]	1_2_01A47794
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A037F5 mov eax, dword ptr fs:[00000030h]	1_2_01A037F5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EF716 mov eax, dword ptr fs:[00000030h]	1_2_019EF716
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FA70E mov eax, dword ptr fs:[00000030h]	1_2_019FA70E
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FA70E mov eax, dword ptr fs:[00000030h]	1_2_019FA70E
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A9070D mov eax, dword ptr fs:[00000030h]	1_2_01A9070D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A9070D mov eax, dword ptr fs:[00000030h]	1_2_01A9070D
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FE730 mov eax, dword ptr fs:[00000030h]	1_2_019FE730
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C4F2E mov eax, dword ptr fs:[00000030h]	1_2_019C4F2E
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019C4F2E mov eax, dword ptr fs:[00000030h]	1_2_019C4F2E
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5FF10 mov eax, dword ptr fs:[00000030h]	1_2_01A5FF10
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5FF10 mov eax, dword ptr fs:[00000030h]	1_2_01A5FF10
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A98F6A mov eax, dword ptr fs:[00000030h]	1_2_01A98F6A
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DEF40 mov eax, dword ptr fs:[00000030h]	1_2_019DEF40
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019DFF60 mov eax, dword ptr fs:[00000030h]	1_2_019DFF60
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A446A7 mov eax, dword ptr fs:[00000030h]	1_2_01A446A7
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A90EA5 mov eax, dword ptr fs:[00000030h]	1_2_01A90EA5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A90EA5 mov eax, dword ptr fs:[00000030h]	1_2_01A90EA5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A90EA5 mov eax, dword ptr fs:[00000030h]	1_2_01A90EA5
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A5FE87 mov eax, dword ptr fs:[00000030h]	1_2_01A5FE87
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F36CC mov eax, dword ptr fs:[00000030h]	1_2_019F36CC
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A7FEC0 mov eax, dword ptr fs:[00000030h]	1_2_01A7FEC0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A08EC7 mov eax, dword ptr fs:[00000030h]	1_2_01A08EC7
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F16E0 mov ecx, dword ptr fs:[00000030h]	1_2_019F16E0
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A98ED6 mov eax, dword ptr fs:[00000030h]	1_2_01A98ED6
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D76E2 mov eax, dword ptr fs:[00000030h]	1_2_019D76E2
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FA61C mov eax, dword ptr fs:[00000030h]	1_2_019FA61C
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019FA61C mov eax, dword ptr fs:[00000030h]	1_2_019FA61C
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A7FE3F mov eax, dword ptr fs:[00000030h]	1_2_01A7FE3F
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CC600 mov eax, dword ptr fs:[00000030h]	1_2_019CC600
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CC600 mov eax, dword ptr fs:[00000030h]	1_2_019CC600
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CC600 mov eax, dword ptr fs:[00000030h]	1_2_019CC600
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019F8E00 mov eax, dword ptr fs:[00000030h]	1_2_019F8E00
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A81608 mov eax, dword ptr fs:[00000030h]	1_2_01A81608
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019CE620 mov eax, dword ptr fs:[00000030h]	1_2_019CE620
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D7E41 mov eax, dword ptr fs:[00000030h]	1_2_019D7E41
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D7E41 mov eax, dword ptr fs:[00000030h]	1_2_019D7E41
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D7E41 mov eax, dword ptr fs:[00000030h]	1_2_019D7E41
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D7E41 mov eax, dword ptr fs:[00000030h]	1_2_019D7E41
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D7E41 mov eax, dword ptr fs:[00000030h]	1_2_019D7E41
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D7E41 mov eax, dword ptr fs:[00000030h]	1_2_019D7E41
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8AE44 mov eax, dword ptr fs:[00000030h]	1_2_01A8AE44
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_01A8AE44 mov eax, dword ptr fs:[00000030h]	1_2_01A8AE44
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EAE73 mov eax, dword ptr fs:[00000030h]	1_2_019EAE73
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EAE73 mov eax, dword ptr fs:[00000030h]	1_2_019EAE73
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EAE73 mov eax, dword ptr fs:[00000030h]	1_2_019EAE73
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EAE73 mov eax, dword ptr fs:[00000030h]	1_2_019EAE73
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019EAE73 mov eax, dword ptr fs:[00000030h]	1_2_019EAE73
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Code function: 1_2_019D766D mov eax, dword ptr fs:[00000030h]	1_2_019D766D

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Code function: 1_2_0040ACF0 LdrLoadDll,

1_2_0040ACF0

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 194.50.194.150 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.qdtlmj.com

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 150000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Thread register set: target process: 3324			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 3324			Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Process created: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe"			Jump to behavior

Source: explorer.exe, 00000002.00000000.380251366.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.547817428.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.591112099.0000000005910000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.584016704.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.371786582.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000002.00000002.584016704.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.371786582.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.584016704.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.371786582.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.371135857.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.583649197.0000000000878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanLoc*U

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.gsPzUI8EV8RoSMt.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4860dd0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.gsPzUI8EV8RoSMt.exe.4606d30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	512 Process Injection	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Masquerading	1 Input Capture	2 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	31 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	112 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gsPzUI8EV8RoSMt.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
gsPzUI8EV8RoSMt.exe	38%	Virustotal		Browse
gsPzUI8EV8RoSMt.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.gsPzUI8EV8RoSMt.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.ntiled.net/us38/	100%	Avira URL Cloud	malware
http://www.qdtlmj.com/us38/?7n=ZVfFkidWioZ1z242CMU5NErFVagRqFscjwTZw32dpH9T5nOFHAt7D4fNn/kr4Wxh+xCU&5jJX=q8td9Nm	100%	Avira URL Cloud	malware
http://www.codshipin.com/us38/	100%	Avira URL Cloud	malware
http://www.bhukroofingandbuilding.co.uk/us38/	0%	Avira URL Cloud	safe
http://www.customgiveawaysplus.com/us38/	100%	Avira URL Cloud	malware
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jggfj.comReferer:	0%	Avira URL Cloud	safe
http://www.fontbureau.comgreta(	0%	Avira URL Cloud	safe
http://www.fatherlandistanbul.com/us38/www.customgiveawaysplus.com	100%	Avira URL Cloud	malware
http://www.mymof.uk	0%	Avira URL Cloud	safe
http://www.codshipin.com/us38/	1%	Virustotal		Browse
http://www.customgiveawaysplus.comReferer:	0%	Avira URL Cloud	safe
http://www.jggfj.com/us38/www.efefcorn.buzz	100%	Avira URL Cloud	malware
http://www.91ye260.xyz/us38/	100%	Avira URL Cloud	malware
http://www.lightscript.ruReferer:	0%	Avira URL Cloud	safe
http://www.91ye260.xyz/us38/www.fatherlandistanbul.com	100%	Avira URL Cloud	malware
http://www.codshipin.com	0%	Avira URL Cloud	safe
http://www.customgiveawaysplus.com	0%	Avira URL Cloud	safe
http://www.jggfj.com/us38/	100%	Avira URL Cloud	malware
http://www.qdtlmj.com/us38/	100%	Avira URL Cloud	malware
http://www.pickleontop.netReferer:	0%	Avira URL Cloud	safe
http://www.91ye260.xyz	0%	Avira URL Cloud	safe
http://www.efefcorn.buzzReferer:	0%	Avira URL Cloud	safe
http://www.huntergatherer.store/us38/	100%	Avira URL Cloud	malware
http://www.huntergatherer.store/us38/www.pickleontop.net	100%	Avira URL Cloud	malware
http://www.mymof.ukReferer:	0%	Avira URL Cloud	safe
http://www.bameit.xyz/us38/	0%	Avira URL Cloud	safe
http://www.pickleontop.net/us38/	0%	Avira URL Cloud	safe
http://www.bhukroofingandbuilding.co.uk/us38/www.mymof.uk	0%	Avira URL Cloud	safe
http://www.bhukroofingandbuilding.co.ukReferer:	0%	Avira URL Cloud	safe
http://www.huntergatherer.store	0%	Avira URL Cloud	safe
http://www.huntergatherer.storeReferer:	0%	Avira URL Cloud	safe
http://www.bameit.xyz	0%	Avira URL Cloud	safe
http://www.efefcorn.buzz	0%	Avira URL Cloud	safe
http://www.91ye260.xyzReferer:	0%	Avira URL Cloud	safe
http://www.loxnorth.comReferer:	0%	Avira URL Cloud	safe
http://www.qdtlmj.com/us38/www.lightscript.ru	100%	Avira URL Cloud	malware
http://www.lightscript.ru	0%	Avira URL Cloud	safe
http://www.qdtlmj.com	0%	Avira URL Cloud	safe
http://www.fontbureau.commto	0%	Avira URL Cloud	safe
http://www.ntiled.net	0%	Avira URL Cloud	safe
http://www.loxnorth.com/us38/www.jggfj.com	0%	Avira URL Cloud	safe
http://www.codshipin.comReferer:	0%	Avira URL Cloud	safe
http://www.fatherlandistanbul.com	0%	Avira URL Cloud	safe
http://www.ntiled.netReferer:	0%	Avira URL Cloud	safe
http://www.pickleontop.net	0%	Avira URL Cloud	safe
http://www.bameit.xyzReferer:	0%	Avira URL Cloud	safe
http://www.artificial-grass-61758.comReferer:	0%	Avira URL Cloud	safe
http://www.bhukroofingandbuilding.co.uk	0%	Avira URL Cloud	safe
www.pickleontop.net/us38/	0%	Avira URL Cloud	safe
http://www.artificial-grass-61758.com/us38/	100%	Avira URL Cloud	malware
http://www.fatherlandistanbul.comReferer:	0%	Avira URL Cloud	safe
http://www.artificial-grass-61758.com	0%	Avira URL Cloud	safe
http://www.efefcorn.buzz/us38/	100%	Avira URL Cloud	malware
http://www.lightscript.ru/us38/	100%	Avira URL Cloud	malware
http://www.codshipin.com/us38/www.bhukroofingandbuilding.co.uk	100%	Avira URL Cloud	malware
http://www.efefcorn.buzz/us38/www.huntergatherer.store	100%	Avira URL Cloud	malware
http://www.ntiled.net/us38/www.artificial-grass-61758.com	100%	Avira URL Cloud	malware
http://www.fatherlandistanbul.com/us38/	100%	Avira URL Cloud	malware
http://www.jggfj.com	0%	Avira URL Cloud	safe
http://www.lightscript.ru/us38/www.ntiled.net	100%	Avira URL Cloud	malware
http://www.pickleontop.net/us38/www.91ye260.xyz	0%	Avira URL Cloud	safe
http://www.loxnorth.com	0%	Avira URL Cloud	safe
http://www.mymof.uk/us38/	100%	Avira URL Cloud	malware
http://www.bameit.xyz/us38/www.qdtlmj.com	0%	Avira URL Cloud	safe
http://www.customgiveawaysplus.com/us38/www.codshipin.com	100%	Avira URL Cloud	malware
http://www.artificial-grass-61758.com/us38/www.loxnorth.com	100%	Avira URL Cloud	malware
http://www.loxnorth.com/us38/	0%	Avira URL Cloud	safe
http://www.qdtlmj.comReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.qdtlmj.com	194.50.194.150	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.qdtlmj.com/us38/?7n=ZVfFkidWioZ1z242CMU5NErFVagRqFscjwTZw32dpH9T5nOFHAt7D4fNn/kr4Wxh+xCU&5jJX=q8td9Nm	true	Avira URL Cloud: malware	unknown
www.pickleontop.net/us38/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ntiled.net/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.bhukroofingandbuilding.co.uk/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.customgiveawaysplus.com/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.codshipin.com/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.jggfj.comReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comgreta(	gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fatherlandistanbul.com/us38/www.customgiveawaysplus.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mymof.uk	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.customgiveawaysplus.comReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jggfj.com/us38/www.efefcorn.buzz	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.91ye260.xyz/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lightscript.ruReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.customgiveawaysplus.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.91ye260.xyz/us38/www.fatherlandistanbul.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.galapagosdesign.com/DPlease	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.codshipin.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pickleontop.net/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	gsPzUI8EV8RoSMt.exe, 00000000.00000003.326991378.000000000653A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jggfj.com/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.qdtlmj.com/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.pickleontop.netReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.91ye260.xyz	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.efefcorn.buzzReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.huntergatherer.store/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000002.598775114.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.583649197.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.371135857.000000000091F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.huntergatherer.store/us38/www.pickleontop.net	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mymof.ukReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bameit.xyz/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bhukroofingandbuilding.co.uk/us38/www.mymof.uk	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bhukroofingandbuilding.co.ukReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.huntergatherer.store	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.huntergatherer.storeReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bameit.xyz	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.efefcorn.buzz	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	gsPzUI8EV8RoSMt.exe, 00000000.00000003.326136171.0000000006542000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000003.325971120.0000000006542000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000003.326349789.0000000006542000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.91ye260.xyzReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loxnorth.comReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qdtlmj.com/us38/www.lightscript.ru	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fontbureau.com/designers/frere-jones.html	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.lightscript.ru	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qdtlmj.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.commto	gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ntiled.net	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loxnorth.com/us38/www.jggfj.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codshipin.comReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fatherlandistanbul.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000003.326496029.0000000006535000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ntiled.netReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://push.zhanzhang.baidu.com/push.js	explorer.exe, 00000002.00000002.601106968.000000001593F000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000002.585071927.0000000004E0F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.goodfont.co.kr	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pickleontop.net	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bameit.xyzReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.artificial-grass-61758.comReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bhukroofingandbuilding.co.uk	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.artificial-grass-61758.com/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fatherlandistanbul.comReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.artificial-grass-61758.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.efefcorn.buzz/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lightscript.ru/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.codshipin.com/us38/www.bhukroofingandbuilding.co.uk	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.sakkal.com	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp, gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.efefcorn.buzz/us38/www.huntergatherer.store	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ntiled.net/us38/www.artificial-grass-61758.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.fatherlandistanbul.com/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.jggfj.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lightscript.ru/us38/www.ntiled.net	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://zz.bdstatic.com/linksubmit/push.js	explorer.exe, 00000002.00000002.601106968.000000001593F000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000003.00000002.585071927.0000000004E0F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.pickleontop.net/us38/www.91ye260.xyz	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loxnorth.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mymof.uk/us38/	explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bameit.xyz/us38/www.qdtlmj.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.customgiveawaysplus.com/us38/www.codshipin.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.fontbureau.comm	gsPzUI8EV8RoSMt.exe, 00000000.00000003.366148339.0000000006530000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	gsPzUI8EV8RoSMt.exe, 00000000.00000002.384267891.0000000007742000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.artificial-grass-61758.com/us38/www.loxnorth.com	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.loxnorth.com/us38/	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qdtlmj.comReferer:	explorer.exe, 00000002.00000003.547317918.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.534148544.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.535419248.000000000ED65000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.598996843.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.533865104.000000000ED57000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.50.194.150	www.qdtlmj.com	United Kingdom		46261	QUICKPACKETUS	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	830457
Start date and time:	2023-03-20 11:52:43 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	gsPzUI8EV8RoSMt.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 75.5% (good quality ratio 70.9%) Quality average: 72.2% Quality standard deviation: 30.1%
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 151
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:53:59	API Interceptor	2x Sleep call for process: gsPzUI8EV8RoSMt.exe modified
11:54:36	API Interceptor	411x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
QUICKPACKETUS	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	66.78.28.63
	ye5GHWJ8UG.exe	Get hash	malicious	Grandcrab, Gandcrab	Browse	185.211.7.244
	Aspernatur.html	Get hash	malicious	HtmlDropper	Browse	185.193.66.168
	E-dekont.pdf.exe	Get hash	malicious	FormBook	Browse	172.82.182.141
	AS12023000024196.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.82.158.243
	MeKlKsWOAd.elf	Get hash	malicious	Mirai	Browse	192.255.127.112
	UrQrIdRfCg.exe	Get hash	malicious	Unknown	Browse	185.218.125.70
	doc03400720230214100634.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.82.158.243
	jnZPaf7uYB.exe	Get hash	malicious	Unknown	Browse	104.166.126.10
	ZGh3SwNVn8.exe	Get hash	malicious	RedLine	Browse	185.176.93.30
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	194.50.235.99
	dekont.pdf.exe	Get hash	malicious	FormBook	Browse	172.82.182.141
	E-Dekont.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	194.50.194.217
	nuihp vuwlkuq.exe	Get hash	malicious	FormBook	Browse	160.202.98.143
	Wire Payment02132023.exe	Get hash	malicious	FormBook, GuLoader	Browse	194.50.194.217
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	194.50.194.217
	Product List Pdf.exe	Get hash	malicious	FormBook	Browse	185.145.47.141
	Zfq98Whg5h.exe	Get hash	malicious	FormBook	Browse	103.207.160.247
	PO-49347532 Pdf.exe	Get hash	malicious	FormBook	Browse	195.216.148.21
	PhviZrlpkW.exe	Get hash	malicious	Nanocore	Browse	193.31.30.138

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gsPzUI8EV8RoSMt.exe.log

Download File

Process:	C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	984
Entropy (8bit):	5.2414849034866355
Encrypted:	false
SSDEEP:	24:Yq6CUXyhmbmPlbNdB6hmYmPlz0JahmNmPlHZ6T06Mhm6mPlbxdB6hm3mPl7KTdB2:YqDUXycSNbNdUcVNz0JacQNHZ6T06Mcs
MD5:	4816271302882BDFB06EE40F624169D1
SHA1:	A8F07F0A5940C4A9D4DAD112787FE109CCACA869
SHA-256:	26D30DFFC5E2C493FF97B32C775C98630F0466D49144778BAE2688BA0716C760
SHA-512:	3D46AA6777AF386524E65D8D158201B699F766A5640A3E917CFA78E337475F910A839B93E0097C6651D2FCBE02ED7BFAF9EF8274C9632A88D06985168087823B
Malicious:	false
Preview:	{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4155601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4145601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":4135601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":4125601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4115601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4105601904,"LastSwitchedHighPart":30747926,"PrePopulated":true}]}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.885029457664913
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	gsPzUI8EV8RoSMt.exe
File size:	980992
MD5:	bf7689cacf1c7ec05684d27628538b3d
SHA1:	9186ece8e710a0d849834538b711fe90cb830c71
SHA256:	85b572a6060bf6d434ab978aa1447096c11f84bcd329d71364de8daf261a4660
SHA512:	7414252930a18bb01a91a026fd15473b24133e1a6973aee87b53f6b3b0d64019c2d60991291ecdc8a242aa0a3bc13390aaf3c711c425dc701d07bad346a85090
SSDEEP:	12288:/+BbBU9oRh5IebKqo+tUFwJaXPyKVN3eodapNRunLfJ/ZkBNvTczxmCAG7z4L2pf:GBPRUebR9UFoYT3cpNRKSdAkCr78L2p
TLSH:	0D2512346BAA1339F53B6BBD96B42241177E67B33B03DA0D4DB610CD4B27B025AD0627
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=.................0.............^.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4f0c5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8880963D [Mon Jul 28 02:47:25 2042 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf0c0b	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf2000	0x58c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xeea0c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xeec64	0xeee00	False	0.9401920624018838	data	7.890438054015532	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf2000	0x58c	0x600	False	0.416015625	data	4.02871538646989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xf2090	0x2fc	data
RT_MANIFEST	0xf239c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 11:55:36.738970041 CET	49680	80	192.168.2.5	194.50.194.150
Mar 20, 2023 11:55:36.905034065 CET	80	49680	194.50.194.150	192.168.2.5
Mar 20, 2023 11:55:36.912892103 CET	49680	80	192.168.2.5	194.50.194.150
Mar 20, 2023 11:55:36.913302898 CET	49680	80	192.168.2.5	194.50.194.150
Mar 20, 2023 11:55:37.082736969 CET	80	49680	194.50.194.150	192.168.2.5
Mar 20, 2023 11:55:37.082788944 CET	80	49680	194.50.194.150	192.168.2.5
Mar 20, 2023 11:55:37.082992077 CET	49680	80	192.168.2.5	194.50.194.150
Mar 20, 2023 11:55:37.083051920 CET	49680	80	192.168.2.5	194.50.194.150
Mar 20, 2023 11:55:37.248868942 CET	80	49680	194.50.194.150	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 11:55:36.547223091 CET	58644	53	192.168.2.5	8.8.8.8
Mar 20, 2023 11:55:36.715958118 CET	53	58644	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 20, 2023 11:55:36.547223091 CET	192.168.2.5	8.8.8.8	0xd79	Standard query (0)	www.qdtlmj.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 20, 2023 11:55:36.715958118 CET	8.8.8.8	192.168.2.5	0xd79	No error (0)	www.qdtlmj.com		194.50.194.150	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.qdtlmj.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49680	194.50.194.150	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 20, 2023 11:55:36.913302898 CET	3	OUT	GET /us38/?7n=ZVfFkidWioZ1z242CMU5NErFVagRqFscjwTZw32dpH9T5nOFHAt7D4fNn/kr4Wxh+xCU&5jJX=q8td9Nm HTTP/1.1 Host: www.qdtlmj.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 20, 2023 11:55:37.082736969 CET	4	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 20 Mar 2023 10:55:36 GMT Content-Type: text/html Content-Length: 785 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e ba d3 d4 b4 b8 ce d6 ce bd cc d3 fd d7 c9 d1 af d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xE6
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xE6
GetMessageW	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xE6
GetMessageA	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xE6

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: gsPzUI8EV8RoSMt.exePID: 5480, Parent PID: 3324

General

Target ID:	0
Start time:	11:53:47
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe
Imagebase:	0xe30000
File size:	980992 bytes
MD5 hash:	BF7689CACF1C7EC05684D27628538B3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.377424838.00000000044A2000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.377424838.0000000004860000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: gsPzUI8EV8RoSMt.exePID: 5636, Parent PID: 5480

General

Target ID:	1
Start time:	11:54:08
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe
Imagebase:	0xed0000
File size:	980992 bytes
MD5 hash:	BF7689CACF1C7EC05684D27628538B3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3324, Parent PID: 5636

General

Target ID:	2
Start time:	11:54:11
Start date:	20/03/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69bc80000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.593835130.0000000007475000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: colorcpl.exePID: 5808, Parent PID: 3324

General

Target ID:	3
Start time:	11:54:29
Start date:	20/03/2023
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0x150000
File size:	86528 bytes
MD5 hash:	746F3B5E7652EA0766BA10414D317981
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.583708430.0000000000400000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.583748187.0000000002460000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.583808848.0000000002560000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5916, Parent PID: 5808

General

Target ID:	6
Start time:	11:54:34
Start date:	20/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\gsPzUI8EV8RoSMt.exe"
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5924, Parent PID: 5916

General

Target ID:	7
Start time:	11:54:34
Start date:	20/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: gsPzUI8EV8RoSMt.exePID: 5480, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	98
Total number of Limit Nodes:	8

Executed Functions

Function 0158B740 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0158B7B0
GetCurrentThread.KERNEL32 ref: 0158B7ED
GetCurrentProcess.KERNEL32 ref: 0158B82A
GetCurrentThreadId.KERNEL32 ref: 0158B883

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1f4a3a8287da6538176fd78ec9315db8a85f446381515a812a4319926a0ce3c3
Instruction ID: 214c61dedcaad02c8fa6641366611a327e99da808e5784faf9b35800140e7ae0
Opcode Fuzzy Hash: 1f4a3a8287da6538176fd78ec9315db8a85f446381515a812a4319926a0ce3c3
Instruction Fuzzy Hash: 745133B4D002498FDB14DFAAD588BEEBBF4BF88300F24846AE419BB250D7745884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0158B750 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0158B7B0
GetCurrentThread.KERNEL32 ref: 0158B7ED
GetCurrentProcess.KERNEL32 ref: 0158B82A
GetCurrentThreadId.KERNEL32 ref: 0158B883

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 36cd5a86998f6d7c04afb55f532b25e9f5d6f2b585a2632deaa286874faeaef3
Instruction ID: 977b4210ec7ca1c16edff13fa0f8a6148d2579d69e5fd1cf5b94bd7dc79fa2f3
Opcode Fuzzy Hash: 36cd5a86998f6d7c04afb55f532b25e9f5d6f2b585a2632deaa286874faeaef3
Instruction Fuzzy Hash: 765132B4D002498FDB14DFAAD588BDEBBF4BF88304F248469E419BB250C7749984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0158FDAC Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0158FECA

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 43417fcecbc758c3d8587ece5e1c7d5f9190bc67368baa553db67afac9b38c48
Instruction ID: c72cd946f36c694c12fe70f1a39f6855c4a24a2a014481627687c6b58c712099
Opcode Fuzzy Hash: 43417fcecbc758c3d8587ece5e1c7d5f9190bc67368baa553db67afac9b38c48
Instruction Fuzzy Hash: 2151C0B1D10309DFDB14DFAAC884ADEBFB5BF48710F24852AE419AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0158FDB8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0158FECA

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4cf5e9a062b7e11be1561ad5718b9b2bb7b48142404aca938fae5bee205ffb32
Instruction ID: fefecf1bcabebab75e7b2ac9757fab902e18d8723af4d5e8f085c4d39b064bc1
Opcode Fuzzy Hash: 4cf5e9a062b7e11be1561ad5718b9b2bb7b48142404aca938fae5bee205ffb32
Instruction Fuzzy Hash: 9241B0B1D00309DFDB14DFAAD884ADEBFB5BF48710F24852AE419AB250D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01583DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01585421

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ec430e981c8b6a045bd4d9a1b7e7860017a39bbb3b7bbb094a26232a796ce9aa
Instruction ID: fce791a476957fa09d9dc68bd3830f03bd7427b37451cf1da51bc0452fe42185
Opcode Fuzzy Hash: ec430e981c8b6a045bd4d9a1b7e7860017a39bbb3b7bbb094a26232a796ce9aa
Instruction Fuzzy Hash: FA41CF71D0061CCEDB24EFAAC888BCDBBB5BF48304F20846AD409AB251DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0158536E Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01585421

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 73493ad2a2130394f4a51999e3a6d18e65f3fc9b71374f8366ee7b80c99ce3f5
Instruction ID: ec3a3e602b814081fe4a08b5199af224df5ea307b8d7f9920a1fcf14cd842647
Opcode Fuzzy Hash: 73493ad2a2130394f4a51999e3a6d18e65f3fc9b71374f8366ee7b80c99ce3f5
Instruction Fuzzy Hash: 1D41B071D00618CEDB24DFA9C888BDDBBB5BF58304F20846AD409AB251D7755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0158B970 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158B9FF

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 05df1dce5750f609042096040415b7213659a92beec6185b1eab24a63b619f53
Instruction ID: 2a43178984b867d637e3bd8b34fcbcc35e11b1e57835273c643ffb6a2c0c3de1
Opcode Fuzzy Hash: 05df1dce5750f609042096040415b7213659a92beec6185b1eab24a63b619f53
Instruction Fuzzy Hash: 6021D2B5D002099FDB10CFA9D984AEEFBF8FB48324F14842AE915B7250D374A945DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0158B978 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158B9FF

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6944ed0fc718e6f026ed107d48de6ceca0fa86ccf34493278f66ac959dde1483
Instruction ID: 3d33d058e1764c0c1006868dca3693bacec321e12fc4e52a3db517b01e4612d1
Opcode Fuzzy Hash: 6944ed0fc718e6f026ed107d48de6ceca0fa86ccf34493278f66ac959dde1483
Instruction Fuzzy Hash: 8D21E0B59002099FDB10CFAAD984ADEBBF8FB48320F14841AE915B7210D374A944DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01589538 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01589A11,00000800,00000000,00000000), ref: 01589C22

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6ba61a44590db897066a79896948ce039ae670ae2f8e1b0d936ae1d56ac4c978
Instruction ID: 0cb1363428ec22df27c4cf7c22208f246291f33ea0cbf147457fe5597f43d7bf
Opcode Fuzzy Hash: 6ba61a44590db897066a79896948ce039ae670ae2f8e1b0d936ae1d56ac4c978
Instruction Fuzzy Hash: DF1114B6D002098FDB10DF9AD484AEEFBF4FB88314F14842AD515BB200C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01589BB4 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01589A11,00000800,00000000,00000000), ref: 01589C22

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe1a3d8874a469eb0e62f76c58f90dbd121f2f2d6bd95855d93079fadaf57e33
Instruction ID: 8ac86907f75499f6851714bd7beec8f20802d5268acc3cfe96919baafc7cbd02
Opcode Fuzzy Hash: fe1a3d8874a469eb0e62f76c58f90dbd121f2f2d6bd95855d93079fadaf57e33
Instruction Fuzzy Hash: 4F1114B6D002098FDB14CFAAD484AEEFBF4BB88314F14842ED815B7200C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01589928 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01589996

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e51452375a215c2d223b0b8dba554a6300d15acceae96daf45f6fd7965a7e4d8
Instruction ID: e984d77db0000c580987068a6519763bd59fea8322beafc9d22ae4f8eac70f29
Opcode Fuzzy Hash: e51452375a215c2d223b0b8dba554a6300d15acceae96daf45f6fd7965a7e4d8
Instruction Fuzzy Hash: DA11F0B5C0060A8FDB10DF9AC484ADEBBF4EB89224F14852AD459BB610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01589930 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01589996

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c9a4917d70839e62e3fc0166d2ccaea5fee37e2b47230b47afe6431345ca30f2
Instruction ID: 8ebce1e3bb2011b627b74bdfe895dc577dd6b13ac4003a92bf3c30a4b1bd4506
Opcode Fuzzy Hash: c9a4917d70839e62e3fc0166d2ccaea5fee37e2b47230b47afe6431345ca30f2
Instruction Fuzzy Hash: 191110B6C0020A8FDB10DF9AC484ADEFBF4EF88324F14842AD459BB610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07C00530 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec38fbd396a5665331cc45b362c003190b5808e085f1657e1ce46656d9f4bf7
Instruction ID: 5a108f62f594f41b3996f0652dfb9fc50ef49eb99726476effa363ece936ee34
Opcode Fuzzy Hash: aec38fbd396a5665331cc45b362c003190b5808e085f1657e1ce46656d9f4bf7
Instruction Fuzzy Hash: 81718F78A01209EFCB14DF59D484DAEBBB6FF89714B114498F901AB361DB31ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07C04160 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3165e23b45b391fad7c2d1333046624b88477aa72c10e8a1df3091f73a6abe
Instruction ID: 38f90f6d79e1c2b491777d9edba6226d4c1c6192b6097e9849d31066e8eb6727
Opcode Fuzzy Hash: 3c3165e23b45b391fad7c2d1333046624b88477aa72c10e8a1df3091f73a6abe
Instruction Fuzzy Hash: 5D410674E012198FCB08DFA9D5916EEBBF2FB89310F14906AD815B7354DB359A02CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369632412.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fcefd8de04f9251e86d1ebbcbce5e367f6f37dfc355db0bc852d182e386508
Instruction ID: 542dbb2a47702405d13932709398705e9f64002cd4df9fa97668f2df5dc2d696
Opcode Fuzzy Hash: 70fcefd8de04f9251e86d1ebbcbce5e367f6f37dfc355db0bc852d182e386508
Instruction Fuzzy Hash: E1212871904240EFDF15DF58D9E0B27BF65FB88328F24866AD8450B3A6C336E846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369676374.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2bbe177d8ac4903238f91391348258964249d45054554924ba9ed9046579d2
Instruction ID: 6afd56890e300f91cf5f6b1938a0143738542306f023e2a0454a88ce49e80b3b
Opcode Fuzzy Hash: 2c2bbe177d8ac4903238f91391348258964249d45054554924ba9ed9046579d2
Instruction Fuzzy Hash: B82125B1904240DFDB15CF58D8C8B16BFA1FB84359F28C96AD84A0B356C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 014ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369676374.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24faaeb3413eb572e2b233e7c4c1bc99a1554392eeac2c80feb3d3021a867c8a
Instruction ID: 1965646df3927614f55eea76a0134aadba93152b6d60ac69f8fdac201434ff6a
Opcode Fuzzy Hash: 24faaeb3413eb572e2b233e7c4c1bc99a1554392eeac2c80feb3d3021a867c8a
Instruction Fuzzy Hash: B0213775904240EFDB01CF98D9C4B16BBE1FB84324F20CA6ED8494B362C336D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07C00470 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f96d6058a306119def56dfd64950e1b5b12b863f5bcc9be494a6a909edb628
Instruction ID: 8da2d928b9f6076ce9d6339a4fe20a384f59dca6fbbfab96e5f106c7a264b9bd
Opcode Fuzzy Hash: a5f96d6058a306119def56dfd64950e1b5b12b863f5bcc9be494a6a909edb628
Instruction Fuzzy Hash: 3A215EB67006059FCB249E59D5C4F6AB3AAFBC4620F12442EE90687791C771F9818BE4

Uniqueness

Uniqueness Score: -1.00%

Function 07C0454C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204c4f1ea7c456831be53ad49ab8616c28e547349f355fdf450ff5d966b26a1
Instruction ID: 9775db17b71344acca29e1a3dd2d4d2b0456bba531a8336ac1310d0b71bc55fc
Opcode Fuzzy Hash: 6204c4f1ea7c456831be53ad49ab8616c28e547349f355fdf450ff5d966b26a1
Instruction Fuzzy Hash: 5731EEB0D003589FDB24CF9AC588B8EBFF4AB49714F248069E504BB290C7B55A85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 014ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369676374.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788906fe40dd9981969100a8ff25861f0c2819ccca935db1c2e6dc208a6e4d31
Instruction ID: 9d954c0624239b7a9d82cc31ca39f6968e973f91668af6a82e5f43403dd0aab1
Opcode Fuzzy Hash: 788906fe40dd9981969100a8ff25861f0c2819ccca935db1c2e6dc208a6e4d31
Instruction Fuzzy Hash: C92171755093808FDB02CF24D594716BFB1EB46214F28C5DAD8458B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07C034CA Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e889b7baad0b00d9a70ed8e1d86ff0852b94ce8707e0b851ee7ab09d9511999
Instruction ID: c56132a534df3bb09b9ee33d797377688fa602962a104f6052bc165adce56a4a
Opcode Fuzzy Hash: 6e889b7baad0b00d9a70ed8e1d86ff0852b94ce8707e0b851ee7ab09d9511999
Instruction Fuzzy Hash: 6611DDB4959695CFDB11CBA9C8C4AEDBBF4AB0F200F145159D81AAB291D331D941CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 07C03750 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58cbde50c64299092917b6cac1b3eff544167e19fbd1d900fd1d60d5c07b3bc
Instruction ID: fac2a8b7938ace78847d2e58cff6ff831ef6e2ab6f1684c2d03b6feffc7c51e9
Opcode Fuzzy Hash: f58cbde50c64299092917b6cac1b3eff544167e19fbd1d900fd1d60d5c07b3bc
Instruction Fuzzy Hash: D411F5F4D2815ADBCB00CFAAD6485FEBBB8AB4B250F00542AD816B3380D7305A158BE0

Uniqueness

Uniqueness Score: -1.00%

Function 014DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369632412.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction ID: 60a05b2fd2b66277bb422f8524570750f9482ece4b446f6687dca3aaccf2121f
Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
Instruction Fuzzy Hash: 4911E172804280CFCF12CF14D9D0B16BF71FB84324F24C6AAD8440B66AC336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369676374.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction ID: 4f7327f225df933cfcbcd836c58c763ba23903624df1a508129417e74678ae35
Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
Instruction Fuzzy Hash: E5118B75904280DFDB16CF54D6C4B16BBA1FB84324F28C6AED8494B766C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 07C03134 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb931bd5bd96ccdf8d8ade76a159e7ec1bd14210543c52b026489aee4345d69b
Instruction ID: 8da3876d67fb9fa30c5225bd7332ae68f88e726c5708bab997b23a066dc63f3f
Opcode Fuzzy Hash: eb931bd5bd96ccdf8d8ade76a159e7ec1bd14210543c52b026489aee4345d69b
Instruction Fuzzy Hash: 971198B4E19259CFCB04CFA9E984AADBBB5BB49340F10506AE80AE7355D7309944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014DD5D9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369632412.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf53e41bc8f4e61357bda8d70f4b1f30ab956620846c12f29387ab093aced0c9
Instruction ID: 5cfae5d0a1aa00b5f7596f6853d412640f9f177f1c4c6a87f8bf0169c26ec18a
Opcode Fuzzy Hash: cf53e41bc8f4e61357bda8d70f4b1f30ab956620846c12f29387ab093aced0c9
Instruction Fuzzy Hash: B201D4319083449AEB208AA9C894763BF98EF41624F08855BE94D5B3D6C7799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 014DD5D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369632412.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68686c2f489576ad1836de9a8bc0b1223b9122ea9b52df050884061b49f04e53
Instruction ID: 04d37582dafe284e23c5ab4377f58b869fb2de7b3f93472e8afdb7eb3e372d01
Opcode Fuzzy Hash: 68686c2f489576ad1836de9a8bc0b1223b9122ea9b52df050884061b49f04e53
Instruction Fuzzy Hash: F1F0AF718042449AEB218A5ACC84B63FFA8EB81634F18C55AED085B396C2799844CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 07C05158 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbed0d8c5cf4f36bcd8df49908afb4002ddaeaf2a91a6fe3a5f7618139e3c85
Instruction ID: 0a37be5dfde94d11fe2741853f0a71e98f403788592d92793236d6534ddd47c9
Opcode Fuzzy Hash: ffbed0d8c5cf4f36bcd8df49908afb4002ddaeaf2a91a6fe3a5f7618139e3c85
Instruction Fuzzy Hash: 2B01ECB1C0021ADFEB15CF5AD8447AE7BF1EF45354F148129E424AA2A0D7744A50CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 07C036E8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9ff7498cb19374a19f24f6ec9ac3ae36c93f0f0d85c48b1f543541a24a853f
Instruction ID: 120eaeb6a9ed34c42e70aaebe56341bcd47009311e7952da3b0b7207cd59774e
Opcode Fuzzy Hash: fc9ff7498cb19374a19f24f6ec9ac3ae36c93f0f0d85c48b1f543541a24a853f
Instruction Fuzzy Hash: C8F097F4D15249EFCB40DFADD5445AEFBF4BB0A240F1055AA9915A3340E7305A10CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 07C051F8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09fd441dcc6d93846a53edd03bdde2c00f62f65f69b142c99da54ba9ac82cdb
Instruction ID: 21271715ee5e65629d0594e1d454f83629a7413db1e71c9f8391506bcd8a6b27
Opcode Fuzzy Hash: b09fd441dcc6d93846a53edd03bdde2c00f62f65f69b142c99da54ba9ac82cdb
Instruction Fuzzy Hash: E3E03972B001246F9704DB6EDC84C6BBBEEFBCD660351813AF908C7310D9309C00C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 07C03413 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284534224475df7bae56891c1917c75d09c06d7fe9d3b0b38ac83ab24029d303
Instruction ID: 5a6f1ea75fce371ef08be5188440ac98970fd8568fa9b2c269ac8b2e61ea9716
Opcode Fuzzy Hash: 284534224475df7bae56891c1917c75d09c06d7fe9d3b0b38ac83ab24029d303
Instruction Fuzzy Hash: F0F074B4E042588FCB51CFA9C984A8DBFF1BF4A320F148199D459AB3A5D7745D82CF01

Uniqueness

Uniqueness Score: -1.00%

Function 07C09159 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977da4d7807e084a56d21b125f57afa33c7badd476e99b5b7297588e4c6dac69
Instruction ID: 8e2877f0f92396328fbf54a6a6706c4f40fe766f560d3c3b970da1915cebb988
Opcode Fuzzy Hash: 977da4d7807e084a56d21b125f57afa33c7badd476e99b5b7297588e4c6dac69
Instruction Fuzzy Hash: D5E09A74E54218CFEB10DFA8D85849DBB71FB89715F20452DE416A7392DB355810CF41

Uniqueness

Uniqueness Score: -1.00%

Function 07C020D8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8d7995dd5cd02d7e376e5aedf19161583b4a83b5985a9055d10c61f3cf7880
Instruction ID: cd7666cfd635107d701ba630928a23e2c1d387b1de6b4e44ec53688c925c6b36
Opcode Fuzzy Hash: cc8d7995dd5cd02d7e376e5aedf19161583b4a83b5985a9055d10c61f3cf7880
Instruction Fuzzy Hash: 13C08C37300208BFDB80AFD4CC04D963BADEB48700F609100FE080E201C232E862EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07C00440 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613c67901b154e526b23eb8f0fd3bc87d3abf5bbbb66ac2ca4f88a8e832c8dbf
Instruction ID: 5d9b82780c348088a6c29dd7159cafeaae190a8b2a6ff2b19de3ebee2b8fff0f
Opcode Fuzzy Hash: 613c67901b154e526b23eb8f0fd3bc87d3abf5bbbb66ac2ca4f88a8e832c8dbf
Instruction Fuzzy Hash: 52C01232204108BBCB826A80CC04E09BB2AAB44250F208404FA040D021D2B39522AB84

Uniqueness

Uniqueness Score: -1.00%

Function 07C042C0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec795c54ef95c52827b5d3c64120289c775744382a183a779730ae9b37801d01
Instruction ID: f48e8ea747f2d4b0f9731161755a82be5f76a3fde4414eaf39cf7fe3ec7ff5ad
Opcode Fuzzy Hash: ec795c54ef95c52827b5d3c64120289c775744382a183a779730ae9b37801d01
Instruction Fuzzy Hash: 2DB09B6015764541F51D27ACA515736F78CD741244F80013D9709119D25D655675C2D6

Uniqueness

Uniqueness Score: -1.00%

Function 07C032F2 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.386450306.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c00000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305216ee6270591536c0ea09874d666fb8ea8c3091c71aa6540c22cf23c448d2
Instruction ID: b9fd9c603b5e94cc4b4e875f11d4cd8cf662f775d6ea92c1614c9bf25c7aac69
Opcode Fuzzy Hash: 305216ee6270591536c0ea09874d666fb8ea8c3091c71aa6540c22cf23c448d2
Instruction Fuzzy Hash: 42A01130028220CFC200AA00C8282A8BB28BB0A202F800080A00E200828E202888CF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0158E630 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2938ade533c6c6a6f35d5d6a117949a309a23411697d9ce2e8f1a4a02f7743e
Instruction ID: 243c7707b7a41c0491bd3208d31455916e6ed741d431fd0fb04ec5b57063569e
Opcode Fuzzy Hash: c2938ade533c6c6a6f35d5d6a117949a309a23411697d9ce2e8f1a4a02f7743e
Instruction Fuzzy Hash: 0112EAF1421B468BD330DF65E5981893BA1B74132AF92420CD2B29FAD8E7F4116EEF44

Uniqueness

Uniqueness Score: -1.00%

Function 0158C1E4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269ac83e9acddafb3a05631bb38e087f7ae067137a9465310b6992606281d837
Instruction ID: f96ece8d1d9e8f4ea189b13d41421e2fdedc2be32cfa5ff34897874845a7c835
Opcode Fuzzy Hash: 269ac83e9acddafb3a05631bb38e087f7ae067137a9465310b6992606281d837
Instruction Fuzzy Hash: 09A13A32E0021A8FCF15EFA5C8449DDBBF2BF85300B15856AE905BF2A1EB75A915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0158E620 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.370062144.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a806e0fbf34f6f9e2b87b545de94cee50aabb969f3fe8bbdf0d11c2bf65874cf
Instruction ID: aea5ffdb83bd42513026db20cfbc090532f12f847979f416e06e1df41da686fa
Opcode Fuzzy Hash: a806e0fbf34f6f9e2b87b545de94cee50aabb969f3fe8bbdf0d11c2bf65874cf
Instruction Fuzzy Hash: 5CC12BB182174A8BD724DF64E9881893BB1FB45325F52420CD1B2AF6D8E7F8106EEF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gsPzUI8EV8RoSMt.exePID: 5636, Parent PID: 5480COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.7%
Total number of Nodes:	557
Total number of Limit Nodes:	66

Executed Functions

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x414a31
				_t6 =  &_a32; // 0x414d72
				_t12 =  &_a8; // 0x414d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x0041a413
0x0041a41f
0x0041a427
0x0041a42c
0x0041a432
0x0041a44d
0x0041a455
0x0041a459

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A44D, 0041A454
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A432, 0041A440

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040ACF0(void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041CC50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041D070(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041D2F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B4A0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040ad0c
0x0040ad0f
0x0040ad14
0x0040ad19
0x0040ad23
0x0040ad28
0x0040ad2b
0x0040ad2d
0x0040ad35
0x0040ad3a
0x0040ad3a
0x0040ad41
0x0040ad49
0x0040ad4c
0x0040ad4e
0x0040ad62
0x00000000
0x0040ad64
0x0040ad6a
0x0040ad1e
0x0040ad1e
0x0040ad1e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041a36f
0x0041a377
0x0041a3ad
0x0041a3b1

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a54f
0x0041a557
0x0041a579
0x0041a57d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A490(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a943
				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a493
0x0041a496
0x0041a49f
0x0041a4a7
0x0041a4b5
0x0041a4b9

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A099A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A099AA

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1754efebc16c082cd6e604d899a70a0a33ff31375d663e8342b5b6888797832
Instruction ID: 82b13dfb72844ecd570884641677cf6ac1ee5f5dd6f48b3b8ce348bec0821d73
Opcode Fuzzy Hash: c1754efebc16c082cd6e604d899a70a0a33ff31375d663e8342b5b6888797832
Instruction Fuzzy Hash: 8B9002A134101442D10061A94418B160405E7E1341F51C415E1054554DC659CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 01A09910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A0991A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b2cf74a7be2db994ef1f44004f87c7369442066799178e2f9423272193f7199
Instruction ID: 0a6d7d3af0e6f0e6a3f69af53bd5d640856c3224ec05587b394d75d927c9cfdb
Opcode Fuzzy Hash: 7b2cf74a7be2db994ef1f44004f87c7369442066799178e2f9423272193f7199
Instruction Fuzzy Hash: 659002B120101402D14071A944087560405A7D0341F51C411A5054554EC6998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A098F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A098FA

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 90681e7cb85e22dc13f44271b4159a87e8354867ee99927102a3780ef95efa14
Instruction ID: 05c019d3dbed0ee7bbd569a7cebbbbb56a1c683e14ffc4c48a5f71399c8e7588
Opcode Fuzzy Hash: 90681e7cb85e22dc13f44271b4159a87e8354867ee99927102a3780ef95efa14
Instruction Fuzzy Hash: 8190026160101502D10171A94408626040AA7D0281F91C422A1014555ECA658992B171

Uniqueness

Uniqueness Score: -1.00%

Function 01A09860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A0986A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2909f5f10ccaa2e5c1379eb3ceead7d7aad9c1b09a8dbe0bb151ce8346b481e
Instruction ID: f0691784b1d8988c16cca2554161c18949e456a1dd86bda2e8aef6cdcd28b8d1
Opcode Fuzzy Hash: b2909f5f10ccaa2e5c1379eb3ceead7d7aad9c1b09a8dbe0bb151ce8346b481e
Instruction Fuzzy Hash: A690027120101413D11161A945087170409A7D0281F91C812A0414558DD6968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 01A09840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A0984A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52b219c13495b01d8daa78d0638225f8027aebb23ae926468a134538c0be1897
Instruction ID: d2a55fda7c0baf032d7fc9aa99a4abcdd47aa0147ccc2cd1bb0e6341cbbec587
Opcode Fuzzy Hash: 52b219c13495b01d8daa78d0638225f8027aebb23ae926468a134538c0be1897
Instruction Fuzzy Hash: 6E900261242051525545B1A944085174406B7E0281791C412A1404950CC5669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 01A09A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A09A2A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3cb2dca20aaf7525b6b794c4655486f058016c1c133e5885d716d2820ab7975d
Instruction ID: 7525e12265868c85a6be1b2dafcc0bebe099e6c8400857817db1e699df4d120a
Opcode Fuzzy Hash: 3cb2dca20aaf7525b6b794c4655486f058016c1c133e5885d716d2820ab7975d
Instruction Fuzzy Hash: A590026160101042414071B988489164405BBE1251751C521A0988550DC599886566A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A09A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A09A0A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9ac4f93fe72303c4b6b9ec16d1f680b9319c08066c723cb767988e0a40f184c
Instruction ID: 54c7666fd31da66a318a0f01216b83ce11f0dd039f6ac1feba9bc5ebd92543de
Opcode Fuzzy Hash: f9ac4f93fe72303c4b6b9ec16d1f680b9319c08066c723cb767988e0a40f184c
Instruction Fuzzy Hash: AD90027120141402D10061A9481871B0405A7D0342F51C411A1154555DC665885175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01A09A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A09A5A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5314dbd205aef5e5007816891d75b04a978e76d61de27779fa1b140c613a3005
Instruction ID: 4feb3de2602c15b4bd6a9499646a7637d85fc51b5ec04e5067f98cc7321a44f9
Opcode Fuzzy Hash: 5314dbd205aef5e5007816891d75b04a978e76d61de27779fa1b140c613a3005
Instruction Fuzzy Hash: 1D90026121181042D20065B94C18B170405A7D0343F51C515A0144554CC95588616561

Uniqueness

Uniqueness Score: -1.00%

Function 01A095D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A095DA

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 852c142b507a9b8906d046005de854c83b3356c367c1d35b79feb4571c1ca907
Instruction ID: 5bc6ccb5071846fe26cd58a1203192b5d47e4319c0ed7adc88d613ecd0bd9aa3
Opcode Fuzzy Hash: 852c142b507a9b8906d046005de854c83b3356c367c1d35b79feb4571c1ca907
Instruction Fuzzy Hash: 179002A120201003410571A94418626440AA7E0241B51C421E1004590DC56588917165

Uniqueness

Uniqueness Score: -1.00%

Function 01A09540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A0954A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3cec21dc5ab01faf8d540837f95257cee06dc58e721892f69d93f4fc9be6191
Instruction ID: 44998fff7f338ace65cb868c2e6c793b4c81efa1a3d95c0283a2034475c32905
Opcode Fuzzy Hash: a3cec21dc5ab01faf8d540837f95257cee06dc58e721892f69d93f4fc9be6191
Instruction Fuzzy Hash: 00900475311010030105F5FD070C5170447F7D53D1351C431F1005550CD771CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 01A097A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A097AA

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f810116bba109062933853e4d9a6554a9d675d43f28891a94a7604ac8d6eeec
Instruction ID: 4fcd09f504b2d758be392b93689dd7979ef5bb84a0331147bfe6eded49e03b7c
Opcode Fuzzy Hash: 2f810116bba109062933853e4d9a6554a9d675d43f28891a94a7604ac8d6eeec
Instruction Fuzzy Hash: 1390047130101003D14071FD541C7174405F7F1341F51D411F0404554CDD55CC577373

Uniqueness

Uniqueness Score: -1.00%

Function 01A09780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A0978A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 772516fd66e238387b176f09bedae145b74f1d7456cbec6677cf778de487bed5
Instruction ID: 879268fc5228208d52a790414264d06348af1ccad1d859d93803001270b1697e
Opcode Fuzzy Hash: 772516fd66e238387b176f09bedae145b74f1d7456cbec6677cf778de487bed5
Instruction Fuzzy Hash: 9F90026921301002D18071A9540C61A0405A7D1242F91D815A0005558CC95588696361

Uniqueness

Uniqueness Score: -1.00%

Function 01A09710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A0971A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c553350de56adeb5b3a13970af413abe5b3642de736d9a24463e512734c869e
Instruction ID: 89dbd704b57a6cfa3f9981d74485be93a23a1304f06350185468e267c9d3470f
Opcode Fuzzy Hash: 7c553350de56adeb5b3a13970af413abe5b3642de736d9a24463e512734c869e
Instruction Fuzzy Hash: 6790027120101402D10065E9540C6560405A7E0341F51D411A5014555EC6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 01A096E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A096EA

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03e780e3334fd3676e0d69020e14990bedb98334bc8f061edd7641b8de429fb0
Instruction ID: 203f6ceb0730a40d302918c7ae8f3c6dc1f59a723a0af2f7f8d0c0a2b7613690
Opcode Fuzzy Hash: 03e780e3334fd3676e0d69020e14990bedb98334bc8f061edd7641b8de429fb0
Instruction Fuzzy Hash: 0B90027120109802D11061A9840875A0405A7D0341F55C811A4414658DC6D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 01A09660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A0966A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e0d8b853680d54c77d0aa64d9f3bd1d1e5a4109e7919482a838ab4157a95345
Instruction ID: 99860a05711616215afb3f26a558d5c01a0a589c897ae03b3ccd3dc89e37be07
Opcode Fuzzy Hash: 6e0d8b853680d54c77d0aa64d9f3bd1d1e5a4109e7919482a838ab4157a95345
Instruction Fuzzy Hash: B790027120101802D18071A9440865A0405A7D1341F91C415A0015654DCA558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409AB0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407EA0(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E004080B0( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041BE10( &_v284, 0x104);
						E0041C480( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe045
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080E0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408160(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409abb
0x00409ac3
0x00409ac5
0x00409aca
0x00409acf
0x00409ae2
0x00409ae7
0x00409af0
0x00409afc
0x00409b0f
0x00409b14
0x00409b17
0x00409b20
0x00409b32
0x00409b37
0x00409b3c
0x00000000
0x00000000
0x00409b3e
0x00409b42
0x00000000
0x00000000
0x00409b44
0x00000000
0x00409b42
0x00409b46
0x00409b49
0x00409b4f
0x00409b51
0x00409b5c
0x00409b61
0x00409b64
0x00409b71
0x00409b7c
0x00409b7e
0x00409b84
0x00409b88
0x00409b8b
0x00409b8b
0x00409b92
0x00409b95
0x00409b9a
0x00409ba7
0x00409ad6
0x00409ad6
0x00409ad6

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x414536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x0041a647
0x0041a652
0x0041a65d
0x0041a661

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A2 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A6A2() {
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;

				_t16 = _t13;
				_pop(_t14);
				asm("rcl dword [ebx-0x16], cl");
				asm("adc [ecx+0x23], dl");
				asm("loopne 0x40");
				_t15 = _t16;
				_t5 =  *((intOrPtr*)(_t15 + 8));
				_push(0xca4cd4a6);
				E0041AF60(_t10,  *((intOrPtr*)(_t15 + 8)),  *((intOrPtr*)(_t15 + 8)) + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess( *(_t15 + 0xc));
			}

0x0041a6a7
0x0041a6a7
0x0041a6a8
0x0041a6ab
0x0041a6ae
0x0041a6b1
0x0041a6b3
0x0041a6bc
0x0041a6ca
0x0041a6d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6e684d20db1a25045f241662727975bf96a27156a884f98a65e9ae65b6c5f98a
Instruction ID: 1c7c4f0c0d8dbaec47f93a81cae665122097aea4bc3235dc74791556a01d188c
Opcode Fuzzy Hash: 6e684d20db1a25045f241662727975bf96a27156a884f98a65e9ae65b6c5f98a
Instruction Fuzzy Hash: A61118B2201108BBDB14DF99CC80EEB77ADAF8C758F158259FA1DA7241C634ED518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E0041BE60( &_v67, 0, 0x3f);
				E0041CA00( &_v68, 3);
				_t12 = E0040ACF0(_a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x0040831f
0x00408323
0x0040832e
0x0040833e
0x0040834e
0x00408353
0x0040835a
0x0040835d
0x0040836a
0x0040836c
0x0040836e
0x0040838b
0x0040838b
0x00000000
0x0040838d
0x00408392

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a67f
0x0041a687
0x0041a69d
0x0041a6a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a7ea
0x0041a800
0x0041a804

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A669 Relevance: 1.5, APIs: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0041A669(char __eax, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t12;
				void* _t17;

				asm("out dx, eax");
				 *0x17ca5f69 = __eax;
				_t9 = _a4;
				_t3 = _t9 + 0xc74; // 0xc74
				E0041AF60(_t17, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t12;
			}

0x0041a669
0x0041a66a
0x0041a673
0x0041a67f
0x0041a687
0x0041a69d
0x0041a6a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 586430b2c08b94c63a17fd2c3710b5ab49dcaa9250e8d12dc24b617e9eb43f50
Instruction ID: 363509257564cd739b0742c38b21b455962b6bc85c775f4afc3dd0d6373ef687
Opcode Fuzzy Hash: 586430b2c08b94c63a17fd2c3710b5ab49dcaa9250e8d12dc24b617e9eb43f50
Instruction Fuzzy Hash: 91E026F81142854FDB00EF69D8C089737D2EF85314725895BE84C87307C138C42A8771

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A6B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a6b3
0x0041a6ca
0x0041a6d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000001.00000002.414573868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_gsPzUI8EV8RoSMt.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 01A0967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A09694

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5021f497aecd378204d9095eb98f46beeadd561f003bc0abe27e4ed301acf9cf
Instruction ID: 33fee5871208294b01f492fd1f401286588f335a02d64deaefcaeec3c5ccf1f2
Opcode Fuzzy Hash: 5021f497aecd378204d9095eb98f46beeadd561f003bc0abe27e4ed301acf9cf
Instruction Fuzzy Hash: B9B092B29024D5CAEA12E7B45A0CB2B7E00BBD0745F26C562E2060685F8778C091F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A7B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

*** enter .cxr %p for the context, xrefs: 01A7B50D
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A7B38F
an invalid address, %p, xrefs: 01A7B4CF
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A7B484
Go determine why that thread has not released the critical section., xrefs: 01A7B3C5
*** Inpage error in %ws:%s, xrefs: 01A7B418
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01A7B2F3
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A7B2DC
This failed because of error %Ix., xrefs: 01A7B446
The instruction at %p tried to %s , xrefs: 01A7B4B6
write to, xrefs: 01A7B4A6
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A7B47D
*** then kb to get the faulting stack, xrefs: 01A7B51C
read from, xrefs: 01A7B4AD, 01A7B4B2
<unknown>, xrefs: 01A7B27E, 01A7B2D1, 01A7B350, 01A7B399, 01A7B417, 01A7B48E
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A7B53F
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A7B39B
The resource is owned exclusively by thread %p, xrefs: 01A7B374
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A7B323
The instruction at %p referenced memory at %p., xrefs: 01A7B432
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A7B3D6
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A7B314
The resource is owned shared by %d threads, xrefs: 01A7B37E
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A7B476
*** Resource timeout (%p) in %ws:%s, xrefs: 01A7B352
*** An Access Violation occurred in %ws:%s, xrefs: 01A7B48F
a NULL pointer, xrefs: 01A7B4E0
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A7B305
*** enter .exr %p for the exception record, xrefs: 01A7B4F1
The critical section is owned by thread %p., xrefs: 01A7B3B9

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 0bfda4903c4ee567362f175a6fe9001bcf5510ac42ed990b6e268c0621342865
Instruction ID: 92f009080db9b12d3c0e3c43f93d7502787e1bc3734235ede2a79efdb4a0d558
Opcode Fuzzy Hash: 0bfda4903c4ee567362f175a6fe9001bcf5510ac42ed990b6e268c0621342865
Instruction Fuzzy Hash: 248154B5A04200FFDB216B4ACE89DBB3F76EF96B55F440048F9092B112D3719641CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 01A81C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01A81C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x19a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E019CB150();
				} else {
					E019CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1ab589c);
				E019CB150("Heap error detected at %p (heap handle %p)\n",  *0x1ab58a0);
				_t27 =  *0x1ab5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01A81E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E019CB150();
				} else {
					E019CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E019CB150("Error code: %d - %s\n",  *0x1ab5898);
				_t113 =  *0x1ab58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019CB150();
					} else {
						E019CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E019CB150("Parameter1: %p\n",  *0x1ab58a4);
				}
				_t115 =  *0x1ab58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019CB150();
					} else {
						E019CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E019CB150("Parameter2: %p\n",  *0x1ab58a8);
				}
				_t117 =  *0x1ab58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019CB150();
					} else {
						E019CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E019CB150("Parameter3: %p\n",  *0x1ab58ac);
				}
				_t119 =  *0x1ab58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019CB150();
					} else {
						E019CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1ab58b4);
					E019CB150("Last known valid blocks: before - %p, after - %p\n",  *0x1ab58b0);
				} else {
					_t120 =  *0x1ab58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E019CB150();
				} else {
					E019CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E019CB150("Stack trace available at %p\n", 0x1ab58c0);
			}

0x01a81c10
0x01a81c16
0x01a81c1e
0x01a81c3d
0x01a81c3e
0x01a81c20
0x01a81c35
0x01a81c3a
0x01a81c44
0x01a81c55
0x01a81c5a
0x01a81c65
0x01a81c67
0x00000000
0x01a81c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01a81c67
0x01a81cdc
0x01a81ce5
0x01a81d04
0x01a81d05
0x01a81ce7
0x01a81cfc
0x01a81d01
0x01a81d0b
0x01a81d17
0x01a81d1f
0x01a81d25
0x01a81d30
0x01a81d4f
0x01a81d50
0x01a81d32
0x01a81d47
0x01a81d4c
0x01a81d61
0x01a81d67
0x01a81d68
0x01a81d6e
0x01a81d79
0x01a81d98
0x01a81d99
0x01a81d7b
0x01a81d90
0x01a81d95
0x01a81daa
0x01a81db0
0x01a81db1
0x01a81db7
0x01a81dc2
0x01a81de1
0x01a81de2
0x01a81dc4
0x01a81dd9
0x01a81dde
0x01a81df3
0x01a81df9
0x01a81dfa
0x01a81e00
0x01a81e0a
0x01a81e13
0x01a81e32
0x01a81e33
0x01a81e15
0x01a81e2a
0x01a81e2f
0x01a81e39
0x01a81e4a
0x01a81e02
0x01a81e02
0x01a81e08
0x00000000
0x00000000
0x01a81e08
0x01a81e5b
0x01a81e7a
0x01a81e7b
0x01a81e5d
0x01a81e72
0x01a81e77
0x01a81e95

Strings

heap_failure_cross_heap_operation, xrefs: 01A81CC2
heap_failure_freelists_corruption, xrefs: 01A81CC9
heap_failure_invalid_argument, xrefs: 01A81CAD
heap_failure_lfh_bitmap_mismatch, xrefs: 01A81CD7
HEAP: , xrefs: 01A81C16, 01A81C3D, 01A81D04, 01A81D4F, 01A81D98, 01A81DE1, 01A81E32, 01A81E7A
heap_failure_usage_after_free, xrefs: 01A81CBB
heap_failure_buffer_underrun, xrefs: 01A81C9F
heap_failure_block_not_busy, xrefs: 01A81CA6
Parameter2: %p, xrefs: 01A81DA5
Parameter1: %p, xrefs: 01A81D5C
HEAP[%wZ]: , xrefs: 01A81C30, 01A81CF7, 01A81D42, 01A81D8B, 01A81DD4, 01A81E25, 01A81E6D
heap_failure_internal, xrefs: 01A81C6E
heap_failure_invalid_allocation_type, xrefs: 01A81CB4
Parameter3: %p, xrefs: 01A81DEE
heap_failure_virtual_block_corruption, xrefs: 01A81C91
Error code: %d - %s, xrefs: 01A81D12
Stack trace available at %p, xrefs: 01A81E86
Last known valid blocks: before - %p, after - %p, xrefs: 01A81E45
Heap error detected at %p (heap handle %p), xrefs: 01A81C50
heap_failure_generic, xrefs: 01A81C7C
heap_failure_multiple_entries_corruption, xrefs: 01A81C8A
heap_failure_buffer_overrun, xrefs: 01A81C98
heap_failure_unknown, xrefs: 01A81C75
heap_failure_listentry_corruption, xrefs: 01A81CD0
heap_failure_entry_corruption, xrefs: 01A81C83

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 2da6bf26a97df6ab5034ee43036abe4fdce304354727dd0c987fd03a0caac74f
Instruction ID: bf5da9ada3702a3aad6eae6f81c07774cec8f02cfef7eb7f97d3c176a1ded86b
Opcode Fuzzy Hash: 2da6bf26a97df6ab5034ee43036abe4fdce304354727dd0c987fd03a0caac74f
Instruction Fuzzy Hash: 9D61D136911285DFD622BB89D5C6EB0B7F8FB84D60B0D806EF40F5B311D6649C468B0A

Uniqueness

Uniqueness Score: -1.00%

Function 019D3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E019D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E019D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E019D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E019D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E019D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E019D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L019E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E01A0F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01A11370(_t276, 0x19a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E01A0BB40(0,  &_v68, _t170);
									if(L019D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E01A0BB40(_t257,  &_v68, _t243);
								if(L019D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01A11370(_t278, 0x19a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L019E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E01A0F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01A11370(_v16, 0x19a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E01A0BB40(_t262,  &_v68, _t244);
								if(L019D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01A11370(_t282, 0x19a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E01A0BB40(_t262,  &_v68, _t201);
							if(L019D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L019E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E01A0F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01A11370(_t280, 0x19a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E01A0BB40(_t267,  &_v68, _t245);
							if(L019D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01A11370(_t284, 0x19a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E01A0BB40(_t267,  &_v68, _t224);
						if(L019D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x019d3d3c
0x019d3d42
0x019d3d44
0x019d3d46
0x019d3d49
0x019d3d4c
0x019d3d4f
0x019d3d52
0x019d3d55
0x019d3d58
0x019d3d5b
0x019d3d5f
0x019d3d61
0x019d3d66
0x01a28213
0x01a28218
0x019d4085
0x019d4088
0x019d408e
0x019d4094
0x019d409a
0x019d40a0
0x019d40a6
0x019d40a9
0x019d40af
0x019d40b6
0x019d40bd
0x019d40bd
0x019d3d83
0x01a2821f
0x01a28229
0x01a28238
0x01a28238
0x01a2823d
0x01a2823d
0x019d3da0
0x019d3daf
0x019d3db5
0x019d3dba
0x019d3dba
0x019d3dd4
0x019d3e94
0x019d3eab
0x019d3f6d
0x019d3f84
0x019d406b
0x019d406b
0x019d406e
0x019d406e
0x019d4070
0x019d4074
0x01a28351
0x01a28351
0x019d407a
0x019d407f
0x01a2835d
0x01a28370
0x01a28377
0x01a28379
0x01a2837c
0x01a2837c
0x01a2835d
0x00000000
0x019d407f
0x019d3f8a
0x019d3f8d
0x019d3f90
0x019d3f95
0x01a2830d
0x01a2830f
0x019d3f9b
0x019d3fac
0x019d3fae
0x019d3fb1
0x019d3fb1
0x019d3fb6
0x01a28317
0x01a2831a
0x00000000
0x019d3fbc
0x019d3fc1
0x019d3fc9
0x019d3fd7
0x019d3fda
0x019d3fdd
0x019d4021
0x019d4021
0x019d4029
0x019d4030
0x019d4044
0x019d4046
0x019d4046
0x019d4044
0x019d4049
0x01a28327
0x01a28334
0x01a28339
0x01a2833c
0x019d404f
0x019d404f
0x019d404f
0x019d4051
0x019d4056
0x019d4063
0x019d4063
0x019d4068
0x00000000
0x019d4068
0x019d3fdf
0x019d3fe2
0x019d3fe4
0x019d3fe7
0x019d3fef
0x019d4003
0x019d4005
0x019d4005
0x019d400c
0x019d4013
0x019d4016
0x019d4017
0x019d401b
0x019d401e
0x00000000
0x019d401e
0x019d3fb6
0x019d3eb1
0x019d3eb4
0x019d3eb7
0x019d3ebc
0x01a282a9
0x01a282ab
0x019d3ec2
0x019d3ed3
0x019d3ed5
0x019d3ed8
0x019d3ed8
0x019d3edd
0x01a282b3
0x01a282b6
0x00000000
0x019d3ee3
0x019d3ee8
0x019d3eed
0x019d3ef0
0x019d3ef3
0x019d3f02
0x019d3f05
0x019d3f08
0x01a282c0
0x01a282c3
0x01a282c5
0x01a282c8
0x01a282d0
0x01a282e4
0x01a282e6
0x01a282e6
0x01a282ed
0x01a282f4
0x01a282f7
0x01a282f8
0x01a282fc
0x01a282ff
0x01a282ff
0x019d3f0e
0x019d3f11
0x019d3f16
0x019d3f1d
0x019d3f31
0x01a28307
0x01a28307
0x019d3f31
0x019d3f39
0x019d3f48
0x019d3f4d
0x019d3f50
0x019d3f50
0x019d3f53
0x019d3f58
0x019d3f65
0x019d3f65
0x019d3f6a
0x00000000
0x019d3f6a
0x019d3edd
0x019d3dda
0x019d3ddd
0x019d3de0
0x019d3de5
0x01a28245
0x019d3deb
0x019d3df7
0x019d3dfc
0x019d3dfe
0x019d3e01
0x019d3e01
0x019d3e06
0x01a2824d
0x01a2824f
0x01a28254
0x00000000
0x019d3e0c
0x019d3e11
0x019d3e16
0x019d3e19
0x019d3e29
0x019d3e2c
0x019d3e2f
0x01a2825c
0x01a2825f
0x01a28261
0x01a28264
0x01a2826c
0x01a28280
0x01a28282
0x01a28282
0x01a28289
0x01a28290
0x01a28293
0x01a28294
0x01a28298
0x01a2829b
0x01a2829b
0x019d3e35
0x019d3e38
0x019d3e3d
0x019d3e44
0x019d3e58
0x01a282a3
0x01a282a3
0x019d3e58
0x019d3e60
0x019d3e6f
0x019d3e74
0x019d3e77
0x019d3e77
0x019d3e7a
0x019d3e7f
0x019d3e8c
0x019d3e8c
0x019d3e91
0x00000000
0x019d3e91

Strings

Kernel-MUI-Language-SKU, xrefs: 019D3F70
Kernel-MUI-Language-Disallowed, xrefs: 019D3E97
Kernel-MUI-Number-Allowed, xrefs: 019D3D8C
Kernel-MUI-Language-Allowed, xrefs: 019D3DC0
WindowsExcludedProcs, xrefs: 019D3D6F

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 81b64f0d184b44f151088ce7552d9a8428d4ffdcd4e30e266490ea5cf347fe9e
Instruction ID: b2ac988691ff194e4e708543389552cb90a36fb911d09ad51925130ab8887bf5
Opcode Fuzzy Hash: 81b64f0d184b44f151088ce7552d9a8428d4ffdcd4e30e266490ea5cf347fe9e
Instruction Fuzzy Hash: B5F15B72D00619EFCB16DF98C980EEEBBF9FF58650F14446AE909A7650D7749E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019F8E00 Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E019F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1abd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1ab8464; // 0x76690110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1ab5780 & 0x00000003) != 0) {
							E01A45510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1ab5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E01A0B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1ab7984; // 0x1562b80
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1ab8464; // 0x76690110
					 *0x1abb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E019F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1ab5780 & 0x00000005) != 0) {
						_push(_t49);
						E01A45510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x019f8e0f
0x019f8e16
0x019f8e19
0x019f8e1b
0x019f8e21
0x019f8e7f
0x019f8e85
0x01a39354
0x01a3936c
0x01a39371
0x01a3937b
0x01a39381
0x01a39381
0x01a3937b
0x019f8e9d
0x019f8e9d
0x019f8e29
0x019f8e2c
0x019f8e38
0x019f8e3e
0x019f8e43
0x019f8eb5
0x019f8eb9
0x01a392aa
0x01a392af
0x01a392e8
0x01a392e8
0x01a392af
0x019f8eb9
0x019f8e45
0x019f8e53
0x019f8e5b
0x019f8e5f
0x019f8e78
0x019f8e78
0x019f8e7d
0x019f8ec3
0x019f8ecd
0x019f8ed2
0x019f8ed2
0x019f8ec5
0x019f8ec5
0x00000000
0x019f8e7d
0x019f8e67
0x019f8ea4
0x01a3931a
0x00000000
0x00000000
0x01a39320
0x019f8ea4
0x019f8e70
0x01a39325
0x01a39340
0x01a39345
0x01a39345
0x019f8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 01A39357
LdrpFindDllActivationContext, xrefs: 01A39331, 01A3935D
minkernel\ntdll\ldrsnap.c, xrefs: 01A3933B, 01A39367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 01A3932A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: f88217b0c814ca63364536fc2bc499d31e8944bee183d0ffde7ccfb8c311df7f
Instruction ID: f2272a17c33642792d5e712ed87c312ea732625fef4865d8cbcd001796c75b51
Opcode Fuzzy Hash: f88217b0c814ca63364536fc2bc499d31e8944bee183d0ffde7ccfb8c311df7f
Instruction Fuzzy Hash: BD411776A00315BFDBB6BE1C9C8DB7A7AA8AB41349F09456DEB1C57152E7707C8083C1

Uniqueness

Uniqueness Score: -1.00%

Function 019D8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E019D8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E019D934A() != 0) {
								_t159 = E01A4A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1ab5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01A45510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1ab5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E019D849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E019D8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E019D8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1ab5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1ab5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E019E2280(_t92, 0x1ab86cc);
															_t94 = E01A99DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E019F61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1ab5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E019D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1ab5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1ab5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E01A0F380(_t136, 0x19a1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E019E2280(_t108, 0x1ab86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E019F61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01A99D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E019DFFB0(_t118, _t156, 0x1ab86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01A09A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x019d8799
0x019d879d
0x019d87a1
0x019d87a3
0x019d87a8
0x019d87c3
0x019d87c3
0x019d87c8
0x019d87d1
0x019d87d4
0x019d87d8
0x019d87e5
0x019d87ec
0x01a29bfe
0x01a29c00
0x01a29c02
0x01a29c08
0x01a29c0d
0x01a29c0f
0x01a29c14
0x01a29c2d
0x01a29c32
0x01a29c37
0x01a29c3a
0x01a29c3c
0x01a29c42
0x01a29c42
0x01a29c3c
0x01a29c02
0x019d87da
0x019d87df
0x019d87e3
0x00000000
0x00000000
0x019d87e3
0x019d87f2
0x00000000
0x019d87fb
0x019d87fd
0x019d87fe
0x019d880e
0x019d880f
0x019d8810
0x019d8814
0x019d881a
0x019d881c
0x019d881f
0x019d8821
0x019d8822
0x019d8824
0x019d8826
0x019d882c
0x019d882e
0x01a29c48
0x01a29c48
0x019d8834
0x019d8834
0x019d8837
0x00000000
0x00000000
0x019d8837
0x019d882e
0x019d883d
0x019d8840
0x019d8843
0x019d8846
0x019d8849
0x019d884c
0x019d884e
0x019d8850
0x019d8852
0x019d8854
0x019d8857
0x019d88b4
0x019d88b6
0x019d88b6
0x019d8859
0x019d8859
0x019d8859
0x019d8861
0x019d8866
0x019d886a
0x019d893d
0x019d8941
0x00000000
0x019d8947
0x019d8947
0x019d894a
0x019d894c
0x00000000
0x019d8952
0x019d8955
0x019d895a
0x019d895d
0x019d895d
0x019d895f
0x019d8961
0x019d8961
0x019d8968
0x00000000
0x00000000
0x019d896a
0x019d896b
0x019d896e
0x00000000
0x019d8970
0x019d8970
0x019d8970
0x019d8970
0x019d8972
0x019d8972
0x019d8974
0x00000000
0x019d897a
0x019d897a
0x019d897d
0x00000000
0x019d8983
0x01a29c65
0x01a29c6d
0x01a29c72
0x01a29c75
0x01a29c75
0x01a29c82
0x01a29c86
0x01a29c87
0x01a29c88
0x01a29c89
0x01a29c8c
0x01a29c90
0x01a29c95
0x01a29c97
0x01a29ca0
0x01a29ca3
0x01a29ca9
0x01a29ca9
0x00000000
0x01a29ca9
0x01a29ca3
0x00000000
0x01a29c97
0x019d897d
0x00000000
0x019d8974
0x019d8988
0x019d8992
0x019d8996
0x00000000
0x019d8996
0x019d894c
0x00000000
0x019d8870
0x019d887b
0x019d887d
0x019d887f
0x019d8881
0x019d8884
0x019d8884
0x019d8886
0x019d8889
0x019d888c
0x019d888e
0x019d8891
0x019d8891
0x019d8898
0x00000000
0x00000000
0x019d889a
0x019d889b
0x019d889e
0x00000000
0x00000000
0x019d88a0
0x019d88a8
0x019d88b0
0x019d88b2
0x019d88d3
0x019d88d5
0x00000000
0x019d88d7
0x019d88db
0x019d88dc
0x019d88e0
0x019d88e8
0x019d88ee
0x019d88f0
0x019d88f3
0x019d88fc
0x019d8901
0x019d8906
0x019d890c
0x019d890c
0x019d890f
0x019d8916
0x019d8917
0x019d8918
0x019d8919
0x019d891a
0x019d891f
0x019d8921
0x01a29c52
0x01a29c55
0x01a29c5b
0x01a29cac
0x01a29cc0
0x01a29cc0
0x01a29c55
0x019d8927
0x019d8927
0x019d892f
0x019d8933
0x00000000
0x019d88f5
0x019d88f5
0x00000000
0x019d88f7
0x019d88f7
0x019d88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x019d88fa
0x019d88f5
0x019d88f3
0x00000000
0x019d88d5
0x00000000
0x019d88b2
0x019d88c9
0x00000000
0x019d88c9
0x019d887f
0x019d886a
0x019d8857
0x019d8852
0x019d88bf
0x019d88bf
0x019d87aa
0x019d87ad
0x019d87ae
0x019d87b4
0x019d87b5
0x019d87b6
0x019d87b8
0x019d87bd
0x019d87c1
0x019d87f4
0x019d87fa
0x00000000
0x00000000
0x00000000
0x019d87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01A29C28
LdrpDoPostSnapWork, xrefs: 01A29C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01A29C18

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 3dcd1fbc04343627ef7e40680906319d18071236d18d650e0766758c7d3e96e3
Instruction ID: f3bbd4d126f52199a8969c24e33984567088d4b2c2bab5968a419dc1680ef52d
Opcode Fuzzy Hash: 3dcd1fbc04343627ef7e40680906319d18071236d18d650e0766758c7d3e96e3
Instruction Fuzzy Hash: EE911271A00216AFEF19DF5DD4C1ABAB7B9FF84315F458069E909AB242E730ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019D7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E019D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E019DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E019CC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1ab5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01A45510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1ab5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E019E7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E019E7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01A47016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E019E7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E019E7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01A47016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E019FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E019CB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x019d7e4c
0x019d7e50
0x019d7e55
0x019d7e58
0x019d7e5d
0x019d7e71
0x019d7f33
0x019d7e77
0x019d7e77
0x019d7e79
0x019d7e79
0x019d7e7e
0x019d7f45
0x01a29848
0x00000000
0x01a29848
0x019d7f4e
0x019d7f53
0x019d7f5a
0x00000000
0x00000000
0x01a2985a
0x01a29862
0x01a29866
0x00000000
0x01a2986c
0x00000000
0x01a2986c
0x019d7e84
0x019d7e84
0x019d7e8d
0x01a29871
0x019d7eb8
0x019d7ec0
0x019d7ec0
0x019d7e9a
0x01a2987e
0x00000000
0x00000000
0x01a29884
0x01a2988b
0x01a298a7
0x01a298ac
0x01a298b1
0x01a298b6
0x01a298b8
0x01a298b8
0x01a298b9
0x00000000
0x01a298b9
0x019d7ea0
0x019d7ea7
0x00000000
0x00000000
0x019d7eac
0x019d7eb1
0x019d7ec6
0x019d7ed0
0x01a298cc
0x019d7ed6
0x019d7ed6
0x019d7ed6
0x019d7ede
0x019d7ee3
0x01a298e3
0x01a298f0
0x01a29902
0x01a298f2
0x01a298fb
0x01a298fb
0x01a29907
0x01a2991d
0x01a2991d
0x01a29907
0x01a298e3
0x019d7ef0
0x019d7f14
0x019d7f14
0x019d7f1e
0x01a29946
0x019d7f24
0x019d7f24
0x019d7f24
0x019d7f2c
0x01a2996a
0x01a29975
0x01a29975
0x01a2997e
0x01a29993
0x01a29993
0x01a2997e
0x00000000
0x019d7ef2
0x019d7efc
0x019d7f0a
0x019d7f0e
0x01a29933
0x00000000
0x01a29933
0x00000000
0x019d7f0e
0x00000000
0x00000000
0x00000000
0x019d7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01A29891
minkernel\ntdll\ldrmap.c, xrefs: 01A298A2
LdrpCompleteMapModule, xrefs: 01A29898

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: cdb5c2fd95e65241e6e1e60ab5f4310173902904535a0e5cec88e0bdbb01895b
Instruction ID: 3ba3b5a8aa80fc95ed944423314873172ab12669ddde673aade3fd778149d29a
Opcode Fuzzy Hash: cdb5c2fd95e65241e6e1e60ab5f4310173902904535a0e5cec88e0bdbb01895b
Instruction Fuzzy Hash: D7511231A00755DBE72ACBACC944B2A7BE4EB40718F044699E9599B7E2C770FD00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 019CE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E019CE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E019CF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E01A095D0();
						}
						if(_t78 != 0) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E01A0FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E01A0BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01A09600();
					if(_t97 < 0) {
						goto L6;
					}
					E01A0BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L019CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E01A0BB40(_t83, _t102 + 0x24, _t78);
								if(L019D43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E01A0BB40(_t84, _t102 + 0x24, _t94);
									if(L019D43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x019ce620
0x019ce628
0x019ce62f
0x019ce631
0x019ce635
0x019ce637
0x019ce63e
0x01a25503
0x01a25503
0x019ce64c
0x019ce64c
0x019ce651
0x00000000
0x00000000
0x019ce661
0x019ce665
0x01a2542a
0x019ce715
0x019ce71a
0x019ce71c
0x019ce720
0x019ce720
0x019ce727
0x019ce736
0x019ce736
0x019ce743
0x019ce743
0x019ce673
0x019ce678
0x019ce67d
0x019ce682
0x019ce685
0x019ce692
0x019ce69b
0x019ce6a3
0x019ce6ad
0x019ce6b1
0x019ce6b2
0x019ce6bb
0x019ce6bf
0x019ce6c0
0x019ce6c8
0x019ce6cc
0x019ce6d5
0x019ce6d9
0x00000000
0x00000000
0x019ce6e5
0x019ce6ea
0x019ce6f9
0x019ce70b
0x019ce70f
0x01a25439
0x01a2545e
0x01a2545e
0x00000000
0x01a2545e
0x01a2543b
0x01a2543e
0x01a25440
0x01a25445
0x01a25472
0x01a25475
0x01a2548d
0x01a25493
0x01a254a9
0x00000000
0x00000000
0x01a254ab
0x01a254b4
0x01a254bc
0x01a254c8
0x01a254de
0x01a254fb
0x01a254e0
0x01a254e6
0x01a254eb
0x01a254eb
0x01a254de
0x00000000
0x01a254bc
0x01a25477
0x01a2547a
0x01a25480
0x01a25483
0x01a25486
0x01a2548b
0x00000000
0x00000000
0x00000000
0x01a2548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01a25447
0x01a25447
0x01a25447
0x01a25447
0x01a2544e
0x00000000
0x00000000
0x01a25450
0x01a25452
0x01a25455
0x01a2545a
0x00000000
0x00000000
0x00000000
0x01a2545c
0x01a2546a
0x01a2546d
0x01a2546f
0x00000000
0x01a2546f
0x019ce70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 019CE68C
@, xrefs: 019CE6C0
InstallLanguageFallback, xrefs: 019CE6DB

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 39a3b335b4792a39dea991091add32f773b6908d7907bbfb22bf8fc81cea042c
Instruction ID: fb9524b12d3bce7e49abb26a37330f7be1d21fa90227acd035e792660ff30999
Opcode Fuzzy Hash: 39a3b335b4792a39dea991091add32f773b6908d7907bbfb22bf8fc81cea042c
Instruction Fuzzy Hash: 2A51E6769083169BD715DF68C440AABB7E9BF88714F05092EF989D7241F734DD04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A8E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01A8E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E01A8BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E01A8BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E01A8AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01A09730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E01A8A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E01A8A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01A09730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E01A8A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E01A8A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E019E2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E019DB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E019DFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E019E7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E01A7FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x01a8e547
0x01a8e549
0x01a8e54f
0x01a8e553
0x01a8e557
0x01a8e55a
0x01a8e55c
0x01a8e55f
0x01a8e561
0x01a8e567
0x01a8e56b
0x01a8e7e2
0x00000000
0x01a8e571
0x01a8e575
0x01a8e577
0x01a8e57b
0x01a8e57c
0x01a8e57d
0x01a8e57e
0x01a8e57f
0x01a8e588
0x01a8e58f
0x01a8e591
0x01a8e592
0x01a8e592
0x01a8e596
0x01a8e59e
0x01a8e5a0
0x01a8e5a6
0x01a8e61d
0x01a8e61d
0x01a8e621
0x01a8e623
0x01a8e630
0x01a8e630
0x01a8e7e6
0x01a8e7eb
0x01a8e7ed
0x01a8e7f4
0x01a8e7fa
0x01a8e7ff
0x01a8e7ff
0x01a8e80a
0x01a8e812
0x01a8e812
0x01a8e5ab
0x01a8e5b4
0x01a8e5b9
0x01a8e5be
0x01a8e5c0
0x01a8e5c2
0x01a8e5c8
0x01a8e5c9
0x01a8e5cb
0x01a8e5cc
0x01a8e5d5
0x01a8e5e4
0x01a8e5f1
0x01a8e5f8
0x01a8e5f8
0x01a8e5d5
0x01a8e602
0x01a8e616
0x01a8e63d
0x01a8e644
0x01a8e64d
0x01a8e652
0x01a8e657
0x01a8e659
0x01a8e65b
0x01a8e661
0x01a8e662
0x01a8e664
0x01a8e665
0x01a8e66e
0x01a8e67d
0x01a8e68a
0x01a8e691
0x01a8e691
0x01a8e66e
0x01a8e6b0
0x00000000
0x01a8e6b6
0x01a8e6bd
0x01a8e6c7
0x01a8e6d7
0x01a8e6d9
0x01a8e6db
0x01a8e6de
0x01a8e6e3
0x01a8e6f3
0x01a8e6fc
0x01a8e700
0x01a8e700
0x01a8e704
0x01a8e70a
0x01a8e70a
0x01a8e713
0x01a8e716
0x01a8e719
0x01a8e720
0x01a8e761
0x01a8e76b
0x01a8e774
0x01a8e77a
0x01a8e77a
0x01a8e78a
0x01a8e791
0x01a8e799
0x01a8e79b
0x01a8e79f
0x01a8e7aa
0x01a8e7c0
0x01a8e7ac
0x01a8e7b2
0x01a8e7b9
0x01a8e7b9
0x01a8e7c7
0x01a8e806
0x00000000
0x01a8e7c9
0x01a8e7d1
0x01a8e7d8
0x00000000
0x01a8e7d8
0x00000000
0x00000000
0x01a8e722
0x01a8e72e
0x01a8e748
0x01a8e74c
0x01a8e754
0x01a8e756
0x01a8e75c
0x01a8e75c
0x00000000
0x01a8e75c
0x01a8e758
0x01a8e758
0x00000000
0x01a8e758
0x01a8e750
0x00000000
0x00000000
0x01a8e752
0x00000000
0x01a8e752
0x01a8e730
0x01a8e735
0x01a8e73d
0x01a8e73f
0x00000000
0x00000000
0x01a8e741
0x01a8e741
0x00000000
0x01a8e741
0x01a8e739
0x00000000
0x00000000
0x01a8e73b
0x00000000
0x01a8e73b
0x01a8e722
0x01a8e720
0x01a8e6b0
0x01a8e618
0x00000000
0x01a8e618

Strings

`, xrefs: 01A8E670
`, xrefs: 01A8E5D7

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: ce7f3748d09419f06a726abd88647a6f17f89fe0ebb0583328491752085b5175
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 979180316043429FE725EF29C945B1BBBE5BF84714F18892DF6A9CB280E774E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01A451BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01A451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x1aa05f0);
				E01A1D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E019DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E01A453CA(0);
						return E01A1D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E01A0F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E019E3690(1, _t117, 0x19a1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E01A0AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L019E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E01A0AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E01A4500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01A09860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x01a451be
0x01a451c3
0x01a451c8
0x01a451cd
0x01a451d0
0x01a451d3
0x01a451d8
0x01a451db
0x01a451de
0x01a451e0
0x01a451e3
0x01a451e6
0x01a451e8
0x01a45342
0x01a45351
0x01a45356
0x01a4535a
0x01a45360
0x01a45363
0x01a45366
0x01a45369
0x01a45369
0x01a4536b
0x01a4536b
0x01a45370
0x01a453a3
0x01a453a4
0x01a453a6
0x01a453ab
0x01a453ab
0x01a453ae
0x01a453ae
0x01a453b5
0x01a453bf
0x01a453bf
0x01a45375
0x01a45396
0x01a453a0
0x01a453a0
0x00000000
0x01a45396
0x01a45377
0x01a45379
0x01a4537f
0x01a4538c
0x01a45390
0x00000000
0x01a45390
0x01a451ee
0x01a451f1
0x01a45301
0x01a45310
0x01a45315
0x01a45318
0x01a4531b
0x01a45320
0x01a4532e
0x01a45331
0x00000000
0x01a45331
0x01a45328
0x01a45329
0x00000000
0x01a45329
0x01a451fa
0x01a45235
0x01a45236
0x01a45239
0x01a4523f
0x01a45240
0x01a45241
0x01a45242
0x01a45246
0x01a45247
0x01a4524e
0x01a45251
0x01a45267
0x01a45269
0x01a4526e
0x01a4527d
0x01a4527e
0x01a45281
0x01a45282
0x01a45287
0x01a45288
0x01a4528a
0x01a4528f
0x01a45294
0x00000000
0x00000000
0x01a4529a
0x01a4529c
0x01a4529e
0x01a4529e
0x01a452a4
0x01a452b0
0x00000000
0x00000000
0x01a452ba
0x01a452bc
0x01a452bc
0x01a452d4
0x01a452d9
0x01a452dc
0x01a452e1
0x00000000
0x00000000
0x01a452e7
0x01a452f4
0x00000000
0x01a452f4
0x01a45270
0x00000000
0x01a45270
0x01a451fc
0x01a451fd
0x01a45202
0x01a45203
0x01a45205
0x01a4520a
0x01a4520f
0x00000000
0x00000000
0x01a4521b
0x01a45226
0x01a4522b
0x01a4521d
0x01a4521d
0x01a45222
0x01a45222
0x01a4522d
0x00000000

Strings

Legacy, xrefs: 01A45226
UEFI, xrefs: 01A4521D

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: d61bbd7f8d6ebc54dfdd400102e6586503abec5a5c39a839e46405d95be5a844
Instruction ID: 2c57bd4aa927dc1b847cafc67a1ed1b5eb2b2b25127d4559272d6f066e51ab72
Opcode Fuzzy Hash: d61bbd7f8d6ebc54dfdd400102e6586503abec5a5c39a839e46405d95be5a844
Instruction Fuzzy Hash: 0E514D71E007199FDB25DFA9C950AAEBBF8FF88700F14406DE649EB291D671E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019EB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E019EB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1abd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E019E7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01A98CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01A09E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E01A0B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E01A0CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E019E7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01A98F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E01A0AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1ab8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x1ab862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1ab8628; // 0x0
							_t116 =  *0x1ab862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x019eb94c
0x019eb956
0x019eb95c
0x019eb95e
0x019eb964
0x019eb969
0x019eb96d
0x019eb96d
0x019eb970
0x019eb974
0x019eb97a
0x019ebadf
0x019ebadf
0x019ebae2
0x019ebae4
0x019ebae6
0x019ebaf0
0x01a32cb8
0x019ebaf6
0x019ebaf6
0x019ebaf6
0x019ebafd
0x019ebb1f
0x019ebb1f
0x019ebaff
0x019ebb00
0x019ebb00
0x019ebb03
0x019ebb03
0x019ebacb
0x019ebacf
0x019ebad0
0x019ebad1
0x019ebadc
0x019ebadc
0x019eb980
0x019eb980
0x019eb988
0x019eb98b
0x019eb98d
0x019eb990
0x019eb993
0x019eb999
0x019eb99b
0x019eb9a1
0x019eb9a5
0x019eb9aa
0x019eb9b0
0x019eb9bb
0x019eb9c0
0x019eb9c3
0x019eb9ca
0x019eb9cc
0x019eb9cf
0x019eb9d3
0x019eb9d7
0x019eba94
0x019eba94
0x019eba98
0x019ebaa3
0x01a32ccb
0x019ebaa9
0x019ebaa9
0x019ebaa9
0x019ebab1
0x01a32cd5
0x01a32cdd
0x01a32cdd
0x019ebabb
0x019ebabc
0x019ebac2
0x019ebac3
0x019ebac3
0x019ebac6
0x00000000
0x019eb9dd
0x019eb9dd
0x019eb9e7
0x019eb9e7
0x019eb9ec
0x019eb9ec
0x019eb9f1
0x019eb9f5
0x019eb9fa
0x019eba00
0x019eba0c
0x019eba10
0x019eba10
0x019eba12
0x019eba18
0x00000000
0x00000000
0x019ebb26
0x019ebb26
0x019eba1e
0x019eba1e
0x019eba23
0x019eba25
0x019eba2c
0x019eba30
0x019eba35
0x019eba35
0x019eba41
0x019eba46
0x019eba4c
0x019eba50
0x019eba54
0x019eba6a
0x019eba6e
0x019eba70
0x019eba74
0x019eba78
0x019eba7a
0x019eba7c
0x019eba8e
0x019eba90
0x019eba92
0x019ebb14
0x019ebb14
0x019ebb16
0x019ebb16
0x00000000
0x019eba7c
0x019ebb0a
0x019ebb0d
0x00000000
0x00000000
0x00000000
0x019ebb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019EB9A5

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 361460f5565e91472204ec436619b36566bb7dea2690f1014bd48df1a1f432fe
Instruction ID: 6ea94202aeb012017388b1732a1cd164af33f0337c4aa8665df5a63be88a7dfa
Opcode Fuzzy Hash: 361460f5565e91472204ec436619b36566bb7dea2690f1014bd48df1a1f432fe
Instruction Fuzzy Hash: 8D515D71608341CFCB22CF6DC1C492ABBE9FB88614F14496EF68A97355D731E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019CB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E019CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x1a9f7a8);
				E01A1D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E01A1D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E01A0D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E01A0F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L01A1DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E01A0B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E01A0B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E01A0E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E01A0A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x019cb171
0x019cb171
0x019cb171
0x019cb171
0x019cb171
0x019cb176
0x019cb17b
0x019cb180
0x019cb186
0x019cb18f
0x019cb198
0x019cb1a4
0x019cb1aa
0x01a24802
0x01a24802
0x01a24805
0x01a2480c
0x01a2480e
0x019cb1d1
0x019cb1d3
0x019cb1de
0x019cb1de
0x01a24817
0x01a2481e
0x01a24820
0x01a24822
0x01a24822
0x01a24824
0x01a24824
0x01a2482a
0x00000000
0x00000000
0x01a24835
0x01a2483a
0x01a2483d
0x01a2483f
0x01a24842
0x01a24842
0x01a24842
0x01a24846
0x01a2484c
0x01a2484e
0x01a24851
0x01a24851
0x01a24853
0x01a24854
0x01a24854
0x01a24858
0x01a2485a
0x01a2485a
0x01a2485d
0x01a2485f
0x01a24861
0x01a24861
0x01a24866
0x01a2486b
0x01a2486e
0x01a24871
0x01a24876
0x01a24876
0x01a24878
0x01a2487b
0x01a24884
0x01a24884
0x00000000
0x01a2487d
0x01a2487d
0x01a24882
0x01a24889
0x01a24889
0x01a2488f
0x01a24891
0x01a248e0
0x01a248e2
0x01a248e4
0x01a248e4
0x01a248e7
0x01a248e7
0x01a248ed
0x01a248f4
0x01a248f6
0x01a24951
0x01a24951
0x01a24953
0x01a24953
0x01a24956
0x01a24956
0x01a24958
0x01a24959
0x01a24959
0x01a2495d
0x01a2495d
0x01a2495f
0x01a2495f
0x01a24965
0x01a24969
0x01a249ba
0x01a249ba
0x01a249c1
0x01a249c5
0x01a249cc
0x01a249d4
0x01a249d7
0x01a249da
0x01a249e4
0x01a249e5
0x01a249f3
0x01a24a02
0x00000000
0x01a24a02
0x01a24972
0x01a24974
0x00000000
0x00000000
0x01a24976
0x01a24979
0x01a24982
0x01a24983
0x01a24984
0x01a2498b
0x01a2498d
0x01a24991
0x01a24993
0x01a24999
0x01a2499d
0x01a249a2
0x01a249a2
0x01a249a2
0x01a24999
0x01a249ac
0x00000000
0x01a249b3
0x01a248f8
0x01a248fe
0x00000000
0x00000000
0x00000000
0x01a248fe
0x01a24895
0x01a2489c
0x01a248ad
0x01a248b2
0x01a248b5
0x01a248b7
0x01a248ba
0x01a248bc
0x01a248c6
0x01a248c6
0x01a248cb
0x01a248d1
0x01a248d4
0x01a248d8
0x01a248d8
0x00000000
0x01a248d8
0x01a248be
0x01a248c0
0x00000000
0x00000000
0x01a248c2
0x00000000
0x00000000
0x00000000
0x01a248c4
0x00000000
0x01a24882
0x01a2487b
0x01a24904
0x01a24906
0x00000000
0x00000000
0x01a24908
0x01a2490e
0x00000000
0x00000000
0x01a24910
0x01a24917
0x01a24917
0x00000000
0x01a24917
0x019cb1ba
0x01a247f9
0x01a247fc
0x00000000
0x00000000
0x00000000
0x01a247fc
0x019cb1c0
0x019cb1c0
0x019cb1c3
0x019cb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 01A248AD

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 92462be6107b3c3883765aaa4eaf8817928272a631549f89fef4f76f60478237
Instruction ID: ed036adc9847185e56b0481365457a3037ceabae94927bb0e3f0fd9ce1e1e63b
Opcode Fuzzy Hash: 92462be6107b3c3883765aaa4eaf8817928272a631549f89fef4f76f60478237
Instruction Fuzzy Hash: BB51D171E102698EEF36CF6CC945BBEBBB1BF08710F1441ADD859AB282D7B04945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019F2581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E019F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t239;
				signed int _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t248;
				signed int _t250;
				intOrPtr _t252;
				signed int _t255;
				signed int _t262;
				signed int _t265;
				signed int _t273;
				intOrPtr _t279;
				signed int _t281;
				signed int _t283;
				void* _t284;
				signed int _t285;
				signed int _t286;
				unsigned int _t289;
				signed int _t293;
				signed int _t295;
				signed int _t299;
				intOrPtr _t311;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t327;
				signed int _t328;
				intOrPtr* _t330;
				signed int _t331;
				signed int _t333;
				signed int _t335;
				void* _t336;
				void* _t338;

				_t333 = _t335;
				_t336 = _t335 - 0x4c;
				_v8 =  *0x1abd360 ^ _t333;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t327 = 0x1abb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t289 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t338 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t279 = 0x48;
				_t309 = 0 | _t338 == 0x00000000;
				_t320 = 0;
				_v37 = _t338 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t279 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t328 = 0xc0000106;
						goto L32;
					} else {
						_t327 = L019E4620(_t289,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t279);
						_v52 = _t327;
						__eflags = _t327;
						if(_t327 == 0) {
							_t328 = 0xc0000017;
							goto L32;
						} else {
							 *(_t327 + 0x44) =  *(_t327 + 0x44) & 0x00000000;
							_t50 = _t327 + 0x48; // 0x48
							_t322 = _t50;
							_t309 = _v32;
							 *((intOrPtr*)(_t327 + 0x3c)) = _t279;
							_t281 = 0;
							 *((short*)(_t327 + 0x30)) = _v48;
							__eflags = _t309;
							if(_t309 != 0) {
								 *(_t327 + 0x18) = _t322;
								__eflags = _t309 - 0x1ab8478;
								 *_t327 = ((0 | _t309 == 0x01ab8478) - 0x00000001 & 0xfffffffb) + 7;
								E01A0F3E0(_t322,  *((intOrPtr*)(_t309 + 4)),  *_t309 & 0x0000ffff);
								_t309 = _v32;
								_t336 = _t336 + 0xc;
								_t281 = 1;
								__eflags = _a8;
								_t322 = _t322 + (( *_t309 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t273 = E01A539F2(_t322);
									_t309 = _v32;
									_t322 = _t273;
								}
							}
							_t293 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t328 = _v68;
								__eflags = 0;
								 *((short*)(_t322 - 2)) = 0;
								goto L32;
							} else {
								_t283 = _t327 + _t281 * 4;
								_v56 = _t283;
								do {
									__eflags = _t309;
									if(_t309 != 0) {
										_t239 =  *(_v60 + _t293 * 4);
										__eflags = _t239;
										if(_t239 == 0) {
											goto L30;
										} else {
											__eflags = _t239 == 5;
											if(_t239 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t283 =  *(_v60 + _t293 * 4);
										 *(_t283 + 0x18) = _t322;
										_t243 =  *(_v60 + _t293 * 4);
										__eflags = _t243 - 8;
										if(_t243 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t243 * 4 +  &M019F2959))) {
												case 0:
													__ax =  *0x1ab8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E01A0F3E0(__edi,  *0x1ab848c, __ax & 0x0000ffff);
														__eax =  *0x1ab8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E01A0F3E0(_t322, _v80, _v64);
													_t268 = _v64;
													goto L26;
												case 2:
													 *0x1ab8480 & 0x0000ffff = E01A0F3E0(__edi,  *0x1ab8484,  *0x1ab8480 & 0x0000ffff);
													__eax =  *0x1ab8480 & 0x0000ffff;
													__eax = ( *0x1ab8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E01A0F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E01A0F3E0(_t322, _v76, _v36);
														_t268 = _v36;
													}
													L26:
													_t336 = _t336 + 0xc;
													_t322 = _t322 + (_t268 >> 1) * 2 + 2;
													__eflags = _t322;
													L27:
													_push(0x3b);
													_pop(_t270);
													 *((short*)(_t322 - 2)) = _t270;
													goto L28;
												case 6:
													__ebx =  *0x1ab575c;
													__eflags = __ebx - 0x1ab575c;
													if(__ebx != 0x1ab575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E01A0F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1ab575c;
														} while (__ebx != 0x1ab575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1ab8478 & 0x0000ffff = E01A0F3E0(__edi,  *0x1ab847c,  *0x1ab8478 & 0x0000ffff);
													__eax =  *0x1ab8478 & 0x0000ffff;
													__eax = ( *0x1ab8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E01A539F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1ab6e58 & 0x0000ffff = E01A0F3E0(__edi,  *0x1ab6e5c,  *0x1ab6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1ab6e58 & 0x0000ffff;
													__eax = ( *0x1ab6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t293 = _v16;
													_t309 = _v32;
													L29:
													_t283 = _t283 + 4;
													__eflags = _t283;
													_v56 = _t283;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t293 = _t293 + 1;
									_v16 = _t293;
									__eflags = _t293 - _v48;
								} while (_t293 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t243 =  *(_v60 + _t320 * 4);
						if(_t243 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t243 * 4 +  &M019F2935))) {
							case 0:
								__ax =  *0x1ab8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t309 =  &_v64;
								_v80 = E019F2E3E(0,  &_v64);
								_t279 = _t279 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1ab8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1ab8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E019DEEF0(0x1ab79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E019DEB70(__ecx, 0x1ab79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t217 = _v72;
											__eflags = _t217;
											if(_t217 != 0) {
												L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
											}
											_t218 = _v52;
											__eflags = _t218;
											if(_t218 != 0) {
												__eflags = _t328;
												if(_t328 < 0) {
													L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
													_t218 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t289 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1ab7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E019DEB70(__ecx, 0x1ab79a0);
										__eax = _v52;
										L36:
										_pop(_t321);
										_pop(_t329);
										__eflags = _v8 ^ _t333;
										_pop(_t280);
										return E01A0B640(_t218, _t280, _v8 ^ _t333, _t309, _t321, _t329);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t275 = _v56;
								if(_v56 != 0) {
									_t309 =  &_v36;
									_t277 = E019F2E3E(_t275,  &_v36);
									_t289 = _v36;
									_v76 = _t277;
								}
								if(_t289 == 0) {
									goto L44;
								} else {
									_t279 = _t279 + 2 + _t289;
								}
								goto L14;
							case 6:
								__eax =  *0x1ab5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1ab8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1ab8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1ab6e58 & 0x0000ffff;
								__eax = ( *0x1ab6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t320 = _t320 + 1;
								if(_t320 >= _v48) {
									goto L16;
								} else {
									_t309 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("lahf");
					 *((intOrPtr*)(_t327 + 0x28)) =  *((intOrPtr*)(_t327 + 0x28)) + _t336;
					asm("lahf");
					_t244 = _t243 + _t336;
					asm("daa");
					asm("lahf");
					 *_t327 =  *_t327 + _t333;
					asm("lahf");
					 *((intOrPtr*)(_t327 + 0x28)) =  *((intOrPtr*)(_t327 + 0x28)) + _t244;
					asm("lahf");
					 *0x1f019f26 =  *0x1f019f26 + _t244;
					_t284 = 0x25;
					 *0x9f289401 = _t244;
					 *0x201a35b =  *0x201a35b + _t327;
					 *((intOrPtr*)(_t322 - 0x60d77fff)) =  *((intOrPtr*)(_t322 - 0x60d77fff)) - _t284;
					_t330 = _t327 + _t327;
					asm("daa");
					asm("lahf");
					 *_t330 =  *_t330 + _t284;
					 *((intOrPtr*)(_t322 - 0x60d7b1ff)) =  *((intOrPtr*)(_t322 - 0x60d7b1ff)) - _t284;
					_a35 = _a35 + _t284;
					asm("lahf");
					_t245 = _t244 + _t284;
					_pop(_t285);
					 *0x9f28b401 = _t245;
					 *((intOrPtr*)(_t336 + _t285 * 2)) =  *((intOrPtr*)(_t336 + _t285 * 2)) + _t330;
					 *0xcccccc01 = _t245;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x1a9ff00);
					E01A1D08C(_t285, _t322, _t330);
					_v44 =  *[fs:0x18];
					_t323 = 0;
					 *_a24 = 0;
					_t286 = _a12;
					__eflags = _t286;
					if(_t286 == 0) {
						_t248 = 0xc0000100;
					} else {
						_v8 = 0;
						_t331 = 0xc0000100;
						_v52 = 0xc0000100;
						_t250 = 4;
						while(1) {
							_v40 = _t250;
							__eflags = _t250;
							if(_t250 == 0) {
								break;
							}
							_t299 = _t250 * 0xc;
							_v48 = _t299;
							__eflags = _t286 -  *((intOrPtr*)(_t299 + 0x19a1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t265 = E01A0E5C0(_a8,  *((intOrPtr*)(_t299 + 0x19a1668)), _t286);
									_t336 = _t336 + 0xc;
									__eflags = _t265;
									if(__eflags == 0) {
										_t331 = E01A451BE(_t286,  *((intOrPtr*)(_v48 + 0x19a166c)), _a16, _t323, _t331, __eflags, _a20, _a24);
										_v52 = _t331;
										break;
									} else {
										_t250 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t250 = _t250 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t331;
						__eflags = _t331;
						if(_t331 < 0) {
							__eflags = _t331 - 0xc0000100;
							if(_t331 == 0xc0000100) {
								_t295 = _a4;
								__eflags = _t295;
								if(_t295 != 0) {
									_v36 = _t295;
									__eflags =  *_t295 - _t323;
									if( *_t295 == _t323) {
										_t331 = 0xc0000100;
										goto L76;
									} else {
										_t311 =  *((intOrPtr*)(_v44 + 0x30));
										_t252 =  *((intOrPtr*)(_t311 + 0x10));
										__eflags =  *((intOrPtr*)(_t252 + 0x48)) - _t295;
										if( *((intOrPtr*)(_t252 + 0x48)) == _t295) {
											__eflags =  *(_t311 + 0x1c);
											if( *(_t311 + 0x1c) == 0) {
												L106:
												_t331 = E019F2AE4( &_v36, _a8, _t286, _a16, _a20, _a24);
												_v32 = _t331;
												__eflags = _t331 - 0xc0000100;
												if(_t331 != 0xc0000100) {
													goto L69;
												} else {
													_t323 = 1;
													_t295 = _v36;
													goto L75;
												}
											} else {
												_t255 = E019D6600( *(_t311 + 0x1c));
												__eflags = _t255;
												if(_t255 != 0) {
													goto L106;
												} else {
													_t295 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t331 = E019F2C50(_t295, _a8, _t286, _a16, _a20, _a24, _t323);
											L76:
											_v32 = _t331;
											goto L69;
										}
									}
									goto L108;
								} else {
									E019DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t331 = _a24;
									_t262 = E019F2AE4( &_v36, _a8, _t286, _a16, _a20, _t331);
									_v32 = _t262;
									__eflags = _t262 - 0xc0000100;
									if(_t262 == 0xc0000100) {
										_v32 = E019F2C50(_v36, _a8, _t286, _a16, _a20, _t331, 1);
									}
									_v8 = _t323;
									E019F2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t248 = _t331;
					}
					L70:
					return E01A1D0D1(_t248);
				}
				L108:
			}

0x019f2584
0x019f2586
0x019f2590
0x019f2596
0x019f2597
0x019f2598
0x019f2599
0x019f259e
0x019f25a4
0x019f25a9
0x019f25ac
0x019f25ae
0x019f25b1
0x019f25b2
0x019f25b5
0x019f25b8
0x019f25bb
0x019f25bc
0x019f25bf
0x019f25c2
0x019f25c5
0x019f25c6
0x019f25cb
0x019f25ce
0x019f25d8
0x019f25db
0x019f25dd
0x019f25de
0x019f25e1
0x019f25e3
0x019f25e9
0x019f26da
0x019f26da
0x019f26dd
0x019f26e2
0x01a35b56
0x00000000
0x019f26e8
0x019f26f9
0x019f26fb
0x019f26fe
0x019f2700
0x01a35b60
0x00000000
0x019f2706
0x019f2706
0x019f270a
0x019f270a
0x019f270d
0x019f2713
0x019f2716
0x019f2718
0x019f271c
0x019f271e
0x01a35b6c
0x01a35b6f
0x01a35b7f
0x01a35b89
0x01a35b8e
0x01a35b93
0x01a35b96
0x01a35b9c
0x01a35ba0
0x01a35ba3
0x01a35bab
0x01a35bb0
0x01a35bb3
0x01a35bb3
0x01a35ba3
0x019f2724
0x019f2726
0x019f2729
0x019f272c
0x019f279d
0x019f279d
0x019f27a0
0x019f27a2
0x00000000
0x019f272e
0x019f272e
0x019f2731
0x019f2734
0x019f2734
0x019f2736
0x01a35bc1
0x01a35bc1
0x01a35bc4
0x00000000
0x01a35bca
0x01a35bca
0x01a35bcd
0x00000000
0x01a35bd3
0x00000000
0x01a35bd3
0x01a35bcd
0x019f273c
0x019f273c
0x019f2742
0x019f2747
0x019f274a
0x019f274d
0x019f2750
0x00000000
0x019f2756
0x019f2756
0x00000000
0x019f2902
0x019f2908
0x019f290b
0x00000000
0x019f2911
0x019f291c
0x019f2921
0x00000000
0x019f2921
0x00000000
0x00000000
0x019f2880
0x019f2887
0x019f288c
0x00000000
0x00000000
0x019f2805
0x019f280a
0x019f2814
0x019f2816
0x00000000
0x00000000
0x019f281e
0x019f2821
0x019f2823
0x00000000
0x019f2829
0x019f2829
0x019f2831
0x019f283c
0x019f283e
0x00000000
0x019f283e
0x00000000
0x00000000
0x019f284e
0x019f2850
0x019f2851
0x019f2854
0x019f2857
0x019f285a
0x019f285c
0x019f285d
0x00000000
0x00000000
0x019f275d
0x019f2761
0x00000000
0x019f2767
0x019f276e
0x019f2773
0x019f2773
0x019f2776
0x019f2778
0x019f277e
0x019f277e
0x019f2781
0x019f2781
0x019f2783
0x019f2784
0x00000000
0x00000000
0x01a35bd8
0x01a35bde
0x01a35be4
0x01a35be6
0x01a35be8
0x01a35be9
0x01a35bee
0x01a35bf8
0x01a35bff
0x01a35c01
0x01a35c04
0x01a35c07
0x01a35c0b
0x01a35c0d
0x01a35c0d
0x01a35c15
0x01a35c18
0x01a35c1b
0x01a35c1b
0x01a35c1e
0x00000000
0x00000000
0x019f28c3
0x019f28c8
0x019f28d2
0x019f28d4
0x019f28d8
0x019f28db
0x01a35c26
0x01a35c28
0x01a35c2d
0x01a35c2d
0x00000000
0x00000000
0x01a35c34
0x01a35c36
0x01a35c49
0x01a35c4e
0x01a35c54
0x01a35c5b
0x01a35c5d
0x01a35c60
0x019f2788
0x019f2788
0x019f278b
0x019f278e
0x019f278e
0x019f278e
0x019f2791
0x00000000
0x00000000
0x019f2756
0x019f2750
0x00000000
0x019f2794
0x019f2794
0x019f2795
0x019f2798
0x019f2798
0x00000000
0x019f2734
0x019f272c
0x019f2700
0x019f25ef
0x019f25ef
0x019f25ef
0x019f25f2
0x019f25f8
0x00000000
0x00000000
0x019f25fe
0x00000000
0x019f28e6
0x019f28ec
0x019f28ef
0x019f28f5
0x019f28f8
0x019f28f8
0x00000000
0x019f28f8
0x00000000
0x00000000
0x019f2866
0x019f2866
0x019f2876
0x019f2879
0x00000000
0x00000000
0x019f27e0
0x019f27e7
0x019f27e9
0x019f27eb
0x01a35afd
0x00000000
0x01a35afd
0x00000000
0x00000000
0x019f2633
0x019f2638
0x019f263b
0x019f263c
0x019f263e
0x019f2640
0x019f2642
0x019f2647
0x019f2649
0x019f264e
0x019f2650
0x019f2653
0x019f2659
0x019f26a2
0x019f26a7
0x019f26ac
0x019f26b2
0x01a35b11
0x01a35b15
0x01a35b17
0x00000000
0x019f26b8
0x019f26b8
0x019f26ba
0x019f27a6
0x019f27a6
0x019f27a9
0x019f27ab
0x019f27b9
0x019f27b9
0x019f27be
0x019f27c1
0x019f27c3
0x019f27c5
0x019f27c7
0x01a35c74
0x01a35c79
0x01a35c79
0x019f27c7
0x00000000
0x019f26c0
0x019f26c0
0x019f26c3
0x019f26c6
0x019f26c6
0x019f26c9
0x019f26c9
0x00000000
0x019f26c9
0x019f26ba
0x019f265b
0x019f265b
0x019f265e
0x019f2667
0x019f266d
0x019f2677
0x019f267c
0x019f267f
0x019f2681
0x01a35b49
0x01a35b4e
0x019f27cd
0x019f27d0
0x019f27d1
0x019f27d2
0x019f27d4
0x019f27dd
0x019f2687
0x019f2687
0x019f268a
0x019f268b
0x019f268e
0x019f268f
0x019f2691
0x019f2696
0x019f2698
0x019f269d
0x019f269f
0x00000000
0x019f269f
0x019f2681
0x00000000
0x00000000
0x019f2846
0x00000000
0x00000000
0x019f2605
0x019f260a
0x019f260c
0x019f2611
0x019f2616
0x019f2619
0x019f2619
0x019f261e
0x00000000
0x019f2624
0x019f2627
0x019f2627
0x00000000
0x00000000
0x01a35b1f
0x00000000
0x00000000
0x019f2894
0x019f289b
0x019f289d
0x019f28a1
0x01a35b2b
0x01a35b2e
0x01a35b2e
0x019f28a7
0x019f28a9
0x01a35b04
0x01a35b09
0x01a35b09
0x01a35b09
0x00000000
0x00000000
0x01a35b35
0x01a35b3c
0x019f28fb
0x019f28fb
0x019f26cc
0x019f26cc
0x019f26d0
0x00000000
0x019f26d2
0x019f26d2
0x00000000
0x019f26d2
0x00000000
0x00000000
0x019f25fe
0x019f292d
0x019f2930
0x019f2935
0x019f2937
0x019f2938
0x019f293b
0x019f293c
0x019f293e
0x019f293f
0x019f2940
0x019f2942
0x019f2944
0x019f2947
0x019f2948
0x019f294e
0x019f294f
0x019f2954
0x019f295a
0x019f2960
0x019f2962
0x019f2963
0x019f2964
0x019f2966
0x019f296c
0x019f296f
0x019f2970
0x019f2972
0x019f2973
0x019f2978
0x019f297b
0x019f2980
0x019f2981
0x019f2982
0x019f2983
0x019f2984
0x019f2985
0x019f2986
0x019f2987
0x019f2988
0x019f2989
0x019f298a
0x019f298b
0x019f298c
0x019f298d
0x019f298e
0x019f298f
0x019f2990
0x019f2992
0x019f2997
0x019f29a3
0x019f29a6
0x019f29ab
0x019f29ad
0x019f29b0
0x019f29b2
0x01a35c80
0x019f29b8
0x019f29b8
0x019f29bb
0x019f29c0
0x019f29c5
0x019f29c6
0x019f29c6
0x019f29c9
0x019f29cb
0x00000000
0x00000000
0x019f29cd
0x019f29d0
0x019f29d9
0x019f29db
0x019f29dd
0x019f2a7f
0x019f2a84
0x019f2a87
0x019f2a89
0x01a35ca1
0x01a35ca3
0x00000000
0x019f2a8f
0x019f2a8f
0x00000000
0x019f2a8f
0x00000000
0x019f29e3
0x019f29e3
0x019f29e3
0x00000000
0x019f29e3
0x019f29dd
0x00000000
0x019f29db
0x019f29e6
0x019f29e9
0x019f29eb
0x019f29ed
0x019f29f3
0x019f29f5
0x019f29f8
0x019f29fa
0x019f2a97
0x019f2a9a
0x019f2a9d
0x019f2add
0x00000000
0x019f2a9f
0x019f2aa2
0x019f2aa5
0x019f2aa8
0x019f2aab
0x01a35cab
0x01a35caf
0x01a35cc5
0x01a35cda
0x01a35cdc
0x01a35cdf
0x01a35ce5
0x00000000
0x01a35ceb
0x01a35ced
0x01a35cee
0x00000000
0x01a35cee
0x01a35cb1
0x01a35cb4
0x01a35cb9
0x01a35cbb
0x00000000
0x01a35cbd
0x01a35cbd
0x00000000
0x01a35cbd
0x01a35cbb
0x019f2ab1
0x019f2ab1
0x019f2ac4
0x019f2ac6
0x019f2ac6
0x00000000
0x019f2ac6
0x019f2aab
0x00000000
0x019f2a00
0x019f2a09
0x019f2a0e
0x019f2a21
0x019f2a24
0x019f2a35
0x019f2a3a
0x019f2a3d
0x019f2a42
0x019f2a59
0x019f2a59
0x019f2a5c
0x019f2a5f
0x019f2a5f
0x019f29fa
0x019f29f3
0x019f2a64
0x019f2a64
0x019f2a6b
0x019f2a6b
0x019f2a6d
0x019f2a72
0x019f2a72
0x00000000

Strings

PATH, xrefs: 019F2642, 019F2691

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 3dff42dcc293f7e54513f08fbdd69012cd972a8de2ab853cc8e0d775645141b3
Instruction ID: c3988b33a2c106a08b97dbcef66f02d68a9611747e62a939127e867bbbe239c1
Opcode Fuzzy Hash: 3dff42dcc293f7e54513f08fbdd69012cd972a8de2ab853cc8e0d775645141b3
Instruction Fuzzy Hash: 01C19075E00219EFDB25DF99D880BAEBBB5FF88710F14442DE609AB290D774E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019FFAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E019FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E019DEEF0(0x1ab7b60);
					_t134 =  *0x1ab7b84; // 0x771a7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1ab7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1ab7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E019D6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E019D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01A68938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E019CB150();
													}
													_t116 = E01A66D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E019D75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1ab8638; // 0x0
																	_t122 = L019D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E019D76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E019D76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L019FFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L019D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E019FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E019FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E019FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E019FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E019FFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1ab7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1ab7b84 = _t75;
						_t73 = E019DEB70(_t134, 0x1ab7b60);
						if( *0x1ab7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E019DFF60( *0x1ab7b20);
							}
						}
						goto L5;
					}
				}
			}

0x019ffab0
0x019ffab2
0x019ffab3
0x019ffab4
0x019ffabc
0x019ffac0
0x019ffb14
0x019ffb17
0x019ffac2
0x019ffac8
0x019ffacd
0x019ffad3
0x019ffad3
0x019ffadd
0x019ffb18
0x019ffb1b
0x019ffb1d
0x019ffb1e
0x019ffb1f
0x019ffb20
0x019ffb21
0x019ffb22
0x019ffb23
0x019ffb24
0x019ffb25
0x019ffb26
0x019ffb27
0x019ffb28
0x019ffb29
0x019ffb2a
0x019ffb2b
0x019ffb2c
0x019ffb2d
0x019ffb2e
0x019ffb2f
0x019ffb3a
0x019ffb3b
0x019ffb3e
0x019ffb41
0x019ffb44
0x019ffb47
0x019ffb4a
0x019ffb4d
0x019ffb53
0x01a3bdcb
0x01a3bdcb
0x019ffb59
0x019ffb5b
0x019ffb5b
0x019ffb5e
0x01a3bdd5
0x01a3bdd8
0x00000000
0x01a3bdda
0x00000000
0x01a3bdda
0x019ffb64
0x019ffb64
0x019ffb64
0x019ffb67
0x019ffb6e
0x019ffb70
0x019ffb72
0x00000000
0x019ffb78
0x019ffb7a
0x019ffb7a
0x019ffb7d
0x019ffb80
0x01a3bddf
0x01a3bde1
0x00000000
0x01a3bde3
0x00000000
0x01a3bde3
0x019ffb86
0x019ffb86
0x019ffb86
0x019ffb8b
0x019ffb90
0x019ffb92
0x019ffb94
0x019ffb9a
0x019ffb9b
0x019ffba1
0x01a3bde8
0x01a3bdeb
0x01a3bded
0x01a3beb5
0x01a3beb5
0x01a3bebb
0x01a3bebd
0x01a3bec3
0x01a3bed2
0x01a3bedd
0x01a3bedd
0x01a3beed
0x00000000
0x01a3bdf3
0x01a3bdfe
0x01a3be06
0x01a3be0b
0x01a3be0d
0x01a3be0f
0x01a3be14
0x01a3be19
0x01a3be20
0x01a3be25
0x01a3be27
0x01a3be35
0x01a3be39
0x01a3be46
0x01a3be4f
0x01a3be54
0x01a3be56
0x01a3bef8
0x01a3bef8
0x00000000
0x01a3be5c
0x01a3be5c
0x01a3be60
0x00000000
0x01a3be66
0x01a3be66
0x01a3be7f
0x01a3be84
0x01a3be87
0x01a3be89
0x01a3be8b
0x01a3be99
0x01a3be9d
0x01a3bea0
0x01a3beac
0x01a3beaf
0x01a3beb1
0x01a3beb3
0x01a3beb3
0x00000000
0x01a3bea2
0x01a3bea2
0x00000000
0x01a3bea2
0x01a3be8d
0x01a3be8d
0x01a3be92
0x00000000
0x01a3be92
0x01a3be8b
0x01a3be60
0x01a3be3b
0x01a3be3b
0x01a3be3e
0x00000000
0x01a3be40
0x01a3be40
0x01a3be44
0x00000000
0x00000000
0x00000000
0x00000000
0x01a3be44
0x01a3be3e
0x01a3be29
0x01a3be29
0x00000000
0x01a3be29
0x01a3be27
0x00000000
0x019ffba7
0x019ffba7
0x019ffbab
0x01a3bf02
0x019ffbb1
0x019ffbb1
0x019ffbb8
0x019ffbbd
0x019ffbbd
0x019ffbbf
0x019ffbbf
0x019ffbc5
0x019ffbcb
0x019ffbf8
0x019ffbf8
0x019ffbfa
0x00000000
0x019ffc00
0x019ffc00
0x019ffc03
0x00000000
0x019ffc09
0x019ffc09
0x019ffc0f
0x019ffc15
0x019ffc23
0x019ffc23
0x019ffc25
0x019ffc27
0x019ffc75
0x019ffc7c
0x019ffc84
0x00000000
0x019ffc29
0x019ffc29
0x019ffc2d
0x019ffc30
0x01a3bf0f
0x00000000
0x019ffc36
0x019ffc38
0x019ffc3b
0x019ffc41
0x01a3bf17
0x01a3bf19
0x01a3bf48
0x01a3bf4b
0x00000000
0x01a3bf1b
0x01a3bf22
0x01a3bf24
0x01a3bf26
0x00000000
0x01a3bf2c
0x01a3bf37
0x01a3bf39
0x01a3bf3b
0x00000000
0x01a3bf41
0x01a3bf41
0x01a3bf41
0x01a3bf41
0x01a3bf45
0x00000000
0x01a3bf45
0x01a3bf3b
0x01a3bf26
0x00000000
0x019ffc47
0x019ffc47
0x019ffc49
0x019ffcb2
0x019ffcb4
0x019ffcb6
0x019ffcdc
0x019ffcdc
0x00000000
0x019ffcb8
0x019ffcc3
0x019ffcc5
0x019ffcc7
0x00000000
0x019ffcc9
0x019ffcc9
0x019ffccd
0x00000000
0x019ffccd
0x019ffcc7
0x00000000
0x019ffc4b
0x019ffc4b
0x019ffc4e
0x019ffc4e
0x019ffc51
0x019ffc51
0x019ffc54
0x019ffc5a
0x019ffc5c
0x019ffc5f
0x019ffc61
0x019ffc63
0x019ffc65
0x019ffc67
0x019ffc6e
0x019ffc72
0x019ffc72
0x019ffc72
0x019ffc72
0x019ffc67
0x019ffc61
0x00000000
0x019ffc5a
0x019ffc49
0x019ffc41
0x019ffc30
0x019ffc27
0x019ffc03
0x019ffbcd
0x019ffbd3
0x019ffbd9
0x019ffbdc
0x019ffbde
0x019ffc99
0x019ffc9b
0x019ffc9d
0x019ffcd5
0x019ffcd5
0x019ffc89
0x019ffc89
0x00000000
0x019ffc9f
0x019ffc9f
0x019ffca3
0x00000000
0x019ffca3
0x00000000
0x019ffbe4
0x019ffbe4
0x019ffbe4
0x019ffbe4
0x019ffbe9
0x019ffbf2
0x00000000
0x019ffbf2
0x019ffbde
0x019ffbcb
0x019ffbab
0x019ffc8b
0x019ffc8b
0x019ffc8c
0x019ffb80
0x019ffb72
0x019ffb5e
0x019ffc8d
0x019ffc91
0x019ffadf
0x019ffadf
0x019ffae1
0x019ffae4
0x019ffae7
0x019ffaec
0x019ffaf8
0x019ffb00
0x019ffb07
0x019ffb0f
0x019ffb0f
0x019ffb07
0x00000000
0x019ffaf8
0x019ffadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 01A3BE0F

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 3f1e00d66d11d2793d26f7daf365297f4f56bae400ded0b5687fb6923e193220
Instruction ID: d322585fe5887ce3ce4cbe1265806074e5aa6fc76b3f85ae724a09e76b37a7ac
Opcode Fuzzy Hash: 3f1e00d66d11d2793d26f7daf365297f4f56bae400ded0b5687fb6923e193220
Instruction Fuzzy Hash: D2A12572F00616EBEB25CF6CC450B7AB7A9AF84711F04456DEB1ACB691DB30D801CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019C2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E019C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1ab5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1ab7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E01A097C0();
				}
				if( *0x1ab79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x1ab79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E019F1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E019E7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E01A5FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01A09520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E019FE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L01A1DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1ab6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1ab6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01A09980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E01A095D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E019E7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E019E7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01A47016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E01A5FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1ab5350;
							if(_t109 != 0x1ab5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E01A5FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01A55720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x019c2d8a
0x019c2d8a
0x019c2d92
0x019c2d96
0x019c2d9e
0x019c2da0
0x019c2da3
0x019c2da5
0x019c2da8
0x019c2dab
0x019c2db2
0x01a1f9aa
0x01a1f9ab
0x01a1f9ae
0x01a1f9ae
0x019c2db8
0x019c2dc2
0x01a1f9b9
0x01a1f9be
0x01a1f9bf
0x01a1f9bf
0x019c2dcf
0x01a1f9c9
0x019c2dd5
0x019c2dd5
0x019c2dd5
0x019c2dde
0x019c2de1
0x019c2e70
0x019c2e72
0x019c2e72
0x019c2de7
0x019c2deb
0x019c2e7c
0x019c2e83
0x019c2e85
0x019c2e8b
0x019c2e8d
0x019c2e92
0x019c2e92
0x019c2e85
0x019c2df1
0x019c2df7
0x019c2df9
0x019c2df9
0x019c2dfc
0x019c2dff
0x019c2e02
0x00000000
0x019c2e05
0x019c2e0c
0x01a1f9d9
0x019c2e12
0x019c2e12
0x019c2e12
0x019c2e1a
0x01a1f9e3
0x01a1f9e9
0x01a1f9f0
0x01a1f9f6
0x01a1f9f8
0x01a1f9f8
0x01a1f9f0
0x019c2e23
0x01a1fa02
0x01a1fa03
0x01a1fa05
0x01a1fa06
0x00000000
0x019c2e29
0x019c2e29
0x019c2e2e
0x019c2e34
0x019c2e3e
0x00000000
0x00000000
0x019c2e44
0x019c2e47
0x019c2e4d
0x00000000
0x00000000
0x019c2e4f
0x019c2e54
0x00000000
0x00000000
0x019c2e5a
0x019c2e5f
0x019c2e9a
0x019c2ea4
0x019c2ea5
0x019c2ea8
0x019c2eaf
0x019c2eb2
0x019c2eb5
0x01a1fae9
0x01a1faeb
0x01a1faed
0x01a1faef
0x01a1faf7
0x01a1faf8
0x01a1fafd
0x01a1faff
0x01a1fb04
0x01a1fb04
0x01a1faff
0x019c2ec0
0x019c2ec4
0x019c2ec6
0x019c2ec8
0x01a1fb14
0x01a1fb18
0x01a1fb1e
0x01a1fb21
0x01a1fb21
0x019c2ece
0x019c2ece
0x019c2ece
0x019c2ed7
0x019c2e61
0x019c2e63
0x01a1fa6b
0x01a1fa71
0x01a1fa76
0x01a1fa78
0x01a1fa8a
0x01a1fa7a
0x01a1fa83
0x01a1fa83
0x01a1fa8f
0x01a1fa91
0x01a1fa97
0x01a1fa9d
0x01a1faa4
0x01a1faaa
0x01a1faaf
0x01a1fab1
0x01a1fac3
0x01a1fab3
0x01a1fabc
0x01a1fabc
0x01a1fac8
0x01a1facb
0x01a1fadf
0x01a1fadf
0x01a1facb
0x01a1faa4
0x01a1fa91
0x019c2e6f
0x019c2e6f
0x019c2e5f
0x01a1fa13
0x01a1fa15
0x01a1fa17
0x01a1fa1f
0x01a1fa21
0x01a1fa22
0x01a1fa25
0x01a1fa28
0x01a1fa2f
0x01a1fa2f
0x01a1fa2a
0x01a1fa2a
0x01a1fa2a
0x01a1fa31
0x01a1fa34
0x01a1fa36
0x01a1fa3c
0x01a1fa3e
0x01a1fa41
0x01a1fa43
0x01a1fa45
0x01a1fa45
0x01a1fa41
0x01a1fa3c
0x01a1fa4a
0x01a1fa4f
0x01a1fa51
0x01a1fa53
0x01a1fa56
0x01a1fa5b
0x01a1fa5e
0x00000000
0x01a1fa5e
0x019c2e23

Strings

RTL: Re-Waiting, xrefs: 01A1FA4A

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 6547df4c41bb58ea8c16cb41c65ec9598fbcc775a6eb826ba9c2a1e4e4b699bd
Instruction ID: 4e77b82150c702b3d805c73314a03edec66678ce72a2c823ab7bf546a1baaac3
Opcode Fuzzy Hash: 6547df4c41bb58ea8c16cb41c65ec9598fbcc775a6eb826ba9c2a1e4e4b699bd
Instruction Fuzzy Hash: 64614931A00685AFDB32DF6CC884B7E7BE5EB40B10F140669D959A72C1C734A945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A90EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01A90EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E01A8FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01A91074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01A09730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E01A8A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E01A8A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1ab8b04 >> 0x14) + (_v44 -  *0x1ab8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E019E7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E01A8138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E019E7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E01A7FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1ab8724 & 0x00000008) != 0) {
						E01A852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E01A915B5(0x1ab8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01a90eb7
0x01a90eb9
0x01a90ec0
0x01a90ec2
0x01a90ecd
0x01a9105b
0x01a9105b
0x01a91061
0x01a91066
0x01a91066
0x01a9106b
0x01a91073
0x01a91073
0x01a90ed3
0x01a90ed6
0x01a90edc
0x01a90ee0
0x01a90ee7
0x01a90ef0
0x01a90ef5
0x01a90efa
0x01a90efc
0x01a90efd
0x01a90f03
0x01a90f04
0x01a90f06
0x01a90f07
0x01a90f09
0x01a90f0e
0x01a90f14
0x01a90f23
0x01a90f2d
0x01a90f34
0x01a90f34
0x01a90f14
0x01a90f52
0x00000000
0x00000000
0x01a90f58
0x01a90f73
0x01a90f74
0x01a90f79
0x01a90f7d
0x01a90f80
0x01a90f86
0x01a90fab
0x01a90fb5
0x01a90fc6
0x01a90fd1
0x01a90fe3
0x01a90fd3
0x01a90fdc
0x01a90fdc
0x01a90feb
0x01a91009
0x01a91009
0x01a91015
0x01a91027
0x01a91017
0x01a91020
0x01a91020
0x01a9102f
0x01a9103c
0x01a9103c
0x01a91048
0x01a91050
0x01a91050
0x01a91055
0x00000000
0x01a91055
0x01a90f88
0x01a90f9e
0x01a90fa2
0x01a90fa9
0x00000000
0x00000000
0x00000000
0x01a90fa9
0x00000000

Strings

`, xrefs: 01A90F16

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 38f9c4480f00226059ac35579c78e5806527db6d7acce0abd86fd1f89f269e6a
Instruction ID: c15df36483ac79a8a151d3c012e0814948da46017ec5bfbe84b82f1397a25e8d
Opcode Fuzzy Hash: 38f9c4480f00226059ac35579c78e5806527db6d7acce0abd86fd1f89f269e6a
Instruction Fuzzy Hash: 4D51E2713043429FDB25DF28D980B1BBBE9EBC4364F04092CFA9687291D731E985CB62

Uniqueness

Uniqueness Score: -1.00%

Function 019FF0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E019FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E019E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01A09830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01A09990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E01A095D0();
							goto L11;
						} else {
							_t109 = L019E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E01A0F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E01A095D0();
										L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x019ff0d3
0x019ff0d9
0x019ff0e0
0x019ff0e7
0x019ff0f2
0x019ff0f4
0x019ff0f8
0x019ff100
0x019ff108
0x019ff10d
0x019ff115
0x019ff116
0x019ff11f
0x019ff123
0x019ff124
0x019ff12c
0x019ff130
0x019ff134
0x019ff13d
0x019ff144
0x019ff14b
0x019ff152
0x01a3bab0
0x01a3bab0
0x019ff158
0x019ff158
0x019ff15a
0x019ff160
0x019ff165
0x019ff166
0x019ff16f
0x019ff173
0x01a3baa7
0x01a3baa7
0x01a3baab
0x00000000
0x019ff179
0x019ff18d
0x019ff191
0x01a3baa2
0x00000000
0x019ff197
0x019ff19b
0x019ff1a2
0x019ff1a9
0x019ff1af
0x019ff1b2
0x019ff1b6
0x019ff1b9
0x019ff1c4
0x019ff1d8
0x019ff1df
0x019ff1e3
0x019ff1eb
0x019ff1ee
0x019ff1f4
0x019ff20f
0x01a3bab7
0x01a3babb
0x01a3bacc
0x01a3bad1
0x019ff215
0x019ff218
0x019ff226
0x019ff22b
0x00000000
0x019ff22b
0x019ff1f6
0x019ff1f6
0x019ff1f9
0x019ff1fb
0x019ff1fb
0x019ff1f4
0x019ff191
0x019ff173
0x019ff152
0x019ff203

Strings

@, xrefs: 019FF124

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: c0986dca79ec8ade736fb0650425fa577d89183ce70c24b9ec1bb31107bfea4c
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: F7518F72604711AFC321DF29C840A67BBF9FF88710F00892DFA9997690E7B4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A43540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01A43540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x1abd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01A00BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01A43706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E01A0FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01A43540;
						E01A0FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E01A1DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01A50C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E01A097C0();
					}
					return E01A0B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01A43971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01A43884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E01A0FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01A09650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01A43787(_a4,  &_v352, _t80);
						}
					}
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E01A095D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01a43552
0x01a4355a
0x01a4355d
0x01a43566
0x01a43567
0x01a4357e
0x01a4358f
0x01a435a1
0x01a435a5
0x01a4366b
0x01a4366b
0x01a4366d
0x01a43672
0x01a43679
0x01a43685
0x01a4368d
0x01a4369d
0x01a436a7
0x01a436b8
0x01a436c6
0x01a436c7
0x01a436dc
0x01a436e1
0x01a436e7
0x01a436e9
0x01a436e9
0x01a43703
0x01a43703
0x01a435b5
0x01a435c0
0x01a435c4
0x00000000
0x00000000
0x01a435ca
0x01a435d7
0x01a435e2
0x01a435e6
0x01a435e8
0x01a435f5
0x01a435fa
0x01a43603
0x01a43604
0x01a43609
0x01a4360a
0x01a43612
0x01a43613
0x01a4361e
0x01a43622
0x01a43628
0x01a4362f
0x01a4362f
0x01a43636
0x01a43638
0x01a4363b
0x01a43642
0x01a43642
0x01a43636
0x01a43657
0x01a43657
0x01a4365c
0x01a43662
0x01a43669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 01A4358F

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 359f30a5f180c12d983b536959b89801d7ebcab7e0889fad3f4d3754ffd11dbc
Instruction ID: f865d6bfceda866d3c5fc00c3da43478dc82efbf08b6e44283457538957587bf
Opcode Fuzzy Hash: 359f30a5f180c12d983b536959b89801d7ebcab7e0889fad3f4d3754ffd11dbc
Instruction Fuzzy Hash: 3A4152B2D0152DABDF21DA50DD80FEEB77CAF54714F0045A5EA08AB281DB309E888F94

Uniqueness

Uniqueness Score: -1.00%

Function 01A905AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01A905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E01A907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01A09730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E01A8A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E01A8A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01A91293(_t79, _v40, E01A907DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E019E7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E01A8138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x01a905c5
0x01a905ca
0x01a905d3
0x01a906db
0x01a906db
0x01a906dd
0x01a906e3
0x01a906e3
0x01a905dd
0x01a905e7
0x01a905f6
0x01a90600
0x01a90607
0x01a90610
0x01a90615
0x01a9061a
0x01a9061c
0x01a9061e
0x01a90624
0x01a90625
0x01a90627
0x01a90628
0x01a90631
0x01a90640
0x01a9064d
0x01a90654
0x01a90654
0x01a90631
0x01a9066d
0x01a90674
0x00000000
0x00000000
0x01a90692
0x01a9069e
0x01a906b0
0x01a906a0
0x01a906a9
0x01a906a9
0x01a906b8
0x01a906d6
0x01a906d6
0x00000000

Strings

`, xrefs: 01A90633

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 61b7a6cd437231d9e82df8dc3ddaa2dc71e2613b7b754c44385447a3cc4674c3
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 4131D2326043066BEB10DF18CE44F9A7BDDABC4794F144125BA58DB280D7B0E944C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A43884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01A43884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01A09650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L019E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01A09650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01a43893
0x01a43896
0x01a43899
0x01a4389f
0x01a438a0
0x01a438a4
0x01a438a9
0x01a438ac
0x01a438ad
0x01a438ae
0x01a438af
0x01a438b1
0x01a438b4
0x01a438bb
0x01a438bc
0x01a438bd
0x01a438c4
0x01a438c8
0x01a438ca
0x01a438ca
0x01a438d5
0x01a4393e
0x01a43940
0x01a43942
0x01a43952
0x01a43954
0x01a43961
0x01a43961
0x01a43967
0x01a4396e
0x01a4396e
0x01a43947
0x01a4394c
0x00000000
0x01a4394c
0x01a438ea
0x01a438ee
0x01a438f8
0x01a438f9
0x01a438ff
0x01a43900
0x01a43902
0x01a43903
0x01a4390b
0x01a4390f
0x01a43950
0x00000000
0x01a43950
0x01a43915
0x01a4391d
0x01a4391d
0x01a43922
0x01a43926
0x00000000
0x01a43928
0x01a4392b
0x01a4392b
0x01a43935
0x01a43937
0x01a43937
0x00000000
0x01a43935
0x01a43926
0x01a438f0
0x00000000

Strings

BinaryName, xrefs: 01A438B4

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 5dcc8243925bad144b4fa2985374498ad382cc99986ed8d1652889a8527b4872
Instruction ID: a7a251453bc59f6f2dea2a9ba36304733bbf738e3b0b1e036bdd4f12d3d42720
Opcode Fuzzy Hash: 5dcc8243925bad144b4fa2985374498ad382cc99986ed8d1652889a8527b4872
Instruction Fuzzy Hash: 2431E23690152ABFEF16DB59C955D6BBBB4FF80B20F014169A918A7282D6309E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019FD294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E019FD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1abd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E019E4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E01A0B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E01A098D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E01A095D0();
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x019fd29c
0x019fd2a6
0x019fd2b1
0x019fd2b5
0x019fd2b6
0x019fd2bc
0x019fd2bd
0x019fd2be
0x019fd2bf
0x019fd2c2
0x019fd2c4
0x019fd2cc
0x019fd384
0x019fd34b
0x019fd34f
0x019fd350
0x019fd351
0x019fd35c
0x019fd35c
0x019fd2d6
0x019fd2da
0x019fd2e1
0x019fd361
0x019fd369
0x019fd36d
0x019fd2e3
0x019fd2e3
0x019fd2e3
0x019fd2e5
0x019fd2ed
0x019fd2f5
0x019fd2fa
0x019fd302
0x019fd303
0x019fd30b
0x019fd30f
0x019fd313
0x019fd318
0x019fd31c
0x019fd320
0x019fd379
0x019fd37d
0x00000000
0x00000000
0x01a3affe
0x01a3b001
0x01a3b011
0x00000000
0x019fd322
0x019fd322
0x019fd330
0x019fd337
0x019fd35d
0x019fd339
0x019fd33f
0x019fd38c
0x019fd38c
0x019fd33f
0x019fd349
0x00000000
0x019fd349

Strings

@, xrefs: 019FD303

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 569f6660b6b26e30d28bd51cfd7708faeb4d0ce714ee0048bb87fd3d19c5a0b5
Instruction ID: e80a67e366b21b95ea30b365ae9cd4bde7e57a33475865bda5014c20da1f74db
Opcode Fuzzy Hash: 569f6660b6b26e30d28bd51cfd7708faeb4d0ce714ee0048bb87fd3d19c5a0b5
Instruction Fuzzy Hash: F831B3B6508305AFC712DF68D98095BBBE8FBD5758F00092EFB9883251D675DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019D1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E019D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E01A0BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E01A0A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E01A0A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L019E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x019d1b8f
0x019d1b9a
0x019d1b9c
0x019d1b9e
0x019d1ba3
0x01a27010
0x01a27010
0x00000000
0x019d1ba9
0x019d1ba9
0x019d1bae
0x00000000
0x019d1bc5
0x019d1bca
0x019d1bcf
0x019d1bd0
0x019d1bd1
0x019d1bd2
0x019d1bd6
0x019d1bdc
0x019d1be0
0x01a26ffc
0x01a27000
0x00000000
0x01a27006
0x01a27009
0x01a27009
0x019d1be6
0x019d1bec
0x019d1c0b
0x019d1c0b
0x019d1c0c
0x019d1c11
0x019d1c12
0x019d1c15
0x019d1c1b
0x019d1c1f
0x019d1c31
0x019d1c33
0x01a27026
0x01a27026
0x019d1c21
0x019d1c24
0x019d1c24
0x019d1bee
0x019d1bee
0x019d1bf2
0x019d1c3a
0x019d1bf4
0x019d1bf4
0x019d1c05
0x019d1c05
0x019d1c09
0x019d1c3e
0x00000000
0x00000000
0x00000000
0x019d1c09
0x019d1bec
0x019d1be0
0x019d1bae
0x019d1c2e

Strings

WindowsExcludedProcs, xrefs: 019D1BC5

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 9265529fb89afc43f9c8a8e5f031411091a1fbf0e4fb093ff455f018f5944ec6
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: F221FC7BE01229ABDB229BADC940F5B7BADEF55661F058435FE08DB200D634DD00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019EF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x019ef71d
0x019ef722
0x019ef726
0x01a34770
0x019ef765
0x019ef769
0x019ef769
0x019ef732
0x01a3477a
0x00000000
0x01a3477a
0x019ef738
0x019ef73a
0x019ef73c
0x019ef73f
0x019ef746
0x019ef778
0x019ef7a9
0x019ef7a9
0x019ef754
0x019ef75a
0x019ef75d
0x019ef75f
0x019ef761
0x019ef76f
0x019ef771
0x019ef771
0x019ef76f
0x019ef763
0x00000000
0x019ef763
0x019ef77d
0x019ef7a3
0x019ef7a5
0x00000000
0x019ef7a5
0x019ef77f
0x019ef782
0x019ef784
0x019ef786
0x00000000
0x00000000
0x00000000
0x019ef788
0x019ef748
0x019ef74d
0x019ef78d
0x019ef793
0x019ef7b7
0x019ef7bc
0x00000000
0x019ef7bc
0x019ef798
0x00000000
0x00000000
0x019ef79d
0x019ef7b0
0x00000000
0x019ef7b0
0x019ef79f
0x00000000
0x019ef74f
0x019ef74f
0x00000000
0x019ef74f

Strings

Actx , xrefs: 019EF73F

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: a45393c957ec23f407a83de2f80331b7ac82f6838d906eecb378823c014c0228
Instruction ID: f8a285c97626353fb6c912d9f21cab762f5e4657d6e49aa827a1cdee671a777a
Opcode Fuzzy Hash: a45393c957ec23f407a83de2f80331b7ac82f6838d906eecb378823c014c0228
Instruction Fuzzy Hash: 8D11B635384B028BF7274E1DC498B3676DAEB85725F25492BE96DCB391D772CC408380

Uniqueness

Uniqueness Score: -1.00%

Function 01A78DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01A78DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1aa0d50);
				E01A1D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01A55720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L01A1DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L01A1DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E01A1D130(_t34, _t39, _t40);
			}

0x01a78df1
0x01a78df1
0x01a78df1
0x01a78df1
0x01a78df1
0x01a78df1
0x01a78df3
0x01a78df8
0x01a78dfd
0x01a78e00
0x01a78e0e
0x01a78e2a
0x01a78e36
0x01a78e38
0x01a78e3c
0x01a78e46
0x01a78e46
0x01a78e36
0x01a78e50
0x01a78e56
0x01a78e59
0x01a78e5c
0x01a78e60
0x01a78e67
0x01a78e6d
0x01a78e73
0x01a78e74
0x01a78eb1
0x01a78ebd

Strings

Critical error detected %lx, xrefs: 01A78E21

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: f6dba888586fc5290d0c68abc363f8380028142e8a4295bc3560473294acb799
Instruction ID: ecd194881d9e51f33330520b933e89ada47688baee4ac239a9b829d0606669a6
Opcode Fuzzy Hash: f6dba888586fc5290d0c68abc363f8380028142e8a4295bc3560473294acb799
Instruction Fuzzy Hash: 3E1169B1D14348EBDF29CFA88A097DCBFB0BB14715F24465EE529AB282C3384602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01A5FF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01A5FF60

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: f9762a39ae8091665590cf7b475341c8d72425265567e9a98556f77ee354528a
Instruction ID: cff9a57fd21ecffe1308350b610da8bf75e8ade4a8ac749e4d38154a12e03f5a
Opcode Fuzzy Hash: f9762a39ae8091665590cf7b475341c8d72425265567e9a98556f77ee354528a
Instruction Fuzzy Hash: 2E112671910244EFDB62DF54CA88F987BB1FF44714F148444F508576A1C7399A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A95BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01A95BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1aa1178);
				E01A1D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01A94C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E01A0D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01A95542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x1ab60e8;
								if( *0x1ab60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x1ab60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01A09710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01A06DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E01A0F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E01A0F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E01A0F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E01A0FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E01A0FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E01A0F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E01A0F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01A94CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E01A1D130(_t427, _t494, _t511);
				}
			}

0x01a95ba5
0x01a95baa
0x01a95baf
0x01a95bb4
0x01a95bb6
0x01a95bbc
0x01a95bbe
0x01a95bc4
0x01a95bcd
0x01a95bd3
0x01a95bd6
0x01a95bdc
0x01a95be0
0x01a95be3
0x01a95beb
0x01a95bf2
0x01a95bf8
0x01a95bfe
0x01a95c04
0x01a95c0e
0x01a95c18
0x01a95c1f
0x01a95c25
0x01a95c2a
0x01a95c2c
0x01a95c32
0x01a95c3a
0x01a95c3f
0x01a95c42
0x01a95c48
0x01a95c5b
0x01a95c5b
0x01a95c2c
0x01a95cb7
0x01a95cb9
0x01a95cbf
0x01a95cc2
0x01a95cca
0x01a95ccb
0x01a95ccb
0x01a95cd1
0x01a95cd7
0x01a95cda
0x01a95ce1
0x01a95ce4
0x01a95ce7
0x01a95ced
0x01a95cf3
0x01a95cf9
0x01a95cff
0x01a95d08
0x01a95d0a
0x01a95d0e
0x01a95d10
0x00000000
0x00000000
0x01a95d16
0x01a95d1a
0x00000000
0x00000000
0x01a95d20
0x01a95d22
0x01a95d25
0x01a95d2f
0x01a95d2f
0x01a95d33
0x01a95d3d
0x01a95d49
0x01a95d4b
0x00000000
0x00000000
0x01a95d5a
0x01a95d5d
0x01a95d60
0x00000000
0x00000000
0x01a95d66
0x01a95d69
0x00000000
0x00000000
0x01a95d6f
0x01a95d6f
0x01a95d73
0x01a95d79
0x01a95d7f
0x01a95d86
0x01a95d95
0x01a95d98
0x01a95dba
0x01a95dcb
0x01a95dce
0x01a95dd3
0x01a95dd6
0x01a95dd8
0x01a95de6
0x01a95dec
0x01a95dee
0x01a95df1
0x01a95df3
0x01a9635a
0x01a9635a
0x00000000
0x01a9635a
0x01a95dfe
0x01a95e02
0x01a95e05
0x01a95e07
0x01a95e10
0x01a95e13
0x01a95e1b
0x01a95e1c
0x01a95e21
0x01a95e22
0x01a95e23
0x01a95e25
0x01a95e2a
0x01a95e2c
0x01a95e2e
0x01a95e36
0x01a95e39
0x01a95e42
0x01a95e47
0x01a95e4d
0x01a95e54
0x01a95e54
0x01a95e54
0x01a95e2e
0x01a95e5c
0x01a95e5f
0x01a95e62
0x01a95e64
0x01a95e6b
0x01a95e70
0x01a95e7a
0x01a95e7a
0x01a95e7a
0x01a95e6b
0x01a95e7e
0x01a95e7f
0x01a95e7f
0x01a95e81
0x01a95e87
0x01a95e8b
0x01a95e8c
0x01a95e8c
0x01a95e8c
0x01a95e9a
0x01a95e9c
0x01a95ea2
0x01a95ea6
0x01a95f50
0x01a95f50
0x01a95f57
0x01a95f66
0x01a95f66
0x01a95f66
0x01a95f68
0x01a95f6a
0x01a963d0
0x00000000
0x01a95f70
0x01a95f70
0x01a95f91
0x01a95f9c
0x01a95f9e
0x01a95fa4
0x01a95fa6
0x01a9638c
0x01a96392
0x01a963a1
0x01a963a7
0x01a963af
0x01a963af
0x01a963bd
0x01a963d8
0x00000000
0x01a963d8
0x01a95fac
0x01a95fb2
0x01a95fb4
0x01a95fbd
0x01a95fc6
0x01a95fce
0x01a95fd4
0x01a95fdc
0x01a95fec
0x01a95fed
0x01a95fee
0x01a95fef
0x01a95ff9
0x01a95ffa
0x01a95ffb
0x01a95ffc
0x01a96000
0x01a96004
0x01a96012
0x01a96012
0x01a96018
0x01a96019
0x01a9601a
0x01a9601b
0x01a9601c
0x01a96020
0x01a96059
0x01a9605c
0x01a96061
0x01a96061
0x01a96022
0x01a96022
0x01a96022
0x01a96025
0x01a9602a
0x01a9602b
0x01a96031
0x01a96037
0x01a96038
0x01a9603e
0x01a96048
0x01a96049
0x01a9604a
0x01a9604b
0x01a9604c
0x01a9604d
0x01a96053
0x01a96054
0x01a96054
0x01a96062
0x01a96065
0x01a96067
0x01a9606a
0x01a96070
0x01a96075
0x01a96076
0x01a96081
0x01a96087
0x01a96095
0x01a96099
0x01a9609e
0x01a960a4
0x01a960ae
0x01a960b0
0x01a960b3
0x01a960b6
0x01a960b8
0x01a960ba
0x01a960ba
0x01a960ba
0x01a960ba
0x01a960be
0x01a960c0
0x01a960c5
0x01a960c5
0x01a960c5
0x01a960c6
0x01a960cd
0x01a96114
0x01a960cf
0x01a960cf
0x01a960d4
0x01a960d5
0x01a960da
0x01a960db
0x01a960e1
0x01a960e2
0x01a960e8
0x01a960f8
0x01a960fd
0x01a960fe
0x01a96102
0x01a96104
0x01a96107
0x01a96109
0x01a9610b
0x01a9610b
0x01a9610b
0x01a9610b
0x01a9610f
0x01a9610f
0x01a96117
0x01a9611a
0x01a9611f
0x01a96125
0x01a96134
0x01a96139
0x01a9613f
0x01a96146
0x01a96148
0x01a9614b
0x01a9614d
0x01a9614f
0x01a9614f
0x01a9614f
0x01a9614f
0x01a96153
0x01a96159
0x01a96159
0x01a9615c
0x01a96163
0x01a96169
0x01a9616c
0x01a96172
0x01a96181
0x01a96186
0x01a96187
0x01a9618b
0x01a96191
0x01a96195
0x01a961a3
0x01a961bb
0x01a961c0
0x01a961c3
0x01a961cc
0x01a961d0
0x01a961dc
0x01a961de
0x01a961e1
0x01a961e4
0x01a961e6
0x01a961e8
0x01a961e8
0x01a961e8
0x01a961e8
0x01a961e6
0x01a961ec
0x01a961f3
0x01a96203
0x01a96209
0x01a9620a
0x01a96216
0x01a9621d
0x01a96227
0x01a96241
0x01a96246
0x01a9624c
0x01a96257
0x01a96259
0x01a9625c
0x01a9625e
0x01a96260
0x01a96260
0x01a96260
0x01a96260
0x01a9625e
0x01a96264
0x01a96267
0x01a96269
0x01a96315
0x01a96315
0x01a9631b
0x01a9631e
0x01a96324
0x01a96327
0x01a9632f
0x01a96330
0x01a96333
0x01a9633a
0x01a9633c
0x01a96335
0x01a96335
0x01a96335
0x01a9633f
0x01a96342
0x01a9634c
0x01a96352
0x01a96355
0x01a96355
0x01a96359
0x00000000
0x01a9626f
0x01a96275
0x01a96275
0x01a96278
0x01a9627e
0x01a9627e
0x01a96281
0x01a96287
0x01a9628d
0x01a96298
0x01a9629c
0x01a962a2
0x01a9629e
0x01a9629e
0x01a9629e
0x01a962a7
0x01a962a7
0x01a962aa
0x01a962b0
0x01a962f0
0x01a962f0
0x01a962f2
0x01a962f8
0x01a962fd
0x01a962b2
0x01a962b2
0x01a962b2
0x01a962b5
0x01a962dd
0x01a962e2
0x01a962e5
0x01a962b7
0x01a962b8
0x01a962bb
0x01a962bd
0x01a962c0
0x01a962c4
0x01a962cd
0x01a962cd
0x01a962c0
0x01a962bb
0x01a962b5
0x01a96302
0x01a96303
0x01a96305
0x01a96305
0x01a96305
0x01a9630c
0x01a9630c
0x00000000
0x01a9627e
0x01a96269
0x01a95eac
0x01a95ebb
0x01a95ebe
0x01a95ecb
0x01a95ecb
0x01a95ece
0x01a95ece
0x01a95ed4
0x01a95ed7
0x01a95ed9
0x01a95edb
0x01a95edb
0x01a95ee1
0x01a95ee1
0x01a95ee3
0x01a95f20
0x01a95f20
0x01a95ee5
0x01a95ee5
0x01a95ee5
0x01a95ee8
0x01a95f11
0x01a95f18
0x01a95eea
0x01a95eea
0x01a95eed
0x01a95ef2
0x01a95ef8
0x01a95efb
0x01a95f0a
0x01a95f0a
0x01a95eed
0x01a95ee8
0x01a95f22
0x01a95f28
0x00000000
0x00000000
0x01a95f30
0x01a95f31
0x01a95f37
0x01a95f3a
0x01a95f3d
0x01a95f44
0x00000000
0x00000000
0x00000000
0x01a95f46
0x01a95f48
0x01a95f4d
0x00000000
0x01a95f4d
0x01a95dda
0x01a95ddf
0x00000000
0x01a95ddf
0x01a95dd8
0x01a95da7
0x01a95da9
0x01a95dac
0x01a95dae
0x00000000
0x01a95db4
0x01a95db4
0x00000000
0x01a95db4
0x01a95dae
0x01a95d88
0x01a95d8d
0x01a96363
0x01a96369
0x01a9636a
0x01a96370
0x01a96372
0x01a9637a
0x01a9637b
0x01a9637d
0x00000000
0x00000000
0x01a9637f
0x01a96385
0x00000000
0x01a96385
0x01a95d38
0x01a95d3b
0x00000000
0x00000000
0x00000000
0x01a95d3b
0x01a95d27
0x01a95d29
0x00000000
0x00000000
0x00000000
0x01a96360
0x00000000
0x01a96360
0x01a95c10
0x01a95c10
0x01a963da
0x01a963e5
0x01a963e5

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1830226dc9e35464d61793491fca8b1af809587f80f6da3565dc329235f58518
Instruction ID: f944c52ef9bc64a668adaaf6b35c44e78ac01b3616703afc0a1bd3a617a4ba0d
Opcode Fuzzy Hash: 1830226dc9e35464d61793491fca8b1af809587f80f6da3565dc329235f58518
Instruction Fuzzy Hash: F1424775D002298FDF25CF68C981BAABBF1FF49314F1481AAD94DAB242D7349985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019E4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E019E4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x1abd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E019FF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E019E6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L019E4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E019E6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M019E45F8))) {
												case 0:
													_v568 = 0x19a1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x19a11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L019E4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E01A0F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E01A0F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E019C52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E019DEB70(1, 0x1ab79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E019DAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E01A095D0();
																			L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E01A0B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01A03D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E01A0B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x019e4128
0x019e4135
0x019e413c
0x019e4141
0x019e4145
0x019e4147
0x019e414e
0x019e4151
0x019e4159
0x019e415c
0x019e4160
0x019e4164
0x019e4168
0x019e416c
0x019e417f
0x019e4181
0x019e446a
0x019e446a
0x019e418c
0x019e4195
0x019e4199
0x019e4432
0x019e4439
0x019e443d
0x019e4442
0x019e4447
0x00000000
0x019e419f
0x019e41a3
0x019e41b1
0x019e41b9
0x019e41bd
0x019e45db
0x019e45db
0x00000000
0x019e41c3
0x019e41c3
0x019e41ce
0x019e41d4
0x01a2e138
0x01a2e13e
0x01a2e169
0x01a2e16d
0x01a2e19e
0x01a2e16f
0x01a2e16f
0x01a2e175
0x01a2e179
0x01a2e18f
0x01a2e193
0x00000000
0x01a2e199
0x00000000
0x01a2e199
0x01a2e193
0x00000000
0x00000000
0x00000000
0x019e41da
0x019e41da
0x019e41df
0x019e41e4
0x019e41ec
0x019e4203
0x019e4207
0x01a2e1fd
0x019e4222
0x019e4226
0x01a2e1f3
0x01a2e1f3
0x019e422c
0x019e422c
0x019e4233
0x01a2e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x019e4239
0x019e4239
0x019e4239
0x019e4239
0x019e4233
0x019e4226
0x019e41ee
0x019e41ee
0x019e41f4
0x019e4575
0x01a2e1b1
0x01a2e1b1
0x00000000
0x019e457b
0x019e457b
0x019e4582
0x01a2e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x019e4588
0x019e4588
0x019e458c
0x01a2e1c4
0x01a2e1c4
0x00000000
0x019e4592
0x019e4592
0x019e4599
0x01a2e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x019e459f
0x019e459f
0x019e45a3
0x01a2e1d7
0x01a2e1e4
0x00000000
0x019e45a9
0x019e45a9
0x019e45b0
0x01a2e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x019e45b6
0x019e45b6
0x019e45b6
0x00000000
0x019e45b6
0x019e45b0
0x019e45a3
0x019e4599
0x019e458c
0x019e4582
0x00000000
0x00000000
0x00000000
0x00000000
0x019e41f4
0x019e423e
0x019e4241
0x019e45c0
0x019e45c4
0x00000000
0x019e45ca
0x019e45ca
0x00000000
0x01a2e207
0x01a2e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x019e45d1
0x00000000
0x00000000
0x019e45ca
0x00000000
0x019e4247
0x019e4247
0x019e4247
0x019e4249
0x019e4249
0x019e4249
0x019e4251
0x019e4251
0x019e4257
0x019e425f
0x019e426e
0x019e4270
0x019e427a
0x01a2e219
0x01a2e219
0x019e4280
0x019e4282
0x019e4456
0x019e45ea
0x00000000
0x019e45f0
0x01a2e223
0x00000000
0x01a2e223
0x019e445c
0x019e445c
0x00000000
0x019e445c
0x00000000
0x019e4288
0x019e428c
0x01a2e298
0x019e4292
0x019e4292
0x019e429e
0x019e42a3
0x019e42a7
0x019e42ac
0x01a2e22d
0x019e42b2
0x019e42b2
0x019e42b9
0x019e42bc
0x019e42c2
0x019e42ca
0x019e42cd
0x019e42cd
0x019e42d4
0x019e433f
0x019e433f
0x019e42d6
0x019e42d6
0x019e42d9
0x019e42dd
0x019e42eb
0x01a2e23a
0x019e42f1
0x019e4305
0x019e430d
0x019e4315
0x019e4318
0x019e431f
0x019e4322
0x019e432e
0x019e433b
0x019e433b
0x00000000
0x019e432e
0x019e42eb
0x019e434c
0x019e434e
0x019e4352
0x019e4359
0x019e435e
0x019e4361
0x019e436e
0x019e438a
0x019e438e
0x019e4396
0x019e439e
0x019e43a1
0x019e43ad
0x019e43bb
0x019e43bb
0x019e43ad
0x019e436e
0x019e43bf
0x019e43c5
0x019e4463
0x019e4463
0x019e43ce
0x019e43d5
0x019e43d9
0x019e43df
0x019e4475
0x019e4479
0x019e4491
0x019e4491
0x019e4479
0x019e43e5
0x019e43eb
0x019e43f4
0x019e43f6
0x019e43f9
0x019e43fc
0x019e43ff
0x019e44e8
0x019e44ed
0x019e44f3
0x01a2e247
0x00000000
0x019e44f9
0x019e4504
0x019e4508
0x019e450f
0x01a2e269
0x00000000
0x019e4515
0x019e4519
0x019e4531
0x019e4534
0x019e4537
0x019e453e
0x019e4541
0x019e454a
0x01a2e255
0x01a2e255
0x01a2e25b
0x01a2e25e
0x01a2e261
0x01a2e261
0x019e4555
0x019e4559
0x019e455d
0x01a2e26d
0x01a2e270
0x01a2e274
0x01a2e27a
0x01a2e27d
0x01a2e28e
0x01a2e28e
0x019e4563
0x019e4563
0x019e4569
0x019e4569
0x00000000
0x019e455d
0x019e450f
0x00000000
0x019e44f3
0x019e43ff
0x019e4405
0x019e4405
0x019e4405
0x019e42ac
0x019e428c
0x019e4282
0x019e4407
0x019e440d
0x01a2e2af
0x01a2e2af
0x019e4413
0x019e4413
0x00000000
0x019e41d4
0x00000000
0x019e41c3
0x019e41bd
0x019e4415
0x019e4415
0x019e4416
0x019e4417
0x019e4429
0x019e416e
0x019e416e
0x019e4175
0x019e4498
0x019e449f
0x01a2e12d
0x00000000
0x01a2e133
0x00000000
0x01a2e133
0x019e44a5
0x019e44a5
0x019e44aa
0x00000000
0x019e44bb
0x019e44ca
0x019e44d6
0x019e44d7
0x019e44d8
0x019e44e3
0x019e44e3
0x019e44aa
0x019e417b
0x019e417b
0x019e417b
0x00000000
0x019e417b
0x019e4175
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fe97e1a8a6dfbf20c6ce7fa79348c4ef82adda58b83fe14f1402186bda025c
Instruction ID: ea4906fe8bd71b9438517148a79404f85c223cfa9fe6bb19e5b528408c301c56
Opcode Fuzzy Hash: f6fe97e1a8a6dfbf20c6ce7fa79348c4ef82adda58b83fe14f1402186bda025c
Instruction Fuzzy Hash: C6F18C706083118FCB26CF19C488A7AB7E5FF99714F14492EF98ACB291E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019F20A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E019F20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1ab8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E019F2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E019F2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E019C58EC(_t240);
									_t221 =  *0x1ab5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1ab5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01A04A2C(0x1ab6e40, 0x1a04b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E019E7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x19a5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E019FF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E019FF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01A47016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L019E2400(_t267 + 0x20);
															}
															L019E2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E019F2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E019E2280(_t134, 0x1ab8608);
									__eflags =  *0x1ab6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E019DFFB0(_t198, _t241, 0x1ab8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1ab6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1ab8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E019F6B90(_t210,  &_v64);
										_t262 =  *0x1ab8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E019FE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E01A097C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E01A0006A(0x1ab8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1ab8608);
												E01A0B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1ab6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1ab6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E019DFFB0(_t198, _t240, 0x1ab8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E01A000C2(0x1ab8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x019f20a0
0x019f20a8
0x019f20ad
0x019f20b3
0x019f20b8
0x019f20c2
0x019f20c7
0x019f20cb
0x019f20d2
0x019f2263
0x019f2266
0x01a35836
0x01a35836
0x00000000
0x019f226c
0x019f226c
0x019f2270
0x019f2274
0x019f20e2
0x019f20e2
0x019f20e6
0x019f20ee
0x01a357dc
0x01a357de
0x01a357ec
0x01a357ec
0x01a357f1
0x01a357f3
0x01a357f8
0x00000000
0x01a357f8
0x01a357e0
0x01a357e4
0x01a357ea
0x00000000
0x00000000
0x00000000
0x01a357ea
0x019f20f4
0x019f20f4
0x019f20f8
0x019f20f8
0x019f20fc
0x019f2100
0x019f2106
0x019f2201
0x019f2206
0x019f220b
0x019f220e
0x019f22a9
0x019f22ac
0x00000000
0x00000000
0x019f22b2
0x019f22b5
0x01a35801
0x01a35806
0x00000000
0x00000000
0x01a35810
0x01a35815
0x01a35818
0x00000000
0x00000000
0x01a3581e
0x019f22bb
0x019f22bb
0x019f2218
0x019f2218
0x019f221c
0x019f2220
0x019f2222
0x019f22c2
0x019f22c4
0x019f22dc
0x019f22dc
0x019f22e1
0x00000000
0x00000000
0x00000000
0x019f22e7
0x019f22c8
0x019f22cd
0x019f22d3
0x019f22d6
0x01a35823
0x01a35825
0x01a35827
0x00000000
0x00000000
0x01a3582d
0x00000000
0x01a3582d
0x00000000
0x019f2228
0x019f2228
0x00000000
0x019f2228
0x019f2222
0x019f2214
0x019f2214
0x00000000
0x019f2114
0x019f2114
0x019f2114
0x019f211a
0x019f211c
0x019f2348
0x019f234d
0x01a35840
0x01a35845
0x01a35848
0x01a3584e
0x01a3584e
0x01a35848
0x019f2353
0x019f2355
0x019f2388
0x019f2388
0x019f2368
0x019f236a
0x019f236c
0x019f238f
0x00000000
0x019f236e
0x019f236e
0x019f218e
0x019f218e
0x019f2191
0x019f2195
0x01a35a03
0x01a35a06
0x01a35a0c
0x01a35a0f
0x01a35a11
0x01a35a13
0x01a35a13
0x01a35a19
0x01a35a1f
0x00000000
0x019f219b
0x019f219b
0x019f21a0
0x019f2282
0x019f2284
0x019f2284
0x019f2284
0x019f2284
0x019f21a6
0x019f21a9
0x019f21ac
0x019f21ae
0x019f21b3
0x019f228b
0x019f2290
0x019f2379
0x019f2296
0x019f2298
0x019f2298
0x019f2290
0x019f21b9
0x019f21be
0x019f22a2
0x019f22a2
0x019f21c4
0x019f21c8
0x019f21cc
0x019f21d0
0x019f21d4
0x019f21de
0x019f21e3
0x01a35a29
0x01a35a2c
0x00000000
0x00000000
0x01a35a3b
0x00000000
0x019f21e9
0x019f21e9
0x019f21e9
0x019f21ee
0x019f21f1
0x01a35a45
0x01a35a4b
0x01a35a52
0x01a35a58
0x01a35a5d
0x01a35a5f
0x01a35a71
0x01a35a61
0x01a35a6a
0x01a35a6a
0x01a35a76
0x01a35a79
0x01a35a7f
0x01a35a83
0x01a35a85
0x01a35a87
0x01a35a87
0x01a35a8c
0x01a35a91
0x01a35a97
0x01a35a9f
0x01a35aa0
0x01a35aa1
0x01a35aa6
0x01a35aab
0x01a35ab1
0x01a35ab3
0x01a35ab9
0x01a35aca
0x01a35ad4
0x01a35ad4
0x01a35ade
0x01a35ade
0x01a35aab
0x01a35a79
0x01a35a52
0x019f21f7
0x019f21f9
0x019f21fe
0x019f21fe
0x019f21e3
0x019f2195
0x019f236c
0x019f2122
0x019f2122
0x019f2124
0x019f2231
0x019f2236
0x019f2236
0x019f2238
0x019f2238
0x019f2240
0x019f2242
0x019f2244
0x01a359fc
0x019f218c
0x019f218c
0x00000000
0x019f218c
0x019f224a
0x019f224f
0x019f2256
0x019f2304
0x019f2309
0x019f230f
0x019f231e
0x019f231e
0x019f231e
0x019f2320
0x019f2325
0x019f232a
0x019f232c
0x019f233e
0x019f233e
0x00000000
0x019f232c
0x019f2311
0x019f2317
0x019f231a
0x019f231c
0x019f2380
0x019f2380
0x019f2380
0x019f2384
0x00000000
0x00000000
0x019f2386
0x00000000
0x019f231c
0x019f225c
0x019f225c
0x00000000
0x019f225c
0x019f212a
0x019f2134
0x019f2138
0x019f213d
0x01a35858
0x01a35863
0x01a35863
0x01a35867
0x01a3586a
0x00000000
0x00000000
0x01a3586c
0x01a3586c
0x01a35871
0x01a35875
0x01a35877
0x01a35997
0x01a3599c
0x01a359a1
0x01a359a7
0x01a359a7
0x00000000
0x01a359a7
0x01a3587d
0x00000000
0x01a3588b
0x01a3588b
0x01a35890
0x01a35892
0x01a35894
0x01a35899
0x01a3589b
0x01a358a0
0x01a358a0
0x01a358aa
0x01a358b2
0x01a358b6
0x01a358be
0x01a358c6
0x01a358c9
0x01a3590d
0x01a35917
0x01a3591a
0x01a3591c
0x01a35920
0x01a35928
0x01a3592a
0x01a3592c
0x01a3592e
0x01a3592e
0x01a358cb
0x01a358cd
0x01a358d8
0x01a358e0
0x01a358f4
0x01a358fe
0x01a358fe
0x01a3593a
0x01a3593e
0x01a35940
0x01a35942
0x00000000
0x01a35944
0x01a35944
0x01a35949
0x01a3594e
0x01a3594e
0x01a35953
0x01a3595b
0x01a35976
0x01a35976
0x01a3597a
0x01a3597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01a35981
0x01a35981
0x01a35981
0x01a35983
0x01a35988
0x01a3598d
0x01a35991
0x01a35991
0x00000000
0x01a3595d
0x01a3595d
0x01a35963
0x01a35965
0x00000000
0x00000000
0x00000000
0x00000000
0x01a35967
0x01a35967
0x01a3596b
0x01a3596d
0x00000000
0x00000000
0x01a3596f
0x01a35971
0x01a35971
0x01a35974
0x00000000
0x00000000
0x00000000
0x01a35974
0x00000000
0x01a35967
0x01a3595b
0x01a35942
0x01a35863
0x019f2143
0x019f2143
0x019f2149
0x019f214f
0x019f22f1
0x019f22f6
0x00000000
0x019f2173
0x019f2173
0x019f217d
0x019f2181
0x019f2186
0x01a359ae
0x01a359b2
0x01a359b5
0x01a359b7
0x01a359ba
0x01a359cd
0x01a359d1
0x01a359d5
0x01a359d9
0x01a359db
0x00000000
0x00000000
0x01a359dd
0x01a359dd
0x01a359e1
0x01a359e4
0x01a359e7
0x01a359ee
0x01a359ee
0x01a359f3
0x01a359f3
0x00000000
0x019f2186
0x019f214f
0x019f2106
0x019f2266
0x019f20d8
0x019f20da
0x019f20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6b7d5398f3ff20f54fdb607c28bb558b318c8654066791caaf5045256c7189
Instruction ID: 61ae7d49c6639f91fb2228ebc753f25a0a44c43cfe320198d7caca8b4cfb4745
Opcode Fuzzy Hash: ec6b7d5398f3ff20f54fdb607c28bb558b318c8654066791caaf5045256c7189
Instruction Fuzzy Hash: 2DF1D575A08341AFD726CF2CC480B6A7BE9BFC5724F04891DFA999B291D774D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 019DD5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E019DD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x1abd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E019D6600(0x1ab52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1ab7b9c; // 0x0
							_t281 = L019E4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E01A0F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1ab7b90; // 0x77090000
								if(_t384 == 0) {
									_t353 =  *0x1ab7b8c; // 0x1562a98
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E019E2280(_t200, 0x1ab84d8);
									_t277 =  *0x1ab85f4; // 0x1562f88
									_t351 =  *0x1ab85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x1562f20
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E019DFFB0(_t287, _t353, 0x1ab84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E01A1CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E019D6600(0x1ab52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E019D7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x1abb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E01A4E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1ab8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x1abb1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x1abb218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E019E2280(_t250, 0x1ab84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01A03898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E019DFFB0(_t293, _t353, 0x1ab84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E01A037F5(_t353, 0);
																}
																E01A00413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E019F9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E019F02D6(_t174);
																}
																L019E77F0( *0x1ab7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E019FC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L019DEC7F(_t353);
										L019F19B8(_t287, 0, _t353, 0);
										_t200 = E019CF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x1abb2f8 |  *0x1abb2fc) == 0 || ( *0x1abb2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E01A0B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x1abb2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E01A76B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E01A76AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E019DE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L019DEAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E01A09730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E019DE9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L019D8F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01A03C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x019dd5f2
0x019dd5f5
0x019dd5f5
0x019dd5fd
0x019dd600
0x019dd60a
0x019dd60d
0x019dd617
0x019dd61d
0x019dd627
0x019dd62e
0x019dd911
0x019dd913
0x00000000
0x019dd919
0x019dd919
0x019dd919
0x019dd634
0x019dd634
0x019dd634
0x019dd634
0x019dd640
0x019dd8bf
0x00000000
0x019dd646
0x019dd646
0x019dd64d
0x019dd652
0x01a2b2fc
0x01a2b2fc
0x01a2b302
0x01a2b33b
0x01a2b341
0x00000000
0x01a2b304
0x01a2b304
0x01a2b319
0x01a2b31e
0x01a2b324
0x01a2b326
0x01a2b332
0x01a2b347
0x01a2b34c
0x01a2b351
0x01a2b35a
0x00000000
0x01a2b328
0x01a2b328
0x00000000
0x01a2b328
0x01a2b326
0x019dd658
0x019dd658
0x019dd65b
0x019dd665
0x00000000
0x019dd66b
0x019dd66b
0x019dd66b
0x019dd66b
0x019dd66d
0x019dd672
0x019dd67a
0x00000000
0x00000000
0x019dd680
0x019dd686
0x019dd8ce
0x019dd8d4
0x019dd8dd
0x019dd8e0
0x019dd68c
0x019dd691
0x019dd69d
0x019dd6a2
0x019dd6a7
0x019dd6b0
0x019dd6b5
0x019dd6e0
0x019dd6b7
0x019dd6b7
0x019dd6b9
0x019dd6b9
0x019dd6bb
0x019dd6bd
0x019dd6ce
0x019dd6d0
0x019dd6d2
0x01a2b363
0x01a2b365
0x00000000
0x01a2b36b
0x00000000
0x01a2b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x019dd6bf
0x019dd6bf
0x019dd6e5
0x019dd6e7
0x019dd6e9
0x019dd6ec
0x019dd6ec
0x019dd6ef
0x019dd6f5
0x019dd6f9
0x019dd6fb
0x019dd6fd
0x019dd701
0x019dd703
0x019dd70a
0x019dd70a
0x019dd701
0x019dd710
0x019dd710
0x019dd6c1
0x019dd6c1
0x019dd6c6
0x01a2b36d
0x01a2b36f
0x00000000
0x01a2b375
0x01a2b375
0x01a2b375
0x00000000
0x01a2b375
0x00000000
0x019dd6cc
0x019dd6d8
0x019dd6d8
0x019dd6d8
0x00000000
0x019dd6c6
0x019dd6bf
0x00000000
0x019dd6da
0x019dd6da
0x019dd716
0x019dd71b
0x019dd720
0x019dd726
0x019dd726
0x019dd72d
0x00000000
0x019dd733
0x019dd739
0x019dd742
0x019dd750
0x019dd758
0x019dd764
0x019dd776
0x019dd77a
0x019dd783
0x019dd928
0x019dd92c
0x019dd93d
0x019dd944
0x019dd94f
0x019dd954
0x019dd956
0x019dd95f
0x019dd961
0x019dd973
0x019dd973
0x019dd956
0x019dd944
0x019dd92c
0x019dd78b
0x01a2b394
0x019dd791
0x019dd798
0x01a2b3a3
0x01a2b3bb
0x01a2b3bb
0x019dd7a5
0x019dd866
0x019dd870
0x019dd892
0x019dd898
0x019dd89e
0x019dd8a0
0x019dd8a6
0x019dd8ac
0x019dd8ae
0x019dd8b4
0x019dd8b4
0x019dd8ae
0x019dd7a5
0x019dd78b
0x019dd7b1
0x01a2b3c5
0x01a2b3c5
0x019dd7c3
0x019dd7ca
0x019dd7e5
0x019dd7eb
0x019dd8eb
0x019dd8ed
0x00000000
0x019dd8f3
0x019dd8f3
0x019dd8f3
0x00000000
0x019dd8ed
0x019dd7cc
0x019dd7cc
0x019dd7d2
0x00000000
0x019dd7d4
0x019dd7d4
0x019dd7d7
0x019dd7df
0x01a2b3d4
0x01a2b3d9
0x01a2b3dc
0x01a2b3dc
0x01a2b3df
0x01a2b3e2
0x01a2b468
0x01a2b46d
0x01a2b46f
0x01a2b46f
0x01a2b475
0x019dd8f8
0x019dd8f9
0x019dd8fd
0x01a2b3e8
0x01a2b3e8
0x01a2b3eb
0x01a2b3ed
0x00000000
0x01a2b3ef
0x01a2b3ef
0x01a2b3f1
0x01a2b3f4
0x01a2b3fe
0x01a2b404
0x01a2b409
0x01a2b40e
0x01a2b410
0x01a2b410
0x01a2b414
0x01a2b414
0x01a2b41b
0x01a2b420
0x01a2b423
0x01a2b425
0x01a2b427
0x01a2b42a
0x01a2b42d
0x01a2b42d
0x01a2b42a
0x01a2b432
0x01a2b436
0x01a2b438
0x01a2b43b
0x01a2b43b
0x01a2b449
0x01a2b44e
0x01a2b454
0x01a2b458
0x01a2b458
0x01a2b45d
0x00000000
0x01a2b45d
0x01a2b3ed
0x00000000
0x00000000
0x00000000
0x019dd7df
0x019dd7d2
0x019dd7ca
0x01a2b37c
0x01a2b37e
0x01a2b385
0x01a2b38a
0x00000000
0x01a2b38a
0x019dd742
0x019dd7f1
0x019dd7f8
0x01a2b49b
0x01a2b49b
0x019dd800
0x019dd837
0x019dd843
0x019dd845
0x019dd847
0x019dd84a
0x019dd84b
0x019dd84e
0x019dd857
0x019dd818
0x019dd824
0x019dd831
0x01a2b4a5
0x01a2b4ab
0x01a2b4b3
0x01a2b4b8
0x01a2b4bb
0x00000000
0x01a2b4c1
0x01a2b4c1
0x01a2b4c8
0x00000000
0x01a2b4ce
0x01a2b4d4
0x01a2b4e1
0x01a2b4e3
0x01a2b4e5
0x00000000
0x01a2b4eb
0x01a2b4f0
0x01a2b4f2
0x019ddac9
0x019ddacc
0x019ddacf
0x019ddad1
0x019ddd78
0x019ddd78
0x019ddcf2
0x00000000
0x019ddad7
0x019ddad9
0x019ddadb
0x00000000
0x00000000
0x019ddae1
0x019ddae1
0x019ddae4
0x019ddae6
0x01a2b4f9
0x01a2b4f9
0x01a2b500
0x019ddaec
0x019ddaec
0x019ddaf5
0x019ddaf8
0x019ddafb
0x019ddb03
0x019ddb11
0x019ddb16
0x019ddb19
0x019ddb1b
0x01a2b52c
0x01a2b531
0x01a2b534
0x019ddb21
0x019ddb21
0x019ddb24
0x019ddcd9
0x019ddce2
0x019ddce5
0x019ddd6a
0x019ddd6d
0x00000000
0x019ddd73
0x01a2b51a
0x01a2b51c
0x01a2b51f
0x01a2b524
0x00000000
0x01a2b524
0x019ddce7
0x019ddce7
0x019ddce7
0x00000000
0x019ddce7
0x00000000
0x019ddb2a
0x019ddb2c
0x019ddb31
0x019ddb33
0x019ddb36
0x019ddb39
0x019ddb3b
0x019ddb66
0x019ddb66
0x019ddb3d
0x019ddb3d
0x019ddb3e
0x019ddb46
0x019ddb47
0x019ddb49
0x019ddb4c
0x019ddb53
0x019ddb55
0x019ddb58
0x019ddb5a
0x01a2b50a
0x01a2b50f
0x01a2b512
0x019ddb60
0x019ddb60
0x019ddb63
0x019ddb63
0x00000000
0x019ddb63
0x019ddb5a
0x019ddb3b
0x019ddb24
0x019ddb69
0x019ddb69
0x019ddb6c
0x019ddb6f
0x019ddb74
0x01a2b557
0x01a2b557
0x01a2b55e
0x019ddb7a
0x019ddb7c
0x019ddb7f
0x019ddb82
0x019ddb85
0x00000000
0x019ddb8b
0x019ddb8b
0x019ddb8d
0x019ddb9b
0x019ddb9b
0x019ddb9d
0x019ddba0
0x019ddba2
0x019ddba4
0x019ddba7
0x019ddba9
0x019ddbae
0x019ddbae
0x019ddbb1
0x019ddbb4
0x019ddbb4
0x019ddbb7
0x019ddbba
0x019ddcd2
0x019ddcd4
0x00000000
0x019ddbc0
0x019ddbc0
0x019ddbd2
0x019ddbd7
0x019ddbda
0x019ddbdd
0x019ddbdf
0x00000000
0x019ddbe5
0x019ddbe5
0x019ddbee
0x019ddbf1
0x01a2b541
0x01a2b544
0x00000000
0x01a2b546
0x01a2b546
0x00000000
0x01a2b546
0x019ddbf7
0x019ddbf7
0x019ddbfd
0x019ddbfd
0x019ddbff
0x019ddc0b
0x019ddc15
0x019ddc1b
0x019ddc1d
0x019ddc21
0x019ddc21
0x019ddc23
0x019ddc23
0x019ddc26
0x019ddc29
0x019ddc2b
0x00000000
0x00000000
0x019ddc31
0x019ddc34
0x019ddc36
0x019ddcbf
0x019ddcbf
0x019ddcc2
0x00000000
0x019ddc3c
0x019ddc41
0x019ddc43
0x00000000
0x019ddc45
0x019ddc45
0x019ddc47
0x00000000
0x019ddc4d
0x019ddc4d
0x019ddc50
0x019ddc52
0x019ddc55
0x019ddcfa
0x019ddcfe
0x019ddd08
0x019ddd0a
0x019ddd0c
0x00000000
0x019ddd12
0x019ddd15
0x019ddd2d
0x019ddd2f
0x019ddd32
0x019ddd35
0x00000000
0x019ddd35
0x019ddc5b
0x019ddc5b
0x019ddc5e
0x019ddc61
0x019ddc64
0x019ddc67
0x019ddc67
0x019ddc6a
0x019ddc6c
0x019ddc8e
0x019ddc8e
0x019ddc91
0x019ddc93
0x019ddcce
0x019ddcce
0x019ddc95
0x019ddc9c
0x019ddc6e
0x019ddc72
0x019ddc75
0x019ddc77
0x019ddc79
0x01a2b551
0x01a2b551
0x00000000
0x019ddc7f
0x019ddc7f
0x019ddc81
0x00000000
0x019ddc83
0x019ddc86
0x019ddc88
0x00000000
0x00000000
0x00000000
0x00000000
0x019ddc88
0x019ddc81
0x019ddc79
0x019ddc6c
0x019ddc55
0x019ddc47
0x019ddc43
0x00000000
0x019ddc36
0x019ddc23
0x00000000
0x019ddbff
0x019ddbf1
0x019ddbdf
0x019ddb8f
0x019ddb92
0x019ddb95
0x00000000
0x00000000
0x00000000
0x00000000
0x019ddb95
0x019ddb8d
0x019ddb85
0x019ddb74
0x019ddc9f
0x019ddca2
0x019ddcb0
0x019ddcb0
0x019ddad1
0x01a2b4e5
0x01a2b4c8
0x00000000
0x00000000
0x00000000
0x019dd831
0x00000000
0x019dd800
0x01a2b47f
0x01a2b485
0x00000000
0x01a2b485
0x019dd665
0x019dd652
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc0e91465f6415b690683280a8f09f6260ab8a7735b108d689ddcec8b15ff4c
Instruction ID: bd05c7e0f0f51e1f9899172a84c9de666ace6e54204c1fde04bab9153fddccf7
Opcode Fuzzy Hash: 6cc0e91465f6415b690683280a8f09f6260ab8a7735b108d689ddcec8b15ff4c
Instruction Fuzzy Hash: FCE1B174A0039A8FEB25CF6CC980BA9BBF5BF85304F0581D9D90D972D2D774A981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019D849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E019D849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x1a9f9c0);
				E01A1D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x1ab7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E019DCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E019E2280( *[fs:0x30], 0x1ab8550);
						_t139 =  *0x1ab7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E019FF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E019DFFB0(_t193, _t235, 0x1ab8550);
								L5:
								return E01A1D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E019C1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1ab7b9c; // 0x0
							_t235 = L019E4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x1ab7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E019FA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E019DFFB0(_t193, _t235, 0x1ab8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L019E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L019E77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x1ab7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x1ab7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E01A037C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x1ab7b9c; // 0x0
									_t214 = L019E4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E01A037F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x1ab7b10 =  *0x1ab7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x1ab7b04 =  *0x1ab7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L019E77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L019E77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x1ab7b08 =  *0x1ab7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E01A057C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E01A0F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L019E77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E019FA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L019E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E01A096C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x019d849b
0x019d849b
0x019d849b
0x019d849b
0x019d849d
0x019d84a2
0x019d84a7
0x019d84b1
0x019d84d8
0x00000000
0x019d84b3
0x019d84c4
0x019d84c9
0x019d84cd
0x019d84cf
0x019d84cf
0x019d84d6
0x019d84e6
0x019d84e9
0x019d84ec
0x019d84ef
0x019d84f2
0x019d84f4
0x019d84fc
0x019d8501
0x019d8506
0x019d8509
0x019d86e0
0x019d86e5
0x019d86e8
0x019d86ed
0x019d86f0
0x019d86f2
0x01a29afd
0x01a29b02
0x019d84da
0x019d84df
0x019d84df
0x019d86fa
0x019d86fd
0x019d86fe
0x019d8701
0x019d8706
0x019d8709
0x019d870b
0x00000000
0x00000000
0x019d8711
0x019d8725
0x019d8727
0x019d872a
0x019d872c
0x01a29af0
0x01a29af5
0x019d8732
0x019d8732
0x019d8732
0x019d8735
0x019d8737
0x019d8515
0x019d8515
0x019d8518
0x019d851d
0x019d8523
0x019d8527
0x019d852b
0x019d8537
0x019d8539
0x019d853c
0x019d853e
0x019d868c
0x019d8691
0x019d8699
0x019d869b
0x019d8744
0x019d8748
0x019d86a1
0x019d86a1
0x019d86a1
0x019d86a4
0x019d86a8
0x01a29bdf
0x01a29bdf
0x019d86ae
0x019d86b0
0x00000000
0x019d86b6
0x00000000
0x01a29be9
0x019d86b0
0x019d8544
0x019d854a
0x019d854d
0x019d8551
0x019d876e
0x019d8778
0x019d877b
0x019d8780
0x019d8557
0x019d8557
0x019d855d
0x019d855d
0x019d856b
0x019d856e
0x019d8570
0x019d8573
0x019d8576
0x019d8576
0x019d8579
0x019d857b
0x00000000
0x00000000
0x019d8581
0x019d85a0
0x019d85a2
0x019d85a5
0x019d85a7
0x01a29b1b
0x01a29b1b
0x019d862e
0x019d862e
0x019d8631
0x019d8631
0x019d8634
0x019d8636
0x019d8669
0x019d8669
0x019d866b
0x01a29bbf
0x01a29bc4
0x01a29bc8
0x01a29bce
0x01a29bce
0x019d8671
0x019d8671
0x019d8674
0x019d8676
0x01a29bae
0x01a29bae
0x019d8676
0x019d867c
0x019d867e
0x019d8688
0x019d8688
0x00000000
0x019d867e
0x019d8638
0x019d8638
0x019d863b
0x019d863e
0x019d863f
0x019d8642
0x019d8645
0x019d8648
0x019d864d
0x01a29b69
0x01a29b6e
0x01a29b7b
0x01a29b81
0x01a29b85
0x01a29b89
0x01a29ba7
0x01a29b8b
0x01a29b91
0x01a29b9a
0x01a29b9f
0x01a29b9f
0x019d8788
0x019d878d
0x019d8763
0x019d8763
0x019d8766
0x00000000
0x019d8766
0x01a29b70
0x00000000
0x01a29b70
0x019d8656
0x019d865a
0x019d865c
0x019d8752
0x019d8756
0x00000000
0x00000000
0x019d875e
0x00000000
0x019d875e
0x019d8662
0x019d8662
0x019d8662
0x019d8666
0x00000000
0x019d8666
0x019d85b7
0x019d85b9
0x019d85bc
0x019d85bf
0x019d85cc
0x019d85d1
0x019d85d4
0x019d85db
0x019d85de
0x019d85e0
0x01a29b5f
0x00000000
0x01a29b5f
0x019d85e6
0x019d85ea
0x019d86c3
0x019d86c5
0x019d86c8
0x019d86ca
0x01a29b16
0x00000000
0x01a29b16
0x019d86d6
0x019d85f6
0x019d85f6
0x019d85f9
0x019d8602
0x019d8606
0x019d860a
0x019d860b
0x019d860e
0x019d8611
0x00000000
0x019d8611
0x019d85f3
0x00000000
0x019d85f3
0x019d8619
0x019d861e
0x019d861e
0x019d8621
0x019d8622
0x019d8623
0x019d8625
0x019d862c
0x00000000
0x019d873d
0x00000000
0x019d873d
0x019d8737
0x019d850f
0x019d8512
0x00000000
0x019d8512
0x00000000
0x019d84d6

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0985f64d50ad73a1920416e2483b2ca77baf453cbe15e36b6f94374ff09ec8f
Instruction ID: 9d443304952a57992cfb8175b2cec619193a0ebc8b3b90a4385c905419af1762
Opcode Fuzzy Hash: d0985f64d50ad73a1920416e2483b2ca77baf453cbe15e36b6f94374ff09ec8f
Instruction Fuzzy Hash: D2B18E74E00259DFDB19CFD9C984AAEBBB9FF88704F108529E509AB246D770A842CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019F513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E019F513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1abd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E01A0D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E019E2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L019E4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E01A0F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E019DFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x1abb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E01A0B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x019f5142
0x019f514c
0x019f5150
0x019f5157
0x019f5159
0x019f515e
0x019f5165
0x019f5169
0x019f516c
0x019f5172
0x019f5176
0x019f517a
0x019f517a
0x019f517a
0x019f517f
0x01a36d8b
0x01a36d8e
0x01a36d91
0x01a36d95
0x01a36d98
0x01a36d9c
0x01a36da0
0x01a36da3
0x01a36da7
0x01a36e26
0x01a36e26
0x01a36e2a
0x019f51f9
0x019f51f9
0x019f51fe
0x01a36e33
0x01a36e33
0x01a36e39
0x01a36e3d
0x01a36e46
0x01a36e50
0x00000000
0x00000000
0x01a36e52
0x01a36e53
0x01a36e56
0x01a36e5d
0x00000000
0x00000000
0x00000000
0x01a36e5f
0x01a36e67
0x01a36e77
0x01a36e7f
0x01a36e80
0x01a36e88
0x01a36e90
0x01a36e9f
0x01a36ea5
0x01a36ea9
0x01a36eb1
0x01a36ebf
0x00000000
0x00000000
0x01a36ecf
0x01a36ed3
0x00000000
0x00000000
0x01a36edb
0x01a36ede
0x01a36ee1
0x01a36ee8
0x01a36eeb
0x01a36eed
0x01a36ef0
0x01a36ef4
0x01a36ef8
0x01a36efc
0x00000000
0x00000000
0x01a36f0d
0x01a36f11
0x01a36f32
0x01a36f37
0x01a36f3b
0x01a36f3e
0x01a36f41
0x01a36f46
0x00000000
0x00000000
0x01a36f4c
0x01a36f50
0x01a36f50
0x01a36f54
0x01a36f62
0x01a36f65
0x01a36f6d
0x01a36f7b
0x01a36f7b
0x01a36f93
0x01a36f98
0x01a36fa0
0x01a36fa6
0x01a36fb3
0x01a36fb6
0x01a36fbf
0x01a36fc1
0x01a36fd5
0x01a36fda
0x01a36fda
0x01a36fdd
0x01a36fe2
0x01a36fe7
0x01a36feb
0x01a36fef
0x01a36ff3
0x019f520c
0x019f520c
0x019f520f
0x019f5215
0x019f5234
0x019f523a
0x019f523a
0x019f5244
0x019f5245
0x019f5246
0x019f5251
0x019f5251
0x01a36f13
0x01a36f17
0x01a36f17
0x01a36f18
0x01a36f1b
0x01a36f1f
0x01a36f23
0x00000000
0x01a36f28
0x019f5204
0x019f5204
0x019f5208
0x00000000
0x019f5208
0x019f5185
0x019f5188
0x019f518a
0x019f518e
0x019f5195
0x01a36db1
0x01a36db5
0x01a36db9
0x019f519b
0x019f519b
0x019f519e
0x019f51a7
0x019f51a9
0x019f51a9
0x019f51b5
0x019f51b8
0x019f51bb
0x019f51be
0x019f51c1
0x019f51c5
0x019f51c9
0x019f51cd
0x019f51cd
0x019f51d8
0x019f51dc
0x019f51e0
0x01a36dcc
0x01a36dd0
0x01a36dd5
0x01a36ddd
0x01a36de1
0x01a36de1
0x01a36de5
0x01a36deb
0x01a36df1
0x01a36df7
0x01a36dfd
0x01a36e01
0x01a36e05
0x01a36e09
0x01a36e0d
0x01a36e11
0x01a36e11
0x019f51eb
0x01a36e1a
0x01a36e1f
0x01a36e21
0x01a36e23
0x00000000
0x019f51f1
0x019f51f1
0x00000000
0x019f51f1

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed3b4191fb78d8556a3b971b6b4d85dcea293c90f12d5ab64a61e917e194415
Instruction ID: 2c7bf9385eb0e7e004020c2e293f040cb2e96989e60385ca8e210ca8c5cfffd1
Opcode Fuzzy Hash: aed3b4191fb78d8556a3b971b6b4d85dcea293c90f12d5ab64a61e917e194415
Instruction Fuzzy Hash: 48C131B55083819FE355CF28C580A5AFBF1BF88304F188A6EF9998B352D370E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019F03E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E019F03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x1abd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E019F0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E01A0B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E019DB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1ab7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E019E7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E019E7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01A47016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01A09830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E01A469A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1ab7c04 != 0) {
						_t118 = _v12;
						_t120 = E01A4A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1ab7bd8;
						if( *0x1ab7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E01A095D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E01A099A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01A43540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E019CB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E01A0AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1ab8474 - 3;
										if( *0x1ab8474 != 3) {
											 *0x1ab79dc =  *0x1ab79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E019E7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E019E7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01A47016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1ab8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1ab7b00; // 0x0
							asm("ror esi, cl");
							 *0x1abb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E01A095D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E019D7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x019f03f1
0x019f03f7
0x019f03f9
0x019f03fb
0x019f03fd
0x019f0400
0x019f040a
0x01a34c7a
0x019f0537
0x019f0547
0x019f0410
0x019f0410
0x019f0414
0x019f0417
0x019f041a
0x019f0421
0x019f0424
0x019f042b
0x019f043b
0x019f043e
0x019f043f
0x019f043f
0x019f0446
0x019f0449
0x019f044c
0x019f044f
0x019f0459
0x01a34c8d
0x019f045f
0x019f045f
0x019f045f
0x019f0467
0x01a34c97
0x01a34c9d
0x01a34ca4
0x01a34caa
0x01a34caf
0x01a34cb1
0x01a34cc3
0x01a34cb3
0x01a34cbc
0x01a34cbc
0x01a34cc8
0x01a34ccb
0x01a34cd7
0x01a34cda
0x01a34cdf
0x01a34cdf
0x01a34ccb
0x01a34ca4
0x019f046d
0x019f046f
0x019f046f
0x019f0471
0x019f0476
0x019f047a
0x019f047b
0x019f0483
0x019f0489
0x019f048d
0x00000000
0x00000000
0x01a34ce9
0x01a34cef
0x01a34d22
0x01a34d22
0x00000000
0x01a34d22
0x01a34cf1
0x01a34cf7
0x00000000
0x00000000
0x01a34cf9
0x01a34cff
0x00000000
0x00000000
0x01a34d05
0x01a34d07
0x00000000
0x00000000
0x01a34d0d
0x01a34d0f
0x01a34d14
0x01a34d16
0x00000000
0x00000000
0x01a34d1c
0x01a34d1c
0x019f0499
0x019f0535
0x019f0535
0x00000000
0x019f0535
0x019f04a6
0x01a34d2c
0x01a34d37
0x01a34d39
0x01a34d3b
0x00000000
0x00000000
0x01a34d41
0x01a34d48
0x019f0527
0x019f052b
0x019f052d
0x019f0530
0x019f0530
0x00000000
0x019f052b
0x01a34d4e
0x019f04ac
0x019f04ac
0x019f04af
0x019f04b2
0x019f04b7
0x019f04b9
0x019f04bb
0x019f04bd
0x019f04bf
0x019f04c5
0x019f04c9
0x01a34d53
0x01a34d59
0x01a34db9
0x01a34dba
0x01a34dbf
0x01a34dc2
0x01a34dc4
0x01a34dc7
0x01a34dce
0x00000000
0x01a34dce
0x01a34d5b
0x01a34d61
0x00000000
0x00000000
0x01a34d63
0x01a34d69
0x00000000
0x00000000
0x01a34d6b
0x01a34d6e
0x01a34d74
0x01a34d76
0x01a34d7c
0x01a34d7e
0x01a34d84
0x01a34d89
0x01a34d8c
0x01a34d8d
0x01a34d92
0x01a34d95
0x01a34d96
0x01a34d98
0x01a34d9a
0x01a34d9f
0x01a34da4
0x01a34da6
0x01a34da8
0x01a34daf
0x01a34db1
0x01a34db1
0x01a34daf
0x01a34da6
0x01a34d84
0x01a34d7c
0x00000000
0x01a34d74
0x019f04d6
0x01a34de1
0x019f04dc
0x019f04dc
0x019f04dc
0x019f04e4
0x01a34deb
0x01a34df1
0x01a34df8
0x01a34dfe
0x01a34e03
0x01a34e05
0x01a34e17
0x01a34e07
0x01a34e10
0x01a34e10
0x01a34e1c
0x01a34e1f
0x01a34e35
0x01a34e35
0x01a34e1f
0x01a34df8
0x019f04f1
0x019f04fa
0x01a34e3f
0x01a34e47
0x01a34e5b
0x01a34e61
0x01a34e67
0x01a34e69
0x01a34e71
0x01a34e73
0x019f0500
0x019f0500
0x019f0500
0x019f04fa
0x019f0508
0x019f051d
0x019f051d
0x019f051f
0x019f0524
0x00000000
0x019f0524
0x019f0515
0x019f0517
0x01a34e7a
0x01a34e7c
0x00000000
0x00000000
0x01a34e85
0x00000000
0x01a34e85
0x00000000
0x019f0517

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b39ff63667c64fd08fbd4e6b958e163095097d89cac6ac765688de1fb827f75
Instruction ID: 08f404a26b94453bb5c54615356f4a9e5b0ebb5e039eb4b982095e715dd0250c
Opcode Fuzzy Hash: 2b39ff63667c64fd08fbd4e6b958e163095097d89cac6ac765688de1fb827f75
Instruction Fuzzy Hash: 53917C31E00255AFEB32CB6CC848BBD7BE9EB85724F090265FA15A72D2E7749C40C781

Uniqueness

Uniqueness Score: -1.00%

Function 019CC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E019CC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x1abd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E019D6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E01A0B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x1ab7b9c; // 0x0
					_t74 = L019E4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E01A09650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L019E77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E01A0F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E01A013C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L019E77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E01A09650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x019cc608
0x019cc615
0x019cc625
0x019cc62d
0x019cc635
0x019cc640
0x019cc680
0x019cc687
0x019cc688
0x019cc689
0x019cc694
0x019cc694
0x019cc642
0x019cc64a
0x019cc697
0x01a37a25
0x01a37a2b
0x01a37a2e
0x01a37a30
0x01a37bea
0x01a37bea
0x00000000
0x01a37bea
0x01a37a36
0x01a37a43
0x01a37a48
0x01a37a4c
0x01a37a4e
0x00000000
0x00000000
0x01a37a58
0x01a37a5a
0x01a37a5b
0x01a37a5c
0x01a37a5d
0x01a37a63
0x01a37a64
0x01a37a6a
0x01a37a6c
0x01a37a6e
0x01a379cb
0x01a379cb
0x01a379ce
0x01a379d0
0x01a37a98
0x01a37a9b
0x01a37a9b
0x01a37a9e
0x01a37aa1
0x01a37bbe
0x01a37bbe
0x01a37bc0
0x01a37be0
0x01a37be0
0x01a37a01
0x01a37a01
0x01a37a05
0x01a37a07
0x01a37a15
0x01a37a15
0x01a37a1a
0x00000000
0x01a37a1a
0x01a37bc2
0x01a37bc6
0x01a37bc9
0x01a37bcd
0x01a37bcf
0x01a379e6
0x01a379e6
0x01a379eb
0x01a379eb
0x01a379ef
0x01a379f1
0x00000000
0x00000000
0x01a379f3
0x01a379f5
0x01a379ff
0x01a379ff
0x00000000
0x01a379ff
0x01a379f7
0x01a379fd
0x00000000
0x00000000
0x00000000
0x01a379fd
0x01a37bd5
0x01a37bd8
0x00000000
0x00000000
0x01a37ba9
0x01a37bac
0x01a37bb0
0x01a37bb1
0x01a37bb1
0x01a37bb6
0x00000000
0x01a37bb6
0x01a37aa7
0x01a37aaa
0x00000000
0x00000000
0x01a37ab2
0x01a37ab3
0x01a37ab5
0x01a37aec
0x01a37aef
0x01a37b25
0x01a37b28
0x01a37b62
0x01a37b64
0x01a37b8f
0x01a37b92
0x01a37b96
0x01a37b98
0x00000000
0x00000000
0x01a37b9e
0x01a37b9f
0x01a37ba3
0x00000000
0x01a37ba3
0x01a37b66
0x01a37b68
0x01a37ae2
0x01a37ae2
0x00000000
0x01a37ae2
0x01a37b6e
0x01a37b72
0x01a37b75
0x01a37b81
0x01a37b85
0x01a37b87
0x00000000
0x00000000
0x01a37b31
0x01a37b34
0x01a37b3c
0x01a37b45
0x01a37b46
0x01a37b4f
0x01a37b51
0x01a37b57
0x01a37b59
0x01a37b59
0x00000000
0x01a37b59
0x01a37b77
0x00000000
0x01a37b77
0x01a37b2a
0x00000000
0x01a37b2a
0x01a37af1
0x01a37af3
0x00000000
0x00000000
0x01a37afb
0x01a37afc
0x01a37afe
0x00000000
0x00000000
0x01a37b00
0x01a37b03
0x00000000
0x00000000
0x01a37b05
0x01a37b09
0x01a37b0d
0x01a37b0f
0x00000000
0x00000000
0x01a37b18
0x01a37b1d
0x00000000
0x01a37b1d
0x01a37ab7
0x01a37ab9
0x00000000
0x00000000
0x01a37abf
0x01a37ac1
0x00000000
0x00000000
0x01a37ac3
0x01a37ac6
0x00000000
0x00000000
0x01a37ac8
0x01a37acc
0x01a37ad0
0x01a37ad2
0x00000000
0x00000000
0x01a37adb
0x00000000
0x01a37adb
0x01a379d6
0x01a379d9
0x01a379dc
0x01a37a91
0x01a37a94
0x00000000
0x01a37a94
0x01a379e2
0x00000000
0x01a379e2
0x01a37a74
0x01a37a7a
0x00000000
0x00000000
0x01a37a8a
0x01a37a21
0x01a37a21
0x00000000
0x01a37a21
0x019cc650
0x019cc651
0x019cc656
0x019cc65c
0x019cc65d
0x019cc663
0x019cc664
0x019cc66a
0x019cc66e
0x01a379c5
0x01a379c7
0x00000000
0x01a379c7
0x019cc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd36c53b8432763021525d5499ba4ad91090e298a865dc3e9c140f739e29509
Instruction ID: fed8673cf2528930f9209a0bd88470f4ddc63c32d21183cc9f5a97055acc1dd6
Opcode Fuzzy Hash: 6fd36c53b8432763021525d5499ba4ad91090e298a865dc3e9c140f739e29509
Instruction Fuzzy Hash: 1F8181B5A442429FDB26CF98C880B7AB7E4EBC4354F18495AFE46DB241D330DD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A5B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E01A5B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1ab7b9c; // 0x0
				_t124 = L019E4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01A09800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E01A095B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E01A095D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L019E77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01A09910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E01A095D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1ab7b9c; // 0x0
									_t92 = L019E4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01A09910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E019CA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E01A5E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E01A5E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E01A095B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x01a5b8d9
0x01a5b8e4
0x00000000
0x01a5b8e6
0x01a5b8f3
0x01a5b8f5
0x01a5b8f5
0x01a5b8f8
0x01a5b920
0x01a5b924
0x01a5b936
0x01a5b939
0x01a5b93d
0x01a5b948
0x01a5b9a0
0x01a5b9a0
0x01a5b9a4
0x01a5b9bf
0x01a5b9c4
0x01a5b9c6
0x01a5b9cd
0x01a5b9d1
0x01a5bad4
0x01a5bad8
0x01a5bada
0x01a5badc
0x01a5badc
0x01a5badf
0x01a5bae0
0x01a5bae2
0x01a5bae4
0x01a5baec
0x01a5baee
0x01a5baf0
0x01a5baf0
0x01a5baec
0x01a5bafb
0x01a5bafc
0x01a5bafe
0x01a5bb01
0x01a5bb01
0x00000000
0x01a5bb06
0x01a5b9d7
0x01a5b9db
0x01a5b9db
0x01a5b9de
0x01a5b9de
0x01a5b9e4
0x01a5b9e7
0x01a5b9ea
0x01a5b9ec
0x01a5b9ef
0x01a5b9f3
0x01a5ba1b
0x01a5ba1b
0x01a5ba23
0x01a5ba24
0x01a5ba27
0x01a5ba2a
0x01a5ba2b
0x01a5ba2e
0x01a5ba30
0x01a5ba37
0x01a5ba3f
0x01a5ba9c
0x01a5baa2
0x01a5bb13
0x01a5bb15
0x01a5baae
0x01a5baae
0x01a5bab3
0x01a5bab5
0x01a5baba
0x01a5bac8
0x01a5bac8
0x01a5baba
0x01a5bacd
0x01a5bacf
0x00000000
0x01a5bacf
0x01a5bb1a
0x00000000
0x01a5bb1c
0x01a5baa7
0x01a5bb11
0x00000000
0x01a5bb11
0x01a5baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x01a5ba41
0x01a5ba41
0x01a5ba41
0x01a5ba58
0x01a5ba5d
0x01a5ba62
0x00000000
0x00000000
0x01a5ba64
0x01a5ba67
0x01a5ba68
0x01a5ba69
0x01a5ba6c
0x01a5ba6f
0x01a5ba71
0x01a5ba78
0x01a5ba80
0x00000000
0x00000000
0x01a5ba90
0x01a5ba90
0x01a5ba97
0x00000000
0x01a5ba97
0x01a5b9f5
0x01a5b9f7
0x01a5b9f7
0x01a5b9fa
0x01a5ba03
0x01a5ba07
0x01a5ba0c
0x01a5ba10
0x01a5ba17
0x00000000
0x01a5b9f7
0x01a5b9a6
0x01a5b9a8
0x01a5b9af
0x01a5b9b3
0x00000000
0x00000000
0x01a5b9b9
0x00000000
0x01a5b9b9
0x01a5b94d
0x01a5b98f
0x01a5b995
0x01a5b999
0x01a5b960
0x01a5b967
0x01a5b968
0x01a5b96a
0x00000000
0x01a5b96a
0x01a5b99b
0x01a5b99e
0x00000000
0x00000000
0x00000000
0x01a5b99e
0x01a5b951
0x01a5b954
0x01a5b95a
0x01a5b95e
0x01a5b972
0x01a5b979
0x01a5b97d
0x01a5b97f
0x01a5b980
0x01a5b982
0x01a5b984
0x00000000
0x01a5b984
0x00000000
0x01a5b926
0x00000000
0x01a5b926

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2d521eea1b230f781e2f45ddd0c82f2b5708fb9861d4990cff07f8e914ab51
Instruction ID: c81f5445a0cae245e3f89c8fa62c993d6171ce90af79b990f07805b1207acf6a
Opcode Fuzzy Hash: fa2d521eea1b230f781e2f45ddd0c82f2b5708fb9861d4990cff07f8e914ab51
Instruction Fuzzy Hash: C8712332204702EFE772CF28C945F66BBF6EB40722F154528EA59872E1DB71E940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A46DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01A46DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E01A46B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E019E7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E01A09AE0();
					_t87 = L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E01A4795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E01A4795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E01A4795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E01A4795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L019E4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E01A46B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E01A46B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E01A46B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E01A46B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E019E7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E01A09AE0();
								L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L019E2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L019E2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L019E2400( &_v52);
							}
							if(_v28 >= 0) {
								return L019E2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x01a46dd4
0x01a46dde
0x01a46de1
0x01a46de3
0x01a46de6
0x01a46de9
0x01a46dec
0x01a46def
0x01a46df2
0x01a46df5
0x01a46dfe
0x01a46e04
0x01a46e09
0x01a46e0d
0x01a46e18
0x01a46e1b
0x01a46e22
0x01a46e2d
0x01a46e30
0x01a46e36
0x01a46e42
0x01a46e4d
0x01a46e50
0x01a46e55
0x01a46e5c
0x01a46e6e
0x01a46e5e
0x01a46e67
0x01a46e67
0x01a46e73
0x01a46e74
0x01a46e77
0x01a46e7c
0x01a46e7d
0x01a46e8e
0x01a46e93
0x01a46e9c
0x01a46ea8
0x01a46eab
0x01a46eac
0x01a46eb3
0x01a46ecd
0x01a46edc
0x01a46ee2
0x01a46ee5
0x01a46ef2
0x01a46efb
0x01a46f01
0x01a46f06
0x01a46f0b
0x01a46f11
0x01a46f1a
0x01a46f22
0x01a46f26
0x01a46f26
0x01a46f33
0x01a46f41
0x01a46f44
0x01a46f47
0x01a46f54
0x01a46f65
0x01a46f77
0x01a46f7c
0x01a46f82
0x01a46f91
0x01a46f99
0x01a46fa3
0x01a46fae
0x01a46fae
0x01a46fba
0x01a46fbb
0x01a46fbc
0x01a46fc1
0x01a46fc2
0x01a46fd3
0x01a46fd8
0x01a46fd8
0x01a46fdf
0x01a46fe8
0x01a46fee
0x01a46fee
0x01a46ff5
0x01a46ffb
0x01a46ffb
0x01a47004
0x00000000
0x01a4700a
0x01a47004
0x01a46eb3
0x01a46e9c
0x01a47015

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: fbc435ebfc84e6dc52679b5a8e1cdb69a9ba98ad83e7cde185c5d16cb910901b
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: D8716E71A00209EFDB11DFA8C984EEEBBF9FF88710F144569E509E7250DB30AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019C52A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E019C52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E019DEEF0(0x1ab79a0);
					_t104 =  *0x1ab8210; // 0x1562c68
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E019DEB70(_t93, 0x1ab79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01A09890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E019DEEF0(0x1ab79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E019DEB70(0, 0x1ab79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x1562c75
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E019FF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E019DEEF0(0x1ab79a0);
									__eflags =  *0x1ab8210 - _t104; // 0x1562c68
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1ab8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E01A44888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E019DEB70(_t95, 0x1ab79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E01A095D0();
											L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E01A095D0();
											L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E019DEB70(_t93, 0x1ab79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E01A095D0();
										L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E01A095D0();
										L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E019FF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x019c52a5
0x019c52ad
0x019c52b0
0x019c52b3
0x019c52b7
0x019c52ba
0x019c52bf
0x019c52c4
0x019c52cc
0x00000000
0x00000000
0x019c52ce
0x019c52d9
0x019c52dd
0x019c52e7
0x019c52f7
0x019c52f9
0x019c52fd
0x01a20dcf
0x01a20dd5
0x01a20dd6
0x01a20dd7
0x01a20dd8
0x01a20dd9
0x01a20dde
0x01a20ddf
0x01a20de0
0x01a20de1
0x01a20de2
0x01a20de5
0x01a20dea
0x01a20dec
0x01a20f60
0x01a20f64
0x01a20f70
0x01a20f76
0x01a20f79
0x01a20f79
0x00000000
0x01a20f64
0x01a20df2
0x01a20df7
0x01a20e04
0x01a20e0d
0x01a20e0d
0x01a20e10
0x01a20e1a
0x01a20e1c
0x01a20e4c
0x01a20e52
0x01a20e61
0x01a20e67
0x01a20e6b
0x01a20e70
0x01a20e76
0x01a20ed7
0x01a20edc
0x01a20ee0
0x01a20ee6
0x01a20eea
0x01a20eed
0x01a20ef0
0x01a20ef3
0x01a20ef6
0x01a20ef9
0x01a20efe
0x01a20f01
0x01a20f01
0x01a20f0b
0x01a20f12
0x01a20f16
0x01a20f18
0x01a20f1b
0x01a20f2c
0x01a20f31
0x01a20f31
0x01a20f35
0x01a20f39
0x01a20f3a
0x01a20f3c
0x01a20f3f
0x01a20f50
0x01a20f55
0x01a20f55
0x01a20f59
0x019c52eb
0x019c52f1
0x019c52f1
0x01a20e7d
0x01a20e84
0x01a20e88
0x01a20e8a
0x01a20e8d
0x01a20e9e
0x01a20ea3
0x01a20ea3
0x01a20ea7
0x01a20eaf
0x01a20eb3
0x01a20eb9
0x01a20eb9
0x01a20ebc
0x01a20ecd
0x01a20ecd
0x00000000
0x01a20eb3
0x01a20e21
0x01a20e2b
0x01a20e2f
0x01a20e30
0x01a20e3a
0x01a20e3f
0x01a20e41
0x00000000
0x00000000
0x01a20e47
0x00000000
0x01a20e47
0x01a20df9
0x01a20dfe
0x00000000
0x00000000
0x00000000
0x01a20dfe
0x019c5303
0x019c5307
0x00000000
0x019c5309
0x00000000
0x019c5309
0x019c5307
0x019c52e9
0x019c52e9
0x00000000
0x019c52e9
0x019c530e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6e7c5616b6b03d1f93e33c1ae41135f2a47b34281cf0930761fdf406cf005e
Instruction ID: d58e96d9af95a466414882dac5e3a120d2f10d4ae37933fd0a5b655e6305b0f4
Opcode Fuzzy Hash: ec6e7c5616b6b03d1f93e33c1ae41135f2a47b34281cf0930761fdf406cf005e
Instruction Fuzzy Hash: 5251F271205782ABE322EF68C941B17BBE9FF90B10F14491DF49987692E7B4F844C792

Uniqueness

Uniqueness Score: -1.00%

Function 019F2AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019F2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1ab8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1ab8208; // 0x1ab8207
				_t8 = _t57 + 0x1ab8208; // 0x1ab8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1ab8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x1ab821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1ab6d5c; // 0x7f020654
							_t72 =  *0x1ab6d5c; // 0x7f020654
							_t75 =  *0x1ab6d5c; // 0x7f020654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1ab6d5c; // 0x7f020654
							_t84 =  *0x1ab6d5c; // 0x7f020654
							_t87 =  *0x1ab6d5c; // 0x7f020654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E01A0F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x019f2ae4
0x019f2aec
0x019f2aef
0x019f2af4
0x019f2af7
0x019f2afd
0x019f2b92
0x019f2b92
0x019f2b97
0x019f2b9c
0x019f2b9c
0x019f2b03
0x019f2b06
0x019f2b09
0x019f2b09
0x019f2b0f
0x019f2b15
0x019f2b15
0x019f2b1b
0x019f2b1e
0x019f2b21
0x019f2b26
0x019f2b29
0x019f2b81
0x019f2b84
0x019f2c0e
0x019f2c15
0x019f2c24
0x019f2c24
0x019f2b8a
0x019f2b8a
0x019f2b8a
0x019f2b8a
0x019f2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x019f2b4a
0x019f2b4a
0x019f2b4d
0x019f2b53
0x00000000
0x00000000
0x019f2b55
0x019f2b58
0x019f2bb7
0x01a35d1b
0x01a35d37
0x01a35d47
0x01a35d53
0x019f2bbd
0x019f2bbd
0x019f2bbd
0x019f2bb7
0x019f2b5d
0x019f2c2f
0x01a35d5b
0x01a35d77
0x01a35d87
0x01a35d93
0x019f2c35
0x019f2c35
0x019f2c35
0x019f2c2f
0x019f2b65
0x019f2b9f
0x019f2ba2
0x019f2b67
0x019f2b67
0x019f2b69
0x019f2b6b
0x019f2b6e
0x019f2bc9
0x019f2bcc
0x019f2bcf
0x019f2bd4
0x019f2bd6
0x019f2bd6
0x019f2bdb
0x019f2c02
0x019f2c05
0x019f2c07
0x00000000
0x019f2c07
0x019f2be0
0x019f2c00
0x019f2c3f
0x019f2c3f
0x00000000
0x019f2c00
0x019f2be5
0x019f2be7
0x019f2bec
0x019f2bf4
0x019f2bf6
0x00000000
0x019f2bf6
0x019f2b70
0x019f2b76
0x019f2b2b
0x019f2b2b
0x019f2b2d
0x019f2b2f
0x019f2b32
0x019f2b35
0x019f2b3a
0x00000000
0x019f2b40
0x019f2b43
0x019f2b45
0x019f2b47
0x019f2b4a
0x019f2b4d
0x019f2b53
0x00000000
0x00000000
0x00000000
0x019f2b53
0x019f2b78
0x019f2b78
0x019f2b7b
0x019f2b7e
0x00000000
0x019f2b7e
0x019f2b76
0x019f2ba5
0x019f2ba5
0x019f2ba8
0x019f2bad
0x00000000
0x00000000
0x019f2baf
0x019f2baf
0x019f2bc2
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69e8e3f753ac4377cbf4cc33437fbc3144cb65b3565e70af9310845d09868da
Instruction ID: 090cd0513d7fefa50542d2129b1a6c65e5d2c44436b19cd45790408ea0ab61ed
Opcode Fuzzy Hash: c69e8e3f753ac4377cbf4cc33437fbc3144cb65b3565e70af9310845d09868da
Instruction Fuzzy Hash: 7951E076A0011A9FCB19CF0CC880ABDB7B1FB89702715845EED5AAB325D734EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A8AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01A8AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E01A8C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E01A8ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E01A8FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E01A8EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E019E7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01A81608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E01A91536(0x1ab8ae4, (_t74 -  *0x1ab8b04 >> 0x14) + (_t74 -  *0x1ab8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L01A8C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E01A8A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E01A6CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E01A8ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x01a8ae44
0x01a8ae4c
0x01a8ae53
0x01a8ae55
0x01a8ae5c
0x01a8ae64
0x01a8ae68
0x01a8ae75
0x01a8ae75
0x01a8ae78
0x01a8ae7a
0x01a8ae7c
0x01a8ae7f
0x01a8aea8
0x01a8aeab
0x01a8aead
0x00000000
0x00000000
0x01a8aeb3
0x01a8aeb8
0x01a8aebb
0x01a8aebd
0x00000000
0x01a8ae81
0x01a8ae88
0x01a8ae8f
0x01a8ae9b
0x01a8ae96
0x01a8ae96
0x01a8ae96
0x01a8aea0
0x01a8aea3
0x01a8aebf
0x01a8aebf
0x01a8aec3
0x01a8aec9
0x01a8af0d
0x01a8af14
0x01a8af3d
0x01a8af3d
0x01a8af41
0x01a8af44
0x01a8af67
0x01a8af67
0x01a8af6a
0x01a8afca
0x01a8afd1
0x00000000
0x01a8afd1
0x01a8af6c
0x01a8af6d
0x01a8af75
0x01a8af7c
0x01a8af7e
0x01a8af80
0x01a8af85
0x01a8af87
0x01a8af99
0x01a8af89
0x01a8af92
0x01a8af92
0x01a8af9e
0x01a8afa1
0x01a8afa3
0x01a8afa9
0x01a8afb0
0x01a8afb2
0x01a8afb4
0x01a8afbc
0x01a8afbc
0x01a8afb4
0x01a8afb0
0x00000000
0x01a8afa1
0x01a8af4f
0x01a8af57
0x01a8af5c
0x01a8af5e
0x00000000
0x00000000
0x01a8af60
0x01a8af64
0x01a8af64
0x00000000
0x01a8af64
0x01a8af1a
0x01a8af25
0x00000000
0x00000000
0x01a8af27
0x01a8af28
0x01a8af33
0x00000000
0x01a8aed0
0x01a8aed0
0x01a8aed2
0x01a8aee1
0x01a8aee4
0x00000000
0x00000000
0x01a8aee6
0x01a8aeec
0x00000000
0x00000000
0x01a8aefb
0x01a8af07
0x01a8afd3
0x01a8afdb
0x01a8afdb
0x00000000
0x01a8af07
0x01a8aed6
0x01a8aed8
0x01a8aedf
0x00000000
0x00000000
0x00000000
0x01a8aedf
0x01a8aec9

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d03267ad3851c9d3d9b7d1656e967572b66affaef2c1c53c7110c60cb783829
Instruction ID: 64f17795621fbdc542f146a2b0471b80a566209e2d03e671c5d1828ce61b784c
Opcode Fuzzy Hash: 9d03267ad3851c9d3d9b7d1656e967572b66affaef2c1c53c7110c60cb783829
Instruction Fuzzy Hash: 5E4129B17006119BE72AFB2DC884B7BBB99EF94620F08861AF956C72D0DB34DC01C791

Uniqueness

Uniqueness Score: -1.00%

Function 019EDBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E019EDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E019CCC50(E019C4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E019E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E01A98ED6(_t102, _t98);
						}
						_t76 = _v44;
						E019E2280(_t58, _v44);
						E019EDD82(_v44, _t102, _t98);
						E019EB944(_t102, _v5);
						return E019DFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1ab8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x1ab862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1ab8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x1ab862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x1a8fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x019edbe9
0x019edbf2
0x019edbf7
0x019edbf9
0x019edbfc
0x019edc00
0x019edc03
0x019edc14
0x019edd54
0x019edd54
0x019edd54
0x019edc18
0x019edc1d
0x019edc1d
0x019edc32
0x019edc3b
0x019edc3e
0x019edc46
0x019edd5b
0x019edd62
0x019edd64
0x019edd67
0x019edd69
0x019edd6b
0x019edd6e
0x019edd70
0x019edd73
0x019edd73
0x00000000
0x019edc4c
0x019edc4e
0x01a33ae3
0x01a33ae8
0x01a33aea
0x019edce7
0x019edce9
0x019edcec
0x019edcee
0x019edcf0
0x019edcf3
0x019edcf5
0x01a33af2
0x01a33af5
0x01a33af5
0x019edd06
0x019edd08
0x019edd0b
0x019edd12
0x01a33b08
0x019edd18
0x019edd18
0x019edd18
0x019edd20
0x019edd23
0x01a33b16
0x01a33b16
0x019edd29
0x019edd2d
0x019edd36
0x019edd40
0x019edd51
0x019edd51
0x019edc54
0x019edc59
0x019edc59
0x019edc5e
0x019edc5e
0x019edc63
0x019edc66
0x019edc6b
0x019edc78
0x019edc7b
0x019edc81
0x019edc81
0x019edc83
0x019edc89
0x00000000
0x00000000
0x019edd7b
0x019edd7b
0x019edc8f
0x019edc8f
0x019edc92
0x019edc99
0x019edc9f
0x019edca5
0x019edcaa
0x019edcaa
0x019edcb3
0x019edcb8
0x019edcbb
0x019edcc1
0x019edccf
0x019edcd2
0x019edcd5
0x019edcd7
0x019edcda
0x019edcdc
0x019edcdc
0x019edce2
0x019edce4
0x00000000
0x019edce4

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b1553bc853f32f8b95fa11b208df84bbc7f202b0795c3d55f0f442f53336b3
Instruction ID: 7cbef10b0e13e2f4b1c3ac443d73fa5e90aa2df5bffb71cad78506bbe99a7116
Opcode Fuzzy Hash: b4b1553bc853f32f8b95fa11b208df84bbc7f202b0795c3d55f0f442f53336b3
Instruction Fuzzy Hash: 2051DC71E00206DFCB16CFACC494AAEFBF5BF88350F20855AD959A7341DB31A980CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019DEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E019DEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E019C9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7709c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E019C2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x019def4b
0x019def4d
0x019def57
0x019df0bd
0x019df0c2
0x019df0d2
0x019df0d2
0x019df0c2
0x019def5d
0x019def5f
0x019def67
0x019def6a
0x019def6d
0x019def74
0x019def7f
0x019def82
0x019def82
0x019def86
0x019def88
0x019def8c
0x019def8f
0x019def8f
0x019def8f
0x00000000
0x019def91
0x019def93
0x019defc4
0x019defc4
0x019defc4
0x019defca
0x019defd0
0x019df0a6
0x00000000
0x00000000
0x019df0af
0x01a2bb06
0x01a2bb0a
0x019df0b5
0x019df0b5
0x019df0b5
0x019df0b5
0x00000000
0x019defd6
0x019defd9
0x019df0de
0x019df0e2
0x019defdf
0x019defdf
0x019defdf
0x019defe5
0x01a2bafc
0x01a2bafc
0x019defe5
0x019defeb
0x019defed
0x019df00f
0x019df011
0x019df01a
0x019df01d
0x019df021
0x019df028
0x019df029
0x019df029
0x019df02c
0x00000000
0x019df02c
0x019deff3
0x019deff9
0x019df0ea
0x019df0ed
0x019df0ef
0x00000000
0x019df0ef
0x019df003
0x01a2bb12
0x019df045
0x019df049
0x019df051
0x019df09e
0x019df0a0
0x019df0a0
0x019df09e
0x019df053
0x019df064
0x019df064
0x019df06b
0x01a2bb1a
0x01a2bb1a
0x019df071
0x019df071
0x019df07d
0x019df082
0x019df08f
0x019df08f
0x019df009
0x019df00d
0x00000000
0x019df00d
0x019defd0
0x019def97
0x019defa5
0x019defaa
0x00000000
0x019defac
0x019defac
0x019defac
0x00000000
0x019defb2
0x019df036
0x019df03a
0x019df040
0x019df090
0x00000000
0x019df092
0x019df042
0x00000000
0x019df042
0x019defb7
0x019defb9
0x019defbc
0x019defb0
0x019defb0
0x00000000
0x019defbe
0x019defbe
0x019defc1
0x00000000
0x019defc1
0x019defbc
0x019defaa
0x019def91

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 78ce1865c3d78419ae08f85a6a4287ec627c9240b39307d736756d9c8f53bfeb
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 6F51F330E04249DFEB25CF6CC1D1BAEBBB5AF05314F18C1A8D55A5B282C375A98AC791

Uniqueness

Uniqueness Score: -1.00%

Function 01A9740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E01A9740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E01A1D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E01A0F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L019E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L019E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E01A0F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L019E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x01a9740d
0x01a9740d
0x01a97412
0x01a97413
0x01a97416
0x01a97418
0x01a9741c
0x01a9741f
0x01a97422
0x01a97422
0x01a97428
0x01a9742a
0x01a9742a
0x01a97451
0x01a97432
0x01a9744f
0x01a9744f
0x00000000
0x01a97434
0x01a97438
0x01a97443
0x01a97517
0x01a97517
0x01a9751a
0x01a97535
0x01a97520
0x01a97527
0x01a9752c
0x01a97531
0x01a97533
0x00000000
0x01a97533
0x00000000
0x01a97531
0x01a9754b
0x01a9754f
0x01a9755c
0x01a9755c
0x01a9755f
0x01a97560
0x01a97561
0x01a97562
0x01a97563
0x01a97568
0x01a9756a
0x01a9756c
0x01a9756d
0x01a9756d
0x01a9756f
0x01a97572
0x01a97574
0x01a97577
0x01a9757c
0x01a9757f
0x00000000
0x01a97551
0x01a97551
0x01a97551
0x01a97553
0x01a97553
0x01a97449
0x01a97449
0x01a9744c
0x01a9744c
0x00000000
0x01a9744c
0x01a97443
0x01a9750e
0x01a97514
0x01a97514
0x01a97455
0x01a97469
0x01a9746d
0x00000000
0x01a97473
0x01a97473
0x01a97476
0x01a97480
0x01a97484
0x01a9748e
0x01a97493
0x01a97493
0x01a97496
0x01a97499
0x01a974a1
0x01a974b1
0x01a974b5
0x00000000
0x01a974bb
0x01a974c1
0x01a974c1
0x01a974c4
0x01a974c5
0x01a974c6
0x01a974c7
0x01a974c8
0x01a974cd
0x00000000
0x01a974d3
0x01a974d3
0x01a974d6
0x01a974d8
0x01a974db
0x01a974dd
0x01a974e0
0x01a974e7
0x01a974ee
0x01a974ee
0x01a974f4
0x01a974f9
0x00000000
0x01a974fb
0x01a974fb
0x01a974fd
0x01a97500
0x01a97503
0x01a97505
0x01a97505
0x01a974f9
0x00000000
0x01a974cd
0x01a974b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 975fb3086e10582a7c257e26d5619112bc1de4d152e7da138a760a594145a32d
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: B2516C71600646EFDF16CF68C580A56BBF5FF45704F1480AAE9089F252E771E986CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 019F2990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E019F2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x1a9ff00);
				E01A1D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x19a1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E01A0E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x19a1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E01A451BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x19a166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E019F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E019D6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E019F2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E019DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E019F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E019F2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E019F2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E01A1D0D1(_t62);
				goto L28;
			}

0x019f2990
0x019f2992
0x019f2997
0x019f29a3
0x019f29a6
0x019f29ab
0x019f29ad
0x019f29b2
0x01a35c80
0x019f29b8
0x019f29b8
0x019f29bb
0x019f29c0
0x019f29c5
0x019f29c6
0x019f29c6
0x019f29cb
0x00000000
0x00000000
0x019f29cd
0x019f29d0
0x019f29d9
0x019f29db
0x019f29dd
0x019f2a7f
0x019f2a84
0x019f2a87
0x019f2a89
0x01a35ca1
0x01a35ca3
0x00000000
0x019f2a8f
0x019f2a8f
0x00000000
0x019f2a8f
0x00000000
0x019f29e3
0x019f29e3
0x019f29e3
0x00000000
0x019f29e3
0x019f29dd
0x00000000
0x019f29db
0x019f29e6
0x019f29e9
0x019f29eb
0x019f29ed
0x019f29f3
0x019f29f5
0x019f29f8
0x019f29fa
0x019f2a97
0x019f2a9a
0x019f2a9d
0x019f2add
0x00000000
0x019f2a9f
0x019f2aa2
0x019f2aa5
0x019f2aa8
0x019f2aab
0x01a35cab
0x01a35caf
0x01a35cc5
0x01a35cda
0x01a35cdc
0x01a35cdf
0x01a35ce5
0x00000000
0x01a35ceb
0x01a35ced
0x01a35cee
0x00000000
0x01a35cee
0x01a35cb1
0x01a35cb4
0x01a35cb9
0x01a35cbb
0x00000000
0x01a35cbd
0x01a35cbd
0x00000000
0x01a35cbd
0x01a35cbb
0x019f2ab1
0x019f2ab1
0x019f2ac4
0x019f2ac6
0x019f2ac6
0x00000000
0x019f2ac6
0x019f2aab
0x00000000
0x019f2a00
0x019f2a09
0x019f2a0e
0x019f2a21
0x019f2a24
0x019f2a35
0x019f2a3a
0x019f2a3d
0x019f2a42
0x019f2a59
0x019f2a59
0x019f2a5c
0x019f2a5f
0x019f2a5f
0x019f29fa
0x019f29f3
0x019f2a64
0x019f2a64
0x019f2a6b
0x019f2a6b
0x019f2a6d
0x019f2a72
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949cd5ae6b418142e539d0231f7e4c7f2e97dcddb4266deeca17b4a40084dfa4
Instruction ID: ea4268b58d3b96bea6a12d89a08e7300112460a4e2a4da08603c59144d3a633a
Opcode Fuzzy Hash: 949cd5ae6b418142e539d0231f7e4c7f2e97dcddb4266deeca17b4a40084dfa4
Instruction Fuzzy Hash: A1516E7190021AEFDF25DF99C940ADEBBB5BF48354F148159EA18AB250C335D952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 019F4BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E019F4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x1abd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E019CCC50(_t86);
					L11:
					return E01A0B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1ab8504
				E019E2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E01A0FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E01A0B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L019E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E019CCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1ab8504
								E019DFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E019F4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x019f4bad
0x019f4bbf
0x019f4bc2
0x019f4bc6
0x019f4bcd
0x019f4bd9
0x01a367fe
0x01a36800
0x019f4ccc
0x019f4ccd
0x019f4cb7
0x019f4cc9
0x019f4cc9
0x019f4bdf
0x019f4be5
0x00000000
0x00000000
0x019f4beb
0x019f4bef
0x00000000
0x00000000
0x019f4bf5
0x019f4bf9
0x019f4c06
0x019f4c0b
0x019f4c17
0x019f4c1c
0x019f4c1f
0x019f4c25
0x019f4c33
0x019f4c3d
0x019f4c40
0x019f4c43
0x019f4c47
0x019f4c4d
0x019f4c53
0x019f4c54
0x019f4c55
0x019f4c56
0x019f4c5b
0x019f4c5c
0x019f4c63
0x019f4c6b
0x00000000
0x00000000
0x01a36776
0x01a36784
0x01a36784
0x01a3679f
0x01a367a7
0x01a367af
0x01a367ce
0x00000000
0x01a367b1
0x01a367b7
0x01a367b8
0x01a367c1
0x01a367d3
0x01a367d9
0x01a367dd
0x019f4c94
0x019f4c94
0x019f4c98
0x019f4c9c
0x019f4ca3
0x01a367f4
0x01a367f4
0x019f4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x019f4cb5
0x019f4c79
0x019f4c7e
0x019f4c89
0x019f4c8b
0x019f4c8f
0x019f4c8f
0x00000000
0x019f4c89
0x01a367c3
0x00000000
0x01a367c3
0x01a367af
0x019f4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d09378cda6bcf951a8f7e8a87430d1cd024a32193f4ae34229d7606ec071f88
Instruction ID: 6c2b28d7456f7d18ce587367ebccbb019b863f838cb007ca7b45a6b3fd2e8097
Opcode Fuzzy Hash: 4d09378cda6bcf951a8f7e8a87430d1cd024a32193f4ae34229d7606ec071f88
Instruction Fuzzy Hash: CC41B735E40229ABDB22DF68C940FEA77F4EF85710F4104A9EA0CAB241D774DE84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019F4D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E019F4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x1abd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E01A0FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1ab7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E01A0B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L019E4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E019CCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E01A0B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E01A0F380(_t67 + 0xc, 0x19a5138, 0x10) == 0) {
								 *0x1ab60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E019F4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E019F4E70(0x1ab86b0, 0x19f5690, 0, 0) != 0) {
					_t46 = E019CCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x019f4d3b
0x019f4d4d
0x019f4d53
0x019f4d58
0x019f4d65
0x019f4d6c
0x019f4d71
0x019f4d77
0x019f4d7f
0x019f4d8c
0x019f4d8e
0x019f4dad
0x019f4db0
0x019f4db7
0x019f4db8
0x019f4db9
0x019f4dba
0x019f4dbb
0x019f4dc1
0x019f4dc8
0x019f4dcc
0x019f4dd5
0x019f4dde
0x019f4ddf
0x019f4de0
0x019f4de1
0x019f4de6
0x019f4de7
0x019f4de9
0x019f4df3
0x00000000
0x00000000
0x01a36c7c
0x01a36c8a
0x01a36c8a
0x01a36c9d
0x01a36ca7
0x01a36cac
0x01a36cb2
0x01a36cb9
0x00000000
0x01a36cbf
0x01a36cbf
0x00000000
0x01a36cbf
0x01a36cb9
0x019f4dfb
0x01a36ccf
0x01a36cd3
0x019f4e32
0x019f4e39
0x01a36ce0
0x01a36cf2
0x01a36cf2
0x01a36ce0
0x019f4e3f
0x019f4e41
0x019f4e51
0x019f4e51
0x019f4e03
0x019f4e03
0x019f4e09
0x019f4e0f
0x019f4e57
0x00000000
0x00000000
0x019f4e1b
0x019f4e30
0x019f4e5b
0x019f4e5b
0x00000000
0x019f4e30
0x019f4e11
0x019f4e11
0x019f4e16
0x00000000
0x019f4e16
0x019f4e01
0x00000000
0x019f4e01
0x019f4da5
0x01a36c6b
0x00000000
0x019f4dab
0x019f4dab
0x00000000
0x019f4dab

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054e83bd9b0f5dafcbc39e5e4886e81c933fdd9232395cb14290687f83f7eb41
Instruction ID: d3396e1548a7281a721ee09c634aa8b41b91432a441e376e8898c8b059082df6
Opcode Fuzzy Hash: 054e83bd9b0f5dafcbc39e5e4886e81c933fdd9232395cb14290687f83f7eb41
Instruction Fuzzy Hash: 9641B275A44318AFEB32DF18CC80FA7BBA9EB94610F00049DEA4D97281D774ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019D8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E019D8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x1abd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E01A0B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E019DE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x19a1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E019F1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01A03C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E019D8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x019d8a0a
0x019d8a1c
0x019d8a23
0x019d8a2e
0x019d8a30
0x019d8a36
0x019d8a3c
0x019d8a3e
0x019d8a4a
0x019d8a52
0x019d8a9c
0x019d8aae
0x019d8a58
0x019d8a5e
0x019d8a6a
0x019d8a6f
0x019d8a75
0x019d8a7d
0x019d8a85
0x019d8a86
0x019d8a89
0x019d8a93
0x019d8a99
0x019d8a9b
0x00000000
0x019d8aaf
0x019d8abe
0x019d8ac3
0x019d8acb
0x019d8ad7
0x019d8ae0
0x019d8af1
0x00000000
0x019d8af1
0x019d8acd
0x019d8ad5
0x019d8afb
0x019d8afd
0x019d8aff
0x019d8b07
0x019d8b22
0x019d8b24
0x019d8b2a
0x019d8b2e
0x019d8b3f
0x019d8b78
0x019d8b41
0x019d8b52
0x019d8b54
0x019d8b5c
0x019d8b74
0x019d8b74
0x019d8b5c
0x019d8b3f
0x019d8b5e
0x019d8b61
0x019d8b64
0x019d8b64
0x019d8b6c
0x019d8b6c
0x019d8b11
0x01a29cd5
0x01a29cd5
0x019d8b17
0x019d8b1a
0x019d8b1a
0x00000000
0x019d8ad5
0x019d8a89

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17b484dbd130ff9564f4c3766a6bc127dd0b390a4528579d37131f192118fcd
Instruction ID: 61f4b323f1386fe495a5e1e3fbb8aebf330ad3b3dc0775d81e1cb2b4564c1225
Opcode Fuzzy Hash: b17b484dbd130ff9564f4c3766a6bc127dd0b390a4528579d37131f192118fcd
Instruction Fuzzy Hash: 71416EB4A002299BDB24DF59CC88AA9B7F8FB94300F1085EAD91D97242E7749E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A8AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A8AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E01A8ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E01A8AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E01A8AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E01A6CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L019E77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E019E7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E01A8131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E01A6CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x01a8aa1f
0x01a8aa21
0x01a8aa23
0x01a8aa2b
0x01a8aa30
0x01a8aa36
0x01a8aa39
0x01a8aa42
0x01a8aa75
0x01a8aa7a
0x01a8aa7c
0x01a8aa7c
0x01a8aa88
0x01a8aa8a
0x01a8aa8f
0x01a8ab02
0x01a8ab04
0x01a8aa99
0x01a8aaa8
0x01a8aaaf
0x01a8aab3
0x01a8aacc
0x01a8aad1
0x01a8aad6
0x01a8aae0
0x01a8aaf3
0x01a8aaf9
0x01a8aafe
0x01a8aafe
0x01a8aaf3
0x01a8aad6
0x01a8aab3
0x01a8ab07
0x01a8ab0a
0x01a8ab11
0x01a8ab23
0x01a8ab13
0x01a8ab1c
0x01a8ab1c
0x01a8ab2b
0x01a8ab44
0x01a8ab44
0x01a8ab51
0x01a8ab51
0x01a8aa44
0x01a8aa47
0x01a8aa4c
0x00000000
0x00000000
0x01a8aa5a
0x01a8aa64
0x01a8aa72
0x00000000
0x01a8aa66
0x01a8aa66
0x01a8aa68
0x01a8aa6a
0x00000000
0x01a8aa6a

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 5cc83c23cf5de3c7de26261367facb7bdbeb40fd22d28dfd88cfbcc84142a698
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 57312832F005056BEB15AB69CC49BBFFBBBEF80210F09846AE905A7351DA74CD00C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A8FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01A8FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E01A8FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E01A90A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E019E7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01A81608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E01A92B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E01A8C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E01A8DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E019E7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E01A8A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x01a8fde7
0x01a8fde8
0x01a8fdec
0x01a8fdee
0x01a8fdf5
0x01a8fdf7
0x01a8fdfc
0x01a8fe19
0x01a8fe22
0x01a8fe26
0x01a8fec6
0x01a8fecd
0x01a8fed5
0x01a8fee7
0x01a8fed7
0x01a8fee0
0x01a8fee0
0x01a8feef
0x01a8ff00
0x01a8ff02
0x01a8ff07
0x01a8ff07
0x00000000
0x01a8feef
0x01a8fe33
0x01a8fe55
0x01a8fe59
0x01a8fe5b
0x01a8fe5e
0x01a8fe69
0x01a8fe6d
0x01a8fe6d
0x01a8fe69
0x01a8fe35
0x01a8fe41
0x01a8fe41
0x01a8fe79
0x01a8fe8b
0x01a8fe7b
0x01a8fe84
0x01a8fe84
0x01a8fe93
0x00000000
0x01a8fea8
0x01a8feba
0x00000000
0x01a8feba
0x01a8fdfe
0x01a8fe01
0x01a8fe02
0x01a8fe08
0x01a8ff0c
0x01a8ff14
0x01a8ff14

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 06e7bba37a58f79c2306cb946fecdc794c66a0e1fe85603b69a75f2cf2dd0c18
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: F9313572700646AFD722AB6CC944F6ABBEAEBC5A50F184058E946CB382DB74DC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 01A8EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01A8EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E019E2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E01A8E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E019CF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E019DFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E01A8AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E01A8BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E019E7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E01A7FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E019DFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E01A8A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x01a8ea55
0x01a8ea66
0x01a8ea68
0x01a8ea6c
0x01a8ea6f
0x01a8ea72
0x01a8ea75
0x01a8ea7a
0x01a8ea7a
0x01a8ea7e
0x01a8ea80
0x01a8ea85
0x01a8ea8b
0x01a8eab5
0x01a8eabc
0x01a8eabf
0x01a8eabf
0x01a8eaca
0x01a8eace
0x01a8ead0
0x01a8eae4
0x01a8eaeb
0x01a8eaf0
0x01a8eaf5
0x01a8eb09
0x01a8eb0d
0x01a8eb1d
0x01a8eb2d
0x01a8eb38
0x01a8eb3d
0x01a8eb41
0x01a8eb4a
0x01a8eb60
0x01a8eb4c
0x01a8eb52
0x01a8eb59
0x01a8eb59
0x01a8eb68
0x01a8eb71
0x01a8eb71
0x01a8ea8d
0x01a8ea8f
0x01a8ea92
0x01a8ea97
0x01a8ea97
0x01a8ea9b
0x01a8ea9c
0x01a8ea9e
0x01a8eaa6
0x01a8eaa6
0x01a8eb7e

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 109b8b5474b8c9f0210bbdc96bf562e70d72503fdcbb02ab52f2a7ec10579b7f
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 4231A3726047069BC719EF28CD84A6BF7A9FBC4710F04892DE55687641DA30E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A469A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01A469A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x1abd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L019D6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01A46BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01A09980() >= 0) {
							E019E2280(_t56, 0x1ab8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1ab8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1ab8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E019CB6F0(0x19ac338, 0x19ac288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01A09520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E01A095D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E019DFFB0(_t68, _t77, 0x1ab8778);
				}
				_pop(_t78);
				return E01A0B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x01a469b5
0x01a469be
0x01a469c3
0x01a469c9
0x01a469cc
0x01a469d1
0x01a469d3
0x01a469de
0x01a469e1
0x01a469ea
0x01a469f6
0x01a469fe
0x01a46a13
0x01a46a14
0x01a46a15
0x01a46a16
0x01a46a1e
0x01a46a26
0x01a46a31
0x01a46a36
0x01a46a37
0x01a46a40
0x01a46a49
0x01a46a4a
0x01a46a53
0x01a46a59
0x01a46a5d
0x01a46a5e
0x01a46a64
0x01a46a67
0x01a46a6a
0x01a46a6d
0x01a46a70
0x01a46a77
0x01a46a7d
0x01a46a86
0x01a46a89
0x01a46a9c
0x01a46a9f
0x01a46aa2
0x01a46aa5
0x01a46aaf
0x01a46ab1
0x01a46ab8
0x01a46ab9
0x01a46abb
0x01a46abe
0x01a46ac5
0x01a46ac5
0x01a46aaf
0x01a46a40
0x01a46a26
0x01a469fe
0x01a46ace
0x01a46ad0
0x01a46ad3
0x01a46ad8
0x01a46adf
0x01a46adf
0x01a46ae8
0x01a46aef
0x01a46aef
0x01a46af9
0x01a46b06

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f79d7643c66d94b7f5e727d2a8ef43397b2ead9f4820ae203b46053f663a03b
Instruction ID: d0704d4212fc355bcb814803370a2435ec4879273bde8d6c8a9abd485bc9b1f3
Opcode Fuzzy Hash: 4f79d7643c66d94b7f5e727d2a8ef43397b2ead9f4820ae203b46053f663a03b
Instruction Fuzzy Hash: 1441C2B1D00609AFDB25CFA9D940BFEBBF8FF88714F14812AE918A7251DB749905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019C5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E019C5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E019C52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E01A095D0();
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E019DEB70(_t54, 0x1ab79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E01A095D0();
								L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E019DEB70(_t54, 0x1ab79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E01A0F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E019DEB70(_t54, 0x1ab79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E01A095D0();
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x019c5220
0x019c5224
0x01a20d13
0x01a20d16
0x01a20d19
0x019c522a
0x019c522a
0x019c522d
0x019c522d
0x019c5231
0x019c5235
0x019c5239
0x01a20d5c
0x01a20d62
0x00000000
0x00000000
0x01a20d6a
0x01a20d7b
0x01a20d7f
0x01a20d81
0x01a20d84
0x01a20d95
0x01a20d95
0x01a20d6c
0x01a20d71
0x01a20d71
0x01a20d9a
0x00000000
0x019c524a
0x019c524a
0x019c5250
0x01a20d24
0x01a20d35
0x01a20d39
0x01a20d3b
0x01a20d3e
0x01a20d50
0x01a20d50
0x01a20d26
0x01a20d2b
0x01a20d2b
0x00000000
0x01a20d55
0x019c5256
0x019c525b
0x019c5265
0x01a20da7
0x019c526b
0x019c526e
0x019c5272
0x01a20db1
0x01a20db4
0x01a20dc5
0x01a20dc5
0x019c5272
0x019c5278
0x019c527e
0x019c528a
0x019c528c
0x019c528d
0x00000000
0x019c5280
0x019c5282
0x019c5288
0x019c529f
0x019c5292
0x00000000
0x019c5292
0x00000000
0x019c5288
0x019c527e

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa525736e05ad9e2c48d468d757e664fd3b02db1634329d8227c2296999fb7e
Instruction ID: 7ffcb6ade70b6cc89eb1637ed3320fedd3395b95cfc3bf19c4c65e7e6fad9186
Opcode Fuzzy Hash: 6aa525736e05ad9e2c48d468d757e664fd3b02db1634329d8227c2296999fb7e
Instruction Fuzzy Hash: DE312631242611EBD736AB2CCA80F6A7BA6FF50B60F114A19F49D4B1E1D770F804C691

Uniqueness

Uniqueness Score: -1.00%

Function 01A03D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A03D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E019D7B60(0, _t61, 0x19a11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E019D7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L019E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01a03d4c
0x01a03d50
0x01a03d55
0x01a03d5e
0x01a3e79a
0x00000000
0x01a3e79a
0x01a03d68
0x01a3e789
0x01a03d9d
0x01a03da3
0x01a03daf
0x01a03db5
0x01a03dbc
0x01a03dc4
0x01a03dc9
0x01a03dce
0x01a3e7ae
0x01a3e7ae
0x01a03dde
0x01a03de2
0x01a03de7
0x01a03e0d
0x01a03e13
0x01a03e16
0x01a03e1e
0x01a03e25
0x01a03e28
0x00000000
0x00000000
0x01a03e2a
0x01a03e2f
0x01a03e37
0x01a03e37
0x00000000
0x01a03e37
0x01a03e31
0x00000000
0x01a03e31
0x01a03e20
0x01a03e20
0x01a03e35
0x00000000
0x01a03de9
0x01a03de9
0x01a03de9
0x01a03dee
0x01a03dfd
0x01a03dff
0x01a03e02
0x01a03e05
0x01a03e05
0x00000000
0x01a03df0
0x01a03de7
0x01a3e78f
0x01a3e794
0x01a03d79
0x01a03d84
0x01a03d89
0x01a03d8e
0x00000000
0x01a3e7a4
0x01a03d96
0x01a03d9a
0x00000000
0x01a03d9a
0x00000000
0x01a3e794
0x01a03d6e
0x01a03d73
0x00000000
0x01a3e7b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4df18565e8f122984562ee07756ae629161db686cb120fbf4eda38e6ac84c17
Instruction ID: 777d3199907197e8b7272c7840d35aa240a1896e435efbd51fcf04be1b19b9de
Opcode Fuzzy Hash: b4df18565e8f122984562ee07756ae629161db686cb120fbf4eda38e6ac84c17
Instruction Fuzzy Hash: 2D31BE71A00615DFDB2A8F2EE841A7ABBF5FF85700B09846AE949CB390E730D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 019FA61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E019FA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1aa0220);
				E01A1D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x1ab7b9c; // 0x0
				_t55 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E01A1D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x1ab7b10 =  *0x1ab7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x1ab536c; // 0x771a5368
					if( *_t51 != 0x1ab5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x1ab5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x1ab536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E019FA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x019fa61c
0x019fa61e
0x019fa623
0x019fa628
0x019fa62b
0x019fa62d
0x019fa648
0x019fa64a
0x019fa64f
0x01a39b44
0x019fa6ec
0x019fa6f1
0x019fa6f1
0x019fa655
0x019fa657
0x019fa65a
0x019fa65d
0x019fa662
0x019fa663
0x019fa667
0x019fa668
0x019fa66d
0x019fa706
0x019fa706
0x01a39bda
0x01a39be6
0x01a39beb
0x00000000
0x01a39beb
0x019fa679
0x01a39b7a
0x00000000
0x01a39b7a
0x019fa683
0x019fa6f4
0x019fa6f7
0x019fa6f9
0x019fa6fd
0x019fa6a0
0x019fa6a0
0x019fa6ad
0x019fa6af
0x019fa6b4
0x01a39ba7
0x01a39bac
0x00000000
0x00000000
0x01a39bc6
0x01a39bce
0x01a39bd1
0x01a39bd3
0x01a39bd3
0x00000000
0x01a39bd1
0x019fa6bd
0x019fa6c3
0x019fa6c6
0x019fa6d2
0x019fa701
0x019fa704
0x00000000
0x019fa704
0x019fa6d4
0x019fa6d6
0x019fa6d9
0x019fa6db
0x019fa6e1
0x019fa6e6
0x019fa6e8
0x019fa6e8
0x019fa6ea
0x00000000
0x019fa6ea
0x019fa688
0x019fa692
0x019fa694
0x019fa699
0x00000000
0x00000000
0x019fa69d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087456304e2a875bf38bcf41453434ec9fccb7f1c3dcb8e115df212b313b27da
Instruction ID: 64378cc2483ea0af1a67cfc30647a317798f3f06e2e19a369881e4e13d97b711
Opcode Fuzzy Hash: 087456304e2a875bf38bcf41453434ec9fccb7f1c3dcb8e115df212b313b27da
Instruction Fuzzy Hash: 0D417975E00205EFDB19CF58C490B9ABBF1BF89314F1880ADEA09AB345C7B4A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 019EC182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E019EC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E019E7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01A98D34(_v8, _t80);
					}
					E019E2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E019DFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01A98833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E019DFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E01A0B180();
						if(_a4 != 0) {
							E019E2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E019EBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E019EBB2D(_t16, _t15);
						E019EB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E019DFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E019DFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E019DFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x019ec18d
0x019ec18f
0x019ec191
0x019ec19b
0x019ec1a0
0x019ec1d4
0x019ec1de
0x01a32d6e
0x019ec1e4
0x019ec1e4
0x019ec1e4
0x019ec1ec
0x01a32d7d
0x01a32d7d
0x019ec1f3
0x019ec1ff
0x01a32d88
0x01a32d8d
0x01a32d94
0x01a32d94
0x01a32d9f
0x01a32da4
0x01a32dab
0x01a32db0
0x01a32db2
0x01a32db3
0x01a32db4
0x01a32dbc
0x01a32dc3
0x01a32dc3
0x019ec205
0x019ec205
0x019ec208
0x019ec20e
0x019ec211
0x019ec216
0x019ec219
0x019ec21f
0x019ec222
0x019ec22c
0x019ec234
0x019ec23a
0x019ec23f
0x019ec245
0x019ec24b
0x019ec251
0x019ec25a
0x019ec276
0x019ec27d
0x019ec27d
0x019ec25c
0x019ec25c
0x00000000
0x019ec25e
0x019ec1a4
0x019ec1aa
0x019ec1b3
0x019ec265
0x019ec26c
0x019ec26c
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: bea1adabe89b548b832be9501c3f10eba45521db067f0d28610b917ea0c08f2d
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: B6312B7260154BBEDB06EBB8C484BE9FBD8BF96204F08815AD45C57301DB34A94AC7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A47016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01A47016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x1abd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01A46B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01A46B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E019E7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01A09AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E01A0B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L019E4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01a47016
0x01a4701e
0x01a4702b
0x01a47033
0x01a47037
0x01a4703c
0x01a4703e
0x01a47041
0x01a47045
0x01a4704a
0x01a47050
0x01a47055
0x01a4705a
0x01a47062
0x01a47062
0x01a4705a
0x01a47064
0x01a47064
0x01a47067
0x01a47071
0x01a47096
0x01a4709b
0x01a470a2
0x01a470a6
0x01a470a7
0x01a470ad
0x01a470b3
0x01a470b6
0x01a470bb
0x01a470c3
0x01a470c3
0x01a470c6
0x01a470cd
0x01a470dd
0x01a470e0
0x01a470e2
0x01a470e2
0x01a470ee
0x01a47101
0x01a470f0
0x01a470f9
0x01a470f9
0x01a4710a
0x01a4710e
0x01a47112
0x01a47117
0x01a47118
0x01a47118
0x01a470bb
0x01a4711d
0x01a47123
0x01a47131
0x01a47131
0x01a47136
0x01a4713d
0x01a4713e
0x01a4713f
0x01a4714a
0x01a4714a
0x01a47084
0x01a47088
0x00000000
0x01a4708e
0x01a4708e
0x01a47092
0x00000000
0x01a47092

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af1009083833ce9501b1e33e7db5bd9f24c396ef580f2dd89763cda3b6e5b57
Instruction ID: 7d277587a17d8869072b7a34b5bdd8330d879412b397f6c8042b7675d3de63f9
Opcode Fuzzy Hash: 1af1009083833ce9501b1e33e7db5bd9f24c396ef580f2dd89763cda3b6e5b57
Instruction Fuzzy Hash: CB31C2766047919BD321DF6CC940A6AB7E9FFC8700F044A29F99987690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 019FA70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E019FA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x1ab7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x1ab7b10 = 8;
					 *0x1ab7b14 = 0x1ab7b0c;
					 *0x1ab7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E019FA990(0x1ab7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L019FA840(__edx, __ecx, __ecx, _t52, 0x1ab7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x1ab7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x1ab7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x1ab7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L019E4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x1ab7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E01A0F3E0(_t50,  *0x1ab7b14, _t8 >> 3);
						_t28 =  *0x1ab7b14; // 0x0
						__eflags = _t28 - 0x1ab7b0c;
						if(_t28 != 0x1ab7b0c) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x1ab7b14 = _t50;
						_t48 = _v12;
						 *0x1ab7b10 = _t9;
						goto L6;
					}
					 *0x1ab7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x019fa713
0x019fa714
0x019fa717
0x019fa71d
0x019fa720
0x019fa722
0x019fa727
0x019fa74a
0x019fa754
0x019fa75e
0x019fa768
0x019fa76a
0x019fa773
0x019fa78b
0x019fa790
0x019fa792
0x019fa741
0x019fa741
0x019fa743
0x019fa749
0x019fa749
0x019fa732
0x019fa73a
0x019fa797
0x019fa79d
0x019fa7a3
0x019fa7a9
0x019fa7b6
0x019fa7bc
0x019fa7ca
0x019fa7e0
0x019fa7e2
0x019fa7e4
0x01a39bf2
0x00000000
0x01a39bf2
0x019fa7ed
0x019fa7f2
0x019fa800
0x019fa805
0x019fa80d
0x019fa812
0x01a39c08
0x01a39c08
0x019fa818
0x019fa81b
0x019fa821
0x019fa824
0x00000000
0x019fa824
0x019fa7ae
0x00000000
0x019fa7ae
0x019fa73c
0x019fa73e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc336d9a664d729305a75096afc305fc763bacffcb9499fbf0bc55413b0d5ddb
Instruction ID: 9daa30070d122d4af205f78680d79973e5c195be11e81d4c7db025662b1d01f7
Opcode Fuzzy Hash: dc336d9a664d729305a75096afc305fc763bacffcb9499fbf0bc55413b0d5ddb
Instruction Fuzzy Hash: F931BEB5620281AFC725CB88D8C1F697BF9FBC4710F14495AE20AD76A5D3F0A902DF91

Uniqueness

Uniqueness Score: -1.00%

Function 019F61A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E019F61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E019F5E50(0x19a67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01A99D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E019CF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x019f61b3
0x019f61b5
0x019f61bd
0x019f61c3
0x019f61c7
0x019f61d2
0x019f61ff
0x019f61ff
0x019f6201
0x019f6207
0x019f6207
0x019f61d4
0x019f61d9
0x00000000
0x00000000
0x019f61df
0x019f61e2
0x00000000
0x00000000
0x019f61e6
0x019f61e8
0x019f61ee
0x019f61ee
0x019f61f9
0x01a3762f
0x01a37632
0x01a37635
0x01a37639
0x01a37640
0x01a3766e
0x01a37675
0x00000000
0x00000000
0x01a37681
0x01a37689
0x01a3768d
0x01a37691
0x01a37695
0x01a37699
0x01a376af
0x01a376b5
0x01a376b7
0x01a376b7
0x01a376d7
0x01a376dc
0x00000000
0x01a376dc
0x01a376a2
0x01a376a9
0x01a37651
0x01a37653
0x01a37653
0x01a37656
0x01a37656
0x00000000
0x01a37656
0x01a37644
0x01a37646
0x01a37648
0x01a37648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968f3dc3a336cb813ea0e4320e90052efe288ca9adb94b7e27f91eb15913ee54
Instruction ID: 3e0216c4b1aa0909c953ef2526cc961ff27df535a097b9312e27c24f7a497814
Opcode Fuzzy Hash: 968f3dc3a336cb813ea0e4320e90052efe288ca9adb94b7e27f91eb15913ee54
Instruction Fuzzy Hash: BE3169B16157019FE360CF5DC950B2ABBE9FB88B10F05496DFA989B251E7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019CAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E019CAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x1abd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1ab7b9c; // 0x0
					_t53 = L019E4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E01A0B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E01A0F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L019D6C59(_t53, _t51, _t58) != 0) {
							_t28 = E019F5E50(0x19ac338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E019FB230(_v32, _v28, 0x19ac2d8, 1,  &_v24);
								_t28 = E019CF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x019caa25
0x019caa29
0x019caa2d
0x019caa30
0x019caa37
0x019caa3c
0x01a24458
0x01a24458
0x01a24472
0x01a24474
0x01a24476
0x019caa64
0x019caa74
0x01a2447c
0x01a24483
0x01a24492
0x019caa52
0x019caa54
0x019caa5e
0x01a244a8
0x01a244ad
0x01a244af
0x01a244b6
0x01a244b6
0x01a244b9
0x01a244bc
0x01a244cd
0x01a244d3
0x01a244d6
0x01a244e1
0x01a244e1
0x01a244e6
0x01a244e8
0x01a244fb
0x01a244fb
0x01a244e8
0x00000000
0x019caa5e
0x01a24476
0x019caa42
0x019caa46
0x019caa48
0x019caa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4c4024166d33bc254d517fd01535890570512289a37884af8811f93a8642bb
Instruction ID: 7a71dad0994f337f238bc0d513cfa71eb702b17cafc35e7b9e27f6dfb3c3e558
Opcode Fuzzy Hash: 7a4c4024166d33bc254d517fd01535890570512289a37884af8811f93a8642bb
Instruction Fuzzy Hash: 9931C571A0012AAFCF159F68CD81A7FB7B9EF58B00F01446DF905E7151E7749911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A04A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E01A04A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x1abd360 ^ _t62;
				_v8 =  *0x1abd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E019E2280(_t26, 0x1ab8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E019DFFB0(_t41, _t51, 0x1ab8608);
						L2:
						 *0x1abb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E01A0B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E019E2280(_t28, 0x1ab8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E019DFFB0(_t42, _t53, 0x1ab8608);
							if(_t53 != 0) {
								L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E019DFFB0(_t41, _t51, 0x1ab8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01a04a2c
0x01a04a34
0x01a04a3c
0x01a04a3e
0x01a04a48
0x01a04a4b
0x01a04a4d
0x01a04a51
0x01a04a9c
0x00000000
0x00000000
0x01a04aa3
0x01a04aa8
0x01a04aad
0x01a04ab1
0x01a04ade
0x01a04ae3
0x01a04a5a
0x01a04a62
0x01a04a6a
0x01a04a6e
0x01a3f203
0x01a04a84
0x01a04a88
0x01a04a89
0x01a04a8a
0x01a04a95
0x01a04a95
0x01a04a79
0x01a04a80
0x01a04af2
0x01a04af4
0x01a04af9
0x01a04aff
0x01a04b01
0x01a04b03
0x01a04b08
0x01a3f20a
0x01a3f212
0x01a3f216
0x01a3f216
0x01a04b08
0x01a04b13
0x01a04b1a
0x01a3f229
0x01a3f229
0x01a04b1a
0x01a04a82
0x00000000
0x01a04a82
0x01a04ab7
0x01a04acd
0x01a04acd
0x01a04ad5
0x01a04ada
0x00000000
0x01a04ada
0x01a04ac2
0x01a04acb
0x00000000
0x00000000
0x00000000
0x01a04acb
0x01a04a53
0x01a04a53
0x01a04a58
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be702242ee2450ac7becca2a943a93d24efa256149cf6317c7f06d80b8a39a09
Instruction ID: f29f2a381db5f45ea0afce95a7fdbf641a427121edafc2712a5c0f7dd073edb8
Opcode Fuzzy Hash: be702242ee2450ac7becca2a943a93d24efa256149cf6317c7f06d80b8a39a09
Instruction Fuzzy Hash: 4431F432605751EFC7239F58D984B2ABBE8FFC9710F04456DEA564B282C774D840CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01A08EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01A08EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x1abd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E019F4E70(0x1ab86e4, 0x1a09490, 0, 0);
					if( *0x1ab53e8 > 5 && E01A08F33(0x1ab53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x1ab53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x1ab53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x19abc46;
						_t48 = E01A47B9C(0x1ab53e8, 0x19abc46, _t67, 0x1ab53e8, _t70,  &_v140);
					}
				}
				return E01A0B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x01a08ec7
0x01a08ed9
0x01a08edc
0x01a08ee6
0x01a08ee9
0x01a08eee
0x01a08efc
0x01a08f08
0x01a41349
0x01a41353
0x01a4135d
0x01a41366
0x01a4136f
0x01a41375
0x01a4137c
0x01a41385
0x01a41390
0x01a41391
0x01a4139c
0x01a4139d
0x01a413a6
0x01a413ac
0x01a413b2
0x01a413b5
0x01a413bc
0x01a413bf
0x01a413c2
0x01a413c5
0x01a413c8
0x01a413cb
0x01a413ce
0x01a413d1
0x01a413d4
0x01a413d7
0x01a413da
0x01a413dd
0x01a413e0
0x01a413e3
0x01a413e6
0x01a413e9
0x01a413f6
0x01a41400
0x01a41400
0x01a08f08
0x01a08f32

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0696678fa53246aceac50a3897bb310d298871ca51593ece4d0b6dbeb001c69
Instruction ID: 990904f2fd651c350cb3a2b43a0f450b998a70637a53ccd2dd15809f6d7ccc94
Opcode Fuzzy Hash: f0696678fa53246aceac50a3897bb310d298871ca51593ece4d0b6dbeb001c69
Instruction Fuzzy Hash: 0E41A1B1D013589FDB20CFAAD980AADFBF8FB48310F5041AEE509A7241E7745A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 019FE730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E019FE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E01A09670() < 0) {
					L01A1DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x1ab7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L019E4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M019FE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x019fe730
0x019fe736
0x019fe738
0x019fe73d
0x019fe73e
0x019fe740
0x019fe749
0x019fe765
0x019fe76a
0x019fe76b
0x019fe76c
0x019fe76d
0x019fe76e
0x019fe76f
0x019fe775
0x019fe777
0x019fe77e
0x01a3b675
0x019fe784
0x019fe784
0x019fe789
0x019fe7a8
0x019fe7ac
0x019fe807
0x019fe7ae
0x019fe7ae
0x019fe7b1
0x019fe7b4
0x019fe7b9
0x019fe7c0
0x019fe7c4
0x019fe7ca
0x019fe7cc
0x00000000
0x019fe7d3
0x019fe7d6
0x00000000
0x00000000
0x019fe7ff
0x019fe802
0x00000000
0x00000000
0x019fe7f9
0x019fe7fc
0x00000000
0x00000000
0x019fe7f3
0x019fe7f6
0x00000000
0x00000000
0x019fe7ed
0x019fe7f0
0x00000000
0x00000000
0x019fe7e7
0x019fe7ea
0x00000000
0x00000000
0x01a3b685
0x01a3b688
0x00000000
0x00000000
0x01a3b682
0x00000000
0x00000000
0x019fe7cc
0x019fe7d9
0x019fe7dc
0x019fe7de
0x019fe7de
0x019fe7ac
0x019fe7e4
0x019fe74b
0x019fe751
0x019fe759
0x019fe761
0x019fe761

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8b4b1f8e8b57f1d3928814e919fdb70134091c6c6b3f7f626a0e0d0fcdfedc
Instruction ID: ac1c611701418ce35d230c332f053702ed04dacfe5948bca2b169c3d9825f8fc
Opcode Fuzzy Hash: 6b8b4b1f8e8b57f1d3928814e919fdb70134091c6c6b3f7f626a0e0d0fcdfedc
Instruction Fuzzy Hash: C631A075A14249EFD704CF58D841F9ABBE8FB08314F15865AFA08CB351D631ED80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019FBC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E019FBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1ab6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E019E2280(0xd, 0x858f1a0);
				_t41 =  *0x1ab60f8; // 0x0
				if(_t41 != 0) {
					 *0x1ab60f8 =  *_t41;
					 *0x1ab60fc =  *0x1ab60fc + 0xffff;
				}
				E019DFFB0(_t41, 0x800, 0x858f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x1ab60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L019E4620(0x1ab6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1ab6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x019fbc36
0x019fbc42
0x019fbc45
0x019fbc4a
0x019fbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x019fbc50
0x019fbc50
0x019fbc58
0x019fbc5a
0x019fbc60
0x00000000
0x00000000
0x01a3a4f2
0x01a3a4f6
0x00000000
0x00000000
0x00000000
0x01a3a4fc
0x019fbc79
0x019fbc7e
0x019fbc86
0x019fbd16
0x019fbd20
0x019fbd20
0x019fbc8d
0x019fbc94
0x019fbcbd
0x019fbcca
0x019fbccb
0x019fbccc
0x019fbccd
0x019fbcce
0x019fbcd4
0x019fbcea
0x019fbcee
0x019fbcf2
0x019fbd00
0x019fbd04
0x00000000
0x019fbc96
0x019fbcab
0x019fbcaf
0x019fbd2c
0x019fbd2c
0x019fbd09
0x00000000
0x019fbd09
0x019fbcb1
0x019fbcb5
0x019fbcbb
0x00000000
0x00000000
0x00000000
0x019fbcbb

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6557ff079bed44f371a58d5063fef64b376db53eb9822b63dc4ab447de5ca584
Instruction ID: 576faccdf97e48d69b396ee179fd7ffbe8f5b271c5edfc28d972b0052f2663b3
Opcode Fuzzy Hash: 6557ff079bed44f371a58d5063fef64b376db53eb9822b63dc4ab447de5ca584
Instruction Fuzzy Hash: 1B310176A00656ABCB12DF58D4C07A677B8FB18321F044479EE4EDB246E774D906CB81

Uniqueness

Uniqueness Score: -1.00%

Function 019C9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E019C9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x1a9f6e8);
				E01A1D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E01A988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E01A1D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x1ab86c0; // 0x15607b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x1ab86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E019E2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E01A988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E01A0AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x1abb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x1ab84c0;
										if(_t69 >=  *0x1ab84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01A99063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E019C922A(_t82);
							_t53 = E019E7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01A98B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x1ab86c0; // 0x15607b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x1ab86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x1ab86bc;
										_t72 = 0x1ab86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E019C9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x1ab86c4;
									_t72 = 0x1ab86c0;
									L18:
									E019F9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x019c9100
0x019c9100
0x019c9100
0x019c9100
0x019c9102
0x019c9107
0x019c910c
0x019c9110
0x019c9115
0x019c9136
0x019c9143
0x01a237e4
0x01a237e4
0x019c9149
0x019c914e
0x019c914e
0x019c9117
0x019c911d
0x00000000
0x00000000
0x019c911f
0x019c9125
0x00000000
0x019c9151
0x019c9158
0x019c915d
0x019c9161
0x019c9168
0x01a23715
0x00000000
0x019c916e
0x019c916e
0x019c9175
0x019c9177
0x019c917e
0x019c917f
0x019c9182
0x019c9182
0x019c9187
0x019c9187
0x019c918a
0x019c918d
0x019c918f
0x019c9192
0x019c9195
0x019c9198
0x019c9198
0x019c9198
0x019c919a
0x00000000
0x00000000
0x01a2371f
0x01a23721
0x01a23727
0x01a2372f
0x01a23733
0x01a23735
0x01a23738
0x01a2373b
0x01a2373d
0x01a23740
0x00000000
0x00000000
0x01a23746
0x01a23749
0x00000000
0x00000000
0x01a2374f
0x01a23751
0x00000000
0x00000000
0x01a23757
0x01a23759
0x01a2375c
0x01a2375c
0x01a2375e
0x01a2375e
0x01a23761
0x01a23764
0x00000000
0x00000000
0x01a23766
0x01a23768
0x01a237a3
0x01a237a3
0x01a237a5
0x01a237a7
0x01a237ad
0x01a237b0
0x01a237b2
0x01a237bc
0x01a237c2
0x01a237c2
0x01a237b2
0x019c9187
0x019c9187
0x019c918a
0x019c918d
0x019c918f
0x019c9192
0x019c9195
0x00000000
0x019c9195
0x00000000
0x019c9187
0x01a2376a
0x01a2376a
0x01a2376c
0x01a2376c
0x01a2376f
0x01a23775
0x00000000
0x00000000
0x01a23777
0x01a23779
0x00000000
0x00000000
0x01a23782
0x01a23787
0x01a23789
0x01a23790
0x01a23790
0x01a2378b
0x01a2378b
0x01a2378b
0x01a23792
0x01a23795
0x01a23795
0x01a23798
0x01a23798
0x01a2379b
0x01a2379b
0x019c91a3
0x019c91a9
0x019c91b0
0x019c91b4
0x019c91b4
0x019c91bb
0x019c91c0
0x019c91c5
0x019c91c7
0x01a237da
0x019c91cd
0x019c91cd
0x019c91cd
0x019c91d2
0x019c91d5
0x019c9239
0x019c9239
0x019c91d7
0x019c91db
0x019c91e1
0x019c91e7
0x019c91fd
0x019c9203
0x019c921e
0x019c9223
0x00000000
0x019c9223
0x019c9205
0x019c9208
0x019c920c
0x019c9214
0x019c9214
0x019c91e9
0x019c91e9
0x019c91ee
0x019c91f3
0x019c91f3
0x019c91f3
0x019c91e7
0x00000000
0x019c91db
0x019c9187
0x019c9168

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a4c1b6063ca09bcbcaa5c55588ef279756e95d5b5c6caaec0aa07e1da33949
Instruction ID: 1024f4c55c70e8935c9d5e8ec60e8af89b6da019684643edf07a005c799dfd7d
Opcode Fuzzy Hash: 78a4c1b6063ca09bcbcaa5c55588ef279756e95d5b5c6caaec0aa07e1da33949
Instruction Fuzzy Hash: 1831E675A00285DFDF26DF6CC589B9CBBF5BF89728F18814DC58867252C339A980CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019F1DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E019F1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E019EF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L019E4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E019EF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x019f1dc2
0x019f1dc5
0x019f1dc7
0x019f1dcc
0x019f1dce
0x019f1dd6
0x019f1ddf
0x019f1de0
0x019f1de1
0x019f1de5
0x019f1de8
0x019f1def
0x019f1df0
0x019f1df6
0x019f1df7
0x019f1dfe
0x019f1e1a
0x00000000
0x00000000
0x019f1e0b
0x019f1e12
0x019f1e12
0x019f1e00
0x019f1e00
0x019f1e05
0x019f1e1e
0x019f1e23
0x01a3570f
0x01a35713
0x00000000
0x00000000
0x01a35719
0x01a35719
0x019f1e2c
0x019f1e2d
0x019f1e2e
0x019f1e2f
0x019f1e31
0x019f1e32
0x019f1e35
0x019f1e3d
0x01a35723
0x01a3573d
0x01a3573d
0x00000000
0x01a35723
0x019f1e49
0x019f1e4e
0x019f1e4e
0x019f1e09
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 9b240b719ab3be53919a724b2a27d15a212526d331b8e167fd3b04a60215443d
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: D6219072A00119FFD725CF99CC84EABBBBDEF85641F154469FA0997220D634AE01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 019E0050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E019E0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x1abd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E019F9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E01A0B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01A98A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E019F9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x1abb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x019e0055
0x019e005d
0x019e0062
0x019e006c
0x019e006f
0x019e0074
0x019e007a
0x019e007a
0x019e0080
0x019e0080
0x019e0087
0x019e008d
0x019e008f
0x019e0093
0x019e0095
0x019e009b
0x019e00f8
0x019e00fb
0x019e00fc
0x019e00ff
0x019e0108
0x019e0108
0x019e00a2
0x019e00a6
0x019e00b3
0x019e00bc
0x019e00c5
0x019e00ca
0x01a2c01e
0x00000000
0x00000000
0x01a2c02d
0x019e00d5
0x019e00d9
0x01a2c03d
0x01a2c046
0x01a2c046
0x019e00df
0x019e00e2
0x019e00ea
0x019e00ef
0x019e00f2
0x019e00f6
0x019e0111
0x019e0117
0x019e0117
0x00000000
0x019e00f6
0x019e00d0
0x019e00d0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684136ea2ce58c1482cbabde666de6e2b65460a419798dcdf8ee3c3d44ac1ddc
Instruction ID: 09a13289f617043f5708cb5956785c06731dc15bc49aa999e3a5e07b0ad10a1c
Opcode Fuzzy Hash: 684136ea2ce58c1482cbabde666de6e2b65460a419798dcdf8ee3c3d44ac1ddc
Instruction Fuzzy Hash: 7E318F31301B04DFD722CF2CC944B9AB7E5FF89715F18496DE59A87A90EB75A801CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A46C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01A46C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E019E7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1ab7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L019E4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E01A0F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E019E7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01A09AE0();
						_t23 = L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01a46c0a
0x01a46c0f
0x01a46c10
0x01a46c13
0x01a46c15
0x01a46c19
0x01a46c1c
0x01a46c21
0x01a46c28
0x01a46c3a
0x01a46c2a
0x01a46c33
0x01a46c33
0x01a46c3f
0x01a46c48
0x01a46c4d
0x01a46c60
0x01a46c65
0x01a46c69
0x01a46c73
0x01a46c79
0x01a46c7f
0x01a46c86
0x01a46c90
0x01a46c94
0x01a46ca6
0x01a46cb2
0x01a46cbd
0x01a46cbd
0x01a46cc3
0x01a46cc7
0x01a46ccb
0x01a46cd0
0x01a46cd1
0x01a46ce2
0x01a46ce2
0x01a46c69
0x01a46ced

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f86fe97dcac052cf7ca47465b26ec4a5310eba833973c9294fbb14c81323ab
Instruction ID: ca2cc9515185a74a0d965aef5b69eb2d5f502fa9a8be285cb43b4f78919d93c5
Opcode Fuzzy Hash: 37f86fe97dcac052cf7ca47465b26ec4a5310eba833973c9294fbb14c81323ab
Instruction Fuzzy Hash: 0521ABB1A00645AFD716DFA8D984E2AB7F8FF88700F040069F908D7791D635ED50CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 01A090AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01A090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E01A1D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E019FE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L019E4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E01A0F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E019FA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x01a090af
0x01a090b8
0x01a090bb
0x01a090bf
0x01a090c2
0x01a090c2
0x01a090c8
0x01a090cb
0x01a090cd
0x01a414d7
0x01a414eb
0x01a414eb
0x00000000
0x01a414eb
0x01a414db
0x01a414e6
0x00000000
0x01a414f2
0x01a414e8
0x00000000
0x01a414e8
0x01a090d8
0x01a090da
0x01a090dd
0x01a090e5
0x00000000
0x01a09139
0x01a090fa
0x01a090fe
0x01a09142
0x00000000
0x01a09142
0x01a09104
0x01a09107
0x01a0910b
0x01a09110
0x01a09118
0x01a09147
0x01a09148
0x01a0914f
0x01a09150
0x01a09151
0x01a09152
0x01a09156
0x01a0915d
0x01a09160
0x01a09168
0x01a0916c
0x01a091bc
0x01a091be
0x00000000
0x01a091be
0x01a0916e
0x01a09173
0x01a09176
0x00000000
0x00000000
0x01a0917c
0x01a09180
0x01a091b5
0x00000000
0x01a091b5
0x01a09182
0x01a09185
0x01a09189
0x00000000
0x00000000
0x01a0918e
0x01a09190
0x01a09198
0x00000000
0x00000000
0x01a091a0
0x00000000
0x01a091ad
0x01a091ad
0x01a091b0
0x01a091b1
0x00000000
0x01a09185
0x01a0911a
0x01a0911c
0x01a0911f
0x01a09125
0x01a09127
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: c3ad7c0eb462c4429e44eb96e2233d64a934129594eb6279d87c878ad2c485ec
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 40219571A00305EFDB22DF59D544E5AFBF8EB58314F14886EE949A7251D370ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019F3B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E019F3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x1ab84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x1ab84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x1ab84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E01A0AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E01A0FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x1ab84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x1ab84c4; // 0x0
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x019f3b89
0x019f3b96
0x019f3ba1
0x019f3bab
0x019f3bb5
0x019f3bb9
0x01a36298
0x019f3bbf
0x019f3bc2
0x019f3bc3
0x019f3bc9
0x019f3bca
0x019f3bcc
0x019f3bcd
0x019f3bd4
0x019f3bd6
0x019f3bdb
0x019f3bea
0x019f3bf7
0x019f3bfb
0x019f3bff
0x019f3c09
0x019f3c0a
0x019f3c0b
0x019f3c0f
0x019f3c14
0x019f3c18
0x019f3c18
0x019f3bfb
0x019f3c1b
0x019f3c30
0x019f3c30
0x019f3c3d

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176f2c14de24b8f08a87ced7b492a8fa2f2a8ed8d48ce72e1b7c57bd3620f6d1
Instruction ID: 5bc195891e0e17b7a5eab23ff3313a53a7ef8ee37cf0d5130026b30ecfe121d5
Opcode Fuzzy Hash: 176f2c14de24b8f08a87ced7b492a8fa2f2a8ed8d48ce72e1b7c57bd3620f6d1
Instruction Fuzzy Hash: CE21A472A00109BFC715DF98DD81F5ABBBDFB44708F150468EA08AB252D375EE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A46CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01A46CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E019E7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E019E7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x19a5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E019FF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E019FF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01A47016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L019E2400( &_v52);
								}
								_t21 = L019E2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01a46cfb
0x01a46d00
0x01a46d02
0x01a46d06
0x01a46d0a
0x01a46d0e
0x01a46d19
0x01a46d2b
0x01a46d1b
0x01a46d24
0x01a46d24
0x01a46d33
0x01a46d39
0x01a46d46
0x01a46d4f
0x01a46d61
0x01a46d51
0x01a46d5a
0x01a46d5a
0x01a46d69
0x01a46d6b
0x01a46d6d
0x01a46d6f
0x01a46d6f
0x01a46d74
0x01a46d79
0x01a46d7a
0x01a46d7f
0x01a46d82
0x01a46d88
0x01a46d89
0x01a46d90
0x01a46d94
0x01a46da7
0x01a46db1
0x01a46db1
0x01a46dbb
0x01a46dbb
0x01a46d90
0x01a46d69
0x01a46d46
0x01a46dc6

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326023cb7ac620b9cf2df5d07ca454657b144276135c946d8b507334799ff9d6
Instruction ID: d76754c9846a2cc742a72a5ef88a085e911d6b1af30e6095dbc7cd6ab8084ce6
Opcode Fuzzy Hash: 326023cb7ac620b9cf2df5d07ca454657b144276135c946d8b507334799ff9d6
Instruction Fuzzy Hash: 1621D072500B499BD712DF68C944B6BBBECAFD2640F080556BA8887251EB34C98CC6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A9070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E01A9070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E01A907DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E01A8AFDE( &_v8,  &_v12);
					E01A91293(_t38, _v28, _t60);
					if(E019E7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E01A814FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x01a9071b
0x01a90724
0x01a90734
0x01a90738
0x01a9074b
0x01a9074b
0x01a90753
0x01a90753
0x01a90759
0x01a9075d
0x01a90774
0x01a90779
0x01a9077d
0x01a90789
0x01a90795
0x01a907a7
0x01a90797
0x01a907a0
0x01a907a0
0x01a907af
0x01a907c4
0x01a907cd
0x01a907cd
0x01a907af
0x01a907dc

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 9c6bf4464873b67ac450dcdabf585ce18d5d8893976b4d47a40e243139138eca
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 2A210436204604AFDB05DF1CC984B6ABBE9EFD4360F048569F9958B381D730D949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A47794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01A47794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x1ab7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E01A0F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E019E7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E01A09AE0();
					_t24 = L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01a47799
0x01a4779a
0x01a4779b
0x01a477a3
0x01a477ab
0x01a477ae
0x01a477b1
0x01a477b1
0x01a477bf
0x01a477c4
0x01a477c8
0x01a477ce
0x01a477d4
0x01a477e0
0x01a477e0
0x01a477d6
0x01a477d6
0x01a477de
0x00000000
0x00000000
0x01a477de
0x01a477e5
0x01a477f0
0x01a477f3
0x01a477f6
0x01a477fd
0x01a47800
0x01a4780c
0x01a47818
0x01a4782b
0x01a4781a
0x01a47823
0x01a47823
0x01a47830
0x01a47831
0x01a47838
0x01a4783d
0x01a4783e
0x01a4784f
0x01a4784f
0x01a4785a

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1e69a2f8101d9e4965035c613df8043dbf335e8017b052734a463e4c8c24bb
Instruction ID: d318d783ba9c0424d808d3692a0292e0a74eae0398e657246bdd24be761a2d63
Opcode Fuzzy Hash: 6f1e69a2f8101d9e4965035c613df8043dbf335e8017b052734a463e4c8c24bb
Instruction Fuzzy Hash: 65219D72900644ABC726DFA9D894E6BBBA8EF88740F100569E60AD7690D734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019EAE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E019EAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E019E7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E019E7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E019E7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E019E7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01A47794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x019eae78
0x019eae7c
0x019eae7e
0x019eae81
0x019eae86
0x019eae8d
0x01a32691
0x019eae93
0x019eae93
0x019eae93
0x019eae98
0x019eae9d
0x01a326a2
0x01a326b4
0x01a326a4
0x01a326ad
0x01a326ad
0x01a326b9
0x00000000
0x01a326bb
0x00000000
0x01a326bb
0x019eaea3
0x019eaea3
0x019eaea3
0x019eaeaa
0x01a326c0
0x01a326c9
0x01a326c9
0x019eaeb3
0x01a326d4
0x01a326e1
0x00000000
0x00000000
0x01a326e7
0x01a326ee
0x01a326f0
0x01a326f9
0x01a326f9
0x01a32702
0x01a32708
0x01a32708
0x01a3270b
0x01a3270f
0x01a32711
0x01a32711
0x01a32725
0x01a32725
0x00000000
0x019eaeb9
0x019eaeb9
0x019eaebf
0x019eaebf
0x019eaeb3

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 61776fbc138a770f1f88d275ab7d6c5575f87ceb6e734c1c33e868bf462f6a4e
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 2C210872601685DFE727DB6DC948B2577E8EF84340F0900A5ED088B7A2E735EC40C791

Uniqueness

Uniqueness Score: -1.00%

Function 019FFD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E019FFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E019D76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x019ffd9b
0x019ffda0
0x019ffda1
0x019ffdab
0x019ffdad
0x019ffdb0
0x019ffdb8
0x019ffe0f
0x019ffde6
0x019ffde9
0x019ffdec
0x01a3c0c0
0x019ffdfe
0x019ffe06
0x019ffe06
0x01a3c0c8
0x019ffe2d
0x019ffe2d
0x00000000
0x019ffe2d
0x01a3c0d1
0x01a3c0e0
0x01a3c0e5
0x01a3c0e5
0x01a3c0e8
0x00000000
0x01a3c0e8
0x019ffdf4
0x00000000
0x00000000
0x019ffdf6
0x019ffdfa
0x019ffe1a
0x019ffe1f
0x019ffe1f
0x019ffdfc
0x00000000
0x019ffdfc
0x019ffdcc
0x019ffdd0
0x019ffe26
0x00000000
0x019ffe26
0x019ffdd8
0x019ffddb
0x019ffddd
0x019ffde0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 2554f8b67e87155d5dcee0dd75bbf2bb3bccabfb0f8b9392fe0986ec6078babb
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 7821BB72A00A40EFDB35CF4DC540E62F7E9EB94B11F20847EEA4987651D730AC00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019FB390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E019FB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E019E2280(_t12, 0x1ab8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E01A000C2(0x1ab8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x019fb395
0x019fb3a2
0x019fb3a5
0x019fb3aa
0x019fb3b2
0x019fb3ba
0x019fb3bd
0x019fb3c0
0x019fb3c4
0x019fb3c9
0x01a3a3e9
0x01a3a3ed
0x01a3a3f0
0x01a3a3ff
0x01a3a403
0x01a3a409
0x00000000
0x00000000
0x01a3a40b
0x01a3a40b
0x01a3a40f
0x01a3a415
0x01a3a423
0x01a3a423
0x01a3a415
0x019fb3d1
0x019fb3e8
0x019fb3e8
0x019fb3d9

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7ceebb32a884455234faa50be8d506ee2db7e4815463248b75c8ed4903795d
Instruction ID: e2da00dfd720013fafb2ebf8670815ea9bc89e02aeb60783c64b48bdca0db976
Opcode Fuzzy Hash: ac7ceebb32a884455234faa50be8d506ee2db7e4815463248b75c8ed4903795d
Instruction Fuzzy Hash: 9E114837342120ABCB1ADE18DD81A6BB29EEBC5330B29012DEE1AC7381C9759C02C790

Uniqueness

Uniqueness Score: -1.00%

Function 019C9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E019C9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x1a9f708);
				E01A1D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E01A095D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E01A095D0();
				_t33 =  *0x1ab84c4; // 0x0
				L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x1ab84c4; // 0x0
				L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x1ab84c4; // 0x0
				E019E2280(L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x1ab86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E01A095D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E01A095D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E019C9325();
					_t50 =  *0x1ab84c4; // 0x0
					return E01A1D0D1(L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x019c9240
0x019c9242
0x019c9247
0x019c924c
0x019c924e
0x019c9255
0x019c9257
0x019c925a
0x019c925f
0x019c925f
0x019c9266
0x019c9271
0x019c9276
0x019c9279
0x019c927e
0x019c9295
0x019c929a
0x019c92b1
0x019c92b6
0x019c92d7
0x019c92dc
0x019c92e0
0x019c92e6
0x019c92e8
0x019c92ee
0x019c9332
0x019c9333
0x019c9337
0x019c9338
0x019c933a
0x019c933a
0x019c933d
0x019c9342
0x019c9342
0x019c9345
0x019c9349
0x019c934e
0x019c9352
0x019c9357
0x019c92f4
0x019c92f4
0x019c92f6
0x019c92f9
0x019c9300
0x019c9306
0x019c9324
0x019c9324

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c570fa16f63f2fd258af9f6d2cdf6a7fd7fb40a31d0c61c678929c6def7ac558
Instruction ID: cdb0e614f952f508f7ff0d134bc764bd3ed2fd5f0de5b6b21a99c50c9a0eb091
Opcode Fuzzy Hash: c570fa16f63f2fd258af9f6d2cdf6a7fd7fb40a31d0c61c678929c6def7ac558
Instruction Fuzzy Hash: DA213C31041A42DFC726EF68CA44F5AB7F9BF18708F14496CE04D966A2C739E942CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01A54257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01A54257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x1aa08d0);
				E01A1D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E01A541E8(__ebx, __edi, __ecx, _t39);
				E019DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x1ab87e4;
					_t18 =  *0x1ab87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1ab5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x1ab87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x1ab87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L019C7055(_t31 + 0xfffffff8);
								_t24 =  *0x1ab87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x1ab87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1ab5cd0;
				if( *0x1ab5cd0 <= 0) {
					L019C7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x1ab87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x1ab87e8 = _t30;
						 *0x1ab87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E01A1D0D1(L01A54320());
			}

0x01a54257
0x01a54257
0x01a54257
0x01a54259
0x01a5425e
0x01a54263
0x01a54265
0x01a54273
0x01a54278
0x01a5427c
0x01a5427f
0x01a54281
0x01a54287
0x01a542d7
0x01a542d7
0x01a542da
0x01a5428d
0x01a5428d
0x01a5428f
0x01a54292
0x01a54297
0x01a5429c
0x01a542a0
0x01a542a6
0x01a542a8
0x01a542ae
0x01a542b3
0x00000000
0x01a542ba
0x01a542ba
0x01a542bf
0x01a542c5
0x01a542ca
0x01a542cf
0x01a542d0
0x00000000
0x01a542d0
0x01a542b3
0x00000000
0x01a542a6
0x01a5429c
0x01a542dc
0x01a542dc
0x01a542e3
0x01a54309
0x01a542e5
0x01a542e5
0x01a542e8
0x01a542ee
0x01a542f0
0x00000000
0x01a542f2
0x01a542f2
0x01a542f4
0x01a542f7
0x01a542f9
0x01a54300
0x01a54300
0x01a542f0
0x01a5430e
0x01a5431f

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9571893f61facee1a66fd78df5f34dfdf44d049bb1b79e23827924c653ce05
Instruction ID: 05fc51ba85561f6e7678e0559efd17820cbfc8edf2da92e61acef85abbb9ee6c
Opcode Fuzzy Hash: 1f9571893f61facee1a66fd78df5f34dfdf44d049bb1b79e23827924c653ce05
Instruction Fuzzy Hash: 46219F74505B41CFC7A5DF68D1806187BF9FB89359F2482AEC5098B2AAE73494D3CF40

Uniqueness

Uniqueness Score: -1.00%

Function 019F2397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E019F2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x1ab848c != 0) {
					L019EFAD0(0x1ab8610);
					if( *0x1ab848c == 0) {
						E019EFA00(0x1ab8610, _t19, _t27, 0x1ab8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E019F2581(0x1ab8610, 0x19a50a0, _t26, _t27, _t28);
						E019EFA00(0x1ab8610, 0x19a50a0, _t27, 0x1ab8610);
					}
				} else {
					L1:
					_t11 =  *0x1ab8614; // 0x0
					if(_t11 == 0) {
						_t11 = E01A04886(0x19a1088, 1, 0x1ab8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E019F2581(0x1ab8610, (_t11 << 4) + 0x19a5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x019f23b0
0x019f23b6
0x019f2409
0x019f2415
0x01a35ae9
0x00000000
0x019f241b
0x019f241b
0x019f241d
0x019f2427
0x019f242e
0x019f2430
0x019f2430
0x019f23b8
0x019f23b8
0x019f23b8
0x019f23bf
0x019f23fc
0x019f23fc
0x019f23c1
0x019f23c3
0x019f23d0
0x019f23d8
0x019f23d8
0x019f23dc
0x019f23de
0x019f23e1
0x019f23e1
0x019f23ec

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d9749065cd267711323e04bf6ed3e9518e93a15af6a916a15dd3c3339acd5f
Instruction ID: 2a02ecf7b8e9aa8d34957f1589fe8bd47cd2d8cb32a34f465b781b75b373a346
Opcode Fuzzy Hash: 93d9749065cd267711323e04bf6ed3e9518e93a15af6a916a15dd3c3339acd5f
Instruction Fuzzy Hash: 5C11E172740351B7E731A72DAC94B16B6DDFBA0A10F14442EB70E9B292D6B8E8058794

Uniqueness

Uniqueness Score: -1.00%

Function 01A446A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01A446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E01A0F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E019FD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L019E77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x01a446b7
0x01a446ba
0x01a446c5
0x01a446c8
0x01a446d0
0x01a446d4
0x01a446e6
0x01a446e9
0x01a446f4
0x01a446ff
0x01a44705
0x01a44706
0x01a4470c
0x01a44713
0x01a4471b
0x01a44723
0x01a44725
0x01a446d6
0x01a446d9
0x01a446db
0x01a446db
0x01a44732

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: cbbf2d0c32f7fd37ab60fd4d64b0fe220a8267694f990706d7b4a92fe15a37cf
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 3511C272504208BBCB169F5CE8809BEB7B9EFD9314F10806AF944C7351DA318D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 019CC962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E019CC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x1abd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E019DEEF0(0x1ab70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E01A4F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E019DEB70(_t29, 0x1ab70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E01A0B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E01A4F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x1ab70c0; // 0x0
					while(_t38 != 0x1ab70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x1abb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x019cc96a
0x019cc974
0x019cc988
0x019cc98a
0x01a37c9d
0x01a37c9f
0x01a37ca4
0x01a37cae
0x01a37cf0
0x01a37cf5
0x01a37cfa
0x019cc992
0x019cc996
0x019cc997
0x019cc998
0x019cc9a3
0x019cc9a3
0x01a37cb0
0x01a37cb7
0x01a37cbb
0x00000000
0x00000000
0x01a37cbd
0x01a37ce8
0x01a37cc5
0x01a37cc8
0x01a37cca
0x01a37cd0
0x01a37cd6
0x01a37cde
0x01a37ce4
0x01a37ce4
0x01a37cd0
0x00000000
0x01a37ce8
0x019cc990
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d2708e1ce0f0bdadcec257ffa30db0052b5fb69cd17d1457451f2b88f21b50
Instruction ID: 38c93ec07c9e47af577a8b7136455cc99a44b02638fc658773e26af34e07bae9
Opcode Fuzzy Hash: 74d2708e1ce0f0bdadcec257ffa30db0052b5fb69cd17d1457451f2b88f21b50
Instruction Fuzzy Hash: 2A11CE353006869BC721AFADDD85A6ABBA5BBC4624B00052AF945876A2DB60EC11C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A037F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E01A037F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E019E2280(_t6, 0x1ab8550);
				}
				_t29 = E01A0387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E019DFFB0(0x1ab8550, _t27, 0x1ab8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x01a037fa
0x01a037fc
0x01a03805
0x01a03808
0x01a03808
0x01a03814
0x01a03818
0x01a03846
0x01a03848
0x01a0384b
0x01a0384b
0x01a03852
0x00000000
0x01a03854
0x01a03856
0x00000000
0x00000000
0x01a03863
0x00000000
0x01a03863
0x01a0381a
0x01a0381a
0x01a0381f
0x01a0386e
0x01a0386e
0x01a03871
0x01a03873
0x01a03873
0x01a03868
0x00000000
0x01a03868
0x01a03821
0x01a03826
0x00000000
0x00000000
0x01a03828
0x01a0382a
0x01a03841
0x00000000
0x01a03841

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96141f9d8d6d8a7784d5822cf646a8b40b95d1863c8aa85334df71ce5e6a750e
Instruction ID: 46abd5095120beae6ad4004613bb9e5aea34f67bdfe79676255e6c81222eb6b7
Opcode Fuzzy Hash: 96141f9d8d6d8a7784d5822cf646a8b40b95d1863c8aa85334df71ce5e6a750e
Instruction Fuzzy Hash: 5101D6729016119FCB3B8B5EE940E26BBEAFFC5B50B1540E9E9498B396D730CA05C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 019F002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019F002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E019E7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E019E7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E019E7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E019E7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x019f0032
0x019f0037
0x019f0043
0x01a34b3a
0x019f0049
0x019f0049
0x019f0049
0x019f004e
0x019f0053
0x01a34b48
0x01a34b5a
0x01a34b4a
0x01a34b53
0x01a34b53
0x01a34b5f
0x00000000
0x01a34b61
0x00000000
0x01a34b61
0x019f0059
0x019f0059
0x019f0060
0x01a34b6f
0x01a34b6f
0x019f0069
0x01a34b83
0x00000000
0x00000000
0x01a34b90
0x01a34b9b
0x01a34b9b
0x01a34ba4
0x00000000
0x00000000
0x01a34baa
0x00000000
0x019f006f
0x019f006f
0x00000000
0x019f006f
0x019f0069

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: e6ab197ee7087bccd1739f4680ac3e6e16c1eb82e0aecf1af103bfe52eaebc00
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 9311E132601681DFE72B9B6CC948B353BD9EF84754F0D00A4FE08876A3D329C881C361

Uniqueness

Uniqueness Score: -1.00%

Function 019D766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E019D766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E019FF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E019FF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L019E4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x019d7672
0x019d767f
0x019d7689
0x019d76de
0x019d76de
0x019d768b
0x019d7691
0x019d7693
0x019d7697
0x00000000
0x019d7699
0x019d76a8
0x00000000
0x019d76aa
0x019d76ad
0x019d76b1
0x00000000
0x019d76b3
0x019d76b3
0x019d76b5
0x019d76ba
0x019d76bc
0x019d76bc
0x019d76c0
0x00000000
0x019d76c2
0x019d76ce
0x019d76ce
0x019d76c0
0x019d76b1
0x019d76a8
0x019d7697
0x019d76d9

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 023f5dcde14eeff71859b1fecff5f0046a65121050136b76e88a2f6edbb73551
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: DB01843270011DABD725DE9ECC45E5B7BADFB84AA4B684528BA0CCB250EA70DD0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 019C9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E019C9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x1ab85ec;
				E019E2280(_t48, 0x1ab85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E019DFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x1ab538c; // 0x771a6828
					if( *_t84 != 0x1ab5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x1a9f6e8);
						E01A1D0E8(0x1ab85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E01A988F5(_t80, _t85, 0x1ab5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x1ab86c0; // 0x15607b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x1ab86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E019E2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E01A988F5(0x1ab85ec, _t85, 0x1ab5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E01A0AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x1abb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x1ab84c0;
																			if(_t82 >=  *0x1ab84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01A99063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E019C922A(_t99);
										_t64 = E019E7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01A98B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x1ab86c0; // 0x15607b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x1ab86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x1ab86bc;
													_t87 = 0x1ab86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E019C9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x1ab86c4;
												_t87 = 0x1ab86c0;
												L27:
												E019F9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E01A1D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1ab5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x1ab538c = _t51;
						goto L6;
					}
				}
			}

0x019c9082
0x019c9083
0x019c9084
0x019c9085
0x019c9087
0x019c9096
0x019c9098
0x019c9098
0x019c909e
0x019c90a8
0x019c90e7
0x019c90e7
0x019c90aa
0x019c90b0
0x019c90b7
0x019c90bd
0x019c90dd
0x019c90e6
0x019c90bf
0x019c90bf
0x019c90c7
0x019c90cf
0x019c90f1
0x019c90f2
0x019c90f4
0x019c90f5
0x019c90f6
0x019c90f7
0x019c90f8
0x019c90f9
0x019c90fa
0x019c90fb
0x019c90fc
0x019c90fd
0x019c90fe
0x019c90ff
0x019c9100
0x019c9102
0x019c9107
0x019c910c
0x019c9110
0x019c9113
0x019c9115
0x019c9136
0x019c913f
0x019c9143
0x01a237e4
0x01a237e4
0x019c9117
0x019c9117
0x019c911d
0x00000000
0x019c911f
0x019c911f
0x019c9125
0x00000000
0x019c9127
0x019c912d
0x019c9130
0x019c9134
0x019c9158
0x019c915d
0x019c9161
0x019c9168
0x01a23715
0x019c916e
0x019c916e
0x019c9175
0x019c9177
0x019c917e
0x019c917f
0x019c9182
0x019c9182
0x019c9187
0x019c9187
0x019c918a
0x019c918d
0x019c918f
0x019c9192
0x019c9195
0x019c9198
0x019c9198
0x019c9198
0x019c919a
0x00000000
0x00000000
0x01a2371f
0x01a23721
0x01a23727
0x01a2372f
0x01a23733
0x01a23735
0x01a23738
0x01a2373b
0x01a2373d
0x01a23740
0x00000000
0x01a23746
0x01a23746
0x01a23749
0x00000000
0x01a2374f
0x01a2374f
0x01a23751
0x01a23757
0x01a23759
0x01a2375c
0x01a2375c
0x01a2375e
0x01a2375e
0x01a23761
0x01a23764
0x00000000
0x00000000
0x01a23766
0x01a23768
0x01a237a3
0x01a237a3
0x01a237a5
0x01a237a7
0x01a237ad
0x01a237b0
0x01a237b2
0x01a237bc
0x01a237c2
0x01a237c2
0x01a237b2
0x019c9187
0x019c9187
0x019c918a
0x019c918d
0x019c918f
0x019c9192
0x019c9195
0x00000000
0x019c9195
0x00000000
0x01a2376a
0x01a2376a
0x01a2376a
0x01a2376c
0x01a2376c
0x01a2376f
0x01a23775
0x00000000
0x00000000
0x01a23777
0x01a23779
0x01a23782
0x01a23787
0x01a23789
0x01a23790
0x01a23790
0x01a2378b
0x01a2378b
0x01a2378b
0x01a23792
0x01a23795
0x00000000
0x01a23795
0x00000000
0x01a23779
0x01a23798
0x00000000
0x01a23798
0x00000000
0x01a23768
0x01a2379b
0x01a2379b
0x01a23751
0x01a23749
0x00000000
0x01a23740
0x019c91a0
0x019c91a3
0x019c91a9
0x019c91b0
0x00000000
0x019c91b0
0x019c9187
0x019c91b4
0x019c91b4
0x019c91bb
0x019c91c0
0x019c91c5
0x019c91c7
0x01a237da
0x019c91cd
0x019c91cd
0x019c91cd
0x019c91d2
0x019c91d5
0x019c9239
0x019c9239
0x019c91d7
0x019c91db
0x019c91e1
0x019c91e7
0x019c91fd
0x019c9203
0x019c921e
0x019c9223
0x00000000
0x019c9205
0x019c9205
0x019c9208
0x019c920c
0x019c9214
0x019c9214
0x019c920c
0x019c91e9
0x019c91e9
0x019c91ee
0x019c91f3
0x019c91f3
0x019c91f3
0x019c91e7
0x00000000
0x00000000
0x00000000
0x019c9134
0x019c9125
0x019c911d
0x019c914e
0x019c90d1
0x019c90d1
0x019c90d3
0x019c90d6
0x019c90d8
0x00000000
0x019c90d8
0x019c90cf

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a6355cbcfb08d4246424c829f0795c920acb95ab850d15b9d29cd00f08b7c9
Instruction ID: 757617b9c37f7de7519e97dc7cc75b6ad251963af8f42a2bef738c77682939d4
Opcode Fuzzy Hash: 66a6355cbcfb08d4246424c829f0795c920acb95ab850d15b9d29cd00f08b7c9
Instruction Fuzzy Hash: C101A4729026449FD3299F1CD880B117BADEB85B26F25406AE5498B792C774DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A5C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01A5C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E01A09910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E01A095B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E01A095D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E01A095D0();
				return L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x01a5c458
0x01a5c45d
0x01a5c466
0x01a5c468
0x01a5c469
0x01a5c46a
0x01a5c46b
0x01a5c46e
0x01a5c46f
0x01a5c471
0x01a5c476
0x01a5c476
0x01a5c47c
0x01a5c47e
0x01a5c480
0x01a5c480
0x01a5c483
0x01a5c484
0x01a5c486
0x01a5c488
0x01a5c48f
0x01a5c491
0x01a5c493
0x01a5c493
0x01a5c48f
0x01a5c498
0x01a5c49e
0x01a5c4ad
0x01a5c4ad
0x01a5c4b2
0x01a5c4b4
0x01a5c4cd

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 0c0446979632e4a52a16423867ae9e3ff580ce7b4ccddd01f0e57d466b45334d
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: FE019671140606BFE726AF69DD84E63FB7DFF543A4F004525F618425A5C732ACA1C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A94015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01A94015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E019E2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E019E2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x1ab86ac);
					E019CF900(0x1ab86d4, _t28);
					E019DFFB0(0x1ab86ac, _t28, 0x1ab86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E019DFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x01a9401a
0x01a9401e
0x01a94023
0x01a94028
0x01a94029
0x01a9402b
0x01a9402f
0x01a94043
0x01a94046
0x01a94051
0x01a94057
0x01a9405f
0x01a94062
0x01a94067
0x01a9406f
0x01a9407c
0x01a9407c
0x01a9408c
0x01a9408c
0x01a94097

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ff561591d7c579ddaa06a838820c92d65ce7f949f366335510286c93a93a9f
Instruction ID: d03b6cedcb04c37bab50167a8024ed74fd21cc0756e1df9809ab9103c8335732
Opcode Fuzzy Hash: f5ff561591d7c579ddaa06a838820c92d65ce7f949f366335510286c93a93a9f
Instruction Fuzzy Hash: FD0184722415467FD715AB6DCD84E53B7ECFB99760B000229B50C87A11DB24EC52C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 01A8138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E01A8138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1abd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E01A0FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E019E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01a8138a
0x01a8138a
0x01a81399
0x01a813a3
0x01a813a8
0x01a813aa
0x01a813b5
0x01a813bb
0x01a813c3
0x01a813c6
0x01a813c9
0x01a813d4
0x01a813e6
0x01a813d6
0x01a813df
0x01a813df
0x01a813f1
0x01a813f2
0x01a813f4
0x01a813f9
0x01a8140e

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783ec3f7e52b40382c3867724ad067c02956c3271fdcd5acc42ce50e33b92539
Instruction ID: cd3361ed6860e7fde5c32a54215cbad4f9d9b99446466ee2844d4e9cc872c559
Opcode Fuzzy Hash: 783ec3f7e52b40382c3867724ad067c02956c3271fdcd5acc42ce50e33b92539
Instruction Fuzzy Hash: DA01B571A0020CAFCB14EFA8D941FAEBBB8EF44700F004066F904EB381D670DA41C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A814FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E01A814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1abd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E01A0FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E019E7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01a814fb
0x01a814fb
0x01a8150a
0x01a81514
0x01a81519
0x01a8151b
0x01a81526
0x01a8152c
0x01a81534
0x01a81537
0x01a8153a
0x01a81545
0x01a81557
0x01a81547
0x01a81550
0x01a81550
0x01a81562
0x01a81563
0x01a81565
0x01a8156a
0x01a8157f

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b491584121595c2f751f584d106121d04bede4aa4c325f344bf3fcc01e5122f
Instruction ID: f02fde7e19ab046088accfd3b1e32289a2950450559fe5249bd69b5b4a8dcba2
Opcode Fuzzy Hash: 1b491584121595c2f751f584d106121d04bede4aa4c325f344bf3fcc01e5122f
Instruction Fuzzy Hash: F401B171A0124CAFCB14EFA8D945EEEBBB8EF44700F044066F904EB381DA71DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019C58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E019C58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x1abd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x19a5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E019C5943() != 0 &&  *0x1ab5320 > 5) {
					E01A47B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01A47B5E( &_v28, _t28);
					_t11 = E01A47B9C(0x1ab5320, 0x19abf15,  &_v28, _t22, 4,  &_v76);
				}
				return E01A0B640(_t11, _t17, _v8 ^ _t29, 0x19abf15, _t27, _t28);
			}

0x019c58fb
0x019c58fe
0x019c5906
0x019c590a
0x019c593c
0x019c593c
0x019c590c
0x019c590c
0x019c5911
0x00000000
0x019c5913
0x019c5913
0x019c5913
0x019c5911
0x019c591d
0x01a21035
0x01a2103c
0x01a2103f
0x01a21056
0x01a21056
0x019c593b

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee80a8da53cab410e90d548e4ad87e0545debc19e117bf9a4972044fefd0731
Instruction ID: 8bee25f95953415af171be6510f47c95b8d3e16af8218c67cacc7ce5cacfd54f
Opcode Fuzzy Hash: 9ee80a8da53cab410e90d548e4ad87e0545debc19e117bf9a4972044fefd0731
Instruction Fuzzy Hash: 1801DF31B001059BE714EE68DD009EEB7ACEB95520F8600A99A0A97244DF30ED06C791

Uniqueness

Uniqueness Score: -1.00%

Function 019DB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019DB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E019E7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01A47016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x019db037
0x019db039
0x019db03b
0x019db040
0x01a2a60e
0x00000000
0x00000000
0x01a2a61d
0x019db04b
0x019db04e
0x01a2a627
0x01a2a634
0x00000000
0x00000000
0x01a2a641
0x01a2a653
0x01a2a643
0x01a2a64c
0x01a2a64c
0x01a2a65b
0x00000000
0x00000000
0x00000000
0x01a2a66c
0x019db057
0x019db057
0x019db057
0x019db046
0x019db046
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 5a8188373e17aca59422049628e2416369881ba30ff3bf3b40a7310b37a266af
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 62018432201984DFE3268B5CC948F767BDCEB96B50F0A40A1FA1ACBA55D729DC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 01A91074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A91074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E01A9165E(__ebx, 0x1ab8ae4, (__edx -  *0x1ab8b04 >> 0x14) + (__edx -  *0x1ab8b04 >> 0x14), __edi, __ecx, (__edx -  *0x1ab8b04 >> 0x14) + (__edx -  *0x1ab8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E01A8AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E019E7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E01A7FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01a91074
0x01a91080
0x01a91082
0x01a9108a
0x01a9108f
0x01a91093
0x01a910ab
0x01a910ab
0x01a910c3
0x01a910cf
0x01a910e1
0x01a910d1
0x01a910da
0x01a910da
0x01a910e9
0x01a910f5
0x01a910f5
0x01a910fe

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b68c53bbf7cf0259ff9ecf658962de3fe8948269a2b3c9c587de89a452594c
Instruction ID: 059dcae0ddd58cbd42c41762dbfe5ec4fee215bd40fa5abaad4cc188eec08fff
Opcode Fuzzy Hash: 76b68c53bbf7cf0259ff9ecf658962de3fe8948269a2b3c9c587de89a452594c
Instruction Fuzzy Hash: E6014C726047439FCB11EF6CD944B1A7BE9BBC4320F04C519F98583291EE35D980CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A7FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01A7FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1abd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E01A0FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E019E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01a7fec0
0x01a7fec0
0x01a7fecf
0x01a7fed9
0x01a7fede
0x01a7fee0
0x01a7feeb
0x01a7fef3
0x01a7fef6
0x01a7fef9
0x01a7ff04
0x01a7ff16
0x01a7ff06
0x01a7ff0f
0x01a7ff0f
0x01a7ff21
0x01a7ff22
0x01a7ff24
0x01a7ff29
0x01a7ff3e

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d250ee8360ce30e24c6f5fec3377155fa9dc15e119d1f5262c18c1b278e1b21
Instruction ID: 58c2e6a7f5ad60a96b2ee13a25a88aa9ec127cf25e11b738f3df10dc79f86482
Opcode Fuzzy Hash: 5d250ee8360ce30e24c6f5fec3377155fa9dc15e119d1f5262c18c1b278e1b21
Instruction Fuzzy Hash: 5D018F71A01209AFDB14DBA9E945FAFBBB8EF44700F004066BA04AB291EA70DA41C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 01A7FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01A7FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1abd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E01A0FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E019E7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01a7fe3f
0x01a7fe3f
0x01a7fe4e
0x01a7fe58
0x01a7fe5d
0x01a7fe5f
0x01a7fe6a
0x01a7fe72
0x01a7fe75
0x01a7fe78
0x01a7fe83
0x01a7fe95
0x01a7fe85
0x01a7fe8e
0x01a7fe8e
0x01a7fea0
0x01a7fea1
0x01a7fea3
0x01a7fea8
0x01a7febd

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8257580ab12b722982bad8340a44d36f5f17df9f377d8b59fe0df194170a188
Instruction ID: 3a39a2559e1a446c23c9854728c570c16754755cc61bca1c9c70ee31df832f8e
Opcode Fuzzy Hash: f8257580ab12b722982bad8340a44d36f5f17df9f377d8b59fe0df194170a188
Instruction Fuzzy Hash: 77018F71A01249AFDB14DFA9E845FAEBBB8EF44B04F004066B904AB291DA70DA41C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A98A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01A98A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1abd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E019E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A0B640(E01A09AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01a98a62
0x01a98a71
0x01a98a79
0x01a98a82
0x01a98a85
0x01a98a89
0x01a98a8c
0x01a98a8f
0x01a98a92
0x01a98a95
0x01a98a9f
0x01a98ab1
0x01a98aa1
0x01a98aaa
0x01a98aaa
0x01a98abc
0x01a98abd
0x01a98abf
0x01a98ac4
0x01a98ada

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f1f7b378149288ca62a44a353e552564b2421086ae9b44900046acdd95788b
Instruction ID: 4a85797f5f5c64a3bb5cc519b00899b3536d878f30bf97d5e43e1f9dfd26fe83
Opcode Fuzzy Hash: 72f1f7b378149288ca62a44a353e552564b2421086ae9b44900046acdd95788b
Instruction Fuzzy Hash: F3012C75A0121DAFCB04DFA9E9419EEBBF8EF59310F50405AFA04E7391E734A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A98ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01A98ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x1abd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E019E7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01a98ed6
0x01a98ee5
0x01a98eed
0x01a98ef0
0x01a98efa
0x01a98f03
0x01a98f0c
0x01a98f15
0x01a98f24
0x01a98f27
0x01a98f31
0x01a98f43
0x01a98f33
0x01a98f3c
0x01a98f3c
0x01a98f4e
0x01a98f4f
0x01a98f51
0x01a98f56
0x01a98f69

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90773d6093099dc7caff77c2f55f9c6c51484d0ce5ce93d963be0a2940b01a9
Instruction ID: 6df6caef00484c380b41c0d276b477d1d095a7a61a5d8dccf31dd77ecda98b2d
Opcode Fuzzy Hash: f90773d6093099dc7caff77c2f55f9c6c51484d0ce5ce93d963be0a2940b01a9
Instruction Fuzzy Hash: 59111E70A002499FDB04DFA8D545BAEBBF4FF08700F0442AAE518EB382E6349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019CDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019CDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E019CDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E019CE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L019CE8B0(__ecx, _t14, 0xfff);
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x019cdb64
0x019cdb66
0x019cdb6b
0x019cdbaa
0x019cdb71
0x019cdb76
0x019cdb7a
0x019cdba3
0x019cdb7c
0x019cdb87
0x019cdb8b
0x01a24fa1
0x01a24fb3
0x01a24fb8
0x019cdb91
0x019cdb96
0x019cdb98
0x019cdb98
0x019cdb8b
0x019cdb7a
0x019cdb9d
0x019cdba2

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: e03a7e0e54d3141a651d0ac0f4aa17f6b19588200f817d0bf049b0d5cf98d414
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 85F068332415239BE7325AD9C8C4F77BAE99FD5E61F15043DF24D9B244C960880296E7

Uniqueness

Uniqueness Score: -1.00%

Function 019CB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019CB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E019E7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E019E7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01A47016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x019cb1e8
0x019cb1ea
0x019cb1f3
0x01a24a17
0x019cb1f9
0x019cb1f9
0x019cb1f9
0x019cb201
0x01a24a21
0x01a24a2e
0x00000000
0x00000000
0x01a24a3b
0x01a24a4d
0x01a24a3d
0x01a24a46
0x01a24a46
0x01a24a55
0x00000000
0x00000000
0x00000000
0x019cb20a
0x019cb20a
0x019cb20a
0x019cb20a

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 8fa3349c82fb606d3c30cd8e1407fa23d5eead8c560f9ccd48ff2e02ecad638d
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 7401F432200684DFD323975DD808F697FD9EFA5B90F0800A5FA598B6B2D679C840C316

Uniqueness

Uniqueness Score: -1.00%

Function 01A5FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01A5FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x1abd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E019E7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01a5fe96
0x01a5fe9e
0x01a5fea1
0x01a5fead
0x01a5feb3
0x01a5feb9
0x01a5fec3
0x01a5fed5
0x01a5fec5
0x01a5fece
0x01a5fece
0x01a5fee0
0x01a5fee1
0x01a5fee3
0x01a5fee8
0x01a5fefb

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900b2dda593d32abb49abb735892986d81d35e96f3e9ddf2d7ec0ba989b705c1
Instruction ID: baa643743abfd7258687a57b3a5b8059db18e30e42959ea171971839ec77cb81
Opcode Fuzzy Hash: 900b2dda593d32abb49abb735892986d81d35e96f3e9ddf2d7ec0ba989b705c1
Instruction Fuzzy Hash: F8018670A0520DEFCB14DFA8D546A6EB7F4FF04704F144169B908DB382D635D902CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A8131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01A8131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1abd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E019E7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01a8131b
0x01a8132a
0x01a81330
0x01a81336
0x01a8133e
0x01a81341
0x01a81344
0x01a8134f
0x01a81361
0x01a81351
0x01a8135a
0x01a8135a
0x01a8136c
0x01a8136d
0x01a8136f
0x01a81374
0x01a81387

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5540f3d97752e027b6aa22dfdd7ba036084f9fba536c2749cde33a84188a8740
Instruction ID: 354aed26ee74ba483ac39f04d0467faad1367b6d01c8d5f22ad23d3bd1ff647e
Opcode Fuzzy Hash: 5540f3d97752e027b6aa22dfdd7ba036084f9fba536c2749cde33a84188a8740
Instruction Fuzzy Hash: ED018C71A0120CAFCB04EFE8E645AAEB7F4FF08300F404069B905EB381E630DA00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A98F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01A98F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1abd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E019E7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01a98f6a
0x01a98f79
0x01a98f81
0x01a98f84
0x01a98f8b
0x01a98f91
0x01a98f94
0x01a98f9e
0x01a98fb0
0x01a98fa0
0x01a98fa9
0x01a98fa9
0x01a98fbb
0x01a98fbc
0x01a98fbe
0x01a98fc3
0x01a98fd6

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fd4a9f9a8f952dae09a8699b41e4ccb56d117c5ecca2ffea617ab2ba96dc86
Instruction ID: 586735415077a5e373531d9617203ed9f6e3216fc4eadbb24e7bd94977b7d2bd
Opcode Fuzzy Hash: 41fd4a9f9a8f952dae09a8699b41e4ccb56d117c5ecca2ffea617ab2ba96dc86
Instruction Fuzzy Hash: C1014475A0120DAFDB04DFA8D545AAEB7F4EF58300F104059B909EB381EB74DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A81608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01A81608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x1abd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E019E7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01a81608
0x01a81617
0x01a8161d
0x01a81625
0x01a81628
0x01a8162b
0x01a81636
0x01a81648
0x01a81638
0x01a81641
0x01a81641
0x01a81653
0x01a81654
0x01a81656
0x01a8165b
0x01a8166e

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae856a63dfa2e4b421a8090e8559fab263c788f2ae26545901d78014fb607a6
Instruction ID: 8e7332ae070d03583be7e4cea5c8677257134570829c0998b42792068d500f34
Opcode Fuzzy Hash: aae856a63dfa2e4b421a8090e8559fab263c788f2ae26545901d78014fb607a6
Instruction Fuzzy Hash: 55F06D71A05248EFDB14EFE8D945AAEBBF4FF18300F0440A9A905EB391EA34D901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019EC577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019EC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E019EC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x19a11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E01A988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x019ec577
0x019ec57d
0x019ec581
0x019ec5b5
0x019ec5b9
0x019ec5ce
0x019ec5ce
0x019ec5ca
0x00000000
0x019ec5ca
0x019ec5c4
0x019ec5c8
0x00000000
0x00000000
0x00000000
0x019ec5ad
0x00000000
0x019ec5af

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e6b0806d141112284d30b60ec8c1abc12c2e8b845e5074fb1515f2e8459f34
Instruction ID: ae698d5693b397a840cf415daf3f6d42bfac4e15c15c1bb05d1c69bde63e223c
Opcode Fuzzy Hash: 68e6b0806d141112284d30b60ec8c1abc12c2e8b845e5074fb1515f2e8459f34
Instruction Fuzzy Hash: 8EF09AB291D6A49EE737872CC04CF22BFEC9B05672F548866D59E87202CEA4D880C290

Uniqueness

Uniqueness Score: -1.00%

Function 01A82073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01A82073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E01A7FD22(__ecx);
				_t19 =  *0x1ab849c - _t3; // 0x7ae809a9
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1ab8748; // 0x0
					if(__eflags <= 0) {
						E01A81C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1ab8724 & 0x00000004;
							if(( *0x1ab8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1ab8724; // 0x0
					return E01A78DF1(__ebx, 0xc0000374, 0x1ab5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01a82076
0x01a82078
0x01a8207d
0x01a82083
0x01a820a4
0x01a820aa
0x01a820ac
0x01a820b7
0x01a820ba
0x01a820bc
0x01a820c9
0x01a820c9
0x01a820d0
0x01a820d2
0x00000000
0x01a820d2
0x01a820be
0x01a820c3
0x01a820c5
0x01a820c7
0x00000000
0x00000000
0x01a820c7
0x01a820bc
0x01a820d4
0x01a82085
0x01a82085
0x01a820a3
0x01a820a3

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c409ecffc815d580f72a844c6136f8812c4c86ff836caa88162a276ec6aafcf1
Instruction ID: 7f8c44e74f984be41a2f1cbec3323f9c25e7ae37b0d81236237dd1a3dad33955
Opcode Fuzzy Hash: c409ecffc815d580f72a844c6136f8812c4c86ff836caa88162a276ec6aafcf1
Instruction Fuzzy Hash: 60F0A07A8151C54AEE33BF2C76413F23FAAD796124B191486D4A01720BC53C8D93CB24

Uniqueness

Uniqueness Score: -1.00%

Function 01A0927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01A0927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E01A0FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E01A092C6(_t11, _t14);
				}
				return _t11;
			}

0x01a09295
0x01a09299
0x01a0929f
0x01a092aa
0x01a092ad
0x01a092ae
0x01a092af
0x01a092b0
0x01a092b4
0x01a092bb
0x01a092bb
0x01a092c5

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: a5ae972f77edb0975b9ec10650edf1bdaa5b6e76ca0a00ecc016cc5139720b0c
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 0CE0E5722405016BE7229E09DC84B0336999F96724F004078B5045F282C6F5D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A98D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01A98D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x1abd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E019E7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01a98d34
0x01a98d43
0x01a98d4b
0x01a98d4e
0x01a98d52
0x01a98d5c
0x01a98d6e
0x01a98d5e
0x01a98d67
0x01a98d67
0x01a98d79
0x01a98d7a
0x01a98d7c
0x01a98d81
0x01a98d94

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9200a9e2e60a6a5e2cc5d13ddc64f5f19638edb223931c9e0425a83617f3f197
Instruction ID: fdb15558dab0f339b1e5a5304e2fe8c538653cc41022927bbea1bf1e0f2642e0
Opcode Fuzzy Hash: 9200a9e2e60a6a5e2cc5d13ddc64f5f19638edb223931c9e0425a83617f3f197
Instruction Fuzzy Hash: EEF0B470A0460C9FDB14EFB8E545A6E77F4EF14300F108099E905EB291EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01A98B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01A98B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1abd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E019E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01a98b67
0x01a98b6f
0x01a98b72
0x01a98b7d
0x01a98b8f
0x01a98b7f
0x01a98b88
0x01a98b88
0x01a98b9a
0x01a98b9b
0x01a98b9d
0x01a98ba2
0x01a98bb5

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538a4244c43d9bf25c246552128c51b10b2ff1f19bae54304a6849d9d6622623
Instruction ID: fe03bc23890f238a499a74cbf0270a7d0517afd6271369d9868633b0087e8872
Opcode Fuzzy Hash: 538a4244c43d9bf25c246552128c51b10b2ff1f19bae54304a6849d9d6622623
Instruction Fuzzy Hash: D2F082B1A0425DABDF14EBA8EA06E6E77F4EF04304F040459BA05DB3D1EB74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A98CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01A98CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1abd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E019E7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E01A0B640(E01A09AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01a98ce5
0x01a98ced
0x01a98cf0
0x01a98cfb
0x01a98d0d
0x01a98cfd
0x01a98d06
0x01a98d06
0x01a98d18
0x01a98d19
0x01a98d1b
0x01a98d20
0x01a98d33

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89811bfe4482d1290a4073750ab13f46be4252766649241b375d5f86137d8426
Instruction ID: 05167064ac72d013f5e2bada16a5cefe558da26e07128239ac311b533e351de2
Opcode Fuzzy Hash: 89811bfe4482d1290a4073750ab13f46be4252766649241b375d5f86137d8426
Instruction Fuzzy Hash: 20F0E270A0420DAFCF04DBA8E945EAE77F4EF19304F100199E905EB2C1EA34D940C754

Uniqueness

Uniqueness Score: -1.00%

Function 019E746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E019E746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E019DEB70(__ecx, 0x1ab79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E01A095D0();
							L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x019e746d
0x019e746d
0x019e746d
0x019e7471
0x019e7488
0x01a2f92d
0x019e748e
0x019e7491
0x019e7495
0x01a2f937
0x01a2f93a
0x01a2f94e
0x01a2f953
0x01a2f956
0x01a2f956
0x019e7495
0x00000000
0x019e7488
0x019e7473
0x019e7478
0x019e747d
0x019e7481
0x00000000
0x019e7481
0x019e747d
0x019e747a
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea409e921fdd9f3198d828d0f67e44b0d4e6a8502ecb14c8cf946aad12a515c
Instruction ID: 8cb64654976d8743827967eb09223f99bbfc1ff712ac5d9f012e4cd0e49b150f
Opcode Fuzzy Hash: 1ea409e921fdd9f3198d828d0f67e44b0d4e6a8502ecb14c8cf946aad12a515c
Instruction Fuzzy Hash: 48F0B434600145BADF1B97ECC444F797FF7AF04B50F040515E859AB191F765980087C7

Uniqueness

Uniqueness Score: -1.00%

Function 019C4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019C4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E01A988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E019EC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x19a1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x019c4f2e
0x019c4f34
0x019c4f38
0x01a20b85
0x01a20b85
0x01a20b89
0x01a20b9a
0x01a20b9a
0x01a20b9f
0x00000000
0x01a20b9f
0x01a20b94
0x01a20b98
0x00000000
0x00000000
0x00000000
0x01a20b98
0x019c4f3e
0x019c4f48
0x00000000
0x019c4f6e
0x00000000
0x019c4f70

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfb2a7e41308a72a3840a3376270694f32dd0a3430ed2486cdc22b96ec2bd4b
Instruction ID: dccbbb5d7a9a2395ea329964245e7686a4bef459aa62c2898ac174019447264d
Opcode Fuzzy Hash: ccfb2a7e41308a72a3840a3376270694f32dd0a3430ed2486cdc22b96ec2bd4b
Instruction Fuzzy Hash: E0F0E2325256A98FD772CB1CC344B23BBD5AB017B8F454474E40987922C724EC84C680

Uniqueness

Uniqueness Score: -1.00%

Function 019FA44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019FA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x1ab7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E01A0FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x019fa44b
0x019fa453
0x019fa472
0x019fa476
0x00000000
0x019fa493
0x019fa47a
0x019fa47f
0x019fa486
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d711081e0fff8fa8a205fc88ee7c152bd98f5c1271b975002a08d01d56f9c8df
Instruction ID: 32a42d6cf58b324c2051304d8045c9c110fab7621581e9e07e9ee11e4d6483ad
Opcode Fuzzy Hash: d711081e0fff8fa8a205fc88ee7c152bd98f5c1271b975002a08d01d56f9c8df
Instruction Fuzzy Hash: 48E09272A01421ABD2225A59FC00F66739DDBE8A51F094439E609D7254D668DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019CF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E019CF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E019FF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L019E4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x019cf35d
0x019cf361
0x019cf367
0x019cf372
0x019cf38c
0x019cf38c
0x019cf394

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 8c2df54f024183b0051b94b497dca29754179e38c325536d5e93586e60bb65e1
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 37E0D832A40118FBDB21A6D99D05F9ABFADDB98FA1F00015ABA08DB190D5609D00C6D1

Uniqueness

Uniqueness Score: -1.00%

Function 019DFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019DFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x19a11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E01A988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E019E0050(_t14);
				}
			}

0x019dff66
0x019dff6b
0x00000000
0x019dff8f
0x00000000
0x019dff8f

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d97f1b9dc24d5b8f949b70b0a245d03371bd6d8d8412ae350fa5d44a1015cdd
Instruction ID: 2e38aa66deadff005fe405d94aecd6fc67c91d9d82032cafd5af90b2ff598c76
Opcode Fuzzy Hash: 2d97f1b9dc24d5b8f949b70b0a245d03371bd6d8d8412ae350fa5d44a1015cdd
Instruction Fuzzy Hash: 7DE0DFB06052049FDB36DF5DD141F2D7BDCAB5272AF19C49DE00E4B102C621E882C2D6

Uniqueness

Uniqueness Score: -1.00%

Function 01A541E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01A541E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x1aa08f0);
				_t5 = E01A1D08C(__ebx, __edi, __esi);
				if( *0x1ab87ec == 0) {
					E019DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x1ab87ec == 0) {
						 *0x1ab87f0 = 0x1ab87ec;
						 *0x1ab87ec = 0x1ab87ec;
						 *0x1ab87e8 = 0x1ab87e4;
						 *0x1ab87e4 = 0x1ab87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01A54248();
				}
				return E01A1D0D1(_t5);
			}

0x01a541e8
0x01a541ea
0x01a541ef
0x01a541fb
0x01a54206
0x01a5420b
0x01a54216
0x01a5421d
0x01a54222
0x01a5422c
0x01a54231
0x01a54231
0x01a54236
0x01a5423d
0x01a5423d
0x01a54247

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cc19883651086c4bc819aa1ab37f8b2a6d3c5459550074d1e147fadf47f5c0
Instruction ID: c4fb458d74d50c4d6c7de4b346acf63af5e52b8ab5ac85216202de16b6a9c976
Opcode Fuzzy Hash: c3cc19883651086c4bc819aa1ab37f8b2a6d3c5459550074d1e147fadf47f5c0
Instruction Fuzzy Hash: 3EF03978812781DFCBB1EFADD68872836BCF75836AF10815A9004876AAD73844E2CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01A7D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A7D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L019CE8B0(__ecx, _a4, 0xfff);
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x01a7d38a
0x01a7d39b
0x01a7d3b1
0x00000000
0x01a7d3b6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 31e5917dbacfa24d4f4a4dbb1de1d917800e9f1aa98d79e26cd9e1921a931297
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 0AE0C231280205BBDB225E84CC00F697B66EF90BA1F104035FE085A690C6759D91D6C5

Uniqueness

Uniqueness Score: -1.00%

Function 019FA185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019FA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x1ab67e4 >= 0xa) {
					if(_t5 < 0x1ab6800 || _t5 >= 0x1ab6900) {
						return L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E019E0010(0x1ab67e0, _t5);
				}
			}

0x019fa190
0x019fa1a6
0x019fa1c2
0x00000000
0x00000000
0x00000000
0x019fa192
0x019fa192
0x019fa19f
0x019fa19f

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c42e4e9fe012a324b1406fe4454278efeba19cc4e92a3fc503ccee2c9d1ec0
Instruction ID: 70414fdc987650e7a643d92aa5df6d0760d7e0ebcbabda6b61ac30da71cabc78
Opcode Fuzzy Hash: d3c42e4e9fe012a324b1406fe4454278efeba19cc4e92a3fc503ccee2c9d1ec0
Instruction Fuzzy Hash: 73D02B613600812AD62F1380D8A8B61365AF7C4760F35080CF30F4B5A2E95088D0C308

Uniqueness

Uniqueness Score: -1.00%

Function 019F16E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019F16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E019F1710(0x1ab67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L019E4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x019f16e8
0x019f16ef
0x019f16f3
0x019f16fe
0x00000000
0x019f1700
0x019f170d
0x019f170d
0x019f16f2
0x019f16f2
0x019f16f2
0x019f16f2

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f39477d054f15b66afbab49c0fdcd47d284973afd6f39dab2ce3193d78505c
Instruction ID: 30fd6d4fa84340ef54353f8cb5f383033072c8c3f85ad6c4ecb25b3335d88658
Opcode Fuzzy Hash: a8f39477d054f15b66afbab49c0fdcd47d284973afd6f39dab2ce3193d78505c
Instruction Fuzzy Hash: 88D0A731110141F2EE2D5B149844B142659EBD0B82F38007CF30F594C1DFA1DC92E58C

Uniqueness

Uniqueness Score: -1.00%

Function 01A453CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A453CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E019DEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x01a453ca
0x01a453ce
0x01a453d9
0x01a453de
0x01a453e1
0x01a453e1
0x01a453e6
0x01a453f3
0x00000000
0x01a453f8
0x01a453fb

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 7d719007be0fd3a66f117ba2daa8c3f752ddbdef37f160b22c4c060fcf45a92f
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: D7E08C329407809BCF16EB89C660F4EBBF5FB84B00F140444A0085F620C624AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019DAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019DAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x019daab6
0x019daabb
0x01a2a442
0x00000000
0x01a2a448
0x01a2a454
0x01a2a454
0x019daac1
0x019daac1
0x019daac6
0x019daac6

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 6e21735d50fff368d126b7698a303fab8c4f1187710eb549eda78aa12f3c6a65
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: BAD0C939352980CFD617CB0CC554B0533A8BB04B40FC50590E500CBB62E62CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 019F35A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019F35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E019DEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x019f35a1
0x019f35a1
0x019f35a5
0x019f35ab
0x019f35ab
0x019f35b5
0x00000000
0x019f35c1
0x019f35b7

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 1ca8f2b79ddceaa5d4f28edab10ef83c9f2a010b1f2de20c0850ed31dd72ad75
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 97D0A931401281BAEF02AB14C21CB6C3BB6BB80309F58206D824E0A862C33E4B0AC700

Uniqueness

Uniqueness Score: -1.00%

Function 019CDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019CDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L019E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x019cdb4d
0x019cdb54
0x019cdb5f
0x019cdb56
0x019cdb56
0x019cdb5c
0x019cdb5c

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 7b4fc9b2febc7cbb8b66a32069f1234522dc628fbe1a7db33e0ea7a404067e9d
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: DEC08C30280A01AAEB221F20CD01B003AE4BB50F02F4400A06304DA0F0EB78D801EA00

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A4A537(intOrPtr _a4, intOrPtr _a8) {

				return L019E8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x01a4a553

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: b01e621d5e1dd4449867adb4820a24da803f4f29bd0c54ac4be9e1b3295d2a0b
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 71C01232080248BBCB126E81CC00F167B6AEBA4B60F008014BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 019E3A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019E3A1C(intOrPtr _a4) {
				void* _t5;

				return L019E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x019e3a35

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 60d4804e0b5bf708b9436634275a2144db7ddd7453f33cb490d401ab09904eb4
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: A1C04C32180648BBCB126E45DD05F157B69E7A4B60F154021B6084B5618576ED61D99C

Uniqueness

Uniqueness Score: -1.00%

Function 019CAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019CAD30(intOrPtr _a4) {

				return L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x019cad49

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 844f17f4d9c58359a4fdac7b860d9902982890dbbe98b9ca3b2c8a80ca0836ff
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 47C08C320C0248BBC7166A85DD00F017B69E7A0B60F000020B6080A6618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 019F36CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019F36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L019E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x019f36d2
0x019f36e8
0x019f36d4
0x019f36e5
0x019f36e5

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 8e44bb28c6a69deee8bce702a0466a4e280b5fb0cf7d5beb3efbd00af2c77e04
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 1FC02B70150440FBDB161F30CD01F147298F740E22F6403587324864F0D52C9C00D608

Uniqueness

Uniqueness Score: -1.00%

Function 019D76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019D76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L019E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x019d76e4
0x00000000
0x019d76f8
0x019d76fd

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: a725c07dae2daa0ecc18883d17be7ca4f2def21808233b5440956319d8566c34
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 40C08C701811805AEB2F578CCE24B207A98BB0860EF88099CAA09094A2D369A802C209

Uniqueness

Uniqueness Score: -1.00%

Function 019E7D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019E7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x019e7d56
0x019e7d5b
0x019e7d60
0x019e7d5d
0x019e7d5d
0x019e7d5d

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 02cf78b10a27f334747c15fd73af355e4af6e899bfb99aa1962b75ec40f3addb
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 5AB09235301941CFCE1BDF18C084B1533E8BB44A40B8400D0E404CBA21D22AE8408900

Uniqueness

Uniqueness Score: -1.00%

Function 019F2ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019F2ACB() {
				void* _t5;

				return E019DEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x019f2adc

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: c8edafda917a97e300dfe9d59954ecc9f5d245f9b43e849609f595b6d2a15c00
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 9AB01232C10541CFCF02FF40C610B197331FB40750F05849090012B930C22CBC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01A099D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceebf9fa71235842a3c8f872f807db294abb378bac62a0bf3ef12e2bf92da61c
Instruction ID: a9cc2c2458f324d491000e7030868844998c858d9bfec657f8e0512d98828094
Opcode Fuzzy Hash: ceebf9fa71235842a3c8f872f807db294abb378bac62a0bf3ef12e2bf92da61c
Instruction Fuzzy Hash: 319002A121101042D10461A944087160445A7E1241F51C412A2144554CC5698C616165

Uniqueness

Uniqueness Score: -1.00%

Function 01A09950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9972f6480343dea5452d93df8c6eaf8588909a76e179b870d79c4e7a3973a872
Instruction ID: ed56228879bd555fa97aa2f1ddd6598572ac1d81c02f7f5de49ed1820d608059
Opcode Fuzzy Hash: 9972f6480343dea5452d93df8c6eaf8588909a76e179b870d79c4e7a3973a872
Instruction Fuzzy Hash: 6B9002A120141403D14065A948086170405A7D0342F51C411A2054555ECA698C517175

Uniqueness

Uniqueness Score: -1.00%

Function 01A098A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e466e845b0f2549f9c76a7c78ab26400e2fc3bc00f9f6b243ab5f8260da36bb0
Instruction ID: a73e2f39896d76a503e36e2719a396d0fa92b2b4ead7c2c356cd9dc49f6ebe3b
Opcode Fuzzy Hash: e466e845b0f2549f9c76a7c78ab26400e2fc3bc00f9f6b243ab5f8260da36bb0
Instruction Fuzzy Hash: 8E90026130101402D10261A944186160409E7D1385F91C412E1414555DC6658953B172

Uniqueness

Uniqueness Score: -1.00%

Function 01A09820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25adc6ef437a209a2b1d226e591e7836e5773d9836e6d38800cc2695ad27a6d
Instruction ID: 2f6c140764b1ad60b85411506e232e1ac0dc951a55532583fa08538501a4217f
Opcode Fuzzy Hash: f25adc6ef437a209a2b1d226e591e7836e5773d9836e6d38800cc2695ad27a6d
Instruction Fuzzy Hash: 4A90027124101402D14171A944086160409B7D0281F91C412A0414554EC6958A56BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A0B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4776594c2914a204787ad7f6f300372dd34404b5e451017eb2235dd707ca80fb
Instruction ID: d02325880de57bd8b4b5ef0df26ee9fef95085e308b2e1214668f2b9d5cddd1f
Opcode Fuzzy Hash: 4776594c2914a204787ad7f6f300372dd34404b5e451017eb2235dd707ca80fb
Instruction Fuzzy Hash: DC9002A1601150434540B1A948084165415B7E1341391C521A0444560CC6A88855A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A0A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6add280d6d87d9b9ade6e94fa18a134dd8dd2032036abf719f311cfdbb4be653
Instruction ID: 351130633ed16e5d55eee592e6f9605ba51662f98e004d77dfda3d4e0b265718
Opcode Fuzzy Hash: 6add280d6d87d9b9ade6e94fa18a134dd8dd2032036abf719f311cfdbb4be653
Instruction Fuzzy Hash: A990027120145002D14071A9844861B5405B7E0341F51C811E0415554CC6558856A261

Uniqueness

Uniqueness Score: -1.00%

Function 01A09B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b62cabc624aa3cc2f9d9f341b6be1cd57c25018ce961f873a8b3432baf22f11
Instruction ID: 25174b75882474752ed155cd24e122fbb90f7ba95cb0a88a1587ba03c09991f0
Opcode Fuzzy Hash: 7b62cabc624aa3cc2f9d9f341b6be1cd57c25018ce961f873a8b3432baf22f11
Instruction Fuzzy Hash: 2990026124101802D14071A984187170406E7D0641F51C411A0014554DC656896576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01A09A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c879831ac4adfd64160fc50a5b22334020ce26be877c5b5284073b077e6035e2
Instruction ID: 4e604714dcab72c1dd5fdef12477761da11e724d0a7bce230fa2834c9c1f3bda
Opcode Fuzzy Hash: c879831ac4adfd64160fc50a5b22334020ce26be877c5b5284073b077e6035e2
Instruction Fuzzy Hash: A790026120145442D14062A94808B1F4505A7E1242F91C419A4146554CC95588556761

Uniqueness

Uniqueness Score: -1.00%

Function 01A09A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c75a3a13308b186965afd4ec96ba4648f3a005d9bbe39e2aad499bdf8441cf
Instruction ID: 46082e0a5fcfc314125e92f34a91bceb9726ae241349a1023ac4b6fbef74a680
Opcode Fuzzy Hash: 10c75a3a13308b186965afd4ec96ba4648f3a005d9bbe39e2aad499bdf8441cf
Instruction Fuzzy Hash: 9490027120141402D10061A9480C7570405A7D0342F51C411A5154555EC6A5C8917571

Uniqueness

Uniqueness Score: -1.00%

Function 01A095F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4cf2b811472be6808c168c2bdaa3b7a02971708c54c7ee79a47bbae10b19cc
Instruction ID: a30b03d680a6812cd0ee9e5c5957c8074a346487945e1f9a8a40d08322ac4cb3
Opcode Fuzzy Hash: 1f4cf2b811472be6808c168c2bdaa3b7a02971708c54c7ee79a47bbae10b19cc
Instruction Fuzzy Hash: A990027120101802D10461A948086960405A7D0341F51C411A6014655ED6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 01A09520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aa20b27db8f8b9d193ffac16243a812bc33bfbcbca8e8e564680e2fa824f42
Instruction ID: 0c9517e5ed871143b40b69925c7a4757570a18944129a74e7b7f3a7731231622
Opcode Fuzzy Hash: 52aa20b27db8f8b9d193ffac16243a812bc33bfbcbca8e8e564680e2fa824f42
Instruction Fuzzy Hash: 7A9002E1201150924500A2A98408B1A4905A7E0241B51C416E1044560CC5658851A175

Uniqueness

Uniqueness Score: -1.00%

Function 01A0AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c139baafc7bd19a71838e4a985954b0659c25b464ee6083d032067712ab7eff
Instruction ID: c585c53b4fab1557d47c1174b958da231e2a9172e0d7a072171a68f6027d9ca0
Opcode Fuzzy Hash: 0c139baafc7bd19a71838e4a985954b0659c25b464ee6083d032067712ab7eff
Instruction Fuzzy Hash: DE900271A0501012914071A948186564406B7E0781B55C411A0504554CC9948A5563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A09560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87dc446ea2765b88b5467bdb213f218888b04fde1ff567d59d507cea3db3d5
Instruction ID: 62a5207d2f13e662c88e7ecec6e3854be5e98ff5bc85764b1ae04431ba46b782
Opcode Fuzzy Hash: 4b87dc446ea2765b88b5467bdb213f218888b04fde1ff567d59d507cea3db3d5
Instruction Fuzzy Hash: 75900265221010020145A5A9060851B0845B7D6391391C415F1406590CC66188656361

Uniqueness

Uniqueness Score: -1.00%

Function 01A09FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efeee713fc91cef14d90035dff4154b0e54559fac98ce27d4453f598cc047ee
Instruction ID: c5596f1e282a66b90c6dcbff44fead726d13cef60132405f069205e30fb26616
Opcode Fuzzy Hash: 6efeee713fc91cef14d90035dff4154b0e54559fac98ce27d4453f598cc047ee
Instruction Fuzzy Hash: 5E90027131115402D11061A984087160405A7D1241F51C811A0814558DC6D588917162

Uniqueness

Uniqueness Score: -1.00%

Function 01A09730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0349ac61e4e1a15b12c7798d51fb351d953f617e95619fd32e17f8fdd703fb
Instruction ID: 5d74b81305c0308553db88f40c440dd09fa5b3986f3e680be8a80bcfc8d94ba9
Opcode Fuzzy Hash: ac0349ac61e4e1a15b12c7798d51fb351d953f617e95619fd32e17f8fdd703fb
Instruction Fuzzy Hash: 7490026160501402D14071A9541C7160415A7D0241F51D411A0014554DC6998A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A0A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462cf3795c05f1d5b8dca7d63fff96025b5c84708b3218eb1f82b45363e15b80
Instruction ID: 64d41a73b5cbc8c686c7b11d7c4d3efb374e4ead288929e744037b6c65bbd77c
Opcode Fuzzy Hash: 462cf3795c05f1d5b8dca7d63fff96025b5c84708b3218eb1f82b45363e15b80
Instruction Fuzzy Hash: C2900271301010529500A6E95808A5A4505A7F0341B51D415A4004554CC59488616161

Uniqueness

Uniqueness Score: -1.00%

Function 01A09760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30a8611934821b18e7aaf048a275934701b8995a096229dbf82b001576765b9
Instruction ID: 98ce53896a2023141165e082c5050c72fc5547da4a2f235b50b8088eb85f0bcc
Opcode Fuzzy Hash: e30a8611934821b18e7aaf048a275934701b8995a096229dbf82b001576765b9
Instruction Fuzzy Hash: 7990047130101403D10071FD550C7170405F7D0341F51DC11F041455CDD7D7CC517171

Uniqueness

Uniqueness Score: -1.00%

Function 01A09770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65811549354a1e28e0368eacc6e9d725f2330d2f83c5538c69bbbd85af950012
Instruction ID: 2e18a7e97c6ce4df30f77f5548e22ce2d429bc2d08208e6668cfd50f23f3b876
Opcode Fuzzy Hash: 65811549354a1e28e0368eacc6e9d725f2330d2f83c5538c69bbbd85af950012
Instruction Fuzzy Hash: 5690047130505443D10075FD540CF170405F7D0345F51D411F10545D5DC775CC51F171

Uniqueness

Uniqueness Score: -1.00%

Function 01A0A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c94f4655b9be8d9922023f7dcb4e8ae12d46636c3fd7d1c313a72ad80c35007
Instruction ID: 2526b15b6de6027f5d405d07be3cfef01af4cdf277486f046af46ee6f694785d
Opcode Fuzzy Hash: 9c94f4655b9be8d9922023f7dcb4e8ae12d46636c3fd7d1c313a72ad80c35007
Instruction Fuzzy Hash: 5590027520505442D50065A95808A970405A7D0345F51D811A041459CDC6948861B161

Uniqueness

Uniqueness Score: -1.00%

Function 01A096D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a222e1711fe0b66334258ac507be4ee5cb309d9af229a510baee223e361e1490
Instruction ID: 8b6599b18af4aa7fccd13c077b1db623bd3e1af1274faaffcb167d6413a939b1
Opcode Fuzzy Hash: a222e1711fe0b66334258ac507be4ee5cb309d9af229a510baee223e361e1490
Instruction Fuzzy Hash: F690027120101842D10061A94408B560405A7E0341F51C416A0114654DC655C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 01A09610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f3df4280364c8e5ad2790af422bf3ca27e7ec07ff8d86402c95afbe9ef6d9c
Instruction ID: dbd56da6930d3b1ed1c87f79db87495226a085ce92b17430364b62f651c943ac
Opcode Fuzzy Hash: d7f3df4280364c8e5ad2790af422bf3ca27e7ec07ff8d86402c95afbe9ef6d9c
Instruction Fuzzy Hash: FA90027160501802D15071A944187560405A7D0341F51C411A0014654DC7958A5576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A09650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1126637795119e44961132489301a5c743e0b5f7e66b2feef5ecd178c4e7c2f2
Instruction ID: 1beb2775323717a037187083f203e0cfd05d58f5fe2bb256a255db56ae79b1fa
Opcode Fuzzy Hash: 1126637795119e44961132489301a5c743e0b5f7e66b2feef5ecd178c4e7c2f2
Instruction Fuzzy Hash: 3490027120505842D14071A94408A560415A7D0345F51C411A0054694DD6658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A09670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 70480b490e2062dc7adf70bf6e0ffb9c0fe6fc10f82ac9275b319c0ad23bf259
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01A5FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01A5FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E01A0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01A55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01A55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x01a5fdda
0x01a5fde2
0x01a5fde5
0x01a5fdec
0x01a5fdfa
0x01a5fdff
0x01a5fe0a
0x01a5fe0f
0x01a5fe17
0x01a5fe1e
0x01a5fe19
0x01a5fe19
0x01a5fe19
0x01a5fe20
0x01a5fe21
0x01a5fe22
0x01a5fe25
0x01a5fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A5FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A5FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A5FE01

Memory Dump Source

Source File: 00000001.00000002.415316568.00000000019A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_19a0000_gsPzUI8EV8RoSMt.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c903605b175cd7ee197bccc778e7cc451199991b374f2709b049d7c7f4a6e9ac
Instruction ID: 5e3781630519b0450a97fdddd70deb2a8fe7118b0bd4ca1e85bb18d8d555c071
Opcode Fuzzy Hash: c903605b175cd7ee197bccc778e7cc451199991b374f2709b049d7c7f4a6e9ac
Instruction Fuzzy Hash: 3DF0F672604201BFEB611B45DD02F63BF6AEB84B30F240314FA28565D1DA72F86096F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gsPzUI8EV8RoSMt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gsPzUI8EV8RoSMt.exe.log

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
gsPzUI8EV8RoSMt.exe

Function 0158B740 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Function 0158B750 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 0158FDAC Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 0158FDB8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 01583DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0158536E Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Function 0158B970 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 0158B978 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 01589538 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 01589BB4 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 01589928 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 01589930 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON